Beyond Pattern Matching: A Concurrency Model For Stateful Deep Packet Inspection

CCS '14: 2014 ACM SIGSAC Conference on Computer and Communications Security, Scottsdale, Arizona, USA, November 2014

Abstract
The ever-increasing sophistication of network attacks, combined with ever larger volumes of traffic, presents a dual challenge to network intrusion detection systems (IDSs). On one hand, to take advantage of modern multi-core processing platforms, IDSs need to support scalability by distributing traffic analysis across a large number of processing units. On the other hand, such scalability must not come at the cost of decreased effectiveness in attack detection. In this paper, we present a novel domain-specific concurrency model that addresses this challenge by introducing the notion of detection scope: a unit for partitioning network traffic such that the traffic contained in each resulting "slice" is independent for detection purposes. The notion of scope enables IDSs to automatically distribute traffic processing while ensuring that the information necessary to detect intrusions remains available to detector instances. We show that for a large class of detection algorithms, scope can be automatically inferred via program analysis, and we present scheduling algorithms that ensure safe, scope-aware processing of network events. We evaluate our technique on a set of IDS analyses, showing that our approach can indeed exploit the concurrency inherent in network traffic to provide significant throughput improvements.
Keywords
NIDS, Flexible intrusion detection, Scalable traffic analysis