The performance pressures on implementing effective network security monitoring are growing fiercely in multiple dimensions, outpacing improvements in CPU performance. The situation has now become dire with the end of Moore's Law for single CPUs. In general, hardware vendors now turn to parallel execution---many cores and many threads---to sustain performance growth. But adapting network security monitoring to such parallelism raises a host of challenging issues.
This project seeks to develop methodologies for effectively parallelizing in-depth security analysis of network activity. Doing so requires structuring the processing into separate, low-level threads suitable for concurrent execution, for which several key issues must be addressed: forwarding packets only when all relevant threads have finished their vetting; minimizing inter-thread communication in the presence of global analysis algorithms; optimizing memory access patterns for locality; and providing effective performance debugging tools.
The work centers around an event-oriented underlying architecture, which allows for exposing many opportunities for concurrent execution due to the decoupled asynchrony that events introduce into the flow of analysis. In addition, by associating events with the packets that ultimately stimulated them, the system can make sound decisions for resolving whether and when it becomes safe to forward pending packets.
Ultimately, the effort aims to enable network intrusion prevention to reap both the benefits of executing on general purpose commodity hardware, as well as the exponential scaling that Moore's Law promises for future parallel processors.
