How to Fight Massive IoT DDoS Attacks with Multi-layered Defense
Co-Evaluation of Pattern Matching Algorithms on IoT Devices ...¢IoT security is a concern ¢Recent...
Transcript of Co-Evaluation of Pattern Matching Algorithms on IoT Devices ...¢IoT security is a concern ¢Recent...
![Page 1: Co-Evaluation of Pattern Matching Algorithms on IoT Devices ...¢IoT security is a concern ¢Recent attacks: lShow that IoTsecurity is lacking •Miraibotnet •Attacks on a casino’s](https://reader034.fdocuments.in/reader034/viewer/2022050409/5f85d987163b046aac4cb944/html5/thumbnails/1.jpg)
Co-Evaluation of Pattern Matching Algorithms on IoT Devices with Embedded GPUs
Charalampos StylianopoulosSimon KindströmMagnus AlmgrenOlaf LandsiedelMarina Papatriantafilou
Distributed Computing and Systems
![Page 2: Co-Evaluation of Pattern Matching Algorithms on IoT Devices ...¢IoT security is a concern ¢Recent attacks: lShow that IoTsecurity is lacking •Miraibotnet •Attacks on a casino’s](https://reader034.fdocuments.in/reader034/viewer/2022050409/5f85d987163b046aac4cb944/html5/thumbnails/2.jpg)
Motivation
2
¢ IoT security is a concern ¢ Recent attacks:
l Show that IoT security is lacking• Mirai botnet• Attacks on a casino’s aquarium
thermostat
l Underline the need for countermeasures
![Page 3: Co-Evaluation of Pattern Matching Algorithms on IoT Devices ...¢IoT security is a concern ¢Recent attacks: lShow that IoTsecurity is lacking •Miraibotnet •Attacks on a casino’s](https://reader034.fdocuments.in/reader034/viewer/2022050409/5f85d987163b046aac4cb944/html5/thumbnails/3.jpg)
Motivation
Standard security countermeasures (e.g. NIDS) can be applied
l on the IoT devices themselves l on the entry point to the network of IoT devices
3
![Page 4: Co-Evaluation of Pattern Matching Algorithms on IoT Devices ...¢IoT security is a concern ¢Recent attacks: lShow that IoTsecurity is lacking •Miraibotnet •Attacks on a casino’s](https://reader034.fdocuments.in/reader034/viewer/2022050409/5f85d987163b046aac4cb944/html5/thumbnails/4.jpg)
Motivation
¢ Challengesl Resource constrained devicesl More connected devices -> More traffic to inspect
¢ NIDSl Performance bottleneckl Not tailored to hardware
4
![Page 5: Co-Evaluation of Pattern Matching Algorithms on IoT Devices ...¢IoT security is a concern ¢Recent attacks: lShow that IoTsecurity is lacking •Miraibotnet •Attacks on a casino’s](https://reader034.fdocuments.in/reader034/viewer/2022050409/5f85d987163b046aac4cb944/html5/thumbnails/5.jpg)
5
… http://some.site.com/get.asp?f=/etc/passwd … GET HTTP try_backdoor…
Input Stream
…/etc/passwdadmin.dllget.aspbackdoor
…Pattern set
Search for all patterns, anywhere in the network stream.
… http://some.site.com/get.asp?f=/etc/passwd … GET HTTP try_backdoor…
Pattern matching = The core functionality of NIDS
Goal:
Compare all network traffic against all malicious signatures
Motivation: Pattern matching
more than 70% of running time [1]
[1] "Generating realistic workloads for network intrusion detection systems", Antonatos et al.
![Page 6: Co-Evaluation of Pattern Matching Algorithms on IoT Devices ...¢IoT security is a concern ¢Recent attacks: lShow that IoTsecurity is lacking •Miraibotnet •Attacks on a casino’s](https://reader034.fdocuments.in/reader034/viewer/2022050409/5f85d987163b046aac4cb944/html5/thumbnails/6.jpg)
Motivation: New Devices
¢ Opportunitiesl IoT/Embedded hardware is evolvingl New hardware features
• Example: ODROID single board computers with embedded Graphic Processor Units (GPUs)
6
Making use of those features is an open issue
![Page 7: Co-Evaluation of Pattern Matching Algorithms on IoT Devices ...¢IoT security is a concern ¢Recent attacks: lShow that IoTsecurity is lacking •Miraibotnet •Attacks on a casino’s](https://reader034.fdocuments.in/reader034/viewer/2022050409/5f85d987163b046aac4cb944/html5/thumbnails/7.jpg)
¢ The questions we are trying to answer in this work:l Which algorithms to use?l What are the hardware characteristics that
affect the performance?l How to create new algorithms that make
best use of those characteristics?
8
Our work
![Page 8: Co-Evaluation of Pattern Matching Algorithms on IoT Devices ...¢IoT security is a concern ¢Recent attacks: lShow that IoTsecurity is lacking •Miraibotnet •Attacks on a casino’s](https://reader034.fdocuments.in/reader034/viewer/2022050409/5f85d987163b046aac4cb944/html5/thumbnails/8.jpg)
Our work
¢ Co-evaluation of pattern matching algorithmsl Evaluate existing implementationsl Influence the design of new ones
¢ Target embedded GPUsl Deep look in their architectural features
¢ Extensive evaluationl Different datasets, patterns, l Energy efficiency
9
![Page 9: Co-Evaluation of Pattern Matching Algorithms on IoT Devices ...¢IoT security is a concern ¢Recent attacks: lShow that IoTsecurity is lacking •Miraibotnet •Attacks on a casino’s](https://reader034.fdocuments.in/reader034/viewer/2022050409/5f85d987163b046aac4cb944/html5/thumbnails/9.jpg)
Outline
¢ Backgroundl GPU computing
¢ Our Benchmark¢ Evaluation
10
![Page 10: Co-Evaluation of Pattern Matching Algorithms on IoT Devices ...¢IoT security is a concern ¢Recent attacks: lShow that IoTsecurity is lacking •Miraibotnet •Attacks on a casino’s](https://reader034.fdocuments.in/reader034/viewer/2022050409/5f85d987163b046aac4cb944/html5/thumbnails/10.jpg)
Background
¢ General Purpose GPU computing (GPGPU)l Other than graphics, GPUs can be used for
general tasks as welll Highly parallel architecture
¢ Pattern matching on a GPU: Not a new thingl Not much work on embedded GPUs
11
[1]"Gnort: High Performance Network Intrusion Detection Using Graphics Processors”, Vasiliadis et al., RAID 2008[2]"APUNet: Revitalizing GPU as Packet Processing Accelerator”, Go et al, NSDI 2017[3]"A highly-efficient memory-compression scheme for GPU-accelerated intrusion detectionsystems”, Bellekens et al. SINCONF 2017
![Page 11: Co-Evaluation of Pattern Matching Algorithms on IoT Devices ...¢IoT security is a concern ¢Recent attacks: lShow that IoTsecurity is lacking •Miraibotnet •Attacks on a casino’s](https://reader034.fdocuments.in/reader034/viewer/2022050409/5f85d987163b046aac4cb944/html5/thumbnails/11.jpg)
Background
¢ The platform
12Source :Energy efficient run-time mapping and thread partitioning of concurrentOpenCL applications on CPU-GPU MPSoCs
![Page 12: Co-Evaluation of Pattern Matching Algorithms on IoT Devices ...¢IoT security is a concern ¢Recent attacks: lShow that IoTsecurity is lacking •Miraibotnet •Attacks on a casino’s](https://reader034.fdocuments.in/reader034/viewer/2022050409/5f85d987163b046aac4cb944/html5/thumbnails/12.jpg)
Background
Important characteristics(unique to embedded GPUS)
¢ Small number of cores/threads¢ No main memory on the GPU
Ø Shared main memory between CPU and GPU¢ No local memory on chip¢ Vectorization in each GPU thread¢ Separate instruction counter per GPU thread
Ø No need to worry about divergent execution13
![Page 13: Co-Evaluation of Pattern Matching Algorithms on IoT Devices ...¢IoT security is a concern ¢Recent attacks: lShow that IoTsecurity is lacking •Miraibotnet •Attacks on a casino’s](https://reader034.fdocuments.in/reader034/viewer/2022050409/5f85d987163b046aac4cb944/html5/thumbnails/13.jpg)
Outline
¢ Background¢ Our Benchmark
l Algorithmsl Optimizations
¢ Evaluation
14
![Page 14: Co-Evaluation of Pattern Matching Algorithms on IoT Devices ...¢IoT security is a concern ¢Recent attacks: lShow that IoTsecurity is lacking •Miraibotnet •Attacks on a casino’s](https://reader034.fdocuments.in/reader034/viewer/2022050409/5f85d987163b046aac4cb944/html5/thumbnails/14.jpg)
Algorithms
Representative algorithms from two categories:
15
Aho Corasick DFCCPU
GPU
State machine based Filtering based
![Page 15: Co-Evaluation of Pattern Matching Algorithms on IoT Devices ...¢IoT security is a concern ¢Recent attacks: lShow that IoTsecurity is lacking •Miraibotnet •Attacks on a casino’s](https://reader034.fdocuments.in/reader034/viewer/2022050409/5f85d987163b046aac4cb944/html5/thumbnails/15.jpg)
Algorithms (CPU)
The Aho-Corasick algorithm¢ Used in many Network Intrusion Detection Systems¢ Builds a State Machine (SM) from all the patterns¢ Traverses the SM reading the input byte by byte
“Efficient String Matching: An Aid to Bibliographic Search”, A. Aho, M, Corasick, ACM Comm.’75
• Poor cache locality• Data dependenciesLimitations
• Only one lookup per input byteBenefits
¢ Aho Corasick¢ DFC
16
![Page 16: Co-Evaluation of Pattern Matching Algorithms on IoT Devices ...¢IoT security is a concern ¢Recent attacks: lShow that IoTsecurity is lacking •Miraibotnet •Attacks on a casino’s](https://reader034.fdocuments.in/reader034/viewer/2022050409/5f85d987163b046aac4cb944/html5/thumbnails/16.jpg)
Algorithms (CPU)
The DFC algorithm¢ Creates a filter from patterns¢ Quickly filter outs parts of
the input
“DFC: Accelerating String Pattern Matching for Network Applications”, Choi et al. NSDI’16
…a c t i v a t ea d m i n . d l lb a c k d o o rg e t . a s p
… Pattern set
… 0 1 1 0 0 0 1 0 0 0 1 0 0
Filter (8 KB)
ac adab ... ba bb ... ge ...
Fits in cache! … t h i s i s a n i n p u t
Input Stream
¢ Aho Corasick¢ DFC
17
![Page 17: Co-Evaluation of Pattern Matching Algorithms on IoT Devices ...¢IoT security is a concern ¢Recent attacks: lShow that IoTsecurity is lacking •Miraibotnet •Attacks on a casino’s](https://reader034.fdocuments.in/reader034/viewer/2022050409/5f85d987163b046aac4cb944/html5/thumbnails/17.jpg)
Algorithms (CPU)¢ Aho Corasick¢ DFC
¢ Progressive filteringl in cache
¢ Verificationl in memory
Hash%tables
Initial%filter
1B
… …223B 427B 82 B
… … … … … …
… …
Patternlengthspecificfilters
… … … …
… …
… …
• Verification phase is costlyLimitations
• Cache locality (on filtering)• No data dependenciesBenefits
“DFC: Accelerating String Pattern Matching for Network Applications”, Choi et al. NSDI’16
The DFC algorithm (continued)
18
![Page 18: Co-Evaluation of Pattern Matching Algorithms on IoT Devices ...¢IoT security is a concern ¢Recent attacks: lShow that IoTsecurity is lacking •Miraibotnet •Attacks on a casino’s](https://reader034.fdocuments.in/reader034/viewer/2022050409/5f85d987163b046aac4cb944/html5/thumbnails/18.jpg)
Algorithms
Representative algorithms from two categories:
19
Aho Corasick
PFAC [1]
DFC
DFC (GPU)
HYBRID
CPU
GPU
[1] “Accelerating Pattern Matching Using a Novel Parallel Algorithm on GPUs” Lin et al., TOC 2013
State machine based Filtering based
![Page 19: Co-Evaluation of Pattern Matching Algorithms on IoT Devices ...¢IoT security is a concern ¢Recent attacks: lShow that IoTsecurity is lacking •Miraibotnet •Attacks on a casino’s](https://reader034.fdocuments.in/reader034/viewer/2022050409/5f85d987163b046aac4cb944/html5/thumbnails/19.jpg)
Hardware-oriented optimizations
Relevant aspects that we investigate:¢ Memory mapping vs data transfers
l 2-5X faster with memory mapping¢ Placement of the filters
l Global memoryl Texture memoryl Local memory
¢ Vectorizationl No significant speedup 20More in the paper…
![Page 20: Co-Evaluation of Pattern Matching Algorithms on IoT Devices ...¢IoT security is a concern ¢Recent attacks: lShow that IoTsecurity is lacking •Miraibotnet •Attacks on a casino’s](https://reader034.fdocuments.in/reader034/viewer/2022050409/5f85d987163b046aac4cb944/html5/thumbnails/20.jpg)
Outline
¢ Background¢ Our Benchmark¢ Evaluation
21
![Page 21: Co-Evaluation of Pattern Matching Algorithms on IoT Devices ...¢IoT security is a concern ¢Recent attacks: lShow that IoTsecurity is lacking •Miraibotnet •Attacks on a casino’s](https://reader034.fdocuments.in/reader034/viewer/2022050409/5f85d987163b046aac4cb944/html5/thumbnails/21.jpg)
Evaluation Methodology
Hardware
22
CPU 4 ARM big.LITTLE
GPU ARM Mali-T628 (6 shader cores)
Memory 2GB RAM
Sensors On board energy sensors
l 3 publicly available traffic tracesl 1 randomly generated data set
l 2183 patterns (from Snort)
Datasets
MaliciousPatterns l 5000 patterns (emergingthreats.net)
![Page 22: Co-Evaluation of Pattern Matching Algorithms on IoT Devices ...¢IoT security is a concern ¢Recent attacks: lShow that IoTsecurity is lacking •Miraibotnet •Attacks on a casino’s](https://reader034.fdocuments.in/reader034/viewer/2022050409/5f85d987163b046aac4cb944/html5/thumbnails/22.jpg)
Evaluation Methodology
¢ Goal of the evaluation:1. How fast we can process the input (execution time)2. How much energy we spent for processing (energy consumption)3. Effect of datasets and number of patterns4. Influence the design of new algorithms
¢ Versions: l Aho-Corasickl DFC l PFACl DFC on GPU (w/wo vectorization)l HYBRID (w/wo vectorization)
CPU
GPU
23
![Page 23: Co-Evaluation of Pattern Matching Algorithms on IoT Devices ...¢IoT security is a concern ¢Recent attacks: lShow that IoTsecurity is lacking •Miraibotnet •Attacks on a casino’s](https://reader034.fdocuments.in/reader034/viewer/2022050409/5f85d987163b046aac4cb944/html5/thumbnails/23.jpg)
Evaluation Results
¢ Experiment 1: execution time breakdown
24( Post-processing = Output which and how many patterns matched, on the CPU )
Post-processingCPU->GPUCPU->GPU
CPU Versions GPU VersionsVect
![Page 24: Co-Evaluation of Pattern Matching Algorithms on IoT Devices ...¢IoT security is a concern ¢Recent attacks: lShow that IoTsecurity is lacking •Miraibotnet •Attacks on a casino’s](https://reader034.fdocuments.in/reader034/viewer/2022050409/5f85d987163b046aac4cb944/html5/thumbnails/24.jpg)
Evaluation Results
¢ Experiment 2: energy consumption
25
![Page 25: Co-Evaluation of Pattern Matching Algorithms on IoT Devices ...¢IoT security is a concern ¢Recent attacks: lShow that IoTsecurity is lacking •Miraibotnet •Attacks on a casino’s](https://reader034.fdocuments.in/reader034/viewer/2022050409/5f85d987163b046aac4cb944/html5/thumbnails/25.jpg)
Evaluation Results
¢ Experiment 3: effect of datasets and #patterns
26
2183 patterns
5000 patterns
![Page 26: Co-Evaluation of Pattern Matching Algorithms on IoT Devices ...¢IoT security is a concern ¢Recent attacks: lShow that IoTsecurity is lacking •Miraibotnet •Attacks on a casino’s](https://reader034.fdocuments.in/reader034/viewer/2022050409/5f85d987163b046aac4cb944/html5/thumbnails/26.jpg)
Evaluation Results
¢ Experiment 4: configuring Hybrid
27Bigger Filter =Slower access time (green trend, left y-axis)
Higher hit ratio -> Less verification (red trend, right y-axis)
![Page 27: Co-Evaluation of Pattern Matching Algorithms on IoT Devices ...¢IoT security is a concern ¢Recent attacks: lShow that IoTsecurity is lacking •Miraibotnet •Attacks on a casino’s](https://reader034.fdocuments.in/reader034/viewer/2022050409/5f85d987163b046aac4cb944/html5/thumbnails/27.jpg)
Conclusions & Future Work
¢ Conclusionsl New hardware features (embedded GPUs) can alleviate the
bottleneck of pattern matchingl Architecture characteristics important for high performance and
low energy consumptionl Possible to design new algorithms tailored to the hardware
¢ Future Workl Overlap CPU/GPU execution (heterogeneous design)l More algorithms and devices (e.g. Nvidia’s Jetson Nano)l Integrate with existing systems (e.g. Snort)
¢ Code available online 28
![Page 28: Co-Evaluation of Pattern Matching Algorithms on IoT Devices ...¢IoT security is a concern ¢Recent attacks: lShow that IoTsecurity is lacking •Miraibotnet •Attacks on a casino’s](https://reader034.fdocuments.in/reader034/viewer/2022050409/5f85d987163b046aac4cb944/html5/thumbnails/28.jpg)
¢ Backup Slides
29
![Page 29: Co-Evaluation of Pattern Matching Algorithms on IoT Devices ...¢IoT security is a concern ¢Recent attacks: lShow that IoTsecurity is lacking •Miraibotnet •Attacks on a casino’s](https://reader034.fdocuments.in/reader034/viewer/2022050409/5f85d987163b046aac4cb944/html5/thumbnails/29.jpg)
Background (1/3)
¢ Snortl The de-facto NIDSl Signature based (malicious signatures are
known in advance) l The main pipeline looks like that
30more than 70%of running timeincludes pattern
matching
![Page 30: Co-Evaluation of Pattern Matching Algorithms on IoT Devices ...¢IoT security is a concern ¢Recent attacks: lShow that IoTsecurity is lacking •Miraibotnet •Attacks on a casino’s](https://reader034.fdocuments.in/reader034/viewer/2022050409/5f85d987163b046aac4cb944/html5/thumbnails/30.jpg)
Algorithms (CPU)
The Aho-Corasick algorithm¢ Used in many Network Intrusion Detection Systems¢ Builds a State Machine (SM) from all the patterns¢ Traverses the SM reading the input byte by byte
“Efficient String Matching: An Aid to Bibliographic Search”, A. Aho, M, Corasick, ACM Comm.’7531
• Poor cache locality• Data dependenciesLimitations
• Only one lookup per input byteBenefits
¢ Aho Corasick¢ DFC
![Page 31: Co-Evaluation of Pattern Matching Algorithms on IoT Devices ...¢IoT security is a concern ¢Recent attacks: lShow that IoTsecurity is lacking •Miraibotnet •Attacks on a casino’s](https://reader034.fdocuments.in/reader034/viewer/2022050409/5f85d987163b046aac4cb944/html5/thumbnails/31.jpg)
Related work
¢ State machine basedl Aho Corasick
“Efficient String Matching: An Aid to Bibliographic Search”, A. Aho, M, Corasick, ACM Comm.’75
¢ Filter basedl DFC
• Poor cache locality• Data dependenciesLimitations
• Only one lookup per input byteBenefits
…a c t i v a t ea d m i n . d l lb a c k d o o rg e t . a s p
… Pattern set
… 0 0 0 0 0 0 0 0 0 0 0 0 0
Filter (8 KB)
ac adab ... ba bb ... ge ...
… 0 1 0 0 0 0 0 0 0 0 0 0 0… 0 1 1 0 0 0 0 0 0 0 0 0 0… 0 1 1 0 0 0 1 0 0 0 1 0 0
"DFC: Accelerating String Pattern Matching for Network Applications”, Choi et al. NSDI’16
• Much of the hardware remains underutilizedLimitations
• Cache locality (on filtering)• No data dependenciesBenefits
e.g. vectorinstructions?32