1. Field of the Invention
The present invention relates to distributed detection of network intrusions, and more particularly to a system for parallel flow-aware pattern matching and a method thereof.
2. Description of the Related Art
DPI (Deep Packet Inspection), and more specifically Pattern Matching (PM), for Network Intrusion Detection is a key method for many emerging and increasingly popular network monitoring and analysis applications such as NIDS (Network Intrusion Detection Systems), and is recognized as both computation and communication (i.e. I/O) intensive. DPI applications are usually required to match a large volume of network traffic against a large pattern set. The required performance scales with the wire speed of the network interface being monitored (since DPI inspects not only packet headers but also payloads), which together makes DPI extremely hard to realize for a large pattern set at a multi-gigabit line rate.
As a replacement for the last generation of Network Processors, the multi-core processor (CMP/SMP/SMT) system, which has much higher computing power, is a promising processing platform because it provides higher programmability and more scalable processing power than traditional hardware solutions. However, the traditional parallel programming model for data-based load balancing can hardly be adopted for DPI processing; in particular, it is inefficient when adopted for PM processing in an NIDS. Data transmitted over networks are usually organized as flows (namely, the packet stream between an arbitrary source-destination communication pair). For PM in an NIDS, the packets within a flow have a strong dependency on each other and must be processed in sequence to avoid missed or false detections. An unfortunate fact is that network flows can be extremely unevenly distributed in size, and in certain cases (e.g. where VPN tunnels exist) a single flow may even dominate the whole line bandwidth. This makes it extremely hard to fully utilize the processing power of multi-core platforms and to realize efficient flow-aware dynamic load balancing via traditional load-balancing approaches. A traditional packet-based parallel processing model is illustrated in FIG. 1, in which parallel processing is compared to the original serial processing.
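The two problems just described can be made concrete with a small simulation. The following Python example is added here for illustration and is not part of the patent text: it builds a minimal Aho-Corasick matcher whose only cross-packet state is the automaton state, shows that a pattern straddling two packets of one flow is missed when packets are scanned independently or out of order (the data dependency within a flow), and then dispatches constructed flows to workers by hashing the 5-tuple to show how one dominant flow leaves the other cores idle. The patterns, flows, packet payloads and byte counts are all constructed for the example.

```python
"""Added illustration (not from the patent): cross-packet dependency inside a
flow, and load imbalance under flow-aware dispatch when one flow dominates.
All patterns, packets, flows and byte counts below are constructed."""
from collections import deque
import zlib


class AhoCorasick:
    """Minimal Aho-Corasick automaton over bytes. The integer state is the
    only thing that must be carried from one packet to the next in a flow."""

    def __init__(self, patterns):
        self.goto = [{}]    # state -> {byte: next state}
        self.out = [[]]     # state -> patterns that end in this state
        self.fail = [0]     # state -> failure link
        for p in patterns:
            s = 0
            for b in p:
                if b not in self.goto[s]:
                    self.goto.append({})
                    self.out.append([])
                    self.fail.append(0)
                    self.goto[s][b] = len(self.goto) - 1
                s = self.goto[s][b]
            self.out[s].append(p)
        # BFS to compute failure links; depth-1 states already fail to root.
        queue = deque(self.goto[0].values())
        while queue:
            r = queue.popleft()
            for b, s in self.goto[r].items():
                queue.append(s)
                f = self.fail[r]
                while f and b not in self.goto[f]:
                    f = self.fail[f]
                nxt = self.goto[f].get(b, 0)
                self.fail[s] = nxt if nxt != s else 0
                self.out[s] = self.out[s] + self.out[self.fail[s]]

    def step(self, state, data):
        """Feed one payload starting from `state`; return (new_state, hits)."""
        hits = []
        for b in data:
            while state and b not in self.goto[state]:
                state = self.fail[state]
            state = self.goto[state].get(b, 0)
            hits.extend(self.out[state])
        return state, hits


PATTERNS = [b"/bin/sh", b"cmd.exe"]          # constructed signature set
AC = AhoCorasick(PATTERNS)


def scan_flow(packets, automaton=AC):
    """In-order, stateful scan: automaton state survives packet boundaries."""
    state, hits = 0, []
    for payload in packets:
        state, h = automaton.step(state, payload)
        hits.extend(h)
    return hits


def scan_packets_independently(packets, automaton=AC):
    """Per-packet scan with the state reset, as a packet-parallel model does."""
    hits = []
    for payload in packets:
        _, h = automaton.step(0, payload)
        hits.extend(h)
    return hits


# Constructed two-packet flow: the pattern "/bin/sh" straddles the boundary.
FLOW = [b"GET /cgi-bin/x?a=/bi", b"n/sh HTTP/1.0\r\n"]


def dispatch_by_flow(flows, n_workers):
    """Flow-aware dispatch: hash the 5-tuple so every packet of a flow lands
    on the same worker (preserving order); return bytes assigned per worker."""
    load = [0] * n_workers
    for five_tuple, payload_bytes in flows:
        w = zlib.crc32(repr(five_tuple).encode()) % n_workers
        load[w] += payload_bytes
    return load


def utilization(load):
    """Fraction of total capacity used when the busiest worker sets the pace."""
    return sum(load) / (len(load) * max(load))


# Constructed traffic mix (MB): one tunnel-like flow plus nine small flows.
FLOWS = [(("10.0.0.1", "10.0.0.2", 6, 50000, 1194), 900)] + [
    (("10.0.0.%d" % i, "10.0.0.2", 6, 40000 + i, 80), 10) for i in range(3, 12)
]

if __name__ == "__main__":
    print("in-order scan:     ", scan_flow(FLOW))            # finds /bin/sh
    print("independent scan:  ", scan_packets_independently(FLOW))  # misses it
    print("reordered scan:    ", scan_flow(FLOW[::-1]))      # misses it
    load = dispatch_by_flow(FLOWS, 4)
    print("per-worker MB:", load, "utilization: %.2f" % utilization(load))
```

Whatever hash function is used, the 900 MB flow must land whole on one worker, so with four workers the utilization can never exceed 990 / (4 * 900), roughly 27%, which is the imbalance the text attributes to dominant flows.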
The load-balancing model based on sub-task partitioning, namely the pipelining model, is an alternative way to leverage multi-core processor systems. One of its strengths is that its in-order processing retains the data dependency within packet flows. However, only when the sub-tasks (pipeline stages) are evenly partitioned can the computing resources of a multi-core processor be fully utilized for optimal gain. Unfortunately, since the sub-tasks are usually pre-divided and statically dispatched, the pipeline model has very low adaptability, making it hard to achieve an even partition of the task based on the DPI processing code. Due to the existence of monolithic sub-tasks and the sophisticated branching in the code path of an NIDS, it is extremely hard to balance the workload under this model, especially dynamically, so high resource utilization cannot be achieved.
All signs point to the need for a new programming model for high-performance DPI applications in order to realize a more efficient DPI processing engine. Such a programming model needs not only to inherently retain the data dependency within packet flows, but also the ability to balance the workload among the parallel processor resources more effectively and dynamically.