Network security performance challenges
Application-driven data continues to grow on a massive scale, as does the importance of that data to its users. At the same time, the task of protecting that data is becoming increasingly complex and challenging. Threats today come in many varieties and seek to infiltrate systems through any means possible. The entire network operation is vulnerable, including the infrastructure, applications, data, and all of the traffic that passes through it. In a report issued on February 2nd, 2010, the Director of US National Intelligence reported that cyber activity is occurring on an unprecedented scale with extraordinary sophistication [1]. As such, equipment vendors need to ensure their platforms and applications are engineered to address these challenges.
At the heart of most security applications, and a growing number of networking applications, is pattern matching. Often referred to as deep packet inspection or content inspection, pattern matching is the process of checking (inspecting) data (packets) for the presence of the elements of a given pattern. In the security world, patterns are typically a set of signatures intended to identify specific malware threats. While many pattern matchers in the industry today are implemented with simple sequential approaches or as pieces of specialized hardware, developers can now take advantage of powerful software-based tools, such as those provided by Sensory Networks, that run on single- or multi-core CPU (Central Processing Unit) architectures to cost-effectively drive and scale performance. As a result, security processing power can be significantly increased with minimal software change.
For resource-intensive applications requiring high performance, general-purpose multi-core processors such as the Quad-Core Intel® Xeon® processor 5500 provide a highly cost-effective way of meeting these fast-growing requirements for scaling throughput and enabling more sophisticated network security applications. These processors deliver much greater computing performance with comparable power consumption and a similar form factor to previous-generation single-core processors. By combining these powerful processors with standards-based hardware and software components, security and networking vendors are developing solutions that obviate the need for specialized hardware.
This paper describes Sensory Networks' HyperScan software pattern matching solution and details the benchmarked content scanning performance and scalability when HyperScan is used in conjunction with a variety of tier-1 vendors' IPS (Intrusion Prevention Sub-system) signature databases running on an Intel® Xeon® processor 5500 platform. Packet processing solutions such as these are aimed primarily at simplifying designs and reducing the tools needed for developing new products, while helping programmers and developers migrate from single-core to multiprocessing environments.
Sensory Networks' HyperScan™: Software Pattern Matching
HyperScan is a high-speed L4-L7 pattern matching software library that fully supports regular expressions ('regex') and enables performance tuning for even the most unusual pattern sets and the largest databases. It comes with a simple API (Application Programming Interface) and is highly portable, running on x86, MIPS and PowerPC architectures and on Linux, FreeBSD, VxWorks and Windows OS (Operating Systems). The product is designed for easy integration into platforms such as appliances, routers, servers and switches. Because it is a software library, HyperScan's performance, scalability and flexibility translate directly into substantial gains in packet processing intelligence, price/performance and time-to-market for networking and security equipment vendors. The product is provided under a simple license framework that is not only cost-effective compared to alternative solutions, but also allows equipment vendors to leverage the technology across multiple product lines with just one integration cycle.
HyperScan scales throughput performance linearly, and in some cases super-linearly, with the number of CPU cores, providing a pattern matching solution that leverages cache memory to scan tens of thousands of patterns simultaneously. HyperScan's patented algorithms go beyond the DFA (Deterministic Finite Automaton) and NFA (Non-deterministic Finite Automaton) implementations typically used in the industry for pattern matching, avoiding the state blow-up and performance problems that each suffers from. This is one of the reasons why, in many cases, HyperScan's software performance exceeds that of equivalent custom hardware and silicon solutions.
HyperScan delivers full support for capturing sub-expressions with the same semantics as libpcre (the Perl Compatible Regular Expressions library), a capability vital for SIEM (Security Information and Event Management), log management and advanced search applications. The software can select among hundreds of regular expression-based rules and capture important data fields as sub-expressions at well over 50,000 log events per second. For DLP (Data Loss Prevention) and associated applications such as fingerprinting, HyperScan delivers high-speed processing of hundreds of thousands of literal data fragments. We are also continuing to push performance and expand our regular expression matching and capture facilities to support many other powerful new features, including scanning UTF-8 and UTF-16 (8-bit and 16-bit UCS/Unicode Transformation Formats respectively), even in corrupted forms, approximate matching with edit distances, and efficient, standardized detection of many obfuscation techniques.
Given a set of patterns (signatures), HyperScan compiles them into an optimized database that can efficiently match them against data passed to it either in large discrete buffers or as packetized data streams. This facilitates a natural integration into products that process streams of network packets as well as those that have access to the complete object to be scanned. All regular expressions in the signature set are scanned for simultaneously, and matches are returned to the application as they are found.
Benefits of Software-based pattern matching
-- Compared to hardware/co-processor solutions, throughput performance is far more scalable, growing linearly or near-linearly per core/thread in most cases.
-- Highly portable and easier to integrate, with OS and CPU architecture independence; this also provides the opportunity to upgrade units already installed in the field.
-- Data is processed directly on the CPU: scanning the data is simply executing instructions in the application's own address space and CPU thread.
-- Low overhead:
• Compile time is typically less than 1 second
• Bytecode size is typically 100 KB to 1 MB
• Small stream state and low memory usage
• Low latency
Pattern Matching Benchmarking Setup
For the purpose of benchmarking the performance of the latest Intel® Xeon® 5500 processor, the HyperScan pattern matching software library and a small benchmarking application were installed on a dual-socket (8-core) Intel platform (Table 1) and run against HTTP-based test traffic using a complete set of IPS signatures sourced from a leading (tier-1) security equipment vendor.
The benchmarking application used for these tests passed captured HTTP traffic (from a PCAP capture file) through HyperScan, recording only the time spent actually matching traffic against the signature database. The data was scanned packet by packet, simulating the behavior of a real network application such as an IPS or a web proxy appliance. Data was matched in 'streaming mode' for cases where threats might be spread across multiple packets (streaming mode detects threats distributed across multiple packets while keeping only a small, fixed-size state per stream), and in 'non-streaming mode' for threats that would be contained within a single chunk of data, such as a URI (which will typically already have been normalized, so streaming mode is unnecessary).
Given the resource-intensive nature of intrusion prevention (IPS) applications, the patterns (signatures) used for the benchmarking were sourced from a tier-1 IPS network security equipment vendor and comprised multiple variants of both 'to-client'/'to-server' and URI (Uniform Resource Identifier) signatures. The entire signature set was compiled into its runtime database within 4 seconds.
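As an added illustration of the streaming versus non-streaming modes described in this setup, and of compiling a signature set once into a database that is then scanned for simultaneously, the following Python uses a plain Aho-Corasick literal matcher in which the state carried between packets is a single integer. This is example code written for this page, not Sensory Networks' code and not HyperScan's patented algorithm (it handles literals only, not regular expressions); the signatures and the HTTP packets are constructed for the example.

```python
from collections import deque

class LiteralMatcher:
    """Aho-Corasick automaton over literal signatures; the stream state is one int."""
    def __init__(self, signatures):
        self.goto, self.fail, self.out = [{}], [0], [set()]
        for sid, sig in enumerate(signatures):           # build the trie
            s = 0
            for b in sig:
                if b not in self.goto[s]:
                    self.goto.append({}); self.fail.append(0); self.out.append(set())
                    self.goto[s][b] = len(self.goto) - 1
                s = self.goto[s][b]
            self.out[s].add(sid)
        q = deque(self.goto[0].values())                 # BFS to compute failure links
        while q:
            r = q.popleft()
            for b, s in self.goto[r].items():
                f = self.fail[r]
                while f and b not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(b, 0)
                self.out[s] |= self.out[self.fail[s]]     # inherit matches of the longest proper suffix
                q.append(s)

    def step(self, state, data):
        """Scan one buffer starting from `state`; return (new state, ids of signatures matched)."""
        hits = set()
        for b in data:
            while state and b not in self.goto[state]:
                state = self.fail[state]
            state = self.goto[state].get(b, 0)
            hits |= self.out[state]
        return state, hits

def scan_block(matcher, packets):
    """Non-streaming mode: every packet is scanned as an independent buffer (state reset to 0)."""
    return set().union(*(matcher.step(0, pkt)[1] for pkt in packets))

def scan_stream(matcher, packets):
    """Streaming mode: carry the single-integer stream state across packet boundaries."""
    state, found = 0, set()
    for pkt in packets:
        state, hits = matcher.step(state, pkt)
        found |= hits
    return found
# Constructed sample (all values invented here): IPS-style literal signatures and one
# HTTP request split into two packets so that "/etc/passwd" straddles the boundary.
SIGNATURES = [b"/etc/passwd", b"cmd.exe", b"passwd"]
PACKETS = [b"GET /cgi-bin/view?file=../../etc/pa", b"sswd HTTP/1.1\r\nHost: example.test\r\n\r\n"]
MATCHER = LiteralMatcher(SIGNATURES)
```

Scanning PACKETS packet by packet with scan_block finds nothing, while scan_stream reports signatures 0 and 2, because the only per-stream memory needed to bridge the packet boundary is the integer automaton state.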
Performance Results
Using Sensory's HyperScan software, the Intel® Xeon® Processor 5500 Series (Nehalem) platform was benchmarked at a throughput that scales from 9 Gbps to over 73 Gbps depending on the IPS signature workload (see Table 2 for more details). It was also recorded that the Intel® Xeon® Processor 5500 Series performs 22% faster clock-for-clock than the Intel® Xeon® 5400 Processor Series (Harpertown).
It should be noted that the throughput figures published in Table 2 and Figure 4 above represent CPU packet-processing throughput against commercial IPS signatures. These numbers should not be interpreted as end-to-end network IPS throughput.
As shown in Table 3 below, HyperScan achieves near-linear scalability across the entire thread count, with scaling from 1 to 8 threads being almost perfectly linear.
Conclusion
Networking and security equipment vendors are under pressure to speed up development cycles and spin new products that address emerging threats and the growing demand for performance. They are looking for agile platforms that cost-effectively provide predictable performance, scalability and high levels of flexibility, especially seamless upgradability. This is possible by adopting software-only solutions, such as HyperScan™ from Sensory Networks, that are easy to integrate and that accelerate platform and application performance. In contrast to custom silicon/co-processors and alternative hardware-based acceleration solutions, a high-speed software engine running directly on the main platform CPU creates a greatly simplified solution that is not only more cost-effective but also easier to manage.
References
1. Annual Threat Assessment of the US Intelligence Community for the Senate Select Committee on Intelligence, Dennis C. Blair, Director of National Intelligence, February 2, 2010.
2. Intel® and Xeon® are registered trademarks of Intel Corporation.
About Sensory Networks
Sensory Networks is a leading OEM provider of high performance network security acceleration technology. The company's NodalCore® hardware acceleration products include a broad range of chipsets, accelerated software libraries, PCI acceleration cards and appliance platforms for Antivirus, Antispam, Antispyware, Content Filtering, Firewalls and Intrusion Detection/Prevention systems. Sensory's products allow application developers and network equipment vendors to build higher performance, more accurate, broader coverage network security products without the substantial cost and risk associated with development of specialized hardware. Headquartered in Palo Alto, Calif., Sensory Networks has regional offices in London, Sydney and Beijing.