Intrusion prevention systems (IPSs), which analyze network traffic to detect signs of malicious activity, are a long-standing cornerstone of network security. Nowadays, the combination of advanced, targeted online threats and increasing bandwidth usage is making existing tools increasingly ineffective. In order to cope with the large amounts of data moved by network links, current IPSs limit themselves to simple threat detection strategies which match each network flow against a set of attack signatures. This approach is fragile and limited in expressiveness: signatures can be often evaded by small tweaks in the attack strategy, and fail to capture various classes of attacks altogether.

In my talk I will describe the design of a flexible IPS platform which supports complex threat detection strategies, while satisfying the performance requirement through parallelization. In particular, my work proposes a domain-specific concurrency model, in which a work scheduler partitions network traffic into subsets that can be analyzed independently for threat detection purposes. This scheduler drives a multi-threaded IPS in which concurrent threads always process independent slices of network traffic, making synchronization and inter-thread communication unnecessary. The system uses a novel program analysis technique to automatically generate a suitable work scheduler given any user-defined threat detection algorithm. This makes parallelization general and fully transparent to the operator.

In the second part of my talk I will provide an overview of another relevant contribution of my Ph.D. work: a programmable dataflow-based hardware accelerator for inspection and forwarding of network traffic.