Intrusion prevention systems (IPSs), which analyze network traffic to
detect signs of malicious activity, are a long-standing cornerstone of
network security. Nowadays, the combination of advanced, targeted
online threats and increasing bandwidth usage is making existing tools
increasingly ineffective. In order to cope with the large amounts of
data moved by network links, current IPSs limit themselves to simple
threat detection strategies which match each network flow against a
set of attack signatures. This approach is fragile and limited in
expressiveness: signatures can often be evaded by small tweaks in the
attack strategy, and fail to capture various classes of attacks
altogether.

In my talk I will describe the design of a flexible IPS platform which
supports complex threat detection strategies, while satisfying the
performance requirement through parallelization. In particular, my
work proposes a domain-specific concurrency model, in which a work
scheduler partitions network traffic into subsets that can be analyzed
independently for threat detection purposes. This scheduler drives a
multi-threaded IPS in which concurrent threads always process
independent slices of network traffic, making synchronization and
inter-thread communication unnecessary. The system uses a novel
program analysis technique to automatically generate a suitable work
scheduler given any user-defined threat detection algorithm. This
makes parallelization general and fully transparent to the operator.
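To make the concurrency model above concrete, here is an added illustration (not code from the talk or the system it describes) of a work scheduler that partitions traffic so that each worker's detection state stays private. The talk derives the partitioning key automatically from the detection algorithm by program analysis; this example instead chooses the key by hand (a hypothetical `source_key`, because the toy port-scan detector indexes its state by source host) and adds a `partition_is_sound` check that verifies the no-shared-state invariant. All traffic is constructed sample data.

```python
from collections import defaultdict
from dataclasses import dataclass
import hashlib


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "tcp"


def flow_key(pkt):
    """Direction-independent 5-tuple: both halves of a connection share one key."""
    a, b = (pkt.src, pkt.sport), (pkt.dst, pkt.dport)
    lo, hi = (a, b) if a <= b else (b, a)
    return (pkt.proto, lo, hi)


def source_key(pkt):
    """Coarser key (assumed here): all traffic from one source host lands in one slice."""
    return pkt.src


def slice_id(key, n_workers):
    # Stable digest rather than Python's hash(), which is salted per process.
    digest = hashlib.blake2b(repr(key).encode(), digest_size=8).digest()
    return int.from_bytes(digest, "big") % n_workers


def schedule(packets, n_workers, key_fn):
    """Partition packets into n_workers slices; equal keys always share a slice."""
    slices = [[] for _ in range(n_workers)]
    for p in packets:
        slices[slice_id(key_fn(p), n_workers)].append(p)
    return slices


def partition_is_sound(slices, key_fn):
    """True iff no key is split across two slices, i.e. workers never share state."""
    owner = {}
    for i, s in enumerate(slices):
        for p in s:
            if owner.setdefault(key_fn(p), i) != i:
                return False
    return True


def detect_scans(packets, threshold):
    """Per-worker detector: flag a source contacting more than `threshold`
    distinct (dst, dport) pairs. State is a plain dict local to this worker,
    so no locks or inter-thread messages are needed."""
    targets = defaultdict(set)
    for p in packets:
        targets[p.src].add((p.dst, p.dport))
    return {src for src, t in targets.items() if len(t) > threshold}


def run_ips(packets, n_workers, threshold):
    """Schedule by the key the detector's state is indexed on, run each slice
    independently, and union the per-worker verdicts."""
    slices = schedule(packets, n_workers, source_key)
    if not partition_is_sound(slices, source_key):
        raise RuntimeError("scheduler key does not cover detector state")
    flagged = set()
    for s in slices:
        flagged |= detect_scans(s, threshold)
    return flagged


# Constructed sample traffic: one host probing 16 ports, one benign web client.
SAMPLE = (
    [Packet("10.0.0.5", "10.0.0.9", 40000 + i, 20 + i) for i in range(16)]
    + [
        Packet("10.0.0.7", "10.0.0.9", 51000, 80),
        Packet("10.0.0.9", "10.0.0.7", 80, 51000),   # reply direction
        Packet("10.0.0.7", "10.0.0.9", 51001, 443),
    ]
)

if __name__ == "__main__":
    print(run_ips(SAMPLE, 4, 10))
```

The key is what ties the scheduler to the analysis: a per-flow detector can be scheduled by `flow_key`, but a detector whose state spans flows from one host needs the coarser `source_key`, otherwise the same host's packets may be split across workers and the count silently undershoots. `partition_is_sound` is the runtime check for that mismatch.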

In the second part of my talk I will provide an overview of another
relevant contribution of my Ph.D. work: a programmable dataflow-based
hardware accelerator for inspection and forwarding of network traffic.