Networking stack abstraction for high-performance flow-processing middleboxes

The rise of network function virtualization (NFV) frameworks, along with the introduction of hardware innovations in commodity systems, has made software-based middleboxes much more relevant than hardware-based solutions. Software-based middleboxes are generally more flexible in terms of reconfigurability and adapt easily to the changes observed in network traffic over time. However, building a high-performance, stateful software-based middlebox remains challenging, because it is usually difficult to develop a networking system that derives optimal performance from state-of-the-art commodity hardware (including multi-queue NICs, many-core programmable GPUs, and processors based on non-uniform memory architectures). In short, there is still considerable room in the research domain for novel abstractions that help create efficient flow-processing software middleboxes on commodity computing hardware.

This dissertation first discusses how a commodity heterogeneous system is used to build a highly scalable software-based middlebox appliance: a network intrusion detection system (NIDS) called Kargus. Kargus is a stateful NIDS capable of monitoring network traffic on multi-10 Gbps networks. It employs multi-queue NICs, multi-core CPUs, and many-core graphics processing units (GPUs) for highly parallelizable operations. More specifically: (i) it batch-processes workload items from the network device layer all the way up to the application layer; (ii) it parallelizes pattern matching workloads across CPU and GPU cores; and (iii) it implements an adaptive resource usage algorithm that saves power at low input traffic rates. As a result of these optimizations, Kargus performs 1.9x to 4.3x faster than the prior state-of-the-art system.

The second half of the dissertation discusses the lessons we learned while developing Kargus with respect to high-speed network traffic flow management. First, designing a stateful middlebox (such as a NIDS) with efficient flow processing is challenging because it requires a deep understanding of TCP flow state management. Second, existing networking APIs only offer abstractions for developing endpoint applications and therefore lack proper flow-based programming constructs for stateful middlebox processing. Based on these lessons, we design and implement a networking stack that provides intuitive and elegant abstractions for building new middlebox applications. Our stack provides an API that allows developers to focus only on the core middlebox application logic (such as intrusion detection and firewalling) instead of implementing low-level TCP flow processing themselves. Under the hood, the core stack implements an efficient event-based system derived from mTCP, a high-performance user-level TCP/IP stack. We evaluate our stack and show that middlebox applications built on our subsystem reduce development effort significantly and incur negligible performance overhead.
Park, KyoungSoo (researcher)
Korea Advanced Institute of Science and Technology (KAIST): School of Electrical Engineering

Issue Date: 2017.2

Thesis (Ph.D.) - Korea Advanced Institute of Science and Technology: School of Electrical Engineering, 2017.2, [viii, 102 p.]


Keywords: intrusion detection systems; stateful middleboxes; networked systems; network security; computer security
