
Background:

High-performance network intrusion detection systems (NIDSes) are gaining popularity as
network bandwidth rapidly increases. As a traditional perimeter defense, NIDSes oversee all
the network activity on a given network and alert the network administrators if suspicious
intrusion attempts are detected. As the edge network bandwidth of large enterprises and
campuses expands to 10+ Gbps over time, the demand for high-throughput intrusion detection
keeps increasing.
Many existing NIDSes adopt customized FPGA/ASIC hardware to meet the high performance
requirements. While these systems offer monitoring throughputs of 10+ Gbps, it is often very
challenging to configure and adapt such systems to varying network conditions. For example,
moving an FPGA application to a new device requires non-trivial modification of the hardware
logic even if we retain the same application semantics. In addition, specialized hardware often
entails high costs and a long development cycle.

Goal:
While many high-performance intrusion detection systems (IDSes) employ dedicated network
processors or special memory to meet the demanding performance requirements, this often
increases the cost and limits functional flexibility. In contrast, existing software-based IDS stacks
fail to achieve a high throughput despite modern hardware innovations such as multicore CPUs,
manycore GPUs, and 10 Gbps network cards that support multiple hardware queues, and they
struggle to cope with the resulting complexity.

Research Problem:
However, these hardware-based approaches limit the operational flexibility as well as increase
the cost. In contrast, software-based IDSes on commodity PCs lessen the cost burden and can
extend their functionality and adopt new matching algorithms easily. However, the system
architecture of the existing software stacks does not guarantee high performance, and a large
number of GPU cores consumes a significant amount of power.

Claimed Contribution:
Two basic techniques that we employ for high performance are (i) batch processing and (ii)
parallel execution with an intelligent load balancing algorithm, as elaborated next. First, we
extensively apply batch processing from packet reception and flow management all the way to
pattern matching. Fetching multiple packets from a NIC at a time significantly reduces per-packet
reception (RX) overhead and allows a high input rate of up to 40 Gbps even for minimum-sized
packets. In addition, in Kargus, each pattern matching function handles a batch of packets
at a time. This function call batching allows efficient usage of the CPU cache and reduces repeated
function call overheads, as well as improving GPU utilization for pattern matching.

Second, we seek high processing parallelism by balancing the load of flow processing and
pattern matching across multiple CPU and GPU cores. We configure NICs to divide the
incoming packets by their corresponding flows into the queues affinitized to different CPU cores,
and have each CPU core process the packets in the same flow without any lock contention. We
also devise a load balancing algorithm that selectively offloads pattern matching tasks to GPU
only if CPU is under heavy computation stress.
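The dispatch path described above, as an added model written for this summary rather than code from Kargus itself: a symmetric flow hash keeps both directions of a connection on one core (no lock contention), packets are pulled from the per-core queue in batches, and a batch is only handed to the GPU matcher when that core's load estimate is above a threshold. The names `Dispatcher`, `symmetric_hash`, `BATCH_SIZE` and `OFFLOAD_THRESHOLD` and the load values are assumptions for illustration.

```python
import hashlib
from collections import defaultdict

# Constructed model of the Kargus dispatch path; not the paper's code.
BATCH_SIZE = 4            # packets fetched from one NIC queue per RX call
OFFLOAD_THRESHOLD = 0.75  # assumed CPU utilisation above which batches go to the GPU

def symmetric_hash(src_ip, dst_ip, src_port, dst_port, num_cores):
    """Map both directions of a flow to the same core, as a symmetric
    RSS-style NIC configuration would, by ordering endpoints before hashing."""
    a, b = sorted([(src_ip, src_port), (dst_ip, dst_port)])
    key = f"{a[0]}:{a[1]}|{b[0]}:{b[1]}".encode()
    return int.from_bytes(hashlib.sha256(key).digest()[:4], "big") % num_cores

class Dispatcher:
    def __init__(self, num_cores):
        self.num_cores = num_cores
        self.queues = defaultdict(list)    # per-core RX queue (flow-affinitized)
        self.cpu_load = [0.0] * num_cores  # constructed utilisation estimate per core

    def receive(self, pkt):
        """NIC side: steer the packet into the queue owned by its flow's core."""
        core = symmetric_hash(pkt["src"], pkt["dst"], pkt["sport"], pkt["dport"],
                              self.num_cores)
        self.queues[core].append(pkt)
        return core

    def drain(self, core):
        """Core side: take up to BATCH_SIZE packets in one call (batched RX) and
        choose, per batch, whether pattern matching runs on this CPU core or is
        offloaded to the GPU because the core is already under stress."""
        q = self.queues[core]
        batch, self.queues[core] = q[:BATCH_SIZE], q[BATCH_SIZE:]
        if not batch:
            return None
        matcher = "gpu" if self.cpu_load[core] > OFFLOAD_THRESHOLD else "cpu"
        return {"core": core, "size": len(batch), "matcher": matcher}
```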

Evaluation:
Our evaluation shows that Haetae achieves up to 79.3 Gbps for synthetic traffic or 48.5 Gbps for
real packet traces. Our system outperforms the best-known GPU-based NIDS by 2.4 times and
the best-performing MCP-based system by 1.7 times. In addition, Haetae is 5.8 times more
power efficient than the state-of-the-art GPU-based NIDS. On a synthetic HTTP workload and in
terms of power consumption, Haetae is much more efficient.

Conclusion:
Compared with MIDeA, a GPU-accelerated multicore IDS engine, Kargus shows a factor of 1.9
to 4.3 performance improvement by the per-CPU-cycle metric. We analyze the performance
bottleneck at each stage of packet handling: packet capture, pattern matching, and load balancing
across CPU and GPU.

Assessment:
High-performance IDS engines often meet these challenges with dedicated network processors
or special pattern matching memory. The most widely used software IDS is unable to read the
network packets. Processing with the CPU is preferable in terms of latency and power usage.
Q. What are Kargus's two major ideas?
Ans: The most popular software IDS, Snort, are two major ideas of Kargus.
Q. Which software does it utilize?
Ans: CPU, GPUs, NUMA, NICs.
Adapt resource usage based on input rate.
Q. How does it shape the research?
Ans: Each thread on the multi-threaded parallel architecture runs on a separate pipeline.
Workload:

Synthetic workload
