2-step power scheduling with adaptive …laulpt/img/mcsoc16_lyon...suricata and multiplexing program...
TRANSCRIPT
2-STEP POWER SCHEDULING WITH
ADAPTIVE CONTROL INTERVAL FOR
NETWORK INTRUSION DETECTION
SYSTEM ON MULTICORES
Lau Phi Tuong, Keiji Kimura
Department of Computer Science and Engineering
Waseda University, Tokyo, Japan
2016 September 22nd
2016/9/22 MCSoC-16 Lyon France 1
Network Security and Power
Consumption in NIDS • Because of the global accessibility of the Internet, cyber
attackers try to send malicious code throughout the
Internet.
• Network intrusion detection system (NIDS) is widely used
to monitor malicious activities from network.
• The performance issue of NIDS on multicores has been
well-studied. However, NIDS on smart devices consumes
a lot of power.
2016/9/22 MCSoC-16 Lyon France 2
NIDS in data centers
• NIDS captures packets at routers and sends notifications
to an administrator in case of malicious packets.
2016/9/22 MCSoC-16 Lyon France 3
Router
File
server
Firewall
Internet
Bank
server
server B u s
NIDS
Power Control for Various Systems
• Reducing voltage supply or clock frequency to reduce
power consumption. 𝑃𝑜𝑤𝑒𝑟 = 𝐶 ∗ 𝑉2 ∗ 𝑓
Adjusting the clock frequency based on the deadline of real-time
applications. For instance,
The MPEG movie player has the fixed deadline of 30ms.
For network controller devices, adjusting the clock frequency or
voltage supply based on network traffic.
Scheduling DVFS among servers in data centers based on
workloads of servers.
2016/9/22 MCSoC-16 Lyon France 4
Our Work
• 2-step power scheduling with adaptive control interval for
NIDSs.
Dynamically control both of clock frequency and scheduling interval.
Applicable for both of low and big network traffic with low overhead.
• A core-controlling algorithm
Assign the appropriate number of cores, especially, for embedded
systems multiplexing multiple applications.
2016/9/22 MCSoC-16 Lyon France 5
Suricata architecture
• Suricata is a real-time NIDS designed with multithreads.
Stream: streaming packets receiving from network
Decode: decoding packets after streaming
Detection: multiple packet detection are posed to multicores
Output: output alerts of malicious packets to log files
• It uses the signature-based detection. That is, it just can
detect known attacks from known rules.
2016/9/22 MCSoC-16 Lyon France 6
Stream Decode Detection
Detection
Detection
Output
2-Step Power Scheduling Technique
• There are two steps to schedule power budget during
running Suricata.
2016/9/22 MCSoC-16 Lyon France 7
Packet n
Packet 2
Packet 1
Stream Decode Detection
Detection
Detection
Output
Step 2
Step 1
Step 1: Assign the feasible clock
frequency after each control interval
Step 2: Adjust the clock
frequency to meet control interval
Step 1: Calculate Clock Frequency
• x is the number of received packets from network.
• is the processing time of its own packet.
• The total processing time of all ones as the expression (1).
• Deriving (1) to give (2) below:
• is the average processing time of a packet.
2016/9/22 MCSoC-16 Lyon France 8
deadlinemean
feasible
xi
i
i
feasible
TTf
xTf
*1
**1
1
i
xi
i
i TTTT
...21
1
iT
(1)
(2)
meanT
Step 1: Calculate Control Interval
2016/9/22 MCSoC-16 Lyon France 9
• Network is unstable. Hence, recording past buffers to
predict the real network traffic exactly.
Real network traffic is tending to increase, reducing the control
interval.
Real network traffic is tending to decrease, increasing the control
interval.
-10
10
30
50
-10
10
30
50
Control Interval
Unstable
point
deadlineT
Big Traffic Low Traffic
An Example in Step 1
• Assume that an interval of 30ms, the average processing cost of a packet is 50us, and 1000 received packets. Hence, the total processing cost is 50us*1000 = 50000us = 50ms.
• The feasible clock frequency = 50ms/30ms ~ 1.6GHz per one core (200MHz < 1.6GHz < 2.0GHz). For n cores, then f = 1.6/n GHz.
• This clock frequency is not the most feasible because it depends on types of packets.
2016/9/22 MCSoC-16 Lyon France 10
feasiblemean
deadline
fTT
x *1
* )0.2200( GHzfMHz feasible
The Case of Benign Packets
• Benign packets take a little time to process.
• Assume that 1000 benign packets and each costs 5us,
the total processing cost is 1000*5us = 5ms. Hence,
The most feasible clock frequency should be 5ms/30ms = 0.16GHz
= 160MHz < 200MHz, so it should be 200MHz.
In this case, power budget can be reduced to the minimum of
200MHz instead of using 1.6GHz.
2016/9/22 MCSoC-16 Lyon France 11
The Case of Malicious Packets
• Malicious packets take much time to process.
• Assuming that 1000 malicious packets and each cost
100us, the total processing cost is 1000*100us =
100000us = 100ms.
The most feasible clock frequency should be 100ms/30ms =
3.3GHz > 2.0GHz, so it should be 2.0GHz.
In this case, it causes performance degradation by switching
to 1.6GHz.
2016/9/22 MCSoC-16 Lyon France 12
We need a second step to adjust the
clock frequency.
Step 2: Adjust Clock Frequency
• Adjusting the clock frequency at the packet detection
phase for two reasons:
Increasing clock frequency to meet the deadline constraint.
Decreasing clock frequency to reduce power consumption
minimally.
• Adjusting the clock frequency based on two points:
The current processing time of all received packets and the control
interval.
How many received packets have been processed during the
control interval.
2016/9/22 MCSoC-16 Lyon France 13
Don’t Switch Clock Frequency
• Do not switch the clock frequency.
50% processed packets while the current processing time of them
is less than a half of the control interval.
2016/9/22 MCSoC-16 Lyon France 14
50% processed packets 50% control interval
Control interval
Current processing time
Clock frequency
Switch Clock Frequency
2016/9/22 MCSoC-16 Lyon France 15
50% processed
packets
50% control
interval
Control
interval
Current
processing time
Clock
frequency
100% processed
packets
Control
interval
Current
processing time
Clock
frequency
Acceptable
interval
50% control
interval
Increasing the clock frequency
to maintain performance
Switching to the
minimum clock frequency
Core-Controlling Algorithm
• More applications run on the same core causes the
overhead.
• When multiplexing programs and NIDS run on the same
device:
NIDS and multiplexing programs are scheduled to different cores to
ensure the performance capability of them.
2016/9/22 MCSoC-16 Lyon France 16
Test Environment
• Hardware ODROID XU3 board (4 big ARM Cortex-A15 2.0GHz, 4 small ARM
Cortex-A7 1.4GHz).
• Software Ubuntu 15.04 mate ODROID-XU3 operating system.
Suricata 2.0.8.
• Measurement Read the power value of ODROID-XU3 board throughout
/sys/dev/system/cpu/cpu0/.
Evaluate 2-step power scheduling with adaptive interval compared with the fixed interval technique, the Performance and the Ondemand governor in Linux.
2016/9/22 MCSoC-16 Lyon France 17
Big Cortex-A15: Low Traffic
• Reducing an average of 87% power consumption by
using the fixed and adaptive mechanism compared with
the Performance governor of Linux on 1, 2, 3, 4 cores.
• The performance is the same by using all techniques.
2016/9/22 MCSoC-16 Lyon France 18
Network traffic 1,000 packets/seconds
87%
reduction
Big Cortex-A15: Big Traffic
• The fixed 30ms and 2-step with adaptive control interval
are the most effective techniques.
• The performance is the same by using all techniques.
2016/9/22 MCSoC-16 Lyon France 19
Network traffic 10,000 packets/seconds
70%
reduction 30%
reduction
Big Cortex-A15: Big Traffic
• The performance is violated seriously by using the fixed
interval on 1, 2, and 3 cores.
• 1-step adaptive technique violates the performance on 2
and 3 cores.
2016/9/22 MCSoC-16 Lyon France 20
Network traffic 17,000 packets/seconds
Small Cortex-A17: Low Traffic
• Fixed 30ms and 2-step adaptive obtain the best optimal
power consumption compared with other techniques.
• The performance is the same by using all techniques.
2016/9/22 MCSoC-16 Lyon France 21
Network traffic 1,000 packets/seconds
87%
reduction
Small Cortex-A17: Big Traffic
• The performance is seriously violated by using the fixed
interval techniques on 1, 2, 3, 4 cores.
• 2-step adaptive reduces power consumption and maintain
the performance.
2016/9/22 MCSoC-16 Lyon France 22
Network traffic 5,000 packets/seconds 60%
reduction
Suricata and Multiplexing Program
• 2-step with adaptive interval has less power consumption
than the Ondemand governor.
• The performance of Suricata is the same by using two
techniques.
2016/9/22 MCSoC-16 Lyon France 23
Governor scaling Performance
(packets/seconds)
Ondemand 10,122
2-step adaptive 10,067
Network traffic 10,000 packets/seconds
Conclusion
• NIDS is widely used to monitor network in embedded
platforms and data centers.
• The proposed technique:
2-step power scheduling with adaptive control interval.
Core controlling when multiplexing applications and NIDS run on
the same device.
• 2-step power scheduling with adaptive control interval
achieves:
87% power reduction on big ARM Cortex-A17 and small ARM
Cortex-A15 at network traffic 1,000 packets/seconds compared
with the Performance governor in Linux on 4 cores.
2016/9/22 MCSoC-16 Lyon France 24