Load Balancing by Ruleset Partition for Parallel IDS on Multi-Core Processors

With increasing line speed and enlarging spectra of attacks, Intrusion Detection Systems (IDSes) have to move to multi-core platform to be able to keep up with the security risks. A major issue in this way is the issue of Load Balancing (LB). This problem has attracted some interests in the past years and flow based techniques have been proposed. However, flow based LB schemes cannot fully exploit the power of parallelism because of uneven flow space, duration and size distribution. Adaptive LB techniques that adapt the dispatching ratio among processors based on a prediction of flow volumes alleviate the problem but they are far from solving it, as these methods are still intrinsically flow based. In this paper we tackle the load balancing from another dimension. In place of flow based LB schemes, we propose Ruleset Partition Balancing (RPB) to split the load among cores. By doing this we show that load balancing does not anymore depend on traffic characteristics and that RPB results in a more even load balancing than previous techniques. Moreover, as rule partitioning is done offline there is no additional overhead in RPB operation. We present in this paper a simple methodology to partition the ruleset for RPB. It consists of organizing the ruleset into a Linked Rule Array (LRA) data structure and applying to it a Leaf Pruning (LP) strategy. In order to evaluate the scalability and performance of RPB, we have integrated it into the Suricata IDS. Experimental results using real world ruleset and traffic traces with realistic uneven flow distribution, show that the load balancing problem is fully resolved by RPB and that compared with existing flow based LB schemes, the throughput is increased by 42%. KeywordsIntrusion detection system; Suricata; load balancing; multi-core; software pipeline