
Publication


Featured research published by Baohua Yang.


International Conference on Computer Communications | 2009

Packet Classification Algorithms: From Theory to Practice

Yaxuan Qi; Lianghong Xu; Baohua Yang; Yibo Xue; Jun Li

During the past decade, the packet classification problem has been widely studied to accelerate network applications such as access control, traffic engineering and intrusion detection. In our research, we found that although a great number of packet classification algorithms have been proposed in recent years, unfortunately most of them stagnate in mathematical analysis or software simulation stages and few of them have been implemented in commercial products as a generic solution. To fill the gap between theory and practice, in this paper, we propose a novel packet classification algorithm named HyperSplit. Compared to the well-known HiCuts and HSM algorithms, HyperSplit achieves superior performance in terms of classification speed, memory usage and preprocessing time. The practicability of the proposed algorithm is manifested by two facts in our test: HyperSplit is the only algorithm that can successfully handle all the rule sets; HyperSplit is also the only algorithm that reaches more than 6Gbps throughput on the Octeon3860 multi-core platform when tested with 64-byte Ethernet packets against 10K ACL rules.


Architectures for Networking and Communications Systems | 2007

Towards high-performance flow-level packet processing on multi-core network processors

Yaxuan Qi; Bo Xu; Fei He; Baohua Yang; Jianming Yu; Jun Li

There is a growing interest in designing high-performance network devices to perform packet processing at flow level. Applications such as stateful access control, deep inspection and flow-based load balancing all require efficient flow-level packet processing. In this paper, we present a design of high-performance flow-level packet processing system based on multi-core network processors. Main contribution of this paper includes: a) A high performance flow classification algorithm optimized for network processors; b) An efficient flow state management scheme leveraging memory hierarchy to support large number of concurrent flows; c) Two hardware-optimized order-preserving strategies that preserve internal and external per-flow packet order. Experimental results show that: a) The proposed flow classification algorithm, AggreCuts, outperforms the well-known HiCuts algorithm in terms of classification rate and memory usage; b) The presented SigHash scheme can manage over 10M concurrent flow states on the Intel IXP2850 NP with extremely low collision rate; c) The performance of internal packet order-preserving scheme using SRAM queue-array is about 70% of that of external packet order-preserving scheme realized by ordered-thread execution.


International Conference on Distributed Computing Systems Workshops | 2012

LiveSec: Towards Effective Security Management in Large-Scale Production Networks

Kai Wang; Yaxuan Qi; Baohua Yang; Yibo Xue; Jun Li

Network security has become an increasingly important yet challenging issue in present production networks. State-of-the-art solutions cannot meet the overall requirements of high-efficiency security, due to the complicated configuration demands, heavy network traffic and ever-increasing network scale. In this paper, we present LiveSec, a scalable and flexible security management architecture, which achieves holistic security protection with good scalability and flexibility in large-scale networks. LiveSec employs a new Access-Switching layer to provide: 1) interactive policy-enforcement that enables fine-grain control for the end-to-end traffic of network tenants or users, 2) distributed load-balancing that dynamically dispatches security workload over incrementally-deployed security service elements, 3) application-aware network visualization that helps to identify and locate security events, via live traffic monitoring and historical traffic replay. LiveSec has been deployed in Tsinghua University since December 2010. Currently, we are successfully supporting more than 50 users simultaneously (wireless and wired), and over 200 VM-based service elements.


Architectures for Networking and Communications Systems | 2011

SMILER: Towards Practical Online Traffic Classification

Baohua Yang; Guangdong Hou; Lingyun Ruan; Yibo Xue; Jun Li

Network traffic classification is extremely important in numerous network functions today. However, most of the current approaches based on port number or payload detection are becoming increasingly impractical with the appearance of dynamic or encrypted applications. Even though some supervised learning based work were proposed, it is difficult to collect sufficient flow-labeled traces for training. On the other hand, online classification needs an early identification, which is still challenging for most well-known approaches. In this paper, we propose a semi-supervised learning based traffic classification approach named SMILER, which supports an early classification from the sizes of the first few packets (empirically 5 packets) of a flow. Experiments in real networks demonstrate that SMILER achieves 94% precision and 96% recall on average for all tested applications, even with disordered packets SMILER still works well. With a hybrid scheme, the performance is further improved. Meanwhile, SMILER performs fast in both classification and updating. All experimental results show that SMILER is practical for fast and accurate online traffic classification.


IEEE Transactions on Computers | 2014

Practical Multituple Packet Classification Using Dynamic Discrete Bit Selection

Baohua Yang; Jeffrey Fong; Weirong Jiang; Yibo Xue; Jun Li

Multituple packet classification is one of the key technologies, and often the performance bottleneck in modern network devices. Devices such as firewalls demand fast packet classification on very complicated rule sets of large size, which is still challenging today. This paper proposes a practical packet classification algorithm named dynamic discrete bit selection (D2BS), which achieves high classification speed while requiring low storage. D2BS employs dynamic heuristic schemes at bit level, to explore the inherent characteristics of the rule sets. D2BS has been implemented on various platforms including Intel-architecture, multicore network processor, and FPGA, and is compared with the state-of-the-art solutions. Experimental results on real-life rule sets show that the memory storage required by D2BS is at least one to two orders of magnitude lower than that of the existing work, while the speed is much higher. With 64-byte Ethernet packet and 10K size ACL rule set, D2BS achieves a throughput over 10 Gbps on Cavium OCTEON CN5860 multicore network processor and over 135 Gbps on Xilinx Virtex-5 FPGA, which outperforms the existing work under the same test environment. All results promise that D2BS is a highly practical solution to satisfy vigorous requirements.


International Conference on Parallel and Distributed Systems | 2009

DBS: A Bit-level Heuristic Packet Classification Algorithm for High Speed Network

Baohua Yang; Xiang Wang; Yibo Xue; Jun Li

Packet classification is one of the most critical techniques in many network devices such as Firewall, IDS and IPS, etc. In order to meet the performance requirement for high speed Internet (even higher than 10 Gbps), practical algorithms must keep better spatial and temporal performance. Moreover, as the size of rule set is increasing to tens of thousands, novel packet classification algorithms must have good scalability. In this paper, we propose a novel packet classification algorithm named DBS (Discrete Bit Selection) which takes a bit level heuristic design to partition the rule set effectively. To the best of our knowledge, DBS is the first try to design a heuristic classification algorithm at bit-level. To evaluate the performance of our algorithm, DBS is deployed on a popular multi-core Network Processor platform, compared with two existing well-known algorithms. Experimental results show that DBS achieves 300% higher throughput than HiCuts and HSM, while the memory requirement is reduced to about 10% averagely. DBS works well especially with large rule set (10K), which trends a good scalability.


International Conference on Networking and Services | 2007

Towards System-level Optimization for High Performance Unified Threat Management

Yaxuan Qi; Baohua Yang; Bo Xu; Jun Li

To build holistic protection against complex and blended network threats, multiple security features need to be integrated into unified security architecture, which requires in a unified threat management (UTM). However, most existing UTMs operate by simply stringing together a number of security applications working independently without system level optimization that streamlines processing flow and leverages shared information and resources to reach high performance. In this paper, a generic framework is proposed to optimize the performance of UTMs at both algorithmic and architectural aspects by exploring the idea of integrated protocol processing (IPP). The algorithm proposed in this paper improves overall protocol processing complexity of ACL and IDS from Theta(log(M) + log(N)) to Theta(log(M + N)). Experiments on Intel IXP2850 network processor show that our scheme outperforms existing solutions with 30% increase of throughput.


International Conference on Parallel and Distributed Systems | 2009

Towards High-Performance Network Intrusion Prevention System on Multi-core Network Services Processor

Xiang Wang; Yaxuan Qi; Baohua Yang; Yibo Xue; Jun Li

Network intrusion prevention system (NIPS) becomes more complex due to the rapid growth of network bandwidth and requirement of network security. However existing solutions, either hardware-based or software-based cannot obtain a good tradeoff between performance and flexibility. In this paper, we propose a parallel NIPS architecture using emerging network services processor. To resolve the problems and bottlenecks of high-speed processing, we investigate the main design aspects which have dramatic impacts on most parallel network security system implementations: efficient and flexible pipeline and parallel processing, flow-level packet-order preserving, and latency hiding of deep packet inspection. To these key points, we address several optimizations and modifications with an architecture-aware design principle to guarantee high performance and flexibility of the NIPS on a network services processor implementation. Performance evaluation shows that, our prototype NIPS on Cavium OCTEON3860 processor can reach line-rate stateful inspection and multi-Gbps deep inspection performance.


2014 International Conference on Computing, Networking and Communications (ICNC) | 2014

Emilie: Enhance the power of traffic identification

Yiyang Shao; Baohua Yang; Jingjie Jiang; Yibo Xue; Jun Li

Network traffic identification has become more and more important in recent years. However, as the Internet backbone bandwidth continuously grows, traditional flow-based traffic identification methods gradually become impractical. In order to improve the performance of traffic identification, this paper proposes an ingenious and practical flow dispatching mechanism named Emilie, which intelligently predicts the elephant flows using only the first three packets of each flow. By discriminating mouse flows against elephant flows, methods with various complexity are utilized to identify the application-level protocol type of elephant and mouse flows separately. Emilie utilizes Machine Learning techniques to achieve high accuracy as well as keep fast speed in predicting elephant flows. Experimental results on real network traffic traces illustrate that around 88% precision, 85% recall and over 85% accuracy are gained on average, which is much better than existing solutions. To the best of our knowledge, this is the first practical and efficient work that supports inline elephant flow prediction. Flow dispatching based on Emilie empowers traffic identification systems to achieve both high accuracy and fast speed.


Architectures for Networking and Communications Systems | 2008

Towards effective network algorithms on multi-core network processors

Yaxuan Qi; Zongwei Zhou; Baohua Yang; Fei He; Yibo Xue; Jun Li

To build high-performance network devices with holistic security protection, a large number of algorithms have been proposed. However, multi-core implementation of the existing algorithms suffers from three limitations: performance instability, data-structure heterogeneity, and hardware dependency. In this paper, we propose three principles for effective network processing on multi-core network processors. To verify the effectiveness of these principles, algorithms for two typical network processing tasks are redesigned and implemented on the Cavium Octeon3860 network processor. Test results show that our schemes achieve superior performance in comparison with existing best-known algorithms.

Collaboration


Dive into Baohua Yang's collaboration.

Top Co-Authors

Jun Li

Tsinghua University

Fei He

Tsinghua University

Bo Xu

Tsinghua University

Xiang Wang

University of Science and Technology of China
