PAMO: Pattern Matching Offload for Intrusion Detection Systems
Lukáš Šišmiš, Colin Evrard, Etienne Rivière, Tom Barbette
This week I am presenting PAMO, a modified version of the industry-grade Suricata IDS that offloads pattern matching to the RegEx engine (RXP) of the BlueField 2.
We first review and analyse the internals of an IDS, focusing on Suricata with the help of one of its maintainers, Lukáš Šišmiš, who did a six-month exchange with us at UCLouvain (and kept working on it afterwards, as the job turned out to be much bigger than initially envisioned).

We then benchmarked what the RegEx engine itself is capable of.

The answer: 51 Gbps with large packets and not too many rules (we used the widely deployed Emerging Threats ruleset). Still, the RXP engine, driven from the ARM cores of the BlueField, is a huge help: it relieves the equivalent of 6 or 7 x86 cores.

But the reality is that an IDS is far from being only about rule matching: an industry-grade IDS does a lot of complex processing just to decide which rules should be evaluated at all.
After many challenges, we evaluate PAMO on a real trace, using a window-based mechanism that speeds up replay by running several traces in parallel while leaving temporal features untouched.

While we reduce the CPU processing time of the payload prefilter to peanuts, driving the RXP has its own cost, which brings the improvement of that stage to 6x. As we can't beat Amdahl's law, the end-to-end result is a 40% performance increase (measured with one core).
Perhaps the most interesting result is how PAMO improves the performance of Suricata on the BlueField 2 itself. In that mode the IDS runs entirely on the NIC. As the ARM cores are weaker, the offloaded share weighs more and the improvement reaches 70%.
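To make the Amdahl's law remark concrete, here is a small added example (written for this post, not code from the PAMO paper or from Suricata) that plugs the numbers above into Amdahl's law and inverts it: given a 6x speedup of the prefilter stage and a 1.4x end-to-end gain, what share of Suricata's per-packet work must the payload prefilter have represented, and how far could that share alone ever take us? The 6x figure is quoted for the x86 measurement; applying the same stage speedup to the 1.7x ARM result is an assumption of this example, made only to illustrate how a slower host changes the picture.

```python
# Added example, not part of the PAMO paper or Suricata: Amdahl's law applied to the
# speedups quoted in the post. All inputs below are the post's numbers; reusing the
# 6x stage speedup for the ARM case is an assumption made for illustration only.


def amdahl_speedup(fraction: float, stage_speedup: float) -> float:
    """Overall speedup when a share `fraction` of the work is sped up by `stage_speedup`."""
    if not 0.0 <= fraction <= 1.0:
        raise ValueError("fraction must lie within [0, 1]")
    if stage_speedup <= 0.0:
        raise ValueError("stage_speedup must be positive")
    return 1.0 / ((1.0 - fraction) + fraction / stage_speedup)


def implied_fraction(overall_speedup: float, stage_speedup: float) -> float:
    """Invert Amdahl's law: the share of the work that was accelerated, given the
    measured end-to-end speedup and the speedup of the accelerated stage alone."""
    if overall_speedup < 1.0 or stage_speedup <= 1.0:
        raise ValueError("both speedups must be > 1 for the inversion to be meaningful")
    if overall_speedup > stage_speedup:
        # Accelerating one stage by s can never speed the whole up by more than s.
        raise ValueError("overall speedup cannot exceed the stage speedup")
    return (1.0 - 1.0 / overall_speedup) / (1.0 - 1.0 / stage_speedup)


def max_speedup(fraction: float) -> float:
    """Ceiling on the end-to-end speedup if the accelerated stage became free."""
    return 1.0 / (1.0 - fraction) if fraction < 1.0 else float("inf")


if __name__ == "__main__":
    STAGE = 6.0   # prefilter improvement quoted in the post, RXP cost included
    X86 = 1.40    # end-to-end gain on one x86 core quoted in the post
    ARM = 1.70    # end-to-end gain with Suricata running on the BlueField 2 ARM cores
    for label, overall in (("x86, one core", X86), ("BlueField 2 ARM (assumes same 6x)", ARM)):
        p = implied_fraction(overall, STAGE)
        print(f"{label}: prefilter ~{p:.0%} of the work; "
              f"ceiling with a free prefilter = {max_speedup(p):.2f}x")
```

Running it shows the prefilter accounting for roughly a third of the per-packet work on x86 and about half on the ARM cores, which is exactly why the same offload pays off more on the weaker host. It also shows why 6x on the prefilter cannot translate into 6x overall: even a free prefilter would cap the x86 gain at about 1.5x.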

Come say hello at Middleware'25 in Nashville, or check out our paper!
