2-STEP POWER SCHEDULING WITH

ADAPTIVE CONTROL INTERVAL FOR

NETWORK INTRUSION DETECTION

SYSTEM ON MULTICORES

Lau Phi Tuong, Keiji Kimura

Department of Computer Science and Engineering

Waseda University, Tokyo, Japan

2016 September 22nd

2016/9/22 MCSoC-16 Lyon France 1

Network Security and Power

Consumption in NIDS • Because of the global accessibility of the Internet, cyber

attackers try to send malicious code throughout the

Internet.

• Network intrusion detection system (NIDS) is widely used

to monitor malicious activities from network.

• The performance issue of NIDS on multicores has been

well-studied. However, NIDS on smart devices consumes

a lot of power.

2016/9/22 MCSoC-16 Lyon France 2

NIDS in data centers

• NIDS captures packets at routers and sends notifications

to an administrator in case of malicious packets.

2016/9/22 MCSoC-16 Lyon France 3

Router

File

server

Firewall

Internet

Bank

server

Mail

server B u s

NIDS

Power Control for Various Systems

• Reducing voltage supply or clock frequency to reduce

power consumption. 𝑃𝑜𝑤𝑒𝑟 = 𝐶 ∗ 𝑉2 ∗ 𝑓

Adjusting the clock frequency based on the deadline of real-time

applications. For instance,

The MPEG movie player has the fixed deadline of 30ms.

For network controller devices, adjusting the clock frequency or

voltage supply based on network traffic.

Scheduling DVFS among servers in data centers based on

workloads of servers.

2016/9/22 MCSoC-16 Lyon France 4

Our Work

• 2-step power scheduling with adaptive control interval for

NIDSs.

Dynamically control both of clock frequency and scheduling interval.

Applicable for both of low and big network traffic with low overhead.

• A core-controlling algorithm

Assign the appropriate number of cores, especially, for embedded

systems multiplexing multiple applications.

2016/9/22 MCSoC-16 Lyon France 5

Suricata architecture

• Suricata is a real-time NIDS designed with multithreads.

Stream: streaming packets receiving from network

Decode: decoding packets after streaming

Detection: multiple packet detection are posed to multicores

Output: output alerts of malicious packets to log files

• It uses the signature-based detection. That is, it just can

detect known attacks from known rules.

2016/9/22 MCSoC-16 Lyon France 6

Stream Decode Detection

Detection

Detection

Output

2-Step Power Scheduling Technique

• There are two steps to schedule power budget during

running Suricata.

2016/9/22 MCSoC-16 Lyon France 7

Packet n

Packet 2

Packet 1

Stream Decode Detection

Detection

Detection

Output

Step 2

Step 1

Step 1: Assign the feasible clock

frequency after each control interval

Step 2: Adjust the clock

frequency to meet control interval

Step 1: Calculate Clock Frequency

• x is the number of received packets from network.

• is the processing time of its own packet.

• The total processing time of all ones as the expression (1).

• Deriving (1) to give (2) below:

• is the average processing time of a packet.

2016/9/22 MCSoC-16 Lyon France 8

deadlinemean

feasible

xi

i

i

feasible

TTf

xTf

*1

**1

1

i

xi

i

i TTTT

...21

1

iT

(1)

(2)

meanT

Step 1: Calculate Control Interval

2016/9/22 MCSoC-16 Lyon France 9

• Network is unstable. Hence, recording past buffers to

predict the real network traffic exactly.

Real network traffic is tending to increase, reducing the control

interval.

Real network traffic is tending to decrease, increasing the control

interval.

-10

10

30

50

-10

10

30

50

Control Interval

Unstable

point

deadlineT

Big Traffic Low Traffic

An Example in Step 1

• Assume that an interval of 30ms, the average processing cost of a packet is 50us, and 1000 received packets. Hence, the total processing cost is 50us*1000 = 50000us = 50ms.

• The feasible clock frequency = 50ms/30ms ~ 1.6GHz per one core (200MHz < 1.6GHz < 2.0GHz). For n cores, then f = 1.6/n GHz.

• This clock frequency is not the most feasible because it depends on types of packets.

2016/9/22 MCSoC-16 Lyon France 10

feasiblemean

deadline

fTT

x *1

* )0.2200( GHzfMHz feasible

The Case of Benign Packets

• Benign packets take a little time to process.

• Assume that 1000 benign packets and each costs 5us,

the total processing cost is 1000*5us = 5ms. Hence,

The most feasible clock frequency should be 5ms/30ms = 0.16GHz

= 160MHz < 200MHz, so it should be 200MHz.

In this case, power budget can be reduced to the minimum of

200MHz instead of using 1.6GHz.

2016/9/22 MCSoC-16 Lyon France 11

The Case of Malicious Packets

• Malicious packets take much time to process.

• Assuming that 1000 malicious packets and each cost

100us, the total processing cost is 1000*100us =

100000us = 100ms.

The most feasible clock frequency should be 100ms/30ms =

3.3GHz > 2.0GHz, so it should be 2.0GHz.

In this case, it causes performance degradation by switching

to 1.6GHz.

2016/9/22 MCSoC-16 Lyon France 12

We need a second step to adjust the

clock frequency.

Step 2: Adjust Clock Frequency

• Adjusting the clock frequency at the packet detection

phase for two reasons:

Increasing clock frequency to meet the deadline constraint.

Decreasing clock frequency to reduce power consumption

minimally.

• Adjusting the clock frequency based on two points:

The current processing time of all received packets and the control

interval.

How many received packets have been processed during the

control interval.

2016/9/22 MCSoC-16 Lyon France 13

Don’t Switch Clock Frequency

• Do not switch the clock frequency.

50% processed packets while the current processing time of them

is less than a half of the control interval.

2016/9/22 MCSoC-16 Lyon France 14

50% processed packets 50% control interval

Control interval

Current processing time

Clock frequency

Switch Clock Frequency

2016/9/22 MCSoC-16 Lyon France 15

50% processed

packets

50% control

interval

Control

interval

Current

processing time

Clock

frequency

100% processed

packets

Control

interval

Current

processing time

Clock

frequency

Acceptable

interval

50% control

interval

Increasing the clock frequency

to maintain performance

Switching to the

minimum clock frequency

Core-Controlling Algorithm

• More applications run on the same core causes the

overhead.

• When multiplexing programs and NIDS run on the same

device:

NIDS and multiplexing programs are scheduled to different cores to

ensure the performance capability of them.

2016/9/22 MCSoC-16 Lyon France 16

Test Environment

• Hardware ODROID XU3 board (4 big ARM Cortex-A15 2.0GHz, 4 small ARM

Cortex-A7 1.4GHz).

• Software Ubuntu 15.04 mate ODROID-XU3 operating system.

Suricata 2.0.8.

• Measurement Read the power value of ODROID-XU3 board throughout

/sys/dev/system/cpu/cpu0/.

Evaluate 2-step power scheduling with adaptive interval compared with the fixed interval technique, the Performance and the Ondemand governor in Linux.

2016/9/22 MCSoC-16 Lyon France 17

Big Cortex-A15: Low Traffic

• Reducing an average of 87% power consumption by

using the fixed and adaptive mechanism compared with

the Performance governor of Linux on 1, 2, 3, 4 cores.

• The performance is the same by using all techniques.

2016/9/22 MCSoC-16 Lyon France 18

Network traffic 1,000 packets/seconds

87%

reduction

Big Cortex-A15: Big Traffic

• The fixed 30ms and 2-step with adaptive control interval

are the most effective techniques.

• The performance is the same by using all techniques.

2016/9/22 MCSoC-16 Lyon France 19

Network traffic 10,000 packets/seconds

70%

reduction 30%

reduction

Big Cortex-A15: Big Traffic

• The performance is violated seriously by using the fixed

interval on 1, 2, and 3 cores.

• 1-step adaptive technique violates the performance on 2

and 3 cores.

2016/9/22 MCSoC-16 Lyon France 20

Network traffic 17,000 packets/seconds

Small Cortex-A17: Low Traffic

• Fixed 30ms and 2-step adaptive obtain the best optimal

power consumption compared with other techniques.

• The performance is the same by using all techniques.

2016/9/22 MCSoC-16 Lyon France 21

Network traffic 1,000 packets/seconds

87%

reduction

Small Cortex-A17: Big Traffic

• The performance is seriously violated by using the fixed

interval techniques on 1, 2, 3, 4 cores.

• 2-step adaptive reduces power consumption and maintain

the performance.

2016/9/22 MCSoC-16 Lyon France 22

Network traffic 5,000 packets/seconds 60%

reduction

Suricata and Multiplexing Program

• 2-step with adaptive interval has less power consumption

than the Ondemand governor.

• The performance of Suricata is the same by using two

techniques.

2016/9/22 MCSoC-16 Lyon France 23

Governor scaling Performance

(packets/seconds)

Ondemand 10,122

2-step adaptive 10,067

Network traffic 10,000 packets/seconds

Conclusion

• NIDS is widely used to monitor network in embedded

platforms and data centers.

• The proposed technique:

2-step power scheduling with adaptive control interval.

Core controlling when multiplexing applications and NIDS run on

the same device.

• 2-step power scheduling with adaptive control interval

achieves:

87% power reduction on big ARM Cortex-A17 and small ARM

Cortex-A15 at network traffic 1,000 packets/seconds compared

with the Performance governor in Linux on 4 cores.

2016/9/22 MCSoC-16 Lyon France 24