Result Details

PAMO: Pattern Matching Offload for Intrusion Detection Systems

Šišmiš Lukáš, Evrard Colin, Rivière Etienne, Barbette Tom. PAMO: Pattern Matching Offload for Intrusion Detection Systems. Proceedings of the 26th International Middleware Conference. New York, NY, USA: ACM, 2025. p. 140-152.
Type
conference paper
Language
English
Authors
Šišmiš Lukáš, Ing., DCSY (FIT)
Evrard Colin
Rivière Etienne
Barbette Tom
Abstract

Intrusion Detection Systems (IDS) play a crucial role in network security. An IDS recognizes malicious activity in network traffic by matching it against patterns defined in a set of rules. The complexity and size of rule sets lead to substantial computational load. In a state-of-the-art IDS, such as Suricata, a single CPU core processes a few hundred MB to a few GB of network traffic per second, and rule evaluation accounts for over 60% of CPU consumption. Scaling IDS to today’s high-speed networks is, therefore, a significant challenge. We present PAMO, a PAttern Matching Offload for Intrusion Detection Systems. PAMO accelerates the most CPU-intensive task in an IDS, pattern matching. For this, it leverages an RXP accelerator, a pattern and regular expression matching engine available on commodity SmartNICs such as the NVIDIA BlueField-2. We evaluate the RXP engine’s characteristics and performance and show how it can be integrated into Suricata’s processing workflow. By offloading the prefiltering stage of pattern matching to the RXP engine, we achieve over 80 Gbps of throughput on traffic collected at the entry of a ~30K-user campus network, increasing the performance by up to 40% and decreasing the per-gigabit total cost of ownership by up to 28% compared to unmodified software-only Suricata. PAMO also enables running an IDS entirely on the SmartNIC by combining its eight integrated ARM cores with the RXP engine. PAMO in SmartNIC-only deployment achieves 6.8 Gbps of throughput (+70% increase relative to software-only Suricata) and 44% improvement in energy efficiency.

Keywords

Intrusion Detection Systems, SmartNIC, Suricata

Published
2025
Pages
140–152
Proceedings
Proceedings of the 26th International Middleware Conference
Publisher
ACM
Place
New York, NY, USA
DOI
10.1145/3721462.3770768
BibTeX
@inproceedings{BUT201380,
  author="Lukáš {Šišmiš} and Colin {Evrard} and Etienne {Rivière} and Tom {Barbette}",
  title="PAMO: Pattern Matching Offload for Intrusion Detection Systems",
  booktitle="Proceedings of the 26th International Middleware Conference",
  year="2025",
  pages="140--152",
  publisher="ACM",
  address="New York, NY, USA",
  doi="10.1145/3721462.3770768"
}
Projects
Application-specific HW/SW architectures and their applications, BUT, Vnitřní projekty VUT, FIT-S-23-8141, start: 2023-03-01, end: 2026-02-28, completed