Lorenzo De Carli

Traffic analysis performed by intrusion detection systems (IDSs) present unique challenges: on one hand, analysis has to sustain high throughput to search ever-increasing volumes of traffic. Therefore, IDSs should support scalability, and be able to parallelize their workload over an arbitrary number of processing units. On the other hand such scalability should not impose excessive constraint on developers of traffic analysis algorithm, to avoid limit functionality and effectiveness of IDSs. In this context, we developed a domain-specific concurrency model based on the notion of detection scope: a unit for partitioning network traffic such that the traffic contained in each resulting “slice” is independent for detection purposes. We then developed a program analysis technique that can automatically infer the appropriate scope given an analysis algorithm. The overall vision is that of an IDS where the operator can develop analyses as she sees fit, while the system automatically reasons about the best way to parallelize them. The results of this work were presented in our CCS 2014 paper.

As part of this work I also participated in the design of HILTI, a framework for deep packet inspection consisting in a domain-specific intermediate representation (IR) and a runtime. The goal of HILTI is to provide a generic way to express DPI programs to make their functionality easy to reuse. Indeed, we used HILTI’s program analysis capabilities as a foundation to implement our IDS parallelization approach. HILTI was presented in our IMC 2014 paper.