Abstract
Network intrusion detection systems (IDS) are crucial for secure cloud computing, but they are also severely constrained by CPU computation capacity as network bandwidth increases. Hardware offloading is therefore essential for IDS servers to keep up with the ever-growing throughput demand for packet processing. Based on experience with large-scale IDS deployment, we find that the existing hardware offloading solutions have fundamental limitations that prevent them from being massively deployed in production environments. In this paper, we present Fidas, an FPGA-based intrusion detection offload system that avoids the limitations of the existing hardware solutions by comprehensively offloading the primary NIC, rule pattern matching, and traffic flow rate classification. The pattern matching module in Fidas uses a multi-level filter-based approach for efficient regex processing, and the flow rate classification module employs a novel dual-stack memory scheme to identify the hot flows under volumetric attacks. Our evaluation shows that Fidas achieves state-of-the-art throughput in pattern matching and flow rate classification while freeing up processors for other security-related functionalities. Fidas is deployed in a production data center and has been battle-tested for its performance, cost-effectiveness, and DevOps agility.
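The abstract names two general mechanisms without detailing them: a multi-level filter in front of full regex evaluation, and rate-based identification of hot flows. The block below is an added software illustration of those two ideas in their generic form; it is not code from the Fidas paper and says nothing about its FPGA design or its dual-stack memory scheme. The rule set, payloads, flow keys, window size and threshold are all constructed for the example. Stage one of the matcher rejects a payload for a rule using a cheap required literal; only survivors pay for the regex, and the counters show how many regex evaluations that saves.

```python
import re
from collections import defaultdict

# Constructed rule set (not from the paper). Each rule carries a literal that
# any true match must contain (cheap level-1 filter) and the full regex
# (expensive level-2 check). Regexes are case-insensitive; the literal check
# lowercases both sides to stay consistent with that.
RULES = [
    {"sid": 1001, "literal": b"/cgi-bin/",
     "regex": rb"/cgi-bin/[^\s]*\.\.(?:/|\\)"},
    {"sid": 1002, "literal": b"User-Agent:",
     "regex": rb"User-Agent:\s*(?:sqlmap|nikto)"},
    {"sid": 1003, "literal": b"SELECT",
     "regex": rb"SELECT\s+.+\s+FROM\s+.+\s+WHERE\s+.*(?:'|--)"},
]

# Constructed sample payloads (hypothetical HTTP requests, not captured traffic).
SAMPLE_PAYLOADS = [
    b"GET /cgi-bin/../../etc/passwd HTTP/1.1\r\nHost: x\r\n",
    b"GET / HTTP/1.1\r\nUser-Agent: sqlmap/1.6\r\n",
    b"GET /index.html HTTP/1.1\r\nUser-Agent: Mozilla/5.0\r\n",
    b"POST /login HTTP/1.1\r\n\r\nuser=admin'--&pass=x",
]


class TwoLevelMatcher:
    """Literal prefilter, then regex only on the rules whose literal is present."""

    def __init__(self, rules):
        self.rules = [(r["sid"], r["literal"].lower(),
                       re.compile(r["regex"], re.IGNORECASE)) for r in rules]
        self.stats = {"payloads": 0, "regex_evals": 0, "alerts": 0}

    def scan(self, payload: bytes):
        self.stats["payloads"] += 1
        lowered = payload.lower()
        hits = []
        for sid, literal, regex in self.rules:
            if literal not in lowered:        # level 1: cheap substring test
                continue
            self.stats["regex_evals"] += 1    # level 2: full regex on survivors
            if regex.search(payload):
                hits.append(sid)
        self.stats["alerts"] += len(hits)
        return hits


class FlowRateClassifier:
    """Per-flow packet counts in fixed time windows; a flow whose count reaches
    `threshold` within a window is reported as hot. A plain dict is used here;
    it stands in for whatever memory scheme a real system would use."""

    def __init__(self, window_s: float, threshold: int):
        self.window_s = window_s
        self.threshold = threshold
        self.current_window = None
        self.counts = defaultdict(int)
        self.hot_last_window = set()

    def observe(self, flow_key, ts: float):
        window = int(ts // self.window_s)
        if self.current_window is None:
            self.current_window = window
        if window != self.current_window:
            # Window rolled over: remember who was hot, start fresh counters.
            self.hot_last_window = {k for k, c in self.counts.items()
                                    if c >= self.threshold}
            self.counts.clear()
            self.current_window = window
        self.counts[flow_key] += 1

    def hot_flows(self):
        live = {k for k, c in self.counts.items() if c >= self.threshold}
        return self.hot_last_window | live


def scan_all(payloads=SAMPLE_PAYLOADS):
    matcher = TwoLevelMatcher(RULES)
    hits = [matcher.scan(p) for p in payloads]
    return hits, matcher.stats


def demo_hot_flows():
    # Constructed flows: a UDP flood from one source and a quiet TCP flow.
    clf = FlowRateClassifier(window_s=1.0, threshold=50)
    attacker = ("198.51.100.7", "203.0.113.10", 17, 40000, 53)
    benign = ("192.0.2.4", "203.0.113.10", 6, 51000, 443)
    for i in range(200):
        clf.observe(attacker, i * 0.004)      # 200 packets inside window 0
    for i in range(10):
        clf.observe(benign, 0.1 + i * 0.05)   # 10 packets inside window 0
    return clf.hot_flows()


if __name__ == "__main__":
    hits, stats = scan_all()
    print(hits, stats)        # 3 regex evaluations instead of 12
    print(demo_hot_flows())   # only the flooding flow
```

Three of the twelve possible regex evaluations run on the four sample payloads; the others are rejected by the literal test. The same split, a wide cheap filter feeding a narrow expensive verifier, is what lets a matcher scale with rule count, in software or in hardware.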
Citation
Chen, J., Zhang, X., Wang, T., Zhang, Y., Chen, T., Chen, J., … Liu, Q. (2022). Fidas: Fortifying the Cloud via Comprehensive FPGA-based Offloading for Intrusion Detection: Industrial Product. In Proceedings of the International Symposium on Computer Architecture (ISCA) (pp. 1029–1041). Association for Computing Machinery. https://doi.org/10.1145/3470496.3533043