\documentclass{beamer}
\documentclass{article}
\usepackage{graphicx}
\graphicspath{ {images/} }
\usetheme{Madrid}
\title{LEoNIDS}
% A subtitle is optional and this may be deleted
\subtitle{A Low-Latency and
Energy-Efficient Network-Level
Intrusion Detection System}
\author{NIKOS TSIKOUDIS \inst{1} \and ANTONIS PAPADOGIANNAKIS \inst{2} \and EVANGELOS P. MARKATOS \inst{2}}
% - Give the names in the same order as the appear in the paper.
% - Use the \inst{?} command only if the authors have different
% affiliation.
\institute[NIT-KKR] % (optional, but mostly needed)
{
\inst{1}
Brandeis University, Waltham, MA 02453, USA
\and
\inst{2}
Institute of Computer Science, Foundation for Research and Technology-Hellas, Heraklion 700 13, Greece
}
% - Use the \inst command only if there are several affiliations.
% - Keep it simple, no one is interested in your street address.
\date{IEEE Transactions on Emerging Topics in Computing \\ 26 February 2016}
% - Either use conference name or its abbreviation.
% - Not really informative to the audience, more for people (including
% yourself) who are reading the slides online
\subject{LEoNIDS}
% This is only inserted into the PDF information catalog. Can be left
% out.
% If you have a file called "university-logo-filename.xxx", where xxx
% is a graphic format that can be processed by latex or pdflatex,
% resp., then you can add a logo as follows:
%\pgfdeclareimage[height=1.5cm]{university-logo}{tree04}
%\logo{\pgfuseimage{tree04}}
% Delete this, if you do not want the table of contents to pop up at
% the beginning of each subsection:
%\AtBeginSubsection[]
%{
% \begin{frame}<beamer>{Outline}
% \tableofcontents[currentsection,currentsubsection]
%\end{frame}
%}
% Let's get started
\begin{document}
\begin{frame}
\titlepage
\end{frame}
\begin{frame}[allowframebreaks]{\huge Contents}
\tableofcontents
\end{frame}
% You might wish to add the option [pausesections]
\section {Introduction}
\section{Motivation}
\subsection {Why Detection Latency Matters}
\subsection{Why Power Consumption Matters }
\section{Towards Power Proportional NIDS}
\subsection{Experimental Environment}
\subsection{Power Consumption}
\subsection{Adapt to the Traffic Load}
\section{Energy-Latency Tradeoff in NIDS}
\subsection{Detection Latency}
\subsection{Deconstructing Detection Latency}
\subsection{Delay Analysis}
\addtocontents{toc}{\protect\framebreak}
\section{Solving the Energy-Latency Tradeoff}
\subsection{Identify The Most Important Packets For Detection Latency}
\subsection{Tolerating Evasion Attempts}
\subsection{Time Sharing}
\subsection{Space Sharing}
\subsection{Delay Analysis With Priorities}
\section{Implementation}
\subsection{Time Sharing}
\subsection{Space Sharing}
\section{Experimental Evaluation}
\subsection{Comparing Time and Space Sharing}
\subsection{Comparing All Approaches}
\section{Related Work}
\section{Conclusions}
\section{References}
% Section and subsections will appear in the presentation overview
% and table of contents.
%\begin{frame}{Blocks}
%\begin{block}{Block Title}
%You can also highlight sections of your presentation in a block, %with it's own title
%\end{block}
%\begin{theorem}
%There are separate environments for theorems, examples, definitions and proofs.
%\end{theorem}
%\begin{example}
%Here is an example of an example block.
%\end{example}
%\end{frame}
% Placing a * after \section means it will not show in the
% outline or table of contents.
\begin{frame}[allowframebreaks]{\huge \textbf{1.}Introduction}
\begin{itemize}
\item Low power consumption has emerged as one of the main
design goals in today's computer systems.
Towards this direction, we aim to build an energy-efficient
Network-level Intrusion Detection System (NIDS).
\item NIDS are commonly deployed to detect security violations, enhancing the secure operation of modern computer networks. They perform computationally heavy operations like pattern matching, regular expression matching, and other types of complex analysis to detect malicious activities in the monitored network in real time.
\item However, the energy efficiency of security systems like NIDS has not received significant attention and has not been studied before. Although NIDS are usually provisioned to operate at link
rate, most networks are typically much less utilized. This results
in increased power consumption at low traffic load.
\item To reduce the energy spent under low traffic we aim at building a power-proportional NIDS using Dynamic Voltage and Frequency
Scaling (DVFS) and sleep states (C-states), which can be found in modern processors. This energy-efficient NIDS can process all packets with up to 23 percent lower power consumption than the original system at low rates.
\item However, we observe a significant increase in the detection latency. A low detection latency is very important to ensure a timely reaction to the attack. Therefore, our
results indicate a new tradeoff for NIDS: the energy-latency
tradeoff.
\item Our key idea to resolve this tradeoff is to identify
the most important packets for attack detection and process
them with higher priority, resulting in low latency and fast
detection. The remaining packets are processed with lower priority
to achieve an overall low power consumption.
\item We explore two alternative approaches to reduce the
latency of high-priority packets: time sharing and space
sharing. We experimentally compare the two approaches and we find that space sharing has a better power-latency ratio.
\item Based on these approaches we propose LEoNIDS: a NIDS
architecture that resolves the energy-latency tradeoff. \\
The main contributions of this work are:\\
1. We identify a new tradeoff for NIDS: the energy-latency
tradeoff.\\
2. We resolve the energy-latency tradeoff.\\
3. We introduce space sharing.\\
4. We experimentally compare two alternative approaches for low latency in a power-proportional NIDS.\\
5. We present the design, implementation, and evaluation
of LEoNIDS.
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{\huge \textbf{2.}Motivation}
\textbf{ We first explain why a low response time (detection latency) is crucial for
a NIDS, and then we argue for the usefulness of an
energy-efficient (power consumption) NIDS.}
\end{frame}
\begin{frame}[allowframebreaks]{\large \textit{Why Detection Latency Matters?}}
\begin{itemize}
\item A fast attack detection is necessary. This is because a NIDS is able to react and
protect the potential victims upon a timely attack detection,
without the need of human advisory.
\item \textbf{Method 1:} One way to achieve this is to actively terminate an offending TCP connection by sending TCP reset packets with the correct sequence numbers and spoofed IP addresses of victim and attacker hosts. Since a reset packet may reach the client or server after the other host has already responded, the NIDS tries to close the connection by sending multiple reset packets and guessing the next TCP sequence and acknowledgment numbers. \\However, such an
active response is not guaranteed to successfully terminate
an offending connection: it is a race between the NIDS and
the endpoints of the network communication. \\Depending on
the detection latency and the network latency, NIDS may or
may not win this race.\\
For instance, in case of a 100 Mbit/sec
connection, assuming an average packet size of 500 bytes, an
attack packet should be detected in less than 40 microseconds
upon its arrival for an effective active response by the NIDS.
\item \textbf{Method 2:} To automatically add a firewall rule to block the next incoming attack packets in order to prevent a full system compromise. To be effective, a low detection latency is again crucial. Moreover, DNS and URL blacklists may also be updated upon the detection of a malicious domain or malicious URL to protect the other hosts from accessing it. Since a malicious website may be accessed within short time periods by many users, e.g., due to massive spam messages, it is important to automatically update these
blacklists in a timely fashion.
\end{itemize}
\end{frame}
\begin{frame}[allowframebreaks]{\large \textit{Why Power Consumption Matters?}}
\begin{itemize}
\item NIDS are usually overprovisioned to handle a fully utilized
line and tolerate overloads without missed attacks. Thus,
they use all the available resources: all cores, and the maximum
CPU frequency. In high speed networks, the traffic load
may also be split among multiple machines. However,
the monitored networks are rarely fully utilized at their maximum
capacity and a NIDS machine is not often overloaded.
This results in increased energy and increased cost for running
multiple NIDS to protect a large infrastructure.
\item Power consumption is a significant concern in data center
environments with limited power capacity. Moreover, it is
important in devices with limited resources, such as small
routers or wireless access points. The power consumption
is even more important when NIDS run on devices with
limited battery life, such as sensor nodes or mobile devices.
So our work can be applied in NIDS that run in such devices as well.
\item Reducing the power consumption of network security
solutions like NIDS is important to reduce the operational
costs of these security products, making them more attractive
to use than other alternative approaches. Reducing the
power cost of a NIDS may not be very important for a
data center compared to its total power consumption, but it
is quite important for NIDS vendors to provide more cost-effective
solutions.
\item Network security products with reduced
power consumption will give one more benefit in the market,
while network security services based on NIDS, which are
rapidly developed today using cloud infrastructures, will
offer lower prices when consuming less energy. Given the
recent advances in hardware and computer architecture, with
more powerful hardware components and increasing number
of CPU cores, building energy-efficient systems and
applications becomes an important performance indicator.
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{\huge \textbf{3.}Towards a power proportional NIDS}
\textbf{ Now we explore the design space to build a power-proportional NIDS}
\end{frame}
\begin{frame}[allowframebreaks]{\large \textit{Environment Setup}}
\begin{itemize}
\item Our testbed consists of 2 machines interconnected with
a 10 Gigabit Ethernet switch. Both machines are equipped with two
6-core Intel Xeon E5-2620 processors with 15 MB L2
cache, 8 GB RAM, and an Intel 82599EB 10 Gigabit Ethernet network
interface.
\item The processor's clock frequency can be scaled from 1.2 GHz to 2.0 GHz using DVFS, which results in 9 available frequency
steps. They also support Intel Turbo Boost technology to
increase their frequency up to 2.5 GHz.
\item To reduce power consumption, each idle core can be put into one of the 3 available sleep states: C1, C3 or C6, where the CPU reduces
or stops the performance of internal units. We measure the
power consumption in the NIDS machine using the Watts up?
PRO ES device.
\item The first machine is used for traffic generation. The
generated traffic reaches the second machine, which runs
Snort IDS v2.8.3.2 with official rule set containing
8308 rules.
\item We use
PF\_RING
v5.3.0 and ixgbe driver v3.7.17 to split the incoming traffic to active cores using
the Receive Side Scaling (RSS) feature of Intel 82599
NIC. We set the size of the ring buffer that stores packets
at each core to 4096 slots. To change the frequency we use the
cpufrequtils package. Both machines run 64-bit Linux (kernel
version 3.5.0).
\item We generate real traffic by replaying a one-hour
long anonymized trace captured at the access link of an operational network. The trace contains 58,714,906 packets
and 1,493,032 flows, totaling more than 40 GB, 95.4\% of
which is TCP traffic.
\item For this trace Snort triggers 1851 alerts from 76 different rules. In order to strengthen our evaluation, we augmented the trace with 120 anonymized traces of real attacks captured in the
wild, adding 233 more alerts from 14 different rules.
In this work we present our findings using this trace as
workload. We found quite similar results when using a few
different workloads based on anonymized packet traces from
other sources.
\end{itemize}
\end{frame}
\begin{frame}[allowframebreaks]{\large \textit{Environment Power Consumption}}
\begin{itemize}
\item The system's idle power consumption is 85.1 W, and when
Snort fully utilizes all cores it consumes 145.7 W. The CPU consumes
the larger portion of energy in the system. We measure the CPU power consumption by accessing the RAPL (Running Average Power Limit) registers provided by the Xeon CPU.\\
\begin{figure}[h]
\centering
\includegraphics[width=0.7\textwidth]{leonids}
\caption{The CPU consumes the larger portion of energy in a NIDS. More than 50 percent of the power is consumed by the CPU.}
% \label{fig:}
\end{figure}
\item Modern processors offer 2 ways to reduce power:\\
1. Frequency Scaling\\
2. Sleep States (C-States)
\item The Xeon processor has a single voltage & frequency regulator, so the frequency changes uniformly on all cores of a processor, and a transition between frequencies takes little time.\\However, each core can operate in a different C-state to save energy.
\item The power consumption of each core consists of:\\
1. Power consumed when the core processes packets.\\
2. Power consumed to enter a C-state.\\
3. Power consumed during the idle state.\\
\item We see that idle cores consume less power in C6 state, so we put inactive cores in this state.
\item We aim to find the most energy-efficient strategy for a NIDS by properly adapting the frequency and the number of active cores (not in C-states).
\item The two main questions are:\\
1. Is it better to operate at lower frequency or utilize sleep states?\\
2. Is it better to use more cores on lower frequency or fewer cores at higher frequency?
\item To answer the above questions we measure Snort's power
consumption as a function of frequency and number of active
cores, when sending traffic at a constant rate of 0.6 Gbit/sec.
\begin{figure}[h]
\centering
\includegraphics[width=0.48\textwidth]{leonids2}
\caption{Power Consumption}
\includegraphics[width=0.5\textwidth]{leonids3}
\caption{Processing at 1.5Gb/sec}
\label{fig:3}
\end{figure}
\end{itemize}
\end{frame}
\begin{frame}[allowframebreaks]{\large \textit{Adapting to the traffic load}}
\begin{itemize}
\item A power-proportional NIDS should utilize the smallest number of cores that are able to process all the incoming traffic when they operate at the lowest possible frequency. Therefore, the system should dynamically adapt to the load by changing the frequency and activating/deactivating cores.
\item A straight-forward power-proportional NIDS
uses the following strategy:\\
1. It starts with a single active core at the minimum
frequency.\\
2. It continuously monitors the queues' usage.\\
2.1 If queues are filled by more than a high threshold:\\
2.1.1 If there are inactive cores, it wakes up one core.\\
2.1.2 Else, it increases the frequency of all cores.\\
2.2 If queues are filled by less than a low threshold:\\
2.2.1 If the lowest frequency is used, it deactivates
one core.\\
2.2.2 Else, it decreases the frequency.\\
\item We implemented this algorithm within
the packet capturing subsystem and we ran Snort over this
system while varying the load. We set high threshold to 90 percent
and low threshold to 70 percent.
\end{itemize}
\begin{figure}[h]
\centering
\includegraphics[width=0.40\textwidth]{leonids4}
\caption{Power consumption and detection latency of a
straight-forward power-proportional NIDS versus the original
NIDS as a function of traffic rate. The straight-forward
power-proportional NIDS consumes less power with higher
detection latency.}
\label{fig:3}
\end{figure}
\end{frame}
% All of the following is optional and typically not needed.
\appendix
\section<presentation>*{\appendixname}
\subsection<presentation>*{For Further Reading}
\begin{frame}[allowframebreaks]
\frametitle<presentation>{For Further Reading}
\begin{thebibliography}{10}
\beamertemplatebookbibitems
% Start with overview books.
\bibitem{Author1990}
A.~Author.
\newblock {\em Handbook of Everything}.
\newblock Some Press, 1990.
\beamertemplatearticlebibitems
% Followed by interesting articles. Keep the list short.
\bibitem{Someone2000}
S.~Someone.
\newblock On this and that.
\newblock {\em Journal of This and That}, 2(1):50--100,
2000.
\end{thebibliography}
\end{frame}
\end{document}
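
The load-adaptation strategy listed on the "Adapting to the traffic load" slide above, written out as an added example; it is not part of the original post and not the LEoNIDS implementation. The names `Governor` and `replay` are hypothetical, the 12-core limit is derived from the slides' two 6-core processors, and reducing the per-core queues to a single fill ratio is an assumption.

```python
"""Added example: threshold governor from the 'Adapting to the traffic load' slide."""
from dataclasses import dataclass

# Figures from the slides: 9 DVFS steps between 1.2 and 2.0 GHz, two 6-core CPUs,
# high threshold 90 percent, low threshold 70 percent.
FREQS_GHZ = [1.2, 1.3, 1.4, 1.5, 1.6, 1.7, 1.8, 1.9, 2.0]
MAX_CORES = 12
HIGH, LOW = 0.90, 0.70


@dataclass
class Governor:
    cores: int = 1      # step 1: a single active core ...
    freq_idx: int = 0   # ... at the minimum frequency

    @property
    def ghz(self) -> float:
        return FREQS_GHZ[self.freq_idx]

    def step(self, queue_fill: float) -> str:
        """One monitoring decision (step 2). queue_fill is a 0..1 ratio; how
        per-core queues are combined into it is an assumption left to the caller."""
        if queue_fill > HIGH:                       # 2.1
            if self.cores < MAX_CORES:              # 2.1.1 wake an inactive core
                self.cores += 1
                return "wake_core"
            if self.freq_idx < len(FREQS_GHZ) - 1:  # 2.1.2 raise frequency of all cores
                self.freq_idx += 1
                return "freq_up"
            return "saturated"                      # no headroom left to add
        if queue_fill < LOW:                        # 2.2
            if self.freq_idx > 0:                   # 2.2.2 lower the frequency first
                self.freq_idx -= 1
                return "freq_down"
            if self.cores > 1:                      # 2.2.1 lowest frequency: sleep a core
                self.cores -= 1
                return "sleep_core"
            return "floor"                          # already one core at 1.2 GHz
        return "hold"                               # inside the 70-90 percent band


def replay(fills):
    """Feed constructed queue-fill samples to a fresh governor; return the decision trace."""
    gov = Governor()
    return [(gov.step(f), gov.cores, gov.ghz) for f in fills]


if __name__ == "__main__":
    # Constructed samples: a burst, a steady period, then the load falling away.
    samples = [0.95] * 13 + [0.80] * 2 + [0.50] * 4
    for action, cores, ghz in replay(samples):
        print(f"{action:10s} cores={cores:2d} freq={ghz:.1f} GHz")
```

Capacity is only added above 90 percent fill and removed below 70 percent, so the queues are kept well occupied by design, which is consistent with the higher detection latency reported in the slide's figure caption.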
Answer 1

To make your code compile without errors:

- Have only one \documentclass, so remove \documentclass{article}.
- You cannot use & in normal text (it is a special character used to align things in suitable environments), so use \& instead.

Things you can do to improve your code:

- The placement of all the \sections and \subsections does not make sense. They should be used where the respective (sub)sections begin, not where the table of contents is. (You were told this in two of your previous questions.)
- Probably all the \\ should be replaced by blank lines. LaTeX has very few places where \\ can be used (for example in tables), but it should not be used for new lines. (You were told this in one of your previous questions.)
- No need for \usepackage{graphicx}.

Things that will keep your audience sane:

- Are you sure you want to have so much text on your slides?