

# **Design and Implementation of a new Inter-Process Communication Architecture for Log-based HIDS for 100 GbE Environments**

---

Bachelor Thesis

by

**Paul Raatschen**



University of Potsdam  
Institute for Computer Science  
Operating Systems and Distributed Systems

Supervisors:  
Prof. Dr. Bettina Schnor  
M.Sc. Max Schrötter

Potsdam, April 9, 2023

**Raatschen, Paul**

raatschen@uni-potsdam.de

Design and Implementation of a new Inter-Process Communication Architecture for Log-based  
HIDS for 100 GbE Environments

Bachelor Thesis, Institute for Computer Science  
University of Potsdam, April 2023

Thanks



# **Selbständigkeitserklärung**

Hiermit erkläre ich, dass ich die vorliegende Arbeit selbständig angefertigt, nicht anderweitig zu Prüfungszwecken vorgelegt und keine anderen als die angegebenen Hilfsmittel verwendet habe. Sämtliche wissentlich verwendeten Textausschnitte, Zitate oder Inhalte anderer Verfasser wurden ausdrücklich als solche gekennzeichnet.

Potsdam, April 9, 2023

---

Paul Raatschen



## Abstract



## **Deutsche Zusammenfassung**

Deutsche Zusammenfassung



# Contents

|          |                                                       |           |
|----------|-------------------------------------------------------|-----------|
| <b>1</b> | <b>Introduction</b>                                   | <b>1</b>  |
| <b>2</b> | <b>Background</b>                                     | <b>2</b>  |
| 2.1      | Host-based Intrusion Detection / Prevention . . . . . | 2         |
| 2.1.1    | Fail2ban . . . . .                                    | 2         |
| 2.2      | Inter-Process Communication . . . . .                 | 3         |
| 2.2.1    | Types of IPC . . . . .                                | 3         |
| 2.2.2    | IPC based logging . . . . .                           | 3         |
| 2.3      | Special Software . . . . .                            | 3         |
| 2.3.1    | Hyperscan . . . . .                                   | 3         |
| 2.3.2    | io_uring . . . . .                                    | 3         |
| 2.3.3    | Trex . . . . .                                        | 3         |
| <b>3</b> | <b>Design &amp; Implementation</b>                    | <b>4</b>  |
| 3.1      | Requirements . . . . .                                | 4         |
| 3.2      | Abstract Architecture . . . . .                       | 4         |
| 3.3      | Choice of IPC Type . . . . .                          | 4         |
| 3.4      | Shared Memory API . . . . .                           | 4         |
| 3.5      | Proof-of-Concept IPS . . . . .                        | 4         |
| 3.6      | Test Application . . . . .                            | 4         |
| <b>4</b> | <b>Evaluation</b>                                     | <b>8</b>  |
| 4.1      | Testenviroment . . . . .                              | 8         |
| 4.2      | Experimental Design . . . . .                         | 8         |
| 4.3      | Fail2ban Replication Measurements . . . . .           | 8         |
| 4.4      | Simplefail2ban, Logfile Measurements . . . . .        | 8         |
| 4.5      | Simplefail2ban, Shared Memory Measurements . . . . .  | 8         |
| 4.6      | Shared Memory Feature Measurements . . . . .          | 8         |
| <b>5</b> | <b>Conclusion</b>                                     | <b>34</b> |

|                           |           |
|---------------------------|-----------|
| <b>List of Figures</b>    | <b>35</b> |
| <b>List of Tables</b>     | <b>36</b> |
| <b>List of Algorithms</b> | <b>37</b> |
| <b>A Abbreviations</b>    | <b>38</b> |
| <b>B Source Files</b>     | <b>39</b> |
| <b>Bibliography</b>       | <b>40</b> |

# 1 Introduction

Since the advent of the Internet, bandwidths available to both commercial and private users have been ever increasing. While this opens up new possibilities for high bandwidth network applications, it also poses new security challenges for dealing with potentially malicious network traffic. In addition to traditional firewalls, Host-based Intrusion Detection System (HIDS) are a commonly used security measure, to protect a system . Traditionally, HIDS make use of application logfiles, which are parsed for information on possible attacks and to identify malicious clients. The Intrusion Prevention System (IPS) Fail2ban[1] is an one of the most prim

The goal of this thesis will be the design and implementation of a new Inter-Process Communication (IPC) architecture for the transmission of log messages, that is able to facilitate low latency communication between sender and receiver. Additionally, the design should be able to scale to multiple recipients, in order to accommodate more complex security system, in which several processes require access to a hosts application log. For this purpose, a Proof of Concept IPS will be developed, that utilizes the proposed IPC architecture to receive log messages and ban malicious clients in the style of Fail2ban.

This thesis will be structured as follows: The following section provides background information on relevant concepts,

## 2 Background

The following section introduces the concept of HIDS with the specific example of Fail2ban and presents the problem setting this thesis aims to solve. In addition to that, an overview over common types of Inter-Process Communication and existing IPC based logging solution is given. Finally, external libraries and other software used for the implementation and evaluation of the Proof-of-Concept IPS are introduced.

### 2.1 Host-based Intrusion Detection / Prevention

The idea of specialized software for detecting intrusion attempts and other security threads goes as far back as 1980, when James Anderson published a study on “Computer security threat monitoring and surveillance”[2]. In 1987, Dorothy Denning presented a seminal model for Intrusion Detection Systems, that suggested the use of pattern matching based on statistical analysis of audit records generated by a system, in order to detect abnormal user behavior [3]. Intrusion Detection Systems in general, gather data from a multitude of sources, which is then processed to identify and report potential threats. Host-based Intrusion Detection Systems in particular, use information that is provided by the hosts under their supervision. This includes event logs of applications, as well as operating system (Operating System (OS)) based information, such as user logins, file system operations or systemcalls. The analysis of the gathered data can be divided into two categories: 1. Misuse based detection relies on predefined patterns of misuse or malicious behavior, which are then matched against the observed behavior in the data. 2. Anomaly based detection uses statistical analysis to identify deviations from the norm, thereby also being able to identify attacks, that have not been previously observed [4]. Intrusion Prevention Systems (IPS) constitute a special class of IDS, which are not only capable of detecting an attack, but also take measures to prevent or mitigate it.

#### 2.1.1 Fail2ban

Fail2ban is an open source IPS for POSIX Systems, that is widely used to protect web servers, for instance against brute-force login attempts, as well as other types of attacks [5]. To identify potentially malicious clients, Fail2ban makes use of application logs, that are parsed based on a predefined filter. Fail2ban uses configuration units called ‘Jails’, that allow for the customization to a wide range of applications. A Jail defines the path to the application log, the filter being applied to the log messages within the logfile and an action, that is executed on client matching the filter criteria. In addition to that, Jails contain further parameters, such as the threshold of matches a client needs to reach, in order for the action to be executed, as well as the duration of the action. The filter component of a Jail defines a set of regular expressions, that are used to identify certain events in a log, like an unsuccessful login attempts or the exceeding of a rate

limit. the filter also obtains a clients IP address as well as the date and time of the log messages, to determine, if the event occurred in a relevant time frame.

## **2.2 Inter-Process Communication**

### **2.2.1 Types of IPC**

### **2.2.2 IPC based logging**

Syslog, Rsyslog

## **2.3 Special Software**

### **2.3.1 Hyperscan**

Hyperscan is a open source regular expressions matching engine developed by Intel. It is specifically designed for high performance use cases, such as the application in security contexts and is being used by the intrusion detection systems Snort and Suricata. The process of regular expressions matching with Hyperscan is separated into compile- and run-time. At compile-time a set regular expressions in string representation are compiled into a database, with additional configuration options

### **2.3.2 io\_uring**

### **2.3.3 Trex**

## **3 Design & Implementation**

**3.1 Requirements**

**3.2 Abstract Architecture**

**3.3 Choice of IPC Type**

**3.4 Shared Memory API**

**3.5 Proof-of-Concept IPS**

**3.6 Test Application**

**Figure 3.1:** Abstract IPC architecture



### 3 Design & Implementation

---



**Figure 3.2:** Architecture for the single-writer multi-reader shared memory ringbuffer for the transmission of log messages.



**Figure 3.3:** Activity diagram for the proof-of-concept IPS implementation. A variable number of “banning threads” receive log messages from a host and parse them with a predefined regular expressions. For messages that match the expression, the clients IP address is extracted from the log message and added to a hashtable, that keeps count of the number of matches per address. If the count reaches the configured limit, the address is added to the list of banned addresses with a current timestamp and inserted into the eBPF map. One “unbanning thread” routinely iterates through the banned list and checks, if a clients bantime has elapsed. Clients with an elapsed bantime are removed from the eBPF map, banned list and hashtable.

## 4 Evaluation

### 4.1 Testenvironment

### 4.2 Experimental Design

### 4.3 Fail2ban Replication Measurements

### 4.4 Simplefail2ban, Logfile Measurements

### 4.5 Simplefail2ban, Shared Memory Measurements

### 4.6 Shared Memory Feature Measurements

**Table 4.1**

| <b>Hardware</b> |                                            |
|-----------------|--------------------------------------------|
| CPU             | Intel(R) Xeon(R) Silver 4314 CPU @ 2.40GHz |
| NIC             | Mellanox ConnectX-6 100GbE                 |
| RAM             | 128GB                                      |
| <b>Software</b> |                                            |
| OS              | Debian 11                                  |
| Kernel          | 6.1.0-0                                    |
| NIC Driver      | mlx5_core, 6.1.0-0                         |
| Fail2Ban        | 0.11.2                                     |
| TRex            | 3.02                                       |



**Figure 4.1:** Abstract architecture



**Figure 4.2:** Abstract architecture



**Figure 4.3:** Some text



**Figure 4.4:** Some text



**Figure 4.5:** Some text



**Figure 4.6:** Some text



**Figure 4.7:** Some text



**Figure 4.8:** Some text



**Figure 4.9:** Some text



**Figure 4.10:** Some text



**Figure 4.11:** Some text



**Figure 4.12:** Some text



**Figure 4.13:** Some text



**Figure 4.14:** Some text



**Figure 4.15:** Some text



**Figure 4.16:** Some text



**Figure 4.17:** Some text



**Figure 4.18:** Some text



**Figure 4.19:** Some text



**Figure 4.20:** Some text



**Figure 4.21:** Some text



**Figure 4.22:** Some text



**Figure 4.23:** Some text



**Figure 4.24:** Some text



**Figure 4.25:** Some text

## **5 Conclusion**

# List of Figures

|      |                                                                       |    |
|------|-----------------------------------------------------------------------|----|
| 3.1  | IPC Architecture . . . . .                                            | 5  |
| 3.2  | Shared Memory Architecture . . . . .                                  | 6  |
| 3.3  | Simplefail2ban Architecture . . . . .                                 | 7  |
| 4.1  | Fail2Ban Replication Measurements 1 . . . . .                         | 9  |
| 4.2  | IPC Architecture . . . . .                                            | 10 |
| 4.3  | Simplefail2ban, Logfile IPv4, 100k Packets per Second (PPS) . . . . . | 11 |
| 4.4  | Simplefail2ban, Logfile IPv4, 1m PPS . . . . .                        | 12 |
| 4.5  | Simplefail2ban, Logfile IPv4, 10m PPS . . . . .                       | 13 |
| 4.6  | Simplefail2ban, Logfile IPv6, 100k PPS . . . . .                      | 14 |
| 4.7  | Simplefail2ban, Logfile IPv6, 1m PPS . . . . .                        | 15 |
| 4.8  | Simplefail2ban, Logfile IPv6, 10m PPS . . . . .                       | 16 |
| 4.9  | Simplefail2ban, Logfile IPv4 & IPv6, 100k PPS . . . . .               | 17 |
| 4.10 | Simplefail2ban, Logfile IPv4 & IPv6, 1m PPS . . . . .                 | 18 |
| 4.11 | Simplefail2ban, Logfile IPv4 & IPv6, 10m PPS . . . . .                | 19 |
| 4.12 | Simplefail2ban, Shared Memory, IPv4, 1m PPS . . . . .                 | 20 |
| 4.13 | Simplefail2ban, Shared Memory, IPv4, 1m PPS . . . . .                 | 21 |
| 4.14 | Simplefail2ban, Shared Memory, IPv4, 10m PPS . . . . .                | 22 |
| 4.15 | Simplefail2ban, Shared Memory, IPv6, 100k PPS . . . . .               | 23 |
| 4.16 | Simplefail2ban, Shared Memory, IPv6, 1m PPS . . . . .                 | 24 |
| 4.17 | Simplefail2ban, Shared Memory, IPv6, 10m PPS . . . . .                | 25 |
| 4.18 | Simplefail2ban, Shared Memory, IPv4 & IPv6, 100k PPS . . . . .        | 26 |
| 4.19 | Simplefail2ban, Shared Memory, IPv4 & IPv6, 1m PPS . . . . .          | 27 |
| 4.20 | Simplefail2ban, Shared Memory, IPv4 & IPv6, 10m PPS . . . . .         | 28 |
| 4.21 | Simplefail2ban, Shared Memory, IPv4 & IPv6, 30m PPS . . . . .         | 29 |
| 4.22 | Simplefail2ban, Shared Memory 2 Readers . . . . .                     | 30 |
| 4.23 | Simplefail2ban, Shared Memory 2 Readers with Overwrite . . . . .      | 31 |
| 4.24 | Simplefail2ban, Shared Memory with Workload Sharing . . . . .         | 32 |
| 4.25 | Simplefail2ban, Shared Memory without Regex Matching . . . . .        | 33 |

## **List of Tables**

|                               |   |
|-------------------------------|---|
| 4.1 Testbed Summary . . . . . | 8 |
|-------------------------------|---|

## **List of Algorithms**

## A Abbreviations

|             |                                       |
|-------------|---------------------------------------|
| <b>HIDS</b> | Host-based Intrusion Detection System |
| <b>IPC</b>  | Inter-Process Communication           |
| <b>IPS</b>  | Intrusion Prevention System           |
| <b>OS</b>   | Operating System                      |
| <b>PPS</b>  | Packets per Second                    |

## B Source Files

For the sake of not having to chop down a forest to print this thesis, no full source files will be appended. The source code is available in a git repository at: <https://gitup.uni-potsdam.de/raatschen/bachelorarbeit>. Access can be requested through me, or the second supervisor Max Schrötter.

## Bibliography

- [1] Fail2Ban. Official Fail2Ban Website. <https://www.fail2ban.org>, 2011. Last visited on: 04.04.2023.
- [2] James P Anderson. Computer security threat monitoring and surveillance. *Technical Report, James P. Anderson Company*, 1980.
- [3] Dorothy E Denning. An intrusion-detection model. *IEEE Transactions on software engineering*, pages 222–232, 1987.
- [4] Giovanni Vigna and Christopher Kruegel. Host-based intrusion detection. In *Handbook of Information Security*, pages 701–713. California State University, 2006.