Performance
HyperScan has been designed from the ground up for high performance and low latency, properties that are both critical for pattern matching in modern network security applications.
HyperScan delivers excellent performance by:
- Extensive analysis of the signature set at compilation time, building a pattern database tuned for efficient matching.
- Leveraging the unique features of every target architecture (such as SIMD instruction sets) to build runtime engines that squeeze the best performance out of each CPU.
- Only performing memory allocations where necessary (such as for fixed-size stream state records), and providing pluggable allocations for applications that need to control them.
Example
The following data was collected by benchmarking HyperScan on a dual-socket Intel Xeon E5-2600 family platform (16 cores), using HTTP test traffic and a complete set of IPS signatures sourced from a leading (Tier-1) security equipment vendor.
The benchmarking application used for these tests passed captured HTTP traffic through HyperScan, recording the time spent actually matching traffic against the signature database. This data was scanned packet-by-packet, simulating the behaviour of a real network application such as an IPS or web proxy appliance. Data was matched in streaming mode for cases where the threats might be spread across multiple packets, and in block mode for treats that would be contained within a single block of data such as an URI (which would typically be normalized by the application before scanning.)
| Test case | Signature set size | Average throughput (Gbps) | |||||
|---|---|---|---|---|---|---|---|
| 1 thread | 2 threads | 4 threads | 8 threads | 16 threads | 32 threads | ||
| HTTP to-client traffic 1, streaming | 69 complex | 11.9 | 23.3 | 46.3 | 74.0 | 132.4 | 159.5 |
| HTTP to-client traffic 2, streaming | 142 complex | 6.2 | 12.4 | 24.5 | 43.1 | 81.8 | 95.2 |
| HTTP to-server traffic 1, streaming | 43 complex | 3.8 | 7.5 | 14.9 | 25.7 | 48.5 | 56.7 |
| HTTP to-server traffic 2, streaming | 235 complex | 1.4 | 2.8 | 5.5 | 10.0 | 19.1 | 20.8 |
| HTTP to-server URI-only traffic 1 | 13,000 medium | 1.2 | 2.3 | 4.7 | 8.6 | 16.5 | 19.9 |
| HTTP to-server URI-only traffic 2 | 8,000 medium | 2.2 | 4.4 | 8.7 | 16.0 | 30.6 | 34.4 |
More Information
More information about the test scenario above can be found in our most recent HyperScan white paper.