DocumentCode :
3512549
Title :
QTL: An efficient scheduling policy for 10Gbps network intrusion detection system
Author :
Song, Bo ; Yang, Weibing ; Chen, Mingyu ; Zhao, Xiaofang ; Fan, Jianping
Author_Institution :
Inst. of Comput. Technol., Chinese Acad. of Sci., Beijing, China
fYear :
2010
fDate :
22-25 June 2010
Firstpage :
190
Lastpage :
195
Abstract :
Broad network bandwidth and deep inspection impose a great challenge for the capability of 10Gbps network security monitoring. Proper scheduling policies can improve system capability without requiring additional resources. LAS, a size-based scheduling policy which can achieve optimal mean response time by giving preferential analysis to short flows, is widely used in various aspects of the network field. Due to the high variability property of Internet traffic, LAS favors short flows without penalizing large flows very much. Unfortunately, the inspection of large flows cannot be guaranteed in those network intrusion detection systems on 10Gbps links, which are usually heavily loaded, or even overloaded. Although tiny in percentage, large flows comprise more than 50% of the total load, and therefore cannot be ignored, especially when specified by users as critical. How to avoid starving large flows while still giving higher priority to short flows is a dilemma we have to face in practice. In this paper, we propose a QoS-supported three-level scheduling policy (QTL), which can remedy LAS's defect. The experimental results show that our QTL scheduling policy has approximately the same performance as LAS for short flows, and meanwhile exhibits greatly enhanced processing capability for large flows.
Keywords :
Internet; quality of service; queueing theory; scheduling; security of data; Internet traffic; LAS; QTL; QoS-supported three-level scheduling policy; bit rate 10 Gbit/s; network intrusion detection system; network security monitoring; Inspection; Intrusion detection; Quality of service; Queueing analysis; Scheduling; Time factors; LAS; QoS-supported three-level scheduling (QTL); marked large flows; threat detection latency; threat loss rate;
fLanguage :
English
Publisher :
IEEE
Conference_Title :
Computers and Communications (ISCC), 2010 IEEE Symposium on
Conference_Location :
Riccione
ISSN :
1530-1346
Print_ISBN :
978-1-4244-7754-8
Type :
conf
DOI :
10.1109/ISCC.2010.5546727
Filename :
5546727