Fidas: FPGA‑Based Comprehensive Offloading for Cloud Intrusion Detection (ISCA 2022 Full‑Score Paper)
The ISCA 2022 full‑score paper “Fidas: Fortifying the Cloud via Comprehensive FPGA‑based Offloading for Intrusion Detection” presents a novel FPGA‑accelerated IDS architecture that jointly offloads regex matching and traffic classification, achieving high flexibility, rapid rule updates, balanced load, and line‑rate performance in cloud data centers.
At the ISCA 2022 conference, a paper titled Fidas: Fortifying the Cloud via Comprehensive FPGA‑based Offloading for Intrusion Detection received a perfect score, highlighting a hardware‑accelerated solution for intrusion detection systems (IDS) in cloud environments.
The research targets the growing demand for high‑throughput IDS in data centers, where traditional CPU‑only processing cannot keep up with line‑rate traffic exceeding 100 Gbps. The authors propose evaluating IDS acceleration across four dimensions: software flexibility, rule‑update agility, number of accelerated tasks, and load‑balancing efficiency.
Fidas combines FPGA‑based regular‑expression matching with synchronized traffic‑classification offloading, employing a software‑hardware co‑design that separates control (software) and data (hardware) paths. This design enables rapid rule preprocessing in software while the FPGA performs hierarchical matching of compiled sub‑rules.
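A software sketch of the control/data split described above, added here as an illustration and not taken from the paper or from Fidas itself. It assumes each rule carries a fixed-string sub-rule plus a full regex (in the style of Snort's `content` and `pcre` options); the rule IDs, patterns and payloads are constructed.

```python
import re
from typing import NamedTuple

class CompiledRule(NamedTuple):
    rule_id: str
    literal: bytes        # stage-1 sub-rule: lowercase fixed string
    pattern: re.Pattern   # stage-2: full regex confirmation

def compile_rules(rules):
    """Control path (software): preprocess rules into an immutable match table."""
    table = []
    for rule_id, (literal, regex) in rules.items():
        if not literal:
            raise ValueError(f"{rule_id}: empty literal would pass every payload")
        table.append(CompiledRule(rule_id, literal.lower(), re.compile(regex)))
    return tuple(table)

def scan(table, payloads):
    """Data path: cheap literal filter first, regex only on candidates.

    Returns (alerts, regex_runs); alerts maps payload index -> rule ids.
    """
    alerts, regex_runs = {}, 0
    for idx, payload in enumerate(payloads):
        folded = payload.lower()  # case-folded view keeps the filter a superset
        for rule in table:
            if rule.literal not in folded:
                continue          # stage 1 rejected: no regex cost paid
            regex_runs += 1
            if rule.pattern.search(payload):
                alerts.setdefault(idx, []).append(rule.rule_id)
    return alerts, regex_runs

# Constructed sample rules and payloads (assumptions, not from the paper).
RULES = {
    "R1": (b"etc/passwd", rb"(?:\.\./)+etc/passwd"),
    "R2": (b"union", rb"(?i)union\s+select"),
}
PAYLOADS = [
    b"GET /index.html HTTP/1.1",
    b"GET /../../etc/passwd HTTP/1.1",
    b"GET /q?id=1 UNION  SELECT pw HTTP/1.1",
    b"GET /docs/union-rules.txt HTTP/1.1",   # literal hit, regex miss
]

if __name__ == "__main__":
    alerts, runs = scan(compile_rules(RULES), PAYLOADS)
    print(alerts, f"regex evaluations: {runs} of {len(RULES) * len(PAYLOADS)}")
```

A rule update in this sketch means calling `compile_rules` again and handing the new table to `scan`; the matching code itself does not change.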
The system also introduces a dual‑stack traffic‑classification scheme that efficiently separates hot and cold traffic streams, allowing the FPGA to handle both without packet loss. In benchmark tests, Fidas achieves line‑rate (100 Gbps) regex matching and 10 Mpps traffic classification, saving 30–120 CPU cores compared with traditional Snort‑based solutions.
Beyond performance, the architecture offers operational benefits: frequent rule updates can be completed within a day without hardware changes, and the fully open software stack avoids vendor lock‑in associated with proprietary DPU runtimes.
Fidas has been deployed at scale in Alibaba Cloud data centers for over two years, delivering measurable improvements in detection latency for DDoS attacks and overall IDS efficiency, while reducing hardware costs and enhancing flexibility for cloud service providers.
Alibaba Cloud Infrastructure