Introducing Packet-Level Analysis in Programmable Data Planes to Advance Network Intrusion Detection (2307.05936v4)

Published 12 Jul 2023 in cs.CR and cs.NI

Abstract: Programmable data planes offer precise control over the low-level processing steps applied to network packets, serving as a valuable tool for analysing malicious flows in the field of intrusion detection. Albeit with limitations on physical resources and capabilities, they allow for the efficient extraction of detailed traffic information, which can then be utilised by Machine Learning (ML) algorithms responsible for identifying security threats. In addressing resource constraints, existing solutions in the literature rely on compressing network data through the collection of statistical traffic features in the data plane. While this compression saves memory resources in switches and minimises the burden on the control channel between the data and the control plane, it also results in a loss of information available to the Network Intrusion Detection System (NIDS), limiting access to packet payload, categorical features, and the semantic understanding of network communications, such as the behaviour of packets within traffic flows. This paper proposes P4DDLe, a framework that exploits the flexibility of P4-based programmable data planes for packet-level feature extraction and pre-processing. P4DDLe leverages the programmable data plane to extract raw packet features from the network traffic, categorical features included, and to organise them in a way that the semantics of traffic flows are preserved. To minimise memory and control channel overheads, P4DDLe selectively processes and filters packet-level data, so that only the features required by the NIDS are collected. The experimental evaluation with recent Distributed Denial of Service (DDoS) attack data demonstrates that the proposed approach is very efficient in collecting compact and high-quality representations of network flows, ensuring precise detection of DDoS attacks.
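The data-plane stage the abstract describes, as an added Python model (not code from the paper or the P4DDLe repository): it keeps per-flow, in-order packet feature vectors restricted to the features a NIDS requests, so the trade-off between retained information and control-channel overhead can be measured on constructed traffic. The 5-tuple flow key, the per-flow packet cap, the header-field sizes and the sample packets are all assumptions of this example.

```python
from collections import OrderedDict

# Assumed header-field sizes (bytes) used to estimate control-channel load.
FIELD_BYTES = {"src": 4, "dst": 4, "sport": 2, "dport": 2, "proto": 1,
               "ip_len": 2, "ttl": 1, "tcp_flags": 1, "payload_len": 2}

def mk(src, dst, sport, dport, proto, ip_len, ttl, tcp_flags, payload_len):
    """Constructed packet record holding only the header fields this model needs."""
    return dict(src=src, dst=dst, sport=sport, dport=dport, proto=proto,
                ip_len=ip_len, ttl=ttl, tcp_flags=tcp_flags, payload_len=payload_len)

# Constructed sample traffic: a short benign TCP exchange plus a burst of
# identical SYNs from one source (a crude stand-in for a flooding flow).
PACKETS = [mk("10.0.0.1", "10.0.0.9", 4001, 80, 6, 60, 64, "S", 0),
           mk("10.0.0.1", "10.0.0.9", 4001, 80, 6, 52, 64, "A", 0),
           mk("10.0.0.1", "10.0.0.9", 4001, 80, 6, 540, 64, "PA", 488)]
PACKETS += [mk("10.0.0.7", "10.0.0.9", 5555, 80, 6, 40, 128, "S", 0)] * 6

def flow_key(pkt):
    """Assumption: flows are unidirectional and keyed on the plain 5-tuple."""
    return (pkt["src"], pkt["dst"], pkt["sport"], pkt["dport"], pkt["proto"])

def collect(packets, wanted, pkts_per_flow):
    """Data-plane stage (assumed design): per flow, keep an ordered list of
    per-packet feature vectors limited to the requested fields and to the
    first pkts_per_flow packets. Categorical fields such as tcp_flags and
    proto survive because nothing is summed or averaged away."""
    flows, dropped = OrderedDict(), 0
    for pkt in packets:
        rows = flows.setdefault(flow_key(pkt), [])
        if len(rows) >= pkts_per_flow:
            dropped += 1          # window full: forward the packet, report nothing
            continue
        rows.append({f: pkt[f] for f in wanted})
    return flows, dropped

def report_bytes(flows):
    """Bytes the filtered per-flow representation sends to the control plane."""
    return sum(FIELD_BYTES[f] for rows in flows.values() for r in rows for f in r)

def mirror_bytes(packets):
    """Bytes if every packet's full header record were mirrored instead."""
    return sum(FIELD_BYTES[f] for p in packets for f in p)

if __name__ == "__main__":
    flows, dropped = collect(PACKETS, ["ip_len", "ttl", "tcp_flags"], 4)
    print(f"reported {report_bytes(flows)} B, mirrored {mirror_bytes(PACKETS)} B, dropped {dropped}")
```

With three requested fields and a four-packet window, the model reports 28 bytes for the nine constructed packets instead of the 171 bytes full mirroring would cost, while the benign flow's flag sequence S, A, PA remains readable in order.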
