P4-based IPS - Charles H.-P. Wen

Abstract

IoT security is important nowadays, and the number of IoT devices connected to the Internet is growing rapidly. An IPS provides the ability to detect and block malware packets. In addition to hardware IPSs, another approach uses SDN with the VNF technique, deploying software (e.g., Zeek) in a VM or on a server. However, existing SDN-based IPS methods face one major challenge: long response time.


P4-IPS: In-switch detection and blocking of malware

  • Flow Filter: matches the malware detection table and applies its action (e.g., forward, drop), or hands the packet on for feature extraction.
  • Feature Extractor: mirrors packets, rebuilt with self-defined headers and a truncated payload, to the control plane. ⇨ Forwarding pipeline offloading
  • Malware Detector: uses multi-threading to classify packets in parallel with the neural network model and adds entries to the table. ⇨ Reduced packet detection time

Fig. 1: P4-IPS Architecture

Environment setting

Host1 acts as the sender and uses "tcpreplay" to replay flows from the pcap file.

Fig. 2: Simple Test Environment

Evaluation

For Zeek, the processing capacity is fewer than 2 flows and the response time is 119.63 ms.

Processing capacity: single thread: 2950 flow/s; 8 threads: 9345 flow/s (4672x flows)

Average response time: single thread: 0.339 ms (352x faster)

Fig. 3: Processing Capacity for Edgecore Wedge 100BF-32X


Neural-Network Based Malware Detection on P4 Switch - Charles H.-P. Wen

Introduction

A traditional IDS (Intrusion Detection System) costs too much time and bandwidth, so we use machine learning and a P4 switch to improve the efficiency of malware detection.

Fig. 1: IDS and P4-IDS

P4 Malware Detection

  • A machine learning model identifies malware faster than a traditional IDS.
  • A P4 switch is programmable, so we can define the fields used for ML prediction.
  • Combining the strengths of ML and P4, we propose P4 malware detection.
  • The process is shown in Fig. 2.

Fig. 2: Flowchart of P4 Malware Detection


In-switch P4 Tofino ASIC pipeline side:

  • Truncate the packet and send the self-defined fields to the CPU for machine learning model prediction.
  • One table to block malware.

In-switch x86 CPU platform side:

  • Identify uncertain flows with the machine learning model.
    • Neural network for fast prediction
    • Details of the NN model are shown in Fig. 3
    • Model accuracy: 99.6%
  • Add/modify entries in the pipeline

Fig. 3: NN Model (Accuracy: 99.6%)
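As an added example (not the posters' code), a host-side Python simulation of the split both posters describe: the flow-filter table and truncated mirroring on the data-plane side, and a multi-threaded detector on the CPU side that programs the table so later packets of the same flow are handled in the pipeline. The 5-tuple key, the 64-byte truncation, the three features and the network weights are all constructed here; the poster's trained 99.6% model is not reproduced.

```python
from concurrent.futures import ThreadPoolExecutor
import math, threading
class FlowFilter:
    """Data plane: exact match on the 5-tuple gives 'forward'/'drop'; a miss mirrors a truncated copy."""
    def __init__(self, truncate_to=64):
        self.table, self.lock, self.mirrored = {}, threading.Lock(), []
        self.truncate_to = truncate_to
    def process(self, key, payload):
        with self.lock:
            action = self.table.get(key)
        if action is None:  # table miss: offload only the header fields plus a truncated payload
            self.mirrored.append((key, payload[:self.truncate_to]))
            return "mirror"
        return action
    def add_entry(self, key, action):
        with self.lock:
            self.table[key] = action

def extract_features(key, snippet):
    """Feature extractor (constructed): non-printable ratio, non-web-port flag, snippet length."""
    nonprint = sum(1 for b in snippet if b < 0x20 or b > 0x7E)
    return [nonprint / len(snippet) if snippet else 0.0,
            0.0 if key[4] in (80, 443) else 1.0, len(snippet) / 64]

def nn_malware_score(f):
    """Tiny 3-2-1 network with hand-picked weights, a stand-in for the poster's trained model."""
    h1 = max(0.0, 2.0 * f[0] + 1.0 * f[1] - 1.0)
    h2 = max(0.0, f[2] - 0.5)
    return 1 / (1 + math.exp(-(3.0 * h1 + 1.0 * h2 - 1.0)))

def run_detector(flt, workers=8):
    """Malware detector: classify mirrored records in parallel, then program the table."""
    def classify(item):
        key, snippet = item
        return key, "drop" if nn_malware_score(extract_features(key, snippet)) >= 0.5 else "forward"
    with ThreadPoolExecutor(max_workers=workers) as pool:
        for key, action in pool.map(classify, flt.mirrored):
            flt.add_entry(key, action)
    flt.mirrored.clear()
    return dict(flt.table)

# Constructed traffic: a web request, and a high-entropy flow to an unusual port.
BENIGN = (("10.0.0.1", "10.0.0.2", 6, 40000, 80), b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n")
SUSPECT = (("10.0.0.1", "10.0.0.3", 6, 40001, 4444), bytes(range(64)))
def demo():
    flt = FlowFilter()
    first = [flt.process(k, p) for k, p in (BENIGN, SUSPECT)]   # both miss and are mirrored
    run_detector(flt)
    second = [flt.process(k, p) for k, p in (BENIGN, SUSPECT)]  # now answered from the table
    return first, second
```

Running `demo()` returns `(['mirror', 'mirror'], ['forward', 'drop'])`: only the first packet of each flow reaches the CPU, which is the offloading effect both posters measure.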

Experiments

  • Time saving:
    • It does not mirror packets to an external device.
    • ML model prediction is faster than a software IDS.
  • Bandwidth saving:
    • The P4 switch truncates packets for the ML model.
  • Comparison with a software IDS (Zeek):
    • Identification speed improves about 200 times.
    • Response time improves about 240 times.


Publication: H.-F. Chang, M. I.-C. Wang, C.-H. Hung, and C. H.-P. Wen, “Enabling Malware Detection with Machine Learning on Programmable Switch,” in NOMS 2022-2022 IEEE/IFIP Network Operations and Management Symposium, Apr. 2022, pp. 1–5. doi: 10.1109/NOMS54207.2022.9789939.