1 Introduction
2 Background
2.1 DDoS Attacks
-
Source-based detection, implemented at the attacking hosts
-
Destination-based detection, implemented at the victim hosts
-
Network-based detection, implemented at the network intermediate nodes (e.g., switches, routers)
2.2 Related Work
2.3 P4 Language
-
Parsers, responsible for the analysis of the incoming packet and the detection of the considered protocol stacks (either standard or proprietary)
-
Tables and actions, the key set of the SDN paradigm, identifying the packet processing rule in the standard match-action fashion. In P4, tables and actions may be programmed with a high level of flexibility and rule definitions, including protocol field updates, port selection, actions on the entire packet (e.g., packet drop, cloning, recirculation)
-
Pipeline control, responsible of structuring a programmable set of tables inside a given pipeline, in the context of well-defined pipeline abstract models. In all the considered models, the design identifies an ingress pipeline (i.e., performing operations at packet reception and implementing forwarding decisions) and an egress pipeline (i.e., operations performed after the forwarding decision, such as pre-forwarding operations or multicast). Each pipeline defines an ordered sequence of tables, optionally subject to conditional rules and loop execution. This latter feature is a specific and powerful P4 feature with respect to traditional SDN pipelines, typically implemented with a static set of tables.
3 ML-Assisted DDoS Attack Detection
3.1 DAD Detection Architectures
3.2 ML Classifiers and Considered Features
-
Average length: the average size in bytes of packets in time window (t, \(t+T\))$$\begin{aligned} f_1=Len(t)=\frac{total \; no. \; of \; bytes \; in \; (t, t+T)}{total \; no. \;of\; packets\; in \; (t, t+T)} \end{aligned}$$
-
TCP ratio: the percentage of TCP packets out of the total in time window (t, \(t+T\));$$\begin{aligned} f_2=R_{TCP}(t)=\frac{no.\; of\; TCP\; packets\; in \; (t, t+T)}{total \; no. \;of\; packets\; in \; (t, t+T)} \end{aligned}$$
-
UDP ratio: similarly to \(R_{TCP}\), it represents the percentage of UDP packets;$$\begin{aligned} f_3=R_{UDP}(t)=\frac{no.\; of\; UDP\; packets\; in \; (t, t+T)}{total \; no. \;of\; packets\; in \; (t, t+T)} \end{aligned}$$
-
TCP-UDP ratio: the ratio between TCP and UDP packets in time window (t, \(t+T\)). If no UDP packet is present in the window, we set this feature equal to a large finite number;$$\begin{aligned} f_4=R_{TU}(t) = \frac{no. \; of \;TCP\; packets\; in \; (t, t+T)}{no. \; of \; UDP\; packets\; in \; (t, t+T)} \end{aligned}$$
-
Flags(t): is the percentage of TCP packets with an active SYN flag out of the total in time window (t, \(t+T\)).$$\begin{aligned} f_5=Flags(t) = \frac{no. \; of \;TCP \; packets\; with \;SYN\; flag\; in \; (t, t+T)}{total\; no. \;of\; packets\; in \; (t, t+T)} \end{aligned}$$
4 Using P4 Language for Attack Detection in Data Plane
-
Stateful objects handling, with the definition of programmable registers storing and updating the number of selected packets occurrences within a traffic window;
-
Feature Extra header, used to convey the statistics and provide the analysis results to the detection module utilizing a portion of selected mirrored packets.
-
Conditional pipeline control, used to implement different pipeline execution branches subject to context condition.
m
_ip
for IP, m
_transport
for UDP/TCP and m
_syn
for SYN flag detection) performs the update of the feature occurrences in the registers and in the packet metadata. The figure shows the list of actions related to the m
_transport
table when the match detects UDP packets: in this case the register at offset r1
will be first read (i.e., to retrieve the last cumulative value of UDP packets occurrences), incremented and re-written by means of an auxiliary packet metadata field. Similarly, such operations are performed in the other two tables. When the statistics have been updated, the ingress pipeline is subject to a conditional check. In the case the traffic window (e.g., set to \(10^5\) packets in the P4 code, see experimental results) is terminated (the check is done using the specific packet metadata field), the code executes a specific branch of tables (go
_read
_reset
, go
_steer
and go
_header
in Fig. 3) in order to generate the report packet to the DAD, otherwise it follows a standard packet forward/block procedure based on flow entries received by the DAD module or by the SDN controller. In this specific implementation, the traffic window is mapped in a packet-based window assuming that the switch operates in a constant bit rate scenario (as in the experimental evaluation, see Sect. 6.3), while in a more general deployment it may be mapped in a time-based window using P4 timestamp metadata. Forwarding is implemented using standard network-layer information to emulate internet router behavior. Specifically, in the case of packet report generation, table go
_read
_reset
is responsible for resetting the values of the internal registers, table go
_steer
is responsible for cloning the packet and set its output port to the control interface connected to the DAD module, while table go
_header
triggers the features extra header insertion, positioned after the considered packet protocol stack. The figure shows the details of the action add
_int
, inside table go
_header
. The action first generates the extra header insertion in the packet (i.e., add
_header
P4 native command), then updates its fields with the statistics retrieved by the registers and temporarily stored in the packet metadata, along with the switch id parameter, thus allowing multiple network switches to send their reports to the DAD in parallel. It is worthwhile to note that a P4 switch is not allowed to generate a new asynchronous packet, thus the report packet sent to the DAD is the result of a mirror and a subsequent manipulation (i.e., extra header inclusion) of an existing traffic packet. The final P4 behavior allows to generate a features report at the end of each traffic window, ready to be submitted to the classifier. In the meanwhile, the switch is able to act as a firewall allowing/blocking suspected flows indicated by the controller through the DAD module outcomes.5 Case Study and ML Algorithms Settings
5.1 Traffic Scenario and Corresponding Datasets
Parameter | Value |
---|---|
Traces duration | 15 min |
TCP traffic bit rate | 13.5 Mbit/s |
UDP traffic bit rate | 11.4 Mbit/s |
IP traffic bit rate | 5.1 Mbit/s |
Attack traffic bit rate | 26.5 kbit/s |
Attack Type | SYN flood |
Window duration | \(T\in \{0.5; 1; 2; 10\}\) s |
Windows distance | \(\delta \in \{0.01; 0.05; 0.1; 0.2; 0.5; 1\}\) s |
5.2 Evaluation Metrics
-
true positives (TP): Number of windows of type ‘1’ correctly classified with label ‘1’;
-
true negatives (TN): Number of windows of type ‘0’ correctly classified with label ‘0’;
-
false positives (FP): Number of windows of type ‘0’ misclassified with label ‘1’;
-
false negatives (FN): Number of windows of type ‘1’ misclassified with label ‘0’.
-
Accuracy is the fraction of correctly-classified windows, i.e.,$$\begin{aligned} A = \frac{TP+TN}{TP+TN+FP+FN} \end{aligned}$$
-
Precision is the fraction of correctly-classified positive windows out of the total number of windows classified as positive, i.e.,$$\begin{aligned} P = \frac{TP}{TP+FP} \end{aligned}$$
-
Recall is the fraction of correctly-classified positive windows out of the total number of windows which are actually positive, i.e.,Note that precision and recall are two contrasting objectives and different algorithms may provide different trade-offs on these measures.$$\begin{aligned} R = \frac{TP}{TP+FN} \end{aligned}$$
-
F1-score (or F-score) is used as a unique metric when both precision and recall are relevant in the evaluation, and it is defined as follows:$$\begin{aligned} F1 = 2\frac{P\cdot R}{P+R} \end{aligned}$$
-
training duration: it represents the time required to perform ML algorithm training; as in the following we adopt fivefold cross-validation to perform algorithms evaluation, we show training duration as an averaged value across all the subsets used for algorithm training, i.e., it is evaluated on 1/5 of the entire dataset obtained with given values of T and \(\delta\).
-
test time: it is the time needed to perform classification of a single traffic window once the ML algorithm has been trained; note that, for each ML algorithm, test time value can vary with window duration T, but it is not affected by window sampling period \(\delta\).
5.3 ML Models Selection
Algorithm | Parameter | Tested values | Selected value |
---|---|---|---|
KNN | no. of neighbors K | {3, 4, 5, 6, 7, 8, 9, 10} | 3 |
neighbors weight | {uniform, distance-based} | uniform | |
RF | splitting criterium | {Gini, Entropy} | Gini |
no. of trees | {10, 20, 30, 40, 50, 60, 70, 80, 90, 100} | 10 | |
SVM | kernel | {sigmoid, rbf, polynomial} | rbf |
regul. param. C | {1, 10, \(10^2\), \(10^3\), \(10^4\)} | \(10^3\) | |
kernel coefficient \(\gamma\) | {\(10^{-4}\), \(10^{-3}\), \(10^{-2}\), \(10^{-1}\), 1} | \(10^{-2}\) | |
ANN | no. of hidden layers | {1,2} | 2 |
no. of neurons per layer | {5,10,11} | 10 | |
activation function | {sigmoid, relu, elu} | elu |
6 Numerical Results
6.1 ML Algorithms Performance Evaluation
Algorithm | \(\delta =0.01\) s | \(\delta =0.05\) s | \(\delta =0.1\) s | \(\delta =0.2\) s | \(\delta =0.5\) s |
---|---|---|---|---|---|
KNN | 0.153 | 0.03 | 0.015 | 0.009 | 0.009 |
RF | 1.003 | 0.236 | 0.154 | 0.126 | 0.128 |
SVM | 3.28 | 0.179 | 0.077 | 0.03 | 0.014 |
ANN | 10.303 | 6.784 | 5.289 | 5.239 | 5.278 |
Algorithm | Mean test time \((\upmu\)s) |
---|---|
KNN | 113.18 |
RF | 112.68 |
SVM | 1.75 |
ANN | 279.95 |
6.2 Standalone and Correlated DAD Architectures
6.3 Real-Time DAD with P4-Enabled Switches
-
\(t_1\): time needed by the P4 switch for packet processing, i.e., to elaborate packets and send traffic information for a single window to the attack detection module;
-
\(t_2\): time needed for window features extraction, either performed in the P4 switch or in the ML-assisted DAD module;
-
\(t_3\): time needed by the ML classifier to perform window classification, based on the extracted features.
RF | SVM | |||||
---|---|---|---|---|---|---|
\(t_1 (\upmu \text {s})\) | \(t_2\) (s) | \(t_3 (\upmu \text {s})\) | \(t_1 (\upmu \text {s})\) | \(t_2\) (s) | \(t_3 (\upmu \text {s})\) | |
Packet mirr. | 75 | 16.9 | 5.6 (5.7) | 75 | 16.3 | 14.4 (17) |
Header mirr. | 65 | 14.9 | 5.6 (5.7) | 65 | 14.3 | 14.4 (17) |
P4-metadata | 110 | 0 | 5.6 (5.7) | 110 | 0 | 14.4 (17) |