Euclid: A Fully In-Network, P4-Based Approach for Real-Time DDoS Attack Detection and Mitigation

Ilha, Alexandre da Silveira; Lapolli, Angelo Cardoso; Marques, Jonatas Adilson; Gaspary, Luciano Paschoal

doi:10.1109/tnsm.2020.3048265

Cited by 37 publications

(17 citation statements)

References 40 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…Moreover, authors of [36] presented an alternative model for the coordination of stateful switches. In [37], authors leveraged P4 to enable traffic inspection for realtime attack detection, whereas authors of [38] adopt P4 language and statistical models based on IP address entropy to distinguish between legitimate and attack traffic. Similarly, in [39], authors implemented a P4 strategy to contrast TCP flood port scan attacks and evaluated this strategy in both a P4-enabled software switch and a FPGA.…”

Section: Related Workmentioning

confidence: 99%

Machine-Learning-Enabled DDoS Attacks Detection in P4 Programmable Networks

et al. 2021

View full text Add to dashboard Cite

Distributed Denial of Service (DDoS) attacks represent a major concern in modern Software Defined Networking (SDN), as SDN controllers are sensitive points of failures in the whole SDN architecture. Recently, research on DDoS attacks detection in SDN has focused on investigation of how to leverage data plane programmability, enabled by P4 language, to detect attacks directly in network switches, with marginal involvement of SDN controllers. In order to effectively address cybersecurity management in SDN architectures, we investigate the potential of Artificial Intelligence and Machine Learning (ML) algorithms to perform automated DDoS Attacks Detection (DAD), specifically focusing on Transmission Control Protocol SYN flood attacks. We compare two different DAD architectures, called Standalone and Correlated DAD, where traffic features collection and attack detection are performed locally at network switches or in a single entity (e.g., in SDN controller), respectively. We combine the capability of ML and P4-enabled data planes to implement real-time DAD. Illustrative numerical results show that, for all tested ML algorithms, accuracy, precision, recall and F1-score are above 98% in most cases, and classification time is in the order of few hundreds of $$\upmu \text {s}$$ μ s in the worst case. Considering real-time DAD implementation, significant latency reduction is obtained when features are extracted at the data plane by using P4 language. Graphic Abstract

show abstract

Section: Related Workmentioning

confidence: 99%

Machine-Learning-Enabled DDoS Attacks Detection in P4 Programmable Networks

et al. 2021

View full text Add to dashboard Cite

show abstract

“…Preconditions/ Postconditions [123] OFDP vulnerable BFD [125] Fake packet-in Switch port association with host MAC [135] Lack of packet-in message authentication Independent hardware implementation [136] DoS attacks Statistics [137] DoS attacks Protocol-independent defense framework [128] Spoofing and DoS attacks ACL / Machine learning [155] Spoofing Route and Dos attacks Traffic statistics [138] DDoS attacks Entropy [140] DoS attacks Entropy [141] DoS attacks Traffic statistics [142] DDoS attacks KPCA+GA+ Machine learning [143] DDoS attacks Blockchain [144] Lack of P2P traffic identification Machine learning [145] HTTP DDoS attacks Entropy + Hardware [149] DDoS attacks PCA [150] DDoS attacks EWMA [151] DDoS attacks Snort IDS [152] DDoS attacks Machine learning [153] DDoS attacks Deep Learning [154] DDoS attacks Entropy / Machine learning [156] Inference attacks Randomization of network attributes/ Rate-limiting + Proactive rules Rate-limiting + Proxy [160] DoS attacks (LDoS) Statistics / LRU [130] Inference attacks Routing aggregation / TCAM + SRAM [161], [162] Lack of network client access control EAP / RADIUS [163] Lack of network client access control EAPoL / RADIUS [164] DoS attacks Blockchain + Hardware [129] SYN flooding and ARP spoofing attacks SYN/ACK and ACK/FIN packets' ratio / P4 cache [165] Traffic overload / Latency App+P4 [166] Traffic overload Snort IPS + P4 [167] DDoS attacks P4+Entropy+FSM [168] Lack of link protection between stateful switches MACsec [169] States exchange between stateful switches Digital signatures [170] Link floo...…”

Section: ) Stateful Data Planementioning

confidence: 99%

“…Ilha et al [167] present a proposal to detect and mitigate DDoS attacks in stateful environments with P4. For detection, the authors use entropy, whereas for mitigation, they use finite-state machine FSM.…”

Section: ) Stateful Data Planementioning

confidence: 99%

A Survey of the Main Security Issues and Solutions for the SDN Architecture

et al. 2021

View full text Add to dashboard Cite

The software-defined networking (SDN) paradigm proposes the decoupling of control and data planes and a centralized software-oriented management approach based on a central controller, easing the development of new applications and services. These design principles pave the way for a more flexible, fast, and dynamic software-controlled network. However, in terms of security, the elements that comprise the SDN architecture present several vulnerabilities, which could be exploited by attackers to carry out malicious actions and thus affect the network and its services. Although for several years, some studies have already focused on identifying the weaknesses of the SDN layer structure, the nature of the attacks, and possible solutions for this paradigm, the literature contains few contributions that review and discuss this topic in an integral fashion. This paper provides a comprehensive, updated, and detailed review of the main security issues and mitigating measures for all layers and interfaces of the SDN architecture, classifying the contributions according to the STRIDE threat modeling methodology categories. Finally, this manuscript identifies, discusses, and synthesizes open challenges and future research directions in this area.

show abstract

“…The use of Machine Learning techniques for the reconfiguration of SDN networks is widely used in today literature, both for cybersecurity-oriented solutions for attack mitigation [2], [3], [4], and for QoS guarantee by redistributing the workload traffic [5], [6], [7]. The main issue in using AI for DDoS detection is the challenge to provide a detailed and meaningful traffic analysis for anomaly detection at line rate.…”

Section: Introductionmentioning

confidence: 99%