Tracking Normalized Network Traffic Entropy to Detect DDoS Attacks in P4

Abstract: Distributed Denial-of-Service (DDoS) attacks represent a persistent threat to modern telecommunications networks: detecting and counteracting them is still a crucial unresolved challenge for network operators. DDoS attack detection is usually carried out in one or more central nodes that collect significant amounts of monitoring data from networking devices, potentially creating issues related to network overload or delay in detection. The dawn of programmable data planes in Software-Defined Networks can help … Show more

“…However, the widely adopted data plane programming language, P4, lacks support for many arithmetic operations, limiting the straightforward implementation of advanced network monitoring functionalities required for DDoS detection. To address this limitation, Ding et al [7] present two novel strategies for flow cardinality and normalized network traffic entropy estimation, which rely solely on P4-supported operations and ensure low relative error. Building upon these contributions, the authors propose a DDoS detection strategy based on variations of normalized network traffic entropy.…”

“…The PoC illustrates how GRAPH4 can efficiently enhance network security by providing a holistic view of vulnerabilities and potential attack paths while monitoring and reacting in case of a detected attack. In terms of specific implementation choices, it combines high-level metrics on the controller by generating a MulVal AG to pinpoint the vulnerable hosts and P4NEntropy [7] on the data plane as a low-level metric to calculate the normalized entropy and detect ongoing anomalies.…”

“…The adopted low-level metric, P4NEntropy [7], estimates the normalized network traffic entropy in a given time interval, as described by Equation (3) in Section 2. It is implemented in P4, thus overcoming the lack of this language which does not natively support basic yet relevant arithmetic operations such as division, logarithm, and exponential function calculation as well as any operation on floating numbers or for loops.…”

“…P4DDoS is an application developed by the authors of [7] to trigger an alarm when the entropy metric P4NEntropy reaches a value crossing a given threshold. We modified the P4DDoS application to be compatible with GRAPH4 so as to be able to install the detection rules only for the vulnerable hosts that result from the AG.…”

“…DPP is the enabler of the solution we propose, i.e., the data plane can be programmed to gather information about the traffic or to process it. An example of offloading computation to the data plane to detect DDoS attacks is proposed by Ding et al [7].…”

GRAPH4: A Security Monitoring Architecture Based on Data Plane Anomaly Detection Metrics Calculated over Attack Graphs

“…However, the widely adopted data plane programming language, P4, lacks support for many arithmetic operations, limiting the straightforward implementation of advanced network monitoring functionalities required for DDoS detection. To address this limitation, Ding et al [7] present two novel strategies for flow cardinality and normalized network traffic entropy estimation, which rely solely on P4-supported operations and ensure low relative error. Building upon these contributions, the authors propose a DDoS detection strategy based on variations of normalized network traffic entropy.…”

“…The PoC illustrates how GRAPH4 can efficiently enhance network security by providing a holistic view of vulnerabilities and potential attack paths while monitoring and reacting in case of a detected attack. In terms of specific implementation choices, it combines high-level metrics on the controller by generating a MulVal AG to pinpoint the vulnerable hosts and P4NEntropy [7] on the data plane as a low-level metric to calculate the normalized entropy and detect ongoing anomalies.…”

“…The adopted low-level metric, P4NEntropy [7], estimates the normalized network traffic entropy in a given time interval, as described by Equation (3) in Section 2. It is implemented in P4, thus overcoming the lack of this language which does not natively support basic yet relevant arithmetic operations such as division, logarithm, and exponential function calculation as well as any operation on floating numbers or for loops.…”

“…P4DDoS is an application developed by the authors of [7] to trigger an alarm when the entropy metric P4NEntropy reaches a value crossing a given threshold. We modified the P4DDoS application to be compatible with GRAPH4 so as to be able to install the detection rules only for the vulnerable hosts that result from the AG.…”

“…DPP is the enabler of the solution we propose, i.e., the data plane can be programmed to gather information about the traffic or to process it. An example of offloading computation to the data plane to detect DDoS attacks is proposed by Ding et al [7].…”

GRAPH4: A Security Monitoring Architecture Based on Data Plane Anomaly Detection Metrics Calculated over Attack Graphs

DDoS Detection Method Based on Improved Generalized Entropy

Rational Identification of Suitable Classification Models for Detecting DDoS Attacks in Software-Defined Networks