P4-ONIDS: A P4-based NIDS optimized for constrained programmable data planes in SDN

  • Kairo Tavares PUCRS
  • Tiago Ferreto PUCRS

Abstract

Network Intrusion Detection Systems (NIDS) are one of the key defense mechanisms employed to detect and mitigate network-based threats. Several works have explored offloading NIDS pre-filtering capabilities to hardware platforms in order to reduce resource saturation and improve detection accuracy. Among them, network data plane solutions in SDN aim to leverage the hardware speed and the recent flexibility of programmable switches. However, those solutions are designed without considering a constrained data plane with limited table sizes and memory space, which reduces detection accuracy and leaves them vulnerable to buffer saturation attacks. This paper proposes P4-ONIDS, a solution that improves the parsing and compilation of NIDS rules for the data plane alongside sketch-based suspicious flow pre-filtering, while maintaining low resource usage and leveraging the hardware speed of the data plane. We evaluate the compiler and our pre-filtering data plane capabilities in an emulated environment using Mininet with Snort NIDS. Results show a more than 400x reduction in generated P4 rules. Some experiments reach an accuracy of approximately 90% while filtering 40% of packets.
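As an added illustration of the sketch-based suspicious flow pre-filtering the abstract describes (this is not the paper's code), the Python below emulates a count-min sketch over flow 5-tuples held in fixed-size tables, the way a constrained data plane would hold them in bounded register arrays, and forwards to the software NIDS only packets of flows whose estimated count reaches a threshold. The table dimensions, threshold and sample traffic are constructed assumptions.

```python
import hashlib

# Constructed sizes standing in for bounded register arrays on a constrained
# data plane (assumption: the paper's real dimensions and threshold differ).
ROWS = 3
WIDTH = 64
THRESHOLD = 5  # packets seen from a flow before it is handed to the NIDS


def _slot(row: int, key: str) -> int:
    """Per-row hash into the table, derived from a row-salted SHA-256 digest."""
    digest = hashlib.sha256(f"{row}:{key}".encode()).digest()
    return int.from_bytes(digest[:4], "big") % WIDTH


class CountMinPrefilter:
    """Count-min sketch keyed by flow 5-tuple: memory is fixed at ROWS*WIDTH
    counters no matter how many flows appear, which is the property a
    constrained data plane needs. Estimates may over-count on hash
    collisions but never under-count a flow."""

    def __init__(self) -> None:
        self.table = [[0] * WIDTH for _ in range(ROWS)]

    def update(self, key: str) -> int:
        """Increment every row's counter for key and return the new estimate."""
        counts = []
        for row in range(ROWS):
            self.table[row][_slot(row, key)] += 1
            counts.append(self.table[row][_slot(row, key)])
        return min(counts)

    def estimate(self, key: str) -> int:
        return min(self.table[row][_slot(row, key)] for row in range(ROWS))


def flow_key(pkt: dict) -> str:
    return "|".join(str(pkt[f]) for f in ("src", "dst", "sport", "dport", "proto"))


def prefilter(packets: list, threshold: int = THRESHOLD) -> list:
    """Return the packets the data plane would forward to the software NIDS:
    those belonging to a flow whose estimated count has reached the threshold."""
    sketch = CountMinPrefilter()
    return [p for p in packets if sketch.update(flow_key(p)) >= threshold]


# Constructed sample traffic: one chatty flow (8 packets) and four one-off flows.
CHATTY = {"src": "10.0.0.1", "dst": "10.0.0.9", "sport": 40000, "dport": 80, "proto": 6}
SAMPLE = [CHATTY] * 8 + [
    {"src": f"10.0.0.{i}", "dst": "10.0.0.9", "sport": 5000 + i, "dport": 22, "proto": 6}
    for i in range(2, 6)
]
```

Only the chatty flow's fifth and later packets are forwarded, so the NIDS sees 4 of the 12 packets while the sketch itself never grows beyond its 192 counters.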

Published

2021-08-16

TAVARES, Kairo; FERRETO, Tiago. P4-ONIDS: A P4-based NIDS optimized for constrained programmable data planes in SDN. In: BRAZILIAN SYMPOSIUM ON COMPUTER NETWORKS AND DISTRIBUTED SYSTEMS (SBRC), 39., 2021, Uberlândia. Anais [...]. Porto Alegre: Sociedade Brasileira de Computação, 2021. p. 434-447. ISSN 2177-9384. DOI: https://doi.org/10.5753/sbrc.2021.16738.