DOI: 10.1145/3680121.3697807
short-paper
Open access

iGuard: Efficient Isolation Forest Design for Malicious Traffic Detection in Programmable Switches

Published: 09 December 2024

Abstract

Deploying machine learning (ML) models in programmable switch data planes facilitates low latency and high throughput traffic inference at line speed. However, data planes pose significant constraints due to the limited memory and minimal support for mathematical operations and data types. As a result, the only unsupervised ML models implemented in data planes to date are Isolation Forests (iForests). However, conventional iForest models yield suboptimal malicious traffic detection performance in various traffic use cases. To address this limitation, this paper proposes iGuard, the first iForest implementation that can accurately detect malicious traffic by incorporating the "knowledge" of more powerful autoencoders. We deploy iGuard in the form of a small set of whitelist rules that could be easily installed in the switch data planes. We implement iGuard using the P4 language, and assess its performance in an experimental platform based on Intel Tofino switches. Upon evaluating iGuard on various attack traffic use cases, our model can improve accuracy up to 48.3% while maintaining a similar or lower switch memory footprint over previous approaches to implement iForest models in real-world equipment.
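The abstract states that iGuard ships its isolation forest to the switch as a small set of whitelist rules. The following is an added illustration, not iGuard's or the paper's code, of how a single isolation tree can be flattened into such range rules: each leaf's path length (depth plus the standard unsplit-leaf adjustment c(n) from Liu et al.) decides whether the feature ranges leading to it are whitelisted as "normal". The tree, feature names and thresholds are constructed for the example; the real system's distillation from autoencoders and its multi-tree scoring are not shown.

```python
import math
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Range = Tuple[int, int]  # inclusive [lo, hi] on an integer feature

@dataclass
class Node:
    feature: Optional[str] = None  # None means leaf
    threshold: int = 0             # go left if value <= threshold
    left: Optional["Node"] = None
    right: Optional["Node"] = None
    size: int = 1                  # training samples that reached a leaf

def c(n: int) -> float:
    """Average path length of an unsuccessful BST search (Liu et al. 2008),
    used to credit unsplit leaves holding n samples."""
    if n <= 1:
        return 0.0
    if n == 2:
        return 1.0
    return 2.0 * (math.log(n - 1) + 0.5772156649) - 2.0 * (n - 1) / n

def collect(node: Node, bounds: Dict[str, Range], depth: int,
            min_path: float, out: List[Dict[str, Range]]) -> None:
    if node.feature is None:
        # Points isolated near the root are anomalies; only leaves with a
        # long enough path become whitelist (normal-traffic) rules.
        if depth + c(node.size) >= min_path:
            out.append(dict(bounds))
        return
    lo, hi = bounds[node.feature]
    left_b = dict(bounds, **{node.feature: (lo, min(hi, node.threshold))})
    right_b = dict(bounds, **{node.feature: (max(lo, node.threshold + 1), hi)})
    collect(node.left, left_b, depth + 1, min_path, out)
    collect(node.right, right_b, depth + 1, min_path, out)

def tree_to_whitelist(root: Node, feature_bounds: Dict[str, Range],
                      min_path: float) -> List[Dict[str, Range]]:
    rules: List[Dict[str, Range]] = []
    collect(root, feature_bounds, 0, min_path, rules)
    return rules

def is_whitelisted(rules: List[Dict[str, Range]], sample: Dict[str, int]) -> bool:
    """Switch-style match: a flow passes if any rule covers all its features."""
    return any(all(lo <= sample[f] <= hi for f, (lo, hi) in r.items()) for r in rules)

# Constructed toy tree: large packets are isolated at depth 1 (anomalous),
# small packets split further on inter-arrival time and form dense leaves.
TOY_TREE = Node("pkt_len", 100,
                left=Node("iat_ms", 50, left=Node(size=40), right=Node(size=10)),
                right=Node(size=1))
BOUNDS = {"pkt_len": (0, 1500), "iat_ms": (0, 10000)}
RULES = tree_to_whitelist(TOY_TREE, BOUNDS, min_path=4.0)
```

With `min_path=4.0` the right-hand leaf (path length 1.0) is excluded, so only the two small-packet leaves become whitelist entries.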


Published In

CoNEXT '24: Proceedings of the 20th International Conference on emerging Networking EXperiments and Technologies, December 2024, 80 pages. ISBN: 9798400711084. DOI: 10.1145/3680121. This work is licensed under a Creative Commons Attribution International 4.0 License.

Publisher: Association for Computing Machinery, New York, NY, United States

Author Tags

1. intrusion/anomaly detection
2. machine learning
3. network security
4. programmable switches
5. software defined networking

Qualifiers: Short paper

Funding Sources: National Security Council Secretariat, India

Conference: CoNEXT '24

Acceptance Rates: Overall Acceptance Rate 198 of 789 submissions, 25%
