Flowrest: Practical Flow-Level Inference in Programmable Switches with Random Forests

“…The communications between multiple actors deployed at different planes introduced by approaches such as those above ultimately translates into network overhead and delays that may significantly curb a fast response to attacks. Hence, we propose to reduce the latency in attack detection and response by exploiting the recent advancements in in-switch inference [14]- [20] to perform those tasks directly in the user plane. Figure 1 also illustrates how our framework would perform the separation of benign and malicious traffic directly in the switch, leaving to the controller the only task of modifying the security policies after the attack has been detected.…”

“…We employ the Scikit-Learn libraries [21] to train Random Forest (RF) models on historical traffic measured in the target network and provided in the form of packet capture (pcap) files. We opt for RF models as they have been repeatedly proven to suit well the architecture of programmable switches [14]- [20].…”

“…Once the final RF model has been identified and trained, we deploy it into the programmable switch. Specifically, we employ the first stage of the Henna model [14] to map the trained RF model onto the Protocol Independent Switch Architecture (PISA) adopted by modern programmable switch ASICs. The mapping is based on that originally proposed by Planter [18], whose code was not available at the time of writing.…”

“…The mapping relies on generating a codeword which embeds the paths to be taken in each tree of the RF model, and is matched against a final set of tables, one per tree, associating each possible codeword (i.e., path) to the classification result Thus, once it has traversed all M/A stages, the packet is tagged with a class by each tree. We refer the reader to [14] and Planter [18] for full details.…”

Fast Detection of Cyberattacks on the Metaverse through User-plane Inference

“…The communications between multiple actors deployed at different planes introduced by approaches such as those above ultimately translates into network overhead and delays that may significantly curb a fast response to attacks. Hence, we propose to reduce the latency in attack detection and response by exploiting the recent advancements in in-switch inference [14]- [20] to perform those tasks directly in the user plane. Figure 1 also illustrates how our framework would perform the separation of benign and malicious traffic directly in the switch, leaving to the controller the only task of modifying the security policies after the attack has been detected.…”

“…We employ the Scikit-Learn libraries [21] to train Random Forest (RF) models on historical traffic measured in the target network and provided in the form of packet capture (pcap) files. We opt for RF models as they have been repeatedly proven to suit well the architecture of programmable switches [14]- [20].…”

“…Once the final RF model has been identified and trained, we deploy it into the programmable switch. Specifically, we employ the first stage of the Henna model [14] to map the trained RF model onto the Protocol Independent Switch Architecture (PISA) adopted by modern programmable switch ASICs. The mapping is based on that originally proposed by Planter [18], whose code was not available at the time of writing.…”

“…The mapping relies on generating a codeword which embeds the paths to be taken in each tree of the RF model, and is matched against a final set of tables, one per tree, associating each possible codeword (i.e., path) to the classification result Thus, once it has traversed all M/A stages, the packet is tagged with a class by each tree. We refer the reader to [14] and Planter [18] for full details.…”

Fast Detection of Cyberattacks on the Metaverse through User-plane Inference

P4Rex: Accelerating regular expression matching with programmable switches

On DGA Detection and Classification Using P4 Programmable Switches