Professional Documents
Culture Documents
Abstract—The growth in scale and capacity of networks in Zeek [5]. As an alternative to searching against a list of
recent years leads to challenges of positioning and scalability of signatures (as used in a signature-based IDS), anomalies are
Intrusion Detection Systems (IDS). With the flexibility afforded detected by comparing traffic statistics to those of previously
by programmable dataplanes, it is now possible to perform a new
level of intrusion detection in switches themselves. We present seen activities. However, this behaviour would be challenging
P4ID, combining a rule parser, stateless and stateful packet to implement in a packet-forwarding environment such as P4.
processing using P4, and evaluate it using publicly available Intrusion Detection Systems can also act as Intrusion Pre
datasets. We show that using this technique, we can achieve a vention Systems (IPS). In these instances, traffic is forwarded
significant reduction in traffic being processed by an IDS.
via, instead of mirrored to, the IDS. Packets are then inspected
I. I NTRODUCTION and either forwarded to their original destination, modified in
some way or dropped completely. When acting as an IPS,
With the advent of Software-Defined Networking, both new there is an inherent overhead in terms of latency, as packets
opportunities and challenges arise. Since the initial publication pass via the IPS to be processed before being forwarded on to
of OpenFlow [1] in 2008, a number of supporting projects have
their original destination. P4ID looks to bring some of these
emerged, eventually leading to P4 [2], a language and set of as benefits without introducing the same overheads.
sociated specifications for programming the behaviour of net
work devices. Conceptually similar to the Active Networks [3] B. P4 and the Stateful Dataplane
of the late 1990s, P4 brings a new level of flexibility into the
packet forwarding process, by programmatically exposing the Whilst OpenFlow provides a means for exposing the control
data-plane. plane of a network, it focuses on fixed-function data-planes.
In this paper, we present P4ID, an implementation in P4 As a result, there are a number of versions of OpenFlow, with
to reduce the processing power required by an IDS for a functionality differing between versions. This can harm inter
given size of network. To achieve this, we combine rule- operability of controllers and applications using OpenFlow.
sets designed for traditional Intrusion Detection Systems, such P4 takes these concepts further by providing a language
as Snort [4] and apply pre-filtering in the dataplane. This and set of specifications for defining the packet forwarding
technique allows for the handling of packets in the network behaviour of network devices. The language is centred on
itself, without the direct involvement of the IDS. Our results the combination of programmable parsers and match-action
show that we achieve up to a 75% reduction in the amount of tables, with both the structure of the tables and the behaviour
traffic being processed by the IDS. of their actions being programmer-defined. A key part of the
language is that, as used by our implementation, stateful packet
II. B a c k g r o u n d a n d Re l a t ed Wo r k processing can be achieved in the data-plane. In OpenFlow,
A. Intrusion Detection stateful processing without controller intervention is minimal.
By using state at this level, it is possible to change forwarding
Intrusion Detection is a long-studied field [4] [5], with
behaviour without controller intervention, providing a low
appliances traditionally situated at ingress into a network. As
latency response and less load on the controller itself.
networks continue to grow in scale, the amount of traffic an
IDS has to process increases proportionally, as they typically
C. SDN-based Security
consume a mirrored copy of network traffic.
Intrusion Detection is usually categorised as using either Previous work, including OpenSAFE [6] and FRESCO [7],
signature-based or anomaly-based detection. A signature- has aimed to facilitate building new monitoring frameworks,
based IDS consumes a list of rules describing various packet whilst work including PSI [8] and TENNISON [9] focuses on
characteristics. These characteristics include IP addresses, providing a security framework and policy management based
ports, protocols, flow-establishment characteristics, as well around OpenFlow networks. Whilst both offer flexibility and
as packet payload contents. Pre-assembled rule sets are of customisable policy, they are still bound by the capabilities of
ten available, either under a public license or commercially. OpenFlow switches, relying on a combination with virtualised
Anomaly based detection is used by platforms such as network services to achieve the goals of their implementation.
III. I m p l e m e n t a t io n o f P4ID
The final stage of rule generation takes the intermediate
A. Architecture representation and produces individual table entries to be
To realise the benefits of a programmable network for installed.
intrusion detection, we propose P4ID, an architecture to reduce C. P4 Pipeline
the processing load on traditional IDS, by placing additional
pre-filtering into network switches. This filtering allows traffic 1) Stateless Stage: The stateless stage of the P4 pipeline
to bypass an IDS where possible, whilst maintaining adequate formed the basis for our initial implementation. This
levels of detection. P4ID is comprised of two key components: influenced the subsequent stateful stage, which is discussed in
the Rule Parser and the P4 implementation. The Rule Parser Section IV. We first implemented a layer 2/3 hybrid switch in
consumes rules made for the popular Snort IDS and produces P4, capable of parsing as far as the transport layer. Our parser
table entries than can be installed into the P4 pipeline. stores source and destination TCP/UDP ports in metadata
Within the P4 implementation, there are two distinguishing fields, allowing one table to cover both protocols. We then
components, namely the stateless and stateful pipeline stages. add an additional table, the rule table. We use guarding logic
Our work and analysis of results from the stateless stage led to ensure that this table is only applied if the packet is TCP,
us to develop the stateful stage. ICMP or UDP. This table contains the following fields: Source
IP, Destination IP, Source Port, Destination Port, Protocol
and where relevant, TCP flags. We use ternary matching
B. Rule Parser
with this table, which better maps to switch hardware and
The Rule Parser, written in Golang [15], takes rules in brings other benefits, including allowing a single rule to cover
the Snort format and translates them into table entries to be multiple protocols, specifying IP subnets, ranges of ports and
installed into P4 switches. This is necessary to allow them individual TCP flags. If a packet matches against a rule in
to be mapped into match-action tables for the P4 v1model this table, it can either be dropped, forwarded normally or
architecture. forwarded to the IDS.
The parser follows a number of stages: the first stage is
searching the rule-set for any rules which cannot be easily 2) Stateful Stage: Our work with the stateless stage high
represented in P4 match-action tables, notably those using lighted some key challenges, which are discussed in detail in
logical NOT match criteria. NOTs add processing complexity, Section IV. One of these challenges was that a significant
which does not readily map into a P4 pipeline. proportion of traffic involves well-known or system ports.
The second stage generates a list of individual intermediate This can reduce the efficacy of pre-filtering. We propose that
rules: these are generated based on the use of environment combining a stateful stage (for well-known ports) with our
variables, used to represent local networks, service ports stateless stage (for traffic from other ports), allows us to exploit
(HTTP) etc. These rules contain fields that are then stripped the benefits of both approaches. To achieve this, we instead
out, such as alert messages and payload signatures. These forward the first N packets of new flows to the IDS. N can
fields build on the traditional 5-tuple by also taking into be defined on a per-port basis, as well as the timeout that is
account the state of a flow and TCP flags. used. Three tables are used in order to implement this, along
We use this intermediate stage to search for duplicate rules, with two registers.
as these can cause a table entry conflict when trying to install The first two tables match on source and destination ports
the rules into a switch. For the purposes of this work, we respectively. Each table is populated by the controller with a
consider a duplicate rule as any rule matching the same 7 list of ports o f interest. We use two tables, as the P4 behavioral
tuple criteria. model does not support applying the same table twice, and
2019 IEEE Conference on Network Function Virtualization and Software Defined Networks (NFV-SDN)
100000 80.00%
90000
D a ta se t D a ta se t
я % of U n filte re d S ize % of U n filte re d D e te c tio n s
eS nort A le rts P4 F i l t e r e d S n o rt A le r ts
Fig. 2. Filtered vs uniiltered: Snort Alerts Fig. 3. Stateful filtering percentage of original traffic and detections
For the results shown, we use a timeout of 100ms per flow, [4] M. Roesch e t a l , "Snort: Lightweight intrusion detection for
with the first 100 packets being sent to the IDS. networks.." in L isa , vol. 99. 1999, pp. 229-238.
In the best case, with stateful filtering applied, we detect [5] V. Paxson. "Bro: A system for detecting network intruders in
real-time." C o m p u te r n e tw o r k s , vol. 31. no. 23-24. pp. 2435-
75% of attack signatures, whilst only requiring 50% of traffic 2463. 1999.
to be forwarded. In other cases, the minimum we achieve is a [6] J. R. Ballard e t a l,, "Extensible and scalable network moni
better than 1:1 ratio of detections to traffic. toring using opensafe.," in In m /w re n , 2010.
[7] S. W. Shin e t a l , "Fresco: Modular composable security ser
V. F u t u r e W ork and C onclusions vices for software-defined networks." in 2 0 th A n n u a l N e tw o r k
& D is tr ib u te d S y ste m S e c u r ity S y m p o siu m , Ndss. 2013.
In this work, we present a new approach in filtering for
[8] T. Yu e t a l , "PSI: Precise Security Instrumentation for Enter
intrusion detection by using a P4 stateful dataplane to proac prise Networks." 2017. D O I : 10.14722/ndss.2017.23200.
tively detennine whether traffic should be forwarded to an [9] L. Fawcett e t a l , "Tennison: A Distributed SDN Framework
intrusion detection system. We highlight the relative strengths for Scalable Network Security." IE E E J o u r n a l o n S e le c te d
of our approach in tenns of traffic reduction, whilst preserving A r e a s in C o m m u n ic a tio n s , vol. 36. pp. 2805-2818. 2018. I S S N :
0733-8716. D O I : 10.1109/jsac.2018.2871313.
fidelity in tenns of signatures detected.
[10] P. Võrõs e t a l , "Security middleware programming using p4,"
Future work includes combining this approach with feed in In te r n a tio n a l C o n feren c e o n H u m a n A s p e c ts o f In fo r m a tio n
back from the IDS. That is, parsing Snort logs to generate S ecu rity, P riva c y, arid T ru st, Springer. 2016. pp. 277-287.
table entries to either allow a high-speed bypass, or to force [11] C.-H. He e t a l , "A zero flow entry expiration timeout p4
traffic in a given flow to continue going via the IDS. This switch." in P r o c e e d in g s o f th e S y m p o siu m on S D N R e se a rc h ,
ACM. 2018. p. 19.
would allow us to tune the response and flow timeouts based
[12] R. Datta e t a l , "P4guard: Designing p4 based firewall." in
on network conditions. Another element of future work will be M I L C O M 2 0 1 8 -2 0 1 8 I E E E M ilita r y C o m m u n ic a tio n s C o n fe r -
to rate limiting traffic to the IDS. With the stateful processing e n c e (M I L C O M ), IEEE. 2018. pp. 'l-6.
afforded, there are also meters that can be used. In this case, [13] G. K. Ndonda e t a l , "A two-level intrusion detection system
these could be used to actively prevent overloading of the IDS for industrial control system networks using p4," in P r o c e e d -
in g s o f th e 5 th In te r n a tio n a l S y m p o s iu m f o r I C S & S C A D A
in high-traffic situations.
C y b e r S e c u r ity R e s e a r c h , 2018. pp. 31-40.
R eferences [14] r '.-H. Hwang e t a l , pp. 168-173. 2018. D O I : 10.1109/1-SPAN.
2018.00035. [Online], Available: https://doi.org/10.1109/I-
[1] N. McKeown e t a l , "Openflow: Enabling innovation in cam
SPAN.2018.00035.
pus networks." S IG C O M M C o m p u t. C o m m u n , R ev., vol. 38. [15] I. Meyerson. "The go programming language." IE E E so ftw a re ,
no. 2. pp. 69-74. Mar. 2008. I S S N : 0146-4833. D O I : 10.1145/
vol. 31. no. 5. pp. 104-104, 2014
1355734.1355746. [Online], Available: http://doi.acm.org/10. [16] I. Sharafaldin e t a l , "Toward generating a new intrusion
1145/1355734.1355746.
detection dataset and intrusion traffic characterization.." in
[2] P. Bosshart e t a l , "P4: Programming protocol-independent IC IS S P , 2018. pp. 108-116.
packet processors." S IG C O M M C o m p u t. C o m m u n , R ev.,
[17] E m e rg in g th re a ts r u le s e t fa q . [Online], Available: https://docs.
vol. 44. no. 3. pp. 87-95. Jul. 2014. I S S N : 0146-4833. D O I : emergingthreats.net/bin/view/Main/EmergingFAQ.
10.1145/2656877.2656890. [Online], Available: http://doi.
[18] S. Onion. S e c u r ity o n io n . [Online], Available: https :/ /
acm.org/10.1145/2656877.2656890. securityonion.net/.
[3] K. Psounis. "Active networks: Applications, security, safety,
[19] S n o r t ru le s d o w n lo a d , [Online], Available: https://www.snort.
and architectures." IE E E C o m m u n ic a tio n s S u rv e y s & T u to ria ls, org/downloads/#rule-downloads.
vol. 2. 1999. I S S N : 1553-877x. D O I : 10.11097comst. 1999.
5340509.