Multi-step Attack Detection and Mitigation Enhancing In-Network Flow Classification


Bibliographic Details
Published in: International Conference on Advanced Communication Technologies and Networking (Online), pp. 1-10
Main Authors: Hardegen, Christoph; Rieger, Sebastian; Geier, Timo
Format: Conference Proceeding
Language: English
Published: IEEE, 12.12.2022
ISSN: 2771-7402
DOI: 10.1109/CommNet56067.2022.9993965

Summary: Recent in-network flow classification methods can run within the data plane of network switches, allowing intrusion detection at line rate. Although this enables fine-grained, scalable and timely analysis, the outcomes remain subject to uncertainty, aggravated by limited data plane resources and the language constraints of the respective data plane programs, and hence carry a higher risk of misclassification. Countering these deficiencies by leveraging the greater computational capabilities at the CPU level of the switches helps to obtain more sophisticated analysis decisions. However, exporting metadata for packet streams from the data plane into the network operating system space for downstream analysis introduces additional delay and is also limited in the amount of data that can be shared if processing is to remain scalable. To address this trade-off, a certainty-based approach is proposed that selectively combines the advantages of lower latency and data locality in the data plane with the higher computational power and analysis complexity available in the operating system. To this end, a two-tier flow classification method integrates initial in-network inference on early subflow metadata with advanced decision support provided by a subsequent machine learning-based analysis step. In addition, load and flow monitoring is employed to track long-lived and voluminous heavy hitters, supporting a flow detour and throttling mechanism that helps control the volume and velocity of suspicious packet streams. Evaluations show that, first, the cooperative use of both traffic classification steps improves accuracy while providing scalable, timely and certain decisions. Second, the steps considered for handling potentially malicious heavy hitters allow traffic control to reduce negative impacts on benign flows.