Intelligent In-Network Attack Detection on Programmable Switches With Soterv2

Published: 01 Jan 2025, Last Modified: 20 May 2025
IEEE Trans. Dependable Secur. Comput. 2025
License: CC BY-SA 4.0
Abstract: To improve the accuracy of network attack detection, recent work has proposed deep learning (DL) based detectors. Conventional DL-based solutions, however, are computation-intensive and have to be deployed on high-performance x86 servers, which is inefficient for large-scale networks. Unlike x86 servers, current programmable switches (P4 switches) support Tbps throughput and allow programmable logic inside the network, which makes them a promising alternative. We therefore present Soterv2, an intelligent in-network solution deployed on programmable switches. Soterv2 uses a two-phase detection approach. In the first phase, a P4 program running on the switch's Tofino ASIC filters malicious packets out of the bulk traffic. In the second phase, a DL-based inspection runs on the switch's CPU and thoroughly examines the filtered packets. To improve filtering performance, we embed a rule-based machine learning model, a decision tree, in a single match-action table of the P4 program. We also design a lightweight DL model, Branch Convolution Net, that runs in a multi-core fashion to speed up the thorough detection. In addition, Soterv2 coordinates distributed switches so that detection covers a large-scale network. Experiments demonstrate that Soterv2 behaves stably in eight network scenarios with different traffic rates (40/100 Gbps) and completes per-flow detection in 0.03 s.
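The abstract states that the decision tree is embedded in a single match-action table but does not spell out the encoding. The following is an added illustration, not code from the paper or from Soterv2, of the standard way this is done: every root-to-leaf path of the tree becomes one table entry whose key is an inclusive range per feature, so a single lookup replaces the traversal. The tree, its three features (`pkt_len`, `pkt_rate`, `syn_ratio`), the thresholds and the 16-bit field width are all constructed for the example; `range_to_prefixes` additionally shows how a range rule expands into (value, mask) ternary entries on a target whose tables match ternary rather than ranges, which is why table size depends on the match kind chosen.

```python
"""Flatten a small decision tree into one range-match rule table.

Added example with constructed features and thresholds; it is not the
encoding used by Soterv2, only one way to realise a tree in one table."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

FEATURES = ["pkt_len", "pkt_rate", "syn_ratio"]   # constructed per-flow features
FIELD_WIDTH = 16                                   # assumed width of each match field
FEATURE_MAX = (1 << FIELD_WIDTH) - 1


@dataclass
class Node:
    """Split node: go left if sample[feature] <= threshold, else right.
    A leaf has feature=None and carries the label (the table action)."""
    feature: Optional[str] = None
    threshold: int = 0
    left: Optional["Node"] = None
    right: Optional["Node"] = None
    label: Optional[str] = None


@dataclass
class Rule:
    """One table entry: an inclusive [lo, hi] range per feature plus an action."""
    ranges: Dict[str, Tuple[int, int]]
    label: str


# Constructed tree: high rate with a high SYN ratio -> syn_flood,
# high rate with tiny packets -> scan, everything else -> benign.
TREE = Node("pkt_rate", 1000,
            left=Node(label="benign"),
            right=Node("syn_ratio", 60,
                       left=Node("pkt_len", 100,
                                 left=Node(label="scan"),
                                 right=Node(label="benign")),
                       right=Node(label="syn_flood")))


def tree_predict(node: Node, sample: Dict[str, int]) -> str:
    """Reference traversal, used to check that the flattened table agrees."""
    while node.label is None:
        node = node.left if sample[node.feature] <= node.threshold else node.right
    return node.label


def tree_to_rules(node: Node,
                  ranges: Optional[Dict[str, Tuple[int, int]]] = None) -> List[Rule]:
    """Each root-to-leaf path becomes one rule: features tested on the path get
    their range narrowed, features never tested stay full-width wildcards."""
    if ranges is None:
        ranges = {f: (0, FEATURE_MAX) for f in FEATURES}
    if node.label is not None:
        return [Rule(dict(ranges), node.label)]
    lo, hi = ranges[node.feature]
    rules: List[Rule] = []
    left = dict(ranges)
    left[node.feature] = (lo, min(hi, node.threshold))
    if left[node.feature][0] <= left[node.feature][1]:   # drop unreachable paths
        rules += tree_to_rules(node.left, left)
    right = dict(ranges)
    right[node.feature] = (max(lo, node.threshold + 1), hi)
    if right[node.feature][0] <= right[node.feature][1]:
        rules += tree_to_rules(node.right, right)
    return rules


def table_lookup(rules: List[Rule], sample: Dict[str, int],
                 default: str = "benign") -> str:
    """Single-table lookup. Tree paths are disjoint, so at most one entry can
    match and entry priority is irrelevant; a miss takes the default action."""
    for rule in rules:
        if all(lo <= sample[f] <= hi for f, (lo, hi) in rule.ranges.items()):
            return rule.label
    return default


def range_to_prefixes(lo: int, hi: int, width: int = FIELD_WIDTH) -> List[Tuple[int, int]]:
    """Split an inclusive range into (value, mask) ternary entries, each an
    aligned power-of-two block, for targets without native range matching."""
    out = []
    while lo <= hi:
        step = 1
        while (lo % (step * 2) == 0 and lo + step * 2 - 1 <= hi
               and step * 2 <= (1 << width)):
            step *= 2
        out.append((lo, ((1 << width) - 1) & ~(step - 1)))
        lo += step
    return out


def ternary_entry_count(rule: Rule) -> int:
    """Ternary entries one range rule expands to: product over its fields."""
    n = 1
    for lo, hi in rule.ranges.values():
        n *= len(range_to_prefixes(lo, hi))
    return n


RULES = tree_to_rules(TREE)

if __name__ == "__main__":
    for r in RULES:
        print(r.label, r.ranges, "ternary entries:", ternary_entry_count(r))
```

The equivalence check (`table_lookup` versus `tree_predict` at every threshold boundary) is the test a practitioner wants before loading such entries: an off-by-one at a split turns into a misclassified flow on the data plane. The ternary expansion shows why the number of entries a tree needs depends on the match kind the table uses and not just on the number of leaves.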