820 research outputs found
Flow caching for high entropy packet fields
Packet classification on general purpose CPUs remains expensive regardless of advances in classification algorithms. Unless the packet forwarding pipeline is both simple and static in function, fine-tuning the system for optimal forwarding is a time-consuming and brittle process. Network virtualization and network function virtual-ization value general purpose CPUs exactly for their flexibility: in such systems, a single x86 forwarding element does not implement a single, static classification step but a sequence of dynamically reconfigurable and potentially complex forwarding operations. This leaves a software developer looking for maximal packet forwarding throughput with few options besides flow caching. In this paper, we consider the problem of flow caching and more specifically, how to cache forwarding decisions that depend on packet fields with high entropy (and therefore, change often); to this end, we arrive at algorithms that allow us to efficiently compute near optimal flow cache entries spanning several transport connections, even if forwarding decisions depend on transport protocol headers. Categories and Subject Descriptor
Dataplane Specialization for High-performance OpenFlow Software Switching
OpenFlow is an amazingly expressive dataplane program-
ming language, but this expressiveness comes at a severe
performance price as switches must do excessive packet clas-
sification in the fast path. The prevalent OpenFlow software
switch architecture is therefore built on flow caching, but
this imposes intricate limitations on the workloads that can
be supported efficiently and may even open the door to mali-
cious cache overflow attacks. In this paper we argue that in-
stead of enforcing the same universal flow cache semantics
to all OpenFlow applications and optimize for the common
case, a switch should rather automatically specialize its dat-
aplane piecemeal with respect to the configured workload.
We introduce ES WITCH , a novel switch architecture that
uses on-the-fly template-based code generation to compile
any OpenFlow pipeline into efficient machine code, which
can then be readily used as fast path. We present a proof-
of-concept prototype and we demonstrate on illustrative use
cases that ES WITCH yields a simpler architecture, superior
packet processing speed, improved latency and CPU scala-
bility, and predictable performance. Our prototype can eas-
ily scale beyond 100 Gbps on a single Intel blade even with
complex OpenFlow pipelines
The Challenges in SDN/ML Based Network Security : A Survey
Machine Learning is gaining popularity in the network security domain as many
more network-enabled devices get connected, as malicious activities become
stealthier, and as new technologies like Software Defined Networking (SDN)
emerge. Sitting at the application layer and communicating with the control
layer, machine learning based SDN security models exercise a huge influence on
the routing/switching of the entire SDN. Compromising the models is
consequently a very desirable goal. Previous surveys have been done on either
adversarial machine learning or the general vulnerabilities of SDNs but not
both. Through examination of the latest ML-based SDN security applications and
a good look at ML/SDN specific vulnerabilities accompanied by common attack
methods on ML, this paper serves as a unique survey, making a case for more
secure development processes of ML-based SDN security applications.Comment: 8 pages. arXiv admin note: substantial text overlap with
arXiv:1705.0056
Real Time Packet Classification and Analysis based on Bloom Filter for Longest Prefix Matching
Packet classification is an enabling function in network and security systems; hence, hardware-based solutions, such as TCAM (Ternary Content Addressable Memory), have been extensively adopted for high-performance systems. With the expeditious improvement of hardware architectures and burgeoning popularity of multi-core multi-threaded processors, decision-tree based packet classification algorithms such as HiCuts and HyperCuts are grabbing considerable attention, outstanding to their flexibility in satisfying miscellaneous industrial requirements for network and security systems. For high classification speed, these algorithms internally use decision trees, whose size increases exponentially with the ruleset size; consequently, they cannot be used with a large rulesets. However, these decision tree algorithms involve complicated heuristics for concluding the number of cuts and fields. Moreover, ?xed interval-based cutting not depicting the actual space that each rule covers is defeasible and terminates in a huge storage requirement. We propose a new packet classification that simultaneously supports high scalability and fast classification performance by using Bloom Filter. Bloom uses hash table as a data structure which is an efficient data structure for membership queries to avoid lookup in some subsets which contain no matching rules and to sustain high throughput by using Longest Prefix Matching (LPM) algorithm. Hash table data structure which improves the performance by providing better boundaries on the hash collisions and memory accesses per search. The proposed classification algorithm also shows good scalability, high classification speed, irrespective of the number of rules. Performance analysis results show that the proposed algorithm enables network and security systems to support heavy traffic in the most effective manner
Machine Learning DDoS Detection for Consumer Internet of Things Devices
An increasing number of Internet of Things (IoT) devices are connecting to
the Internet, yet many of these devices are fundamentally insecure, exposing
the Internet to a variety of attacks. Botnets such as Mirai have used insecure
consumer IoT devices to conduct distributed denial of service (DDoS) attacks on
critical Internet infrastructure. This motivates the development of new
techniques to automatically detect consumer IoT attack traffic. In this paper,
we demonstrate that using IoT-specific network behaviors (e.g. limited number
of endpoints and regular time intervals between packets) to inform feature
selection can result in high accuracy DDoS detection in IoT network traffic
with a variety of machine learning algorithms, including neural networks. These
results indicate that home gateway routers or other network middleboxes could
automatically detect local IoT device sources of DDoS attacks using low-cost
machine learning algorithms and traffic data that is flow-based and
protocol-agnostic.Comment: 7 pages, 3 figures, 3 tables, appears in the 2018 Workshop on Deep
Learning and Security (DLS '18
Reducing Router Forwarding Table Size Using Aggregation and Caching
The fast growth of global routing table size has been causing concerns that the Forwarding Information Base (FIB) will not be able to fit in existing routers\u27 expensive line-card memory, and upgrades will lead to a higher cost for network operators and customers. FIB Aggregation, a technique that merges multiple FIB entries into one, is probably the most practical solution since it is a software solution local to a router, and does not require any changes to routing protocols or network operations. While previous work on FIB aggregation mostly focuses on reducing table size, this work focuses on algorithms that can update compressed FIBs quickly and incrementally. Quick updates are critical to routers because they have very limited time to process routing updates without impacting packet delivery performance. We have designed three algorithms: FIFA-S for the smallest table size, FIFA-T for the shortest running time, and FIFA-H for both small tables and short running time, and operators can use the one best suited to their needs. These algorithms significantly improve over existing work in terms of reducing routers\u27 computation overhead and limiting impact on the forwarding plane while maintaining a good compression ratio. Another potential solution is to install only the most popular FIB entries into the fast memory (e.g., an FIB cache), while storing the complete FIB in slow memory. In this paper, we propose an effective FIB caching scheme that achieves a considerably higher hit ratio than previous approaches while preventing the cache-hiding problem. Our experimental results using data traffic from a regional network show that with only 20K prefixes in the cache (5.36% of the actual FIB size), the hit ratio of our scheme is higher than 99.95%. Our scheme can also efficiently handle cache misses, cache replacement and routing updates
- …