28 research outputs found

    Incremental High Throughput Network Traffic Classifier

    Today’s network traffic is dynamic and fast. Conventional network traffic classification based on flow features and data mining is not able to process traffic efficiently. A hardware-based network traffic classifier is needed to be adaptable to dynamic network state and to provide accurate and updated classification at high speed. In this paper, a hardware architecture of an online incremental semi-supervised algorithm is proposed. The hardware architecture is designed such that it is suitable to be incorporated in the NetFPGA reference switch design. The experimental results on real datasets show that with only 10% of labeled data, the proposed architecture can perform online classification of network traffic at 1Gbps bitrate with 91% average accuracy without losing any flows.

    Traffic classification and management based flow statistics netfpga

    The internet bandwidth increased significantly over the past years but the problem of network bandwidth management remained a key issue. One of the major problems associated with bandwidth management is network bottleneck, which is the overcapacity of network traffic due to abnormal application bandwidth usage. With the release of new applications every year, especially P2P applications that require high bandwidth, effective network management has become even more important. Congestion can be caused inside a network by numerous flows and high bandwidth applications that may dominate the total bandwidth allocation, affecting normal users. This report presents an approach to detect and manage high bandwidth traffic flows in a congested network, providing fair bandwidth usage to normal users and restricting bandwidth-heavy applications. Flow statistics information is used for classification of network traffic by applying k-means clustering. An inline rate-limiter technique based on queue management is used for controlling high bandwidth flows. The proposed traffic shaping method queues the header packets of flows that are classified as high bandwidth flows. These modules are integrated into the NetFPGA platform, where decision making is carried out with minimal intervention of network administrators by only updating the classifier model when accuracy falls below a threshold line. It ensures zero intrusion of user privacy and at the same time it is able to reduce the high bandwidth rate, providing fair network usage for home users.

    Fast Packet Processing on High Performance Architectures

    The rapid growth of the Internet and the fast emergence of new network applications have brought great challenges and complex issues in deploying high-speed and QoS guaranteed IP networks. For this reason packet classification and network intrusion detection have assumed a key role in modern communication networks in order to provide QoS and security. In this thesis we describe a number of the most advanced solutions to these tasks. We introduce NetFPGA and Network Processors as reference platforms both for the design and the implementation of the solutions and algorithms described in this thesis. The rise in link capacity reduces the time available to network devices for packet processing. For this reason, we show different solutions which, either by heuristic and randomization or by smart construction of state machines, allow IP lookup, packet classification and deep packet inspection to be fast in real devices based on high speed platforms such as NetFPGA or Network Processors.

    A Survey on Data Plane Programming with P4: Fundamentals, Advances, and Applied Research

    With traditional networking, users can configure control plane protocols to match the specific network configuration, but without the ability to fundamentally change the underlying algorithms. With SDN, the users may provide their own control plane, that can control network devices through their data plane APIs. Programmable data planes allow users to define their own data plane algorithms for network devices including appropriate data plane APIs which may be leveraged by user-defined SDN control. Thus, programmable data planes and SDN offer great flexibility for network customization, be it for specialized, commercial appliances, e.g., in 5G or data center networks, or for rapid prototyping in industrial and academic research. Programming protocol-independent packet processors (P4) has emerged as the currently most widespread abstraction, programming language, and concept for data plane programming. It is developed and standardized by an open community and it is supported by various software and hardware platforms. In this paper, we survey the literature from 2015 to 2020 on data plane programming with P4. Our survey covers 497 references of which 367 are scientific publications. We organize our work into two parts. In the first part, we give an overview of data plane programming models, the programming language, architectures, compilers, targets, and data plane APIs. We also consider research efforts to advance P4 technology. In the second part, we analyze a large body of literature considering P4-based applied research. We categorize 241 research papers into different application domains, summarize their contributions, and extract prototypes, target platforms, and source code availability. Comment: Submitted to IEEE Communications Surveys and Tutorials (COMS) on 2021-01-2

    Impact of Packet Inter-arrival Time Features for Online Peer-to-Peer (P2P) Classification

    Identification of bandwidth-heavy Internet traffic is important for network administrators to throttle high-bandwidth application traffic. Flow-feature-based classification has been previously proposed as a promising method to identify Internet traffic based on packet statistical features. The selection of statistical features plays an important role for accurate and timely classification. In this work, we investigate the impact of the packet inter-arrival time feature for online P2P classification in terms of accuracy, Kappa statistic and time. Simulations were conducted using available traces from University of Brescia, University of Aalborg and University of Cambridge. Experimental results show that the inclusion of inter-arrival time (IAT) as an online feature increases simulation time and decreases classification accuracy and Kappa statistic.

    Distributed Network Monitoring for Distributed Denial of Service Attacks Detection and Prevention

    There are two main categories of Distributed Denial of Service (DDoS) attacks that are capable of disrupting the daily operations of internet users and these are the low and high rate DDoS attacks. The detection and prevention of DDoS attacks is a very important aspect in network security in ensuring that the operations of businesses, communication, and educational facilities operate efficiently without disruptions. Over the years, many DDoS attacks detection systems have been proposed. These detection systems have focused more on obtaining high accuracy, reduction of false alarm rates and simplification of detection systems. However, less attention has been given to the computational costs of detection systems (processing power requirements and memory consumptions), early detection and flexibility in their deployment to support the different needs of networks and distributed monitoring approaches. The focus of this thesis is to investigate the use of a robust feature selection approach and machine learning classifiers to develop useful DDoS detection architectures for fast, effective, and efficient DDoS attacks detection to achieve high performance at low computational cost. To achieve this, a lightweight software architecture which is simple in design using minimal number of network flow features for distinguishing normal from DDoS attack network flows is proposed. The architecture is based on the Decision-Tree (DT) classifier and distinguishes DDoS attack from normal traffic network flows with a detection accuracy of over 99.9% when evaluated with up-to-date DDoS attack datasets. In addition, it can flexibly be deployed in a real-time network environment and at different network nodes to meet the needs of the network being monitored creating an avenue for distributed monitoring. 
Also, the use of minimal network flow features selected through a robust features selection approach results in a massive reduction in memory requirements when compared to traditional systems. Results from the software implementation of the architecture indicated that it uses just 7% processing power of a core of the detection system’s CPU in offline mode and provides no additional overhead to the monitored network. However, software applications for distinguishing normal from DDoS attack traffic are struggling to cope with the ever-increasing complexity and intensity of DDoS attack traffic. This increased workload ranges from the capturing and processing of millions of packets per second to classification of thousands of network flows per second which is evident in some of the most recent DDoS attacks faced by a variety of companies. To cope with this workload, a hardware accelerated hybrid network monitoring application is proposed. The proposed application is capable of fast network flows classification by leveraging the hardware parallel processing characteristics of a Field Programmable Gate Array (FPGA) whilst using a software application in the CPU for the network flow pre-processing required for classification. The hybrid system is capable of distinguishing DDoS attacks from normal network traffic flows with a detection accuracy of over 98% when deployed in a real-time environment under different network traffic conditions with detection in 1µs which is over thirty times faster than the software implementation of the architecture. The hardware accelerated application was implemented in the Zynq-7000 All Programmable SoCs ZedBoard which can monitor up to 1Gbps line rate. 
The evaluation results and findings from analysis of the experimental results of the hardware accelerated application provide some important insights in improving the programmability, overall performance, scalability, and flexibility in deployment of the detection system across a network for accurate and early DDoS attack detection. In the final part of this thesis, the use of distributed network monitoring is explored with the implementation of the lightweight DDoS attacks detection architecture using Network Simulator 3 (NS-3). The systems are distributed at different parts of a network and results from the approach indicated that effective implementation of distributed network monitoring systems dramatically reduces the effect of DDoS attack to a minimal on the target network or network node.