FLAD: Adaptive Federated Learning for DDoS Attack Detection

Federated Learning (FL) has been recently receiving increasing consideration from the cybersecurity community as a way to collaboratively train deep learning models with distributed profiles of cyberthreats, with no disclosure of training data. Nevertheless, the adoption of FL in cybersecurity is still in its infancy, and a range of practical aspects have not been properly addressed yet. Indeed, the Federated Averaging algorithm at the core of the FL concept requires the availability of test data to control the FL process. Although this might be feasible in some domains, test network traffic of newly discovered attacks cannot be always shared without disclosing sensitive information. In this paper, we address the convergence of the FL process in dynamic cybersecurity scenarios, where the trained model must be frequently updated with new recent attack profiles to empower all members of the federation with latest detection features. To this aim, we propose FLAD (adaptive Federated Learning Approach to DDoS attack detection), a FL solution for cybersecurity applications based on an adaptive mechanism that orchestrates the FL process by dynamically assigning more computation to those members whose attacks profiles are harder to learn, without the need of sharing any test data to monitor the performance of the trained model. Using a recent dataset of DDoS attacks, we demonstrate that FLAD outperforms the original FL algorithm in terms of convergence time and accuracy across a range of unbalanced datasets of heterogeneous DDoS attacks. We also show the robustness of our approach in a realistic scenario, where we retrain the deep learning model multiple times to introduce the profiles of new attacks on a pre-trained model

Tracking Normalized Network Traffic Entropy to Detect DDoS Attacks in P4

Distributed Denial-of-Service (DDoS) attacks represent a persistent threat to modern telecommunications networks: detecting and counteracting them is still a crucial unresolved challenge for network operators. DDoS attack detection is usually carried out in one or more central nodes that collect significant amounts of monitoring data from networking devices, potentially creating issues related to network overload or delay in detection. The dawn of programmable data planes in Software-Defined Networks can help mitigate this issue, opening the door to the detection of DDoS attacks directly in the data plane of the switches. However, the most widely-adopted data plane programming language, namely P4, lacks supporting many arithmetic operations, therefore, some of the advanced network monitoring functionalities needed for DDoS detection cannot be straightforwardly implemented in P4. This work overcomes such a limitation and presents two novel strategies for flow cardinality and for normalized network traffic entropy estimation that only use P4-supported operations and guarantee a low relative error. Additionally, based on these contributions, we propose a DDoS detection strategy relying on variations of the normalized network traffic entropy. Results show that it has comparable or higher detection accuracy than state-of-the-art solutions, yet being simpler and entirely executed in the data plane.Comment: Accepted by TDSC on 24/09/202

Automatic Intent-Based Secure Service Creation Through a Multilayer SDN Network Orchestration

Growing traffic demands and increasing security awareness are driving the need for secure services. Current solutions require manual configuration and deployment based on the customer's requirements. In this work, we present an architecture for an automatic intent-based provisioning of a secure service in a multilayer - IP, Ethernet, and optical - network while choosing the appropriate encryption layer using an open-source software-defined networking (SDN) orchestrator. The approach is experimentally evaluated in a testbed with commercial equipment. Results indicate that the processing impact of secure channel creation on a controller is negligible. As the time for setting up services over WDM varies between technologies, it needs to be taken into account in the decision-making process.Comment: Parts of the presented work has received funding from the European Commission within the H2020 Research and Innovation Programme, under grant agreeement n.645127, project ACIN

Application-Centric Provisioning of Virtual Security Network Functions

Network Function Virtualization (NFV) enables flexible implementation and provisioning of network functions as virtual machines running on commodity servers. Due to the availability of multiple hosting servers, such network functions (also called Virtual Network Functions (VNFs)) can be placed where they are actually needed, dynamically migrated, duplicated, or deleted according to the current network requirements. However, the placement of VNFs within the physical network is one of the main challenges in the NFV domain as it has a critical impact on the performance of the network. In this work we focus on efficient placement of Virtual Security Network Functions (VSNFs), i.e. the placement of virtual network functions whose purpose is to prevent or mitigate network security threats. In this regard, we tackle the placement problem not only considering performance optimization aspects, but also trying to find solutions that are consistent from the security viewpoint. Specifically, the main contribution of this paper is the formulation of the placement problem by taking into account both Security and Quality of Service (QoS) requirements of user applications

Resource-aware Cyber Deception in Cloud-Native Environments

Cyber deception can be a valuable addition to traditional cyber defense mechanisms, especially for modern cloud-native environments with a fading security perimeter. However, pre-built decoys used in classical computer networks are not effective in detecting and mitigating malicious actors due to their inability to blend with the variety of applications in such environments. On the other hand, decoys cloning the deployed microservices of an application can offer a high-fidelity deception mechanism to intercept ongoing attacks within production environments. However, to fully benefit from this approach, it is essential to use a limited amount of decoy resources and devise a suitable cloning strategy to minimize the impact on legitimate services performance. Following this observation, we formulate a non-linear integer optimization problem that maximizes the number of attack paths intercepted by the allocated decoys within a fixed resource budget. Attack paths represent the attacker's movements within the infrastructure as a sequence of violated microservices. We also design a heuristic decoy placement algorithm to approximate the optimal solution and overcome the computational complexity of the proposed formulation. We evaluate the performance of the optimal and heuristic solutions against other schemes that use local vulnerability metrics to select which microservices to clone as decoys. Our results show that the proposed allocation strategy achieves a higher number of intercepted attack paths compared to these schemes while requiring approximately the same number of decoys

In-Network Volumetric DDoS Victim Identification Using Programmable Commodity Switches

Volumetric distributed Denial-of-Service (DDoS) attacks have become one of the most significant threats to modern telecommunication networks. However, most existing defense systems require that detection software operates from a centralized monitoring collector, leading to increased traffic load and delayed response. The recent advent of Data Plane Programmability (DPP) enables an alternative solution: threshold-based volumetric DDoS detection can be performed directly in programmable switches to skim only potentially hazardous traffic, to be analyzed in depth at the controller. In this paper, we first introduce the BACON data structure based on sketches, to estimate per-destination flow cardinality, and theoretically analyze it. Then we employ it in a simple in-network DDoS victim identification strategy, INDDoS, to detect the destination IPs for which the number of incoming connections exceeds a pre-defined threshold. We describe its hardware implementation on a Tofino-based programmable switch using the domain-specific P4 language, proving that some limitations imposed by real hardware to safeguard processing speed can be overcome to implement relatively complex packet manipulations. Finally, we present some experimental performance measurements, showing that our programmable switch is able to keep processing packets at line-rate while performing volumetric DDoS detection, and also achieves a high F1 score on DDoS victim identification.Comment: Accepted by IEEE Transactions on Network and Service Management Special issue on Latest Developments for Security Management of Networks and Service