A NetFlow/IPFIX implementation with OpenFlow

Peer ReviewedPostprint (published version

Detecting cryptocurrency miners with NetFlow/IPFIX network measurements

In the last few years, cryptocurrency mining has become more and more important on the Internet activity and nowadays is even having a noticeable impact on the global economy. This has motivated the emergence of a new malicious activity called cryptojacking, which consists of compromising other machines connected to the Internet and leverage their resources to mine cryptocurrencies. In this context, it is of particular interest for network administrators to detect possible cryptocurrency miners using network resources without permission. Currently, it is possible to detect them using IP address lists from known mining pools, processing information from DNS traffic, or directly performing Deep Packet Inspection (DPI) over all the traffic. However, all these methods are still ineffective to detect miners using unknown mining servers or result too expensive to be deployed in real-world networks with large traffic volume. In this paper, we present a machine learning-based method able to detect cryptocurrency miners using NetFlow/IPFIX network measurements. Our method does not require to inspect the packets' payload; as a result, it achieves cost-efficient miner detection with similar accuracy than DPI-based techniques.This work has been supported by the Spanish MINECO under contract TEC2017-90034-C2-1-R (ALLIANCE).Peer ReviewedPostprint (author's final draft

Unveiling the potential of graph neural networks for robust intrusion detection

The last few years have seen an increasing wave of attacks with serious economic and privacy damages, which evinces the need for accurate Network Intrusion Detection Systems (NIDS). Recent works propose the use of Machine Learning (ML) techniques for building such systems (e.g., decision trees, neural networks). However, existing ML-based NIDS are barely robust to common adversarial attacks, which limits their applicability to real networks. A fundamental problem of these solutions is that they treat and classify flows independently. In contrast, in this paper we argue the importance of focusing on the structural patterns of attacks, by capturing not only the individual flow features, but also the relations between different flows (e.g., the source/destination hosts they share). To this end, we use a graph representation that keeps flow records and their relationships, and propose a novel Graph Neural Network (GNN) model tailored to process and learn from such graph-structured information. In our evaluation, we first show that the proposed GNN model achieves state-of-the-art results in the well-known CIC-IDS2017 dataset. Moreover, we assess the robustness of our solution under two common adversarial attacks, that intentionally modify the packet size and interarrival times to avoid detection. The results show that our model is able to maintain the same level of accuracy as in previous experiments, while state-of-the-art ML techniques degrade up to 50% their accuracy (F1-score) under these attacks. This unprecedented level of robustness is mainly induced by the capability of our GNN model to learn flow patterns of attacks structured as graphs.This publication is part of the Spanish I+D+i project TRAINER-A (ref. PID2020-118011GB-C21), funded by MCIN/AEI/10.13039/501100011033. This work is also partially funded by the Catalan Institution for Research and Advanced Studies (ICREA), and by the European Union’s Horizon 2020 research and innovation programme within the framework of the NGI-POINTER Project, funded under grant agreement No. 871528. This article reflects only the authors’ view; the European Commission is not responsible for any use that may be made of the information it contains.Peer ReviewedPostprint (published version

Unveiling the potential of Graph Neural Networks for network modeling and optimization in SDN

Network modeling is a critical component for building self-driving Software-Defined Networks, particularly to find optimal routing schemes that meet the goals set by administrators. However, existing modeling techniques do not meet the requirements to provide accurate estimations of relevant performance metrics such as delay and jitter. In this paper we propose a novel Graph Neural Network (GNN) model able to understand the complex relationship between topology, routing and input traffic to produce accurate estimates of the per-source/destination pair mean delay and jitter. GNN are tailored to learn and model information structured as graphs and as a result, our model is able to generalize over arbitrary topologies, routing schemes and variable traffic intensity. In the paper we show that our model provides accurate estimates of delay and jitter (worst case R2 = 0.86) when testing against topologies, routing and traffic not seen during training. In addition, we present the potential of the model for network operation by presenting several use-cases that show its effective use in per-source/destination pair delay/jitter routing optimization and its generalization capabilities by reasoning in topologies and routing schemes not seen during training.This work was supported by AGH University of Science and Technology grant, under contract no. 15.11.230.400, the Spanish MINECO under contract TEC2017-90034-C2-1-R (ALLIANCE) and the Catalan Institution for Research and Advanced Studies (ICREA). The research was also supported in part by PL-Grid Infrastructure.Peer ReviewedPostprint (author's final draft

RouteNet: leveraging graph neural networks for network modeling and optimization in SDN

© 2020 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other uses, in any current or future media, including reprinting/republishing this material for advertising or promotional purposes,creating new collective works, for resale or redistribution to servers or lists, or reuse of any copyrighted component of this work in other works.Network modeling is a key enabler to achieve efficient network operation in future self-driving Software-Defined Networks. However, we still lack functional network models able to produce accurate predictions of Key Performance Indicators (KPI) such as delay, jitter or loss at limited cost. In this paper we propose RouteNet, a novel network model based on Graph Neural Network (GNN) that is able to understand the complex relationship between topology, routing, and input traffic to produce accurate estimates of the per-source/destination per-packet delay distribution and loss. RouteNet leverages the ability of GNNs to learn and model graph-structured information and as a result, our model is able to generalize over arbitrary topologies, routing schemes and traffic intensity. In our evaluation, we show that RouteNet is able to predict accurately the delay distribution (mean delay and jitter) and loss even in topologies, routing and traffic unseen in the training (worst case MRE = 15.4%). Also, we present several use cases where we leverage the KPI predictions of our GNN model to achieve efficient routing optimization and network planning.This work was supported in part by the Polish Ministryof Science and Higher Education with the subvention funds of the Facultyof Computer Science, Electronics and Telecommunications, AGH University,in part by the Spanish MINECO under Contract TEC2017-90034-C2-1-R(ALLIANCE), in part by the Catalan Institution for Research and AdvancedStudies (ICREA) and the FI-AGAUR Grant by the Catalan Government, andin part by PL-Grid Infrastructure.Peer ReviewedPostprint (author's final draft

NetXplain: Real-time explainability of graph neural networks applied to computer networks

Recent advancements in Deep Learning (DL) have revolutionized the way we can efficiently tackle complex optimization problems. However, existing DL-based solutions are often considered as black boxes due to their high inner complexity. As a result, there is still certain skepticism among the computer network industry about their practical viability to operate data networks. In this context, explainability techniques have recently emerged to unveil why DL models make each decision. This paper focuses on Graph Neural Network (GNN) models applied to computer networks, which have already shown outstanding performance in different network optimization tasks. We thus present NetXplain, a novel real-time explainability solution that uses a GNN to interpret the output produced by another GNN. In the evaluation, we apply the proposed explainability method to RouteNet –a GNN model that predicts end-to-end performance metrics in computer networks. We show that NetXplain operates more than 3 orders of magnitude faster than state-of-the-art explainability solutions when applied to networks up to 24 nodes, which makes this solution compatible with real-time applications. Moreover, it demonstrated strong generalization capabilities over different network scenarios unseen during training.This work has received funding from the European Union’s Horizon 2020 research and innovation programme within the framework of the NGI-POINTER Project funded under grant agreement No. 871528. This paper reflects only the author’s view; the EC is not responsible for any use that may be made of the information it contains. This work was also supported by the Spanish MINECO under contract TEC2017-90034-C2-1-R (ALLIANCE) and the Catalan Institution for Research and Advanced Studies (ICREA).Peer ReviewedPostprint (published version

NetXplain: Real-time explainability of graph neural networks applied to networking

Recent advancements in Deep Learning (DL) have revolutionized the way we can efficiently tackle complex optimization problems. However, existing DL-based solutions are often considered as black boxes with high inner complexity. As a result, there is still certain skepticism among the networking industry about their practical viability to operate data networks. In this context, explainability techniques have recently emerged to unveil why DL models make each decision. This paper focuses on the explainability of Graph Neural Networks (GNNs) applied to networking. GNNs are a novel DL family with unique properties to generalize over graphs. As a result, they have shown unprecedented performance to solve complex network optimization problems. This paper presents NetXplain, a novel real-time explainability solution that uses a GNN to interpret the output produced by another GNN. In the evaluation, we apply the proposed explainability method to RouteNet, a GNN model that predicts end-to-end QoS metrics in networks. We show that NetXplain operates more than 3 orders of magnitude faster than state-of-the-art explainability solutions when applied to networks up to 24 nodes, which makes it compatible with real-time applications; while demonstrating strong capabilities to generalize to network scenarios not seen during training.This work has been supported by the Spanish MINECO under contract TEC2017‑90034‑C2‑1‑R (ALLIANCE) and the Catalan Institution for Research and Advanced Studies (ICREA).Peer ReviewedPostprint (published version

Fast traffic engineering by gradient descent with learned differentiable routing

Emerging applications such as the metaverse, telesurgery or cloud computing require increasingly complex operational demands on networks (e.g., ultra-reliable low latency). Likewise, the ever-faster traffic dynamics will demand network control mechanisms that can operate at short timescales (e.g., sub-minute). In this context, Traffic Engineering (TE) is a key component to efficiently control network traffic according to some performance goals (e.g., minimize network congestion).This paper presents Routing By Backprop (RBB), a novel TE method based on Graph Neural Networks (GNN) and differentiable programming. Thanks to its internal GNN model, RBB builds an end-to-end differentiable function of the target TE problem (MinMaxLoad). This enables fast TE optimization via gradient descent. In our evaluation, we show the potential of RBB to optimize OSPF-based routing (˜25% of improvement with respect to default OSPF configurations). Moreover, we test the potential of RBB as an initializer of computationally-intensive TE solvers. The experimental results show promising prospects for accelerating this type of solvers and achieving efficient online TE optimization.This work was supported by the Polish Ministry of Science and Higher Education with the subvention funds of the Faculty of Computer Science, Electronics and Telecommunications of AGH University and by the PL-Grid Infrastructure. Also, this publication is part of the Spanish I+D+i project TRAINER-A (ref. PID2020-118011GB-C21), funded by MCIN/ AEI/10.13039/501100011033. This work is also partially funded by the Catalan Institution for Research and Advanced Studies (ICREA) and the Secretariat for Universities and Research of the Ministry of Business and Knowledge of the Government of Catalonia and the European Social Fund.Peer ReviewedPostprint (author's final draft

Feature engineering for deep reinforcement learning based routing

Recent advances in Deep Reinforcement Learning (DRL) techniques are providing a dramatic improvement in decision-making and automated control problems. As a result, we are witnessing a growing number of research works that are proposing ways of applying DRL techniques to network-related problems such as routing. However, such proposals failed to achieve good results, often under-performing traditional routing techniques. We argue that successfully applying DRL-based techniques to networking requires finding good representations of the network parameters: feature engineering. DRL agents need to represent both the state (e.g., link utilization) and the action space (e.g., changes to the routing policy). In this paper, we show that existing approaches use straightforward representations that lead to poor performance. We propose a novel representation of the state and action that outperforms existing ones and that is flexible enough to be applied to many networking use-cases. We test our representation in two different scenarios: (i) routing in optical transport networks and (ii) QoS-aware routing in IP networks. Our results show that the DRL agent achieves significantly better performance compared to existing state/action representations.This work has been supported by the Spanish MINECO under contract TEC2017-90034-C2-1-R (ALLIANCE) and the Catalan Institution for Research and Advanced Studies (ICREA).Peer ReviewedPostprint (author's final draft

Towards more realistic network models based on Graph Neural Networks

Recently, a Graph Neural Network (GNN) model called RouteNet was proposed as an efficient method to estimate end-to-end network performance metrics such as delay or jitter, given the topology, routing, and traffic of the network. Despite its success in making accurate estimations and generalizing to unseen topologies, the model makes some simplifying assumptions about the network, and does not consider all the particularities of how real networks operate. In this work we extend the architecture of RouteNet to support different features on forwarding devices, specifically we focus on devices with variable queue sizes, and we experimentally evaluate the accuracy of the extended RouteNet architecture.This work was supported by the Spanish MINECO under contract TEC2017-90034-C2-1-R (ALLIANCE), the Catalan Institution for Research and Advanced Studies (ICREA), FI-AGAUR grant by the Catalan Government and the AGH University of Science and by the Polish Ministry of Science and Higher Education with the subvention funds of the Faculty of Computer Science, Electronics and Telecommunications of AGH University. The research was also supported in part by PL-Grid Infrastructure.Peer ReviewedPostprint (author's final draft