Neural-Network Based Malware Detection on P4 Switch-温宏斌

Introduction

Traditional intrusion detection systems (IDS) cost too much time and bandwidth, so we use machine learning and a P4 switch to improve the efficiency of malware detection.

Fig. 1: IDS and P4-IDS

P4 Malware Detection

  • A machine learning model identifies malware faster than a traditional IDS.
  • A P4 switch is programmable, so we can define the fields used for ML prediction.
  • Combining the features of ML and P4, we propose P4 malware detection.
  • The process is shown in Fig. 2.

Fig. 2: Flowchart of P4 Malware Detection

 

In-switch P4 Tofino ASIC Pipeline side:

  • Truncate each packet and send the self-defined fields to the CPU for machine learning model prediction.
  • One table blocks the malware.

In-switch x86 CPU Platform side:

  • Identify the uncertain flows with the machine learning model.
    • Neural network (NN) for fast prediction
    • Details of the NN model are presented in Fig. 3
    • Model accuracy: 99.6%
  • Add/modify entries in the pipeline

Fig. 3: NN Model (Accuracy: 99.6%)
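
The split between the pipeline side and the CPU side can be sketched as a small simulation. This is an added example, not code from the paper or the project. The three-value feature vector, the network weights, the "allow" entries, and forwarding a flow while it is still uncertain are all assumptions made for illustration.

```python
import math

# Hypothetical toy model: weights are constructed, not trained and not from the paper.
W1 = [[2.0, -1.0, 0.5], [-1.5, 1.0, 1.0]]   # hidden layer, 2 ReLU units
B1 = [0.0, 0.0]
W2 = [1.5, -2.0]                             # output layer, sigmoid
B2 = -0.25
THRESHOLD = 0.5                              # assumed decision threshold

def nn_score(x):
    """Forward pass of the toy network; returns the malicious probability."""
    hidden = [max(0.0, sum(w * v for w, v in zip(row, x)) + b)
              for row, b in zip(W1, B1)]
    z = sum(w * h for w, h in zip(W2, hidden)) + B2
    return 1.0 / (1.0 + math.exp(-z))

class Switch:
    def __init__(self):
        self.table = {}       # flow key -> "drop" | "allow"; stands in for the P4 table
        self.cpu_queue = []   # truncated digests sent to the x86 CPU

    def pipeline(self, pkt):
        """Pipeline side: enforce known verdicts, punt a digest for uncertain flows."""
        verdict = self.table.get(pkt["flow"])
        if verdict == "drop":
            return "drop"
        if verdict is None:
            # Truncation: only the self-defined fields go to the CPU, never the payload.
            self.cpu_queue.append({"flow": pkt["flow"], "fields": pkt["fields"]})
        return "forward"

    def control_plane(self):
        """CPU side: classify queued digests, then add/modify table entries."""
        while self.cpu_queue:
            d = self.cpu_queue.pop(0)
            bad = nn_score(d["fields"]) >= THRESHOLD
            self.table[d["flow"]] = "drop" if bad else "allow"

def demo():
    sw = Switch()
    # Constructed sample packets (documentation IP ranges, made-up feature values).
    a = {"flow": ("10.0.0.5", "203.0.113.9", 6, 49152, 443),
         "fields": [0.9, 0.1, 1.0], "payload": b"\x00" * 1400}
    b = {"flow": ("10.0.0.7", "198.51.100.2", 6, 49153, 80),
         "fields": [0.1, 0.9, 0.0], "payload": b"\x00" * 1400}
    first = [sw.pipeline(a), sw.pipeline(b)]    # both uncertain: digests punted
    punted = [sorted(d) for d in sw.cpu_queue]  # keys actually sent to the CPU
    sw.control_plane()
    later = [sw.pipeline(a), sw.pipeline(b)]    # verdicts now enforced in the pipeline
    return first, punted, later, len(sw.cpu_queue)
```

After the first packet of a flow has been classified, later packets are handled entirely by the table lookup and nothing more is queued for the CPU.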

Experiments

  • Time saving:
    • It does not mirror packets to an external device.
    • ML model prediction is faster than a software IDS.
  • Bandwidth saving:
    • The P4 switch truncates packets for the ML model.
  • Comparison with a software IDS (Zeek):
    • Identification speed improves by about 200 times.
    • Response time improves by about 240 times.

 

Publication: H.-F. Chang, M. I.-C. Wang, C.-H. Hung, and C. H.-P. Wen, “Enabling Malware Detection with Machine Learning on Programmable Switch,” in NOMS 2022-2022 IEEE/IFIP Network Operations and Management Symposium, Apr. 2022, pp. 1–5. doi: 10.1109/NOMS54207.2022.9789939.