Introduction
A traditional IDS (Intrusion Detection System) costs too much time and bandwidth, so we use machine learning and a P4 switch to improve the efficiency of malware detection.
Fig. 1: IDS and P4-IDS
P4 Malware Detection
- A machine learning model identifies malware faster than a traditional IDS.
- A P4 switch is a programmable switch, so we can define the fields used for ML prediction.
- Combining the features of ML and P4, we propose P4 malware detection.
- The process is shown in Fig. 2.
Fig. 2: Flowchart of P4 Malware Detection
In-switch P4 Tofino ASIC pipeline side:
- Truncate packets and send the self-defined fields to the CPU for machine learning model prediction.
- Use one table to block malware.
In-switch x86 CPU platform side:
- Identify uncertain flows with the machine learning model.
  - Neural network (NN) for fast prediction
  - Details of the NN model are presented in Fig. 3.
  - Model accuracy: 99.6%
- Add/modify entries in the pipeline.
Fig. 3: NN Model (Accuracy: 99.6%)
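The split between the pipeline side and the CPU side, as an added Python simulation that is not code from the project or the paper: the pipeline stand-in looks up one verdict table, and on a miss it truncates the packet, hands the header bytes to the CPU side, and stores the returned verdict as a new entry. Assumptions: the truncated digest is the first 54 header bytes, a flow counts as uncertain until a table entry exists, the entry is installed synchronously, and placeholder_model is a constructed rule standing in for the NN, whose features the page does not list.

```python
import struct

DIGEST_LEN = 54  # assumed truncation point: Ethernet(14) + IPv4(20) + TCP(20)

def build_packet(src, dst, sport, dport, payload):
    """Constructed sample frame: Ethernet + IPv4 (no options) + TCP + payload."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes(src), bytes(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 8192, 0, 0)
    return eth + ip + tcp + payload

def flow_key(digest):
    """Extract the 5-tuple from header bytes (works on a truncated digest)."""
    src, dst = digest[26:30], digest[30:34]
    sport, dport = struct.unpack("!HH", digest[34:38])
    return (src, dst, sport, dport, digest[23])

class Pipeline:
    """Stand-in for the ASIC side: one verdict table plus truncate-to-CPU."""
    def __init__(self):
        self.table = {}        # flow key -> "drop" | "forward"
        self.bytes_to_cpu = 0  # what actually crosses to the CPU side

    def process(self, pkt, cpu):
        key = flow_key(pkt)
        if key in self.table:          # known flow: decided in the pipeline
            return self.table[key]
        digest = pkt[:DIGEST_LEN]      # uncertain flow: truncate before sending
        self.bytes_to_cpu += len(digest)
        self.table[key] = cpu(digest)  # CPU side adds the entry to the pipeline
        return self.table[key]

def placeholder_model(digest):
    """Assumption: constructed rule in place of the NN (port 4444 is arbitrary)."""
    return "drop" if flow_key(digest)[3] == 4444 else "forward"

def run_demo():
    pipe = Pipeline()
    bad = build_packet([10, 0, 0, 5], [192, 0, 2, 9], 40000, 4444, b"A" * 1000)
    ok = build_packet([10, 0, 0, 6], [192, 0, 2, 9], 40001, 443, b"B" * 1000)
    verdicts = [pipe.process(p, placeholder_model) for p in (bad, ok, bad, bad, ok)]
    return verdicts, pipe.bytes_to_cpu, 3 * len(bad) + 2 * len(ok)

if __name__ == "__main__":
    print(run_demo())
```

In this constructed run, 108 bytes reach the CPU side out of 5270 bytes of traffic, which is the bandwidth effect of truncating instead of mirroring full packets.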
Experiments
- Time saving:
  - It does not mirror packets to an external device.
  - ML model prediction is faster than a software IDS.
- Bandwidth saving:
  - The P4 switch truncates packets for the ML model.
- Comparison with a software IDS (Zeek):
  - Identification speed improves by about 200 times.
  - Response time improves by about 240 times.
Publication: H.-F. Chang, M. I.-C. Wang, C.-H. Hung, and C. H.-P. Wen, “Enabling Malware Detection with Machine Learning on Programmable Switch,” in NOMS 2022-2022 IEEE/IFIP Network Operations and Management Symposium, Apr. 2022, pp. 1–5. doi: 10.1109/NOMS54207.2022.9789939.