Title: A Robust Counting Sketch for Data Plane Intrusion Detection
Authors: S. Kim, Changhun Jung, Rhongho Jang, David A. Mohaisen, Daehun Nyang
Venue: Proceedings 2023 Network and Distributed System Security Symposium
DOI: 10.14722/ndss.2023.23102 (https://doi.org/10.14722/ndss.2023.23102)
Citations: 0
Abstract
Demands are increasing to measure per-flow statistics in the data plane of high-speed switches. However, the resource constraint of the data plane is the biggest challenge. Although existing in-data-plane solutions improve memory efficiency by accommodating the Zipfian distribution of network traffic, they cannot adapt to various flow size distributions due to their static data structure. In other words, they cannot provide robust flow measurement under complex traffic patterns (e.g., under attacks). Recent works suggest dynamic data structure management schemes, but their high complexity is the major obstruction to data plane deployment. In this paper, we present the Count-Less (CL) sketch, which enables robust and accurate network measurement under a wide variety of traffic distributions without dynamic data structure updates. Count-Less adopts a novel sketch update strategy, called minimum update (CL-MU), which approximates the conservative update strategy of Count-Min in a form that fits in-network switches. Both a theoretical proof of CL-MU's estimation and comprehensive experimental results are presented, covering the estimation accuracy and throughput of CL-MU compared to Count-Min (baseline), Elastic sketch, and FCM sketch. More specifically, experimental results on security applications, including estimation errors under various skewness parameters, are provided. CL-MU is much more accurate in all measurement tasks than Count-Min and outperforms FCM sketch and Elastic sketch, the state-of-the-art algorithms, without the help of any special hardware such as TCAM. To prove its feasibility in the data plane of a high-speed switch, a CL-MU prototype on an ASIC-based programmable switch (Tofino) is implemented in the P4 language and evaluated. In terms of data plane latency, CL-MU is faster than FCM, while consuming fewer resources such as hash bits, SRAM, and ALUs.
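The abstract positions CL-MU as an approximation of Count-Min's conservative update rule and evaluates it under varying skew. The following added example is not the paper's code and does not implement CL-MU itself (the abstract does not specify it); it implements the Count-Min baseline next to the conservative-update variant that CL-MU approximates, and runs both over a constructed Zipf-like packet stream with a skew parameter sweep so the accuracy difference under different distributions can be seen. The sketch dimensions, the SHA-256-based row hash, the flow keys and the stream are all assumptions made for the example.

```python
import hashlib
import random
from collections import Counter


def bucket(key, row, width):
    """Row-specific hash of a flow key into [0, width). Deterministic, assumed for the example."""
    digest = hashlib.sha256(f"{row}:{key}".encode()).digest()
    return int.from_bytes(digest[:8], "big") % width


class CountMin:
    """Count-Min sketch with either the standard or the conservative update rule."""

    def __init__(self, width, depth, conservative=False):
        self.width = width
        self.depth = depth
        self.conservative = conservative
        self.table = [[0] * width for _ in range(depth)]

    def _cells(self, key):
        return [(row, bucket(key, row, self.width)) for row in range(self.depth)]

    def update(self, key, count=1):
        cells = self._cells(key)
        if not self.conservative:
            # Standard update: every hashed counter grows by count.
            for row, col in cells:
                self.table[row][col] += count
            return
        # Conservative update: the new estimate is (old minimum + count); counters
        # already at or above that value are left untouched, which limits over-counting
        # caused by hash collisions with other flows.
        target = min(self.table[row][col] for row, col in cells) + count
        for row, col in cells:
            if self.table[row][col] < target:
                self.table[row][col] = target

    def estimate(self, key):
        return min(self.table[row][col] for row, col in self._cells(key))


def zipf_stream(n_flows, n_packets, alpha, seed=7):
    """Constructed packet stream: flow i is drawn with weight proportional to 1/(i+1)^alpha."""
    rng = random.Random(seed)
    keys = [f"flow-{i}" for i in range(n_flows)]
    weights = [1.0 / (i + 1) ** alpha for i in range(n_flows)]
    return rng.choices(keys, weights=weights, k=n_packets)


def compare(stream, width=64, depth=3):
    """Feed one stream into both variants and report the average relative error per flow."""
    truth = Counter(stream)
    plain = CountMin(width, depth)
    cons = CountMin(width, depth, conservative=True)
    for key in stream:
        plain.update(key)
        cons.update(key)

    def are(sketch):
        return sum(abs(sketch.estimate(k) - truth[k]) / truth[k] for k in truth) / len(truth)

    return {
        "flows": len(truth),
        "are_plain": are(plain),
        "are_conservative": are(cons),
        # Both variants only ever over-estimate; conservative never exceeds standard.
        "never_undershoot": all(cons.estimate(k) >= truth[k] for k in truth),
        "conservative_le_plain": all(cons.estimate(k) <= plain.estimate(k) for k in truth),
    }


def sweep(alphas=(0.5, 1.0, 1.5), n_flows=2000, n_packets=20000):
    """Repeat the comparison for several skewness parameters (heavier skew as alpha grows)."""
    return {alpha: compare(zipf_stream(n_flows, n_packets, alpha)) for alpha in alphas}


if __name__ == "__main__":
    for alpha, r in sweep().items():
        print(f"alpha={alpha}: flows={r['flows']} ARE plain={r['are_plain']:.3f} "
              f"conservative={r['are_conservative']:.3f}")
```

The sketch is deliberately undersized (192 counters for up to 2000 flows) so that collisions dominate and the benefit of the conservative rule is visible; the same comparison with a wider table shows both variants converging on the true counts. The conservative rule needs a read-compare-write across all rows for every packet, which is exactly the dependency the abstract says is hard to realise in a switch pipeline and which CL-MU's minimum update is designed to approximate.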