DOI: 10.1145/3630047.3630251
Short paper, open access

Poster: P4DME: DNS Threat Mitigation with P4 In-Network Machine Learning Offload

Published: 06 December 2023

Abstract

The ever-evolving cybersecurity landscape demands innovative solutions to safeguard critical network infrastructure such as the Domain Name System (DNS). This paper presents P4DME, a novel approach that combines Machine Learning (ML) with P4 programmable switches to tackle DNS threats efficiently. P4DME's primary benefit is that the switch filters traffic before it reaches the resource-intensive ML processing on dedicated servers. This offloading raises the total traffic throughput that can be inspected, or achieves the same throughput with fewer resources, while preserving the servers' capacity for high-performance threat identification. P4-based in-network elements handle crucial DNS threats, dynamic white- and blacklisting, and an online popularity-based anomaly detection heuristic; the heuristic serves as the trigger for dedicated ML-based inspection. Furthermore, we introduce in-network mitigation filters updated through the control plane to provide adaptable and responsive threat mitigation. Preliminary simulation results show an offload ratio above 99.9% at a 5% increase in False Negative Ratio.
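To make the division of labour in the abstract concrete, here is a small simulation of the pipeline it describes: the switch drops blocklisted domains, forwards allowlisted or popular names without inspection, escalates only rare names to the ML server, and the control plane turns verdicts into filter updates. This is example code added for this page, not the authors' P4 program or simulator. The count-min sketch standing in for switch register arrays, the choice to key popularity on the registered domain, the character-entropy score standing in for the trained ML model, the stage order, and the query stream (including the attacker-controlled softcdn.net names and the malicious labels) are all constructed assumptions. It also shows where the higher false-negative ratio the abstract reports comes from: once an attacker's domain has become "popular", further names under it bypass inspection.

```python
"""Constructed simulation of a P4DME-style DNS filtering pipeline.

Example code added for this page, not the authors' P4 program or simulator.
Everything here is an assumption made to illustrate the architecture in the
abstract: the stage order (blocklist, allowlist, popularity trigger), the
count-min sketch used as the switch's popularity counter, keying it on the
registered domain, and the entropy score that stands in for the ML classifier
on the inspection server.
"""
import hashlib
import math
from collections import Counter


class CountMinSketch:
    """Fixed-size frequency estimator, the kind of structure that fits in
    switch register arrays where a per-name hash table would not."""

    def __init__(self, depth=4, width=1024):
        self.depth, self.width = depth, width
        self.rows = [[0] * width for _ in range(depth)]

    def _cells(self, key):
        for i in range(self.depth):
            digest = hashlib.blake2b(key.encode(), digest_size=8, salt=bytes([i])).digest()
            yield i, int.from_bytes(digest, "big") % self.width

    def add(self, key):
        for i, col in self._cells(key):
            self.rows[i][col] += 1

    def estimate(self, key):
        return min(self.rows[i][col] for i, col in self._cells(key))


def registered_domain(qname):
    """Last two labels (assumption: the switch carries no public-suffix list)."""
    return ".".join(qname.lower().rstrip(".").split(".")[-2:])


class DataPlane:
    """Match-action stages the switch applies to every DNS query."""

    def __init__(self, popular_after=3):
        self.blocklist = set()          # registered domains to drop
        self.allowlist = set()          # exact qnames cleared by the ML server
        self.popularity = CountMinSketch()
        self.popular_after = popular_after

    def process(self, qname):
        domain = registered_domain(qname)
        if domain in self.blocklist:
            return "drop"
        self.popularity.add(domain)
        if qname in self.allowlist or self.popularity.estimate(domain) >= self.popular_after:
            return "forward"            # known-good or popular: never reaches the ML server
        return "inspect"                # rare domain: anomaly trigger, escalate to ML


def label_entropy(label):
    counts, n = Counter(label), len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def ml_verdict(qname, threshold=3.0):
    """Stand-in for the ML classifier (assumption): malicious if any non-TLD
    label looks DGA- or tunnel-like by character entropy."""
    labels = qname.lower().rstrip(".").split(".")[:-1]
    return any(label_entropy(l) >= threshold for l in labels if l)


class ControlPlane:
    """Turns ML verdicts into filter updates pushed back to the switch."""

    def __init__(self, switch):
        self.switch = switch

    def on_verdict(self, qname, malicious):
        if malicious:
            self.switch.blocklist.add(registered_domain(qname))  # dynamic blacklisting
        else:
            self.switch.allowlist.add(qname)                     # dynamic whitelisting


# Constructed query stream: (qname, is_malicious). The softcdn.net entries are an
# attacker warming up a domain with benign-looking lookups, then tunnelling data
# in high-entropy labels under it once the domain counts as popular.
STREAM = [
    ("www.example.com", False), ("www.google.com", False), ("mail.google.com", False),
    ("api.github.com", False), ("www.example.com", False), ("www.wikipedia.org", False),
    ("docs.google.com", False), ("static.github.com", False), ("www.github.com", False),
    ("en.wikipedia.org", False),
    ("xk3q9vz2mt.info", True), ("xk3q9vz2mt.info", True),
    ("www.softcdn.net", False), ("api.softcdn.net", False), ("cdn.softcdn.net", False),
    ("4f9a2c7e1b8d3g6h.softcdn.net", True), ("9b2d6f1a8c3e5g7h.softcdn.net", True),
    ("1c3e5g7a9b2d4f6h.softcdn.net", True),
    ("www.example.com", False), ("p7w2rx9kqz.biz", True), ("p7w2rx9kqz.biz", True),
    ("www.google.com", False), ("docs.google.com", False), ("en.wikipedia.org", False),
    ("api.github.com", False),
]


def run(stream=STREAM, popular_after=3):
    """Replay the stream through switch + ML + control plane; report the offload
    ratio and the false-negative ratio against sending every query to ML."""
    switch = DataPlane(popular_after)
    ctrl = ControlPlane(switch)
    inspected = missed = 0
    malicious_total = sum(1 for _, bad in stream if bad)
    baseline_missed = sum(1 for q, bad in stream if bad and not ml_verdict(q))
    for qname, bad in stream:
        action = switch.process(qname)
        if action == "inspect":
            inspected += 1
            caught = ml_verdict(qname)
            ctrl.on_verdict(qname, caught)
        else:
            caught = action == "drop"
        if bad and not caught:
            missed += 1
    return {
        "offload_ratio": 1 - inspected / len(stream),
        "fnr_offload": missed / malicious_total,
        "fnr_ml_everywhere": baseline_missed / malicious_total,
        "blocklist": sorted(switch.blocklist),
    }


if __name__ == "__main__":
    for key, value in run().items():
        print(f"{key}: {value}")
```

On this 25-query stream the switch sends 11 queries to the ML stand-in (offload ratio 0.56) and misses 3 of the 7 malicious ones, all of them tunnel labels under softcdn.net after its third lookup, whereas sending every query to ML misses none. The 99.9% offload at a 5% FNR increase in the abstract comes from a far larger stream with a long benign tail; the point here is only how the two ratios are computed and that the popularity trigger is what an attacker will try to game.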


Cited By

  • (2024) An Empirical Analysis of DDoS Attack Detection and Mitigation Techniques: A Comparative Review of Tools and Methods. International Journal of Scientific Research in Computer Science, Engineering and Information Technology 10(6), 1099-1108. DOI: 10.32628/CSEIT2410462. Published 30 Nov 2024.

Published In

EuroP4 '23: Proceedings of the 6th on European P4 Workshop
December 2023, 74 pages
ISBN: 9798400704468
DOI: 10.1145/3630047
This work is licensed under a Creative Commons Attribution International 4.0 License.

Publisher: Association for Computing Machinery, New York, NY, United States


Author Tags

  1. DNS security
  2. P4
  3. in-network computation
  4. machine learning
  5. offloading
  6. programmable networks


Conference: CoNEXT 2023

Article Metrics

  • Downloads (last 12 months): 282
  • Downloads (last 6 weeks): 30
  Reflects downloads up to 11 Dec 2024
