3D-PM: A ML-powered Probabilistic Detection of DDoS Attacks in P4 Switches

The Software-Defined Networking (SDN) technology has revolutionized network management and automation, enabling more efficient and centralized controls. However, network security and availability are threatened by DDoS attacks in SDN environments. During these attacks, the network can become overwhelmed with traffic, making the controller overloaded and unresponsive. Consequently, SDN networks require effective DDoS detection and mitigation solutions. In this paper, we propose a novel approach that leverages the potential of programmable data planes and machine learning to empower intelligent DDoS detection at line-rate. Our proposal involves securing SDN networks using machine learning and programmable switches. We call this solution "Data-Plane DDoS Attack Detection Based on P4 Switches and Machine Learning" or 3D-PM. To detect flooding attacks, we considered multiple machine learning models that are trained and tested on unique datasets gathered from realistic traffic. These datasets are then balanced using a variable sampling method to ensure unbiased and robust model training. Our evaluation revealed that the Random Forest model performed exceptionally well with an accuracy of 98.95%, highlighting its effectiveness as a resource-efficient solution. 3D-PM aim to detect attacks directly at the data plane using the P4 language, relieving controller overload and allowing direct detection at the data plane.


I. INTRODUCTION
With Software-Defined Networking (SDN), control functions are separated from devices for easier network management, enabling effective and centralized control across data, control, and application layers [1].Furthermore, programmable data planes introduced by P4 language [2] allow increased control of forwarding equipment and greater design flexibility.However, these innovative paradigms are prone to a number of security issues, with Denial of Service (DoS) attacks being one of the most common examples.
A DoS attack is a cyberattack primarily aimed at compromising the availability of a service and denying access to legitimate users [3].DDoS attacks affect all layers in an SDN network.These attacks often involve IP address spoofing, resulting in a significant number of PACKET_IN messages generated for each new flow.This puts a heavy load on the resources of the SDN controller.Furthermore, the southbound interface can become sat-urated with malicious traffic, leading to communication issues between the data and control plane.
The SDN architecture as initially defined does not include security mechanisms to identify legitimate traffic from malicious traffic.In order to address this issue, various solutions have been proposed, including statistical methods and additional SDN mechanisms [4] [5], as well as machine learning techniques [6] [7] to detect unusual traffic patterns.Although these solutions have proven to be effective, the majority of them does not take advantage of the data plane programmability enabled by the P4 language.In fact, the heavy reliance on the controller, either through extensions [8] or frequent statistics requests [9], puts a strain on the controller and consumes precious bandwidth that is already limited during an attack.Additionally, the effectiveness of ML-based solutions depends on the quantity and quality of data provided for training.ML models trained on synthetic data [7] may fail to replicate real-world DDoS attacks.
The purpose of this paper is to propose a new data plane DDoS attack detection technique based on P4 and machine learning (3D-PM) that takes into account the constraints imposed by SDNs under DoS/DDoS attacks.The solution aims to provide: • Detection of ICMP Flood, UDP Flood, TCP SYN Flood and HTTP GET Flood attacks in a single multi-classification system.• ML models trained on data extracted from realistic traffic rather than data originated from small scale testbeds.The rest of this paper is organized as follows.In section II, we provide a brief overview of related works.The design of 3D-PM solution is presented in section III, detailing its different components.In section IV, we discuss the implementation of the proposed system and report on the experimental results.A summary of the study's key implications and suggestions for further research are presented in the final section.

II. RELATED WORK
Several SDN security solutions were developed based on SDN architecture extensions and statistical analysis.Examples of that is SDN-Guard [4] which redirects malicious traffic and adjusts flow rules.And [5] that aims to prevent attacks targeting data planes by verifying the source IP addresses of packets.Some other approaches rely on machine learning techniques; for instance, Braga et al. [6] propose a solution with three modules in the controller, including a SOM (Self Organizing Maps) based classifier.In spite of being a lightweight solution, it can overlook controller overloading and bandwidth saturation.Novaes et al. [9] introduce a system using Adversarial Deep Learning and GAN framework for anomaly detection.Their approach shows impressive results but could possibly be a strain on the bandwidth due to frequent flow statistic requests.In [7], a notable TCP SYN DDoS detection solution uses data plane programmability with standalone and correlated architectures.The standalone architecture detects locally at switches, while the correlated architecture relies on a central module for global decisions.Nevertheless, the reliability of the ML models results trained with their dataset relies heavily on the traffic simulation's effectiveness in mimicking realistic DDoS attacks.In [10], programmable data planes collect, process, and store traffic flow information, while the control plane handles classification and detection.Noting that the data plane's storage mechanism can significantly grow with increasing computed statistics and streams, leading to substantial memory resource consumption, particularly during DDoS attacks.

A. Global Architecture
Data plane level solution is 3D-PM's primary objective by using machine learning and programmable switches.Two key components, namely the P4 switch and the detection module, are essential in our system's functionality. the system cycle starts with the detection module requesting traffic features from the P4 switch.During this time, various features are collected and calculated.This process is repeated after a predetermined time interval T.During each detection cycle, the P4 switch processes a time interval of traffic of duration T, which we will refer to as "sampling window" or simply "window" throughout this study.An attack is presumed to have occurred if a predetermined period of traffic is classified as malicious.To do so, we employ a method that involves aggregating the probabilities of membership in different classes provided by the ML models for each window.At the SDN network level, 3D-PM implementation depends on the network's specific implementation.For virtual switches mainly found in SDN/NFV (Network Function Virtualization) environments, the detection module and the P4 switch are deployed on the same physical device.Hardware switches use a separate host for detection.For better monitoring of messages between modules, separate hosts are implemented.Fig. 1 shows the abstract architecture of 3D-PM.
Both entities are designed over several phases that can be grouped into the following major stages: • Feature collection and extraction by P4 switch: To classify benign and attack traffic, a set of features has been selected for extraction and collection by the P4 switch.
• Detection module: The module's design is described by two major phases related to machine learning, namely a learning phase and a production or detection phase.

B. Feature Selection
Selecting features to extract from network traffic plays a critical role in a machine learning-based DDoS attack detection system.The performance of such a system in accurately identifying legitimate traffic from malicious traffic is highly dependent on the chosen features [11].
There are five categories of possible features to consider; namely packet-level, flow-level, connection-level, intra-flow and multi-flow [12].Our traffic classification scheme primarily relies on packet-level features at predetermined times (windows).The approach is light in terms of resource consumption, and it is suitable for detecting attacks in real time [13].On the other hand, flow-based classification is more resource-intensive, since information about individual flows and packets must be stored at the switches and then transmitted to the detection module.This can result in high latency and high consumption of storage and processing resources [10].
Taking into account the semantics of a DDoS flood attack and the specifications of its variants, we select 13 features to classify traffic as benign, or undergoing an ICMP flood, UDP flood, TCP SYN flood or HTTP GET flood attack.

C. Collecting, Storing and Sending Features
Data collection is the initial phase of the detection loop, during which traffic characteristics are generated and saved before being sent to the detection module.To accomplish this without controller intervention, we leverage the data plane programmability enabled by P4 switches.The switches program is designed to store the relevant information and transmit it upon request.Incoming packet inspection uses a set of protocol headers and parsers (e.g., Ethernet, IPv4, TCP/UDP) defined in a P4 code, which is used to retrieve information at packet level and forward it.A custom header named STAT and composed of 14 header fields is also defined, it is used to transmit traffic statistics of a time window T to the detection module.
The P4 switch maintains a set of registers (P4 Language Storage Object) storing the value of each window's characteristics.Upon packet entry, the relative registers are updated accordingly where most of them only require incrementing a packet field; others require the manipulation of a custom data structure.One example of such a situation is the calculation of distinct flows number which involves maintaining a vector that tracks the occurrences of each flow (Overview in Fig. 2).
The program operates through defined actions and tables, counting packets and updating registers based on incoming packets headers and metadata.Upon receiving a STAT Request packet, the registers' contents are dumped into the packet using the predefined custom header and returned to the detection module.Fig. 2 depicts the overall packet processing, including an example of the employed data structure.

D. Dataset generation
The dataset generated involves using realistic traffic data (PCAP files) and preparing it for use with ML algorithms.This is done by partitioning the packets into windows of a predefined size, replicating the processing carried out by the P4 switch.This realistic data is retrieved from three datasets, namely CTU-131 for ICMP flood attacks, CIC DoS 20172 for HTTP GET flood attacks and CIC-DDoS20193 for UDP and TCP SYN flood attacks.
Creating a dataset from multiple sources with varying attack durations presents a challenge in achieving balance across the 5 classes (Benign, ICMP flood, UDP flood, TCP SYN flood, and HTTP GET flood).Without intervention, the resulting dataset would be unbalanced.To avoid using classical balancing solutions, either by re-calibration to the minimum or by generating synthetic data, we use a variable sampling method.Indeed, all the final chosen features are not influenced by the window size; therefore, we can generate more windows by reducing the window size, a much more convenient method than synthetic data generation and all the more effective on dense traffic, being in particular a typical feature of traffic under flood attack.
The datasets obtained from the previous step are processed using the unsupervised K-Means binary clustering algorithm to obtain cleanly labeled data by partitioning them into subclasses of similar data.This approach is an easy-to-implement solution to the clustering problem and is more efficient than hierarchical clustering, especially when the parameter K is small [14].After filtering each dataset, the windows labeled as "benign" are grouped together to create a new dataset of legitimate traffic.This results in a balanced distribution of classes in the final dataset, which was achieved using the variable sampling method

E. ML Classifiers
In this study, we tackle the challenge of attack detection by modeling it as a multi-classification problem and leveraging the power of machine learning to solve it.Our primary goal is to determine the most effective solution by comparing the performance of multiple machine learning models; namely: KNN (K-Nearest Neighbors), RF (Random Forest), SVM (Support Vector Machine), ANN (Artificial Neural Networks), and NB (Naive Bayes).

F. Detection Module
In addition to running the ML algorithm, the detection module is responsible for handling requests sent to the P4 switch, applying pre-processing to received sampling windows, and interpreting the algorithm's results in order to trigger alerts when a DDoS attack is detected.Fig. 3 provides a schematic representation of how the detection module operates.At the end of each window, the detection module requests the P4 switch to send the collected data via a customized packet with the "STAT" header.These requests, called "STAT Requests", are made cyclically by the detection module according to a timer that represents the size of sampling windows.The implemented ML algorithm returns the most likely label for the current window: 0=Benign, 1=ICMP flood, 2=UDP flood, 3=TCP SYN flood, 4=HTTP GET flood; in this section, we use the label "Attack" to denote one of the 4 attack labels.To launch the final DDoS attack alert, we consider the following two variables: • T : Sample window size (in seconds) • Duration: Minimum duration to declare a DDoS attack (in seconds) In the case where T is greater than or equal to Duration, the first Attack window labeled as Attack triggers the alert.If T is strictly less than Duration, several windows must be taken into account before the alert is triggered.The successive summation of windows can be a fragile approach against dynamic variant DDoS attacks where a benign window can reset the successive window counter.
To address this, we propose a detection method based on the computation of a probabilistic score.
As mentioned before, the ML algorithm returns the probabilities of a window's membership to each class.With this information, we set up a probabilistic score that accumulates the weights assigned to the windows with respect to their state.This is done by defining a third intermediate state named "Suspicious" that is assigned to the windows having a high but not maximal probability of belonging to the Attack class.This state is taken into account during the calculation of the score upon satisfaction of the following conditions: • A window recognized as "Suspicious" must have a probability of belonging to one of the attack classes greater than or equal to 1 N umber of classes , in our case 0.2.
• If the current window is the first "Suspicious" window encountered, the score is incremented.• If the current "Suspicious" window is preceded by an "Attack" window, the score is neither incremented nor reset.• If the current "Suspicious" window is preceded by another "Suspicious" window, the score is reset to zero and then incremented.In this section, we abstract the attack type as 'Attack' for simplicity.In practice, the score array contains 4 cells, each representing a flooding attack and treated similarly.This process results in faster DDoS attack alert triggering and increased robustness against variant dynamic attacks.In the worst-case scenario, alerts are triggered in similar time-frame to the first approach (successive summation of windows belonging to an attack).

IV. IMPLEMENTATION A. Test environment
We conducted data processing and model training on an Ubuntu 16.04 machine with an I5-1135G7 @ 2.40GHz processor and 4GB of RAM.Our test scenario was built on the same machine using Mininet tool.Simulated networks consist of a BMv2 software P4 switch, four hosts, one of which contains a single machine learning algorithm at a time, and a controller that communicates with the switch through the P4Runtime4 API.Note that the controller's role is limited to rule insertion and not detection.

B. P4 Program
For the current time window, multiple static entry tables process incoming packets to identify the relevant protocols.In order to transmit the traffic statistics of the window to the detection module, a table called "stat_table" is defined.When a "STAT Request" packet is received, this table triggers the "set_stat" action, which copies the registers contents into the appropriate header fields, resets the registers, and generates a new identifier for the next window.The resulting STAT packet is then encapsulated in a UDP datagram and transmitted to the detection module.

C. Database creation
As mentioned in Section III.D, we used realistic traffic captures available online, namely CTU-13 for ICMP flood attacks, CIC-DDoS2019 for UDP and TCP SYN flood attacks, as well as CIC-DDoS2017 for HTTP flood attacks.The raw PCAP files underwent a multi-step process, divided into two main phases: a conversion and a sampling phase.

D. ML training
Malicious and legitimate instances are separated and labeled using the K-Means clustering technique, which is applied separately to each dataset.To ensure a balanced dataset, the variable size window sampling technique is used to produce datasets with a relatively similar number of entries.Following the labeling process, the values for  II.Instances labeled as "benign" from the four datasets are then aggregated into a single dataset representing legitimate traffic instances.

E. Parameters Tuning and Evaluation
We implemented the five multi-classification ML algorithms (KNN, RF, ANN, NB, SVM) using scikit-learn python library and conducted several learning iterations to determine the optimal hyperparameters with a 5-fold cross-validation.To compare and evaluate the performance of these models, we employed a set of evaluation metrics including accuracy, precision, recall, F1, and Cohen's Kappa score, as defined in [15].Our results, depicted in Fig. 5, showed that RF outperformed the other algorithms by achieving metric values close to 99%, making it highly effective for detecting and classifying DDoS attacks.We also assessed the effectiveness of our ML model (RF) and contrasted it with other P4/ML-based techniques reported in prior research.Fig. 6 illustrates that our model outperformed the most efficient models of each solution, showcasing its superior capability to differentiate between normal and malicious traffic.III presents additional information about the memory space occupied by the trained algorithms, their learning and testing time in a 5-fold cross-validation and the global system processing time in milliseconds.Naive Bayes is the fastest in terms of learning and testing despite its poor detection performance, while RF is the most memory-intensive algorithm.These aspects are crucial to consider in resource-constrained environments where time and memory usage can affect performance.Therefore, selecting the most suitable algorithm should take into account the trade-off between detection accuracy and resource usage.V. CONCLUSION This paper presented 3D-PM, a data plane DDoS attack detection system based on P4 language and Machine learning.The solution exploits machine learning and programmable switches to detect DDoS attacks by flooding (ICMP flood, UDP flood, TCP SYN flood, HTTP GET flood).An important aspect of the proposed system is the cooperation between two main entities: a P4 switch and a detection module for feature extraction and traffic classification respectively.Using a dataset generated from realistic traffic, we considered and evaluated five models for the detection problem: KNN, RF, ANN, NB and SVM.Random Forest model showed excellent performance reaching an accuracy of 98.95%.In addition, we proposed a new approach based on a probabilistic score to interpret the results of the ML algorithm.
To cover a wider range of DDoS attacks, we intend to expand the scope of our solution in future work.Moreover, we plan to implement incremental learning for our ML models.

Fig. 2 .
Fig. 2. Method of collecting, storing and sending traffic characteristics by the P4 switch

•
Conversion phase: The first step involves extracting the traffic segment corresponding to the specific attack, achieved through a combination of TShark filters and timestamp data provided by the file sites.Following this, we convert the PCAP files into CSV format, containing the following key fields: Identifier, Relative time, Source and Destination IP addresses, Source and Destination ports, Protocol, Packet size, ICMP Type, TCP Flags, Layer 7 Protocol, and HTTP Method.•Sampling phase: In this phase, the CSV attack captures resulting from the previous phase are grouped into windows.As described earlier, we use variable sampling windows to generate more instances on dense traffic.Fig.4illustrates the overall process, settings, and numerical results of the dataset creation.The dataset is also available online 5 .

•
Variable sampling for data extraction, preventing the use of synthetic data to balance data class effective.
Table I lists all selected features and abbreviations used to reference them.

TABLE III
Memory size, learning/test time and system processing time for the 5 ML models