Packet Header Fields Research Articles

Encrypted malicious traffic detection based on natural language processing and deep learning

The focus on privacy protection has brought much-encrypted network traffic. However, attackers always abuse traffic encryption to conceal malicious behaviors. Although researchers have proposed several enlightening detection methods, they must enhance the generalization ability or improve detection performance. Our inspiration is that the packet header fields, as do the underlying grammatical rules for constructing sentences, have a strict order. We consider the original packet as text and devise a robust approach with natural language processing and a deep learning model to improve the generalization ability and detection performance. We capture the critical keywords as characteristic representations of the traffic and design an adaptive domain generalization algorithm with a new loss function. It is robust against various datasets by generating more malicious samples to augment the minority of malicious samples. Simultaneously, we design an efficient feature selection algorithm, which obtains an optimal feature subset and reduces feature dimensions by 75.3%. To evaluate our work, we conducted extensive experiments with open-source datasets (CICIDS 2017, CICDDoS 2019, and USTC-TFC 2016), the synthetic dataset from IoT-23, and Internet backbone traffic (CERNET). Experimental results demonstrate that our proposal improves detection accuracy by up to 22.8% compared to others not using domain generalization algorithms and achieves an average detection latency of 0.67 s in the backbone. Besides, our work applies to the Industrial Internet of Things (IIoT) environment. It can be deployed at edge nodes to provide network security support for IIoT devices.

Scalable packet classification based on rule categorization and cross-producting

Packet classification performs multidimensional point location upon fields in packet headers to categorize packets into multiple forwarding classes based on pre-defined rules. It plays an important role for the data plane of software-defined networking (SDN). Packet classification is also applied to support quality of service and network security. In this work, we propose an algorithm, Segregated Cross-producting, to improve the scalability of cross-producting in term of storage. Our algorithm starts by categorizing rules according to their length combinations, where the rules of the same length combination do not incur any storage penalty for cross-producting. Then, the algorithm selectively merges rules of different length combinations to improve the search performance. Our scheme is suitable for parallel implementation to further improve speed performance and can support real-time incremental updates. We extensively evaluate the performance of our scheme with rulesets of different sizes and characteristics. The experiment results show that our scheme can provide superior scalability for both speed and space performance.

Network Layer Privacy Protection Using Format-Preserving Encryption

Format-Preserving Encryption (FPE) algorithms are symmetric cryptographic algorithms that encrypt an arbitrary-length plaintext into a ciphertext of the same size. Standardisation bodies recognised the first FPE algorithms (FEA-1, FEA-2, FF1 and FF3-1) in the last decade, and they have not been used for network layer privacy protection so far. However, their ability to encrypt arbitrary-length plaintext makes them suitable for encrypting selected packet header fields and replacing their original value with ciphertext of the same size without storing excessive information on the network element. If the encrypted fields carry personally identifiable information, it is possible to protect the privacy of the endpoints in the communication. This paper presents our research on using FPE for network layer privacy protection and describes LISPP, a lightweight, stateless network layer privacy protection system. The system was developed for programmable smart network interface cards (NIC) and thoroughly tested in a real network environment. We have created several implementations ranging from pure P4 to a mix of P4 and C implementations, exploring their performance and the suitability of target-independent P4 language for such processor-intensive applications. Finally, LISPP achieved line rate TCP throughput, up to 4.5 million packets per second, with the penalty of only 30 to 60 microseconds of additional one-way delay, proving that it is adequate for use in production networks. The most efficient implementation was with the FF3-1 algorithm developed in C and carefully adapted to the specific hardware configuration of the NIC.

Packet Classification Using TCAM of Narrow Entries

Packet classification based on rules of packet header fields is the key technology for enabling software-defined networking (SDN). Ternary content addressable memory (TCAM) is a widely used hardware for packet classification; however, commercially available TCAM chips have only limited storage. As the number of supported header fields in SDN increases, the number of supported rules in a TCAM chip is reduced. In this work, we present a novel scheme to enable packet classification using TCAM with entries that are narrower than rules by storing the most representative field of a ruleset in TCAM. Due to the fact that not all rules can be distinguished using one field, our scheme employs a TCAM-based multimatch packet classification technique to ensure correctness. We further develop approaches to reduce redundant TCAM accesses for multimatch packet classification. Although our scheme requires additional TCAM accesses, it supports packet classification upon long rules with narrow TCAM entries, and drastically reduces the required TCAM storage. Our experimental results show that our scheme requires a moderate number of additional TCAM accesses and consumes much less storage compared to the basic TCAM-based packet classification. Thus, it can provide the required scalability for long rules required by potential applications of SDN.

Implementation of Blockchain-Assisted Source Routing for Traffic Management in Software-Defined Networks

The control and infrastructure layers are split into Software-Defined Networks (SDNs). With the control and infrastructure planes split, new network applications may be developed with more simplicity and greater independence. On the other hand, the disadvantages of SDN create a slew of questions. In large-scale networks, such as Wide Area Networks (WANs) covering huge areas, more propagation delays substantially contribute to network convergence time. In addition, traditional SDN restricts network design flexibility due to the influence of controller location on network performance in large-scale networks. SDN-based source routing (SR) has emerged as a viable solution to the issues above, where the packet header field is used to specify a packet's route. This study presents an SR-based End-to-End (E2E) traffic management framework called SoRBlock. In SoRBlock, inter-domain routing uses blockchain technology, while intra-domain routing relies on the SR technique in SDNs. The simulation results show that the proposed SR-based SoRBlock framework outperforms the traditional hierarchical routing approach, HRA, in SDN networks by lowering path setup time (PST) and the number of controller messages. While the same (i.e., identical origin and target) service requests were used for all runs in the simulations, the proposed SoRBlock architecture presents almost three times less total PST between 45ms and 65ms than the HRA method between 130ms and 200ms due to the HRA approach's increased node-controller and controller-controller latencies. On the other hand, SoRBlock shows two times less PST ([75ms – 90ms]) than HRA ([150ms – 175ms]) when different service requests (i.e., different origin and target) were used. Concerning Controller Messages Processed (CMP), the HRA deals nearly 50% more controller messages between 7 and 15 than the SoRBlock between 3 and 10 when the number of domains varies, while the CMP in the SoRBlock scheme ([10 - 17]) approaches that in the HRA framework ([15 - 20]) regarding the ratio while the count of nodes rises in domains.

A Learned Bloom Filter-Assisted Scheme for Packet Classification in Software-Defined Networking

Traditional routing technologies based on a single IP address domain faces the challenge to meet the increasing demand for network services and security. Packet classification is a technique to differentiate multi-domain network traffic in a fine-grained manner using packet header fields. Packet classification requires to operate efficiently to avoid it becoming a bottleneck in the packet routing process. Tuple space search (TSS) used in SDN supports fast rule updates but low-speed packet classification. In this paper, we propose a learned Bloom filter (LBF)-based packet classification algorithm that combines LBF and TSS to promote classification speed by avoiding invalid hash table accesses. Specifically, LBF consists of multiple RNN models and one support Bloom filter (SBF), in which the learned models are trained with the positive and negative sets, and used as a pre-filter to identify the two sets. For the filter outcomes with a negative result from learned models, SBF is constructed to perform the second filtration. To ensure efficiency of RNN and SBF, we carefully select key features to be used in RNN and SBF, which can also maintain efficient search in the final stage of hash checking. Our experimental results show that the proposed algorithm saves more memory space than Tuple space pruning (TSP) given the same false positive rate. The proposed algorithm is competitive in terms of the number of memory accesses, while achieving almost one order of magnitude improvement on pre-processing time over NeuroCuts which is an advanced decision tree classifier.

Enabling low‐latency service function chains by merging duplicate match operations

Service function chains (SFCs) built by network functions (NFs) are usually required to be low-latency, especially in some tight latency scenarios such as Distributed Denial of Service (DDoS) defense. However, different NFs in SFCs are likely to perform identical operations of matching specific packet header fields (e.g., source IP address). Such a processing redundancy inevitably increases the overall end-to-end processing latency of SFCs, which in turn affects network management applications in their decision-making process of handling short-lived network events (e.g., microbursts). To address this problem, in this paper, we propose a novel NFV framework, DMO, that aims to eliminate those identical and redundant match operations among different NFs in input SFCs while maintaining the original SFC semantics of packet processing. To achieve this goal, our design proposes a semantic-preserving mechanism that merges duplicate match operations between different NFs and also preserves original SFC semantics. Also, to avoid potential conflicts among NF rules at runtime, DMO further offers another mechanism that resolves unnecessary conflicts among different NF rules by assigning reasonable priorities to these rules. We have implemented a prototype of DMO. Our experiments indicate that DMO achieves 26.7%–67.3% latency reduction for real-world SFCs.

CACS: A Context-Aware and Anonymous Communication Framework for an Enterprise Network Using SDN

The emergence of software-defined networking (SDN) has revolutionized the management of an enterprise network. The SDN-based design provides flexibility in network management, which spans over multiple applications, e.g., routing, switching, forwarding, and controlling. It reduces the reliance on vendor-specific devices and middlebox solutions, such as firewalls, intrusion detection systems (IDSs), intrusion prevention systems (IPSs), etc. Furthermore, due to the integration of different technologies, privacy is one of the core issues faced by the enterprise. Host anonymity is one of the techniques to safeguard against privacy attacks; however, the existing anonymization solutions provide better anonymity, but at the cost of higher latency and are most suited for Internet traffic. To tackle this issue in an enterprise network, we propose an SDN-based communication framework using enterprise integration patterns (EIPs) that offers anonymous communication in an enterprise environment. Host anonymity is achieved by replacing the real IP address with the spoofed IP address during the transmission of data packets inside the network. Unlike the traditional networks, SDN can modify the header fields of packets as they traverse in the network from the source to the destination. In addition to the host anonymity, this framework also provides context-aware communication by leveraging the SDN global visibility characteristic, where application services are discoverable on the network without disclosing the addresses of the application servers. Moreover, context-aware services enable network traffic to be routed based on the application-layer services rather than the network-layer information. In the end, evaluation of the proposed framework is carried out with respect to the performance of anonymous communication, computational complexity, and security of the complete proposed framework. In addition, we also highlighted that the proposed framework is more suitable for heterogeneous network environments such as Internet of Things-based solutions.

A novel flow-vector generation approach for malicious traffic detection

Malicious traffic detection is one of the most important parts of cyber security. The approaches of using the flow as the detection object are recognized as effective. Benefiting from the development of deep learning techniques, raw traffic can be directly used as a feature to detect malicious traffic. Most existing work usually converts raw traffic into images or long sequences to express a flow and then uses deep learning technology to extract features and classify them, but the generated features contain much redundant or even useless information, especially for encrypted traffic. The packet header field contains most of the packet characteristics except the payload content, and it is also an important element of the flow. In this paper, we only use the fields of the packet header in the raw traffic to construct the characteristic representation of the traffic and propose a novel flow-vector generation approach for malicious traffic detection. The preprocessed header fields are embedded as field vectors, and then a two-layer attention network is used to progressively generate the packet vectors and the flow vector containing context information. The flow vector is regarded as the abstraction of the raw traffic and is used to classify. The experiment results illustrate that the accuracy rate can reach up to 99.48% in the binary classification task and the average of AUC-ROC can reach 0.9988 in the multi-classification task.

Augmenting DiffServ operations with dynamically learned classes of services

In this work, we provide a Machine Learning framework for augmenting the Differentiated Services (DiffServ) protocol with fine-grained dynamic traffic classification. The framework is called L-DiffServ. It is composed of two classification algorithms able to detect the QoS classes of incoming packets only looking at three packet header fields; the first algorithm, referred to as Inter-L-DiffServ, is a semi-supervised classification procedure able to replicate DiffServ classification; the second one, referred to as Intra-L-DiffServ, is an unsupervised algorithm for intra-class classification, useful for classes taking large portions of the overall traffic. We apply the latter to the low priority best-effort class. The performance evaluation shows that our solution is able to dynamically classify packets and to detect new QoS sub-classes hence adapting to traffic aggregate characteristics. We also show that network resource management can be improved exploiting the new generated QoS sub-classes: two active queue management algorithms based on WRED and CHOKe show a reduction of the number of sessions affected by packet losses up to 40% with respect to the legacy DiffServ procedure.

Physical layer authentication for extending battery life

Increasing population density in cities, and the increasing demand for efficiency in resource usage call for architectures enabling smart cities, such as the Internet of Things (IoT). In most such scenarios, the data generated by IoT sensors is not confidential, but its integrity is critical. Data integrity can be achieved by establishing certification mechanisms that provide cryptographic message authentication protocols; however, this requires relatively expensive components for storing and processing the encryption key on the sensor and consumes more power while processing and transmitting data, which leads to the renunciation of security issues in cost sensitive deployments. In this paper, we propose a security solution that provides data integrity without draining the batteries of IoT sensors. Our solution consists of, (i) differentiating legitimate sensors by taking advantage of their impurities formed during the manufacturing process of the transceiver components, and (ii) eliminating the complex components that carry out cryptography as well as the redundant packet header fields, thereby yielding power savings. The testbed implementation of the proposed solution yields power measurement results providing an estimate of 2.52 times improvement in battery life without compromising the integrity of communications in the system, in addition to offering an increase in spectral efficiency and a decrease in the overall IoT device cost.

Design and Implementation of Hardware to Perform Testing the Matching Packet Header Based on FPGA

The hardware architecture of the parallel process multiple RAM that emulates the behaviors of content addressable memory for packet classification is presents in this paper. With the increase in Internet networks’ speed, the speed of detection of intruders has become a basic requirement. In this work, a packet header field is used in a fast and efficient way to detect intruders to prevent them from accessing the data. The application test results were fast and compatible when used FPGA board technique from xilinx. Finally, the design, synthesis of this parallel process multiple RAM packet header detector has been achieved using Vivado 2018.2 simulator, and coding is written in Verilog HDL language and implemented on Virtex – 7 FPGA (Field Programmable Gate Array) kit.

Contracting VoIP Packet Payload Down to Zero

Abstract The inefficient use of the IP network bandwidth is a fundamental issue that restricts the exponential spreading of Voice over IP (VoIP). The primary reason for this is the big header size of the VoIP packet. In this paper, we propose a method, called Short Voice Frame (SVF), that addresses the big header size of the VoIP packet. The main idea of the SVF method is to make effective use of the VoIP packet header fields that are unneeded to the VoIP technology. In particular, these fields will be used for temporarily buffering the voice frame (VoIP packet payload) data. This will make the VoIP packet payload short or even zero in some cases. The performance evaluation of the proposed SVF method showed that the use of the IP network bandwidth has improved by up to 28.3% when using the G.723.1 codec.

Trident: Toward Distributed Reactive SDN Programming With Consistent Updates

Software-Defined Networking (SDN) enables more dynamic and fine-grained network control. In particular, network operators can route traffic not only based on packet header fields, but also higher-level parameters such as user settings, traffic characteristics, and application-layer information extracted by virtualized network functions such as DPI, firewall and authentication servers. Integrating these higher-level parameters into an SDN programming framework brings substantial benefits but is still missing in the SDN community. In this paper, we articulate the challenges and then propose Trident, a novel unified SDN programming framework. Trident extends algorithmic SDN programming with a new abstraction called stream attribute , which integrates meta parameters into the match-action programming paradigm. Further, Trident adopts the idea of reactive value from function reactive programming, eliminating the complexity of manually handling dynamicity. To effectively and efficiently realize these novel ideas, Trident introduces reactive table as the basic processing unit and develops a domain-specific distributed update protocol to maintain consistency during updates. Evaluations show that Trident puts very little overhead on integrating existing network management tools and network functions, and can handle up to $O(10^{5})$ routing requests per second with $O(100)$ milliseconds latency.

An Approach to the Translation of Software-Defined Network Switch Flow Table into Network Processing Unit Assembly Language

This paper considers the OpenFlow 1.3 switch based on a programmable network processing unit (NPU). OpenFlow switch performs flow entry lookup in a flow table by the values of packet header fields to determine actions to apply to incoming packet (classification). In the considered NPU assembly language, lookup operation may be implemented on the basis of search trees. But these trees cannot be directly used for OpenFlow classification because of compared operands width limitation. In this paper, we propose flow table representation designed for easy translation into NPU search trees. Another goal was to create a compact program that fits in NPU memory. Another NPU limitation requires program updating after each flow table modification. Consequently, the switch must maintain the current flow table state to provide a fast NPU program update. We developed algorithms for incremental update of flow table representation (flow addition and removal). To evaluate the proposed flow table translation approach, a set of flow tables was translated into NPU assembly language using a simple algorithm (based on related work) and an improved algorithm (our proposal). Evaluation was performed on the NPU simulation model and showed that our approach effectively reduces program size.

Security Policy Violations in SDN Data Plane

Software-defined networking (SDN) utilizes a centralized controller to distribute packet processing rules to network switches. However, rules are often generated by the applications developed by different organizations, so they may conflict with each other in data plane and lead to violations with security rules. The problem is similar to firewall conflicts in IP networks. Rule conflict resolution should incur negligible process delay, such that all rules can be correctly and safely enforced in the data plane in real time. However, since SDN allows users to use more than 35 fields to specify rules (including field transition rules), it is much more complicated to prevent enforcement of SDN rules from violating with security rules than to resolve firewall rule violation, and in particular, field transition rules are enforced. Therefore, it is extremely difficult to resolve such rule conflicts in real time before the rules are installed in SDN data plane. In this paper, we investigate the rule conflict problem in SDN and identify new covert channel attacks due to rule conflicts. To the end, we propose the covert channel defender (CCD) that prevents covert channel attacks by verifying and resolving rule conflicts. Specifically, CCD tracks all rule insertion and modification messages from applications running on the controller. It analyzes the correlation among rules based on multiple packet header fields and resolves any identified rule conflict in real time before rule installation. We implement CCD with the Floodlight controller and evaluate its performance with the real-world Stanford topology. We show that CCD can efficiently detect and prevent rule conflicts in the data plane that may raise covert channels within hundreds of microseconds and brings small overhead to the packet delivery.

Consistent State Updates for Virtualized Network Function Migration

Combining Network Functions Virtualization (NFV) with Software-Defined Networking (SDN) is an emerging and promising solution to provide scalable and elastic network control and service. In such a system, virtualized Network Functions (NFs) need to be consistently migrated from one instance to another for various purposes, such as resource optimization, fault tolerance, load balancing, etc. These migrations involve simultaneously coordinating updates to the NF state and SDN forwarding state. To solve this problem, we design two consistent NF state update schemes: a controller-forwarding based scheme and a tagging-based scheme. Through analysis of the update process, we demonstrate that they both guarantee loss-free and order-preserving migrations. We further implement a prototype and carry out experiments with diverse traffic settings. Results demonstrate that the controller-forwarding based solution achieves 77 percent migration time compared with the state-of-the-art solution OpenNF, while correcting an error of it. Moreover, the tagging-based solution not only achieves 4.4 percent migration time, but also reduces up to 75 percent controller overhead compared with OpenNF at the cost of adding a tag in the unused fields of packet header.

Condition Factorization: A Technique for Building Fast and Compact Packet Matching Automata

Rule-based matching on network packet headers is a central problem in firewalls, and network intrusion, monitoring, and access-control systems. To enhance performance, rules are typically compiled into a matching automaton that can quickly identify the subset of rules that are applicable to a given network packet. While deterministic automata provide the best performance, previous research has shown that such automata can be exponential in the size and/or number of rules. Nondeterministic automata can avoid size explosion, but their matching time can increase quickly with the number of rules. In contrast, we present a new technique that constructs polynomial size automata. Moreover, we show that the matching time of our automata is insensitive to the number of rules. The key idea in our approach is that of decomposing and reordering the tests on packet header fields so that the result of performing a test can be utilized on behalf of many rules. Our experiments demonstrate major reductions in space requirements over previous techniques, as well as significant improvements in matching speed. Our technique can uniformly handle prioritized and unprioritized rules, and support applications that require single-match as well as multi-match.

FPGA Based Packet Classification Using Multi-Pipeline Architecture

This paper proposes a decision-tree-based linear multi-pipeline architecture on FPGA’s for packet sorting. We reflect on the next-generation packet classification problems where more than 5-tuple packet header fields has been classified. From traditional fixed 5-tuple matching, Multi-field packet classification has been evolved for flexible matching with arbitrary combination of numerous packet header fields. The recently proposed Open Flow switching requires classifying each packet using up to 12-tuple packet header fields. It become a great task to develop scalable solutions for next-generation packet classification that support larger rule sets, additional packet header fields and higher throughput. This paper proposes a 2-D multi-pipeline decision-tree-based architecture for next-generation packet classification which exploits the abundant parallelism and other desirable features such as current field-programmable gate arrays (FPGAs),. We propose several optimization techniques for the state-of-the-art decision-tree-based algorithm by examine the various traditional 5-tuple packet classification methods. By using set of 12-tuple rules, the framework has been developed to partition the rule set into multiple subsets each of which is built into an optimized decision tree. To maximize the memory utilization. a tree-to-pipeline mapping scheme is carefully designed while underneath high throughput. Our proposed architecture can store up to 1K synthetic 12-tuple rules or 10K real-life 5-tuple rules in on-chip memory of a single up to date FPGA, and maintain 80 or 40 Gbps throughput for least packets of size (40 bytes) respectively. To utilize the memory properly and to sustaining high throughput, a mapping scheme based on tree-to-pipeline is designed carefully. This paper deal with the profuse parallelism and other preferred features provided by present field-programmable gate arrays and propose a 2-D multi-pipeline decision tree based architecture for next-generation packet sorting. The Verilog Hardware description languages (VHDL) are used to design the proposed architecture and synthesized using Xilinx Software.

Deceiving entropy based DoS detection

Denial of Service (DoS) attacks disable network services for legitimate users. As a result of growing dependence on the Internet by both the general public and service providers, the availability of Internet services has become a concern. While DoS attacks cause inconvenience for users, and revenue loss for service providers; their effects on critical infrastructures like the smart grid and public utilities could be catastrophic. For example, an attack on a smart grid system can cause cascaded power failures and lead to a major blackout. Researchers have proposed approaches for detecting these attacks in the past decade. Anomaly based DoS detection is the most common. The detector uses network traffic statistics; such as the entropy of incoming packet header fields (e.g. source IP addresses or protocol type). It calculates the observed statistical feature and triggers an alarm if an extreme deviation occurs. Entropy features are common in recent DDoS detection publications. They are also one of the most effective features for detecting these attacks. However, intrusion detection systems (IDS) using entropy based detection approaches can be a victim of spoofing attacks. An attacker can sniff the network and calculate background traffic entropy before a (D)DoS attack starts. They can then spoof attack packets to keep the entropy value in the expected range during the attack. This paper explains the vulnerability of entropy based network monitoring systems. We present a proof of concept entropy spoofing attack and show that by exploiting this vulnerability, the attacker can avoid detection or degrade detection performance to an unacceptable level.