Integrating machine learning (ML) into kernel packet processing, such as extended Berkeley Packet Filter (eBPF) and eXpress Data Path (XDP), represents a promising strategy for achieving fast and intelligent networking on generic hardware. This includes tasks like automating network operations and discerning traffic classification, exemplified by intrusion detection systems (IDS) combining Decision Tree (DT) and eBPF. However, the potential of ML-empowered packet processing remains to be fully explored. To ensure the integrity and security of kernel operations, eBPF/XDP programs must adhere to stringent constraints such as the maximum number of jump instructions, maximum stack space, and exclusion of floating-point arithmetic. These constraints pose challenges for implementing more intricate ML techniques (e.g., neural networks (NNs)) within eBPF/XDP programs. In such scenarios, AF_XDP provides an alternative solution by allowing XDP programs to redirect packets to user-space applications, bypassing the network stack. This paper initiates an exploration into fast packet classification through two distinct approaches: (1) an in-kernel approach employing eBPF/XDP and (2) a user-space approach assisted by AF_XDP. Specifically, to tackle the eBPF constraints, the in-kernel NN classifier adopts (1) quantization of trained model in the user space, (2) executing the integer-arithmetic-only NN within the kernel space, and (3) sequential layer operations through tail calls. These approaches are evaluated based on factors including packet processing speed, resource efficiency, and detection performance. Notably, our experimental findings demonstrate that (1) Classifiers relying solely on integer arithmetic, such as NN and DT, significantly reduce inference time while maintaining binary classification performance; (2) The lightweight NN classifier can improve the detection performance for most of attacks in case of the multi-class classification compared to the lightweight DT classifier; (3) In single-core scenarios, the DT-empowered in-kernel method can almost achieve the maximum packets per second (pps), i.e., about 800,000pps, whereas the NN-empowered one exhibits lower pps (i.e., about 450,000pps); (4) In multi-core scenarios, the NN-empowered packet processing can almost achieve the maximum pps with two or more cores in the AF_XDP approach and four or more cores in the in-kernel approaches.
Read full abstract