
iGuard: Efficient Isolation Forest Design for Malicious Traffic Detection in Programmable Switches


networked-systems-iith/iGuard


iGuard

iGuard: Efficient Isolation Forest Design for Malicious Traffic Detection in Programmable Switches

Abstract

Deploying machine learning (ML) models in programmable switch data planes enables low-latency, high-throughput traffic inference at line speed. However, data planes impose significant constraints: limited memory and minimal support for mathematical operations and data types. As a result, the only unsupervised ML models implemented in data planes to date are Isolation Forests (iForests). Conventional iForest models, however, yield suboptimal malicious traffic detection performance in various traffic use cases. To address this limitation, this paper proposes iGuard, the first iForest implementation that can accurately detect malicious traffic by incorporating the "knowledge" of more powerful autoencoders. We deploy iGuard as a small set of whitelist rules that can be easily installed in switch data planes. We implement iGuard in the P4 language and assess its performance on an experimental platform based on Intel Tofino switches. Evaluated on various attack traffic use cases, our model improves accuracy by up to 48.3% while maintaining a similar or lower switch memory footprint than previous approaches to implementing iForest models in real-world equipment.
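The abstract relies on the fact that an isolation forest can be installed in a switch as a set of range-match rules. The following Python sketch is an added example, not code from this repository and not the paper's own rule-derivation or autoencoder-distillation method; it shows only the underlying mechanism on which any data-plane iForest rests. Each isolation tree is grown on a random subsample, then flattened into one rule per leaf (a box of `[lo, hi)` intervals, one per feature, carrying the leaf's path length), so that tree traversal becomes a range-match table lookup, and a score threshold derived from known-benign traffic plays the role of the whitelist. The two features (packet length, inter-arrival time), their table widths, and the Gaussian benign sample are constructed assumptions for the example.

```python
import math
import random

# Assumed feature order for this example: (packet length in bytes, inter-arrival time in us).
# The root box bounds each feature with the width a switch range-match key would use;
# these widths are an assumption of the example, not values from the paper.
ROOT_BOX = ((0.0, 2.0 ** 16), (0.0, 2.0 ** 32))
EULER_GAMMA = 0.5772156649

random.seed(7)
# Constructed benign training flows: ~600-byte packets arriving every ~2 ms.
BENIGN = [(random.gauss(600, 40), random.gauss(2000, 150)) for _ in range(200)]


def c_factor(n):
    """Average path length of an unsuccessful BST search over n points (iForest's normaliser)."""
    if n <= 1:
        return 0.0
    return 2.0 * (math.log(n - 1) + EULER_GAMMA) - 2.0 * (n - 1) / n


def build_tree(points, depth, max_depth, box):
    """Grow one isolation tree with random splits and flatten it into range rules.

    Returns a list of (box, path_length) pairs, one per leaf. The boxes partition
    the input box, so a feature vector matches exactly one rule; that is what lets
    the whole tree be installed as a single range-match table.
    """
    if depth >= max_depth or len(points) <= 1:
        return [(box, depth + c_factor(len(points)))]
    feat = random.randrange(len(box))
    vals = [p[feat] for p in points]
    lo, hi = min(vals), max(vals)
    if lo == hi:
        return [(box, depth + c_factor(len(points)))]
    split = random.uniform(lo, hi)
    left = [p for p in points if p[feat] < split]
    right = [p for p in points if p[feat] >= split]
    left_box, right_box = list(box), list(box)
    left_box[feat] = (box[feat][0], split)
    right_box[feat] = (split, box[feat][1])
    return (build_tree(left, depth + 1, max_depth, tuple(left_box))
            + build_tree(right, depth + 1, max_depth, tuple(right_box)))


def build_forest(points, n_trees=50, sample_size=128, max_depth=7):
    """One rule table per tree, each grown on a random subsample as in iForest."""
    return [build_tree(random.sample(points, sample_size), 0, max_depth, ROOT_BOX)
            for _ in range(n_trees)]


def table_lookup(rules, x):
    """Emulate a range-match table: return the path length stored in the matching rule."""
    for box, path_len in rules:
        if all(lo <= v < hi for v, (lo, hi) in zip(x, box)):
            return path_len
    raise LookupError("feature vector lies outside the root box")


def count_matches(rules, x):
    """Number of rules x falls in; 1 for every x inside the root box if the rules partition it."""
    return sum(1 for box, _ in rules if all(lo <= v < hi for v, (lo, hi) in zip(x, box)))


def rule_volume(rules):
    """Sum of rule box volumes; equals the root box volume when the rules partition it."""
    return sum(math.prod(hi - lo for lo, hi in box) for box, _ in rules)


def anomaly_score(forest, x, sample_size=128):
    """Standard iForest score in (0, 1]: close to 1 for short paths, i.e. isolated points."""
    mean_path = sum(table_lookup(rules, x) for rules in forest) / len(forest)
    return 2.0 ** (-mean_path / c_factor(sample_size))


def whitelist_threshold(forest, benign_points, keep=0.99):
    """Score below which a `keep` fraction of known-benign flows falls (the whitelist boundary)."""
    scores = sorted(anomaly_score(forest, p) for p in benign_points)
    return scores[min(len(scores) - 1, int(keep * len(scores)))]


def is_whitelisted(forest, x, threshold):
    """A flow is treated as benign when its score does not exceed the benign-derived threshold."""
    return anomaly_score(forest, x) <= threshold


FOREST = build_forest(BENIGN)

if __name__ == "__main__":
    thr = whitelist_threshold(FOREST, BENIGN)
    for flow in [(600.0, 2000.0), (1400.0, 50.0)]:
        print(flow, round(anomaly_score(FOREST, flow), 3), is_whitelisted(FOREST, flow, thr))
```

In a P4 target, each `(box, path_length)` pair becomes a table entry with one range-match key per feature and the path length as action data; the per-table results are summed in the data plane and compared against the threshold, so only the entries and one comparison are needed at line rate. The number of entries is bounded by the number of leaves (at most `2 ** max_depth` per tree), which is why leaf count, not model accuracy alone, decides whether an iForest fits in switch memory.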

Overview


Our paper was accepted at ACM CoNEXT 2024!

Reproducing Artifacts

First, clone this repository.

Control plane (software) experiments

  1. Populate the DataSets/ folder by downloading the datasets from here, as shown in https://github.com/vicTorKd/HorusEye/. For data plane simulations, populate the DataSets/Dataplane folder using this link. Alternatively, download the whole DataSets folder from this link.
  2. Run iGuard Artifact Evaluation.ipynb to completion and verify the plots for the software experiments. Make sure to update the dataset paths wherever they appear in the notebook.
  3. Compare your results against this document, which collects all the reported numbers.

Data plane (hardware) experiments

Reproducing these can be cumbersome, as the main overhead is in setting up the switch. We recommend using them only to verify the data plane simulations; we do not consider them necessary for artifact reproducibility.

  1. Install the hardware switch and the P4 runtime by following this tutorial.
  2. Download the PCAP traces from https://github.com/vicTorKd/HorusEye/.
  3. Compile Data_plane/logic.p4, load it on the switch, and replay these traces through the switch.
  4. Verify the results against the data plane simulations using the accuracy metrics.
  5. Use the P4i tool (we do not currently hold a license) with logic.p4 as the target to measure the resource and memory consumption gains compared to conventional iForest models.
