HIGH-THROUGHPUT MACHINE LEARNING APPROACHES

Part of the document A high performance anomaly based intrusion detection system for sdn networks (pages 123 - 141)

Duc-Minh Ngo, Cuong Pham-Quoc, and Tran Ngoc Thinh. Heterogeneous Hardware-based Network Intrusion Detection System with Multiple Approaches for SDN. In: Mobile Networks and Applications, Vol. 25, Issue 1, 1-15 (2020). ISSN: 1572-8153 (SCIE).


Mobile Networks and Applications The Journal of SPECIAL ISSUES on Mobility of Systems, Users, Data and Computing

ISSN 1383-469X Mobile Netw Appl

DOI 10.1007/s11036-019-01437-x

Heterogeneous Hardware-based Network Intrusion Detection System with Multiple Approaches for SDN

Duc-Minh Ngo, Cuong Pham-Quoc & Tran Ngoc Thinh


Mobile Networks and Applications https://doi.org/10.1007/s11036-019-01437-x

Duc-Minh Ngo1 · Cuong Pham-Quoc1 · Tran Ngoc Thinh1

© Springer Science+Business Media, LLC, part of Springer Nature 2019

Abstract

Software-Defined Networking has become one of the most efficient network architectures for dealing with complexity, improving policy control, and removing vendor dependencies. At the same time, given the diversity of network attacks, the SDN architecture faces many security issues that need to be taken into account. In this work, we propose an architecture for SDN-based secured forwarding devices (switches) by extending our previous architecture, HPOFS, with multiple security functions including lightweight DDoS mechanisms and signature-based and anomaly-based IDS. We implement our architecture on a heterogeneous system including host processors, a GPU, and FPGA boards. To the best of our knowledge, this is the first forwarding device for SDN implemented on a heterogeneous system in the literature. Our system is not only security-enhanced but also provides high-speed switching capacity based on the OpenFlow standard. The design implemented on a GeForce GTX 1080 G1 for the training phase is 14× faster than a CPU (Intel Core i7-4770, 3.4 GHz, 16 GB of RAM, Ubuntu 14.04). The switching function along with three lightweight DDoS detection/prevention mechanisms provides a processing speed of 39.48 Gbps on a NetFPGA-10G board (with a Xilinx xc5vtx240t FPGA device). In particular, our neural network models on the NetFPGA-10G board outperform the CPU in processing performance by reaching a throughput of 4.84 Gbps. Moreover, the implemented neural network model achieves 99.01% precision with only a 0.02% false positive rate when processing a dataset.

Keywords SDN · Heterogeneous platform · Network attacks · Machine learning

1 Introduction

Over the past decades, security issues of the Software Defined Networking (SDN) architecture [28] have never failed to draw public attention and provoke debate [18,33]. Although many researchers from all over the world have made great efforts to strengthen the SDN architecture in both the control plane [15,32,35] and the data plane [1,7,36,39], there is no existing solution that fully protects this architecture from the complicated and diversified development of network attacks. Our idea aims to reduce the workload of the control plane by pre-processing and protecting networks at the data plane using multiple approaches.

Cuong Pham-Quoc cuongpham@hcmut.edu.vn
Duc-Minh Ngo ndminh@hcmut.edu.vn
Tran Ngoc Thinh tnthinh@hcmut.edu.vn

1 Ho Chi Minh City University of Technology, VNU-HCM, Ho Chi Minh City, Vietnam

In addition, the development of Artificial Intelligence (AI) [38], which can train a machine to imitate intelligent human behaviors, has become a prominent research topic. AI has achieved several successes in practical applications such as visual perception, decision making, speech recognition, and object classification. Likewise, Machine learning (ML) [9] is well known as a subset of AI with the ability to update and improve itself when exposed to more data. ML is flexible and does not require human intervention to make certain changes. One of the most practical applications of ML is solving classification problems, which are similar to the problem of detecting network intruders/attackers. Many classification techniques [37] such as Linear Classifiers, Logistic Regression, Naive Bayes Classifiers, Support Vector Machines, Decision Trees and Neural Networks have been used to predict the categories to which data belongs. However, ML-based real-time applications usually require heavy computational tasks; thus, processing on general-purpose processors is not efficient. Meanwhile, hardware accelerators such as Graphics Processing Units (GPUs) and Field-Programmable Gate Arrays (FPGAs) have been employed to improve the throughput of ML algorithms in these application domains.

Currently, GPU-based acceleration is a promising approach for improving the performance of ML algorithms over traditional processors, due to the wide range of hardware providers and the impressive high-performance, high-throughput computing power. A GPU offers significant computation throughput because thousands of parallel processing cores are integrated. However, GPU platforms require large energy consumption for computation. Besides, a high-speed interconnect interface is needed to support high data-rate transfers between the GPU and the CPU. Although GPUs are extremely efficient in the training phase, they are not efficient enough in the testing phase because of the bottleneck in data transfer [10]. GPUs are deployed only on dedicated cards requiring links to the host CPU and memory over data buses. The low bandwidth of these buses [29] for transferring the computed data severely limits the abilities of GPUs in high performance computing platforms [4].

Nowadays, FPGAs play an important role in data sampling and processing industries due to their flexibility in custom hardware, high parallelism level, and low energy consumption. In the Artificial Intelligence field, there is a soaring demand for high energy-efficiency hardware implementation and massively parallel computing capacity for training and testing. Therefore, GPUs are good for training while FPGA devices have emerged as the most appropriate choice for the testing phase [4, 26]. Some advantages of FPGAs can be listed as acceptable energy consumption with high-performance, efficiency in parallel processing, custom architectures allowed, high on-chip memory bandwidth, low-latency, high reliability, and a relatively short time to market.

1.1 Our contributions

In this work, we extend our current High-performance Secured OpenFlow Switch [30] to integrate two more intrusion detection engines (IDS) for forwarding devices in Software Defined Networks (SDN). The first IDS engine (called F-NIDS) uses snort rules to classify attacking packets, while the second one (called F-ANIDS) is able to recognize anomalous behaviors of network packets based on an ML model.

We implement the proposed architecture on a heterogeneous platform including two FPGA boards and one GPU platform under the control of host processors. While the first FPGA board is used to implement the original HPOFS and F-NIDS, the trained neural network for detecting anomalous behaviors is deployed on the second FPGA board. The GPU platform is used for training the neural network. To the best of our knowledge, this is the first SDN forwarding device implemented on a heterogeneous platform with both FPGA and GPU.

Finally, a number of testing scenarios for verifying and evaluating the system are introduced in this work. The system is tested with both standard and real datasets collected from our institute's networks. We also analyze the resource usage and power consumption of the FPGA devices.

1.2 Organization

The rest of this work is organized as follows. Section 2 introduces the classification techniques that we implement as IDS engines of our system, the dataset used, and related work. In Section 3, we present our hardware architecture for forwarding devices in an SDN network. Section 4 shows our heterogeneous system based on the proposed architecture. We evaluate and analyze our system in Section 5. Finally, conclusions and future work are discussed in Section 6.

2 Background and related work

In this section, we briefly present background on techniques used for our IDS engines in the architecture. We then summarize related work in the literature.

2.1 Artificial neural network

An Artificial Neural Network (ANN) [2,16] is a computing system that plays an important role in various application domains such as computer vision, speech recognition, or medical diagnosis. An ANN imitates the human neural system by learning, recording, and using experiences from past events. An ANN computational model consists of multiple neuron layers, connections, and directions of data propagation. The ANN is able to learn features of data at multiple levels of abstraction by finding suitable linear or non-linear mathematical manipulations to turn inputs into outputs. Figure 1 illustrates an ANN example with three layers.

There are five main elements needed for data processing in ANN as follows.

– Inputs are data entries (features).

– An output is a predicted result for the corresponding inputs.

– Weights represent the significance of input features.

– A summation function sums up the weighted input entries for each neuron, as shown in Equation 1.

y = \sum_{i=1}^{n} x_i w_i \quad (1)

where x_i, w_i, and y are the i-th input, the i-th weight, and the corresponding result, respectively.

Fig. 1 A simple ANN with three layers of neurons

– An activation function f(x) decides whether a neuron generates an output to another neuron in the next layer.

The widely used activation function is the sigmoid function [45]. The summation result at a neuron is sometimes large, thus the activation function bounds this result before passing it to the next layer. In our design on hardware platforms, we prefer the alternative activation function shown in Equation 2, proposed by Nordstrom and Svensson [25], because it requires fewer hardware resources.

f(x) = \frac{1}{2}\left(\frac{y}{1+|y|} + 1\right) \quad (2)

where y is the summation result of Equation 1.

The learning process of a neural network, referred to as the training phase, determines the values of parameters or hyper-parameters (such as the number of neurons in hidden layers, weights for activation functions, and bias values) from training datasets. When training a neural network, datasets are fed into the first layer of the network, also known as the input layer. Based on the task being performed, each individual neuron is assigned a weight value for its input until the network memorizes the correct output.

The trained neural network can then be used to perform its tasks by computing the output of the network from new inputs and the assigned weights. This is referred to as the testing phase.

Back-propagation [2] has dominated ANN training due to its efficient and stable error minimization for activation functions. Since the feed-forward pass is computed in the usual way, back-propagation depends on the output calculated from the activation function. Weights in an ANN can be treated as inputs going to a single node and being fed to the network in feed-forward steps to produce the output of that single neuron. The main idea of back-propagation is to use the output to calculate the error of the function and adjust the weights toward the most appropriate values.
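As an added example (not code from the paper), the following Python models Equation 1, the hardware-friendly activation of Equation 2, and the back-propagation update described above for the three-layer shape of Figure 1. The derivative of Equation 2, the squared-error loss, the learning rate and the constructed weights are assumptions not stated on the page.

```python
from typing import List, Sequence, Tuple

Layer = List[List[float]]  # one weight vector (length = fan-in) per neuron

def summation(inputs: Sequence[float], weights: Sequence[float]) -> float:
    """Equation 1: y = sum_{i=1..n} x_i * w_i (no bias term, as on the page)."""
    if len(inputs) != len(weights):
        raise ValueError("inputs and weights must have the same length")
    return sum(x * w for x, w in zip(inputs, weights))

def hw_activation(y: float) -> float:
    """Equation 2 (Nordstrom and Svensson): f = 1/2 * (y / (1 + |y|) + 1).
    Only an add, an abs and a divide: no exp() block is needed on the FPGA."""
    return 0.5 * (y / (1.0 + abs(y)) + 1.0)

def hw_activation_derivative(y: float) -> float:
    """df/dy of Equation 2 = 1 / (2 * (1 + |y|)^2). Assumed here for the
    back-propagation step; the page does not write it out."""
    return 1.0 / (2.0 * (1.0 + abs(y)) ** 2)

def forward(inputs: Sequence[float], layers: Sequence[Layer]
            ) -> Tuple[List[List[float]], List[List[float]]]:
    """Feed-forward pass: per layer, the summations (Eq. 1) and the
    activations (Eq. 2) that become the next layer's inputs."""
    sums, acts, current = [], [], list(inputs)
    for layer in layers:
        y = [summation(current, w) for w in layer]
        current = [hw_activation(v) for v in y]
        sums.append(y)
        acts.append(current)
    return sums, acts

def train_step(inputs: Sequence[float], layers: Sequence[Layer],
               target: float, lr: float) -> float:
    """One back-propagation update (squared-error loss, assumed) for one
    hidden layer and a single output neuron: the output error is sent back
    through the old output weights to adjust the hidden weights. Updates the
    layers in place and returns the error before the update."""
    sums, acts = forward(inputs, layers)
    hidden, output = acts[0], acts[1][0]
    error = 0.5 * (target - output) ** 2
    delta_out = (output - target) * hw_activation_derivative(sums[1][0])
    out_w = layers[1][0]
    deltas_hidden = [delta_out * out_w[j] * hw_activation_derivative(sums[0][j])
                     for j in range(len(hidden))]
    for j in range(len(out_w)):                      # output-layer weights
        out_w[j] -= lr * delta_out * hidden[j]
    for j, w in enumerate(layers[0]):                # hidden-layer weights
        for i in range(len(w)):
            w[i] -= lr * deltas_hidden[j] * inputs[i]
    return error

def demo() -> Tuple[float, float]:
    """Constructed weights for a 2-input, 2-hidden, 1-output network; returns
    the error before the first and after the 200th training step."""
    layers: List[Layer] = [[[0.2, -0.4], [0.3, 0.1]], [[0.5, -0.5]]]
    x, target = [1.0, 0.5], 0.9
    first = train_step(x, layers, target, 0.5)
    for _ in range(199):
        train_step(x, layers, target, 0.5)
    return first, train_step(x, layers, target, 0.5)
```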

2.2 Dataset

Our previous work [8] used the NSL-KDD dataset [6] to evaluate the neural network implemented on FPGA and showed that the system can achieve high accuracy with better performance compared to a GPU. In this paper, we generate a dataset of packets collected and labelled at the Computer Engineering lab, Ho Chi Minh City University of Technology, VNU-HCM. We captured packets from a device providing web services at several times of day. Table 1 shows the number of packets used for training and testing our system. The normal packets are captured in a usual network state, while the attack packets are SYN flood packets generated by the hping3 toolchain [41].

2.3 Related work

Many studies propose to deploy security functions in the control plane of an SDN, such as the research in [3,35]. For instance, SLICOTS [20] builds a lightweight module on the control plane to prevent TCP SYN flooding attacks. However, these proposals consume massive computing resources of the controller for performing security functions. To overcome this issue, the authors in [1,7,21,49] propose to bring intelligent processes from the control plane to the data plane, called the stateful SDN data plane. A stateful SDN data plane not only prevents flooding of the communication channel but also helps detect attacks sooner. However, this approach introduces new challenges such as switch memory saturation or CPU exhaustion.

In terms of intrusion detection systems (IDS), signature-based IDS [43,44] can only prevent known attacks, which led to the development of anomaly-based IDS. Classification and machine learning implementations are prominent research trends on FPGA platforms. A hardware-based classification architecture named BV-TCAM, proposed in [40], aims to implement a Network Intrusion Detection System (NIDS). The proposed architecture is a combination of two algorithms, Ternary Content Addressable Memory (TCAM) and Bit Vector (BV). This combination helps represent data effectively and increases system throughput.

Table 1 Dataset used for training and testing phases

                  Normal packets   Attack packets
Training phase         1,445,135        8,328,298
Testing phase            428,021        7,895,321

There are various proposed neural networks implemented on FPGA platforms to take full advantage of the FPGA's reconfiguration ability, high performance, and short development time. The proposal in [5] allows different variants of neural networks to be quickly deployed.

Other studies focus on maximizing the resource utilization of FPGA hardware. The research of James-Roxby in [17] proposes an implementation of a multi-layer perceptron (MLP) with fixed weights, which can be modified via dynamic reconfiguration in a short interval. A similar exploration is found in [48]. However, in most FPGA-based ANN implementations, weights are mainly represented as integers. Special algorithms are proposed in [19] representing weights by power-of-two integers. On the other hand, floating-point precision weights are also investigated in [24]. In this paper, ANN models are proposed with 32-bit floating-point precision weights for classification purposes on the NetFPGA platform.

3 Proposed architecture

In this section, we introduce an architecture for secured SDN-based forwarding devices. The architecture is extended from our HPOFS [30] to integrate two more security functions: a rule-based and an anomaly-based network intrusion detection engine.

3.1 Overview of SDN architecture

Figure 2 illustrates an overview of a secured SDN network architecture which includes application, control, and infrastructure layers. The following paragraphs explain the details of the layers.

Fig. 2 An SDN with our proposed forwarding devices

The Application layer accommodates SDN applications that collect information about the entire network through the control layer via the northbound interface to build an abstracted view of the network. Moreover, these applications provide various services such as decision-making, analytics, network management, and also security functions.

The Control layer holds logical entities called SDN controllers that receive instructions from SDN applications. The controllers manage the flow control of forwarding devices in the infrastructure layer by collecting network statistics via the southbound interface, and also send information back to the SDN applications. The Infrastructure layer, or data plane, of an SDN architecture includes the forwarding devices, which are responsible for controlling network behaviors (forwarding and processing). The southbound interface is used for communication between the SDN controllers in the control layer and the forwarding devices, with real-time criteria.

OpenFlow is the first and probably the most well-known southbound interface, developed by the Open Networking Foundation (ONF) [27]. It defines the protocol for interaction between SDN controllers and forwarding devices to make changes to the network.

3.2 The proposed architecture for secured hardware-based forwarding devices

In this work, we propose a hardware-based architecture for secured SDN forwarding devices in the data plane. The hardware-based forwarding devices are targeted for implementation on parallel computing platforms like FPGA and GPU. Using parallel computing hardware platforms allows switching and security tasks to be performed concurrently and increases performance in filtering and detecting malicious packets. Our previous work [30] proposed a hardware-based architecture for a secured OpenFlow switch. In this work, we extend the architecture to accommodate two more security methods to protect the system against multiple forms of attacks. Figure 3 depicts our proposed architecture, which includes four main components as follows.

(1) OpenFlow function: containing a flow table and performing flow lookup for new incoming packets;

(2) Pre-scanner: including lightweight scanning cores which focus on preventing DDoS attacks [31];

(3) F-NIDS (FPGA-based Network Intrusion Detection System): using installed snort rules to detect attacking packets;

(4) F-ANIDS (FPGA-based Anomaly-based Network Intrusion Detection System): detecting harmful packets based on trained neural network models.

[Figure 3 (block diagram; image not reproduced). Block labels: Ethernet Packet (Epkt), Header Extraction, FIFO, Packet Controller, OpenFlow Function, System Bus, Packet Queue; Pre-scanner (Distributor, Core 1, Core 2, ..., Core n, Collector); F-NIDS (Controller, Header, Payload, Collector, Packaging); F-ANIDS (FEM with two Buffers, Normalization, Model Construction, Trained Model, Detector, Packaging); Generated Packet (Gpkt).]

Fig. 3 A hardware-based forwarding device architecture with an OpenFlow-based function and three security engines including DDoS prevention (Pre-scanner) and two IDS engines (F-NIDS and F-ANIDS)

The following paragraphs present details of blocks in our proposed architecture.

Header extraction block connects to five other components: F-ANIDS, F-NIDS, Pre-scanner, OpenFlow function, and FIFO. To execute scanning behaviors and to provide switching decisions, the security mechanisms and the OpenFlow function need the header fields of incoming packets. Header extraction receives network packets and is responsible for extracting the necessary header fields for F-ANIDS, F-NIDS, Pre-scanner, and OpenFlow function.

Besides, after extracting header fields, this block forwards the payloads of packets to F-NIDS (with snort rules installed) for content matching. Furthermore, we create a FIFO memory for storing packets; thus, the Header extraction block can process new incoming packets during the execution of the security and switching blocks in a pipeline.

F-ANIDS block is designed for a complete progression from training to inference of an ANN and includes the following modules:

– The FEM module (Feature Extraction Module) receives extracted header fields from the Header extraction block and creates a statistical report of each connection over a fixed interval (k clocks). This module consists of two Buffers that store statistical reports and ensure the response time of the system by swapping their roles: one buffer operates as a memory collecting the statistical data while the other serves as an output memory.

– The Normalization module receives reports from the FEM module and performs two tasks: integer to floating-point number conversion and floating-point value normalization.

– The Model Construction module is responsible for building a neural network model based on normalized data from the Normalization module.

– The Trained Model module accepts the constructed model from the Model Construction module and executes the inference phase with data from Normalization.

– The Packaging module collects both data from Normalization and scanning results from Trained Model and packs them into packets which are sent to the controller or administrator.
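As an added example (not the paper's code), the following Python models the FEM's double-buffered per-connection statistics over k-clock intervals and the Normalization module's integer-to-float conversion and scaling. The feature set (packet, SYN-only and ACK counts per (src, dst, port) connection), the min-max scaling rule, and the packet records are assumptions constructed for the demonstration.

```python
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Assumed feature layout per connection: [packets, SYN-only, ACK-carrying]
Key = Tuple[str, str, int]          # (src_ip, dst_ip, dst_port)
Report = Dict[Key, List[int]]

class FeatureExtractionModule:
    """Model of the FEM: per-connection counters over k clocks, held in two
    buffers that swap roles at each boundary (one collects, one is output)."""

    def __init__(self, k: int) -> None:
        self.k = k
        self.buffers: List[Report] = [defaultdict(lambda: [0, 0, 0]),
                                      defaultdict(lambda: [0, 0, 0])]
        self.collecting = 0             # index of the buffer receiving packets
        self.interval_end = k

    def push(self, clock: int, src: str, dst: str, dport: int,
             flags: str) -> Optional[Report]:
        """Feed one extracted header; returns the finished report when the
        packet opens a new interval, otherwise None."""
        finished = None
        if clock >= self.interval_end:
            finished = dict(self.buffers[self.collecting])   # output memory
            self.collecting ^= 1                             # swap roles
            self.buffers[self.collecting].clear()
            while clock >= self.interval_end:                # skip idle gaps
                self.interval_end += self.k
        counters = self.buffers[self.collecting][(src, dst, dport)]
        counters[0] += 1
        counters[1] += 1 if flags == "S" else 0              # SYN without ACK
        counters[2] += 1 if "A" in flags else 0              # ACK flag set
        return finished

def normalize(report: Report) -> Dict[Key, List[float]]:
    """Model of the Normalization module: counters become floats, then each
    feature is min-max scaled across the report's connections (rule assumed)."""
    if not report:
        return {}
    n = len(next(iter(report.values())))
    lo = [min(v[i] for v in report.values()) for i in range(n)]
    hi = [max(v[i] for v in report.values()) for i in range(n)]
    return {key: [(float(v[i]) - lo[i]) / (hi[i] - lo[i]) if hi[i] > lo[i] else 0.0
                  for i in range(n)] for key, v in report.items()}

# Constructed records (clock, src, dst, dst_port, TCP flags): a normal client
# exchange, 50 SYNs from one source, then a packet past the k=100 boundary.
SAMPLE_PACKETS = (
    [(1, "10.0.0.5", "10.0.0.80", 80, "S"), (2, "10.0.0.5", "10.0.0.80", 80, "A"),
     (3, "10.0.0.5", "10.0.0.80", 80, "PA")]
    + [(4 + i, "10.0.0.99", "10.0.0.80", 80, "S") for i in range(50)]
    + [(120, "10.0.0.5", "10.0.0.80", 80, "A")]
)

def run(packets, k: int = 100) -> List[Tuple[Report, Dict[Key, List[float]]]]:
    """Push all records through the FEM; return (raw, normalized) per interval."""
    fem, out = FeatureExtractionModule(k), []
    for rec in packets:
        report = fem.push(*rec)
        if report is not None:
            out.append((report, normalize(report)))
    return out
```

Only the interval closed by the packet at clock 120 is reported; the single-source burst of SYNs without ACKs stands out in the normalized report as the kind of per-connection pattern the Trained Model is then asked to classify.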

F-NIDS block detects attacks based on snort rules. This component consists of five modules as follows.

– The Controller module collects the extracted data, i.e. header fields and payloads (packet contents), from the Header Extraction block and forwards them to the Header and Payload modules.

– The Header module detects attacks by matching header fields with snort header rules.

– The Payload module compares the payload with snort payload rules.

– The Collector module collects both packet fields and results from Header and Payload.

– The Packaging module obtains data from Collector to build packets which are sent to the controller or administrator.
