E-Replacement: Efficient scanner data collection method in P4-based software-defined networks
International Journal of Network Management (IF 1.5), Pub Date: 2021-04-26, DOI: 10.1002/nem.2162
Yun-Zhan Cai, Ting-Yu Lin, Yu-Ting Wang, Ya-Pei Tuan, Meng-Hsun Tsai

Internet of Things (IoT) botnets such as Mirai have been rampant in the past years. Port scanning is a well-known behavior of botnets for searching targets in networks. To detect port scanning, a detector requires network statistics with high discriminatory power. In P4-based software-defined networks (SDN), switches take charge of recording characteristics about scanning behaviors, and controllers pull the statistics from the switches periodically for anomaly detection. Given that storage resources in switches are limited, we proposed a scanner data collection method, 0-Replacement, in P4-based SDN to efficiently collect scanner data and improve the detection rate. 0-Replacement, however, does not consider performance degradation caused by hash collisions. In this paper, we combine the concept of Hashpipe with 0-Replacement and propose a new scanner data collection method named E-Replacement. By leveraging the concept of Hashpipe, E-Replacement can mitigate the performance degradation caused by hash collisions. Through simulations, we show that E-Replacement improves the detection rate by up to 6.73% and 210.82% compared to 0-Replacement and the traditional sample and hold method, respectively. Besides, E-Replacement improves the precision by around 528.2% compared to the count-min sketch and k-ary sketch methods. The memory usage in E-Replacement is the same as in 0-Replacement. In simulations, E-Replacement can detect around 93.4% of scanners in a class B network with only 4.02-Mb SRAM. After implementing E-Replacement on a software P4 switch, BMv2, we observe that the extra forwarding latency for E-Replacement is not greater than a millisecond.

Updated: 2021-04-26