One of the effective ways of detecting malicious traffic in computer networks is the intrusion detection system (IDS). Although an IDS identifies malicious activities in a network, it can be difficult for it to detect distributed or coordinated attacks because it has only a single vantage point. To address this problem, the cooperative intrusion detection system was proposed. In this system, nodes exchange attack features or signatures so that an attack previously detected by one node can be detected by the others. Exchanging attack features is necessary because zero-day attacks (attacks without a known signature) experienced in different locations are not the same. Although this solution enhances the ability of a single IDS to respond to attacks previously identified by cooperating nodes, malicious activities such as fake data injection, data manipulation or deletion, and data consistency problems threaten this approach. In this paper, we propose a solution that leverages blockchain's distributed technology, tamper-proof ability and data immutability to detect and prevent malicious activities and to solve the data consistency problems facing cooperative intrusion detection. Focusing on the extraction, storage and distribution stages of cooperative intrusion detection, we develop a blockchain-based solution that securely extracts features or signatures, adds an extra verification step, makes the storage of these signatures and features distributed, and secures data sharing. A performance evaluation of the system with respect to its response time and resistance to feature/signature injection is presented. The results show that the proposed solution protects stored attack features or signatures against malicious data injection, manipulation or deletion and has low latency.
P4Chain: A Multichain Approach for Real-Time Anomaly Traffic Detection in P4 Network
Programming Protocol-independent Packet Processors (P4) is an open-source domain-specific language that lets data plane devices be programmed for packet forwarding. It has a variety of constructs optimized for this purpose. With P4, one can program ASICs, PISA chips, FPGAs, and many other network devices, since the language constructs allow true independence in some aspects that OpenFlow could not support. However, this technology faces some challenges. The first is that P4 does not account for malicious traffic detection in the data plane pipeline. The second is that the controllers have no secure medium for exchanging attack signatures. This ongoing work presents a multichain solution for detecting malicious traffic and exchanging attack signatures among controllers. The architecture uses an Artificial Immune System (AIS) based Intrusion Detection System (IDS), running on a distributed blockchain network, to introspect the P4 data plane and to analyze and detect anomalous traffic flows. This IDS resides in SideChain smart contracts and constantly monitors the traffic flow at the data planes through introspection. Once malicious traffic is detected on any SideChain, its signatures are extracted and passed through the signature forwarding node to the MainChain for real-time storage. The malicious signatures are then sent to all controllers via the MainChain network. We minimize the congestion the solution can cause in the P4 network by using a load balancer to serve the SideChains. To evaluate performance, we measure the False Positive Rate (FPR), Detection Rate (DR), and Accuracy (ACC) of the IDS. We also compute the execution time, performance overhead, and scalability of the proposed solution.
- Award ID(s):
- 2029295
- PAR ID:
- 10471043
- Publisher / Repository:
- IEEE 14th Annual Ubiquitous Computing, Electronics & Mobile Communications (UEMCON 2023)
- Date Published:
- Subject(s) / Keyword(s):
- Blockchain, MainChain, SideChains, P4Chain, AIS, Smart contracts, IDS, P4, Signature
- Format(s):
- Medium: X
- Location:
- New York
- Sponsoring Org:
- National Science Foundation
More Like this
- P4 (Programming Protocol-Independent Packet Processors) represents a paradigm shift in network programmability by providing a high-level language to define packet processing behavior in network switches/devices. The importance of P4 lies in its ability to overcome the limitations of OpenFlow, the previous de facto standard for software-defined networking (SDN). Unlike OpenFlow, which operates on fixed match-action tables, P4 offers an approach where network operators can define packet processing behaviors at various protocol layers. P4 provides a programmable platform to create and implement custom protocols for network switches/devices. However, this opens a new attack surface for threat actors who can access P4-enabled switches/devices and manipulate custom protocols for malicious purposes. Attackers can craft malicious packets to exploit protocol-specific vulnerabilities in these network devices. This ongoing research work proposes a blockchain-based model to secure P4 custom protocols. The model leverages the blockchain's immutability, tamper-proof ability, distributed consensus for protocol governance, and auditing to guarantee the transparency, security, and integrity of custom protocols defined in P4 programmable switches. The protocols are recorded as transactions and stored on the blockchain network. The model's performance will be evaluated using execution time in overhead computation, false positive rate, and network scalability.
- Despite the increased accuracy of intrusion detection systems (IDS) in identifying cyberattacks in computer networks and devices connected to the internet, distributed or coordinated attacks can still go undetected or be detected late. The single vantage point limits the ability of these IDSs to detect such attacks. For this reason, attack characteristics need to be exchanged among different IDS nodes. Researchers proposed the cooperative intrusion detection system to share these attack characteristics effectively. This approach was useful; however, the security of the shared data cannot be guaranteed. More specifically, maintaining the integrity and consistency of shared data becomes a significant concern. In this paper, we propose a blockchain-based solution that ensures the integrity and consistency of attack characteristics shared in a cooperative intrusion detection system. The proposed architecture achieves this by detecting and preventing fake feature injection and compromised IDS nodes. It also facilitates scalable attack feature exchange among IDS nodes, ensures heterogeneous IDS node participation, and is robust to public IDS nodes joining and leaving the network. We present a security analysis and evaluate latency. The results show that the proposed approach detects and prevents compromised IDS nodes and malicious feature injection, manipulation, or deletion, and that it is scalable with low latency.
- Despite the significant benefits of the widespread adoption of smart home Internet of Things (IoT) devices, these devices are known to be vulnerable to active and passive attacks. Existing literature has demonstrated the ability to infer the activities of these devices by analyzing their network traffic. In this study, we introduce a packet-based signature generation and detection system that can identify specific events associated with IoT devices by extracting simple features from raw encrypted network traffic. Unlike existing techniques that depend on specific time windows, our approach automatically determines the optimal number of packets to generate unique signatures, making it more resilient to network jitter. We evaluate the effectiveness, uniqueness, and correctness of our signatures by training and testing our system on four public datasets and an emulated dataset with varying network delays, verifying known signatures and discovering new ones. Our system achieved an average recall and precision of 98-99% and 98-100%, respectively, demonstrating the effectiveness and feasibility of using packet-level signatures to detect IoT device activities.
- A programmable data plane composed of P4 switches, smartNICs, and hosts running software network functions can provide new opportunities for network security. Much work in this area has focused on monitoring high-volume traffic such as denial of service attacks or heavy-hitter detection. However, slow attacks that carefully use small amounts of traffic to have a highly negative effect are much more challenging to detect, since they typically require fine-grained analysis of all flows. Our work is exploring how a programmable data plane can provide accurate attack detection at nearly line rate while overcoming challenges such as the limited memory space available on network devices.