Application Layer Packet Processing Using PISA Switches
Abstract
1. Introduction
2. Background
2.1. Protocol Independent Switch Architecture (PISA)
2.2. P4 Language
- The user develops a P4 program, which can be any type of network function, such as a router, firewall, load balancer, or packet inspection switch.
- The P4 compiler compiles the program into a JSON file and sends it to the switch, which can be a physical switch or a software model of one.
- The states of the parser, match-parser, match-action tables, ingress, egress queue, and deparser are controlled by P4 execution.
- The states of the match-action tables are additionally controlled by the control plane, which can change the behavior of the P4 code at run time.
- table_set_default <table_name> <action_name> <action_parameters> is used to set the default action of a table (i.e., the action executed when no match is found).
- table_add <table_name> <action_name> <match_fields> => <action_parameters> is used to set the action for a specific match in a table.
- mirror_add <source> <destination> is used to mirror a specific port internally.
2.3. In-Band Telemetry with Programmable Switches
2.4. Real-Time Data Streaming
2.5. Deep Packet Inspection (DPI) and Application Layer Visibility
3. Application Layer Processing with P4 Switches
3.1. Proposed System Architecture

    While packet -> in ingress buffer
        Extract telemetry headers
        Put in Flow-Keys Telemetry Headers
        If Flow Not in Flow-Table
            Create flow in Flow-Table
        Else If Flow-Packet-Count < 2
            Put Payload in Flow-Packets ...
                with Flow-Keys in Flow-Table
            Continue
        Else
            Create telemetry header with ...
                INT-XD options
            Send Flow-Table in Flow-Keys ...
                to External Telemetry

- Inline
- Out-of-Band
3.2. Simulation Environment
- Simple_switch_bmv2: BMV2 software switch, based on Python2.7
- m-veth-1: Ingress mininet Switch Port
- m-veth-2: Egress mininet Switch Port
- out-veth-1: Ingress Server Host Port
- out-veth-2: Egress Server Host Port
4. Experimental Study
- Session is TCP (Session has 3-way handshake);
- Session is UDP (Session has no 3-way handshake);
- Session is detected by nDPI;
- Session is not detected by nDPI.
4.1. Experiment-1: Application Identification Performance Improvement DPI Application Classification on Mixed Flow Captures
4.1.1. TCP Session
---

    Source -> Destination (SYN+Seq #)
    Destination -> Source (SYN ACK+Seq #)
    Source -> Destination (ACK+Seq #)

---
4.1.2. UDP Session
4.2. Sample Packet Captures
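---

    from scapy.all import rdpcap, PcapWriter

    network_packets = rdpcap(infile)
    sessions = network_packets.sessions()
    writer = PcapWriter(outfile, append=True)
    for key in sessions:
        pktCount = 0
        for pkt in sessions[key]:
            # keep only the first two packets of each session
            if pktCount < 2:
                writer.write(pkt)
            pktCount = pktCount + 1
    writer.close()

---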
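Added example, not part of the paper: the first-two-packets-per-session reduction of this section, which is also the in-switch rule of Section 3.1, run on constructed packet records without scapy. It compares a direction-sensitive session key, which is how scapy's default `sessions()` groups packets, with a bidirectional key, and computes the byte-based reduce rate as (1 - RDC/ORG) x 100, which reproduces the REDUCE RATE column of the capture table (ssh: 41,738 to 401 bytes gives 99.04); the sample packets and all function names are assumptions.

```python
from collections import defaultdict

# Constructed sample records: (proto, src, sport, dst, dport, frame_bytes).
PACKETS = [
    ("TCP", "10.0.0.1", 40000, "10.0.0.2", 443, 74),    # SYN
    ("TCP", "10.0.0.2", 443, "10.0.0.1", 40000, 74),    # SYN+ACK
    ("TCP", "10.0.0.1", 40000, "10.0.0.2", 443, 66),    # ACK
    ("TCP", "10.0.0.1", 40000, "10.0.0.2", 443, 583),   # first client payload
    ("TCP", "10.0.0.2", 443, "10.0.0.1", 40000, 1514),  # first server payload
    ("TCP", "10.0.0.2", 443, "10.0.0.1", 40000, 1514),
    ("TCP", "10.0.0.1", 40000, "10.0.0.2", 443, 66),
    ("UDP", "10.0.0.1", 53000, "10.0.0.9", 53, 80),     # query
    ("UDP", "10.0.0.9", 53, "10.0.0.1", 53000, 120),    # response
]


def directional_key(pkt):
    """Direction-sensitive key: each direction of a flow is its own session."""
    proto, src, sport, dst, dport, _ = pkt
    return (proto, src, sport, dst, dport)


def bidirectional_key(pkt):
    """Both directions of a conversation map to the same session."""
    proto, src, sport, dst, dport, _ = pkt
    a, b = sorted([(src, sport), (dst, dport)])
    return (proto, a, b)


def reduce_capture(packets, key_fn, keep=2):
    """Keep only the first `keep` packets of every session, in capture order."""
    seen = defaultdict(int)
    kept = []
    for pkt in packets:
        key = key_fn(pkt)
        if seen[key] < keep:
            kept.append(pkt)
        seen[key] += 1
    return kept


def total_bytes(packets):
    return sum(pkt[5] for pkt in packets)


def reduce_rate(org_bytes, rdc_bytes):
    """Reduce rate in percent, rounded to two decimals like the tables."""
    return round((1 - rdc_bytes / org_bytes) * 100, 2)


if __name__ == "__main__":
    for name, fn in (("directional", directional_key),
                     ("bidirectional", bidirectional_key)):
        kept = reduce_capture(PACKETS, fn)
        rate = reduce_rate(total_bytes(PACKETS), total_bytes(kept))
        print(f"{name}: kept {len(kept)} packets, reduce rate {rate}%")
```

On this sample the direction-sensitive key keeps four packets of the TCP flow but not the first client payload, because that packet is the third one in its direction; the bidirectional key keeps only SYN and SYN+ACK.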
4.3. Experiment-2: TCP-Based Application Identification Using Real-Life Data
4.4. Experiment-3: Application Identification in Full Stream Using Real-Life Data
4.5. Results and Discussion of the Experiments
5. Conclusions
6. Future Study
Author Contributions
Funding
Acknowledgments
Conflicts of Interest
Appendix A

    // Flow key registers
    reg_src_ip = Register();
    reg_dst_ip = Register();
    reg_proto = Register();
    reg_l4 = Register();

    // Flow statistics registers
    reg_pkt_count = Register();
    reg_byte_count = Register();
    reg_time_start = Register();
    reg_time_end = Register();
    reg_flags = Register();

    initialize_registers(hdr: PacketHeader, index: HashIndex, md: Metadata):
        reg_src_ip[index] = hdr.src_ip;
        reg_dst_ip[index] = hdr.dst_ip;
        reg_proto[index] = hdr.proto;
        reg_l4[index] = hdr.l4;
        reg_pkt_count[index] = 1;
        reg_byte_count[index] = length(hdr.ethernet) + hdr.ip_len;
        reg_time_start[index] = md.timestamp;
        reg_time_end[index] = md.timestamp;
        reg_flags[index] = hdr.tcp_flags;

    with pkt = ingress.next_packet():
        hdr = parse(pkt);
        md = pkt.metadata;
        index = hash({hdr.src_ip, hdr.dst_ip, hdr.proto, hdr.l4});
        collision = hdr.src_ip != reg_src_ip[index] ||
                    hdr.dst_ip != reg_dst_ip[index] ||
                    hdr.proto != reg_proto[index] ||
                    hdr.l4 != reg_l4[index];
        if collision:
            // Export info and keep track of new flow
            flow_record = {
                reg_src_ip[index], reg_dst_ip[index],
                reg_proto[index], reg_l4[index],
                reg_pkt_count[index], reg_byte_count[index],
                reg_time_start[index], reg_time_end[index],
                reg_flags[index]
            };
            emit({hdr.ethernet, flow_record});
            initialize_registers(hdr, index, md);
        else:
            // Update statistics of current flow
            reg_pkt_count[index] += 1;
            reg_byte_count[index] += length(hdr.ethernet) + hdr.ip_len;
            reg_time_end[index] = md.timestamp;
            // Bitwise OR accumulates every TCP flag seen on the flow
            reg_flags[index] |= hdr.tcp_flags;

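Added example, not the paper's code: a software model of the register-based flow cache in the Appendix A pseudocode, run on constructed packets, showing how a hash collision exports the resident flow and splits one flow's statistics across several records. The tiny table size, the toy hash, the packed `l4` value, the 14-byte Ethernet header length and the choice not to export from an empty slot are assumptions of this model.

```python
from dataclasses import dataclass

TABLE_SIZE = 4     # assumption: tiny table so collisions are easy to trigger
ETH_HDR_LEN = 14   # stands in for length(hdr.ethernet) in the pseudocode


@dataclass
class Packet:      # constructed stand-in for parsed headers plus metadata
    src_ip: str
    dst_ip: str
    proto: int
    l4: int        # assumption: source and destination port packed in one value
    ip_len: int
    tcp_flags: int
    timestamp: int


def toy_hash(key):
    """Stand-in for the switch hash unit: deterministic and easy to collide."""
    return key[3] % TABLE_SIZE


class FlowCache:
    def __init__(self, hash_fn=toy_hash):
        self.slots = [None] * TABLE_SIZE
        self.hash_fn = hash_fn

    def process(self, pkt):
        """Update the cache with one packet; return the evicted record or None."""
        key = (pkt.src_ip, pkt.dst_ip, pkt.proto, pkt.l4)
        index = self.hash_fn(key)
        slot = self.slots[index]
        size = ETH_HDR_LEN + pkt.ip_len
        if slot is not None and slot["key"] == key:
            slot["pkts"] += 1
            slot["bytes"] += size
            slot["t_end"] = pkt.timestamp
            slot["flags"] |= pkt.tcp_flags  # bitwise OR keeps every flag seen
            return None
        # Empty slot or collision: the new flow takes over the slot and the
        # previous occupant (None for an empty slot) is handed to the caller.
        self.slots[index] = {"key": key, "pkts": 1, "bytes": size,
                             "t_start": pkt.timestamp, "t_end": pkt.timestamp,
                             "flags": pkt.tcp_flags}
        return slot


def run(packets):
    """Feed packets through a fresh cache; return (cache, exported records)."""
    cache = FlowCache()
    exported = [rec for rec in map(cache.process, packets) if rec is not None]
    return cache, exported


SYN, PSH, ACK = 0x02, 0x08, 0x10
SAMPLE = [  # constructed: flows A and B share index 1, flow C uses index 2
    Packet("10.0.0.1", "10.0.0.2", 6, 5, 60, SYN, 100),          # A
    Packet("10.0.0.1", "10.0.0.2", 6, 5, 52, ACK, 101),          # A
    Packet("10.0.0.3", "10.0.0.2", 6, 9, 60, SYN, 102),          # B evicts A
    Packet("10.0.0.4", "10.0.0.2", 17, 2, 80, 0, 103),           # C
    Packet("10.0.0.1", "10.0.0.2", 6, 5, 500, PSH | ACK, 104),   # A evicts B
]

if __name__ == "__main__":
    cache, exported = run(SAMPLE)
    for rec in exported:
        print("exported:", rec)
    print("still cached:", [s for s in cache.slots if s is not None])
```

Flow A ends up as one exported record with two packets plus a fresh one-packet entry in the cache, so a collector has to merge records by flow key to recover per-flow totals.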
| | BYTES (ORG) | BYTES (RDC) | PACKETS (ORG) | PACKETS (RDC) | DET.STAT. (POS.) | DET.STAT. (NEG.) | REDUCE RATE (%) |
|---|---|---|---|---|---|---|---|
anydesk | 2,962,572 | 767 | 6963 | 8 | 1 | 0 | 99.97 |
exe_download | 734,335 | 328 | 703 | 4 | 1 | 0 | 99.96 |
exe_download_as | 542,265 | 328 | 534 | 4 | 1 | 0 | 99.94 |
tor | 3,106,096 | 3524 | 3859 | 42 | 4 | 0 | 99.89 |
whatsappfiles | 467,113 | 760 | 620 | 8 | 1 | 0 | 99.84 |
wireguard | 791,758 | 1576 | 2399 | 4 | 1 | 0 | 99.80 |
ps_vue | 2,242,710 | 5184 | 1740 | 15 | 3 | 0 | 99.77 |
tls_long_cert | 121,969 | 380 | 182 | 4 | 1 | 0 | 99.69 |
ftp | 1,158,196 | 3805 | 1192 | 12 | 3 | 0 | 99.67 |
quic-mvfst | 408,962 | 1414 | 353 | 2 | 1 | 0 | 99.65 |
git | 76,165 | 376 | 90 | 4 | 1 | 0 | 99.51 |
netflix | 6,323,017 | 32,776 | 6999 | 217 | 5 | 0 | 99.48 |
coap_mqtt | 954,917 | 5505 | 8516 | 51 | 3 | 0 | 99.42 |
dns-tunnel | 80,668 | 528 | 438 | 8 | 1 | 0 | 99.35 |
bitcoin | 596,362 | 4816 | 637 | 24 | 1 | 0 | 99.19 |
wa_video | 998,593 | 8587 | 1567 | 38 | 6 | 0 | 99.14 |
ssh | 41,738 | 401 | 258 | 4 | 1 | 0 | 99.04 |
quic_t51 | 589,126 | 5664 | 642 | 4 | 1 | 0 | 99.04 |
quic-28 | 252,865 | 2782 | 253 | 4 | 1 | 0 | 98.90 |
bittorrent_ip | 519,514 | 6512 | 479 | 8 | 1 | 0 | 98.75 |
skype-conf | 44,487 | 616 | 200 | 4 | 1 | 0 | 98.62 |
dns_exfiltr | 80,745 | 1149 | 300 | 4 | 1 | 0 | 98.58 |
| | 3,009,247 | 47,580 | 3443 | 122 | 7 | 0 | 98.42 |
tls_verylong_ce | 23,381 | 380 | 48 | 4 | 1 | 0 | 98.37 |
check_mk_new | 22,594 | 391 | 98 | 4 | 1 | 0 | 98.27 |
quic-mvfst-22 | 300,063 | 5232 | 490 | 4 | 1 | 0 | 98.26 |
bad-dns-traffic | 108,542 | 1934 | 382 | 12 | 1 | 0 | 98.22 |
capwap | 108,037 | 2113 | 422 | 21 | 2 | 0 | 98.04 |
anyconnect-vpn | 1,088,929 | 23,234 | 3001 | 166 | 17 | 0 | 97.87 |
openvpn | 64,263 | 1392 | 298 | 12 | 1 | 0 | 97.83 |
webex | 902,823 | 19,937 | 1580 | 223 | 6 | 0 | 97.79 |
bittorrent_utp | 43,553 | 979 | 86 | 4 | 1 | 0 | 97.75 |
| | 31,951 | 752 | 60 | 8 | 1 | 0 | 97.65 |
nintendo | 357,057 | 9156 | 1000 | 66 | 3 | 0 | 97.44 |
simple-dnscrypt | 47,340 | 1344 | 111 | 16 | 1 | 0 | 97.16 |
443-opvn | 12,677 | 380 | 46 | 4 | 1 | 0 | 97.00 |
Oscar | 11,090 | 352 | 71 | 4 | 1 | 0 | 96.83 |
google_ssl | 9780 | 328 | 28 | 4 | 1 | 0 | 96.65 |
nest_log_sink | 137,036 | 4806 | 1000 | 60 | 3 | 0 | 96.49 |
modbus | 9129 | 358 | 102 | 4 | 1 | 0 | 96.08 |
quic046 | 93,697 | 3723 | 100 | 4 | 1 | 0 | 96.03 |
fix | 145,778 | 5858 | 1261 | 48 | 1 | 0 | 95.98 |
| | 279,507 | 11,287 | 498 | 104 | 6 | 0 | 95.96 |
tls_esni_sni_b | 16,811 | 696 | 38 | 8 | 1 | 0 | 95.86 |
pps | 2,307,979 | 104,799 | 2557 | 243 | 4 | 0 | 95.46 |
http-crash- | 3544 | 168 | 9 | 2 | 1 | 0 | 95.26 |
smb_deletefile | 33,172 | 1660 | 101 | 4 | 1 | 0 | 95.00 |
WebattackXSS | 4,946,124 | 248,266 | 9374 | 2641 | 1 | 0 | 94.98 |
teams | 1,554,287 | 78,248 | 2817 | 267 | 15 | 0 | 94.97 |
dnp3 | 51,786 | 2752 | 543 | 32 | 1 | 0 | 94.69 |
| | 707,438 | 43,775 | 1672 | 287 | 15 | 0 | 93.81 |
s7comm | 6580 | 408 | 55 | 4 | 1 | 0 | 93.80 |
telegram | 374,409 | 25,197 | 1566 | 119 | 15 | 0 | 93.27 |
youtube_quic | 198,575 | 13,389 | 289 | 12 | 2 | 0 | 93.26 |
1kxun | 664,361 | 45,690 | 1439 | 297 | 16 | 0 | 93.12 |
bittorrent | 312,904 | 21,595 | 299 | 74 | 1 | 0 | 93.10 |
ja3_lots_of1 | 7614 | 528 | 27 | 4 | 1 | 0 | 93.07 |
ja3_lots_of2 | 5396 | 380 | 11 | 4 | 1 | 0 | 92.96 |
wa_voice | 187,832 | 13,276 | 736 | 76 | 11 | 0 | 92.93 |
viber | 157,311 | 12,098 | 424 | 81 | 9 | 0 | 92.31 |
youtubeupload | 130,326 | 10,358 | 137 | 12 | 1 | 0 | 92.05 |
dropbox | 110,884 | 9056 | 848 | 48 | 1 | 0 | 91.83 |
amqp | 27,354 | 2284 | 160 | 12 | 1 | 0 | 91.65 |
iphone | 232,616 | 21,922 | 500 | 138 | 12 | 0 | 90.58 |
skype | 708,140 | 71,068 | 3284 | 639 | 13 | 0 | 89.96 |
WebattackSQLinj | 32,264 | 3384 | 94 | 36 | 1 | 0 | 89.51 |
quic | 360,998 | 37,893 | 518 | 34 | 4 | 0 | 89.50 |
hangout | 3230 | 340 | 19 | 2 | 1 | 0 | 89.47 |
ssdp-m-search | 1653 | 174 | 19 | 2 | 1 | 0 | 89.47 |
BGP_Cisco_hdlc | 1305 | 144 | 14 | 2 | 1 | 0 | 88.97 |
dos_win98_smb_ | 10,055 | 1130 | 220 | 9 | 3 | 0 | 88.76 |
skype_unknown | 537,720 | 60,508 | 2146 | 537 | 13 | 0 | 88.75 |
netbios | 30,922 | 3546 | 260 | 24 | 2 | 0 | 88.53 |
sip | 51,847 | 5966 | 112 | 11 | 3 | 0 | 88.49 |
whatsapp_l_call | 223,130 | 26,502 | 1253 | 187 | 11 | 0 | 88.12 |
rx | 29,643 | 3641 | 132 | 18 | 1 | 0 | 87.72 |
6in4tunnel | 43,341 | 5326 | 127 | 26 | 5 | 0 | 87.71 |
android | 143,354 | 18,809 | 500 | 167 | 14 | 0 | 86.88 |
ajp | 7414 | 1020 | 38 | 10 | 2 | 0 | 86.24 |
quic_q46 | 21,721 | 3028 | 20 | 4 | 1 | 0 | 86.06 |
quic_q50 | 20,914 | 3048 | 20 | 4 | 1 | 0 | 85.43 |
ethereum | 264,111 | 39,317 | 2000 | 260 | 2 | 0 | 85.11 |
malware | 8625 | 1347 | 26 | 10 | 4 | 0 | 84.38 |
teamspeak3 | 2223 | 354 | 13 | 2 | 1 | 0 | 84.08 |
quic_q39 | 25,625 | 4131 | 60 | 4 | 1 | 0 | 83.88 |
iec60780-5-104 | 12,561 | 2034 | 147 | 24 | 1 | 0 | 83.81 |
whatsapp_login | 32,369 | 5963 | 93 | 19 | 7 | 0 | 81.58 |
whatsapp_voice_ | 34,319 | 6492 | 261 | 52 | 3 | 0 | 81.08 |
quic-mvfst-exp | 27,029 | 5272 | 30 | 4 | 1 | 0 | 80.50 |
netflowv9 | 14,128 | 2832 | 10 | 2 | 1 | 0 | 79.95 |
ftp_failed | 2132 | 476 | 18 | 4 | 1 | 0 | 77.67 |
smpp_in_general | 1552 | 347 | 17 | 4 | 1 | 0 | 77.64 |
EAQ | 26,563 | 6732 | 197 | 82 | 2 | 0 | 74.66 |
upnp | 10,248 | 2928 | 14 | 4 | 1 | 0 | 71.43 |
fuzz-2020-02 | 158,043 | 46,445 | 366 | 125 | 3 | 0 | 70.61 |
quic-29 | 9746 | 3011 | 15 | 4 | 1 | 0 | 69.11 |
quic-24 | 8360 | 3029 | 15 | 4 | 1 | 0 | 63.77 |
zabbix | 955 | 376 | 10 | 4 | 1 | 0 | 60.63 |
4in4tunnel | 970 | 388 | 5 | 2 | 1 | 0 | 60.00 |
quic-27 | 13,367 | 5664 | 20 | 4 | 1 | 0 | 57.63 |
quic-mvfst-27 | 13,367 | 5664 | 20 | 4 | 1 | 0 | 57.63 |
quic_q46_b | 7500 | 3239 | 20 | 4 | 1 | 0 | 56.81 |
fuzzing | 32,268 | 15,422 | 131 | 81 | 3 | 0 | 52.21 |
mongodb | 3388 | 1648 | 27 | 16 | 2 | 0 | 51.36 |
mssql_tds | 17,172 | 8728 | 38 | 20 | 1 | 0 | 49.17 |
malformed_dns | 6004 | 3096 | 6 | 4 | 1 | 0 | 48.43 |
quic-23 | 7671 | 3956 | 20 | 4 | 1 | 0 | 48.43 |
fuzz-2006 | 99,986 | 53,930 | 691 | 399 | 9 | 0 | 46.06 |
dnscrypt-v2-doh | 230,431 | 132,987 | 577 | 136 | 1 | 0 | 42.29 |
skype_udp | 459 | 278 | 5 | 3 | 1 | 0 | 39.43 |
teredo | 3150 | 1980 | 24 | 14 | 1 | 0 | 37.14 |
quic_t50 | 8708 | 5664 | 12 | 4 | 1 | 0 | 34.96 |
smbv1 | 1365 | 895 | 7 | 4 | 1 | 0 | 34.43 |
diameter | 2124 | 1488 | 6 | 4 | 1 | 0 | 29.94 |
websocket | 561 | 428 | 5 | 4 | 1 | 0 | 23.71 |
steam | 11,516 | 10,218 | 104 | 97 | 1 | 0 | 11.27 |
kerberos | 30,139 | 29,412 | 77 | 75 | 4 | 0 | 2.41 |
encrypted_sni | 2382 | 2382 | 3 | 3 | 1 | 0 | 0.00 |
tls-esni-fuzzed | 2382 | 2382 | 3 | 3 | 1 | 0 | 0.00 |
4in6tunnel | 2284 | 2284 | 4 | 4 | 1 | 0 | 0.00 |
mysql-8 | 463 | 463 | 4 | 4 | 1 | 0 | 0.00 |
ubntac2 | 1928 | 1928 | 8 | 8 | 1 | 0 | 0.00 |
filtered | 21,595 | 21,595 | 74 | 74 | 1 | 0 | 0.00 |
dnscrypt-v1 | 321,274 | 321,274 | 608 | 564 | 2 | 0 | 0.00 |
WebattackRCE | 210,131 | 210,131 | 797 | 797 | 2 | 0 | 0.00 |
APPNAME | REDUCED BYTES | ORIGINAL B. | REDUCED PACKET | ORIGINAL P. | REDUCTION % |
---|---|---|---|---|---|
AFP | 75.888 | 142.848 | 136 | 256 | 46.88% |
Amazon | 222.810 | 3.539.200 | 1.892 | 10.959 | 93.70% |
AmongUs | 74.772 | 187.488 | 134 | 336 | 60.12% |
Ayiya | 70.308 | 167.400 | 126 | 300 | 58.00% |
BitTorrent | 264.492 | 566.928 | 474 | 1.016 | 53.35% |
BJNP | 110.484 | 223.200 | 198 | 400 | 50.50% |
CAPWAP | 110.484 | 225.432 | 198 | 404 | 50.99% |
CiscoVPN | 90.636 | 174.456 | 166 | 318 | 48.05% |
Cloudflare | 3.432 | 57.108 | 52 | 290 | 93.99% |
COAP | 205.344 | 429.660 | 368 | 770 | 52.21% |
Collectd | 94.860 | 180.792 | 170 | 324 | 47.53% |
CPHA | 149.544 | 305.784 | 268 | 548 | 51.09% |
DHCP | 188.802 | 575.730 | 355 | 1.259 | 67.21% |
DHCPV6 | 6.178 | 238.728 | 42 | 1.624 | 97.41% |
DNS | 1.285.798 | 1.528.164 | 11.150 | 12.354 | 15.86% |
Dropbox | 118.296 | 232.128 | 212 | 416 | 49.04% |
EAQ | 162.936 | 363.816 | 292 | 652 | 55.21% |
| | 78.980 | 83.836 | 804 | 848 | 5.79% |
FTP_CONTROL | 9.736 | 27.940 | 148 | 430 | 65.15% |
Github | 8.592 | 8.986 | 92 | 96 | 4.38% |
GMail | 20.928 | 704.538 | 192 | 4.458 | 97.03% |
| | 2.274.505 | 44.542.510 | 23.970 | 142.071 | 94.89% |
GoogleServices | 115.472 | 2.215.516 | 964 | 9.062 | 94.79% |
GTP | 263.376 | 565.812 | 472 | 1.014 | 53.45% |
H323 | 159.588 | 351.540 | 286 | 630 | 54.60% |
HTTP | 799.416 | 17.123.436 | 11.300 | 59.257 | 95.33% |
HTTP_Proxy | 3.132 | 3.252 | 52 | 54 | 3.69% |
IAX | 118.296 | 241.056 | 212 | 432 | 50.93% |
ICMP | 380.064 | 6.251.658 | 4.052 | 48.536 | 93.92% |
ICMPV6 | 5.548 | 88.904 | 62 | 954 | 93.76% |
| | 74.948 | 77.950 | 484 | 512 | 3.85% |
IPsec | 279.632 | 590.996 | 500 | 1.058 | 52.68% |
IRC | 95.976 | 213.156 | 172 | 382 | 54.97% |
iSCSI | 212.040 | 449.748 | 380 | 806 | 52.85% |
Kerberos | 48.228 | 124.116 | 90 | 226 | 61.14% |
LDAP | 94.860 | 249.984 | 170 | 448 | 62.05% |
| | 15.346 | 17.774 | 144 | 168 | 13.66% |
LISP | 156.240 | 330.336 | 280 | 592 | 52.70% |
LLMNR | 149.644 | 304.968 | 282 | 588 | 50.93% |
MDNS | 213.722 | 678.891 | 416 | 2.023 | 68.52% |
Megaco | 46.872 | 103.788 | 84 | 186 | 54.84% |
Memcached | 8.052 | 15.864 | 18 | 32 | 49.24% |
Microsoft | 76.694 | 784.104 | 640 | 2.493 | 90.22% |
Microsoft365 | 5.064 | 144.776 | 44 | 314 | 96.50% |
MsSQL-TDS | 2.640 | 3.600 | 44 | 60 | 26.67% |
NetBIOS | 134.656 | 300.524 | 248 | 582 | 55.19% |
NFS | 111.600 | 243.288 | 200 | 436 | 54.13% |
NTP | 54.684 | 112.716 | 98 | 202 | 51.49% |
OpenVPN | 105.024 | 224.436 | 190 | 404 | 53.21% |
OSPF | 21.368 | 880.742 | 228 | 9.307 | 97.57% |
Playstation | 75.012 | 167.760 | 138 | 306 | 55.29% |
Radius | 213.156 | 444.168 | 382 | 796 | 52.01% |
RDP | 110.964 | 221.568 | 206 | 406 | 49.92% |
| | 9.332 | 10.292 | 88 | 96 | 9.33% |
RemoteScan | 190.836 | 379.440 | 342 | 680 | 49.71% |
RTSP | 45.756 | 100.440 | 82 | 180 | 54.44% |
RX | 8.928.188 | 25.862.372 | 16.002 | 46.350 | 65.48% |
sFlow | 131.688 | 280.116 | 236 | 502 | 52.99% |
SIP | 245.320 | 512.044 | 446 | 924 | 52.09% |
SMBv1 | 1.458 | 16.524 | 6 | 68 | 91.18% |
SMBv23 | 9.192 | 12.360 | 152 | 204 | 25.63% |
SOCKS | 64.092 | 141.096 | 122 | 260 | 54.58% |
SOMEIP | 386.136 | 850.392 | 692 | 1.524 | 54.59% |
SSDP | 169.968 | 230.160 | 418 | 766 | 26.15% |
SSH | 254.024 | 7.116.608 | 3.406 | 46.888 | 96.43% |
Starcraft | 90.396 | 196.416 | 162 | 352 | 53.98% |
Syslog | 128.340 | 262.260 | 230 | 470 | 51.06% |
TeamViewer | 116.064 | 247.752 | 208 | 444 | 53.15% |
Telnet | 7.080 | 8.520 | 118 | 142 | 16.90% |
Teredo | 107.136 | 234.360 | 192 | 420 | 54.29% |
TFTP | 51.336 | 109.368 | 92 | 196 | 53.06% |
TINC | 100.440 | 223.200 | 180 | 400 | 55.00% |
TLS | 229.370 | 16.020.578 | 2.900 | 35.105 | 98.57% |
| | 12.500 | 12.828 | 132 | 136 | 2.56% |
UBNTAC2 | 106.020 | 233.244 | 190 | 418 | 54.55% |
UbuntuONE | 7.114 | 3.997.352 | 80 | 3.252 | 99.82% |
VHUA | 80.352 | 181.908 | 144 | 326 | 55.83% |
Viber | 686.340 | 1.487.628 | 1.230 | 2.666 | 53.86% |
VMware | 217.620 | 501.084 | 390 | 898 | 56.57% |
Wikipedia | 24.352 | 26.832 | 280 | 296 | 9.24% |
WireGuard | 112.716 | 255.564 | 202 | 458 | 55.90% |
Xbox | 229.896 | 510.012 | 412 | 914 | 54.92% |
XDMCP | 100.440 | 213.156 | 180 | 382 | 52.88% |
YouTube | 14.960 | 15.360 | 92 | 96 | 2.60% |
APPNAME | REDUCED BYTES | ORIGINAL B. | REDUCED PACKET | ORIGINAL P. | REDUCTION % |
---|---|---|---|---|---|
Amazon | 49.814 | 3.358.944 | 752 | 9.755 | 98.52% |
CiscoVPN | 240 | 360 | 4 | 6 | 33.33% |
Cloudflare | 3.432 | 57.108 | 52 | 290 | 93.99% |
FTP_CONTROL | 9.612 | 27.816 | 146 | 428 | 65.44% |
| | 556.515 | 42.745.086 | 7.630 | 124.991 | 98.70% |
HTTP | 796.644 | 17.120.664 | 11.256 | 59.213 | 95.35% |
HTTP_Proxy | 240 | 360 | 4 | 6 | 33.33% |
ICMP | 532 | 1.024 | 6 | 12 | 48.05% |
Microsoft365 | 264 | 20.034 | 4 | 40 | 98.68% |
MsSQL-TDS | 2.640 | 3.600 | 44 | 60 | 26.67% |
Playstation | 240 | 360 | 4 | 6 | 33.33% |
RDP | 480 | 600 | 8 | 10 | 20.00% |
SMBv23 | 8.700 | 11.868 | 144 | 196 | 26.69% |
SSH | 253.900 | 7.116.484 | 3.404 | 46.886 | 96.43% |
Telnet | 6.600 | 8.040 | 110 | 134 | 17.91% |
TLS | 223.754 | 16.014.962 | 2.808 | 35.013 | 98.60% |
UbuntuONE | 1.510 | 3.991.232 | 20 | 3.188 | 99.96% |
REDUCTION RATIO | 82% |
REDUCTION FACTOR | 5.5 |
DETECTION RATE | 84% |
REDUCTION RATIO | 97.88% |
REDUCTION FACTOR | 47.16 |
DETECTION RATE | 95% |
REDUCTION RATIO | 84.73% |
REDUCTION FACTOR | 6.5 |
DETECTION RATE | 99.83% |
© 2021 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).
Butun, I.; Tuncel, Y.K.; Oztoprak, K. Application Layer Packet Processing Using PISA Switches. Sensors 2021, 21, 8010. https://doi.org/10.3390/s21238010