
Author: Lin, Yu-Hsiang (林郁翔)
Title: Detection of DDoS Attack by Random Forest Using Programmable Commodity P4 Switches (基於商用可程式化P4交換機使用隨機森林偵測分散式阻斷攻擊)
Advisor: Chang, Yeim-Kuan (張燕光)
Degree: Master
Department: Department of Computer Science and Information Engineering, College of Electrical Engineering and Computer Science
Year of publication: 2022
Academic year of graduation: 110 (ROC calendar)
Language: English
Pages: 62
Chinese keywords: Software-Defined Networking, P4, Programmable Switch, Distributed Denial of Service, Machine Learning, Random Forest, TNA, Encoding, PPC
Keywords: Software-Defined Networking (SDN), P4, Programmable Switch, Distributed Denial of Service (DDoS), Machine Learning, Random Forest, Tofino Native Architecture (TNA), Range-Encoding, PPC
    Abstract (Chinese, translated):
    Distributed denial-of-service (DDoS) attacks make services inaccessible. To reduce the losses caused by DDoS, we must detect DDoS attacks as early as possible. Machine learning can be used to determine whether a packet flow is attack traffic or normal traffic. We therefore try to deploy a machine learning model on the switch, so that attack packets are stopped before they reach the user.
    We choose Random Forest as our machine learning method for classifying packets, because a Random Forest model requires less computation than other machine learning classification methods. Classification with a Random Forest model needs only a few numeric comparisons, unlike other methods (for example support vector machines and the k-nearest-neighbour algorithm) that need many additions, subtractions, multiplications and divisions to obtain a result.
    In this thesis, we first train a Random Forest on the publicly available UNSW-NB15 dataset, and then implement the resulting model on a programmable switch. The packet-processing logic of a switch can now be implemented in P4, so we write a P4 program to detect DDoS attacks. We write the P4 program against the Tofino Native Architecture (TNA) proposed by Intel, and use the P4 Studio SDE to compile the program and simulate its behaviour. So that P4 programs can run efficiently on physical commercial switches, TNA imposes more restrictions on developers than the PISA architecture originally proposed by the P4 community. Because of these restrictions, developers who previously used BMv2 as their simulator face a certain amount of difficulty. By comparing the differences between the two, we also propose some approaches that make it easier for BMv2 developers to get started. We propose two methods for converting a Random Forest model onto a Tofino switch, and we use Range Encoding and Parallel Packet Classification (PPC) to reduce the number of rules on the switch, thereby reducing the memory used by the existing approach.

    Abstract:
    To reduce the damage caused by DDoS, we need to detect DDoS attacks as soon as possible. Machine learning is a good way to classify the packet flows in a network as normal or attack. Therefore, in this thesis, we implement a machine learning method on the switches to protect users from DDoS attacks. We choose Random Forest as the classification method because a Random Forest model needs less computation than other machine learning classification methods. In a Random Forest model we only need to perform comparison operations, instead of the multiplication and division operations needed in other methods such as SVM and KNN.
    We first train a Random Forest model on the UNSW-NB15 dataset to classify each flow as attack or normal. Then we implement the Random Forest model on the programmable switch. Programming Protocol-independent Packet Processors (P4) programs control the packet processing in a switch, so we write P4 code to detect DDoS attacks. We use the P4 Studio SDE to compile our code for the Tofino Native Architecture (TNA) and to simulate it on the software switch. TNA is designed to fit the commodity switch ASIC; its constraints force us to write efficient code so that the switch performs well. We propose two methods to map the Random Forest model onto the Tofino switch. We reduce the number of rules of the existing method by range encoding and Parallel Packet Classification (PPC), so that memory consumption is reduced. We also describe how packet features are parsed on Tofino.

    Table of contents:
    Abstract (Chinese)
    Abstract
    Acknowledgements
    Table of Contents
    List of Tables
    List of Figures
    Chapter 1 Introduction
      1.1 Introduction
      1.2 Organization of the Thesis
    Chapter 2 Background
      2.1 Software-Defined Networking (SDN)
      2.2 Programming Protocol-independent Packet Processors (P4)
        2.2.1 P4_16 Protocol Independent Switch Architecture (PISA)
        2.2.2 Tofino Native Architecture (TNA)
        2.2.3 P4 Studio SDE
      2.3 Network Operating System (NOS)
      2.4 Distributed Denial of Service (DDoS)
      2.5 DDoS Dataset
        2.5.1 UNSW-NB15 [31]–[34]
        2.5.2 CICDDoS2019
      2.6 Random Forest
        2.6.1 Decision Tree
        2.6.2 Random Forest
      2.7 Range Encoding
        2.7.1 Buddy Code
        2.7.2 Binary Reflected Gray Code (BRGC)
        2.7.3 Direct compression of consecutive codes
        2.7.4 Parallel Packet Classification (PPC) [46]
    Chapter 3 Related Work
      3.1 pForest [47]
      3.2 SwitchTree [48]
      3.3 IIsy [49]
      3.4 Planter [50], [51]
    Chapter 4 Proposed scheme
      4.1 Overview
      4.2 Features Selection
      4.3 Organizing dataset & Training model
      4.4 Convert the Random Forest Model to Match-Action rules
        4.4.1 Direct-Mapping Method
        4.4.2 Encoding Method
      4.5 Features Computation in Data Plane
        4.5.1 Time-based Features
        4.5.2 Length-based Features
        4.5.3 Feature Comparison
        4.5.4 Feature Storage
      4.6 Random Forest on P4 switch
        4.6.1 Forwarding
        4.6.2 Check Direction
        4.6.3 Hashing Index
        4.6.4 Features Extraction
        4.6.5 Classify
        4.6.6 Processing Attack
    Chapter 5 Experimental Results
      5.1 Experimental Environment
      5.2 Definition of accuracy
      5.3 Experimental Results
        5.3.1 Accuracy of Random Forest
        5.3.2 Number of Forwarding Rules
    Chapter 6 Conclusion
    References

    References:
    [1] S. T. Zargar, J. Joshi, and D. Tipper, “A survey of defense mechanisms against distributed denial of service (DDoS) flooding attacks,” IEEE Communications Surveys and Tutorials, vol. 15, no. 4, pp. 2046–2069, 2013, doi: 10.1109/SURV.2013.031413.00127.
    [2] “Four years after the Dyn DDoS attack, critical DNS dependencies have only gone up | ZDNet.” https://www.zdnet.com/article/four-years-after-the-dyn-ddos-attack-critical-dns-dependencies-have-only-gone-up/ (accessed Aug. 07, 2022).
    [3] “Friday’s East Coast Internet Outage Is a Major DDOS Attack | WIRED.” https://www.wired.com/2016/10/internet-outage-ddos-dns-dyn/ (accessed Aug. 07, 2022).
    [4] “DDoS attack takes out Melbourne IT DNS servers - ARN.” https://www.arnnet.com.au/article/617665/ddos-attack-takes-melbourne-it-dns-servers/ (accessed Aug. 07, 2022).
    [5] “February 28th DDoS Incident Report | The GitHub Blog.” https://github.blog/2018-03-01-ddos-incident-report/ (accessed Aug. 08, 2022).
    [6] “Memcrashed - Major amplification attacks from UDP port 11211.” https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/ (accessed Aug. 08, 2022).
    [7] C. Rossow, “Amplification Hell: Revisiting Network Protocols for DDoS Abuse,” NDSS’14, Feb. 2014, Accessed: Aug. 07, 2022. [Online]. Available: http://dx.doi.org/
    [8] “NETSCOUT Arbor Confirms 1.7 Tbps DDoS Attack | NETSCOUT.” https://www.netscout.com/blog/asert/netscout-arbor-confirms-17-tbps-ddos-attack-terabit-attack-era (accessed Aug. 08, 2022).
    [9] “AWS Shield Threat Landscape report is now available | AWS Security Blog.” https://aws.amazon.com/tw/blogs/security/aws-shield-threat-landscape-report-now-available/ (accessed Aug. 08, 2022).
    [10] “CLDAP Protocol Allows DDoS Attacks with 70x Amplification Factor.” https://www.bleepingcomputer.com/news/security/cldap-protocol-allows-ddos-attacks-with-70x-amplification-factor/ (accessed Aug. 08, 2022).
    [11] “Massive DDoS Attack Disrupts Belgium Parliament | Threatpost.” https://threatpost.com/ddos-disrupts-belgium/165911/ (accessed Aug. 08, 2022).
    [12] “DISTRIBUTED DENIAL-OF-SERVICE (DDoS) ATTACKS: AN ECONOMIC PERSPECTIVE,” NSFOCUS. https://nsfocusglobal.com/wp-content/uploads/2017/01/Distributed_Denial_of_Service_Attacks__An_Economic_Perspective__Whitepaper.pdf (accessed Aug. 08, 2022).
    [13] P. Bosshart et al., “P4: Programming protocol-independent packet processors,” Computer Communication Review, vol. 44, no. 3, pp. 87–95, 2014, doi: 10.1145/2656877.2656890.
    [14] “Drive Programmable Networking Innovation with Intel® P4 Studio.” https://www.intel.com/content/www/us/en/products/network-io/programmable-ethernet-switch/p4-suite/p4-studio.html (accessed Aug. 10, 2022).
    [15] “Open-Tofino/PUBLIC_Tofino-Native-Arch.pdf at master · barefootnetworks/Open-Tofino.” https://github.com/barefootnetworks/Open-Tofino/blob/master/PUBLIC_Tofino-Native-Arch.pdf (accessed Aug. 13, 2022).
    [16] N. McKeown et al., “OpenFlow: Enabling Innovation in Campus Networks,” ACM SIGCOMM Computer Communication Review, vol. 38, no. 2, pp. 69–74, Mar. 2008, doi: 10.1145/1355734.1355746.
    [17] “P4_16 Language Specification.” https://p4.org/p4-spec/docs/P4-16-v1.0.0-spec.html (accessed Jul. 25, 2022).
    [18] “P4_16 Portable Switch Architecture (PSA).” https://p4.org/p4-spec/docs/PSA.html (accessed Jul. 25, 2022).
    [19] “p4lang/behavioral-model: The reference P4 software switch.” https://github.com/p4lang/behavioral-model (accessed Jul. 25, 2022).
    [20] B. Lantz, B. Heller, and N. Mckeown, “A Network in a Laptop: Rapid Prototyping for Software-Defined Networks,” Proceedings of the Ninth ACM SIGCOMM Workshop on Hot Topics in Networks - Hotnets ’10, doi: 10.1145/1868447.
    [21] “p4lang/tutorials: P4 language tutorials.” https://github.com/p4lang/tutorials (accessed Jul. 26, 2022).
    [22] “nsg-ethz/p4-learning: Compilation of P4 exercises, examples, documentation, slides for learning or teaching.” https://github.com/nsg-ethz/p4-learning (accessed Jul. 26, 2022).
    [23] J. W. Lockwood et al., “NetFPGA - An open platform for gigabit-rate network switching and routing,” Proceedings - MSE 2007: 2007 IEEE International Conference on Microelectronic Systems Education: Educating Systems Designers for the Global Economy and a Secure World, pp. 160–161, 2007, doi: 10.1109/MSE.2007.69.
    [24] S. Ibanez, G. Brebner, N. Mckeown, and N. Zilberman, “The P4→NetFPGA Workflow for Line-Rate Packet Processing,” Proceedings of the 2019 ACM/SIGDA International Symposium on Field-Programmable Gate Arrays, 2019, doi: 10.1145/3289602.
    [25] T. Høiland-Jørgensen et al., “The eXpress Data Path: Fast Programmable Packet Processing in the Operating System Kernel,” Proceedings of the 14th International Conference on emerging Networking EXperiments and Technologies, vol. 18, p. 13, doi: 10.1145/3281411.
    [26] “vmware/p4c-xdp: Backend for the P4 compiler targeting XDP.” https://github.com/vmware/p4c-xdp (accessed Jul. 25, 2022).
    [27] “Barefoot Networks may have built the world’s fastest networking switch chip | Computerworld.” https://www.computerworld.com/article/3083761/barefoot-networks-may-have-built-the-worlds-fastest-networking-switch-chip.html (accessed Sep. 10, 2022).
    [28] “Open Network Linux.” http://opennetlinux.org/ (accessed Aug. 10, 2022).
    [29] “sonic-net/SONiC: Landing page for Software for Open Networking in the Cloud (SONiC) - https://sonic-net.github.io/SONiC/.” https://github.com/sonic-net/SONiC (accessed Aug. 10, 2022).
    [30] “openargus - Home.” https://openargus.org/ (accessed Aug. 03, 2022).
    [31] N. Moustafa and J. Slay, “UNSW-NB15: A comprehensive data set for network intrusion detection systems (UNSW-NB15 network data set),” 2015 Military Communications and Information Systems Conference, MilCIS 2015 - Proceedings, Dec. 2015, doi: 10.1109/MILCIS.2015.7348942.
    [32] N. Moustafa and J. Slay, “The evaluation of Network Anomaly Detection Systems: Statistical analysis of the UNSW-NB15 data set and the comparison with the KDD99 data set,” Information Security Journal: A Global Perspective, vol. 25, no. 1–3, pp. 18–31, Apr. 2016, doi: 10.1080/19393555.2015.1125974.
    [33] N. Moustafa, J. Slay, and G. Creech, “Novel Geometric Area Analysis Technique for Anomaly Detection Using Trapezoidal Area Estimation on Large-Scale Networks,” IEEE Trans Big Data, vol. 5, no. 4, pp. 481–494, Jun. 2017, doi: 10.1109/TBDATA.2017.2715166.
    [34] N. Moustafa, G. Creech, and J. Slay, “Big Data Analytics for Intrusion Detection System: Statistical Decision-Making Using Finite Dirichlet Mixture Models,” pp. 127–156, 2017, doi: 10.1007/978-3-319-59439-2_5.
    [35] “PerfectStorm | Keysight.” https://www.keysight.com/tw/zh/products/network-test/network-test-hardware/perfectstorm.html (accessed Aug. 03, 2022).
    [36] “Home | TCPDUMP & LIBPCAP.” https://www.tcpdump.org/ (accessed Aug. 03, 2022).
    [37] “The Zeek Network Security Monitor.” https://zeek.org/ (accessed Aug. 03, 2022).
    [38] I. Sharafaldin, A. H. Lashkari, S. Hakak, and A. A. Ghorbani, “Developing realistic distributed denial of service (DDoS) attack dataset and taxonomy,” Proceedings - International Carnahan Conference on Security Technology, vol. 2019-October, Oct. 2019, doi: 10.1109/CCST.2019.8888419.
    [39] “CICFlowMeter: CICFlowmeter-V4.0 (formerly known as ISCXFlowMeter) is a network traffic Bi-flow generator and analyzer for anomaly detection that has been used in many Cybersecurity datsets such as Android Adware-General Malware dataset (CICAAGM2017), IPS/IDS dataset (CICIDS2017), Android Malware dataset (CICAndMal2017) and Distributed Denial of Service (CICDDoS2019).” https://github.com/CanadianInstituteForCybersecurity/CICFlowMeter (accessed Aug. 14, 2022).
    [40] L. Breiman, J. H. Friedman, R. A. Olshen, and C. J. Stone, “Classification and regression trees,” Classification and Regression Trees, p. 368, 1984, doi: 10.1201/9781315139470/CLASSIFICATION-REGRESSION-TREES-LEO-BREIMAN-JEROME-FRIEDMAN-RICHARD-OLSHEN-CHARLES-STONE.
    [41] F. Pedregosa et al., “Scikit-learn: Machine Learning in Python,” Journal of Machine Learning Research, vol. 12, no. 85, pp. 2825–2830, 2011, [Online]. Available: http://jmlr.org/papers/v12/pedregosa11a.html
    [42] T. K. Ho, “Random decision forests,” Proceedings of the International Conference on Document Analysis and Recognition, ICDAR, vol. 1, pp. 278–282, 1995, doi: 10.1109/ICDAR.1995.598994.
    [43] Y. K. Chang, C. C. Su, Y. C. Lin, and S. Y. Hsieh, “Efficient gray-code-based range encoding schemes for packet classification in TCAM,” IEEE/ACM Transactions on Networking, vol. 21, no. 4, pp. 1201–1214, 2013, doi: 10.1109/TNET.2012.2220566.
    [44] B. Schieber, D. Geist, and A. Zaks, “Computing the minimum DNF representation of Boolean functions defined by intervals,” Discrete Appl Math (1979), vol. 149, no. 1–3, pp. 154–173, Aug. 2005, doi: 10.1016/J.DAM.2004.08.009.
    [45] A. Bremler-Barr and D. Hendler, “Space-efficient TCAM-based classification using Gray coding,” IEEE Transactions on Computers, vol. 61, no. 1, pp. 18–30, 2012, doi: 10.1109/TC.2010.267.
    [46] J. van Lunteren and T. Engbersen, “Fast and scalable packet classification,” IEEE Journal on Selected Areas in Communications, vol. 21, no. 4, pp. 560–571, May 2003, doi: 10.1109/JSAC.2003.810527.
    [47] C. Busse-Grawitz, R. Meier, A. Dietmüller, T. Bühler, and L. Vanbever, “pForest: In-Network Inference with Random Forests,” Sep. 2019, doi: 10.48550/arxiv.1909.05680.
    [48] J. H. Lee and K. Singh, “SwitchTree: in-network computing and traffic analyses with Random Forests,” Neural Computing and Applications 2020, pp. 1–12, Nov. 2020, doi: 10.1007/S00521-020-05440-2.
    [49] Z. Xiong and N. Zilberman, “Do Switches Dream of Machine Learning? Toward In-Network Classification,” Proceedings of the 18th ACM Workshop on Hot Topics in Networks, 2019, doi: 10.1145/3365609.
    [50] C. Zheng and N. Zilberman, “Planter: Seeding Trees Within Switches,” Proceedings of the SIGCOMM ’21 Poster and Demo Sessions, pp. 12–14, Aug. 2021, doi: 10.1145/3472716.
    [51] C. Zheng et al., “Automating In-Network Machine Learning,” May 2022, doi: 10.48550/arxiv.2205.08824.
    [52] S. Laki, R. Stoyanov, D. Kis, R. Soulé, P. Vörös, and N. Zilberman, “P4Pi,” ACM SIGCOMM Computer Communication Review, vol. 51, no. 3, pp. 17–21, Jul. 2021, doi: 10.1145/3477482.3477486.
    [53] C. Zheng et al., “IIsy: Practical In-Network Classification,” May 2022, doi: 10.48550/arxiv.2205.08243.
    [54] M. Karnaugh, “The map method for synthesis of combinational logic circuits,” Transactions of the American Institute of Electrical Engineers, Part I: Communication and Electronics, vol. 72, no. 5, pp. 593–599, Jul. 2013, doi: 10.1109/TCE.1953.6371932.
    [55] “Edgecore Networks.” https://www.edge-core.com/tw/index.php (accessed Aug. 14, 2022).

    Full text available on campus: 2027-09-15
    Full text available off campus: 2027-09-15
    The electronic thesis has not yet been authorized for public release; for the print copy, consult the library catalogue.