On Offloading Network Forensic Analytics to Programmable Data Plane Switches,
Authors: Friday, Kurt; Bou-Harb, Elias; Crichigno, Jorge; Scanlon, Mark and Beebe, Nicole
Publication Date: September 2021
Publication Name: Book Series: World Scientific Series in Digital Forensics and Cybersecurity,
The extent to which cyber crimes are now being executed has reached a frequency that has never been observed before. To detect these events and extract relevant network artifacts for investigations, network forensics has long been the de-facto approach. However, the time and data storage necessary to perform traditional forensic procedures has put investigators at odds, often resulting in substantial artifact extraction latency and poor incident response. To mitigate what have now become inherent pitfalls for the forensics community, we propose a novel means of transforming network forensics to a procedure that functions at line rate, while the event of interest is taking place, by harnessing the new-found programmable switch technology. Amid the prevailing cybercrime themes dominating today’s headlines are Distributed Denial of Service (DDoS) activities and the misuse of Internet of Things (IoT) devices. To this end, we implement two switch-based use cases for conducting the relevant network forensics associated with each of these classes of misdemeanors, respectively. In particular, the first use case employs dynamic thresholds generated from real-time artifact statistics extracted by the switch to infer contemporary DDoS attacks. The empirical results confirm that the proposed approach mitigates UDP amplification at line rate and SYN flooding attacks within a fraction of a second. Moreover, the complete remediation time of slow DDoS is reduced from near 10 seconds down to 2 seconds. The second use case instruments the switch with a rule-based Projective Adaptive Resonance Theory (PART) algorithm to accurately fingerprinting the origin IoT device of network traffic from a single TCP packet at line rate. We also provide a methodology for automating the translation of such rule-based Machine Learning (ML) output to P4 programs, thereby enabling its deployment without the need for additional background expertise. The proposed fingerprinting engine was evaluated against a dataset consisting of devices of both IoT and non-IoT in nature. The results indicate that such devices can be fingerprinted with 99% accuracy. It is our hope that the research undertaken herein not only aids in the conducting of efficient and effective network forensic procedures associated with DDoS attacks and IoT devices but also in promoting the utilization of programmable switches in future forensic research endeavors. Furthermore, we expect that the proposed approach’s automated translation of rule-based classifiers into P4 code will provoke the subsequent harnessing of ML’s pattern recognition abilities for enhancing a number of other network forensic tasks on the switch.