CATS Working Group                                              M. Li
Internet-Draft                                                H. Zhou
Intended status: Proposed Standard                            S. Deng
Expires: June 13, 2024                                        W. Wang
                                          Beijing Jiaotong University

              Computing-aware Traffic Steering for attack detection
                       draft-li-cats-attack-detection-00

Abstract

   This document describes a closed-loop framework for computing-aware
   traffic steering for attack detection (CATS-AD). The computing-aware
   traffic steering path is determined by composing selected service
   instances and overlay links. The service instances are selected
   according to their computing power. This document describes the
   closed-loop framework for attack detection and how to select and
   combine service instances to form a computing-aware service function
   chain (SFC).

Status of this Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

  This Internet-Draft will expire on June 13, 2023.

Copyright Notice

  Copyright (c) 2023 IETF Trust and the persons identified as the 
  document authors. All rights reserved.

Li, et al.            Expires June 13, 2024                [Page 1]

Internet-Draft   Attack detection     October 2023

  This document is subject to BCP 78 and the IETF Trust's Legal 
  Provisions Relating to IETF Documents 
  (https://trustee.ietf.org/license-info) in effect on the date of 
  publication of this document. Please review these documents 
  carefully, as they describe your rights and restrictions with respect 
  to this document. Code Components extracted from this document must  
  include Revised BSD License text as described in Section 4.e of 
  the Trust Legal Provisions and are provided without warranty as  
  described in the Revised BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Terminology . . . . . . . . . . . . . . . . . . . . . . . . .   3
   3.  CATS-AD Framework and Components  . . . . . . . . . . . . . .   4
     3.1.  Service Sites and Service Instances . . . . . . . . . . .   5
     3.2.  CATS-Network Metric Agent (C-NMA) . . . . . . . . . . . .   5
     3.3.  CATS-Path Selector (C-PS) . . . . . . . . . . . . . . . .   6
     3.4.  CATS Service Instances Manager (C-SM) . . . . . . . . . .   6
     3.5.  CATS Manager (CM) . . . . . . . . . . . . . . . . . . . .   6
     3.6.  CATS Classifier (CC)  . . . . . . . . . . . . . . . . . .   6
   4.  CATS-AD Framework Workflow  . . . . . . . . . . . . . . . . .   7
   5.  Security Considerations . . . . . . . . . . . . . . . . . . .   8
   6.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   9
   7.  References  . . . . . . . . . . . . . . . . . . . . . . . . .   9
     7.1.  Normative References  . . . . . . . . . . . . . . . . . .   9
     7.2.  Informative References  . . . . . . . . . . . . . . . . .   9
   8.  Acknowledgments . . . . . . . . . . . . . . . . . . . . . . .   9
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  10

1. Introduction

   In this document, the computing power of a service instance includes
   the instance's detection results, traffic features, and resource
   usage status. In the CATS-AD framework, the CATS path selector
   (C-PS) selects service instances based on their computing power,
   forms computing-aware high-level branching path policies, and sends
   them to the CATS service instances manager (C-SM). The C-SM
   translates the high-level branching path policies into low-level
   branching path policies and sends them to the CATS manager (CM),
   which transforms the low-level branching path policies into flow
   tables and delivers the flow tables to the CATS classifier (CC) and
   the service instances. According to the received flow tables, the
   service instances are connected sequentially to form computing-aware
   service function chains (SFCs)
   [I-D. ietf-cats-computing-aware-sfc-usecase].

   The computing-aware service instances in the computing-aware SFCs
   include various malicious traffic detection modules and a firewall,
   which are used to detect different types of malicious traffic, such
   as DDoS attacks. The traffic is first directed into the
   computing-aware SFC through the CC and then passes sequentially
   through the selected computing-aware service instances to complete
   attack detection. Based on the computing power, the C-PS adjusts the
   branching path policies to improve the malicious traffic detection
   capability. Thus, the framework forms a closed-loop architecture.
   This document mainly introduces the closed-loop CATS-AD framework
   and how to select and combine service instances based on their
   computing power.

2. Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in BCP 14 [RFC2119]
   [RFC8174].

   This document makes use of the following terms:

   Computing-Aware Traffic Steering for Attack Detection (CATS-AD): A
   traffic engineering approach [I-D. ietf-cats-framework-03] that
   considers detection results, traffic features, and resource usage
   status to optimize computing-aware service function chains (SFCs)
   for various security requirements.

   Service instance: A computing-aware security module that typically
   runs in a service site. Different service sites have different
   detection capabilities and apply to various types of attacks, such
   as DDoS attacks.

   Service site: A service site consists of a service instance and a
   CATS-forwarder, and is required to provide security services.

   CATS-forwarder: A network device that directs traffic to different
   service sites in the correct order.

   CATS-Network Metric Agent (C-NMA): A functional entity responsible
   for collecting computing power information, which includes detection
   results and resource usage status, and for reporting it to a CATS
   path selector (C-PS).

   CATS path selector (C-PS): A computational logic that selects and
   combines service instances and generates branching path information
   based on the detection results, traffic features, and resource usage
   status. Subsequently, the path information can be delivered to both
   the CATS service instances manager (C-SM) and the CATS Manager (CM)
   for the creation of the flow tables.

   CATS service instances manager (C-SM): An entity that controls and
   manages service instances and translates a high-level branching path
   policy into the corresponding low-level path policy.

   CATS Manager (CM): An entity that receives the path information of a
   low-level policy and updates the flow tables. Based on the flow
   tables, the CM decides how to modify the original rules for incoming
   new traffic to guide attack traffic detection.

   CATS classifier (CC): An entity that is responsible for guiding
   packets along a computing-aware SFC and deciding at which destination
   host packets arrive.

3. CATS-AD Framework and Components

   Faced with attackers' traffic requests, CATS-AD provides
   computing-aware SFCs on demand to meet security requirements based
   on detection results, traffic features, and resource usage status.
   The main CATS-AD functional elements and their interactions are
   shown in Figure 1.

+------------------------------------------------------------------+
|   +---------+     +---------+     +---------+     +---------+    |
|   |         |     |         |     |         |     |         |    |
|   |  C-NMA  +---->+  C-PS   +---->+  C-SM   +---->+   CM    |    |
|   |         |     |         |     |         |     |         |    |
|   +---------+     +-------+-+     +-------+-+     +---------+    |
+-------+-------------------|---------------|----------------------+
        ^                   |               |
        |                   v               v
+-------+-------------------+---------------+----------------------+
|                                                    +-----------+ |
| +-----------+   +-------------+  +-------------+   |Destination| |
| |Attack host|   | +---------+ |  | +---------+ |   |    host   | |
| +----+------+   | |  CATS   | |  | |  CATS   | |   +----+------+ |
|      |          | |Forwarder| |  | |Forwarder| |        ^        |
| +----v-----+    | +---------+ |  | +---------+ |  +-----+------+ |
| |Ingress CC|    | +---------+ +->+ +---------+ |  | Egress CC  | |
| +----+-----+    | | Service | |  | | Service | |  +-----+------+ |
|      |          | | instance| |  | | instance| |        ^        |
+------v-------+  | | (BCSM)  | |  | | (ACSM)  | |  +--------------+
|| +---------+ +->+ +---------+ |  | +---------+ +->+ +---------+ ||
|| |  CATS   | |  +-------------+  +-------------+  | |  CATS   | ||
|| |Forwarder| |                                    | |Forwarder| ||
|| +---------+ |  +-------------+  +-------------+  | +---------+ ||
|| +---------+ |  | +---------+ |  | +---------+ |  | +---------+ ||
|| | Service | |  | |  CATS   | |  | |  CATS   | |  | | Service | ||
|| | instance| |  | |Forwarder| |  | |Forwarder| |  | | instance| ||
|| | (LCSM)  | +->+ +---------+ +->+ +---------+ +->+ | Firewall| ||
|| +---------+ |  | +---------+ |  | +---------+ |  | +---------+ ||
+--------------+  | | Service | |  | | Service | |  +--------------+
| Service site    | | instance| |  | | instance| |   Service site  |
|                 | | (DCSM)  | |  | | (NCSM)  | |                 |
|                 | +---------+ |  | +---------+ |                 |
|                 +-------------+  +-------------+                 |
|                  Service site     Service site                   |
+------------------------------------------------------------------+
                 Figure 1: CATS-AD Functional Components

3.1 Service Sites and Service Instances

   A service site consists of CATS-forwarders and service instances.
   The CATS-forwarders direct traffic to different service sites in the
   correct order. The service instances host specific network functions
   or services; these network functions typically run in a virtualized
   manner (i.e., in containers). The containers contain one or more
   specific service instances, such as computing-aware security
   modules. The service instances include the low-rate attack
   computing-aware security module (LCSM), the application
   computing-aware security module (ACSM), the botnet computing-aware
   security detection module (BCSM), the network attack computing-aware
   security module (NCSM), the DRDoS computing-aware security module
   (DCSM), and the firewall. The LCSM detects slow body, shrew, slow
   headers, and slow read attacks. The ACSM detects CC, HTTP-Get,
   HTTP-Post, and HTTP-Flood attacks. The BCSM detects Ares, Byob,
   Mirai, and Zeus attacks. The NCSM detects ACK, UDP, and SYN attacks.
   The DCSM detects TFTP, SSDP, NTP, and Chargen attacks. The firewall
   inspects packet payloads and decides whether to forward or discard
   the packets. The service sites receive the low-level branching path
   policy from the C-SM and use it to configure the service site to
   implement traffic detection.


3.2 CATS-Network Metric Agent (C-NMA)

   The C-NMA is a functional component that gathers computing power
   information. The computing power information includes service
   instances' detection results, traffic features, and resource usage
   status [I-D. ietf-i2nsf-intelligent-detection-00]. The service
   instances' detection results reflect the detection performance of
   the detection module, such as the service instances' accuracy,
   precision, and recall. The traffic features are network traffic
   attributes that aid in anomaly detection and security analysis; they
   include packet rate, average packet length, source IP entropy, and
   destination port entropy. The resource usage status reflects the
   performance of the computing-aware SFCs; it includes CPU utilization
   rate, memory utilization rate, TTL entropy, and packets variance.
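   The following is an added example, not part of this draft, showing
   how a C-NMA might compute the computing power information listed
   above from a window of observed packets and from a service
   instance's confusion matrix. The packet records, the confusion
   matrix, the report field names and the reading of "packets
   variance" as the variance of packet lengths are assumptions of the
   example, not definitions from the draft.

```python
# Added example; not part of the draft. A minimal C-NMA-style report builder
# for the computing power information of Section 3.2: traffic features
# (packet rate, average packet length, source IP entropy, destination port
# entropy), resource usage status (CPU and memory utilization, TTL entropy,
# and "packets variance", taken here as the variance of packet lengths), and
# detection results (accuracy, precision, recall). The packet records, the
# confusion matrix and all field names are constructed assumptions.
import math
from collections import Counter
from statistics import pvariance

# Constructed packet window: (timestamp_s, src_ip, dst_port, length, ttl)
PACKETS = [
    (0.00, "10.0.0.1", 80, 1200, 64),
    (0.10, "10.0.0.2", 80, 1300, 64),
    (0.20, "10.0.0.1", 443, 60, 128),
    (0.30, "10.0.0.3", 53, 80, 64),
    (0.40, "10.0.0.1", 80, 1500, 64),
    (0.50, "10.0.0.4", 80, 60, 32),
]


def entropy(values):
    """Shannon entropy in bits of the empirical distribution of the values."""
    counts = Counter(values)
    total = sum(counts.values())
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def traffic_features(packets):
    """Traffic features of one observation window (the Section 3.2 list)."""
    if not packets:
        return {}
    timestamps = [p[0] for p in packets]
    lengths = [p[3] for p in packets]
    window = max(timestamps) - min(timestamps)
    return {
        # a single-packet window has no duration; report the count itself
        "packet_rate": len(packets) / window if window > 0 else float(len(packets)),
        "avg_packet_length": sum(lengths) / len(lengths),
        "src_ip_entropy": entropy(p[1] for p in packets),
        "dst_port_entropy": entropy(p[2] for p in packets),
    }


def resource_usage(packets, cpu_util, mem_util):
    """Resource usage status: utilization rates plus the packet-derived
    TTL entropy and packet-length variance named in Section 3.2."""
    lengths = [p[3] for p in packets]
    return {
        "cpu_utilization": cpu_util,
        "memory_utilization": mem_util,
        "ttl_entropy": entropy(p[4] for p in packets) if packets else 0.0,
        "packets_variance": pvariance(lengths) if len(lengths) > 1 else 0.0,
    }


def detection_results(tp, fp, tn, fn):
    """Accuracy, precision and recall from a confusion matrix.
    Ratios with a zero denominator are reported as 0.0 rather than raising."""
    total = tp + fp + tn + fn
    return {
        "accuracy": (tp + tn) / total if total else 0.0,
        "precision": tp / (tp + fp) if tp + fp else 0.0,
        "recall": tp / (tp + fn) if tp + fn else 0.0,
    }


def build_report(instance, packets, confusion, cpu_util, mem_util):
    """Assemble the computing power report the C-NMA would send to the C-PS."""
    return {
        "instance": instance,
        "detection_results": detection_results(*confusion),
        "traffic_features": traffic_features(packets),
        "resource_usage": resource_usage(packets, cpu_util, mem_util),
    }


if __name__ == "__main__":
    # Constructed confusion matrix: (tp, fp, tn, fn) for the LCSM instance
    print(build_report("LCSM", PACKETS, (90, 10, 95, 5), 0.42, 0.37))
```

   The entropy features are the ones a practitioner watches during a
   flood: a source IP entropy that climbs toward log2 of the packet
   count while the destination port entropy collapses toward zero is
   the signature of many sources hammering one service.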

3.3 CATS-Path Selector (C-PS)

   The C-PS uses the computing power information collected by the C-NMA
   to select the optimal branching path and infer the branching path
   policy, which can then be delivered to both the C-SM and the CM to
   create the flow tables. An algorithm is used to select the best main
   path for the computing-aware SFC; the implementation details of this
   algorithm are not elaborated in this draft. Once the main path is
   generated, the C-PS can obtain the detection results for each
   service instance, which serve as the basis for determining whether a
   service instance (e.g., the LCSM in Figure 1) functions as a
   branching point. The detected attack traffic is directed through
   branching paths (e.g., the DCSM and NCSM shown in Figure 1) for
   detection and then forwarded to the firewall for blocking.


3.4 CATS service instances manager (C-SM)

   The C-SM can extract the high-level branching path policy 
   attributes, perform data transformation, and generate 
   low-level branching path policies 
   [I-D. ietf-i2nsf-security-management-automation]. 
   The C-SM extracts attributes from the high-level policy, matches 
   them with corresponding IP addresses, and transforms them 
   into specific path information. Subsequently, the C-SM sends 
   this data to the CM for further path policy conversion.


3.5 CATS Manager (CM)

   The CM receives path policy information from the C-SM and converts
   it into flow tables, which are subsequently deployed to the
   CATS-classifiers and CATS-forwarders. The flow tables are determined
   by integrating the classification criteria and the path information
   from the path policy. The CATS-classifiers route different types of
   traffic through distinct SFCs based on characteristics such as IP
   addresses, port numbers, protocol numbers, and so on. The role of
   the CATS-forwarders has been explained in Section 3.1.

3.6 CATS Classifier (CC)

   The CATS-classifiers comprise an ingress classifier and an egress
   classifier. In the ingress classifier, the flow table guides the
   packets along a path, and the forwarders are responsible for
   forwarding the traffic. In the egress classifier, the flow table
   decides which packets arrive at which destination host.
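   The following is an added example, not part of this draft, that
   walks one branching decision through the C-PS, C-SM, CM and CC
   roles of Sections 3.3 to 3.6: the C-PS turns per-instance detection
   results into a high-level policy (a main path with branching
   points), the C-SM maps the module names onto instance addresses,
   and the CM expands the low-level policy into flow-table entries for
   the ingress CC and each hop. The recall threshold, the address
   table, the mapping from attack class to branch, and the match
   fields are assumptions of the example; the draft does not specify
   the selection algorithm or the flow-table format.

```python
# Added example; not part of the draft. A toy C-PS / C-SM / CM pipeline for
# Sections 3.3-3.6. The C-PS decides from per-instance detection results
# whether a main-path instance becomes a branching point; the C-SM maps the
# high-level (module-name) policy onto instance addresses; the CM turns the
# low-level policy into flow-table entries for the ingress CC and each hop.
# Thresholds, addresses, branch mapping and match fields are assumptions.
from dataclasses import dataclass, field

# Constructed inventory: module name -> instance address (assumed values)
INSTANCE_ADDR = {
    "LCSM": "10.1.0.10", "ACSM": "10.1.0.11", "BCSM": "10.1.0.12",
    "NCSM": "10.1.0.13", "DCSM": "10.1.0.14", "Firewall": "10.1.0.20",
}

# Which branch handles which attack class flagged on the main path; the
# branch always ends at the firewall, as in Figure 1 (assumed mapping).
BRANCH_FOR_CLASS = {
    "reflection": ["DCSM", "Firewall"],
    "flood": ["NCSM", "Firewall"],
}


@dataclass
class HighLevelPolicy:
    main_path: list                                  # module names in order
    branches: dict = field(default_factory=dict)     # branch point -> (class, modules)


def cps_select(main_path, detection_results, min_recall=0.9):
    """C-PS: an instance becomes a branching point when its reported recall
    meets the threshold and the attack class it reported has a branch."""
    policy = HighLevelPolicy(main_path=list(main_path))
    for module in main_path:
        res = detection_results.get(module)
        if not res or res["recall"] < min_recall:
            continue
        branch = BRANCH_FOR_CLASS.get(res.get("attack_class"))
        if branch:
            policy.branches[module] = (res["attack_class"], branch)
    return policy


def csm_translate(policy):
    """C-SM: replace module names with instance addresses (low-level policy)."""
    low = {"main_path": [INSTANCE_ADDR[m] for m in policy.main_path], "branches": {}}
    for point, (attack_class, modules) in policy.branches.items():
        low["branches"][INSTANCE_ADDR[point]] = (attack_class, [INSTANCE_ADDR[m] for m in modules])
    return low


def cm_flow_tables(low_policy, classifier_match):
    """CM: derive flow-table entries (device, match, next hop). Benign traffic
    follows the main path to the egress CC; traffic tagged with an attack
    class at a branching point is steered down that branch instead."""
    entries = []
    hops = low_policy["main_path"]
    entries.append({"device": "ingress-CC", "match": classifier_match, "next_hop": hops[0]})
    for i, hop in enumerate(hops):
        nxt = hops[i + 1] if i + 1 < len(hops) else "egress-CC"
        entries.append({"device": hop, "match": {"class": "benign"}, "next_hop": nxt})
        if hop in low_policy["branches"]:
            attack_class, branch = low_policy["branches"][hop]
            chain = [hop] + branch
            for src, dst in zip(chain, chain[1:]):
                entries.append({"device": src, "match": {"class": attack_class}, "next_hop": dst})
            entries.append({"device": branch[-1], "match": {"class": attack_class}, "next_hop": "egress-CC"})
    return entries


if __name__ == "__main__":
    # Constructed detection results reported via the C-NMA
    results = {"LCSM": {"recall": 0.95, "attack_class": "reflection"},
               "ACSM": {"recall": 0.70, "attack_class": "flood"}}
    high = cps_select(["LCSM", "ACSM", "Firewall"], results)
    for entry in cm_flow_tables(csm_translate(high), {"proto": 17}):
        print(entry)
```

   Keeping the high-level policy in module names and resolving
   addresses only in the C-SM is what lets the C-PS re-plan without
   knowing where instances are deployed; only the C-SM's address table
   changes when an instance is moved.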

4. CATS-AD Framework Workflow

   When DDoS attacks exist in the network, the C-SM sends subscription
   commands to the service sites and collects computing power
   information from them. The algorithm processes and analyzes these
   data to provide the optimal branching path. The C-SM translates the
   paths into high-level policies and sends them to the CM. The C-SM
   extracts data from the high-level policies; these data are then
   mapped to the corresponding path data to generate low-level
   policies. The path information of the low-level policies is
   transmitted to the CM to update the flow tables. Subsequently, the
   flow tables are passed to the service sites, which use them to
   forward traffic to the selected service instances. Each
   computing-aware service instance follows the same operational flow
   shown in Figure 2, whereas their detection methods differ. Further
   details on the computing-aware service sites are described as
   follows [Two-Stage Intelligent Model for Detecting Malicious DDoS
   Behavior]:

      +---------+      +-----------------------------------------+
+---->+  C-NMA  |      |                                         |
|     +----+----+      |                                         |
|          |           |                                         |
|          v           |  +-------------+   +-----------------+  |
|     +----+----+      |  |   parsing   |   |     feature     |  |
|     |  C-PS   |      |  |   module    +-->+   extraction    |  |
|     +----+----+      |  +-------------+   +--------+--------+  |
|          |           |                             |           |
|          v           |                             |           |
|     +----+----+      |                             v           |
|     |  C-SM   |      |  +-------------+   +--------+--------+  |
|     +----+----+      |  |   feature   |   |      data       |  |
|          |           |  |  selection  +<--+  preprocessing  |  |
|          v           |  +------+------+   +-----------------+  |
|     +----+----+      |         |                               |
|     |   CM    |      |         |                               |
|     +----+----+      |         v                               |
|          |           |  +------+------+   +-----------------+  |
|          v           |  | well-trained|   |    Security     |  |
|  +---------------+   |  |    model    +-->+    detection    |  |
|  | +-----------+ |   |  +-------------+   +--------+--------+  |
|  | |    CC     | |   |                             |           |
|  | +-----------+ |   |                             |           |
|  | +-----------+ |   |                             v           |
|  | |   CATS    | |   |  +-------------+   +--------+--------+  |
|  | | Forwarder | |   |  |    drop     |   |    Computing    |  |
|  | +-----------+ |   |  |    flow     +<--+  power metrics  |  |
|  | +-----------+ |   |  +-------------+   +-----------------+  |
|  | |  Service  | |   |                                         |
+----+  instance +---->+                                         |
   | +-----------+ |   |                                         |
   +---------------+   +-----------------------------------------+

                   Figure 2: CATS-AD Framework Workflow

   1. The parsing module is responsible for listening to transmitted
      traffic. Additionally, a network diagnostic tool periodically
      collects raw traffic as a pcap file.
   2. A network traffic analysis tool extracts flow-based features from
      the raw traffic, including statistical attributes, e.g.,
      timestamp, source port, destination port, source IP, destination
      IP, flow duration, and the max, mean, and min packet size.
   3. To ensure data quality, data preprocessing is responsible for
      cleaning the flow-based features, including normalization and
      standardization.
   4. The next step is feature selection. Feature selection aims to
      extract and gather the most representative network features for
      detection in each computing-aware security module.
   5. The selected features are fed into the well-trained model to
      finely classify the traffic. A well-trained model is a machine
      learning or deep learning model trained on sufficient historical
      attack traffic that can accurately classify new attack traffic.
   6. The well-trained model automatically learns the nonlinear
      relationships between the selected features, which allows it to
      quickly complete coarse-grained and fine-grained detection.
      Coarse-grained detection means that every computing-aware
      security module distinguishes attack traffic from benign traffic;
      fine-grained detection means that attack traffic is classified
      into specific types.
   7. The well-trained model's computing power metrics are precision,
      recall, malicious traffic detection capability (MTDC), and
      F1-score.
   8. If the SIP, DIP, SP, DP, and Pro traffic features are in the
      blacklist, the malicious traffic is dropped, so that attack
      traffic does not interfere with normal traffic and benign traffic
      can smoothly reach the destination hosts.
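   The following is an added example, not part of this draft, that
   runs steps 2 to 8 of the workflow above on a constructed packet
   window: 5-tuple flow feature extraction, min-max normalization,
   variance-based feature selection, a stand-in classifier, and the
   blacklist-based drop of step 8. The packet capture of step 1 is
   replaced by an inline packet list, and the well-trained model of
   steps 5 and 6 is replaced by a fixed threshold rule so that the data
   flow stays visible; feature names, thresholds, the selection rule
   and the blacklist are assumptions of the example.

```python
# Added example; not part of the draft. The per-instance pipeline of Figure 2
# run on constructed packet records. Step 1's capture is replaced by an inline
# packet list, and the "well-trained model" of steps 5-6 is stood in for by a
# fixed threshold rule so that the data flow stays visible. Feature names, the
# normalisation, the selection rule, thresholds and the blacklist are
# assumptions of this example.
from collections import defaultdict
from statistics import pvariance

# Constructed packets: (timestamp_s, src_ip, dst_ip, src_port, dst_port, proto, length)
PACKETS = [
    (0.00, "192.0.2.10", "198.51.100.5", 40000, 80, 6, 500),
    (0.50, "192.0.2.10", "198.51.100.5", 40000, 80, 6, 700),
    (1.00, "192.0.2.10", "198.51.100.5", 40000, 80, 6, 600),
    (0.00, "203.0.113.7", "198.51.100.5", 5000, 53, 17, 60),
    (0.01, "203.0.113.7", "198.51.100.5", 5000, 53, 17, 60),
    (0.02, "203.0.113.7", "198.51.100.5", 5000, 53, 17, 60),
    (0.03, "203.0.113.7", "198.51.100.5", 5000, 53, 17, 60),
    (0.00, "192.0.2.11", "198.51.100.5", 40001, 443, 6, 1200),
    (2.00, "192.0.2.11", "198.51.100.5", 40001, 443, 6, 1400),
]

NUMERIC = ["duration", "packets", "pkt_rate", "max_len", "mean_len", "min_len"]


def extract_flows(packets):
    """Step 2: group packets by 5-tuple (SIP, DIP, SP, DP, Pro) and compute
    the flow-based features listed in the draft."""
    groups = defaultdict(list)
    for ts, sip, dip, sp, dp, proto, length in packets:
        groups[(sip, dip, sp, dp, proto)].append((ts, length))
    flows = []
    for key, pkts in groups.items():
        ts = [t for t, _ in pkts]
        ln = [l for _, l in pkts]
        duration = max(ts) - min(ts)
        flows.append({
            "key": key, "start": min(ts), "duration": duration, "packets": len(pkts),
            # a one-packet flow has no duration; report the packet count as its rate
            "pkt_rate": len(pkts) / duration if duration > 0 else float(len(pkts)),
            "max_len": max(ln), "mean_len": sum(ln) / len(ln), "min_len": min(ln),
        })
    return flows


def preprocess(flows):
    """Step 3: min-max normalise each numeric feature to [0, 1] across flows;
    a feature that is constant across the window normalises to 0.0."""
    for name in NUMERIC:
        vals = [f[name] for f in flows]
        lo, hi = min(vals), max(vals)
        for f in flows:
            f["norm_" + name] = (f[name] - lo) / (hi - lo) if hi > lo else 0.0
    return flows


def select_features(flows, k=2):
    """Step 4: keep the k normalised features with the largest variance
    across the window (a simple filter-style selection)."""
    ranked = sorted(NUMERIC, key=lambda n: pvariance([f["norm_" + n] for f in flows]), reverse=True)
    return ranked[:k]


def classify(flow, features):
    """Steps 5-6: stand-in for the well-trained model, a threshold rule that
    only sees the selected features. Coarse-grained: attack vs benign;
    fine-grained: a high-rate flow of tiny packets is labelled 'flood'."""
    view = {n: flow["norm_" + n] for n in features}
    if view.get("pkt_rate", 0.0) <= 0.5:
        return "benign"
    return "flood" if view.get("min_len", 1.0) < 0.1 else "unknown-attack"


def run_pipeline(packets, blacklist):
    """Steps 2-8 on one packet window. Detected attack 5-tuples are added to
    the blacklist, and step 8 drops every flow whose 5-tuple is listed."""
    flows = preprocess(extract_flows(packets))
    features = select_features(flows)
    labels = {f["key"]: classify(f, features) for f in flows}
    for key, label in labels.items():
        if label != "benign":
            blacklist.add(key)
    forwarded = [f["key"] for f in flows if f["key"] not in blacklist]
    dropped = [f["key"] for f in flows if f["key"] in blacklist]
    return labels, forwarded, dropped


if __name__ == "__main__":
    labels, forwarded, dropped = run_pipeline(PACKETS, set())
    print(labels)
    print("forwarded:", forwarded)
    print("dropped:", dropped)
```

   Note that the blacklist outlives the window that populated it: a
   5-tuple flagged once stays dropped in later windows until an
   operator clears it, which is the behaviour step 8 describes and
   also the reason false positives in the classifier need a review
   path.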

5. Security Considerations

   Attackers may pose various threats to the operation of the CATS-AD
   framework, including the theft or tampering of the information
   collected by the C-NMA, which is crucial for network management and
   service delivery. Therefore, CATS-AD should be equipped with
   anti-attack capabilities to defend against intruders' attacks,
   ensuring the security of computing and network information as well
   as the reliability and stability of the network.
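   The following is an added example, not part of this draft, of one
   way to address the tampering threat named above: the C-NMA seals
   each computing power report with an HMAC-SHA256 tag over a
   canonical encoding, and the C-PS accepts a report only if the tag
   verifies and its per-agent sequence number is newer than the last
   accepted one, so a modified or replayed report is rejected. The key
   provisioning, the report field names and the sequence-number scheme
   are assumptions of the example; the draft does not specify a
   protection mechanism.

```python
# Added example; not part of the draft. Integrity and replay protection for
# C-NMA reports on their way to the C-PS, one way to address the tampering
# threat in Section 5. The shared key, the report field names and the
# per-agent sequence-number scheme are assumptions of this example.
import hashlib
import hmac
import json

# Assumption: a per-agent key provisioned out of band (constructed value)
KEY = b"constructed-demo-key-not-for-production"


def canonical(report):
    """Deterministic encoding so that sender and receiver tag the same bytes."""
    return json.dumps(report, sort_keys=True, separators=(",", ":")).encode()


def seal(report, key=KEY):
    """C-NMA side: attach an HMAC-SHA256 tag over the canonical encoding."""
    tag = hmac.new(key, canonical(report), hashlib.sha256).hexdigest()
    return {"report": report, "tag": tag}


class ReportVerifier:
    """C-PS side: accept a sealed report only if its tag verifies and its
    sequence number is newer than the last one accepted from that agent."""

    def __init__(self, key=KEY):
        self.key = key
        self.last_seq = {}

    def accept(self, sealed):
        report = sealed.get("report", {})
        expected = hmac.new(self.key, canonical(report), hashlib.sha256).hexdigest()
        # constant-time comparison; reject before looking at any field
        if not hmac.compare_digest(expected, sealed.get("tag", "")):
            return False, "bad-tag"
        agent, seq = report.get("agent"), report.get("seq")
        if agent is None or not isinstance(seq, int):
            return False, "missing-fields"
        if seq <= self.last_seq.get(agent, -1):
            return False, "replay"
        self.last_seq[agent] = seq
        return True, "ok"


if __name__ == "__main__":
    verifier = ReportVerifier()
    sealed = seal({"agent": "c-nma-1", "seq": 1, "instance": "LCSM", "recall": 0.95})
    print(verifier.accept(sealed))   # accepted
    print(verifier.accept(sealed))   # same sequence number again: replay
```

   A symmetric tag only proves that someone holding the agent's key
   produced the report, so each C-NMA needs its own key; a compromised
   agent can still lie about its own metrics, which is why the
   per-agent sequence state also gives the C-PS a place to flag an
   agent whose reports suddenly change character.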


6. IANA Considerations

   This document has no IANA actions.

7. References

    
7.1 Normative References
 
   [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
             Requirement Levels", BCP 14, RFC 2119,
             DOI 10.17487/RFC2119, March 1997,
             <https://www.rfc-editor.org/info/rfc2119>.

   [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
             2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
             May 2017, <https://www.rfc-editor.org/info/rfc8174>.

7.2 Informative References

   [I-D. ietf-cats-computing-aware-sfc-usecase]
              Zhang, S. and X. Chen, "Use Cases of Computing-aware
              Service Function Chaining (SFC)", Work in Progress,
              Internet-Draft,
              draft-zhang-cats-computing-aware-sfc-usecase-00,
              September 2023.

   [I-D. ietf-cats-framework-03]
              Li, C., Du, Z., Boucadair, M., Contreras, L. M., Drake,
              J., Huang, G., and G. Mishra, "A Framework for
              Computing-Aware Traffic Steering (CATS)", Work in
              Progress, Internet-Draft, draft-ldbc-cats-framework-03,
              August 2023.

   [I-D. ietf-i2nsf-intelligent-detection-00]
              Wang, W., Zhou, H., Li, M., Guo, Q., and S. Deng, "YANG
              Data Models for Attacks Intelligent Detection", Work in
              Progress, Internet-Draft,
              draft-wang-i2nsf-intelligent-detection, February 2023.

   [I-D. ietf-i2nsf-security-management-automation]
              Jeong, J., Lingga, P., and J. Park, "An Extension of
              I2NSF Framework for Security Management Automation in
              Cloud-Based Security Services", Work in Progress,
              Internet-Draft,
              draft-jeong-i2nsf-security-management-automation-04,
              25 July 2022.

   [Two-Stage Intelligent Model for Detecting Malicious DDoS Behavior]
              Li, M., Zhou, H., and Y. Qin, "Two-Stage Intelligent
              Model for Detecting Malicious DDoS Behavior", Sensors,
              vol. 22, 2532, 2022.

8. Acknowledgments

   TBC

Authors' Addresses


   Man Li
   Beijing Jiaotong University
   Beijing
   Phone: <86-18810911698>
   Email: 20111018@bjtu.edu.cn


   Huachun Zhou
   Beijing Jiaotong University
   Beijing
   Phone: <86-13718168186>
   Email: hchzhou@bjtu.edu.cn

   Shuangxing Deng
   Beijing Jiaotong University
   Beijing
   Phone: <86-13040062046>
   Email: 21120038@bjtu.edu.cn

   Weilin Wang
   Beijing Jiaotong University
   Beijing
   Phone: <86-15910887582>
   Email: 21111026@bjtu.edu.cn