P4Control: Line-Rate Cross-Host Attack Prevention via In-Network Information Flow Control Enabled by Programmable Switches and eBPF
- URL: http://arxiv.org/abs/2405.14970v1
- Date: Thu, 23 May 2024 18:19:10 GMT
- Title: P4Control: Line-Rate Cross-Host Attack Prevention via In-Network Information Flow Control Enabled by Programmable Switches and eBPF
- Authors: Osama Bajaber, Bo Ji, Peng Gao,
- Abstract summary: P4Control is a network defense system that confines end-to-end information flows in a network and prevents cross-host attacks at line rate.
We conduct extensive evaluations to show that P4Control can effectively prevent cross-host attacks in real time.
- Score: 14.787290539225245
- License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
- Abstract: Modern targeted attacks such as Advanced Persistent Threats use multiple hosts as stepping stones and move laterally across them to gain deeper access to the network. However, existing defenses lack end-to-end information flow visibility across hosts and cannot block cross-host attack traffic in real time. In this paper, we propose P4Control, a network defense system that precisely confines end-to-end information flows in a network and prevents cross-host attacks at line rate. P4Control introduces a novel in-network decentralized information flow control (DIFC) mechanism and is the first work that enforces DIFC at the network level at network line rate. This is achieved through: (1) an in-network primitive based on programmable switches for tracking inter-host information flows and enforcing line-rate DIFC policies; (2) a lightweight eBPF-based primitive deployed on hosts for tracking intra-host information flows. P4Control also provides an expressive policy framework for specifying DIFC policies against different attack scenarios. We conduct extensive evaluations to show that P4Control can effectively prevent cross-host attacks in real time, while maintaining line-rate network performance and imposing minimal overhead on the network and host machines. It is also noteworthy that P4Control can facilitate the realization of a zero trust architecture through its fine-grained least-privilege network access control.
Related papers
- Saflo: eBPF-Based MPTCP Scheduler for Mitigating Traffic Analysis Attacks in Cellular Networks [5.449956884943377]
Saflo scheduler employs multipath communication combined with additional security-related tasks.
It significantly reduces the accuracy of video identification and user identification attacks in cellular networks.
arXiv Detail & Related papers (2025-02-06T17:20:07Z) - MIETT: Multi-Instance Encrypted Traffic Transformer for Encrypted Traffic Classification [59.96233305733875]
Classifying traffic is essential for detecting security threats and optimizing network management.
We propose a Multi-Instance Encrypted Traffic Transformer (MIETT) to capture both token-level and packet-level relationships.
MIETT achieves results across five datasets, demonstrating its effectiveness in classifying encrypted traffic and understanding complex network behaviors.
arXiv Detail & Related papers (2024-12-19T12:52:53Z) - Red Pill and Blue Pill: Controllable Website Fingerprinting Defense via Dynamic Backdoor Learning [93.44927301021688]
Website fingerprint (WF) attacks covertly monitor user communications to identify the web pages they visit.
Existing WF defenses attempt to reduce the attacker's accuracy by disrupting unique traffic patterns.
We introduce Controllable Website Fingerprint Defense (CWFD), a novel defense perspective based on backdoor learning.
arXiv Detail & Related papers (2024-12-16T06:12:56Z) - Manipulating OpenFlow Link Discovery Packet Forwarding for Topology Poisoning [7.162877379128359]
We introduce Marionette, a new topology poisoning technique that manipulates OpenFlow link forwarding to alter topology information.
Our approach exposes an overlooked yet widespread attack vector.
Marionette successfully attacks five open-source controllers and nine OpenFlow-based discovery protocols.
arXiv Detail & Related papers (2024-08-29T23:30:36Z) - Federated Learning for Zero-Day Attack Detection in 5G and Beyond V2X Networks [9.86830550255822]
Connected and Automated Vehicles (CAVs) on top of 5G and Beyond networks (5GB) make them vulnerable to increasing vectors of security and privacy attacks.
We propose in this paper a novel detection mechanism that leverages the ability of the deep auto-encoder method to detect attacks relying only on the benign network traffic pattern.
Using federated learning, the proposed intrusion detection system can be trained with large and diverse benign network traffic, while preserving the CAVs privacy, and minimizing the communication overhead.
arXiv Detail & Related papers (2024-07-03T12:42:31Z) - EmInspector: Combating Backdoor Attacks in Federated Self-Supervised Learning Through Embedding Inspection [53.25863925815954]
Federated self-supervised learning (FSSL) has emerged as a promising paradigm that enables the exploitation of clients' vast amounts of unlabeled data.
While FSSL offers advantages, its susceptibility to backdoor attacks has not been investigated.
We propose the Embedding Inspector (EmInspector) that detects malicious clients by inspecting the embedding space of local models.
arXiv Detail & Related papers (2024-05-21T06:14:49Z) - Breaking On-Chip Communication Anonymity using Flow Correlation Attacks [2.977255700811213]
We investigate the security strength of existing anonymous routing protocols in Network-on-Chip (NoC) architectures.
We show that the existing anonymous routing is vulnerable to machine learning (ML) based flow correlation attacks on NoCs.
We propose lightweight anonymous routing with traffic obfuscation techniques to defend against ML-based flow correlation attacks.
arXiv Detail & Related papers (2023-09-27T14:32:39Z) - Efficient and Low Overhead Website Fingerprinting Attacks and Defenses
based on TCP/IP Traffic [16.6602652644935]
Website fingerprinting attacks based on machine learning and deep learning tend to use the most typical features to achieve a satisfactory performance of attacking rate.
To defend against such attacks, random packet defense (RPD) with a high cost of excessive network overhead is usually applied.
We propose a filter-assisted attack against RPD, which can filter out the injected noises using the statistical characteristics of TCP/IP traffic.
We further improve the list-based defense by a traffic splitting mechanism, which can combat the mentioned attacks as well as save a considerable amount of network overhead.
arXiv Detail & Related papers (2023-02-27T13:45:15Z) - BlockCopy: High-Resolution Video Processing with Block-Sparse Feature
Propagation and Online Policies [57.62315799929681]
BlockCopy is a scheme that accelerates pretrained frame-based CNNs to process video more efficiently.
A lightweight policy network determines important regions in an image, and operations are applied on selected regions only.
Features of non-selected regions are simply copied from the preceding frame, reducing the number of computations and latency.
arXiv Detail & Related papers (2021-08-20T21:16:01Z) - Decentralized Control with Graph Neural Networks [147.84766857793247]
We propose a novel framework using graph neural networks (GNNs) to learn decentralized controllers.
GNNs are well-suited for the task since they are naturally distributed architectures and exhibit good scalability and transferability properties.
The problems of flocking and multi-agent path planning are explored to illustrate the potential of GNNs in learning decentralized controllers.
arXiv Detail & Related papers (2020-12-29T18:59:14Z) - A Self-supervised Approach for Adversarial Robustness [105.88250594033053]
Adversarial examples can cause catastrophic mistakes in Deep Neural Network (DNNs) based vision systems.
This paper proposes a self-supervised adversarial training mechanism in the input space.
It provides significant robustness against the textbfunseen adversarial attacks.
arXiv Detail & Related papers (2020-06-08T20:42:39Z)
This list is automatically generated from the titles and abstracts of the papers in this site.
This site does not guarantee the quality of this site (including all information) and is not responsible for any consequences.