Peregrine: ML-based Malicious Traffic Detection for Terabit Networks
João Romeiras Amado, Francisco Pereira, David Pissarra, Salvatore Signorello, Miguel Correia, Fernando M. V. Ramos
TL;DR
The paper tackles the challenge of applying ML-based malicious traffic detection at Terabit speeds, where existing detectors rely on substantial traffic sampling that degrades observability. It introduces Peregrine, a cross-platform architecture that offloads per-packet feature computation to the data plane of a programmable switch while performing ML inference on a middlebox server, fed by epoch-based feature records. By computing rich, per-packet features across all traffic and streaming concise summaries to a detector, Peregrine achieves high detection performance (AUC > 0.8 for the majority of attacks) at Tbps scales and significantly improves efficiency compared to a multi-server approach. The implementation on Intel Tofino (two generations) and KitNET-based detection demonstrates practical viability, offering a path toward scalable, energy- and cost-efficient malicious traffic detection for Terabit networks.
Abstract
Malicious traffic detectors leveraging machine learning (ML), namely those incorporating deep learning techniques, exhibit impressive detection capabilities across multiple attacks. However, their effectiveness becomes compromised when deployed in networks handling Terabit-speed traffic. In practice, these systems require substantial traffic sampling to reconcile the high data plane packet rates with the comparatively slower processing speeds of ML detection. As sampling significantly reduces traffic observability, it fundamentally undermines their detection capability. We present Peregrine, an ML-based malicious traffic detector for Terabit networks. The key idea is to run the detection process partially in the network data plane. Specifically, we offload the detector's ML feature computation to a commodity switch. The Peregrine switch processes a diversity of features per-packet, at Tbps line rates - three orders of magnitude higher than the fastest detector - to feed the ML-based component in the control plane. Our offloading approach presents a distinct advantage. While, in practice, current systems sample raw traffic, in Peregrine sampling occurs after feature computation. This essential trait enables computing features over all traffic, significantly enhancing detection performance. The Peregrine detector is not only effective for Terabit networks, but it is also energy- and cost-efficient. Further, by shifting a compute-heavy component to the switch, it saves precious CPU cycles and improves detection throughput.