P4-NIDS: High-Performance Network Monitoring and Intrusion Detection in P4
Yaying Chen, Siamak Layeghy, Liam Daly Manocchio, Marius Portmann
TL;DR
The paper tackles the challenge of providing real-time security analytics in ultra-high-speed networks by proposing an in-band, P4-based architecture that combines a wire-speed NetFlow exporter with a lightweight, pre-trained decision-tree NIDS operating entirely in the data plane. It introduces a NetFlow generator that supports enhanced NetFlow v9 fields and an in-band ML model that leverages 12 NetFlow features to classify traffic with low overhead. The approach is evaluated both in a software-emulated environment and on a 40 Gbps P4-compatible hardware setup, demonstrating negligible throughput impact, superior NetFlow throughput compared to the state-of-the-art (FlowStalker), and strong detection performance across benchmark datasets. The results indicate that in-band monitoring and intrusion detection in P4 can meet the demands of large-scale, high-performance networks, enabling real-time visibility and security without controller-based bottlenecks.
Abstract
This paper presents a high-performance, scalable network monitoring and intrusion detection system (IDS) implemented in P4. The proposed solution is designed for high-performance environments such as cloud data centers, where ultra-low latency, high bandwidth, and resilient infrastructure are essential. Existing state-of-the-art (SoA) solutions, which rely on traditional out-of-band monitoring and intrusion detection techniques, often struggle to achieve the necessary latency and scalability in large-scale, high-speed networks. Unlike these approaches, our in-band solution provides a more efficient, scalable alternative that meets the performance needs of Terabit networks. Our monitoring component captures extended NetFlow v9 features at wire speed, while the in-band IDS achieves high-accuracy detection without compromising on performance. In evaluations on real-world P4 hardware, both the NetFlow monitoring and IDS components maintain negligible impact on throughput, even at traffic rates up to 8 million packets per second (mpps). This performance surpasses SoA in terms of accuracy and throughput efficiency, ensuring that our solution meets the requirements of large-scale, high-performance environments.
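The TL;DR and abstract above describe a pre-trained decision tree evaluated in the P4 data plane over NetFlow features, but not how the tree is encoded for a switch. The following is an added illustration, not code from the paper: it shows the common approach of compiling each leaf of a tree into a range-match table entry so that a flow is classified with a single table lookup, and checks that the compiled entries agree with direct tree evaluation. The three feature names, the thresholds and the tree itself are constructed for the example and are not the paper's 12 features or model.

```python
# Added example (not the paper's code): compile a small decision tree over
# NetFlow-style flow features into range-match table entries, the way an
# in-band P4 classifier can evaluate it with one table lookup per flow.
# Feature names, thresholds and the tree are constructed for illustration.
from dataclasses import dataclass

FEATURES = ["in_pkts", "in_bytes", "tcp_flags"]  # assumed NetFlow v9-style fields

@dataclass
class Node:
    feature: str = None      # None marks a leaf
    threshold: int = 0       # go left if value <= threshold
    left: "Node" = None
    right: "Node" = None
    label: str = None        # leaf class: "benign" or "attack"

def compile_tree(node, bounds=None):
    """Emit one table entry per leaf: a [lo, hi] range for every feature
    (the path constraints) plus the leaf's class label."""
    if bounds is None:
        bounds = {f: [0, 2**32 - 1] for f in FEATURES}
    if node.feature is None:
        return [({f: tuple(r) for f, r in bounds.items()}, node.label)]
    lo, hi = bounds[node.feature]
    left = dict(bounds); left[node.feature] = [lo, min(hi, node.threshold)]
    right = dict(bounds); right[node.feature] = [max(lo, node.threshold + 1), hi]
    return compile_tree(node.left, left) + compile_tree(node.right, right)

def lookup(entries, flow):
    """Emulate the data-plane table: first entry whose ranges all match wins."""
    for ranges, label in entries:
        if all(lo <= flow[f] <= hi for f, (lo, hi) in ranges.items()):
            return label
    return "no_match"

def eval_tree(node, flow):
    """Reference evaluation of the tree, for checking the compiled entries."""
    while node.feature is not None:
        node = node.left if flow[node.feature] <= node.threshold else node.right
    return node.label

# Constructed tree: many small packets carrying at most a SYN flag (0x02)
# are labelled "attack"; everything else is "benign".
TREE = Node("in_pkts", 100,
            Node(label="benign"),
            Node("in_bytes", 6000,
                 Node("tcp_flags", 2, Node(label="attack"), Node(label="benign")),
                 Node(label="benign")))
ENTRIES = compile_tree(TREE)  # 4 leaves -> 4 table entries
```

Each entry corresponds to one root-to-leaf path, so the table size grows with the number of leaves rather than the tree depth, which is what keeps per-packet cost constant in the pipeline.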
