Topology-aware Detection and Localization of Distributed Denial-of-Service Attacks in Network-on-Chips

Hansika Weerasena, Xiaoguo Jia, Prabhat Mishra

TL;DR

This paper tackles securing on-chip communication against distributed DoS attacks in Network-on-Chips by modeling the NoC as a graph and applying a topology-aware Graph Neural Network to raw inter-flit delay data. The method learns spatiotemporal traffic patterns through a two-stage process: converting router traces into a fixed graph and processing it with a temporal-then-spatial GNN to perform graph-level attack detection and node-level localization of malicious IPs. It reports near-perfect detection (up to 100%) and high localization accuracy (up to 99%) that generalizes to both 2D mesh and 3D TSV-based NoCs, including challenging scenarios with multiple attackers and varying traffic loads. The approach requires only a lightweight security engine for runtime inference and eliminates manual feature engineering, making it practical for real-time defense in modern heterogeneous SoCs and scalable to future stacked architectures.

Abstract

Network-on-Chip (NoC) enables on-chip communication between diverse cores in modern System-on-Chip (SoC) designs. With its shared communication fabric, NoC has become a focal point for various security threats, especially in heterogeneous and high-performance computing platforms. Among these attacks, Distributed Denial of Service (DDoS) attacks occur when multiple malicious entities collaborate to overwhelm and disrupt access to critical system components, potentially causing severe performance degradation or complete disruption of services. These attacks are particularly challenging to detect due to their distributed nature and dynamic traffic patterns in NoC, which often evade static detection rules or simple profiling. This paper presents a framework to conduct topology-aware detection and localization of DDoS attacks using Graph Neural Networks (GNNs) by analyzing NoC traffic patterns. Specifically, by modeling the NoC as a graph, our method utilizes spatiotemporal traffic features to effectively identify and localize DDoS attacks. Unlike prior works that rely on handcrafted features or threshold-based detection, our GNN-based approach operates directly on raw inter-flit delay data, learning complex traffic dependencies without manual intervention. Experimental results demonstrate that our approach can detect and localize DDoS attacks with high accuracy (up to 99%) while maintaining consistent performance under diverse attack strategies. Furthermore, the proposed method exhibits strong robustness across varying numbers and placements of malicious IPs, different packet injection rates, application workloads, and architectural configurations, including both 2D mesh and 3D TSV-based NoCs. Our work provides a scalable, flexible, and architecture-agnostic defense mechanism, significantly improving the availability and trustworthiness of on-chip communication in future SoC designs.

Paper Structure

This paper contains 21 sections, 4 equations, 6 figures, 5 tables, 1 algorithm.

Figures (6)

  • Figure 1: 4x4 mesh NoC topology. Only corner nodes have shared Memory Controllers (MCs). Malicious IPs (MIPs) can target MCs and flood packets to launch DDoS attack.
  • Figure 2: 4x4x4 3D mesh NoC topology with TSVs for vertical communication.
  • Figure 3: MIP placement scenarios: (a) one MIP, (b) two MIPs attacking the same VIP, (c) three MIPs with overlapping paths targeting one VIP, (d) three MIPs attacking two VIPs.
  • Figure 4: Overview of the proposed DDoS detection and localization method at runtime: The traffic trace from each node, a spatiotemporal multivariate time series, is collected and transformed into a series-as-node in the graph. The graph is then processed by a GNN temporally and spatially (across nodes), which detects the attack and identifies the nodes with MIPs.
  • Figure 5: Accuracy of detection and localization for increasing number of malicious IPs (MIPs).
  • ...and 1 more figures
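
An added example, not code from the paper: a minimal sketch of the data layout described in the TL;DR and the Figure 4 caption, where each router's inter-flit delay trace becomes the feature vector of a node in a fixed mesh graph that is processed temporally, then spatially. The two stage functions are untrained stand-ins (plain averages) for the paper's learned GNN layers, and the traces, window length, idle padding value and all function names are constructed assumptions.

```python
from itertools import product

def mesh_adjacency(dims):
    """Neighbour lists for a mesh NoC: dims=(4, 4) is a 2D mesh, (4, 4, 4) a 3D mesh."""
    nodes = list(product(*(range(d) for d in dims)))
    index = {coord: i for i, coord in enumerate(nodes)}
    adj = [[] for _ in nodes]
    for coord, i in index.items():
        for axis in range(len(dims)):
            for step in (-1, 1):
                nb = list(coord)
                nb[axis] += step
                j = index.get(tuple(nb))  # None when the hop leaves the mesh
                if j is not None:
                    adj[i].append(j)
    return adj

def inter_flit_delays(arrival_cycles, window, idle_gap=0):
    """Raw inter-flit delays for one router, fixed to the last `window` samples.
    Short traces are left-padded with idle_gap (an assumption of this sketch)."""
    gaps = [b - a for a, b in zip(arrival_cycles, arrival_cycles[1:])][-window:]
    return [idle_gap] * (window - len(gaps)) + gaps

def temporal_stage(series):
    """Stand-in for the learned temporal layer: mean delay over the window."""
    return sum(series) / len(series)

def spatial_stage(h, adj):
    """Stand-in for one message-passing layer: mean over a node and its neighbours."""
    return [(h[i] + sum(h[j] for j in adj[i])) / (1 + len(adj[i]))
            for i in range(len(h))]

def demo():
    """Constructed 4x4 trace set: routers 0, 1, 2 (a path toward the corner
    node 0) see a flit every 2 cycles, all other routers every 10 cycles."""
    adj, window, flooded = mesh_adjacency((4, 4)), 8, {0, 1, 2}
    feats = [inter_flit_delays(list(range(0, 100, 2 if n in flooded else 10)), window)
             for n in range(len(adj))]
    h = spatial_stage([temporal_stage(s) for s in feats], adj)
    return adj, feats, h

if __name__ == "__main__":
    adj, feats, h = demo()
    for node, value in enumerate(h):
        print(f"router {node:2d}  neighbours={adj[node]}  embedding={value:.2f}")
```

Routers on or next to the flooded path end up with lower averaged delays than distant ones, which is the topology-dependent signal a trained model would classify per graph (detection) and per node (localization).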