Peregrine: ML-based Malicious Traffic Detection for Terabit Networks
João Romeiras Amado, Francisco Pereira, David Pissarra, Salvatore Signorello, Miguel Correia, Fernando M. V. Ramos

TL;DR
Peregrine is a novel ML-based malicious traffic detection system for Terabit networks that processes features at line rate in the data plane, significantly improving detection accuracy and efficiency.
Contribution
It introduces a method to offload ML feature computation to commodity switches, enabling high-speed detection over all traffic without sampling, unlike prior systems.
Findings
Processes features at Tbps line rate, three orders of magnitude faster than traditional detectors.
Enhances detection accuracy by computing features over all traffic, not just sampled data.
Reduces energy and cost by shifting computation to the network switch.
Abstract
Malicious traffic detectors leveraging machine learning (ML), namely those incorporating deep learning techniques, exhibit impressive detection capabilities across multiple attacks. However, their effectiveness becomes compromised when deployed in networks handling Terabit-speed traffic. In practice, these systems require substantial traffic sampling to reconcile the high data plane packet rates with the comparatively slower processing speeds of ML detection. As sampling significantly reduces traffic observability, it fundamentally undermines their detection capability. We present Peregrine, an ML-based malicious traffic detector for Terabit networks. The key idea is to run the detection process partially in the network data plane. Specifically, we offload the detector's ML feature computation to a commodity switch. The Peregrine switch processes a diversity of features per-packet, at…
Taxonomy
Topics: Internet Traffic Analysis and Secure E-voting · Advanced Steganography and Watermarking Techniques · Network Security and Intrusion Detection
