P4-NIDS: High-Performance Network Monitoring and Intrusion Detection in P4
Yaying Chen, Siamak Layeghy, Liam Daly Manocchio, Marius Portmann

TL;DR
This paper introduces P4-NIDS, a high-performance, scalable in-band network monitoring and intrusion detection system implemented in P4, capable of handling Terabit network speeds with minimal impact on throughput.
Contribution
It presents a novel in-band monitoring and intrusion detection system in P4 that achieves high accuracy and scalability in high-speed network environments.
Findings
Maintains negligible impact on throughput at 8 million packets per second
Outperforms state-of-the-art solutions in accuracy and scalability
Supports real-world P4 hardware deployment
Abstract
This paper presents a high-performance, scalable network monitoring and intrusion detection system (IDS) implemented in P4. The proposed solution is designed for high-performance environments such as cloud data centers, where ultra-low latency, high bandwidth, and resilient infrastructure are essential. Existing state-of-the-art (SoA) solutions, which rely on traditional out-of-band monitoring and intrusion detection techniques, often struggle to achieve the necessary latency and scalability in large-scale, high-speed networks. Unlike these approaches, our in-band solution provides a more efficient, scalable alternative that meets the performance needs of Terabit networks. Our monitoring component captures extended NetFlow v9 features at wire speed, while the in-band IDS achieves high-accuracy detection without compromising on performance. In evaluations on real-world P4 hardware, both…
Taxonomy
Topics: Network Security and Intrusion Detection · Advanced Malware Detection Techniques
