Immune-Based Intrusion Detection Methods for Programmable Data Plane

doi:10.3969/j.issn.1671-1122.2025.08.008

Abstract

Abstract:

This study, aiming at the prominent issue of performance bottlenecks in traditional intrusion detection systems, drawed inspiration from the higher biological immune system and broken through the architectural foundation of the shell-based defense approach in traditional intrusion detection systems. A bio-inspired immune intrusion detection method suitable for programmable data planes was designed. This method utilized the innate immune system to filter traffic, preliminarily intercepting some intrusive traffic. For traffic that remains suspicious, the bio-inspired adaptive immune system was activated to conduct deep feature collection, identification, and processing, achieving efficient detection of intrusive traffic. Experimental results demonstrate that this method can achieve high detection accuracy and low controller load.

Key words: bionic immunity, programmable data plane, intrusion detection, P4 language

CLC Number:

TP309

SUN Nan, QIN Zhongyuan, HU Aiqun, LI Tao. Immune-Based Intrusion Detection Methods for Programmable Data Plane[J]. Netinfo Security, 2025, 25(8): 1263-1275.

Figures/Tables 13

References 27

[1]	CHAMOU D, TOUPAS P, KETZAKI E, et al. Intrusion Detection System Based on Network Traffic Using Deep Neural Networks[C]// IEEE. 2019 IEEE 24th International Workshop on Computer Aided Modeling and Design of Communication Links and Networks. New York: IEEE, 2019: 1-6.
[2]	KIM J, BENTLEY P J, AICKELIN U, et al. Immune System Approaches to Intrusion Detection-A Review[J]. Natural Computing, 2007, 6(4): 413-466.
[3]	LI Tao, HU Aiqun, FANG Lanting. Bionic Control Mechanism Based Research of Endogenous Immune Architecture for Information System[J]. Journal of Cyber Security, 2022, 7(2): 87-100.
[4]	GONG Feili. Medical Immunology[M]. Beijing: Science Press, 2012.
	龚非力. 医学免疫学[M]. 北京: 科学出版社, 2012.
[5]	SONG C, PARK Y, GOLANI K, et al. Machine-Learning Based Threat-Aware System in Software Defined Networks[C]// IEEE. 2017 26th International Conference on Computer Communication and Networks (ICCCN). New York: IEEE, 2017: 1-9.
[6]	SANTOS D S A, WICKBOLDT J A, GRANVILLE L Z, et al. ATLANTIC:A Framework for Anomaly Traffic Detection, Classification, and Mitigation in SDN[C]// IEEE. NOMS 2016-2016 IEEE/IFIP Network Operations and Management Symposium. New York: IEEE, 2016: 27-35.
[7]	CHEN Zhuo, JIANG Fu, CHENG Yijun, et al. XGBoost Classifier for DDoS Attack Detection and Analysis in SDN-Based Cloud[C]// IEEE. 2018 IEEE International Conference on Big Data and Smart Computing. New York: IEEE, 2018: 251-256.
[8]	SWAMI R, DAVE M, RANGA V. Voting-Based Intrusion Detection Framework for Securing Software-Defined Networks[J]. Concurrency and Computation: Practice and Experience, 2020, 32(24): 1-16.
[9]	ELSAYED R A, HAMADA R A, ABDALLA M I, et al. Securing IoT and SDN Systems Using Deep-Learning Based Automatic Intrusion Detection[EB/OL]. (2023-03-03)[2024-06-10]. https://doi.org/10.1016/j.asej.2023.102211.
[10]	AL R M, JAVEED D, KHAN M T, et al. Cyber Threats Detection in Smart Environments Using SDN-Enabled DNN-LSTM Hybrid Framework[J]. IEEE Access, 2022, 10: 53015-53026.
[11]	KRANTHI S, KANCHANA M, SUNEETHA M. A Study of IDS-Based Software-Defined Networking by Using Machine Learning Concept[EB/OL]. (2022-02-08)[2024-06-10]. https://doi.org/10.1007/978-981-16-5689-7_6.
[12]	HAIDER S, AKHUNZADA A, MUSTAFA I, et al. A Deep CNN Ensemble Framework for Efficient DDoS Attack Detection in Software Defined Networks[J]. IEEE Access, 2020, 8: 53972-53983.
[13]	LI Jiaqi, ZHAO Zhifeng, LI Rongpeng, et al. AI-Based Two-Stage Intrusion Detection for Software Defined IoT Networks[J]. IEEE Internet of Things Journal, 2019, 6(2): 2093-2102. doi: 10.1109/JIOT.2018.2883344
[14]	BARRADAS D, SANTOS N, RODRIGUES L, et al. FlowLens: Enabling Efficient Flow Classification for ML-Based Network Security Applications[EB/OL]. (2021-02-21)[2024-06-10]. https://www.ndss-symposium.org/wp-content/uploads/ndss2021_7C-2_24067_paper.pdf.
[15]	XIONG Zhaoqi, ZILBERMAN N. Do Switches Dream of Machine Learning? Toward In-Network Classification[C]// ACM. The 18th ACM Workshop on Hot Topics in Networks. New York: ACM, 2019: 25-33.
[16]	XAVIER B M, GUIMARAES R S, COMARELA G, et al. Programmable Switches for In-Networking Classification[C]// IEEE. IEEE INFOCOM 2021-IEEE Conference on Computer Communications. New York: IEEE, 2021: 1-10.
[17]	LUO Junming, LIU Waixi, TAN Miaoquan, et al. Binary Neural Network with P4 on Programmable Data Plane[C]// IEEE. 2022 18th International Conference on Mobility, Sensing and Networking. New York: IEEE, 2022: 960-965.
[18]	ZHENG Changgang, XIONG Zhaoqi, BUI T T, et al. IIsy: Practical In-Network Classification[EB/OL]. (2022-06-19)[2024-06-10]. https://arxiv.org/abs/2205.08243.
[19]	Canadian Institute for Cybersecurity. CIC-IDS-2017 Dataset[EB/OL]. [2024-06-10]. https://www.unb.ca/cic/datasets/ids-2017.html.
[20]	XAVIER B M, SILVA G R, COMARELA G, et al. MAP4: A Pragmatic Framework for In-Network Machine Learning Traffic Classification[J]. IEEE Transactions on Network and Service Management, 2022, 19(4): 4176-4188.
[21]	LI Yu. Research on Internet Intrusion Detection Technology Based on Deep Learning[D]. Chengdu: University of Electronic Science and Technology of China, 2023.
	李宇. 基于深度学习的互联网入侵检测技术研究[D]. 成都: 电子科技大学, 2023.
[22]	LOPEZ-MARTIN M, CARRO B, SANCHEZ-ESGUEVILLAS A. Application of Deep Reinforcement Learning to Intrusion Detection for Supervised Problems[EB/OL]. (2019-09-18)[2024-06-10]. https://doi.org/10.1016/j.eswa.2019.112963.
[23]	ELSAYED M S, LE-KHAC N A, JURCUT A D. InSDN: A Novel SDN Intrusion Dataset[J]. IEEE Access, 2020, 8: 165263-165284.
[24]	XU Yuhua, SUN Zhixin. Research Development of Abnormal Traffic Detection in Software Defined Networking[J]. Journal of Software, 2020, 31(1): 183-207.
	徐玉华, 孙知信. 软件定义网络中的异常流量检测研究进展[J]. 软件学报, 2020, 31(1): 183-207.
[25]	YANG Yintan. Research on SDN Intrusion Detection Technology Based on Convolutional Neural Network[D]. Xi'an: Xidian University, 2019.
	杨垠坦. 基于卷积神经网络的SDN入侵检测技术研究[D]. 西安: 西安电子科技大学, 2019.
[26]	KRISHNAN A S, SIVALINGAM K M, SHAMI G, et al. Flow Classification for Network Security Using P4-Based Programmable Data Plane Switches[C]// IEEE. 2023 IEEE 9th International Conference on Network Softwarization. New York: IEEE, 2023: 374-379.
[27]	LI Yuliang, MIAO Rui, KIM C, et al. FlowRadar: A Better NetFlow for Data Centers[EB/OL]. (2019-09-18)[2024-06-10]. https://www.usenix.org/conference/nsdi16/technical-sessions/presentation/li-yuliang.

特征	描述
Dst-Port	目的端口
Src-Port	源端口
Protocol-Type	协议类型
Packet Size	数据包大小
IP-Flag	数据包是否分段

类型	评价指标
类型	精确率	召回率	F1分数	准确率
Attack	0.96	1.00	0.98	0.97
Benign	1.00	0.95	0.97	0.97
平均值	0.98	0.97	0.97	—

类型	评价指标
类型	精确率	召回率	F1分数	准确率
Benign	0.99	0.99	0.99	0.99
DoS	0.99	1.00	0.99
DDoS	1.00	1.00	1.00
Patator	1.00	1.00	1.00
Web Attack	0.53	0.27	0.36
Bot	0.94	1.00	0.96
PortScan	0.99	1.00	1.00
Infiltration	1.00	0.75	0.86
平均值	0.93	0.87	0.89	—

类型	评价指标
类型	精确率	召回率	F1分数	准确率
Normal	1.00	0.98	0.99	0.99
DoS	1.00	1.00	1.00
DDoS	1.00	1.00	1.00
BFA	0.84	0.99	0.91
Probe	1.00	1.00	1.00
Web Attack	0.87	1.00	0.93
Botnet	1.00	1.00	1.00
平均值	0.96	0.99	0.98	—