Use case system 1 - Blink

[divyapathak24]

1. Design: Component 1: Config file

• Features - flow size and flow duration
• Registers - registers that samples 64 flows

Component 2: Control Plane collecting features after regular intervals

• bmv2 setup: After every 5 secs
• CAIDA setup: After every 0.8 secs

Component 3: ML model

• Isolation Forest
• Training data: Normal instances (normal, normal congestion/pkt loss, attack)
• Testing data: Normal + attack instances Question: Issue with the function of features.

2. Blink experiments: - Work done so far and to-do items:

• bmv2 (synthetic)

  1. Component 1: Implementation of collection logic on bmv2 for features flow size and flow duration
  2. Component 2: Features collected for normal (no congestion/pkt loss), normal link failure and attack experiments
  3. Component 3:

• Train IF with normal and normal link failure dataset with varied thresholds and contamination parameter - Function 1: Feed per instance 64 x ( FS,FD) pairs to the IF ML model

• Test IF with normal, normal link failure and attack datasets

  4. Plot 2 (2.a and 2.b) completed
  5. To do: Experiment plot 3

• python (CAIDA)

  1. Component 1: Implementation of collection logic for features flow size and flow duration
  2. Component 2:

• Collected flow size, flow duration for normal (<15%), normal link failure (15% & above) and attack pcaps

• Todo: Get Plot 1 to label normal instances and get concrete boundary (~% retrans represents link failure, congestion/pkt loss )

  4. Component 3:

• Todo: Fix an appropriate representation of flow stats for training IF (Function 1 (FS,FD) tuple not working)

• Todo: Train IF with normal, normal link failure pcaps

• Todo: Test IF with attack pcaps

  5. To do: Plots 2 and 3

[praveenabt]

@divyapathak24
Update BMV2 and CAIDA attack generations steps..

[divyapathak24]

Attack generation steps:

• BMV2:

• Legitimate traffic:

  1. We open 3000 TCP sockets at end hosts h1 and h2 using a multiprocess python3 script. The flows are generated at the rate of 20 flows per second.

• Attack traffic:

  1. We generate 5.25% of malicious TCP flows, that is, a total of ~150 TCP flows.
  2. We did not establish any real TCP connection with the end host h2.
  3. We use scapy library to craft a packet for a flow.
  4. We send the same packet multiple times with random packets per second (PPS), emulating fake TCP retransmissions ensuring that attack flows are active (at least 1 packet per 2 seconds)
  5. As soon as the threshold crosses 32, blink reroutes traffic to the backup paths, although there is no link failure.

• CAIDA:

• Legitimate traffic: CAIDA 2018 dirA /24 pcaps having retransmission in the range 0-15% and avg flows per window around 50. The following table shows link failure pcaps.

% retransmission	prefix	pcap_name	Average Flows per Window(monitored by blink)	Average Flow Duration
15.625	138-152-126	135600	52.216	7.212
20.3125	215-177-242	135600	60.31	10.715
15.625	199-169-194	135600	47.216	7.768
20.3125	251-100-166	135600	41.594	12.027
17.1875	207-183-82	135600	56.027	10.81
20.3125	251-100-165	135600	52.972	14.535
15.625	198-231-53	135600	56.175	12.017
18.75	0215-4-19	135600	53.459	3.713
20.3125	199-169-194	132100	53.067	8.303
18.75	116-246-215	131600	63.972	17.848
18.75	207-183-82	131600	56.054	10.69
17.1875	131-26-13	132100	24.027
17.1875	199-169-194	130100	52.918	8.958
15.625	73-165-69	130100	29.743

• Attack traffic: Steps used for generation:
  1. Extract random 2% TCP flows from normal trace (0-15% retransmission) and remove these 2% flows from original normal trace
  2. Extract a payload packet from each of the 2% flows. We treat these flows as attack flows
  3. Create a new pcap using python3 such that a new attack flow is started every second
  4. So, at 1st sec, we have a packet from attack flow1, at 2nd sec, we have re-transmitted packet from attack flow1 plus a packet from a new attack flow2 and so on.
  5. Within 2 sec, we observe packets of same attack flow -- we infer that attack flows are active
  6. Attack flows are active till the end of the experiment i.e 60 secs

% retransmission	prefix	pcap	Average Flows per Window(monitored by blink)	Average Flow Duration	Total TCP flows	pps	% Attack flows required to launch attack
3.125	251-215-113	131600	52.68	10.299	1800	588
6.25	135-79-171	130100	63.91	10.52	13000	11858	1.6%
10.9375	205-139-35	131600	60.79	11.2	2100	428	1.92%
14.065	205-164-190	130100	58.79	12.3	1000	337	1.36%

[divyapathak24]

Datasets details for component 3: Train and test IF

1. BMV2: Training Dataset - 122 instances
   • 50 normal case - 0% packet loss
   • 52 Packet loss - 5,10,15% packet loss - 17,18,17 instances each
   • 20 normal link failure case (>50%)

Testing Dataset- 20 experiments (collection of instances)

• 6 normal experiments (3 normal, 3 packet loss 5%, 10%, 12%)
• 7 normal link failure experiments - influences FPR
• 7 attack case experiments - influences FNR

2. CAIDA Training dataset:
   • Normal : 2 pcaps ( each pcap having ~70 instances )
   • Normal-Link-Failure : 4 pcaps ( each pcap having ~70 instances )

Testing Dataset:

• Normal : 2 pcaps
• Normal-Link-Failure : 4 pcaps
• Attack-Scenario : 4 pcaps