CATS Working Group                                               M. Li
Internet-Draft                                                 H. Zhou
Intended status: Proposed Standard                             S. Deng
Expires: November 15, 2024                                     W. Wang
                                           Beijing Jiaotong University
                                                            April 2024

         Computing-aware Traffic Steering for attack detection
                   draft-li-cats-attack-detection-01

Abstract

   This document describes the closed-loop framework for computing-aware
   traffic steering for attack detection (CATS-AD).  The computing-aware
   traffic steering is determined by composing selected service
   instances and overlay links.  The service instances are selected
   according to their computing power.  This document describes the
   closed-loop framework for attack detection and how to select and
   combine service instances to form a computing-aware service function
   chain (SFC).

Status of this Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current
   Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on November 15, 2024.

Copyright Notice

   Copyright (c) 2024 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

Li, et al.              Expires November 15, 2024               [Page 1]

Internet-Draft              Attack detection                  April 2024

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.
   Code Components extracted from this document must include Revised
   BSD License text as described in Section 4.e of the Trust Legal
   Provisions and are provided without warranty as described in the
   Revised BSD License.

Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Terminology  . . . . . . . . . . . . . . . . . . . . . . . .   3
   3.  CATS-AD Framework and Components . . . . . . . . . . . . . .   4
     3.1.  Service Sites and Service Instances  . . . . . . . . . .   5
     3.2.  CATS-Network Metric Agent (C-NMA)  . . . . . . . . . . .   5
     3.3.  CATS-Path Selector (C-PS)  . . . . . . . . . . . . . . .   6
     3.4.  CATS service instances manager (C-SM)  . . . . . . . . .   6
     3.5.  CATS Manager (CM)  . . . . . . . . . . . . . . . . . . .   6
     3.6.  CATS Classifier (CC) . . . . . . . . . . . . . . . . . .   6
   4.  CATS-AD Framework Workflow . . . . . . . . . . . . . . . . .   7
   5.  Security Considerations  . . . . . . . . . . . . . . . . . .   8
   6.  IANA Considerations  . . . . . . . . . . . . . . . . . . . .   9
   7.  References . . . . . . . . . . . . . . . . . . . . . . . . .   9
     7.1.  Normative References . . . . . . . . . . . . . . . . . .   9
     7.2.  Informative References . . . . . . . . . . . . . . . . .   9
   8.  Acknowledgments  . . . . . . . . . . . . . . . . . . . . . .   9
   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . .  10

1.  Introduction

   In this document, computing power covers three kinds of information
   about a service instance: its detection results, the traffic
   features it observes, and its resource usage status.  In the CATS-AD
   framework, the CATS path selector (C-PS) selects service instances
   based on their computing power, forms computing-aware high-level
   branching path policies, and sends them to the CATS service
   instances manager (C-SM).  The C-SM translates the high-level
   branching path policies into low-level branching path policies and
   sends those to the CATS manager (CM).  The CM transforms the
   low-level branching path policies into flow tables and delivers the
   flow tables to the CATS classifier (CC) and to the service instances.
   The CC and the service instances receive the flow tables, and the
   service instances are connected sequentially according to those flow
   tables to form computing-aware service function chains (SFCs)
   [I-D.ietf-cats-computing-aware-sfc-usecase].

   The computing-aware service instances in the computing-aware SFCs
   include various malicious traffic detection modules and a firewall,
   which are used to detect different types of malicious traffic, such
   as DDoS attacks.  Traffic is first directed into the computing-aware
   SFC by the CC and then passes sequentially through the selected
   computing-aware service instances to complete attack detection.
   Based on the computing power, the C-PS adjusts the branching path
   policies to improve the malicious traffic detection capability.  The
   framework thus forms a closed loop.  This document mainly introduces
   the closed-loop CATS-AD framework and how service instances are
   selected and combined based on their computing power.

2.  Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in BCP 14 [RFC2119]
   [RFC8174].

   This document makes use of the following terms:

   Computing-Aware Traffic Steering for Attack Detection (CATS-AD):  A
      traffic engineering approach [I-D.ietf-cats-framework-03] that
      considers detection results, traffic features, and resource usage
      status to optimize computing-aware service function chains (SFCs)
      for various security requirements.

   Service instance:  A computing-aware security module that typically
      runs in a service site.  Different service sites have different
      detection capabilities and apply to various types of attacks,
      such as DDoS attacks.

   Service site:  A service site consists of a service instance and a
      CATS-forwarder and is required to provide security services.

   CATS-forwarder:  A network device that directs traffic to different
      service sites in the correct order.

   CATS-Network Metric Agent (C-NMA):  A functional entity responsible
      for collecting computing power information, which includes
      detection results and resource usage status, and for reporting it
      to a CATS path selector (C-PS).

   CATS path selector (C-PS):  A computational logic that selects and
      combines service instances and generates branching path
      information based on the detection results, traffic features, and
      resource usage status.  The path information is then delivered to
      both the CATS service instances manager (C-SM) and the CATS
      Manager (CM) for the creation of the flow tables.

   CATS service instances manager (C-SM):  An entity that controls and
      manages service instances and translates a high-level branching
      path policy into the corresponding low-level path policy.

   CATS Manager (CM):  An entity that receives the path information of
      the low-level policy and updates the flow tables.  Based on the
      flow tables, the CM decides how to modify the original rules for
      incoming new traffic so as to guide attack traffic detection.

   CATS classifier (CC):  An entity responsible for guiding packets
      along a computing-aware SFC and for deciding which destination
      host each packet arrives at.

3.  CATS-AD Framework and Components

   When faced with attackers' traffic, CATS-AD provides computing-aware
   SFCs on demand to meet security requirements, based on detection
   results, traffic features, and resource usage status.  The main
   CATS-AD functional elements and their interactions are shown in
   Figure 1.

   [Figure 1 is an ASCII diagram that did not survive extraction.  Its
   labels: a control plane of C-NMA -> C-PS -> C-SM -> CM above a data
   plane in which traffic from the Attack host enters the Ingress CC,
   traverses service sites (each a CATS Forwarder with a Service
   instance: LCSM, DCSM, NCSM, BCSM, ACSM, Firewall), and leaves via the
   Egress CC towards the Destination host.]

                Figure 1: CATS-AD Functional Components

3.1.  Service Sites and Service Instances

   The service site consists of CATS-forwarders and service instances.
   The CATS-forwarders direct traffic to the service sites in the
   correct order.  The service instances host specific network
   functions or services; these network functions typically run in a
   virtualized manner (i.e., in containers).  A container holds one or
   more specific service instances, such as computing-aware security
   modules.  The service instances include the low-rate attack
   computing-aware security module (LCSM), the application
   computing-aware security module (ACSM), the botnet computing-aware
   security detection module (BCSM), the network attack computing-aware
   security module (NCSM), the DRDoS computing-aware security module
   (DCSM), and a firewall.  The LCSM detects slow body, shrew, slow
   headers, and slow read attacks.  The ACSM detects CC, HTTP-Get,
   HTTP-Post, and HTTP-Flood attacks.  The BCSM detects Ares, Byob,
   Mirai, and Zeus attacks.  The NCSM detects ACK, UDP, and SYN attacks.
   The DCSM detects TFTP, SSDP, NTP, and Chargen attacks.  The firewall
   inspects packet payloads and decides whether to forward or discard
   each packet.  A service site receives the low-level branching path
   policy from the C-SM and is configured according to it to carry out
   traffic detection.

3.2.  CATS-Network Metric Agent (C-NMA)

   The C-NMA is a functional component that gathers computing power
   information.  The computing power information includes the service
   instances' detection results, traffic features, and resource usage
   status [I-D.ietf-i2nsf-intelligent-detection-00].  The detection
   results reflect the detection performance of a detection module,
   such as its accuracy, precision, and recall.  The traffic features
   are network traffic attributes that aid anomaly detection and
   security analysis; they include packet rate, average packet length,
   source IP entropy, and destination port entropy.
   The resource usage status reflects the performance of the
   computing-aware SFCs; it includes CPU utilization rate, memory
   utilization rate, TTL entropy, and packet variance.

3.3.  CATS-Path Selector (C-PS)

   The C-PS uses the computing power information collected by the C-NMA
   to select the optimal branching path and infer the branching path
   policy, which is then delivered to both the C-SM and the CM to create
   the flow tables.  An algorithm selects the best main path for the
   computing-aware SFC; the details of this algorithm are not elaborated
   in this draft.  Once the main path has been generated, the C-PS
   obtains the detection results of each service instance, which serve
   as the basis for deciding whether a service instance (i.e., LCSM in
   Figure 1) acts as a branching point.  The detected attack traffic is
   directed through branching paths (i.e., DCSM and NCSM in Figure 1)
   for further detection and then forwarded to the firewall for
   blocking.

3.4.  CATS service instances manager (C-SM)

   The C-SM extracts the attributes of a high-level branching path
   policy, performs data transformation, and generates low-level
   branching path policies
   [I-D.ietf-i2nsf-security-management-automation].  The C-SM extracts
   attributes from the high-level policy, matches them with the
   corresponding IP addresses, and transforms them into specific path
   information.  The C-SM then sends this data to the CM for further
   path policy conversion.

3.5.  CATS Manager (CM)

   The CM receives path policy information from the C-SM and converts it
   into flow tables, which are then deployed to the CATS-classifiers and
   CATS-forwarders.  The flow tables are determined jointly by the
   classification criteria and the path information of the path policy.
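
   As an added illustration of how a CM could combine classification
   criteria with path information (this is example code, not the
   draft's own), the following builds a small flow table from a
   low-level branching path policy and applies it as the ingress CATS
   classifier of Section 3.6 would, including the 5-tuple blacklist
   drop of step 8 in Section 4.  The policy layout, the match fields
   and the "UDP goes to the branch path" criterion are assumptions; the
   addresses are constructed from documentation ranges.

```python
"""Added example, not code from the draft: derive a flow table from a
low-level branching path policy (CM) and apply it at the ingress CC.
Policy layout, match fields and the UDP branching criterion are
assumptions; addresses are constructed from documentation ranges."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class FlowEntry:
    """One flow-table rule: classification criteria plus the action."""
    priority: int                 # highest matching priority wins
    src: str = "0.0.0.0/0"        # source prefix
    dst: str = "0.0.0.0/0"        # destination prefix
    sport: Optional[int] = None   # None matches any port
    dport: Optional[int] = None
    proto: Optional[str] = None   # "tcp", "udp" or None for any
    action: str = "forward"       # "forward" along path, or "drop"
    path: Tuple[str, ...] = ()    # service instances, ingress to egress

    def matches(self, pkt: Dict) -> bool:
        return (ip_address(pkt["sip"]) in ip_network(self.src)
                and ip_address(pkt["dip"]) in ip_network(self.dst)
                and self.sport in (None, pkt["sp"])
                and self.dport in (None, pkt["dp"])
                and self.proto in (None, pkt["pro"]))

# Constructed low-level policy as the C-SM might hand to the CM: the main
# path ends in the firewall, LCSM is the branching point whose detections
# are steered via DCSM and NCSM, and the blacklist holds (SIP, DIP, SP,
# DP, Pro) tuples to drop.
POLICY = {
    "main_path": ("LCSM", "ACSM", "BCSM", "Firewall"),
    "branch_criteria": {"proto": "udp"},    # constructed criterion
    "branch_path": ("LCSM", "DCSM", "NCSM", "Firewall"),
    "blacklist": [("198.51.100.7", "192.0.2.10", 44321, 80, "tcp")],
}

def build_flow_table(policy: Dict) -> List[FlowEntry]:
    """CM step: combine classification criteria with path information."""
    table = [FlowEntry(priority=100, src=f"{sip}/32", dst=f"{dip}/32",
                       sport=sp, dport=dp, proto=pro, action="drop")
             for sip, dip, sp, dp, pro in policy["blacklist"]]
    crit = policy["branch_criteria"]
    table.append(FlowEntry(priority=10, proto=crit.get("proto"),
                           dport=crit.get("dport"),
                           path=policy["branch_path"]))
    table.append(FlowEntry(priority=0, path=policy["main_path"]))
    return sorted(table, key=lambda e: -e.priority)

def classify(table: List[FlowEntry], pkt: Dict) -> Tuple[str, Tuple[str, ...]]:
    """Ingress CC step: the first (highest-priority) matching entry decides."""
    for entry in table:
        if entry.matches(pkt):
            return entry.action, entry.path
    raise LookupError("flow table has no default entry")

if __name__ == "__main__":
    tbl = build_flow_table(POLICY)
    pkt = {"sip": "198.51.100.7", "dip": "192.0.2.10",
           "sp": 44321, "dp": 80, "pro": "tcp"}
    print(classify(tbl, pkt))   # ('drop', ()): the 5-tuple is blacklisted
```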
   The CATS-classifiers route different types of traffic through
   distinct SFCs based on characteristics such as IP addresses, port
   numbers, and protocol numbers.  The role of the CATS-forwarders is
   explained in Section 3.1.

3.6.  CATS Classifier (CC)

   The CATS-classifiers comprise an ingress classifier and an egress
   classifier.  In the ingress classifier, the flow table guides packets
   onto a path, and the forwarders are responsible for forwarding the
   traffic.  In the egress classifier, the flow table decides which
   packets arrive at which destination host.

4.  CATS-AD Framework Workflow

   When DDoS attacks are present in the network, the C-SM sends
   subscription commands to the service sites and collects computing
   power information from them.  The algorithm processes and analyzes
   these data to provide the optimal branching path.  The C-SM
   translates the paths into high-level policies and sends them to the
   CM.  The C-SM extracts data from the high-level policies; this data
   is then mapped to the corresponding path data to generate low-level
   policies.  The path information of the low-level policies is
   transmitted to the CM to update the flow tables.  The flow tables
   are then passed to the service sites, which use them to forward
   traffic to the selected service instances.  Each computing-aware
   service instance follows the same operational flow, shown in
   Figure 2, although their detection methods differ.
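
   The computing power information a service instance reports to the
   C-NMA (Section 3.2) and the detection metrics scored in step 7 of the
   workflow below can be computed as in the following added example
   (not code from the draft).  The packet records and the true/predicted
   labels are constructed; MTDC is not defined in this draft and is
   left out.

```python
"""Added example, not code from the draft: traffic features of Section
3.2 and the precision/recall/F1 detection results of step 7, for both
coarse-grained and fine-grained detection (step 6).  Packet records and
labels are constructed."""
from collections import Counter
from math import log2
from statistics import pvariance
from typing import Dict, List

def entropy(values: List) -> float:
    """Shannon entropy (bits) of the empirical distribution of values."""
    n = len(values)
    return -sum(c / n * log2(c / n) for c in Counter(values).values())

def traffic_features(packets: List[Dict], window_s: float) -> Dict[str, float]:
    """Traffic features named in Section 3.2 over one observation window."""
    sizes = [p["len"] for p in packets]
    return {
        "packet_rate": len(packets) / window_s,
        "avg_packet_len": sum(sizes) / len(sizes),
        "packet_variance": pvariance(sizes),
        "src_ip_entropy": entropy([p["sip"] for p in packets]),
        "dst_port_entropy": entropy([p["dp"] for p in packets]),
        "ttl_entropy": entropy([p["ttl"] for p in packets]),
    }

def prf(truth: List[str], pred: List[str], cls: str) -> Dict[str, float]:
    """Precision, recall and F1 of one class from labelled results."""
    tp = sum(t == cls and p == cls for t, p in zip(truth, pred))
    fp = sum(t != cls and p == cls for t, p in zip(truth, pred))
    fn = sum(t == cls and p != cls for t, p in zip(truth, pred))
    prec = tp / (tp + fp) if tp + fp else 0.0
    rec = tp / (tp + fn) if tp + fn else 0.0
    f1 = 2 * prec * rec / (prec + rec) if prec + rec else 0.0
    return {"precision": prec, "recall": rec, "f1": f1}

def detection_results(truth: List[str], pred: List[str]) -> Dict[str, Dict[str, float]]:
    """Coarse-grained (attack vs benign) result plus one fine-grained
    result per attack type present in the ground truth."""
    def coarse(labels: List[str]) -> List[str]:
        return ["benign" if x == "benign" else "attack" for x in labels]
    results = {"coarse:attack": prf(coarse(truth), coarse(pred), "attack")}
    for cls in sorted(set(truth) - {"benign"}):
        results["fine:" + cls] = prf(truth, pred, cls)
    return results

# Constructed 2 s window: four distinct sources hitting port 80 plus one
# host talking to ports 443 and 53; every packet carries TTL 64, so the
# TTL entropy of this window is zero.
PACKETS = (
    [{"sip": f"203.0.113.{i}", "dp": 80, "ttl": 64, "len": 60} for i in range(1, 5)]
    + [{"sip": "198.51.100.9", "dp": 443, "ttl": 64, "len": 1500}] * 2
    + [{"sip": "198.51.100.9", "dp": 53, "ttl": 64, "len": 1500}] * 2
)
# Constructed per-flow labels: dataset truth versus the model's output.
TRUTH = ["benign", "benign", "SYN", "SYN", "SYN", "UDP", "UDP", "benign"]
PRED = ["benign", "SYN", "SYN", "SYN", "benign", "UDP", "ACK", "benign"]

if __name__ == "__main__":
    print(traffic_features(PACKETS, 2.0))
    print(detection_results(TRUTH, PRED))
```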

   Further details of the computing-aware service sites are as follows
   [Two-Stage Intelligent Model for Detecting Malicious DDoS Behavior]:

   [Figure 2 is an ASCII diagram that did not survive extraction.  Its
   labels: the control loop C-NMA -> C-PS -> C-SM -> CM -> (CC, CATS
   Forwarder, Service instance), and inside a service instance the
   pipeline parsing module -> feature extraction -> data preprocessing
   -> feature selection -> well-trained model -> security detection ->
   computing power metrics -> drop flow, with the computing power
   metrics reported back to the C-NMA.]

                  Figure 2: CATS-AD Framework Workflow

   1.  The parsing module is responsible for listening to the
       transmitted traffic.  In addition, a network diagnostic tool
       periodically collects raw traffic into a pcap file.

   2.  A network traffic analysis tool extracts flow-based features from
       the raw traffic, including statistical attributes such as
       timestamp, source port, destination port, source IP, destination
       IP, flow duration, and the maximum, mean, and minimum packet
       sizes.

   3.  To ensure data quality, data preprocessing cleans the flow-based
       features, including normalization and standardization.

   4.
       The next step is feature selection.  Feature selection aims to
       extract and gather the most representative network features for
       detection in each computing-aware security module.

   5.  The selected features are fed into the well-trained model to
       classify the traffic finely.  A well-trained model is a machine
       learning or deep learning model trained on sufficient historical
       attack traffic that can accurately classify new attack traffic.

   6.  The well-trained model automatically learns the nonlinear
       relationships among the selected features and can quickly
       complete both coarse-grained and fine-grained detection.
       Coarse-grained detection means that every computing-aware
       security module distinguishes attack traffic from benign
       traffic; fine-grained detection means that attack traffic is
       classified into specific types.

   7.  The well-trained model's computing power metrics are precision,
       recall, malicious traffic detection capability (MTDC), and
       F1-score.

   8.  If the SIP, DIP, SP, DP, and Pro (source IP, destination IP,
       source port, destination port, and protocol) features of a flow
       are in the blacklist, the malicious traffic is dropped, so that
       attack traffic does not interfere with normal traffic and benign
       traffic can reach the destination hosts unhindered.

5.  Security Considerations

   Attackers may pose various threats to the operation of the CATS-AD
   framework, including the theft or tampering of the information
   collected by the C-NMA, which is crucial for network management and
   service delivery.  CATS-AD should therefore be equipped with
   anti-attack capabilities to defend against intruders, ensuring the
   security of the computational and network information as well as the
   reliability and stability of the network.

6.  IANA Considerations

   This document has no IANA actions.

7.  References

7.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017.

7.2.  Informative References

   [I-D.ietf-cats-computing-aware-sfc-usecase]
              Zhang, S. and X. Chen, "Use Cases of Computing-aware
              Service Function Chaining (SFC)", Work in Progress,
              Internet-Draft,
              draft-zhang-cats-computing-aware-sfc-usecase-00,
              September 2023.

   [I-D.ietf-cats-framework-03]
              Li, C., Du, Z., Boucadair, M., Contreras, L. M., Drake,
              J., Huang, G., and G. Mishra, "A Framework for
              Computing-Aware Traffic Steering (CATS)", Work in
              Progress, Internet-Draft, draft-ldbc-cats-framework-03,
              August 2023.

   [I-D.ietf-i2nsf-intelligent-detection-00]
              Wang, W., Zhou, H., Li, M., Guo, Q., and S. Deng, "YANG
              Data Models for Attacks Intelligent Detection", Work in
              Progress, Internet-Draft,
              draft-wang-i2nsf-intelligent-detection, February 2023.

   [I-D.ietf-i2nsf-security-management-automation]
              Jeong, J., Lingga, P., and J. Park, "An Extension of
              I2NSF Framework for Security Management Automation in
              Cloud-Based Security Services", Work in Progress,
              Internet-Draft,
              draft-jeong-i2nsf-security-management-automation-04,
              25 July 2022.

   [Two-Stage Intelligent Model for Detecting Malicious DDoS Behavior]
              Li, M., Zhou, H., and Y. Qin, "Two-Stage Intelligent
              Model for Detecting Malicious DDoS Behavior", Sensors,
              vol. 22, 2532, 2022.

8.  Acknowledgments

   TBC

Authors' Addresses

   Man Li
   Beijing Jiaotong University
   Beijing

   Phone: 86-18810911698
   Email: 20111018@bjtu.edu.cn

   Huachun Zhou
   Beijing Jiaotong University
   Beijing

   Phone: 86-13718168186
   Email: hchzhou@bjtu.edu.cn

   Shuangxing Deng
   Beijing Jiaotong University
   Beijing

   Phone: 86-13040062046
   Email: 21120038@bjtu.edu.cn

   Weilin Wang
   Beijing Jiaotong University
   Beijing

   Phone: 86-15910887582
   Email: 21111026@bjtu.edu.cn