CATS Working Group                                                 M. Li
Internet-Draft                                                   H. Zhou
Intended status: Proposed Standard                               S. Deng
Expires: June 13, 2024                                           W. Wang
                                              Beijing Jiaotong University


              Computing-aware Traffic Steering for attack detection
                       draft-li-cats-attack-detection-00

Abstract

   This document describes a closed-loop framework for computing-aware
   traffic steering for attack detection (CATS-AD). The computing-aware
   traffic steering is determined by composing selected service
   instances and overlay links, where the service instances are selected
   according to their computing power. This document describes the
   closed-loop framework for attack detection and how service instances
   are selected and combined to form a computing-aware service function
   chain (SFC).

Status of this Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on June 13, 2024.

Copyright Notice

   Copyright (c) 2023 IETF Trust and the persons identified as the
   document authors. All rights reserved.

Li, et al.            Expires June 13, 2024                [Page 1]


Internet-Draft   Attack detection     October 2023

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document. Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document. Code Components extracted from this document must
   include Revised BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Revised BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Terminology . . . . . . . . . . . . . . . . . . . . . . . . .   3
   3.  CATS-AD Framework and Components  . . . . . . . . . . . . . .   4
     3.1.  Service Sites and Service Instances . . . . . . . . . . .   5
     3.2.  CATS-Network Metric Agent (C-NMA) . . . . . . . . . . . .   5
     3.3.  CATS-Path Selector (C-PS) . . . . . . . . . . . . . . . .   6
     3.4.  CATS Service Instances Manager (C-SM) . . . . . . . . . .   6
     3.5.  CATS Manager (CM) . . . . . . . . . . . . . . . . . . . .   6
     3.6.  CATS Classifier (CC)  . . . . . . . . . . . . . . . . . .   6
   4.  CATS-AD Framework Workflow  . . . . . . . . . . . . . . . . .   7
   5.  Security Considerations . . . . . . . . . . . . . . . . . . .   8
   6.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   9
   7.  References  . . . . . . . . . . . . . . . . . . . . . . . . .   9
     7.1.  Normative References  . . . . . . . . . . . . . . . . . .   9
     7.2.  Informative References  . . . . . . . . . . . . . . . . .   9
   8.  Acknowledgments . . . . . . . . . . . . . . . . . . . . . . .   9
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  10

1. Introduction

   In this document, the computing power of a service instance includes
   its detection results, traffic features, and resource usage status.
   In the CATS-AD framework, the CATS path selector (C-PS) selects
   service instances based on their computing power, forms
   computing-aware high-level branching path policies, and sends them
   to the CATS service instances manager (C-SM). The C-SM translates the
   high-level branching path policies into low-level branching path
   policies and sends them to the CATS manager (CM). The CM transforms
   the low-level branching path policies into flow tables and delivers
   the flow tables to the CATS classifier (CC) and the service
   instances. According to the flow tables, the service instances are
   connected sequentially to form computing-aware service function
   chains (SFCs) [I-D. ietf-cats-computing-aware-sfc-usecase].

   The computing-aware service instances in the computing-aware SFCs
   include various malicious traffic detection modules and a firewall,
   which are used to detect different types of malicious traffic, such
   as DDoS attacks. The traffic is first directed to the computing-aware
   SFC through the CC and then passes sequentially through the selected
   computing-aware service instances to complete attack detection.
   Based on the computing power, the C-PS adjusts the branching path
   policies to improve the malicious traffic detection capability. Thus,
   the framework forms a closed-loop architecture. This document mainly
   introduces the closed-loop CATS-AD framework and how service
   instances are selected and combined based on their computing power.

2. Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in BCP 14 [RFC2119]
   [RFC8174].

   This document makes use of the following terms:

   Computing-Aware Traffic Steering for Attack Detection (CATS-AD): A
   traffic engineering approach [I-D. ietf-cats-framework-03] that
   considers detection results, traffic features, and resource usage
   status to optimize computing-aware service function chains (SFCs)
   for various security requirements.

   Service instance: A computing-aware security module that typically
   runs in a service site. Different service sites have different
   detection capabilities and apply to various types of attacks, such
   as DDoS attacks.

   Service site: A service site consists of a service instance and a
   CATS-forwarder, and is required to provide security services.

   CATS-forwarder: A network device that directs traffic to different
   service sites in the correct order.

   CATS-Network Metric Agent (C-NMA): A functional entity responsible
   for collecting computing power information, which includes detection
   results and resource usage status, and for reporting it to a CATS
   path selector (C-PS).

   CATS path selector (C-PS): A computational logic that selects and
   combines service instances and generates branching path information
   based on the detection results, traffic features, and resource usage
   status. Subsequently, the path information can be delivered to both
   the CATS service instances manager (C-SM) and the CATS Manager (CM)
   for the creation of the flow tables.

   CATS service instances manager (C-SM): An entity that controls and
   manages service instances and translates a high-level branching path
   policy into the corresponding low-level path policy.

   CATS Manager (CM): An entity that receives the path information of
   the low-level policy and updates the flow tables. Based on the flow
   tables, the CM decides how to modify the original rules for incoming
   new traffic to guide attack traffic detection.

   CATS classifier (CC): An entity that is responsible for guiding
   packets along a computing-aware SFC and deciding which destination
   host each packet arrives at.

3. CATS-AD Framework and Components

   Faced with attackers' traffic, CATS-AD provides computing-aware SFCs
   on demand to meet security requirements based on detection results,
   traffic features, and resource usage status. The main CATS-AD
   functional elements and their interactions are shown in Figure 1.

+------------------------------------------------------------------+
|   +---------+     +---------+     +---------+     +---------+    |
|   |         |     |         |     |         |     |         |    |
|   |  C-NMA  +---->+  C-PS   +---->+  C-SM   +---->+   CM    |    |
|   |         |     |         |     |         |     |         |    |
|   +---------+     +-------+-+     +-------+-+     +---------+    |
+-------+-------------------|---------------|----------------------+
        ^                   |               |
        |                   v               v
+-------+-------------------+---------------+----------------------+
|                                                    +-----------+ |
| +-----------+   +-------------+  +-------------+   |Destination| |
| |Attack host|   | +---------+ |  | +---------+ |   |    host   | |
| +----+------+   | |  CATS   | |  | |  CATS   | |   +----+------+ |
|      |          | |Forwarder| |  | |Forwarder| |        ^        |
| +----v-----+    | +---------+ |  | +---------+ |  +-----+------+ |
| |Ingress CC|    | +---------+ +->+ +---------+ |  | Egress CC  | |
| +----+-----+    | | Service | |  | | Service | |  +-----+------+ |
|      |          | | instance| |  | | instance| |        ^        |
+------v-------+  | | (BCSM)  | |  | | (ACSM)  | |  +--------------+
|| +---------+ +->+ +---------+ |  | +---------+ +->+ +---------+ ||
|| |  CATS   | |  +-------------+  +-------------+  | |  CATS   | ||
|| |Forwarder| |                                    | |Forwarder| ||
|| +---------+ |  +-------------+  +-------------+  | +---------+ ||
|| +---------+ |  | +---------+ |  | +---------+ |  | +---------+ ||
|| | Service | |  | |  CATS   | |  | |  CATS   | |  | | Service | ||
|| | instance| |  | |Forwarder| |  | |Forwarder| |  | | instance| ||
|| | (LCSM)  | +->+ +---------+ +->+ +---------+ +->+ | Firewall| ||
|| +---------+ |  | +---------+ |  | +---------+ |  | +---------+ ||
+--------------+  | | Service | |  | | Service | |  +--------------+
| Service site    | | instance| |  | | instance| |   Service site  |
|                 | | (DCSM)  | |  | | (NCSM)  | |                 |
|                 | +---------+ |  | +---------+ |                 |
|                 +-------------+  +-------------+                 |
|                  Service site     Service site                   |
+------------------------------------------------------------------+
Figure 1 CATS-AD Functional Components

3.1 Service Sites and Service Instances

   A service site consists of CATS-forwarders and service instances.
   The CATS-forwarders direct traffic to different service sites in the
   correct order. The service instances host specific network functions
   or services, which typically run in a virtualized manner (i.e., in
   containers). A container holds one or more specific service
   instances, such as computing-aware security modules. The service
   instances include the low-rate attack computing-aware security
   module (LCSM), the application computing-aware security module
   (ACSM), the botnet computing-aware security detection module (BCSM),
   the network attack computing-aware security module (NCSM), the DRDoS
   computing-aware security module (DCSM), and the firewall. The LCSM
   detects slow body, shrew, slow headers, and slow read attacks. The
   ACSM detects CC, HTTP-Get, HTTP-Post, and HTTP-Flood attacks. The
   BCSM detects Ares, Byob, Mirai, and Zeus attacks. The NCSM detects
   ACK, UDP, and SYN attacks. The DCSM detects TFTP, SSDP, NTP, and
   Chargen attacks. The firewall inspects packet payloads and decides
   whether to forward or discard the packets. The service sites receive
   the low-level branching path policy from the C-SM and are configured
   accordingly to implement traffic detection.


3.2 CATS-Network Metric Agent (C-NMA)

   The C-NMA is a functional component that gathers computing power
   information. The computing power information includes the service
   instances' detection results, traffic features, and resource usage
   status [I-D. ietf-i2nsf-intelligent-detection-00]. The detection
   results reflect the detection performance of a detection module and
   include the service instance's accuracy, precision, recall, etc. The
   traffic features are network traffic attributes that aid in anomaly
   detection and security analysis; they include the packet rate,
   average packet length, source IP entropy, destination port entropy,
   etc. The resource usage status reflects the performance of the
   computing-aware SFCs and includes the CPU utilization rate, memory
   utilization rate, TTL entropy, packet variance, etc.
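   As an added illustration (not code from this draft or from any CATS
   implementation), the following Python computes, over a constructed
   window of packet records, the traffic features named above together
   with the two distribution-based resource metrics: packet rate,
   average packet length, source IP entropy, destination port entropy,
   TTL entropy, and packet length variance. The Packet schema, the two
   sample windows, and the use of Shannon entropy in bits are
   assumptions made for the example; the draft does not specify how the
   C-NMA measures these quantities.

```python
import math
from collections import Counter
from dataclasses import dataclass
from statistics import pvariance


@dataclass(frozen=True)
class Packet:
    """One observed packet reduced to the fields the metrics need (constructed schema)."""
    ts: float       # arrival time in seconds, relative to the window start
    src_ip: str
    dst_port: int
    length: int     # bytes on the wire
    ttl: int


def entropy_bits(values) -> float:
    """Shannon entropy, in bits, of the empirical distribution of `values`.
    0.0 means every packet carried the same value; log2(n) means n equally
    frequent values."""
    counts = Counter(values)
    total = sum(counts.values())
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def traffic_features(packets, window_seconds: float) -> dict:
    """Compute the Section 3.2 traffic features, plus TTL entropy and packet
    length variance, over one observation window of `window_seconds`."""
    if window_seconds <= 0:
        raise ValueError("window_seconds must be positive")
    keys = ("packet_rate", "avg_packet_length", "src_ip_entropy",
            "dst_port_entropy", "ttl_entropy", "packet_length_variance")
    if not packets:            # empty window: report zeros, never divide by zero
        return {k: 0.0 for k in keys}
    lengths = [p.length for p in packets]
    return {
        "packet_rate": len(packets) / window_seconds,
        "avg_packet_length": sum(lengths) / len(lengths),
        "src_ip_entropy": entropy_bits(p.src_ip for p in packets),
        "dst_port_entropy": entropy_bits(p.dst_port for p in packets),
        "ttl_entropy": entropy_bits(p.ttl for p in packets),
        "packet_length_variance": pvariance(lengths),
    }


# Constructed sample windows (not captured traffic).
# Benign: a few clients talking to a few services with mixed packet sizes.
BENIGN_WINDOW = [
    Packet(0.10, "10.0.0.1", 443, 1200, 64),
    Packet(0.55, "10.0.0.2", 53, 80, 64),
    Packet(1.20, "10.0.0.1", 443, 1400, 128),
    Packet(1.90, "10.0.0.3", 22, 120, 64),
]
# Flood-like: many distinct sources, one destination port, identical small packets.
FLOOD_WINDOW = [Packet(i * 0.1, f"192.0.2.{i + 1}", 80, 60, 64) for i in range(8)]


if __name__ == "__main__":
    for name, window, secs in (("benign", BENIGN_WINDOW, 2.0),
                               ("flood", FLOOD_WINDOW, 1.0)):
        print(name, traffic_features(window, secs))
```

   The two windows show why the C-NMA reports the entropies as a pair:
   the flood window has maximal source IP entropy (3.0 bits for eight
   distinct sources) and zero destination port entropy, while the
   benign window keeps both in the middle. A single feature on its own
   is easier to misread; the C-PS gets the whole vector.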

3.3 CATS-Path Selector (C-PS)

   The C-PS utilizes computing power information collected by the C-NMA
   to select the optimal branching path and infer the branching
   path policy, which can then be delivered to both C-SM and CM to
   create the flow tables. An algorithm is used to select the best main
   path for the computing-aware SFC. The implementation details of this
   algorithm are not elaborated on in the draft. Once the main path
   is generated, the C-PS can obtain the detection results for
   each service instance, which serves as a basis for determining
   whether a service instance (i.e., LCSM in Figure 1) functions
   as a branching point. The detected attack traffic is directed
   through branching paths
   (i.e., DCSM and NCSM as shown in Figure 1)
   for detection and then forwarded to the firewall for blocking.


3.4 CATS service instances manager (C-SM)

   The C-SM can extract the high-level branching path policy
   attributes, perform data transformation, and generate
   low-level branching path policies
   [I-D. ietf-i2nsf-security-management-automation].
   The C-SM extracts attributes from the high-level policy, matches
   them with corresponding IP addresses, and transforms them
   into specific path information. Subsequently, the C-SM sends
   this data to the CM for further path policy conversion.


3.5 CATS Manager (CM)

   The CM receives path policy information from the C-SM and
   converts it into flow tables, which are subsequently deployed
   to the CATS-classifiers and CATS-forwarders. The flow tables
   are collectively determined by integrating classification
   criteria and path information from the path policy.
   The CATS-classifiers route different types of traffic through
   distinct SFCs based on characteristics such as IP addresses,
   port numbers, protocol numbers, and so on. The role of the
   CATS-forwarders has been explained in Section 3.1.
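   As an added worked example (not the draft's own code or any CATS
   implementation), the following Python carries the Figure 1 layout
   through the stages described in Sections 3.3 to 3.5: a high-level
   branching path policy written in module names, its C-SM translation
   to service-site addresses, and the per-node flow tables the CM
   derives by combining the classifier's match criteria with the path
   information. The policy schema, the module-to-address inventory, the
   (match, next_hop) flow-table representation, and the node names
   ingress-cc and egress-cc are all assumptions. How the C-PS decides
   that the LCSM is the branching point is not elaborated in the draft,
   so that decision is taken as given input here.

```python
from dataclasses import dataclass, field


@dataclass
class BranchingPolicy:
    """A branching path policy (constructed schema). `main_path` is the ordered
    list of hops; `branches` maps (branching hop, detection verdict) to the
    branch path that traffic carrying that verdict is diverted onto. The C-PS
    emits it with module names; the C-SM rewrites it with site addresses."""
    main_path: list
    branches: dict = field(default_factory=dict)


# Inventory the C-SM consults: module name -> service-site address (constructed).
SERVICE_SITES = {
    "LCSM": "10.0.1.10", "ACSM": "10.0.1.11", "BCSM": "10.0.1.12",
    "NCSM": "10.0.1.13", "DCSM": "10.0.1.14", "Firewall": "10.0.1.15",
}


def translate_policy(high: BranchingPolicy, sites: dict) -> BranchingPolicy:
    """C-SM step (Section 3.4): match every module name in the high-level
    policy to the address of the site hosting it. A module with no deployed
    instance is an error the C-SM must surface, not a hop to skip silently."""
    def addr(module):
        try:
            return sites[module]
        except KeyError:
            raise KeyError(f"no service instance deployed for module {module!r}") from None
    return BranchingPolicy(
        main_path=[addr(m) for m in high.main_path],
        branches={(addr(m), verdict): [addr(x) for x in path]
                  for (m, verdict), path in high.branches.items()},
    )


def build_flow_tables(low: BranchingPolicy, classifier_match: dict,
                      ingress="ingress-cc", egress="egress-cc") -> dict:
    """CM step (Section 3.5): combine the classifier's match criteria with the
    path information into per-node flow tables, {node: [(match, next_hop)]}.
    A branching hop gets its verdict-specific entry before its default entry,
    so the branch wins whenever the verdict matches. Branches are assumed not
    to branch again (constructed simplification)."""
    tables = {ingress: [(dict(classifier_match), low.main_path[0])]}

    def add_path(path, branches):
        for i, node in enumerate(path):
            entries = tables.setdefault(node, [])
            for (hop, verdict), branch in branches.items():
                if hop == node:
                    entries.append(({"verdict": verdict}, branch[0]))
                    add_path(branch, {})
            nxt = path[i + 1] if i + 1 < len(path) else egress
            if ({}, nxt) not in entries:    # a hop shared by two paths keeps one default
                entries.append(({}, nxt))

    add_path(low.main_path, low.branches)
    return tables


def example_tables() -> dict:
    """Figure 1 layout: LCSM is the branching point; flagged traffic goes
    LCSM -> DCSM -> NCSM -> Firewall, everything else LCSM -> ACSM -> Firewall."""
    high = BranchingPolicy(
        main_path=["LCSM", "ACSM", "Firewall"],
        branches={("LCSM", "attack"): ["DCSM", "NCSM", "Firewall"]},
    )
    low = translate_policy(high, SERVICE_SITES)
    # Classification criteria (constructed): the flow is identified at the
    # ingress CC by destination IP and protocol number.
    return build_flow_tables(low, {"dst_ip": "198.51.100.5", "protocol": 6})


if __name__ == "__main__":
    for node, entries in example_tables().items():
        for match, nxt in entries:
            print(f"{node:12} {str(match or '*'):40} -> {nxt}")
```

   The default entry for the firewall appears once even though both
   paths end there, and the ingress table is the only one that carries
   the classifier's own match fields; every other table matches on
   position in the path (and, at the branching hop, on the verdict).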

3.6 CATS Classifier (CC)

   The CATS-classifiers have ingress classifier and egress classifier.
   In the ingress classifier, the flow table guides the packets
   passing through a path, and the forwarders are responsible
   for forwarding the traffic. In the egress classifier,
   the flow table decides which packets arrive at
   which destination host.

4. CATS-AD Framework Workflow

   When DDoS attacks exist in the network, the C-SM sends subscription
   commands to the service sites and collects computing power
   information from them. The algorithm processes and analyzes these
   data to provide the optimal branching path. The C-SM translates the
   paths into high-level policies and sends them to the CM. The C-SM
   extracts data from the high-level policies; this data is then mapped
   to the corresponding path data to generate low-level policies. The
   path information of the low-level policies is transmitted to the CM
   to update the flow tables. Subsequently, the flow tables are passed
   to the service sites, which use them to forward traffic to the
   selected service instances. Each computing-aware service instance
   follows the same operational flow shown in Figure 2, whereas their
   detection methods differ. Further details on the computing-aware
   service sites are described as follows
   [Two-Stage Intelligent Model for Detecting Malicious DDoS Behavior]:

      +---------+      +-----------------------------------------+
+---->+  C-NMA  |      |                                         |
|     +----+----+      |                                         |
|          |           |                                         |
|          v           |  +-------------+   +-----------------+  |
|     +----+----+      |  |   parsing   |   |     feature     |  |
|     |  C-PS   |      |  |   module    +-->+   extraction    |  |
|     +----+----+      |  +-------------+   +--------+--------+  |
|          |           |                             |           |
|          v           |                             |           |
|     +----+----+      |                             v           |
|     |  C-SM   |      |  +-------------+   +--------+--------+  |
|     +----+----+      |  |   feature   |   |      data       |  |
|          |           |  |  selection  +<--+  preprocessing  |  |
|          v           |  +------+------+   +-----------------+  |
|     +----+----+      |         |                               |
|     |   CM    |      |         |                               |
|     +----+----+      |         v                               |
|          |           |  +------+------+   +-----------------+  |
|          v           |  | well-trained|   |    Security     |  |
|  +---------------+   |  |    model    +-->+    detection    |  |
|  | +-----------+ |   |  +-------------+   +--------+--------+  |
|  | |    CC     | |   |                             |           |
|  | +-----------+ |   |                             |           |
|  | +-----------+ |   |                             v           |
|  | |   CATS    | |   |  +-------------+   +--------+--------+  |
|  | | Forwarder | |   |  |    drop     |   |    Computing    |  |
|  | +-----------+ |   |  |    flow     +<--+  power metrics  |  |
|  | +-----------+ |   |  +-------------+   +-----------------+  |
|  | |  Service  | |   |                                         |
+----+  instance +---->+                                         |
   | +-----------+ |   |                                         |
   +---------------+   +-----------------------------------------+

Figure 2 CATS-AD Framework Workflow

   1. The parsing module is responsible for listening to the
      transmitted traffic. Additionally, a network diagnostic tool
      periodically collects raw traffic into a pcap file.

   2. A network traffic analysis tool extracts flow-based features from
      the raw traffic, including statistical attributes, e.g.,
      timestamp, source port, destination port, source IP, destination
      IP, flow duration, and the max, mean, and min packet sizes.

   3. To ensure data quality, data preprocessing cleans the flow-based
      features, including normalization and standardization.

   4. The next step is feature selection, which aims to extract and
      gather the most representative network features for detection in
      each computing-aware security module.

   5. The selected features are fed into the well-trained model to
      finely classify the traffic. A well-trained model is a machine
      learning or deep learning model trained on sufficient historical
      attack traffic that can accurately classify new attack traffic.

   6. The well-trained model automatically learns the nonlinear
      relationships between the selected features and can quickly
      complete coarse-grained and fine-grained detection.
      Coarse-grained detection means that every computing-aware
      security module distinguishes attack traffic from benign
      traffic; fine-grained detection means that attack traffic is
      classified into specific types.

   7. The well-trained model's computing power metrics are precision,
      recall, malicious traffic detection capability (MTDC), and
      F1-score.

   8. If the SIP, DIP, SP, DP, and Pro traffic features of a flow are
      in the blacklist, the malicious traffic is dropped, so that
      attack traffic does not interfere with normal traffic and benign
      traffic can smoothly reach the destination hosts.
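   As an added example (not code from this draft or from the cited
   paper), the following Python covers steps 6 to 8 above for one
   service instance: coarse-grained and fine-grained detection metrics
   computed from constructed true labels and model verdicts, and a
   five-tuple (SIP, DIP, SP, DP, Pro) blacklist built from the verdicts
   and applied to a constructed set of flows. MTDC is named in step 7
   but not defined in this draft, so only precision, recall and
   F1-score are computed; the label names, flows and verdicts are
   constructed for the example.

```python
def confusion(y_true, y_pred, positive):
    """True positives, false positives and false negatives for one class."""
    pairs = list(zip(y_true, y_pred))
    tp = sum(1 for t, p in pairs if t == positive and p == positive)
    fp = sum(1 for t, p in pairs if t != positive and p == positive)
    fn = sum(1 for t, p in pairs if t == positive and p != positive)
    return tp, fp, fn


def precision_recall_f1(tp, fp, fn):
    """Step 7 metrics. A zero denominator (no predictions for the class, or no
    true positives at all) yields 0.0 instead of a division error."""
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    f1 = 2 * precision * recall / (precision + recall) if precision + recall else 0.0
    return precision, recall, f1


def coarse_grained_metrics(y_true, y_pred):
    """Step 6, coarse-grained: attack vs benign. Any label other than "benign"
    counts as attack, so a flow tagged with the wrong attack type is still a
    correct coarse-grained detection."""
    to_coarse = lambda y: "benign" if y == "benign" else "attack"
    t = [to_coarse(y) for y in y_true]
    p = [to_coarse(y) for y in y_pred]
    return precision_recall_f1(*confusion(t, p, "attack"))


def fine_grained_metrics(y_true, y_pred):
    """Step 6, fine-grained: one-vs-rest metrics per attack type that appears
    in either the labels or the verdicts."""
    classes = sorted((set(y_true) | set(y_pred)) - {"benign"})
    return {cls: precision_recall_f1(*confusion(y_true, y_pred, cls)) for cls in classes}


def blacklist_from_verdicts(flows, verdicts):
    """Turn the model's verdicts into the step 8 blacklist of five-tuples."""
    return {flow for flow, verdict in zip(flows, verdicts) if verdict != "benign"}


def filter_flows(flows, blacklist):
    """Step 8: drop blacklisted flows, forward the rest unchanged and in order."""
    forwarded = [f for f in flows if f not in blacklist]
    dropped = [f for f in flows if f in blacklist]
    return forwarded, dropped


# Constructed sample: eight flows as (SIP, DIP, SP, DP, Pro), their true labels,
# and the verdicts a model returned for them (flow 2 is a false positive, flow 4
# a wrong fine-grained type).
FLOWS = [
    ("10.0.0.1", "198.51.100.5", 51001, 443, 6),
    ("10.0.0.2", "198.51.100.5", 51002, 443, 6),
    ("10.0.0.3", "198.51.100.5", 51003, 80, 6),
    ("203.0.113.7", "198.51.100.5", 40001, 80, 6),
    ("203.0.113.8", "198.51.100.5", 40002, 80, 6),
    ("203.0.113.9", "198.51.100.5", 40003, 53, 17),
    ("203.0.113.10", "198.51.100.5", 40004, 80, 6),
    ("10.0.0.4", "198.51.100.5", 51004, 443, 6),
]
Y_TRUE = ["benign", "benign", "benign", "SYN", "SYN", "UDP", "ACK", "benign"]
Y_PRED = ["benign", "benign", "SYN", "SYN", "UDP", "UDP", "ACK", "benign"]


if __name__ == "__main__":
    print("coarse-grained (precision, recall, F1):", coarse_grained_metrics(Y_TRUE, Y_PRED))
    print("fine-grained:", fine_grained_metrics(Y_TRUE, Y_PRED))
    forwarded, dropped = filter_flows(FLOWS, blacklist_from_verdicts(FLOWS, Y_PRED))
    print(f"forwarded {len(forwarded)} flows, dropped {len(dropped)}")
```

   The sample makes the cost of the two metrics visible at the
   blacklist: coarse-grained recall is 1.0 (every attack flow is
   dropped), but the one coarse false positive means a benign flow is
   dropped too, which is exactly the interference with normal traffic
   that step 8 aims to avoid and why the C-PS watches precision as
   well as recall.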

5. Security Considerations

   Attackers may pose various threats to the operation of the CATS-AD
   framework, including the theft or tampering of the information
   collected by the C-NMA, which is crucial for network management and
   service delivery. Therefore, CATS-AD should be equipped with
   anti-attack capabilities to defend against intruders, ensuring the
   security of the computational and network information as well as
   the reliability and stability of the network.


6. IANA Considerations

   This document has no IANA actions.

7. References


7.1 Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <https://www.rfc-editor.org/info/rfc2119>.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in
              RFC 2119 Key Words", BCP 14, RFC 8174,
              DOI 10.17487/RFC8174, May 2017,
              <https://www.rfc-editor.org/info/rfc8174>.

7.2 Informative References

   [I-D. ietf-cats-computing-aware-sfc-usecase]
              Zhang, S. and X. Chen, "Use Cases of Computing-aware
              Service Function Chaining (SFC)", Work in Progress,
              Internet-Draft,
              draft-zhang-cats-computing-aware-sfc-usecase-00,
              September 2023.

   [I-D. ietf-cats-framework-03]
              Li, C., Du, Z., Boucadair, M., Contreras, L. M., Drake,
              J., Huang, G., and G. Mishra, "A Framework for
              Computing-Aware Traffic Steering (CATS)", Work in
              Progress, Internet-Draft, draft-ldbc-cats-framework-03,
              August 2023.

   [I-D. ietf-i2nsf-intelligent-detection-00]
              Wang, W., Zhou, H., Li, M., Guo, Q., and S. Deng, "YANG
              Data Models for Attacks Intelligent Detection", Work in
              Progress, Internet-Draft,
              draft-wang-i2nsf-intelligent-detection, February 2023.

   [I-D. ietf-i2nsf-security-management-automation]
              Jeong, J., Lingga, P., and J. Park, "An Extension of
              I2NSF Framework for Security Management Automation in
              Cloud-Based Security Services", Work in Progress,
              Internet-Draft,
              draft-jeong-i2nsf-security-management-automation-04,
              25 July 2022.

   [Two-Stage Intelligent Model for Detecting Malicious DDoS Behavior]
              Li, M., Zhou, H., and Y. Qin, "Two-Stage Intelligent
              Model for Detecting Malicious DDoS Behavior", Sensors
              2022, 22, 2532.

8. Acknowledgments

   TBC

Authors' Addresses


   Man Li
   Beijing Jiaotong University
   Beijing
   Phone: <86-18810911698>
   Email: 20111018@bjtu.edu.cn


   Huachun Zhou
   Beijing Jiaotong University
   Beijing
   Phone: <86-13718168186>
   Email: hchzhou@bjtu.edu.cn

   Shuangxing Deng
   Beijing Jiaotong University
   Beijing
   Phone: <86-13040062046>
   Email: 21120038@bjtu.edu.cn

   Weilin Wang
   Beijing Jiaotong University
   Beijing
   Phone: <86-15910887582>
   Email: 21111026@bjtu.edu.cn