Programmable data planes offer precise control over the low-level processing steps applied to network packets, serving as a valuable tool for analysing malicious flows in the field of intrusion detection. Albeit with limitations on physical resources and capabilities, they allow for the efficient extraction of detailed traffic information, which can then be utilised by Machine Learning (ML) algorithms responsible for identifying security threats. In addressing resource constraints, existing solutions in the literature rely on compressing network data through the collection of statistical traffic features in the data plane. While this compression saves memory resources in switches and minimises the burden on the control channel between the data and the control plane, it also results in a loss of information available to the Network Intrusion Detection System (NIDS), limiting access to packet payload, categorical features, and the semantic understanding of network communications, such as the behaviour of packets within traffic flows. This paper proposes P4DDLe, a framework that exploits the flexibility of P4-based programmable data planes for packet-level feature extraction and pre-processing. P4DDLe leverages the programmable data plane to extract raw packet features from the network traffic, categorical features included, and to organise them in a way that the semantics of traffic flows is preserved. To minimise memory and control channel overheads, P4DDLe selectively processes and filters packet-level data, so that all and only the relevant features required by the NIDS are collected. The experimental evaluation with recent Distributed Denial of Service (DDoS) attack data demonstrates that the proposed approach is very efficient in collecting compact and high-quality representations of network flows, ensuring precise detection of DDoS attacks.

翻译：可编程数据平面能够对网络数据包的低级处理步骤实施精确控制，成为入侵检测领域中分析恶意流量的重要工具。尽管受限于物理资源和计算能力，它们仍可高效提取详细的流量信息，这些信息随后可被负责识别安全威胁的机器学习算法所利用。为应对资源约束，现有文献中的解决方案通常依赖在数据平面中收集统计流量特征来压缩网络数据。这种压缩虽能节省交换机内存资源并减轻数据平面与控制平面之间的控制信道负担，但也会导致网络入侵检测系统可获取的信息损失，限制了对数据包载荷、分类特征以及网络通信语义理解（如流量流中数据包的行为）的访问。本文提出P4DDLe框架，该框架利用基于P4的可编程数据平面的灵活性，进行数据包级特征提取与预处理。P4DDLe借助可编程数据平面从网络流量中提取原始数据包特征（包括分类特征），并以保留流量流语义的方式组织这些特征。为最小化内存和控制信道开销，P4DDLe对数据包级数据进行选择性处理与过滤，仅收集网络入侵检测系统所需的全部相关特征。基于最新分布式拒绝服务攻击数据的实验评估表明，所提方法在收集网络流的紧凑且高质量表示方面非常高效，能确保对DDoS攻击的精确检测。