Malicious traffic detectors leveraging machine learning (ML), particularly those incorporating deep learning techniques, exhibit impressive detection capabilities across multiple attacks. However, their effectiveness becomes compromised when deployed in networks handling Terabit-speed traffic. In practice, these systems require substantial traffic sampling to reconcile the high data plane packet rates with the comparatively slower processing speeds of ML detection. Because sampling significantly reduces traffic observability, it fundamentally undermines their detection capability. We present Peregrine, an ML-based malicious traffic detector for Terabit networks. The key idea is to run the detection process partially in the network data plane. Specifically, we offload the detector's ML feature computation to a commodity switch. The Peregrine switch processes a diversity of features per packet, at Tbps line rates - three orders of magnitude higher than the fastest detector - to feed the ML-based component in the control plane. Our offloading approach presents a distinct advantage: whereas current systems in practice sample raw traffic, in Peregrine sampling occurs only after feature computation. This essential trait enables computing features over all traffic, significantly enhancing detection performance. The Peregrine detector is not only effective for Terabit networks, but it is also energy- and cost-efficient. Further, by shifting a compute-heavy component to the switch, it saves precious CPU cycles and improves detection throughput.
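To illustrate the abstract's point about where sampling happens, here is an added toy simulation (not Peregrine's code): a constructed packet trace, a constructed feature set (running per-source packet count and mean packet length, updated on every packet as a switch would), and a deterministic 1-in-N sampler are all assumptions. It contrasts sampling raw packets before feature computation with computing features over all packets and sampling the resulting feature records afterwards.

```python
"""Toy comparison of packet-level sampling vs. feature-level sampling.
Added example, not from the Peregrine paper; trace and features are constructed."""
from collections import defaultdict

# Constructed trace of (src, pkt_len): one chatty host and one host
# that emits only a short burst of four small packets.
TRACE = [("10.0.0.1", 1400)] * 12 + [("10.0.0.9", 60)] * 4 + [("10.0.0.1", 1400)] * 12


def per_packet_features(trace):
    """Running per-source features refreshed on every packet: cumulative packet
    count and mean packet length as of that packet (constructed feature set)."""
    count, total = defaultdict(int), defaultdict(int)
    records = []
    for src, length in trace:
        count[src] += 1
        total[src] += length
        records.append((src, count[src], total[src] / count[src]))
    return records


def sample(seq, rate):
    """Deterministic 1-in-`rate` sampling: keep every rate-th element."""
    return seq[rate - 1::rate]


def packets_then_features(trace, rate):
    """Conventional pipeline: sample raw packets first, then compute features
    only over the packets that survived sampling."""
    return per_packet_features(sample(trace, rate))


def features_then_sample(trace, rate):
    """Peregrine-style pipeline: compute features over every packet, then
    sample the feature records handed to the control-plane detector."""
    return sample(per_packet_features(trace), rate)


def max_count_seen(records, src):
    """Largest per-source packet count the detector ever gets to see."""
    return max((c for s, c, _ in records if s == src), default=0)


if __name__ == "__main__":
    for name, fn in (("packets first", packets_then_features),
                     ("features first", features_then_sample)):
        recs = fn(TRACE, 4)
        print(f"{name}: {len(recs)} records, burst host count seen ="
              f" {max_count_seen(recs, '10.0.0.9')}")
```

Both pipelines deliver the same number of records to the detector, but only the feature-first pipeline still reports the burst host's true packet count; packet-first sampling shrinks it by the sampling factor.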