Programmable data planes offer precise control over the low-level processing steps applied to network packets, serving as a valuable tool for analysing malicious flows in the field of intrusion detection. Albeit with limitations on physical resources and capabilities, they allow for the efficient extraction of detailed traffic information, which can then be utilised by Machine Learning (ML) algorithms responsible for identifying security threats. In addressing resource constraints, existing solutions in the literature rely on compressing network data through the collection of statistical traffic features in the data plane. While this compression saves memory resources in switches and minimises the burden on the control channel between the data and the control plane, it also results in a loss of information available to the Network Intrusion Detection System (NIDS), limiting access to packet payload, categorical features, and the semantic understanding of network communications, such as the behaviour of packets within traffic flows. This paper proposes P4DDLe, a framework that exploits the flexibility of P4-based programmable data planes for packet-level feature extraction and pre-processing. P4DDLe leverages the programmable data plane to extract raw packet features from the network traffic, categorical features included, and to organise them in a way that the semantics of traffic flows are preserved. To minimise memory and control channel overheads, P4DDLe selectively processes and filters packet-level data, so that only the features required by the NIDS are collected. The experimental evaluation with recent Distributed Denial of Service (DDoS) attack data demonstrates that the proposed approach is very efficient in collecting compact and high-quality representations of network flows, ensuring precise detection of DDoS attacks.
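As an added illustration (not P4DDLe's own code, which is not on this page), the following Python simulates on a host the two flow representations the abstract contrasts: per-flow statistics versus per-flow arrays of raw packet features, with selective field and packet-count filtering. The traffic, flow key and field names are constructed for the example.

```python
from collections import defaultdict
from statistics import mean

# TCP flag bits as carried in the header; kept raw as a categorical feature.
FIN, SYN, PSH, ACK = 0x01, 0x02, 0x08, 0x10


def _pkt(src, sport, length, flags):
    # Constructed TCP packet towards one web server; only the fields used here.
    return {"src": src, "dst": "10.0.0.9", "proto": 6, "sport": sport,
            "dport": 80, "len": length, "flags": flags}


# Constructed sample traffic, interleaved in arrival order. Flow A (10.0.0.1)
# repeats SYNs; flow B (10.0.0.2) is an ordinary SYN -> ACK -> data -> FIN run.
# Both flows have identical packet counts and lengths.
SAMPLE_PACKETS = [
    _pkt("10.0.0.1", 40000, 60, SYN), _pkt("10.0.0.2", 40001, 60, SYN),
    _pkt("10.0.0.1", 40000, 60, SYN), _pkt("10.0.0.2", 40001, 60, ACK),
    _pkt("10.0.0.1", 40000, 60, SYN), _pkt("10.0.0.2", 40001, 60, PSH | ACK),
    _pkt("10.0.0.1", 40000, 60, SYN), _pkt("10.0.0.2", 40001, 60, FIN | ACK),
]


def flow_key(pkt):
    """5-tuple used to group packets into a flow."""
    return (pkt["src"], pkt["dst"], pkt["proto"], pkt["sport"], pkt["dport"])


def statistical_features(packets):
    """Compressed flow-level statistics: packet and byte counts, mean length."""
    lengths = defaultdict(list)
    for p in packets:
        lengths[flow_key(p)].append(p["len"])
    return {k: {"pkts": len(v), "bytes": sum(v), "mean_len": mean(v)}
            for k, v in lengths.items()}


def packet_level_features(packets, fields=("len", "flags"), max_pkts=4):
    """Per-flow array of raw packet features in arrival order.

    Only the requested fields are kept, and at most max_pkts packets per flow,
    so memory and control-channel load stay bounded while per-packet
    behaviour (here the TCP flag sequence) is preserved."""
    flows = defaultdict(list)
    for p in packets:
        k = flow_key(p)
        if len(flows[k]) < max_pkts:
            flows[k].append(tuple(p[f] for f in fields))
    return dict(flows)


if __name__ == "__main__":
    stats, arrays = statistical_features(SAMPLE_PACKETS), packet_level_features(SAMPLE_PACKETS)
    for k in stats:
        print(k[0], stats[k], arrays[k])  # same statistics, different flag sequences
```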