-
Fair Queuing Aware Congestion Control
Authors:
Maximilian Bachl
Abstract:
Fair queuing is becoming increasingly prevalent in the internet and has been shown to improve performance in many circumstances. Performance could be improved even more if endpoints could detect the presence of fair queuing on a certain path and adjust their congestion control accordingly. If fair queuing is detected, the congestion control would not have to take cross traffic into account, which allows for more flexibility. In this paper, we develop the first algorithm that continuously checks if fair queuing is present on a path, with an accuracy of over 95%. When fair queuing is detected, a different congestion control can be chosen, which can result in reduced latency. Also, each flow can then specify how much queuing delay it allows, meaning that it can choose its own tradeoff between throughput and latency.
Submitted 9 June, 2023; v1 submitted 21 June, 2022;
originally announced June 2022.
-
A flow-based IDS using Machine Learning in eBPF
Authors:
Maximilian Bachl,
Joachim Fabini,
Tanja Zseby
Abstract:
eBPF is a new technology which allows dynamically loading pieces of code into the Linux kernel. It can greatly speed up networking since it enables the kernel to process certain packets without the involvement of a userspace program. So far eBPF has been used for simple packet filtering applications such as firewalls or Denial of Service protection. We show that it is possible to develop a flow based network intrusion detection system based on machine learning entirely in eBPF. Our solution uses a decision tree and decides for each packet whether it is malicious or not, considering the entire previous context of the network flow. We achieve a performance increase of over 20% compared to the same solution implemented as a userspace program.
Submitted 4 March, 2022; v1 submitted 19 February, 2021;
originally announced February 2021.
-
Detecting Fair Queuing for Better Congestion Control
Authors:
Maximilian Bachl,
Joachim Fabini,
Tanja Zseby
Abstract:
Low delay is an explicit requirement for applications such as cloud gaming and video conferencing. Delay-based congestion control can achieve the same throughput but significantly smaller delay than loss-based one and is thus ideal for these applications. However, when a delay- and a loss-based flow compete for a bottleneck, the loss-based one can monopolize all the bandwidth and starve the delay-based one. Fair queuing at the bottleneck link solves this problem by assigning an equal share of the available bandwidth to each flow. However, so far no end host based algorithm to detect fair queuing exists. Our contribution is the development of an algorithm that detects fair queuing at flow startup and chooses delay-based congestion control if there is fair queuing. Otherwise, loss-based congestion control can be used as a backup option. Results show that our algorithm reliably detects fair queuing and can achieve low delay and high throughput in case fair queuing is detected.
Submitted 19 February, 2021; v1 submitted 16 October, 2020;
originally announced October 2020.
-
EagerNet: Early Predictions of Neural Networks for Computationally Efficient Intrusion Detection
Authors:
Fares Meghdouri,
Maximilian Bachl,
Tanja Zseby
Abstract:
Fully Connected Neural Networks (FCNNs) have been the core of most state-of-the-art Machine Learning (ML) applications in recent years and also have been widely used for Intrusion Detection Systems (IDSs). Experimental results from the last years show that generally deeper neural networks with more layers perform better than shallow models. Nonetheless, with the growing number of layers, obtaining fast predictions with less resources has become a difficult task despite the use of special hardware such as GPUs. We propose a new architecture to detect network attacks with minimal resources. The architecture is able to deal with either binary or multiclass classification problems and trades prediction speed for the accuracy of the network. We evaluate our proposal with two different network intrusion detection datasets. Results suggest that it is possible to obtain comparable accuracies to simple FCNNs without evaluating all layers for the majority of samples, thus obtaining early predictions and saving energy and computational efforts.
Submitted 15 October, 2020; v1 submitted 27 July, 2020;
originally announced July 2020.
-
LFQ: Online Learning of Per-flow Queuing Policies using Deep Reinforcement Learning
Authors:
Maximilian Bachl,
Joachim Fabini,
Tanja Zseby
Abstract:
The increasing number of different, incompatible congestion control algorithms has led to an increased deployment of fair queuing. Fair queuing isolates each network flow and can thus guarantee fairness for each flow even if the flows' congestion controls are not inherently fair. So far, each queue in the fair queuing system either has a fixed, static maximum size or is managed by an Active Queue Management (AQM) algorithm like CoDel. In this paper we design an AQM mechanism (Learning Fair Qdisc (LFQ)) that dynamically learns the optimal buffer size for each flow according to a specified reward function online. We show that our Deep Learning based algorithm can dynamically assign the optimal queue size to each flow depending on its congestion control, delay and bandwidth. Compared to competing fair AQM schedulers, it provides significantly smaller queues while achieving the same or higher throughput.
Submitted 15 October, 2020; v1 submitted 6 July, 2020;
originally announced July 2020.
-
SparseIDS: Learning Packet Sampling with Reinforcement Learning
Authors:
Maximilian Bachl,
Fares Meghdouri,
Joachim Fabini,
Tanja Zseby
Abstract:
Recurrent Neural Networks (RNNs) have been shown to be valuable for constructing Intrusion Detection Systems (IDSs) for network data. They allow determining if a flow is malicious or not already before it is over, making it possible to take action immediately. However, considering the large number of packets that have to be inspected, for example in cloud/fog and edge computing, the question of computational efficiency arises. We show that by using a novel Reinforcement Learning (RL)-based approach called SparseIDS, we can reduce the number of consumed packets by more than three fourths while keeping classification accuracy high. To minimize the computational expenses of the RL-based sampling we show that a shared neural network can be used for both the classifier and the RL logic. Thus, no additional resources are consumed by the sampling in deployment. Compared to various other sampling techniques, SparseIDS consistently achieves higher classification accuracy by learning to sample only relevant packets. A major novelty of our RL-based approach is that it can not only skip up to a predefined maximum number of samples like other approaches proposed in the domain of Natural Language Processing but can even skip arbitrarily many packets in one step. This enables saving even more computational resources for long sequences. Inspecting SparseIDS's behavior of choosing packets shows that it adopts different sampling strategies for different attack types and network flows. Finally we build an automatic steering mechanism that can guide SparseIDS in deployment to achieve a desired level of sparsity.
Submitted 4 May, 2020; v1 submitted 10 February, 2020;
originally announced February 2020.
-
Explainability and Adversarial Robustness for RNNs
Authors:
Alexander Hartl,
Maximilian Bachl,
Joachim Fabini,
Tanja Zseby
Abstract:
Recurrent Neural Networks (RNNs) yield attractive properties for constructing Intrusion Detection Systems (IDSs) for network data. With the rise of ubiquitous Machine Learning (ML) systems, malicious actors have been catching up quickly to find new ways to exploit ML vulnerabilities for profit. Recently developed adversarial ML techniques focus on computer vision and their applicability to network traffic is not straightforward: Network packets expose fewer features than an image, are sequential and impose several constraints on their features.
We show that despite these completely different characteristics, adversarial samples can be generated reliably for RNNs. To understand a classifier's potential for misclassification, we extend existing explainability techniques and propose new ones, suitable particularly for sequential data. Applying them shows that already the first packets of a communication flow are of crucial importance and are likely to be targeted by attackers. Feature importance methods show that even relatively unimportant features can be effectively abused to generate adversarial samples. Since traditional evaluation metrics such as accuracy are not sufficient for quantifying the adversarial threat, we propose the Adversarial Robustness Score (ARS) for comparing IDSs, capturing a common notion of adversarial robustness, and show that an adversarial training procedure can significantly and successfully reduce the attack surface.
Submitted 19 February, 2020; v1 submitted 20 December, 2019;
originally announced December 2019.
-
Cocoa: Congestion Control Aware Queuing
Authors:
Maximilian Bachl,
Joachim Fabini,
Tanja Zseby
Abstract:
Recent model-based congestion control algorithms such as BBR use repeated measurements at the endpoint to build a model of the network connection and use it to achieve optimal throughput with low queuing delay. Conversely, applying this model-based approach to Active Queue Management (AQM) has so far received less attention. We propose the new AQM scheduler cocoa based on fair queuing, which adapts the buffer size depending on the needs of each flow without requiring active participation from the endpoint. We implement this scheduler for the Linux kernel and show that it interacts well with the most common congestion control algorithms and can significantly increase throughput compared to fair CoDel while avoiding overbuffering.
Submitted 22 November, 2019; v1 submitted 23 October, 2019;
originally announced October 2019.
-
Walling up Backdoors in Intrusion Detection Systems
Authors:
Maximilian Bachl,
Alexander Hartl,
Joachim Fabini,
Tanja Zseby
Abstract:
Interest in poisoning attacks and backdoors recently resurfaced for Deep Learning (DL) applications. Several successful defense mechanisms have been recently proposed for Convolutional Neural Networks (CNNs), for example in the context of autonomous driving. We show that visualization approaches can aid in identifying a backdoor independent of the used classifier. Surprisingly, we find that common defense mechanisms fail utterly to remove backdoors in DL for Intrusion Detection Systems (IDSs). Finally, we devise pruning-based approaches to remove backdoors for Decision Trees (DTs) and Random Forests (RFs) and demonstrate their effectiveness for two different network security datasets.
Submitted 5 April, 2020; v1 submitted 17 September, 2019;
originally announced September 2019.
-
City-GAN: Learning architectural styles using a custom Conditional GAN architecture
Authors:
Maximilian Bachl,
Daniel C. Ferreira
Abstract:
Generative Adversarial Networks (GANs) are a well-known technique that is trained on samples (e.g. pictures of fruits) and which after training is able to generate realistic new samples. Conditional GANs (CGANs) additionally provide label information for subclasses (e.g. apple, orange, pear) which enables the GAN to learn more easily and increase the quality of its output samples. We use GANs to learn architectural features of major cities and to generate images of buildings which do not exist. We show that currently available GAN and CGAN architectures are unsuited for this task and propose a custom architecture and demonstrate that our architecture has superior performance for this task and verify its capabilities with extensive experiments.
Submitted 26 May, 2020; v1 submitted 3 July, 2019;
originally announced July 2019.