A Scalable and Dynamic ACL System for In-Network Defense

Changhun Jung; Sian Kim; Rhongho Jang; David Mohaisen; Dae Hun Nyang

doi:10.1145/3548606.3560606

A Scalable and Dynamic ACL System for In-Network Defense

Changhun Jung, Sian Kim, Rhongho Jang, David Mohaisen, Dae Hun Nyang

Department of Cyber Security

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

12 Scopus citations

Abstract

In-network/in-switch Access Control List (ACL) is an essential security component of modern networks. In high-speed networks, ACL rules are often placed in a switch's Ternary Content-Addressable Memory (TCAM) for timely ACL match-action and management (e.g. insertion and deletion). However, TCAM-based ACL systems are encountering an scalability issue owing to increasing demand on AI-powered autonomous defenses that detect and block attacks online, which inevitably derives finer-grained ACL rules. Existing solutions minimize the TCAM usage by partially offloading ACL matching into larger Static Random-Access Memory (SRAM) or customized hardware. Nevertheless, current SRAM-based solutions induce high management costs, especially a high rule-deployment latency, which delays time-sensitive defense actions. Also, the customized hardware approaches have its own scalability issue. To support autonomous defenses at a scale, in this paper, we propose an in-switch ACL system called PortCatcher, which breaks the trade-off between scalability and rule management latency. System-wise, we detach layer-4 port matching from TCAM for improving its memory efficiency. Algorithm-wise, we introduce a novel port (range) rule representation concept, called linear range map (LRM), which enables port (range) matching in SRAM-based hash tables. LRM guarantees not only fast and scalable port matching but also low-latency ACL management for timely defenses. With real-world ACL datasets, we show that PortCatcher saves 74%-90% TCAM space compared to state-of-the-art approaches by adding small overhead to SRAM (0.49 SRAM entry per ACL rule). Also, we deploy PortCatcher on a programmable switch to demonstrate that PortCatcher can serve 5-tuple rule matching at a line rate, where port rules are completely matched in SRAM. With a use case study, namely autonomous attack mitigation, we show that PortCatcher has a negligible rule management latency to block attack flows (i.e. 94.42% of rules deployed within 10 ms).

Original language	English
Title of host publication	CCS 2022 - Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security
Publisher	Association for Computing Machinery
Pages	1679-1693
Number of pages	15
ISBN (Electronic)	9781450394505
DOIs	https://doi.org/10.1145/3548606.3560606
State	Published - 7 Nov 2022
Event	28th ACM SIGSAC Conference on Computer and Communications Security, CCS 2022 - Los Angeles, United States Duration: 7 Nov 2022 → 11 Nov 2022

Publication series

Name	Proceedings of the ACM Conference on Computer and Communications Security
ISSN (Print)	1543-7221

Conference

Conference	28th ACM SIGSAC Conference on Computer and Communications Security, CCS 2022
Country/Territory	United States
City	Los Angeles
Period	7/11/22 → 11/11/22

Bibliographical note

Publisher Copyright:
© 2022 ACM.

Keywords

dynamic management
in-network acl
low-latency defense
scalable port (range) matching

Access to Document

10.1145/3548606.3560606

Cite this

Jung, C., Kim, S., Jang, R., Mohaisen, D., & Nyang, D. H. (2022). A Scalable and Dynamic ACL System for In-Network Defense. In CCS 2022 - Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security (pp. 1679-1693). (Proceedings of the ACM Conference on Computer and Communications Security). Association for Computing Machinery. https://doi.org/10.1145/3548606.3560606

@inproceedings{3056f98a6a7d42bc9bcb2f1e9a67d2a3,

title = "A Scalable and Dynamic ACL System for In-Network Defense",

abstract = "In-network/in-switch Access Control List (ACL) is an essential security component of modern networks. In high-speed networks, ACL rules are often placed in a switch's Ternary Content-Addressable Memory (TCAM) for timely ACL match-action and management (e.g. insertion and deletion). However, TCAM-based ACL systems are encountering an scalability issue owing to increasing demand on AI-powered autonomous defenses that detect and block attacks online, which inevitably derives finer-grained ACL rules. Existing solutions minimize the TCAM usage by partially offloading ACL matching into larger Static Random-Access Memory (SRAM) or customized hardware. Nevertheless, current SRAM-based solutions induce high management costs, especially a high rule-deployment latency, which delays time-sensitive defense actions. Also, the customized hardware approaches have its own scalability issue. To support autonomous defenses at a scale, in this paper, we propose an in-switch ACL system called PortCatcher, which breaks the trade-off between scalability and rule management latency. System-wise, we detach layer-4 port matching from TCAM for improving its memory efficiency. Algorithm-wise, we introduce a novel port (range) rule representation concept, called linear range map (LRM), which enables port (range) matching in SRAM-based hash tables. LRM guarantees not only fast and scalable port matching but also low-latency ACL management for timely defenses. With real-world ACL datasets, we show that PortCatcher saves 74%-90% TCAM space compared to state-of-the-art approaches by adding small overhead to SRAM (0.49 SRAM entry per ACL rule). Also, we deploy PortCatcher on a programmable switch to demonstrate that PortCatcher can serve 5-tuple rule matching at a line rate, where port rules are completely matched in SRAM. With a use case study, namely autonomous attack mitigation, we show that PortCatcher has a negligible rule management latency to block attack flows (i.e. 94.42% of rules deployed within 10 ms).",

keywords = "dynamic management, in-network acl, low-latency defense, scalable port (range) matching",

author = "Changhun Jung and Sian Kim and Rhongho Jang and David Mohaisen and Nyang, {Dae Hun}",

note = "Publisher Copyright: {\textcopyright} 2022 ACM.; 28th ACM SIGSAC Conference on Computer and Communications Security, CCS 2022 ; Conference date: 07-11-2022 Through 11-11-2022",

year = "2022",

month = nov,

day = "7",

doi = "10.1145/3548606.3560606",

language = "English",

series = "Proceedings of the ACM Conference on Computer and Communications Security",

publisher = "Association for Computing Machinery",

pages = "1679--1693",

booktitle = "CCS 2022 - Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security",

}

Jung, C, Kim, S, Jang, R, Mohaisen, D & Nyang, DH 2022, A Scalable and Dynamic ACL System for In-Network Defense. in CCS 2022 - Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security. Proceedings of the ACM Conference on Computer and Communications Security, Association for Computing Machinery, pp. 1679-1693, 28th ACM SIGSAC Conference on Computer and Communications Security, CCS 2022, Los Angeles, United States, 7/11/22. https://doi.org/10.1145/3548606.3560606

A Scalable and Dynamic ACL System for In-Network Defense. / Jung, Changhun; Kim, Sian; Jang, Rhongho et al.
CCS 2022 - Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security. Association for Computing Machinery, 2022. p. 1679-1693 (Proceedings of the ACM Conference on Computer and Communications Security).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - A Scalable and Dynamic ACL System for In-Network Defense

AU - Jung, Changhun

AU - Kim, Sian

AU - Jang, Rhongho

AU - Mohaisen, David

AU - Nyang, Dae Hun

PY - 2022/11/7

Y1 - 2022/11/7

N2 - In-network/in-switch Access Control List (ACL) is an essential security component of modern networks. In high-speed networks, ACL rules are often placed in a switch's Ternary Content-Addressable Memory (TCAM) for timely ACL match-action and management (e.g. insertion and deletion). However, TCAM-based ACL systems are encountering an scalability issue owing to increasing demand on AI-powered autonomous defenses that detect and block attacks online, which inevitably derives finer-grained ACL rules. Existing solutions minimize the TCAM usage by partially offloading ACL matching into larger Static Random-Access Memory (SRAM) or customized hardware. Nevertheless, current SRAM-based solutions induce high management costs, especially a high rule-deployment latency, which delays time-sensitive defense actions. Also, the customized hardware approaches have its own scalability issue. To support autonomous defenses at a scale, in this paper, we propose an in-switch ACL system called PortCatcher, which breaks the trade-off between scalability and rule management latency. System-wise, we detach layer-4 port matching from TCAM for improving its memory efficiency. Algorithm-wise, we introduce a novel port (range) rule representation concept, called linear range map (LRM), which enables port (range) matching in SRAM-based hash tables. LRM guarantees not only fast and scalable port matching but also low-latency ACL management for timely defenses. With real-world ACL datasets, we show that PortCatcher saves 74%-90% TCAM space compared to state-of-the-art approaches by adding small overhead to SRAM (0.49 SRAM entry per ACL rule). Also, we deploy PortCatcher on a programmable switch to demonstrate that PortCatcher can serve 5-tuple rule matching at a line rate, where port rules are completely matched in SRAM. With a use case study, namely autonomous attack mitigation, we show that PortCatcher has a negligible rule management latency to block attack flows (i.e. 94.42% of rules deployed within 10 ms).

AB - In-network/in-switch Access Control List (ACL) is an essential security component of modern networks. In high-speed networks, ACL rules are often placed in a switch's Ternary Content-Addressable Memory (TCAM) for timely ACL match-action and management (e.g. insertion and deletion). However, TCAM-based ACL systems are encountering an scalability issue owing to increasing demand on AI-powered autonomous defenses that detect and block attacks online, which inevitably derives finer-grained ACL rules. Existing solutions minimize the TCAM usage by partially offloading ACL matching into larger Static Random-Access Memory (SRAM) or customized hardware. Nevertheless, current SRAM-based solutions induce high management costs, especially a high rule-deployment latency, which delays time-sensitive defense actions. Also, the customized hardware approaches have its own scalability issue. To support autonomous defenses at a scale, in this paper, we propose an in-switch ACL system called PortCatcher, which breaks the trade-off between scalability and rule management latency. System-wise, we detach layer-4 port matching from TCAM for improving its memory efficiency. Algorithm-wise, we introduce a novel port (range) rule representation concept, called linear range map (LRM), which enables port (range) matching in SRAM-based hash tables. LRM guarantees not only fast and scalable port matching but also low-latency ACL management for timely defenses. With real-world ACL datasets, we show that PortCatcher saves 74%-90% TCAM space compared to state-of-the-art approaches by adding small overhead to SRAM (0.49 SRAM entry per ACL rule). Also, we deploy PortCatcher on a programmable switch to demonstrate that PortCatcher can serve 5-tuple rule matching at a line rate, where port rules are completely matched in SRAM. With a use case study, namely autonomous attack mitigation, we show that PortCatcher has a negligible rule management latency to block attack flows (i.e. 94.42% of rules deployed within 10 ms).

KW - dynamic management

KW - in-network acl

KW - low-latency defense

KW - scalable port (range) matching

UR - http://www.scopus.com/inward/record.url?scp=85143049653&partnerID=8YFLogxK

U2 - 10.1145/3548606.3560606

DO - 10.1145/3548606.3560606

M3 - Conference contribution

AN - SCOPUS:85143049653

T3 - Proceedings of the ACM Conference on Computer and Communications Security

SP - 1679

EP - 1693

BT - CCS 2022 - Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security

PB - Association for Computing Machinery

T2 - 28th ACM SIGSAC Conference on Computer and Communications Security, CCS 2022

Y2 - 7 November 2022 through 11 November 2022

ER -

A Scalable and Dynamic ACL System for In-Network Defense

Abstract

Publication series

Conference

Bibliographical note

Keywords

Access to Document

Fingerprint

Cite this