A High-Performance Golang-Based Network Intrusion Detection System

Hämtar...
Bild (thumbnail)

Publicerad

Typ

Examensarbete för masterexamen
Master's Thesis

Modellbyggare

Tidskriftstitel

ISSN

Volymtitel

Utgivare

Sammanfattning

Distributed Denial of Service (DDoS) attacks remain a serious threat to transport networks, with recent attack volumes exceeding 30 Tbps, and the telecommunica tions industry being the main target. However, recent work has yet to study the impact of different architectures to host monitoring solutions, nor to assess the use of recent algorithms to improve attack detection. This thesis presents a Golang-based Network Intrusion Detection System (NIDS) for DDoS detection in transport net work environments, developed in collaboration with Ericsson’s Radio and Transport Engineering division. The work builds on a baseline that utilised a statistical model and improves it in two directions. First, it improves detection effectiveness by utilising an Isolation Forest model that is trained on a wider set of flow features. These features are extracted by GoFlowMeter, an open source Go implementation of CICFlowMeter that we publish as part of this thesis. Second, it studies how the choice of software architecture affects the performance of the NIDS by comparing a monolithic deployment, a Kafka based microservice deployment, and a gRPC-based microservice deployment. The system is evaluated on a Raspberry Pi 5 testbed using the CIC-DDoS2019 dataset, which is replayed as real network traffic through a separate sequential replayer. Extended Berkeley Packet Filter (eBPF) and Express Data Path (XDP) were also utilised to allow the NIDS to be able to process real traffic. The results show that detection quality is governed mainly by the choice of detector rather than by the transport layer. The transport is not entirely neutral, however: the monolithic and gRPC variants reach almost the same accuracy, while the asyn chronous Kafka pipeline trails them by roughly nine percentage points, an effect we attribute to its decoupled, online-updated delivery rather than to the detector itself. Compared with the statistical baseline, the Isolation Forest model achieves a higher recall and F1 score, which means that it can flag low-volume attack windows that the baseline misses. On the software side, the gRPC variant adds less than 2 milliseconds of transport time per window, while the Kafka variant adds about 27 milliseconds, which reflects the cost of the durability and decoupling that Kafka offers. The monolithic variant shows the smallest processing time degradation when the detector is switched to Isolation Forest, although this advantage may depend on the volume-heavy nature of the dataset. Together, these findings give practitioners a clearer view of the trade-off between detection quality and architectural overhead when deploying a NIDS on resource-constrained hardware.

Beskrivning

Ämne/nyckelord

Network Intrusion Detection, Distributed Denial-of-Service, eBPF, XDP, Isolation Forest, microservice, gRPC, GoFlowMeter, Golang

Citation

Arkitekt (konstruktör)

Geografisk plats

Byggnad (typ)

Byggår

Modelltyp

Skala

Teknik / material

Index

Endorsement

Review

Supplemented By

Referenced By