A High-Performance Golang-Based Network Intrusion Detection System
Hämtar...
Ladda ner
Publicerad
Författare
Typ
Examensarbete för masterexamen
Master's Thesis
Master's Thesis
Modellbyggare
Tidskriftstitel
ISSN
Volymtitel
Utgivare
Sammanfattning
Distributed Denial of Service (DDoS) attacks remain a serious threat to transport
networks, with recent attack volumes exceeding 30 Tbps, and the telecommunica
tions industry being the main target. However, recent work has yet to study the
impact of different architectures to host monitoring solutions, nor to assess the use of
recent algorithms to improve attack detection. This thesis presents a Golang-based
Network Intrusion Detection System (NIDS) for DDoS detection in transport net
work environments, developed in collaboration with Ericsson’s Radio and Transport
Engineering division.
The work builds on a baseline that utilised a statistical model and improves it in two
directions. First, it improves detection effectiveness by utilising an Isolation Forest
model that is trained on a wider set of flow features. These features are extracted by
GoFlowMeter, an open source Go implementation of CICFlowMeter that we publish
as part of this thesis. Second, it studies how the choice of software architecture
affects the performance of the NIDS by comparing a monolithic deployment, a Kafka
based microservice deployment, and a gRPC-based microservice deployment. The
system is evaluated on a Raspberry Pi 5 testbed using the CIC-DDoS2019 dataset,
which is replayed as real network traffic through a separate sequential replayer.
Extended Berkeley Packet Filter (eBPF) and Express Data Path (XDP) were also
utilised to allow the NIDS to be able to process real traffic.
The results show that detection quality is governed mainly by the choice of detector
rather than by the transport layer. The transport is not entirely neutral, however:
the monolithic and gRPC variants reach almost the same accuracy, while the asyn
chronous Kafka pipeline trails them by roughly nine percentage points, an effect
we attribute to its decoupled, online-updated delivery rather than to the detector
itself. Compared with the statistical baseline, the Isolation Forest model achieves a
higher recall and F1 score, which means that it can flag low-volume attack windows
that the baseline misses. On the software side, the gRPC variant adds less than
2 milliseconds of transport time per window, while the Kafka variant adds about
27 milliseconds, which reflects the cost of the durability and decoupling that Kafka
offers. The monolithic variant shows the smallest processing time degradation when
the detector is switched to Isolation Forest, although this advantage may depend on
the volume-heavy nature of the dataset. Together, these findings give practitioners
a clearer view of the trade-off between detection quality and architectural overhead
when deploying a NIDS on resource-constrained hardware.
Beskrivning
Ämne/nyckelord
Network Intrusion Detection, Distributed Denial-of-Service, eBPF, XDP, Isolation Forest, microservice, gRPC, GoFlowMeter, Golang
