A High-Performance Golang-Based Network Intrusion Detection System

dc.contributor.authorKoshovyi, Oleksii
dc.contributor.authorWu, Shiqi
dc.contributor.departmentChalmers tekniska högskola / Institutionen för data och informationstekniksv
dc.contributor.departmentChalmers University of Technology / Department of Computer Science and Engineeringen
dc.contributor.examinerDuvignau, Romaric
dc.contributor.supervisorMorel, Victor
dc.date.accessioned2026-06-26T07:42:43Z
dc.date.issued2026
dc.date.submitted
dc.description.abstractDistributed Denial of Service (DDoS) attacks remain a serious threat to transport networks, with recent attack volumes exceeding 30 Tbps, and the telecommunica tions industry being the main target. However, recent work has yet to study the impact of different architectures to host monitoring solutions, nor to assess the use of recent algorithms to improve attack detection. This thesis presents a Golang-based Network Intrusion Detection System (NIDS) for DDoS detection in transport net work environments, developed in collaboration with Ericsson’s Radio and Transport Engineering division. The work builds on a baseline that utilised a statistical model and improves it in two directions. First, it improves detection effectiveness by utilising an Isolation Forest model that is trained on a wider set of flow features. These features are extracted by GoFlowMeter, an open source Go implementation of CICFlowMeter that we publish as part of this thesis. Second, it studies how the choice of software architecture affects the performance of the NIDS by comparing a monolithic deployment, a Kafka based microservice deployment, and a gRPC-based microservice deployment. The system is evaluated on a Raspberry Pi 5 testbed using the CIC-DDoS2019 dataset, which is replayed as real network traffic through a separate sequential replayer. Extended Berkeley Packet Filter (eBPF) and Express Data Path (XDP) were also utilised to allow the NIDS to be able to process real traffic. The results show that detection quality is governed mainly by the choice of detector rather than by the transport layer. The transport is not entirely neutral, however: the monolithic and gRPC variants reach almost the same accuracy, while the asyn chronous Kafka pipeline trails them by roughly nine percentage points, an effect we attribute to its decoupled, online-updated delivery rather than to the detector itself. Compared with the statistical baseline, the Isolation Forest model achieves a higher recall and F1 score, which means that it can flag low-volume attack windows that the baseline misses. On the software side, the gRPC variant adds less than 2 milliseconds of transport time per window, while the Kafka variant adds about 27 milliseconds, which reflects the cost of the durability and decoupling that Kafka offers. The monolithic variant shows the smallest processing time degradation when the detector is switched to Isolation Forest, although this advantage may depend on the volume-heavy nature of the dataset. Together, these findings give practitioners a clearer view of the trade-off between detection quality and architectural overhead when deploying a NIDS on resource-constrained hardware.
dc.identifier.coursecodeDATX05
dc.identifier.urihttps://hdl.handle.net/20.500.12380/311556
dc.language.isoeng
dc.setspec.uppsokTechnology
dc.subjectNetwork Intrusion Detection, Distributed Denial-of-Service, eBPF, XDP, Isolation Forest, microservice, gRPC, GoFlowMeter, Golang
dc.titleA High-Performance Golang-Based Network Intrusion Detection System
dc.type.degreeExamensarbete för masterexamensv
dc.type.degreeMaster's Thesisen
dc.type.uppsokH
local.programmeSoftware engineering and technology (MPSOF), MSc

Ladda ner

Original bundle

Visar 1 - 1 av 1
Hämtar...
Bild (thumbnail)
Namn:
CSE 26-102 OK SW.pdf
Size:
4.67 MB
Format:
Adobe Portable Document Format

License bundle

Visar 1 - 1 av 1
Hämtar...
Bild (thumbnail)
Namn:
license.txt
Size:
2.35 KB
Format:
Item-specific license agreed upon to submission
Description: