S&P2024
Cerberus: Enabling Efficient and Effective In-Network Monitoring on Programmable Switches
Huancheng Zhou, Guofei Gu
17 citations
Abstract
With the increasing volume of network traffic and the emergence of new types of attacks, traditional network monitoring is facing significant challenges in ensuring network security and performance. In-network monitoring (INM) systems based on programmable switches, e.g., P4-based INM systems, have emerged as a more promising approach for high-performance and real-time network monitoring. However, existing P4-based INM systems have resource limitations in handling diverse and high-volume INM tasks such as multi-vector DDoS defenses. Worse still, attackers may try to dynamically change attack vectors to disrupt inadaptable systems and even lead to denial-of-service (DoS) attacks against INM.

To address these challenges, we present Cerberus, an efficient and effective in-network security monitoring system. To support various INM tasks, we abstract them into key-feature (K-F) pairs and design a novel memory slicing mechanism to share memory among multiple K-F pairs. To handle high-volume traffic, we propose a new co-monitoring mechanism that complements the data and control planes, thereby greatly enhancing the efficiency of Cerberus. To adapt to changing network conditions, we design a new resource manager that dynamically reallocates resources for INM tasks and adjusts loads for the data and control planes without interrupting running services. We design a series of INM modules, including DDoS defenses, and develop a prototype of Cerberus. We conduct extensive evaluations to demonstrate that Cerberus can enhance the concurrency and capacity of programmable switches by an order of magnitude. Moreover, Cerberus is more adaptable in handling various INM tasks.
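The abstract describes two ideas that are easier to grasp with a concrete model: an INM task reduced to a key-feature (K-F) pair (which packet field to count by, and which feature to accumulate), and a single switch register pool sliced into per-task regions so that several K-F pairs share the same memory. The Python below is an added, constructed illustration of those two ideas for this page; it is not the Cerberus design or the paper's code. The hash-indexed one-row-per-slice layout, the task names, the pool size and the traffic records are all assumptions made for the example. It also shows the practical caveat a defender cares about when memory is shared: a slice that is too small for the number of distinct keys over-counts through hash collisions, which is exactly the kind of per-task resource pressure a dynamic allocator has to respond to.

```python
"""Illustrative model of key-feature (K-F) pairs sharing one sliced register pool.
Constructed for this page; NOT the Cerberus design. Assumes each task gets one
contiguous, hash-indexed slice of a fixed counter array."""
import hashlib
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# A constructed packet record, e.g. {"src": "10.0.0.1", "dst": "10.0.0.9", "flags": "S"}
Packet = Dict[str, str]


@dataclass
class KFPair:
    """One INM task: extract a key from a packet, extract the feature to accumulate."""
    name: str
    key_fn: Callable[[Packet], str]        # which field the counter is indexed by
    feature_fn: Callable[[Packet], int]    # how much to add for this packet (0 = ignore)
    start: int = 0                         # first cell of this task's slice in the pool
    length: int = 0                        # number of cells in the slice


class SlicedMemory:
    """One fixed pool of counters (standing in for a switch register array) shared by many K-F pairs."""

    def __init__(self, total_cells: int) -> None:
        self.cells: List[int] = [0] * total_cells
        self.tasks: Dict[str, KFPair] = {}
        self.used = 0

    def add_task(self, task: KFPair, cells: int) -> None:
        """Carve a contiguous slice for the task; refuse rather than silently overlap slices."""
        if self.used + cells > len(self.cells):
            raise MemoryError(f"pool exhausted: {self.used}+{cells} > {len(self.cells)}")
        task.start, task.length = self.used, cells
        self.used += cells
        self.tasks[task.name] = task

    def _index(self, task: KFPair, key: str) -> int:
        # Task name is mixed into the hash so two tasks never share a key->cell mapping.
        digest = hashlib.blake2b(f"{task.name}:{key}".encode(), digest_size=8).digest()
        return task.start + int.from_bytes(digest, "big") % task.length

    def observe(self, pkt: Packet) -> None:
        """Data-plane step: every task updates its own slice from the same packet."""
        for task in self.tasks.values():
            inc = task.feature_fn(pkt)
            if inc:
                self.cells[self._index(task, task.key_fn(pkt))] += inc

    def read(self, name: str, key: str) -> int:
        """Control-plane read; an upper bound because colliding keys share a cell."""
        task = self.tasks[name]
        return self.cells[self._index(task, key)]

    def free_cells(self) -> int:
        return len(self.cells) - self.used


def build_monitor(pool_cells: int = 64) -> SlicedMemory:
    """Two assumed DDoS-style tasks splitting one pool evenly (names are constructed)."""
    mem = SlicedMemory(pool_cells)
    mem.add_task(KFPair("syn_per_dst", lambda p: p["dst"], lambda p: int("S" in p["flags"])),
                 pool_cells // 2)
    mem.add_task(KFPair("pkts_per_src", lambda p: p["src"], lambda p: 1), pool_cells // 2)
    return mem


def constructed_traffic() -> List[Packet]:
    """Constructed sample: 50 SYNs from 50 distinct sources to one host, plus 5 benign ACKs."""
    flood = [{"src": f"198.51.100.{i}", "dst": "10.0.0.9", "flags": "S"} for i in range(50)]
    benign = [{"src": "192.0.2.7", "dst": "10.0.0.9", "flags": "A"} for _ in range(5)]
    return flood + benign


def run_demo() -> Tuple[int, int]:
    """Returns (SYNs seen toward 10.0.0.9, packets attributed to 192.0.2.7)."""
    mem = build_monitor()
    for pkt in constructed_traffic():
        mem.observe(pkt)
    return mem.read("syn_per_dst", "10.0.0.9"), mem.read("pkts_per_src", "192.0.2.7")


if __name__ == "__main__":
    syn, benign = run_demo()
    print(f"SYNs toward 10.0.0.9: {syn}; packets attributed to 192.0.2.7: {benign}")
```

The SYN-per-destination read is exact here because only one destination key exists, while the per-source read can exceed the true 5 packets: fifty spoofed sources hash into a 32-cell slice, so some collide with the benign host's cell. Shrinking one slice to grow another trades accuracy between tasks, which is the resource decision the abstract assigns to Cerberus's resource manager.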