A Programmable Security Architecture for Layer 3 Network Defense Based on P4
Research Article
Open Access
CC BY

Zilu Kong 1*
1 Beijing University of Technology, Beijing, China, 100124
*Corresponding author: Kongzilu2023@outlook.com
Published on 13 August 2025
ACE Vol.184
ISSN (Print): 2755-273X
ISSN (Online): 2755-2721
ISBN (Print): 978-1-80590-307-9
ISBN (Online): 978-1-80590-308-6

Abstract

With the rapid development of the internet, cybersecurity threats, including malicious attacks, data breaches, and network viruses, have become increasingly severe. Traditional security mechanisms, which rely on external devices like firewalls and intrusion detection systems, face challenges in scalability, cost, and adaptability. The study employs P4 programming to develop security functions such as protocol and port filtering, flood attack detection, replay attack detection, and decision-making based on Ethernet, IPv4, IPv6, TCP, and UDP header fields. The implemented P4-based security architecture effectively filters unauthorized protocols and ports, detects and mitigates flood attacks, and identifies replay attacks. The findings suggest that P4 technology offers a flexible and efficient solution for modern network security challenges. Specifically, the study achieved a filtering success rate of 98% for unauthorized protocols and ports, demonstrated a 90% reduction in traffic during flood attack defense, and maintained high throughput and network stability even under extreme stress conditions. These results highlight the ability of P4-based security solutions to significantly improve network performance and security, particularly in handling common and volumetric attacks.

Keywords:

P4 Programming, Network Security, Switch-Based Defense, Flood Attack Detection, Replay Attack Mitigation

Cite this article

Kong, Z. (2025). A Programmable Security Architecture for Layer 3 Network Defense Based on P4. Applied and Computational Engineering, 184, 16-23.

Data availability

The datasets used and/or analyzed during the current study will be available from the authors upon reasonable request.

About volume

Volume title: Proceedings of CONF-MLA 2025 Symposium: Intelligent Systems and Automation: AI Models, IoT, and Robotic Algorithms

ISBN: 978-1-80590-307-9 (Print) / 978-1-80590-308-6 (Online)
Editor: Hisham AbouGrad
Conference website: https://www.confmla.org/
Conference date: 17 November 2025
Series: Applied and Computational Engineering
Volume number: Vol.184
ISSN: 2755-2721 (Print) / 2755-273X (Online)