NetNN: Neural Intrusion Detection System in Programmable Networks
Kamran Razavi, Shayan Davari Fard, George Karlos, Vinod Nigade, Max Mühlhäuser, Lin Wang
TL;DR
NetNN tackles the latency bottleneck of DNN-based intrusion detection by moving inference entirely into the network data plane using programmable switches. It partitions a DNN across switches, processes raw packet data (the first 68 bytes) plus inter-arrival times, and uses packets to carry intermediate activations between switches, eliminating feature engineering. The authors present a P4 prototype with components Mapper, Neural Network Executor, and Packet Generator, and show that packet- and flow-level detection accuracy reach 83% and 99%, respectively, on a covert-channel dataset. This data-plane approach enables real-time intrusion detection at line rate and demonstrates a scalable path toward in-network ML with practical security benefits.
Abstract
The rise of deep learning has led to various successful attempts to apply deep neural networks (DNNs) for important networking tasks such as intrusion detection. Yet, running DNNs in the network control plane, as typically done in existing proposals, suffers from high latency that impedes the practicality of such approaches. This paper introduces NetNN, a novel DNN-based intrusion detection system that runs completely in the network data plane to achieve low latency. NetNN adopts raw packet information as input, avoiding complicated feature engineering. NetNN mimics the DNN dataflow execution by mapping DNN parts to a network of programmable switches, executing partial DNN computations on individual switches, and generating packets carrying intermediate execution results between these switches. We implement NetNN in P4 and demonstrate the feasibility of such an approach. Experimental results show that NetNN can improve the intrusion detection accuracy to 99% while meeting the real-time requirement.
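To make the dataflow described in the TL;DR and abstract concrete, here is an added Python simulation (not the paper's P4 code) of a two-switch NetNN-style pipeline: an input vector from the first 68 packet bytes plus the inter-arrival time, integer-only layer execution on "switch A", a custom header that carries the layer-1 activations in a packet, and the second layer on "switch B". The fixed-point encoding, header layout, toy weights and sample packet are assumptions constructed for this example, not taken from the paper.

```python
import struct

RAW_BYTES = 68         # the paper feeds the first 68 bytes of each packet to the DNN
SCALE = 1 << 8         # fixed-point scale (assumed): switch ALUs have no floating point

def features(packet: bytes, iat_us: int) -> list:
    """Input vector: the first 68 bytes (zero-padded if shorter) plus inter-arrival time."""
    raw = packet[:RAW_BYTES].ljust(RAW_BYTES, b"\x00")
    return list(raw) + [iat_us]

def fx(v: float) -> int:
    """Store a float weight/bias as a SCALE-scaled integer (assumed encoding)."""
    return int(round(v * SCALE))

def layer(x: list, w: list, b: list, relu: bool = True) -> list:
    """One dense layer in integer-only arithmetic: y = relu(W x + b), rescaled."""
    out = []
    for row, bias in zip(w, b):
        acc = (sum(wi * xi for wi, xi in zip(row, x)) + bias) // SCALE
        out.append(max(acc, 0) if relu else acc)
    return out

def pack_activations(flow_id: int, acts: list) -> bytes:
    """Switch A emits a packet whose custom header carries its layer output."""
    return struct.pack(f"!HH{len(acts)}i", flow_id, len(acts), *acts)

def unpack_activations(pkt: bytes) -> tuple:
    """Switch B parses that header back into the activation vector."""
    flow_id, n = struct.unpack("!HH", pkt[:4])
    return flow_id, list(struct.unpack(f"!{n}i", pkt[4:4 + 4 * n]))

def run_pipeline(packet: bytes, iat_us: int, w1, b1, w2, b2) -> int:
    """Two-switch dataflow: layer 1 on switch A, activations forwarded in a
    packet, layer 2 on switch B. Returns 0 (benign) or 1 (malicious)."""
    h = layer(features(packet, iat_us), w1, b1)   # executed on switch A
    wire = pack_activations(1, h)                 # intermediate result on the wire
    _, h_b = unpack_activations(wire)             # parsed on switch B
    logits = layer(h_b, w2, b2, relu=False)
    return max(range(len(logits)), key=logits.__getitem__)

# Constructed toy weights (not trained, not from the paper): hidden unit 0 copies the
# inter-arrival time, unit 1 is relu(first_byte - 100); the output layer flags a
# packet whose inter-arrival time is 500 us or more.
W1 = [[0] * RAW_BYTES + [fx(1.0)], [fx(1.0)] + [0] * RAW_BYTES]
B1 = [0, fx(-100.0)]
W2 = [[fx(-1.0), 0], [fx(1.0), 0]]
B2 = [fx(1000.0), fx(1.0)]

# Constructed sample: a 20-byte IPv4 header followed by zero padding (68 bytes total).
IPV4_PKT = bytes.fromhex("4500003c1c4640004006b1e6c0a80001c0a800c7") + b"\x00" * 48
```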
