Optimal In-Network Distribution of Learning Functions for a Secure-by-Design Programmable Data Plane of Next-Generation Networks

Mattia Giovanni Spina, Edoardo Scalzo, Floriano De Rango, Francesca Guerriero, Antonio Iera

TL;DR

This work addresses the challenge of securely deploying in-network learning for intrusion detection by distributing learning functions across programmable data plane devices. It introduces Split-AI, which disaggregates a Strong Learner into an odd number of Weak Learners (WLs) and maps them to WL-VNFs within the network, coupled with an All-Pairs Shortest Path Coloring (APSPC) optimization solved via an ILP and a BRKGA-based meta-heuristic. The authors demonstrate, through model and network evaluations, that the split distribution preserves forwarding performance while enhancing security coverage and resilience under heavy-traffic attacks, achieving favorable classification times and throughput compared to monolithic in-network models. The approach promises scalable, autonomous defense in 6G-like networks, with practical implications for distributed AI in PDPs and secure-by-design data planes.

Abstract

The rise of programmable data plane (PDP) and in-network computing (INC) paradigms paves the way for the development of network devices (switches, network interface cards, etc.) capable of performing advanced processing tasks. This allows running various types of algorithms, including machine learning, within the network itself to support user and network services. In particular, this paper delves into the deployment of in-network learning models with the aim of implementing fully distributed intrusion detection systems (IDS) or intrusion prevention systems (IPS). Specifically, a model is proposed for the optimal distribution of the IDS/IPS workload among data plane devices with the aim of ensuring complete network security without excessively burdening the normal operations of the devices. Furthermore, a meta-heuristic approach is proposed to reduce the long computation time required by the exact solution provided by the mathematical model and its performance is evaluated. The analysis conducted and the results obtained demonstrate the enormous potential of the proposed new approach for the creation of intelligent data planes that act effectively and autonomously as the first line of defense against cyber attacks, with minimal additional workload on the network devices involved.

Paper Structure

This paper contains 20 sections, 10 equations, 7 figures, 4 tables, and 2 algorithms.

Figures (7)

  • Figure 1: Proposed Split-AI In-Network Distribution Strategy.
  • Figure 2: From WL-VNFs to Colors domain.
  • Figure 3: Average Packet Size for DDoS attack in CIC-DDoS2019.
  • Figure 4: Average Classification Time for Experimental Scenarios: a) $\#colors=3$, b) $\#colors=5$, c) $\#colors=7$.
  • Figure 5: Average Throughput for Experimental Scenarios: a) $\#colors=3$, b) $\#colors=5$, c) $\#colors=7$.
  • ...and 2 more figures