Toward an Intrusion Detection System for a Virtualization Framework in Edge Computing
Everton de Matos, Hazaa Alameri, Willian Tessaro Lunardi, Martin Andreoni, Eduardo Viegas
TL;DR
This work tackles intrusion detection in edge computing by deploying LDPI, a lightweight deep anomaly detector, as an isolated service inside the Ghaf virtualization framework, so that the detector does not enlarge the Trusted Computing Base of the workloads it protects. LDPI uses one-class contrastive pretraining (InfoNCE) followed by semi-supervised fine-tuning with the Deep SAD loss on benign traffic; its ResCNN encoder consumes the first $n$ packets of each flow, each truncated or padded to $l$ bytes, so a verdict is available early in the flow. It reaches an AUC of $\approx 0.999$ (5-fold cross-validation mean) on a dataset derived from Ghaf traffic, with modest overhead on a laptop-class edge node and a smaller memory footprint than the signature-based IDSes it is compared against. The evaluation shows LDPI detecting attacks that were absent from its benign-only training data and supports a cascading defense in which LDPI screens the early packets of every flow and forwards only suspicious flows to a rule-based engine, trading recall against resource use in edge environments.
Abstract
Edge computing pushes computation closer to data sources, but it also expands the attack surface on resource-constrained devices. This work explores the deployment of the Lightweight Deep Anomaly Detection for Network Traffic (LDPI) integrated as an isolated service within a virtualization framework that provides security by separation. LDPI, a deep-learning-based detector, achieves an AUC of 0.999 (5-fold mean) across all evaluated packet-window settings (n, l), with high F1 at conservative operating points. We deploy LDPI on a laptop-class edge node and evaluate its overhead and performance in two scenarios: (i) comparing it with representative signature-based IDSes (Suricata and Snort) deployed on the same framework under identical workloads, and (ii) while detecting network flooding attacks.
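As an added worked example (not the paper's or Ghaf's code), the pieces of the LDPI pipeline named in the TL;DR and abstract above, in pure Python: the (n, l) packet window, the InfoNCE one-class pretraining loss, the Deep SAD fine-tuning loss, a quantile-based conservative operating point, and the cascade hand-off to a signature engine. The ResCNN encoder is not reproduced; embeddings are passed in directly so the objectives can be inspected in isolation. The InfoNCE form (cosine-similarity logits over a batch of augmented views), the Deep SAD form (Ruff et al., 2020) and the quantile threshold are standard definitions assumed here, not details taken from the page, and every packet, embedding and score below is a constructed input.

```python
"""LDPI-style training objectives and flow windowing, in pure Python.

Added example, not the paper's code.  The ResCNN encoder is replaced by
embeddings passed in directly, so the losses can be inspected in isolation.
"""
import math
from typing import List, Sequence


def flow_window(packets: Sequence[bytes], n: int, l: int) -> List[List[float]]:
    """Build the (n, l) input window of a flow: the first n packets, each
    truncated or zero-padded to l bytes and scaled to [0, 1].  A flow with
    fewer than n packets gets all-zero rows, so it can be scored early."""
    rows = []
    for i in range(n):
        pkt = packets[i] if i < len(packets) else b""
        chunk = pkt[:l].ljust(l, b"\x00")
        rows.append([b / 255.0 for b in chunk])
    return rows


def _cosine(u: Sequence[float], v: Sequence[float]) -> float:
    dot = sum(a * b for a, b in zip(u, v))
    return dot / (math.sqrt(sum(a * a for a in u)) * math.sqrt(sum(b * b for b in v)))


def info_nce(anchors, positives, temperature: float = 0.1) -> float:
    """One-class contrastive (InfoNCE / NT-Xent) pretraining loss, one direction.
    anchors[i] and positives[i] are embeddings of two augmented views of the
    same benign flow; every positives[j], j != i, acts as a negative for
    anchor i.  No attack samples are needed, which is what makes it one-class.
    (A symmetric variant would also average the positives -> anchors term.)"""
    total = 0.0
    for i, a in enumerate(anchors):
        logits = [_cosine(a, p) / temperature for p in positives]
        m = max(logits)  # max-shifted log-sum-exp for numerical stability
        log_denominator = m + math.log(sum(math.exp(z - m) for z in logits))
        total += log_denominator - logits[i]  # -log softmax at the true positive
    return total / len(anchors)


def deep_sad_loss(embeddings, labels, center, eta: float = 1.0, eps: float = 1e-6) -> float:
    """Deep SAD objective (Ruff et al., 2020) as assumed for LDPI fine-tuning.
    label  0: unlabeled, treated as normal -> pull toward center c
    label +1: known benign                 -> pull toward c, weighted by eta
    label -1: known anomaly                -> push away via inverse distance
    With benign-only fine-tuning, as described on this page, only the first
    two branches are exercised; the third is kept because the objective defines it."""
    total = 0.0
    for z, y in zip(embeddings, labels):
        d2 = sum((zi - ci) ** 2 for zi, ci in zip(z, center))
        if y == 0:
            total += d2
        elif y == 1:
            total += eta * d2
        else:
            total += eta / (d2 + eps)
    return total / len(embeddings)


def anomaly_score(z: Sequence[float], center: Sequence[float]) -> float:
    """Inference-time score: squared distance to the hypersphere center."""
    return sum((zi - ci) ** 2 for zi, ci in zip(z, center))


def threshold_from_benign(scores: Sequence[float], quantile: float = 0.99) -> float:
    """Conservative operating point: a high quantile of benign validation
    scores, so the false-positive rate on benign traffic is fixed by design."""
    s = sorted(scores)
    idx = min(len(s) - 1, max(0, math.ceil(quantile * len(s)) - 1))
    return s[idx]


def cascade_decision(z, center, threshold: float) -> str:
    """Cascading defense: LDPI screens every flow; only flows above the
    threshold are forwarded to the heavier signature engine (Suricata/Snort)."""
    return "forward_to_signature_ids" if anomaly_score(z, center) > threshold else "pass"


def demo() -> dict:
    # Constructed sample input (not captured traffic): a 2-packet flow,
    # windowed to n=3 packets of l=4 bytes each.
    window = flow_window([b"\x45\x00\x00\x3c\xaa", b"\x10"], n=3, l=4)
    # Constructed 2-D embeddings standing in for ResCNN outputs.
    center = [0.0, 0.0]
    benign = [[0.1, 0.0], [0.0, 0.2], [0.15, 0.1]]
    pretrain = info_nce(benign, [[0.1, 0.01], [0.01, 0.2], [0.15, 0.11]])
    finetune = deep_sad_loss(benign + [[3.0, 4.0]], [0, 0, 1, -1], center)
    thr = threshold_from_benign([anomaly_score(z, center) for z in benign], 0.99)
    return {
        "window_rows": len(window),
        "info_nce": pretrain,
        "deep_sad": finetune,
        "threshold": thr,
        "flood_like": cascade_decision([3.0, 4.0], center, thr),
        "benign_like": cascade_decision([0.05, 0.05], center, thr),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Running the file prints the demo dictionary. The design point worth noticing is the one the abstract's "conservative operating points" refers to: the threshold is chosen as a quantile of benign scores, which fixes the benign false-positive rate regardless of what attacks look like, and the cascade means the signature engine only pays its full per-packet inspection cost on the fraction of flows LDPI forwards.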
