PS-IPS: Deploying Intrusion Prevention System with machine learning on programmable switch

Abstract

Intrusion prevention is significant to avoid device damage and financial losses. Researchers have proposed various Intrusion Prevention Systems (IPS) to prevent malware, including traditional and SDN-based IPS. However, existing IPSs suffer from low throughput problems caused by detection and rule-installation delays. Here, we propose a programmable switch-base IPS (named PS-IPS), which utilizes the switch CPU and pipeline to detect malware. PS-IPS consists of four main components: (1) parser, (2) flow filter, (3) recirculation director, and (4) malware detector. According to the experiment, PS-IPS achieves a 183X throughput than the SDN-based IPS. The response time of PS-IPS is also reduced by 99.99%, showing that PS-IPS effectively prevents malware with a single programmable switch.