Data plane programmability enables the embedding of a network intrusion detection system (NIDS) on programmable switches to dynamically control the efficiency of attack type detection and the overhead in the computation and network side. However, it is a challenging task to implement a feasible embedded detection model with advanced machine learning techniques such as deep learning. It is due to the limited support provided by programming languages on the data plane and the computing resource constraints at the edge. We propose a joint traffic classification architecture called <italic xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">JointNIDS</i> that splits a classification model into two sequential sub-models. In this model, the primary switch is dedicated to major attack classification. The secondary switch is used mainly for a further in-depth inspection of the rest of the minor traffic types. The presence of some partially overlapping hidden units in the two sequential switches can help to reduce the computational overhead at the edge, while increasing the packet inspection throughput. Experimental results on the P4 framework demonstrate that <italic xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">JointNIDS</i> has reduced attack detection time, while achieving a similar accuracy performance, as other counterpart algorithms. To further develop the proposed architecture, <italic xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">JointNIDS</i> implements an optimization step. It maximizes the amount of data to be inspected by a system, taking into account the constraints of computing resources and network bandwidth for a given performance requirement. We validate the effectiveness of collaborative joint optimization in various scenarios.
Read full abstract