pForest: In-Network Inference with Random Forests

TL;DR

pForest is a system that enables in-network classification of network flows as early as possible by dynamically switching between tailored random forest models during a flow's lifetime, optimizing for speed and accuracy.

Contribution

It introduces a novel approach for real-time in-network classification using adaptive random forest models tailored to flow phases, implemented on programmable data planes.

Findings

Classifies flows ASAP with high accuracy

Operates efficiently on programmable switches

Handles hundreds of thousands of flows simultaneously

Abstract

When classifying network traffic, a key challenge is deciding when to perform the classification, i.e., after how many packets. Too early, and the decision basis is too thin to classify a flow confidently; too late, and the tardy labeling delays crucial actions (e.g., shutting down an attack) and invests computational resources for too long (e.g., tracking and storing features). Moreover, the optimal decision timing varies across flows. We present pForest, a system for "As Soon As Possible" (ASAP) in-network classification according to supervised machine learning models on top of programmable data planes. pForest automatically classifies each flow as soon as its label is sufficiently established, not sooner, not later. A key challenge behind pForest is finding a strategy for dynamically adapting the features and the classification logic during the lifetime of a flow. pForest solves this problem by: (i) training random forest models tailored to different phases of a flow; and (ii) dynamically switching between these models in real time, on a per-packet basis. pForest models are tuned to fit the constraints of programmable switches (e.g., no floating points, no loops, and limited memory) while providing a high accuracy. We implemented a prototype of pForest in Python (training) and P4 (inference). Our evaluation shows that pForest can classify traffic ASAP for hundreds of thousands of flows, with a classification score that is on-par with software-based solutions.