Optimal In-Network Distribution of Learning Functions for a Secure-by-Design Programmable Data Plane of Next-Generation Networks

TL;DR

This paper proposes an optimal distribution model for in-network intrusion detection and prevention, utilizing a meta-heuristic approach to efficiently deploy security functions within programmable data planes of next-generation networks.

Contribution

It introduces a novel mathematical model and a meta-heuristic solution for distributing IDS/IPS workloads across network devices, enhancing security without disrupting normal operations.

Findings

The model ensures comprehensive network security with minimal device workload.

The meta-heuristic significantly reduces computation time compared to exact solutions.

Results demonstrate the approach's potential for autonomous, efficient cyber defense.

Abstract

The rise of programmable data plane (PDP) and in-network computing (INC) paradigms paves the way for the development of network devices (switches, network interface cards, etc.) capable of performing advanced processing tasks. This allows running various types of algorithms, including machine learning, within the network itself to support user and network services. In particular, this paper delves into the deployment of in-network learning models with the aim of implementing fully distributed intrusion detection systems (IDS) or intrusion prevention systems (IPS). Specifically, a model is proposed for the optimal distribution of the IDS/IPS workload among data plane devices with the aim of ensuring complete network security without excessively burdening the normal operations of the devices. Furthermore, a meta-heuristic approach is proposed to reduce the long computation time required by the exact solution provided by the mathematical model and its performance is evaluated. The analysis conducted and the results obtained demonstrate the enormous potential of the proposed new approach for the creation of intelligent data planes that act effectively and autonomously as the first line of defense against cyber attacks, with minimal additional workload on the network devices involved.