Detecting Attacks at Switching Speed: AI/ML and Active Learning for in-Network Monitoring in Data Planes

Belén Brandino (author and presenter), Pedro Casas-Hernandez, Eduardo Grampin

Publication type: Contribution to book or conference proceedings; talk with paper in proceedings; peer-reviewed

Abstract

Early decision-making at the network device is crucial for network security. This entails moving beyond traditional forwarding functions towards more intelligent network devices. One strategy to speed up decision-making is to place intelligent traffic analysis directly in the data plane, so that traffic is analyzed before it is forwarded. Integrating Artificial Intelligence/Machine Learning (AI/ML) models into the data plane enables faster processing and reduces reliance on the control plane. We address the development of an AI/ML-driven Intrusion Detection System (IDS) in which network devices either make security decisions autonomously or defer to an expert oracle, relying on in-band and off-band traffic analysis. Programmable devices, such as those using P4, are essential to enable these functionalities and allow a network device to be retrained as traffic patterns change. We introduce HALIDS, a prototype in-band AI/ML-IDS built on P4, complemented by off-band oracles that back the in-network ML classifier with higher-confidence labels in an active-learning loop aimed at more accurate in-band analysis. We implement HALIDS on the open-source software switch BMv2 and demonstrate its operation on publicly available real traffic traces. Evaluation results show that the proposed system is sound and could be deployed in a real network as an efficient and highly adaptive security mechanism.
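To make the decision flow described in the abstract concrete, here is an added simulation written for this page; it is not HALIDS's implementation or P4 code from the paper. It assumes three integer per-flow features a switch could keep in registers, a nearest-centroid model computed with integer arithmetic only (so its thresholds could be installed in match-action tables), a fixed confidence margin below which a flow is deferred to the off-band oracle, and constructed traffic samples. The loop shows the in-band classifier deciding locally on flows it is confident about, deferring two scan flows that resemble neither class in its initial training set, and classifying them locally once the oracle's labels have been fed back (active learning).

```python
"""Illustrative simulation of an in-band classifier with oracle deferral and
active-learning retraining (added example, not code from the paper). The
features, model, threshold and traffic samples are constructed assumptions."""
from typing import Dict, List, Optional, Tuple

# Assumed per-flow features a switch can keep in integer registers:
#   syn_ratio   - percentage of packets with SYN set             (0-100)
#   small_pkts  - percentage of packets shorter than 100 bytes   (0-100)
#   port_spread - distinct destination ports seen, capped at 100
Flow = Tuple[int, int, int]
BENIGN, ATTACK = 0, 1

# Constructed seed training set: benign web-like flows and SYN floods only.
SEED_SET: List[Tuple[Flow, int]] = [
    ((5, 30, 1), BENIGN), ((3, 25, 2), BENIGN), ((7, 35, 1), BENIGN),
    ((95, 98, 1), ATTACK), ((97, 99, 1), ATTACK), ((93, 97, 1), ATTACK),
]

# Constructed traffic stream. The 3rd and 4th flows are port scans, which
# look like neither seed class. True labels are known only to the oracle.
STREAM: List[Tuple[Flow, int]] = [
    ((4, 28, 1), BENIGN), ((96, 99, 1), ATTACK),
    ((50, 65, 80), ATTACK), ((55, 70, 90), ATTACK), ((6, 32, 2), BENIGN),
]

MARGIN_THRESHOLD = 40   # assumed confidence margin needed for a local verdict


def train_centroids(labelled: List[Tuple[Flow, int]]) -> Dict[int, Flow]:
    """Nearest-centroid model using integer division only."""
    centroids: Dict[int, Flow] = {}
    for label in (BENIGN, ATTACK):
        rows = [f for f, l in labelled if l == label]
        centroids[label] = tuple(sum(col) // len(rows) for col in zip(*rows))
    return centroids


def manhattan(a: Flow, b: Flow) -> int:
    return sum(abs(x - y) for x, y in zip(a, b))


def data_plane_decide(flow: Flow, centroids: Dict[int, Flow]) -> Tuple[Optional[int], int]:
    """Return (label, margin); label is None when the flow must be deferred."""
    d_benign = manhattan(flow, centroids[BENIGN])
    d_attack = manhattan(flow, centroids[ATTACK])
    margin = abs(d_benign - d_attack)
    if margin < MARGIN_THRESHOLD:
        return None, margin           # low confidence: defer to the oracle
    return (ATTACK if d_attack < d_benign else BENIGN), margin


def run_round(centroids: Dict[int, Flow], stream: List[Tuple[Flow, int]]):
    """One pass over the stream: local verdicts plus the deferred queue."""
    verdicts, deferred = [], []
    for flow, truth in stream:
        label, _ = data_plane_decide(flow, centroids)
        if label is None:
            deferred.append((flow, truth))
        verdicts.append(label)
    return verdicts, deferred


def active_learning_round(labelled: List[Tuple[Flow, int]], stream: List[Tuple[Flow, int]]):
    """Classify in-band, send deferred flows to the oracle, extend training data."""
    centroids = train_centroids(labelled)
    verdicts, deferred = run_round(centroids, stream)
    # The off-band oracle (ground truth here) labels only what was deferred.
    labelled = labelled + [(flow, truth) for flow, truth in deferred]
    return verdicts, deferred, labelled


def simulate():
    """Two rounds: before and after retraining on the oracle's labels."""
    verdicts1, deferred1, labelled = active_learning_round(SEED_SET, STREAM)
    verdicts2, deferred2, _ = active_learning_round(labelled, STREAM)
    return verdicts1, len(deferred1), verdicts2, len(deferred2)


if __name__ == "__main__":
    v1, n1, v2, n2 = simulate()
    print("round 1 verdicts:", v1, "deferred:", n1)
    print("round 2 verdicts:", v2, "deferred:", n2)
```

In round 1 the two scan flows sit almost equidistant from the benign and flood centroids (margins 2 and 22, below the threshold of 40) and are deferred; after the oracle's labels move the attack centroid, both are classified as attacks locally with margins above 60, and nothing is deferred in round 2. A single oracle label would not have been enough here (the margin for the first scan would rise only to 30), which is why the loop batches deferred flows before retraining.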
Original language: English
Title: 2024 IEEE 32nd International Conference on Network Protocols (ICNP)
Pages: 1-6
Number of pages: 6
ISBN (electronic): 979-8-3503-5171-2
DOIs
Publication status: Published - 4 Feb 2025
Event: 2024 IEEE 32nd International Conference on Network Protocols - Charleroi, Belgium
Duration: 28 Oct 2024 to 31 Oct 2024

Conference

Conference: 2024 IEEE 32nd International Conference on Network Protocols
Short title: ICNP 2024
Country/Territory: Belgium
City: Charleroi
Period: 28/10/24 to 31/10/24

Research Field

  • Multimodal Analytics
