A Two-Stage Confidence-Based Intrusion Detection System in Programmable Data-Planes

The frequent occurrence of network attacks highlights the criticality of developing effective intrusion detection systems (IDSs) that can promptly detect and respond to malicious flows. The proliferation of programmable devices has opened up new possibilities for integrating intelligent IDSs into the data-plane. This allows the execution of machine learning (ML)-based detection models at line-rate, meeting the low latency requirements of anomaly detection. We propose a two-stage confidence-based Intrusion Detection System (TSCIDS) that aims at early detection while considering the level of certainty of prediction. The control-plane adopts a customized transfer learning scheme, wherein two interdependent convolutional neural network (CNN) models are trained, one using the early context of flows and the other adding the later context. A post-hoc calibration method is applied to improve the performance of models. TSCIDS detects anomalous behavior in different phases of flows while allowing the latter CNN to leverage the hidden state of the early CNN. TSCIDS ensures that the two CNN models are integrated into the data-plane pipeline by building the inference steps of CNN into different modules, using switch-supported operations. Simulation results show that the calibrated model can detect more attacks in the early phase compared to the uncalibrated model. Additionally, the training scheme saves the memory consumption of running models on programmable devices.