Deploying machine learning (ML) models in programmable switch data planes enables low-latency, high-throughput traffic inference at line rate. However, data planes impose severe constraints: limited memory and minimal support for mathematical operations and data types. As a result, the only unsupervised ML models implemented in data planes to date are Isolation Forests (iForests). Conventional iForest models, though, yield suboptimal malicious-traffic detection performance in many traffic use cases. To address this limitation, this paper proposes iGuard, the first iForest implementation that can accurately detect malicious traffic by incorporating the "knowledge" of more powerful autoencoders. We deploy iGuard as a small set of whitelist rules that can be installed directly in the switch data plane. We implement iGuard in the P4 language and assess its performance on an experimental platform based on Intel Tofino switches. Across a range of attack-traffic use cases, iGuard improves accuracy by up to 48.3% while maintaining a similar or lower switch memory footprint than previous approaches to implementing iForest models in real-world equipment.
- We present a novel iForest model (iGuard) that accurately detects malicious traffic in the data plane at line rate. The design combines autoencoder-guided training, knowledge distillation from autoencoders to the trained iForest, and conversion of the iForest into a small set of whitelist rules that can be installed on the target switch.
- We describe the challenges of implementing iGuard on Intel's Tofino switch and of building a working prototype.
- We extensively evaluate iGuard in a real-world testbed, showing its accuracy gains over previous iForest implementations on a range of attack and benign-traffic datasets while keeping a similar or lower switch memory footprint.
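As an added illustration (example code, not iGuard's own conversion procedure, which the abstract does not detail), the Python below shows the basic idea behind turning an isolation forest into range-match whitelist rules of the kind a switch table can hold. It assumes two integer flow features (packet length and inter-arrival time), keeps only leaves at or below a chosen depth (regions where normal traffic is hard to isolate), tightens every leaf's range to the training data actually seen in that leaf so that nothing outside observed normal traffic is ever whitelisted, and uses a quorum of per-tree table hits in place of the averaged path length. The training flows are constructed; the autoencoder-guided training and distillation the paper describes are not reproduced.

```python
"""Isolation tree -> range-match whitelist rules (constructed example)."""
import math
import random


def make_training_flows(n=256, seed=7):
    """Constructed 'normal' flows as (pkt_len, iat_us); not real traffic."""
    rng = random.Random(seed)
    return [(rng.randint(400, 1500), rng.randint(50, 200)) for _ in range(n)]


class Leaf:
    def __init__(self, depth, lo, hi, size):
        # lo/hi are the per-feature min/max of the training points in this leaf,
        # i.e. the tightened hyper-rectangle that becomes one range rule.
        self.depth, self.lo, self.hi, self.size = depth, lo, hi, size


class Split:
    def __init__(self, feat, thr, left, right):
        self.feat, self.thr, self.left, self.right = feat, thr, left, right


def build_tree(X, rng, depth=0, max_depth=8):
    """Standard iTree: random feature, random threshold in [min, max)."""
    n_feat = len(X[0])
    lo = tuple(min(x[f] for x in X) for f in range(n_feat))
    hi = tuple(max(x[f] for x in X) for f in range(n_feat))
    if depth >= max_depth or len(X) <= 1 or lo == hi:
        return Leaf(depth, lo, hi, len(X))
    feat = rng.randrange(n_feat)
    if lo[feat] == hi[feat]:  # no spread on this feature; pick one that has some
        feat = rng.choice([f for f in range(n_feat) if lo[f] < hi[f]])
    thr = rng.uniform(lo[feat], hi[feat])
    left = [x for x in X if x[feat] < thr]
    right = [x for x in X if x[feat] >= thr]
    if not left or not right:  # degenerate draw (thr hit the boundary): stop
        return Leaf(depth, lo, hi, len(X))
    return Split(feat, thr, build_tree(left, rng, depth + 1, max_depth),
                 build_tree(right, rng, depth + 1, max_depth))


def tree_depth(node, x):
    """Path length of x in one tree (what iForest scores on)."""
    while isinstance(node, Split):
        node = node.left if x[node.feat] < node.thr else node.right
    return node.depth


def leaves(node):
    if isinstance(node, Leaf):
        yield node
    else:
        yield from leaves(node.left)
        yield from leaves(node.right)


def extract_rules(tree, d_min):
    """One (lo, hi, depth) range rule per leaf at depth >= d_min.

    Leaf boxes are disjoint subsets of the tree's cells, so at most one rule
    matches any point, and a match implies the tree would route the point to
    that very leaf (rule depth == tree_depth)."""
    return [(lf.lo, lf.hi, lf.depth) for lf in leaves(tree) if lf.depth >= d_min]


def match(rules, x):
    """Depth of the matching rule, or None on a table miss."""
    for lo, hi, depth in rules:
        if all(l <= v <= h for l, v, h in zip(lo, x, hi)):
            return depth
    return None


def build_forest(X, n_trees=25, sample=128, seed=1):
    rng = random.Random(seed)
    max_depth = math.ceil(math.log2(sample))
    return [build_tree(rng.sample(X, min(sample, len(X))), rng, 0, max_depth)
            for _ in range(n_trees)]


def forest_rules(trees, d_min):
    """One rule table per tree; in hardware each would be a range-match table."""
    return [extract_rules(t, d_min) for t in trees]


def allow(rulesets, x, quorum):
    """Whitelist x if at least `quorum` tables hit (assumed stand-in for the
    averaged-path-length decision; a counter in packet metadata suffices)."""
    hits = sum(1 for rs in rulesets if match(rs, x) is not None)
    return hits >= quorum


def render_rules(rules, names=("pkt_len", "iat_us")):
    """Human-readable rule lines (illustrative format, not P4/bfrt syntax)."""
    return [" ".join(f"{n} {l}..{h}" for n, l, h in zip(names, lo, hi)) + " -> allow"
            for lo, hi, _ in rules]


if __name__ == "__main__":
    X = make_training_flows()
    trees = build_forest(X)
    tables = forest_rules(trees, d_min=3)
    print("rules per table:", [len(t) for t in tables])
    print("\n".join(render_rules(tables[0])[:5]))
    print("typical flow allowed:", allow(tables, (900, 120), quorum=len(trees) // 2))
    print("far-off flow allowed:", allow(tables, (9000, 9000), quorum=1))
```

Because each rule's range is clipped to the training data in its leaf, a flow that lies outside the bounding box of all observed normal traffic can never hit any table, regardless of how the random splits fell; that is the property a whitelist (rather than a blacklist) buys in the data plane. The number of rules per table is what has to fit in switch memory, which is why the depth threshold and the subsample size are the knobs to tune.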
Sankalp Mittal
V. Harikrishnan
Patel Heetkumar