A COLLABORATIVE NETWORK INTRUSION DETECTION ARCHITECTURE FOR A PROGRAMMABLE DATA PLANE
For early detection of and response to network threats, a network intrusion detection system should run directly on the data plane. However, an intrusion detection model built on advanced machine learning techniques is too complex to fit on resource-constrained switches. To address this problem, we propose a lightweight joint detection model inspired by classification parallelism and neuron pruning. Specifically, the traditional multi-label classification model is decoupled into several class-specific sub-models, each of which is responsible for detecting one or several traffic classes. In our model, the number of participating switches can vary with the network traffic and the computing resources available on edge devices. Moreover, to reduce the size of each sub-model, magnitude pruning is applied so that only the salient connections are kept. Evaluation experiments are conducted under various network parameters, and the results show that the proposed architecture achieves much lower model complexity than the traditional multi-label classifier without a reduction in classification performance.
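The decoupling and pruning steps described above, as an added toy illustration that is not the paper's code: a one-vs-rest logistic regression (a stand-in for the "advanced" model, chosen so the example runs offline with only numpy) is split into one sub-model per traffic class, each sub-model is magnitude-pruned to keep a fixed fraction of its largest weights, and the sub-models are spread over a configurable number of switches whose scores are combined into one joint decision. The flow features, class count and round-robin placement are constructed assumptions for the example; the parameter counts compare the non-zero weights each switch must hold against a single multi-class softmax head on one switch.

```python
"""Toy decoupled-and-pruned detector (added illustration, not the paper's model)."""
import numpy as np

N_CLASSES, N_FEATURES = 4, 8   # assumed: 4 traffic classes, 8 flow features


def make_traffic(n_per_class=200, seed=0):
    """Constructed synthetic flow features: class c shifts feature c by +4."""
    rng = np.random.default_rng(seed)
    xs, ys = [], []
    for c in range(N_CLASSES):
        x = rng.normal(size=(n_per_class, N_FEATURES))
        x[:, c] += 4.0
        xs.append(x)
        ys.append(np.full(n_per_class, c))
    return np.vstack(xs), np.concatenate(ys)


def sigmoid(z):
    return 1.0 / (1.0 + np.exp(-np.clip(z, -500, 500)))


def train_binary(X, t, epochs=300, lr=0.1):
    """Class-specific sub-model: logistic regression, one class vs. the rest."""
    w, b = np.zeros(X.shape[1]), 0.0
    for _ in range(epochs):
        g = sigmoid(X @ w + b) - t          # gradient of the log loss
        w -= lr * X.T @ g / len(X)
        b -= lr * g.mean()
    return w, b


def magnitude_prune(w, keep_fraction):
    """Keep exactly the ceil(keep_fraction * n) largest-|w| connections."""
    k = max(1, int(np.ceil(keep_fraction * w.size)))
    keep = np.argsort(np.abs(w))[::-1][:k]
    pruned = np.zeros_like(w)
    pruned[keep] = w[keep]
    return pruned


def build_submodels(X, y, keep_fraction):
    """Decouple the multi-class problem into one pruned sub-model per class."""
    return {c: (magnitude_prune(*train_binary(X, (y == c).astype(float))[:1],
                                keep_fraction),
                train_binary(X, (y == c).astype(float))[1])
            for c in range(N_CLASSES)} if False else {
        c: (lambda wb: (magnitude_prune(wb[0], keep_fraction), wb[1]))(
            train_binary(X, (y == c).astype(float)))
        for c in range(N_CLASSES)}


def assign_to_switches(models, n_switches):
    """Place sub-models on the participating switches (round-robin placement)."""
    switches = [dict() for _ in range(n_switches)]
    for c, m in models.items():
        switches[c % n_switches][c] = m
    return switches


def joint_predict(switches, X):
    """Collaborative decision: every switch scores the classes it hosts,
    and the class with the highest score across switches wins."""
    scores = np.full((len(X), N_CLASSES), -np.inf)
    for sw in switches:
        for c, (w, b) in sw.items():
            scores[:, c] = sigmoid(X @ w + b)
    return scores.argmax(axis=1)


def nonzero_params(switch):
    """Parameters a switch must actually store: non-zero weights plus biases."""
    return sum(int(np.count_nonzero(w)) + 1 for w, _ in switch.values())


def run(keep_fraction=0.5, n_switches=2):
    X, y = make_traffic()
    switches = assign_to_switches(build_submodels(X, y, keep_fraction), n_switches)
    acc = float((joint_predict(switches, X) == y).mean())
    full_params = N_CLASSES * (N_FEATURES + 1)   # one softmax head on one switch
    return acc, full_params, [nonzero_params(sw) for sw in switches]


if __name__ == "__main__":
    acc, full, per_switch = run()
    print(f"joint accuracy={acc:.3f} full model params={full} per switch={per_switch}")
```

With the default settings each of the two switches holds two sub-models of four surviving weights plus a bias (10 parameters) instead of the 36-parameter full head, while the joint decision still separates the four constructed classes; raising `n_switches` spreads the same sub-models thinner, and lowering `keep_fraction` trades a few more misclassifications for smaller per-switch models.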