Zing Forum


Real-Time IoT Intrusion Detection on P4 Programmable Data Planes: Technical Practice of Embedding Machine Learning into Network Switches

This article introduces the p4sec project, demonstrating how to implement a network intrusion detection system based on Principal Component Analysis (PCA) and machine learning models on P4 programmable switches, enabling line-rate traffic analysis and real-time threat identification.

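Tags: P4, programmable data plane, IoT security, intrusion detection, machine learning, network function virtualization, BMv2, principal component analysis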
Published 2026-06-02 04:15 | Recent activity 2026-06-02 04:19 | Estimated read 5 min

Section 01

Introduction: The p4sec Project—Real-Time IoT Intrusion Detection Practice on P4 Programmable Switches

The p4sec project builds on the P4 programmable data plane: it embeds Principal Component Analysis (PCA) and machine learning models into network switches to achieve line-rate traffic analysis and real-time IoT threat identification. This addresses bottlenecks of traditional centralized intrusion detection systems, such as high bandwidth consumption, high detection latency, and expensive deployment costs.


Section 02

Background: Unique Challenges of IoT Security and Edge Detection Requirements

The explosive growth of IoT devices brings severe security challenges. Traditional centralized intrusion detection systems rely on traffic mirroring to dedicated servers for analysis, facing bottlenecks in bandwidth, latency, and cost in scenarios with massive IoT devices. The sudden nature of IoT attacks (e.g., DDoS, brute force attacks) requires real-time blocking, making offloading detection capabilities to the network edge (switch level) a key solution.


Section 03

Methodology: P4 Technology and System Architecture Design

P4 is a programming language for describing how network devices process packets, and it supports redefining the processing pipeline of a programmable data plane. The p4sec system architecture includes seven phases: feature extraction (20-dimensional bidirectional flow features extracted from PCAP and maintained via register arrays); dimensionality reduction and quantization (PCA reduces the features to 7 dimensions, with a decision tree regressor approximating the projection); classifier training (decision tree or random forest, with training and test sets split by stratified sampling); code generation and deployment (generating P4 table entries, compiling and deploying to BMv2 switches, etc.).
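How a trained decision tree can become match-action table entries, as an added example that is not p4sec's own generator: each leaf is flattened into one entry of per-feature ranges, and a lookup over those entries must agree with walking the tree. The tree, its labels, the three features, the 8-bit quantized values and the range-style entry format are all constructed assumptions.

```python
# Added illustration: flatten a decision tree into range-match table entries.
# TREE, the labels, N_FEATURES and the 8-bit value range are constructed.
MAX = 255          # assumed 8-bit quantized feature values
N_FEATURES = 3     # assumed number of (reduced) features

# Internal node: (feature_index, threshold, left, right); left if value <= threshold.
# Leaf: class label string.
TREE = (0, 40,
        (1, 100, "benign", "bruteforce"),
        (2, 10, (0, 200, "benign", "ddos"), "ddos"))

def tree_to_entries(node, bounds=None):
    """Return one entry per reachable leaf: ([(lo, hi) per feature], label)."""
    if bounds is None:
        bounds = [(0, MAX)] * N_FEATURES
    if isinstance(node, str):
        return [(list(bounds), node)]
    feat, thr, left, right = node
    lo, hi = bounds[feat]
    entries = []
    if lo <= min(hi, thr):            # left branch still reachable
        b = list(bounds)
        b[feat] = (lo, min(hi, thr))
        entries += tree_to_entries(left, b)
    if max(lo, thr + 1) <= hi:        # right branch still reachable
        b = list(bounds)
        b[feat] = (max(lo, thr + 1), hi)
        entries += tree_to_entries(right, b)
    return entries

def classify_tree(node, x):
    """Reference classifier: walk the tree as software would."""
    while not isinstance(node, str):
        feat, thr, left, right = node
        node = left if x[feat] <= thr else right
    return node

def classify_table(entries, x, default=None):
    """Data-plane style lookup: first entry whose ranges all match wins."""
    for ranges, label in entries:
        if all(lo <= v <= hi for v, (lo, hi) in zip(x, ranges)):
            return label
    return default

if __name__ == "__main__":
    for ranges, label in tree_to_entries(TREE):
        print(ranges, "->", label)
```

The number of entries grows with the number of leaves, while the key width grows with the number and width of features matched, which is the resource trade-off the evaluation section reports.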


Section 04

Evidence: Experimental Validation and Performance Evaluation

Evaluated on the CIC-IoT 2023 dataset, the PCA + decision tree configuration achieved a macro-average F1 score of 97.07% on BMv2 (with approximately 118,000 table entries); the baseline method of raw features + decision tree achieved an F1 score of 97.09% (only 436 table entries, but requiring a 552-bit composite key), reflecting the trade-off between algorithm complexity and hardware resources.


Section 05

Deployment Scenarios and Limitations

Deployment is divided into two layers: an IoT gateway scenario (BMv2/P4Pi running on Raspberry Pi) and an industrial IoT aggregation switch scenario (feasibility analysis of Tofino-class ASICs). Current limitations: tcpreplay cannot accurately reproduce packet timing, which leads to deviations, and mixed traffic in public datasets causes incomplete matching between labels and content.


Section 06

Conclusion and Future Directions

p4sec provides a complete technical reference implementation for in-network machine learning inference, demonstrating the capabilities of the P4 programmable plane and a systematic methodology; future directions include more precise traffic replay mechanisms, finer-grained traffic annotation methods, and promoting the architectural development of offloading intelligence to network infrastructure.