Toward Continuous Threat Defense: in-Network Traffic Analysis for IoT Gateways

The widespread use of IoT devices has unveiled overlooked security risks. With the advent of ultrareliable low-latency communications (URLLCs) in 5G, fast threat defense is critical to minimize damage from attacks. IoT gateways, equipped with wireless/wired interfaces, serve as vital frontline defense against emerging threats on IoT edge. However, current gateways struggle with dynamic IoT traffic and have limited defense capabilities against attacks with changing patterns. In-network computing offers fast machine learning (ML)-based attack detection and mitigation within network devices, but leveraging its capability in IoT gateways requires new continuous learning capability and runtime model updates. In this work, we present P4Pir, a novel in-network traffic analysis framework for IoT gateways. P4Pir incorporates programmable data plane into IoT gateway, pioneering the utilization of in-network ML inference for fast mitigation. It facilitates continuous and seamless updates of in-network inference models within gateways. P4Pir is prototyped in P4 language on raspberry pi and Dell Edge Gateway. With ML inference offloaded to gateway's data plane, P4Pir's in-network approach achieves swift attack mitigation and lightweight deployment compared to prior ML-based solutions. Evaluation results using three public data sets show that P4Pir accurately detects and fastly mitigates emerging attacks (>30% accuracy improvement and submillisecond mitigation time). The proposed model updates method allows seamless runtime updates without disrupting network traffic.