Verify All Traffic: Towards Zero-Trust In-Network Intrusion Detection Against Multipath Routing

With the popularity of encryption protocols, machine learning (ML)-based traffic analysis technologies have attracted widespread attention. To adapt to modern high-speed bandwidth, recent research is dedicated to advancing zero-trust intrusion detection by offloading feature extraction and model inference into the network dataplane. Especially, with the rise of programmable switches, achieving line-speed ML inference becomes promising. However, existing research only considers a single switch node as a relay to conduct evaluation. This is far from real-world deployments involving multiple switches (given that zero-trust security assumes that threats can originate from anywhere, including within the network), particularly the multipath routing phenomenon that exists in practice. In this paper, we reveal practical challenges in the context of enabling line-speed model inference in the network dataplane. Furthermore, we propose FCPlane, the forwarding and computing integrated dataplane for zero-trust intrusion detection that aims to enable efficient load balancing while providing reliable traffic analysis results, even against multipath routing. The core idea is to reconcile forwarding and computation to the flowlet level, for which a tailor-made Markov chain model is designed. Based on two public traffic datasets, we evaluate seven state-of-the-art in-network traffic analysis models deployed in four types of topologies (three with multipath routing and one without) to explore performance impact and demonstrate the effectiveness of our proposal.