pith. sign in

arxiv: 2509.12291 · v1 · submitted 2025-09-15 · 💻 cs.CR

Collaborative P4-SDN DDoS Detection and Mitigation with Early-Exit Neural Networks

Ouassim Karrakchou , Alaa Zniber , Anass Sebbar , Mounir Ghogho This is my paper

Pith reviewed 2026-05-18 17:18 UTC · model grok-4.3

classification 💻 cs.CR
keywords DDoS detectionP4 programmable data planeSDN control planeearly-exit neural networksquantized CNNGRUline-rate inferencenetwork security
0
0 comments X

The pith

A split early-exit neural network lets P4 data planes classify most DDoS flows at line rate while escalating uncertain cases to an SDN control-plane GRU.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper proposes a collaborative P4-SDN architecture for real-time DDoS detection and mitigation. It centers on an early-exit neural network that runs a quantized CNN for fast partial inference directly in the programmable data plane. Only low-confidence flows are sent upward to a GRU model in the control plane for deeper analysis. This split design targets both high detection accuracy and sharply lower inference latency plus control-plane load. A reader would care because it offers a concrete way to reconcile line-rate speed with adaptive machine-learning power in network defense.

Core claim

The authors introduce a collaborative architecture that integrates a P4-programmable data plane with an SDN control plane through a split early-exit neural network. A quantized CNN performs initial classification at line rate inside the data plane, while flows whose confidence falls below threshold are escalated to a GRU module residing in the control plane. Evaluation on real-world DDoS datasets shows that the system maintains high detection accuracy while achieving substantially lower inference latency and reduced control-plane overhead compared with centralized approaches.

What carries the argument

split early-exit neural network that runs a quantized CNN for partial inference in the P4 data plane and escalates uncertain flows to a GRU in the SDN control plane

If this is right

  • Most traffic receives line-rate classification without control-plane involvement.
  • Control-plane load drops because only uncertain flows trigger escalation.
  • Real-time mitigation becomes feasible through direct data-plane actions on confident detections.
  • Overall system accuracy stays high when tested against real-world DDoS traces.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • The same split-inference pattern could be tested on other time-sensitive network security tasks such as port-scan or botnet detection.
  • Adaptive thresholds that change with observed traffic volume might further reduce escalations without sacrificing accuracy.
  • Deployment in production P4 switches would require measuring the exact resource cost of embedding the quantized CNN weights.

Load-bearing premise

The quantized CNN inside the P4 data plane can correctly classify the great majority of flows at line rate so that only a small fraction must be escalated to the control-plane GRU without missing attacks or generating excessive overhead.

What would settle it

A measurement campaign that records either a high false-negative rate for the data-plane CNN on attack traffic or a large fraction of flows escalated to the control plane, resulting in missed attacks or control-plane saturation, would falsify the central performance claim.

Figures

Figures reproduced from arXiv: 2509.12291 by Alaa Zniber, Anass Sebbar, Mounir Ghogho, Ouassim Karrakchou.

Figure 1
Figure 1. Figure 1: Overview of the proposed architecture existing approaches, our design enables adaptive, confidence￾based early exits at the P4 switch to minimize control plane load, while preserving high detection accuracy through deeper inference at the controller when necessary. III. PROPOSED ARCHITECTURE This section presents the design of our collaborative P4- SDN framework for DDoS detection, detailing its key com￾po… view at source ↗
Figure 2
Figure 2. Figure 2: Exit Ratios for Different Thresholds on Test Data [PITH_FULL_IMAGE:figures/full_fig_p005_2.png] view at source ↗
Figure 3
Figure 3. Figure 3: Measured Network Metrics during the DDOS NS-3 simulation. [PITH_FULL_IMAGE:figures/full_fig_p006_3.png] view at source ↗
read the original abstract

Distributed Denial of Service (DDoS) attacks pose a persistent threat to network security, requiring timely and scalable mitigation strategies. In this paper, we propose a novel collaborative architecture that integrates a P4-programmable data plane with an SDN control plane to enable real-time DDoS detection and response. At the core of our approach is a split early-exit neural network that performs partial inference in the data plane using a quantized Convolutional Neural Network (CNN), while deferring uncertain cases to a Gated Recurrent Unit (GRU) module in the control plane. This design enables high-speed classification at line rate with the ability to escalate more complex flows for deeper analysis. Experimental evaluation using real-world DDoS datasets demonstrates that our approach achieves high detection accuracy with significantly reduced inference latency and control plane overhead. These results highlight the potential of tightly coupled ML-P4-SDN systems for efficient, adaptive, and low-latency DDoS defense.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 1 minor

Summary. The paper proposes a collaborative P4-SDN architecture for DDoS detection and mitigation that uses a split early-exit neural network: a quantized CNN performs partial inference directly in the P4 data plane to classify flows at line rate, while uncertain cases are escalated to a GRU module running in the SDN control plane. The authors state that experiments on real-world DDoS datasets show high detection accuracy together with substantially lower inference latency and control-plane overhead.

Significance. If the P4 implementation of the quantized CNN can be shown to meet line-rate constraints without material accuracy loss or pipeline violations, the approach would offer a practical route to embedding lightweight ML inference in the forwarding plane, reducing reliance on the control plane for high-volume traffic and thereby improving scalability of DDoS defenses in programmable networks.

major comments (2)
  1. [§4] §4 (Data-plane implementation): The central claim that the quantized CNN classifies the large majority of flows at line rate rests on an unverified assumption that the convolution operations fit within P4 match-action pipeline limits on arithmetic, state, and stage count. No description is given of the mapping to tables, any use of recirculation, or measured per-packet stage utilization, leaving open the possibility that the reported latency and overhead reductions cannot be realized on real hardware at 40–100 Gbps.
  2. [§5] §5 (Experimental evaluation): The manuscript asserts “high detection accuracy” and “significantly reduced inference latency” yet supplies no numerical results, baselines, error bars, dataset sizes, or attack-type breakdowns. Without these data it is impossible to determine whether the early-exit design actually preserves detection performance on attack flows or merely trades accuracy for speed.
minor comments (1)
  1. [Abstract] The abstract would be strengthened by the inclusion of at least one concrete performance figure (e.g., accuracy or latency reduction) rather than qualitative statements.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for the constructive and detailed feedback on our manuscript. We have reviewed the comments carefully and provide point-by-point responses below. We will revise the manuscript to address the identified gaps in implementation details and experimental reporting.

read point-by-point responses

  1. Referee: [§4] §4 (Data-plane implementation): The central claim that the quantized CNN classifies the large majority of flows at line rate rests on an unverified assumption that the convolution operations fit within P4 match-action pipeline limits on arithmetic, state, and stage count. No description is given of the mapping to tables, any use of recirculation, or measured per-packet stage utilization, leaving open the possibility that the reported latency and overhead reductions cannot be realized on real hardware at 40–100 Gbps.

    Authors: We acknowledge that the current version of the manuscript does not provide sufficient detail on the P4 pipeline mapping. In the revised manuscript we will add an expanded subsection in §4 that explicitly describes the mapping of the quantized CNN convolution and pooling operations to P4 match-action tables, any recirculation required for multi-stage arithmetic, and measured per-packet stage utilization on the target hardware. These additions will confirm that the design respects pipeline limits and sustains line-rate operation at 40–100 Gbps. revision: yes

  2. Referee: [§5] §5 (Experimental evaluation): The manuscript asserts “high detection accuracy” and “significantly reduced inference latency” yet supplies no numerical results, baselines, error bars, dataset sizes, or attack-type breakdowns. Without these data it is impossible to determine whether the early-exit design actually preserves detection performance on attack flows or merely trades accuracy for speed.

    Authors: We agree that the experimental section requires more concrete quantitative evidence. In the revision we will expand §5 to report specific accuracy metrics (precision, recall, F1-score), direct numerical comparisons against relevant baselines, error bars from repeated experimental runs, exact dataset sizes and compositions, and per-attack-type performance breakdowns. These additions will demonstrate that the early-exit mechanism preserves detection performance on attack flows while delivering the claimed latency and overhead reductions. revision: yes

Circularity Check

0 steps flagged

No circularity: performance claims rest on external experimental evaluation

full rationale

The paper describes a split early-exit architecture (quantized CNN in P4 data plane, GRU escalation to control plane) and supports its claims of high detection accuracy plus reduced latency/overhead solely through experimental results on real-world DDoS datasets. No equations, predictions, or uniqueness arguments are presented that reduce by construction to fitted parameters or prior self-citations; the central results are falsifiable against independent hardware benchmarks and datasets rather than being definitionally forced.

Axiom & Free-Parameter Ledger

0 free parameters · 1 axioms · 1 invented entities

The central claim rests on standard assumptions about neural-network applicability to traffic classification and introduces a new architectural split without external validation visible in the abstract.

axioms (1)
  • domain assumption A quantized CNN can perform accurate partial inference on network flow features at line rate in P4 hardware.
    Implicit in the description of the data-plane component.
invented entities (1)
  • Split early-exit neural network for P4-SDN no independent evidence
    purpose: Enable fast local classification with escalation of uncertain flows to control plane.
    Core novel component introduced by the paper.

pith-pipeline@v0.9.0 · 5705 in / 1291 out tokens · 55169 ms · 2026-05-18T17:18:22.848835+00:00 · methodology

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Lean theorems connected to this paper

Citations machine-checked in the Pith Canon. Every link opens the source theorem in the public Lean library.

What do these tags mean?
matches
The paper's claim is directly supported by a theorem in the formal canon.
supports
The theorem supports part of the paper's argument, but the paper may add assumptions or extra steps.
extends
The paper goes beyond the formal theorem; the theorem is a base layer rather than the whole result.
uses
The paper appears to rely on the theorem as machinery.
contradicts
The paper's claim conflicts with a theorem or certificate in the canon.
unclear
Pith found a possible connection, but the passage is too broad, indirect, or ambiguous to say the theorem truly supports the claim.

Reference graph

Works this paper leans on

30 extracted references · 30 canonical work pages

  1. [1]

    DDoS attacks in Industrial IoT: A survey,

    S. Chaudhary and P. K. Mishra, “DDoS attacks in Industrial IoT: A survey,”Computer Networks, vol. 236, p. 110015, Nov. 2023

    work page 2023

  2. [2]

    Survey of network-based defense mechanisms countering the DoS and DDoS problems,

    T. Peng, C. Leckie, and K. Ramamohanarao, “Survey of network-based defense mechanisms countering the DoS and DDoS problems,”ACM Comput. Surv., vol. 39, no. 1, pp. 3–es, Apr. 2007

    work page 2007

  3. [3]

    A comprehensive survey on DDoS defense systems: New trends and challenges,

    Q. Li, H. Huang, R. Li, J. Lv, Z. Yuan, L. Ma, Y . Han, and Y . Jiang, “A comprehensive survey on DDoS defense systems: New trends and challenges,”Computer Networks, vol. 233, p. 109895, Sep. 2023

    work page 2023

  4. [4]

    Deep learning approaches for detecting DDoS attacks: a systematic review,

    M. Mittal, K. Kumar, and S. Behal, “Deep learning approaches for detecting DDoS attacks: a systematic review,”Soft Comput., vol. 27, no. 18, pp. 1–37, Jan. 2022

    work page 2022

  5. [5]

    Software-defined networking: A com- prehensive survey,

    D. Kreutz, F. M. V . Ramos, P. E. Ver ´ıssimo, C. E. Rothenberg, S. Azodolmolky, and S. Uhlig, “Software-defined networking: A com- prehensive survey,”Proc. IEEE, vol. 103, no. 1, pp. 14–76, Jan. 2015

    work page 2015

  6. [6]

    Software-defined Networking-based DDoS Defense Mechanisms,

    R. Swami, M. Dave, and V . Ranga, “Software-defined Networking-based DDoS Defense Mechanisms,”ACM Comput. Surv., vol. 52, no. 2, pp. 28:1–28:36, Apr. 2019

    work page 2019

  7. [7]

    P4: Programming protocol-independent packet processors,

    P. Bosshart, G. Varghese, D. Walker, D. Daly, G. Gibb, M. Izzard, N. McKeown, J. Rexford, C. Schlesinger, D. Talayco, and A. Vahdat, “P4: Programming protocol-independent packet processors,”SIGCOMM Comput. Commun. Rev., vol. 44, no. 3, pp. 87–95, Jul. 2014

    work page 2014

  8. [8]

    A Machine Learning-Based Toolbox for P4 Programmable Data-Planes,

    K. Zhang, N. Samaan, and A. Karmouch, “A Machine Learning-Based Toolbox for P4 Programmable Data-Planes,”IEEE Trans. Netw. Service Manag., vol. 21, no. 4, pp. 4450–4465, Aug. 2024

    work page 2024

  9. [9]

    Collaborative Defense Against Hybrid Network Attacks by SDN Controllers and P4 Switches,

    Y .-C. Wang and P.-Y . Su, “Collaborative Defense Against Hybrid Network Attacks by SDN Controllers and P4 Switches,”IEEE Trans. Netw. Sci. Eng., vol. 11, no. 2, pp. 1480–1495, Mar. 2024

    work page 2024

  10. [10]

    A Two-Stage Confidence- Based Intrusion Detection System in Programmable Data-Planes,

    K. Zhang, N. Samaan, and A. Karmouch, “A Two-Stage Confidence- Based Intrusion Detection System in Programmable Data-Planes,” in GLOBECOM 2023 - 2023 IEEE Global Communications Conference, Dec. 2023, pp. 6850–6855

    work page 2023

  11. [11]

    Introducing packet-level analysis in programmable data planes to advance Network Intrusion Detection,

    R. Doriguzzi-Corin, L. A. D. Knob, L. Mendozzi, D. Siracusa, and M. Savi, “Introducing packet-level analysis in programmable data planes to advance Network Intrusion Detection,”Computer Networks, vol. 239, p. 110162, Feb. 2024

    work page 2024

  12. [12]

    Machine-Learning-Enabled DDoS Attacks Detection in P4 Pro- grammable Networks,

    F. Musumeci, A. C. Fidanci, F. Paolucci, F. Cugini, and M. Torna- tore, “Machine-Learning-Enabled DDoS Attacks Detection in P4 Pro- grammable Networks,”Journal of Network and Systems Management, vol. 30, no. 1, p. 21, Nov. 2021

    work page 2021

  13. [13]

    Early-exit deep neural network - a comprehensive survey,

    H. Rahmath P, V . Srivastava, K. Chaurasia, R. G. Pacheco, and R. S. Couto, “Early-exit deep neural network - a comprehensive survey,”ACM Comput. Surv., vol. 57, no. 3, Nov. 2024

    work page 2024

  14. [14]

    Shallow-deep networks: Under- standing and mitigating network overthinking,

    Y . Kaya, S. Hong, and T. Dumitras, “Shallow-deep networks: Under- standing and mitigating network overthinking,” inProceedings of the 36th International Conference on Machine Learning, 2019, pp. 3301– 3310

    work page 2019

  15. [15]

    Adadet: An adaptive object detection system based on early-exit neural networks,

    L. Yang, Z. Zheng, J. Wang, S. Song, G. Huang, and F. Li, “Adadet: An adaptive object detection system based on early-exit neural networks,” IEEE Trans. Cogn. Devel. Syst., vol. 16, no. 1, pp. 332–345, 2024

    work page 2024

  16. [16]

    PCEE- BERT: Accelerating BERT inference via patient and confident early exiting,

    Z. Zhang, W. Zhu, J. Zhang, P. Wang, R. Jin, and T.-S. Chung, “PCEE- BERT: Accelerating BERT inference via patient and confident early exiting,” inFindings of the Association for Computational Linguistics: NAACL 2022, Jul. 2022, pp. 327–338

    work page 2022

  17. [17]

    Dynamic nsnet2: Efficient deep noise suppression with early exiting,

    R. Miccini, A. Zniber, C. Laroche, T. Piechowiak, M. Schoeberl, L. Pezzarossa, O. Karrakchou, J. Sparsø, and M. Ghogho, “Dynamic nsnet2: Efficient deep noise suppression with early exiting,” in2023 IEEE 33rd International Workshop on Machine Learning for Signal Processing (MLSP), 2023, pp. 1–6

    work page 2023

  18. [18]

    Split computing and early exiting for deep learning applications: Survey and research challenges,

    Y . Matsubara, M. Levorato, and F. Restuccia, “Split computing and early exiting for deep learning applications: Survey and research challenges,” ACM Comput. Surv., vol. 55, no. 5, Dec. 2022

    work page 2022

  19. [19]

    Boosted dynamic neural networks,

    H. Yu, H. Li, G. Hua, G. Huang, and H. Shi, “Boosted dynamic neural networks,” inProceedings of the Thirty-Seventh AAAI Conference on Artificial Intelligence, 2023

    work page 2023

  20. [20]

    Deep feature surgery: Towards accurate and efficient multi- exit networks,

    C. Gong, Y . Chen, Q. Luo, Y . Lu, T. Li, Y . Zhang, Y . Sun, and L. Zhang, “Deep feature surgery: Towards accurate and efficient multi- exit networks,” inComputer Vision – ECCV 2024, 2025, pp. 435–451

    work page 2024

  21. [21]

    Detecting denial of service attacks using machine learning algorithms,

    K. Kumari and M. Mrunalini, “Detecting denial of service attacks using machine learning algorithms,”J. Big Data, vol. 9, no. 1, Dec. 2022

    work page 2022

  22. [22]

    Cyber-secure sdn: A cnn-based ap- proach for efficient detection and mitigation of ddos attacks,

    A. A. Najar and S. Manohar Naik, “Cyber-secure sdn: A cnn-based ap- proach for efficient detection and mitigation of ddos attacks,”Computers & Security, vol. 139, p. 103716, 2024

    work page 2024

  23. [23]

    Dl-ads: Improved grey wolf optimiza- tion enabled ae-lstm technique for efficient network anomaly detection in internet of thing edge computing,

    J. Manokaran and G. Vairavel, “Dl-ads: Improved grey wolf optimiza- tion enabled ae-lstm technique for efficient network anomaly detection in internet of thing edge computing,”IEEE Access, vol. 12, pp. 75 983– 76 002, 2024

    work page 2024

  24. [24]

    Optimizing ddos detection with time series transformers,

    C. Ejikeme, N. Kahani, and S. A. Ajila, “Optimizing ddos detection with time series transformers,” in2024 34th International Conference on Collaborative Advances in Software and COmputiNg (CASCON), 2024, pp. 1–6

    work page 2024

  25. [25]

    A gru deep learning system against attacks in software defined networks,

    M. V . Assis, L. F. Carvalho, J. Lloret, and M. L. Proenc ¸a, “A gru deep learning system against attacks in software defined networks,”Journal of Network and Computer Applications, vol. 177, p. 102942, 2021

    work page 2021

  26. [26]

    A hybrid cnn+lstm-based intrusion detection system for industrial iot networks,

    H. C. Altunay and Z. Albayrak, “A hybrid cnn+lstm-based intrusion detection system for industrial iot networks,”Engineering Science and Technology, an International Journal, vol. 38, p. 101322, 2023

    work page 2023

  27. [27]

    Cybernet model: A new deep learning model for cyber ddos attacks detection and recognition,

    A. A. Salih and M. B. Abdulrazaq, “Cybernet model: A new deep learning model for cyber ddos attacks detection and recognition,” Computers, Materials and Continua, vol. 78, no. 1, pp. 1275–1295, 2024

    work page 2024

  28. [28]

    Quantization and Training of Neural Networks for Efficient Integer-Arithmetic-Only Inference,

    B. Jacob, S. Kligys, B. Chen, M. Zhu, M. Tang, A. Howard, H. Adam, and D. Kalenichenko, “Quantization and Training of Neural Networks for Efficient Integer-Arithmetic-Only Inference,” inProceedings of the IEEE Conference on Computer Vision and Pattern Recognition, 2018, pp. 2704–2713

    work page 2018

  29. [29]

    Devel- oping realistic distributed denial of service (ddos) attack dataset and taxonomy,

    I. Sharafaldin, A. H. Lashkari, S. Hakak, and A. A. Ghorbani, “Devel- oping realistic distributed denial of service (ddos) attack dataset and taxonomy,” in2019 International Carnahan Conference on Security Technology (ICCST), 2019, pp. 1–8

    work page 2019

  30. [30]

    EP4: An application- aware network architecture with a customizable data plane,

    O. Karrakchou, N. Samaan, and A. Karmouch, “EP4: An application- aware network architecture with a customizable data plane,” inProc. IEEE 22nd Int. Conf. on High Performance Switching and Routing (HPSR), 2021, pp. 1–6

    work page 2021