Date of publication xxxx 00, 0000, date of current version xxxx 00, 0000.

Digital Object Identifier 10.1109/ACCESS.2017.DOI

P4-ShieldNet: A Holistic, Adaptive

Security Architecture Using
Programmable Data Planes
YUSUF KURSAT TUNCEL1 , KASIM ÖZTOPRAK1 (MEMBER, IEEE), AND ISMAIL BUTUN2,3
(MEMBER, IEEE)
1
Konya Food and Agriculture University, Konya, Turkey (e-mails: [email protected], [email protected])
2
Department of Electrical Engineering and Computer Science, KTH Royal University of Technology, SE-100 44 Stockholm, Sweden (e-mail: [email protected])
3
Department of Computer Engineering, OSTIM Technical University Ankara, Turkey (e-mail: [email protected])
Corresponding author: Ismail Butun (e-mail: [email protected]).
This research is supported by KTH Royal Institute of Technology, Sweden

ABSTRACT In this paper, the authors present an innovative security architecture for Network Security by
utilizing the P4 (Programming Protocol-independent Packet Processors) switches, called P4-Shield. In this
regard, the paper starts with presenting an in-depth, comparative survey of the state-of-the-art in utilizing
P4 switches for holistic security platforms. This is followed by the methodology and details of the proposed
P4-Shield security architecture. Through rigorous experimental evaluation, it has been demonstrated that the
trans-formative performance gains of P4-based security services over traditional approaches. For intrusion
detection systems, P4 switches achieve 40x higher throughput (100 Gbps vs 2.5 Gbps) with 99% lower
latency. DDoS mitigation sees 16x throughput improvement and 90% latency reduction. VPN encryption is
5x faster with 80% less delay. These benefits stem from P4’s line-rate packet processing capabilities. We also
highlight P4’s ability to provide adaptive, coordinated security intelligence by distributing state across the
network fabric. Simulation results of the proposed P4-ShieldNet architecture on Internet-scale topologies
demonstrate over 1.8 Tbps network-wide throughput under 2 Tbps DDoS attack, with less than 5% packet
loss. The authors meticulously examined the breadth of security services enabled by P4 switches, analyzed
their performance advantages over traditional solutions, and identified cutting-edge trends and open research
challenges in this rapidly evolving field. The findings of this study robustly demonstrate that P4 switches are
pivotal for implementing sophisticated, high-performance security architectures directly on the data plane.

INDEX TERMS Holistic security architecture, programmable data planes, P4 switches, network security,
intrusion detection, DDoS protection, traffic encryption, deep packet inspection, network forensics, adaptive
security, in-network computing, line-rate processing

I. INTRODUCTION planes, particularly those based on the P4 language, which

N today’s hyperconnected world, the cybersecurity threat have emerged as a game-changing solution. The above hy-
I landscape is not just evolving; it’s undergoing a seismic
shift. The advent of IoT, 5G, and cloud computing has
pothesis can thus be easily confirmed that P4 is not just a lan-
guage but a different way of designing network systems that
exponentially increased the attack surface, making traditional was first suggested by Bosshart et al. [3]. P4 permits network
security models increasingly inadequate [1]. These models administrators to define personalized packet-processing ac-
often rely on a chain of dedicated middleboxes—firewalls, tions in switches, routers, and additional data plane gadgets.
intrusion detection systems (IDS), DDoS mitigators—each In contrast to traditional switches that have unique fixed
adding latency, cost, and complexity [2]. This fragmented functions which do not change; P4 switches are like
approach not only hinders network performance, but also chameleon because they can change their operation depend-
creates security gaps between disparate systems. ing on the task at hand. They can be tailored for specific pro-
Once the researchers started extending the work of tocols, support complex packet transformations, and integrate
software-defined networking (SDN) into programmable data security functionality right into the switch fabric [4], [5].

VOLUME 4, 2024 1
 Tuncel et al.: P4-ShieldNet: A Holistic, Adaptive Security Architecture Using Programmable Data Planes

This capacity is consistent with the idea of comprehensive A. INTRUSION DETECTION SYSTEMS (IDS)
security platforms, which define security as something that is IDS functionality in P4 switches has seen remarkable
not separated from, but rather built into networks. progress. In their work, researchers [8] implemented a P4-
P4’s potential has been further enhanced by recent pro- based IDS that could perform Snort-like rule matching di-
gresses. The initiation of the P4_16 language version in 2017 rectly in the switch. They leveraged P4’s flexible parser to
came with tighter typing systems and increased modularity handle complex protocols and used match-action tables for
in programming, thus simplifying the creation of intricate signature detection, achieving impressive speeds.
functions [6]. Additionally, advancements like the introduc-
tion of systems on chips (SOCs) containing programmable B. DDOS MITIGATION
ASIC like Barefoot’s Tofino series which can sustain speeds Ding et al. [9] proposed P4DDoS, a system for detecting
of up to terabits per second (Tbps) were realized [7].These volumetric DDoS attacks using programmable data planes.
advancements have paved the way for P4 switches to be the The key aspects of their approach are:
foundation of unified next-generation security frameworks. 1) They developed P4LogLog, a novel algorithm for es-
In the presence of increased sophisticated and voluminous timating flow cardinality in P4 switches, based on the
threats, the security crusades mounted by present day net- LogLog algorithm. Copy
works have become disjointed and unresponsive although 2) They created P4NEntropy, a strategy for estimating
their only hope lies in this direction. We present a mod- normalized Shannon entropy of network traffic directly
ern model called P4-ShieldNet, which adopts a comprehen- in the P4 data plane.
sive and adjustable safety system using P4-programmable 3) P4DDoS uses P4NEntropy to detect DDoS attacks
switches. In this system, P4-ShieldNet, different security by monitoring changes in the normalized entropy of
mechanisms are within the network structure and hence work destination IP addresses.
faster than any other kind of network security available. 4) Their approach avoids using TCAM and works entirely
There is a lot to talk about in regard to some unique features in the data plane, reducing communication overhead
and possible aids that make it differ as indicated below in this with the controller.
model approach: 5) P4DDoS showed comparable or better detection ac-
curacy than state-of-the-art solutions, especially for
• Comprehensive survey and analysis of utilizing P4
internal botnet DDoS attacks.
switches for diverse security functions like intrusion
6) They evaluated their system using CAIDA datasets and
detection, DDoS mitigation, encryption, deep packet
simulated DDoS attacks, showing good performance
inspection, forensics, and more, demonstrating P4’s ver-
across various attack scenarios.
satility as a platform for holistic security.
• Proposing an end-to-end architecture (P4-ShieldNet) They focused on implementing entropy-based DDoS de-
that integrates these various security modules as P4 tection entirely within P4 programmable switches, without
programs running on switches, enabling real-time adap- relying on external components or controller interaction for
tation and reconfiguration based on network threats. the core detection logic.
• Unique mechanisms like distributed security state shar- For more targeted defenses, Rahouti et al. [10] developed
ing, service chaining, and resource-aware scaling that SYNGuard in 2021. This SDN-based system focuses on SYN
leverage P4 capabilities to provide a coordinated, re- flood attacks, using a dynamic threshold-based detection
silient, and high-performance security plane across the mechanism in the kernel level. SYNGuard can differentiate
network fabric. between legitimate clients and attackers based on their traffic
• Rigorous performance evaluation through testbed ex- patterns, effectively blocking SYN floods while maintaining
periments and large-scale simulations, quantifying the lower CPU and memory overhead compared to traditional
transformative gains of P4-based security services over IDPS solutions like Snort and Zeek. Experimental results
traditional approaches in terms of throughput, latency, on the GENI testbed demonstrated SYNGuard’s superior
and resource efficiency. performance in terms of inspection time, mitigation time, and
• Identifying cutting-edge trends and open research chal- resource utilization.
lenges in areas such as hardware acceleration, self-
adaptive defenses, homomorphic encryption in P4, and C. ENCRYPTION AND KEY MANAGEMENT
intent-based security management, charting a roadmap Contrary to the belief that switches can’t handle cryptog-
for future work in this domain. raphy, recent work shows P4 switches performing substan-
tial cryptographic tasks. Oliveira et al. [16] implemented
Diffie-Hellman key exchange and AES encryption directly
II. RELATED WORK
in P4 switches in 2021. Their dh-aes-p4 system enables P4
This section summarizes the literature related to Security switches to establish secure channels between each other
Services via P4 Switches. without controller intervention. By leveraging P4’s pro-
grammability for cryptographic operations, they demonstrate
2 VOLUME 4, 2024
Tuncel et al.: P4-ShieldNet: A Holistic, Adaptive Security Architecture Using Programmable Data Planes

TABLE 1: Performance comparison between traditional and P4-based security services.

Service Traditional Approach P4 Based Solution Througput Gain Latency Reduction
IDS [11] Snort(CPU) P4-IDS 40x (100 Gbps) 99% (1.2 µs)
DDoS Mitigation [12] iptables POSEIDON 16x (160 Gbps) 90% (5 µs)
IPsec VPN [13] OpenVPN P4-IPsec 5x (40 Gbps) 80% (10 µs)
DPI [14] Snort + GPU P4-DPI 3x (100 Gbps) 95% (2 µs)
Forensics [15] NetFlow NetSight N/A 99% (100 µs)

that data plane nodes can autonomously perform key ex- implement a finite-state machine for string matching within
change and encryption, reducing load on the SDN control packet payloads. One copy of the packet is recirculated and
plane while maintaining security. This work highlights the sliced byte-by-byte, while the original is either discarded if
growing capabilities of programmable data planes to handle a match is found or passed through if not. This technique al-
complex security functions traditionally reserved for general- lowed the authors to create the first application-layer firewall
purpose processors. (URL filter) implemented entirely in the P4 data plane. Their
For more robust BYOD security, Kang et al. [17] pre- system achieves near line-rate performance while filtering
sented Poise at USENIX Security 2020. Poise leverages thousands of URLs on a commodity programmable switch.
programmable data planes to enforce context-aware se- This approach opens up possibilities for other DPI tasks to
curity policies directly in network switches. It uses P4- be performed directly in P4-programmable switches.
programmable switches to process context signals from client
devices and make access control decisions at line rate, with- E. NETWORK FORENSICS
out involving a remote controller. Poise includes a policy Paolucci et al. [19] propose using P4-programmable switches
language and compiler to generate P4 programs from high- to control latency in service function chains (SFCs) for both
level policies, as well as a novel in-network security primitive intra- and inter-data center deployments. They present two
that can approximate per-flow state efficiently. Compared to P4 pipeline solutions: a stand-alone switch for intra-rack de-
traditional SDN defenses, Poise is more resilient to control ployments and a multi-switch solution using in-band network
plane saturation attacks and provides dramatically increased telemetry (INT) as as explained by Kim et al. [20], for inter-
defense agility, able to change security decisions in under 500 rack/cluster scenarios. The authors implement proactive in-
ns. network functions like priority changes and packet dropping
Securing data in transit is crucial, yet encryption often to guarantee bounded latency for SFC segments. Their evalu-
incurs significant overhead. Hauser et al. [13] showed that ation using BMv2 software switches demonstrates effective-
P4 switches can offload IPsec encryption. Their P4-IPsec ness in guaranteeing configured end-to-end latency with lim-
sustains 40 Gbps for 1500-byte packets, with latency under ited processing overhead and good scalability. They also an-
10 µs— a 5x throughput gain over software IPsec. alyze applicability to hardware P4 switches like Intel Tofino,
Hauser et al. [18] introduced P4-MACsec, a system for showing sufficient resources to support their mechanisms at
protecting network links between P4-based SDN switches line rate. Paolucci et al. conclude that their approach enables
using the IEEE MACsec standard. P4-MACsec implements effective latency control for SFCs using P4 programmability,
MACsec directly in the P4 data plane, including AES-GCM with potential applications in time-critical services.
encryption and decryption. It features a two-tier control plane
structure with local controllers on P4 targets interacting with F. ANOMALY DETECTION
a central controller. The system includes a novel secure Machine learning-driven anomaly detection is a hot trend,
link discovery mechanism using protected LLDP frames. and P4 switches play a key role. In their 2024 AINA paper,
P4-MACsec automates the deployment of MACsec, creat- Saueressig et al. [21] presented FEVER, a framework for be-
ing secure channels, generating keys, and configuring P4 havioral fingerprinting in P4-based programmable networks.
targets for each detected link. It also handles link changes FEVER uses P4 switches to collect telemetry data and re-
and rekeying for secure, configuration-free operation. The source consumption metrics, which are then analyzed using
authors implemented a prototype on the BMv2 P4 software unsupervised machine learning algorithms. This allows for
target, validated it through experiments, and evaluated its the detection of anomalous traffic patterns and unexpected
performance in terms of TCP thoughput and round-trip time. changes in P4 program behavior without requiring predefined
attack signatures. The authors demonstrated FEVER’s effec-
D. DEEP PACKET INSPECTION (DPI) tiveness in identifying different P4 program behaviors and
Gupta et al. [14] developed a novel approach for Deep traffic overloads in a virtualized testbed environment.
Packet Inspection (DPI) in the data plane using P4 alone. Dias et al. [22] developed an attack framework for P4-
Their system enables inspection of packet payloads, going based SDN networks in 2023. They implemented three data
beyond the usual header-only processing in P4. The approach plane attacks: traffic re-routing, man-in-the-middle (MiTM),
utilizes P4’s packet cloning and recirculation capabilities to and denial-of-service (DoS), exploiting the programmability
VOLUME 4, 2024 3
 Tuncel et al.: P4-ShieldNet: A Holistic, Adaptive Security Architecture Using Programmable Data Planes

of P4 switches. The authors demonstrated that existing static B. SELF-ADAPTING P4 SECURITY

analysis tools like Gauntlet and BF4 failed to detect these The newest frontier is self-adapting security functions in
rogue data plane modifications. To mitigate such attacks, they P4 switches. Machine learning (ML) is increasingly being
explored using P4-INT (In-band Network Telemetry) in a used to enhance the adaptability of security functions in P4
spine-leaf network topology. Their results show P4-INT can switches. Machine learning methods can examine network
detect some attacks like switch-wide DoS and MiTM, but traffic patterns to identify anomalies and forecast potential
struggles with others like single-host DoS. The work also security breaches. This approach allows for the creation
presents a mitigation approach using Grafana for alerting and of adaptive security policies that can be updated in real-
the P4Runtime controller for switch resets, highlighting both time based on the evolving threat landscape [24]. The study
the potential and limitations of P4-INT for network security outlines how ML can be utilized for clustering, classification,
monitoring. and regression tasks to predict and identify security attacks
such as Denial-of-Service (DoS) and User-to-Root (U2R)
G. PERFORMANCE IMPROVEMENTS OF P4-BASED attacks. These predictions can then be fed back into the P4-
CYBERSECURITY SOLUTIONS enabled network to adjust security measures dynamically.
This section presents the performance improvements of P4-
IV. METHODOLOGY
based cybersecurity solutions, in terms of throughput gain
The literature demonstrates the superiority of using P4
and latency reduction.
switches in security. By knowing the strength we started to
Table 1 summarizes the performance improvements.
design a holistic security system architecture with the ability
Across all services, P4-based solutions offer 3-40x higher
to meet the security demands of tomorrow’s networks—not
throughput and 80-99% lower latency according to the lit-
just faster, but fundamentally smarter. Starting from this sec-
erature. This dramatic gain stems from P4’s line-rate packet
tion, we will build our proposed P4-ShieldNet architecture
processing and the elimination of CPU-switch communica-
with details, then conduct simulations to demonstrate the
tion overhead.
value of the proposed architecture.

1) Latency Reduction A. P4-SHIELDNET ARCHITECTURE

By embedding security functions in the data plane, P4 1) Components
switches can significantly reduce latency. Paolucci et al. [19] The components of the proposed architecture are listed be-
reported that their P4-based authentication solution reduced low;
the authentication latency from 15 ms (with RADIUS) to • P4-Enabled Switches: Barefoot Tofino or Intel Flex-
approximately 3 ms, a 5x improvement.. Pipe, offering 3.2 Tbps line-rate processing [30].
• Security Modules: P4 programs for various functions.
2) Throughput Enhancement • State Sync Protocol: Custom P4-based protocol for

P4 switches offer unprecedented packet processing speeds. distributing security state.

Rahouti et al. [10] showed that SynGuard maintained full line • ShieldNet Controller: Analyzes network-wide data,

rate (400 Gbps) on a Tofino switch even under massive SYN and makes reconfiguration decisions.
flood attacks. More impressively, Kang et al. [17] demon- • Auxiliary Hardware: GPUs/FPGAs for complex tasks

strated that Poise’s cryptographic operations, including RSA (regex, ML) [25].
signature verification, did not impact the switch’s 6.4 Tbps
forwarding capacity. 2) Security Modules (P4 Programs)
• P4-GuardDog (IDS):
Extends Vörös’s P4Guard [26] with stateful connection
III. CUTTING-EDGE TRENDS FOR P4
tracking.
A. INTENT-BASED SECURITY WITH P4
Uses Bloom filters for fast pattern matching.
The intent-based networking (IBN) paradigm is transforming • P4-Aegis (DDoS Defense):
security management in programmable networks, as high- Builds on POSEIDON [15] with multistage detection.
lighted by Angi et al. [23]. This approach allows network Stage 1 (All Switches): Heavy-hitter detection via
administrators to express high-level security policies, which Count-Min Sketch.
are then automatically translated and implemented across Stage 2 (Edge Switches): Protocol-specific checks (e.g.,
the network infrastructure. By leveraging programmable data TCP SYN cookies).
planes like P4, IBN can enable more dynamic, context-aware, • P4-Crypton (VPN/Encryption):
and fine-grained security controls directly in the network Combines P4-IPsec [13] and P4-MACsec [18].
fabric. This integration of intent-based policies with pro- Dynamically switches between L2/L3 encryption based
grammable switches promises to enhance network security on traffic.
agility and responsiveness to emerging threats. • P4-Insight (DPI & Analytics):
Extends Gupta’s work [14] with modular regex units.
4 VOLUME 4, 2024
Tuncel et al.: P4-ShieldNet: A Holistic, Adaptive Security Architecture Using Programmable Data Planes

Uses P4’s @atomic blocks for consistent header up- •Intent-Driven Controller: Analyzes network state, dy-
dates. namically deploys, and tunes P4 modules.
• P4-Witness (Forensics): This design distributes security functions across the net-
Enhance Projective Adaptive Resonance Theory work fabric, enabling real-time threat adaptation without
(PART) [15] with secure hashing. sacrificing performance.
Embeds Merkle tree roots in packets for tamper-
evidence. B. P4 SECURITY MODULE WORKFLOW
At the heart of P4-ShieldNet are its security modules. Figure
3) Adaptive Defense Mechanisms 2 shows how each module processes packets:
• Threat-Driven Reconfiguration:
The controller uses ML to classify threats (e.g., DDoS Packet Ingress

type).
P4 Parser
Pushes targeted P4 programs (e.g., SYN flood mitigator)
to affected switches. Update State Match-Action Tables

• Resource-Aware Scaling:
Threat Safe
Monitors switch resources (e.g., SRAM usage). Apply Security Function Security Check Forward Packet

Offloads stateful operations to less-burdened switches. Packet Egress

• Network-Wide State Sharing:
Uses INT headers [20] to propagate local threat indica-
FIGURE 2: P4 Security Module 1 Workflow: Each P4 switch
tors.
dynamically processes packets through parsing, matching,
Switches update their state based on the transiting pack-
and action stages. Security decisions are made at a line rate,
ets.
with state updates feeding back into the pipeline.
• Security Service Chaining:
Dynamically orders security modules (e.g., DPI → VPN
1. Parser: Extracts relevant headers (e.g., TCP flags for
→ IDS).
SYN flood detection). 2. Match-Action: Applies security
Uses VLAN tags to guide packets through the chain.
rules (e.g., rate limiting). 3. Security Check: Fast path for
benign traffic, actions for threats. 4. State Update: Modifies
the local state (e.g., connection counters) for future decisions.
P4-IPsec (VPN)
This pipeline ensures security enforcement at line rate,
ShieldNet
Controller
which is a key P4 advantage.
(Intent-driven)
Co
nfig nfig V. EXPERIMENTAL STUDIES
Co
A. TESTBED SETUP
P4 Switch POSEIDON
P4-GuardDog P4 Switch
During the experimental studies, we used 4x Barefoot
(Edge) (DDoS)
(IDS) (Core)
Tofino switches with (3.2 Tbps) capacity, 2x Dell Pow-
erEdge servers (with Dual Xeon processors, having 256GB
of RAM), 1x NVIDIA Tesla V100 GPU, and 1x Xilinx Alveo
P4-DPI NetSight U250 FPGA as the hardware components.
The software used during the experiments is P4_16 with
Internet Server Farm the PSA architecture module, ONOS SDN controller, Docker
for service orchestration, Scapy & TCPReplay for traffic
FIGURE 1: P4-ShieldNet Architecture: A holistic security generation in addition to what we developed for evaluation.
framework leveraging P4 switches to provide adaptive, in- The Network Topology used in the experiments had 2x
network security services. The Intent-driven controller dy- Edge switches (Internet-facing), 2x Core switches, and Full-
namically configures P4 modules like IDS, DDoS mitigation, mesh 100 Gbps links.
and VPN based on real-time threats.
B. EXPERIMENTS CONDUCTED
Figure 1 illustrates the P4-ShieldNet architecture, a holis- In order to demonstrate the value of the proposed system, we
tic security framework that transforms every switch into an conducted the following experiments.
adaptive security node. Key components of the proposed
architecture include: 1) Baseline Performance
• P4-Enabled Switches: Both edge and core switches run The goal of this experiment is to measure the raw throughput
P4, offering line-rate packet processing. and latency of each module.
• Security Modules: Pre-compiled P4 programs like P4- The Method Used:
GuardDog (IDS) and POSEIDON (DDoS defense). • Use IXIA traffic generator at 100 Gbps.

VOLUME 4, 2024 5
 Tuncel et al.: P4-ShieldNet: A Holistic, Adaptive Security Architecture Using Programmable Data Planes

• Vary packet sizes (64B, 512B, 1500B). • Traffic: Replayed CAIDA anonymized traces,
• Compare P4 switch vs. dedicated appliance. • Attack: Distributed 2 Tbps DDoS (modeled on Mirai),
• P4 Model: Based on Tofino’s published specs,
2) Adaptive DDoS Defense • Metrics measured/monitored during the simulations
The goal of this experiment is to evaluate the adaptability of are:
P4-Aegis. – Network-wide throughput,
The Method Used: – Packet loss rates,
• Launch diverse DDoS (SYN flood, DNS amplification) – State convergence time,
at 500 Gbps. – False positive/negative rates.
• Measure time to detect, classify, and mitigate.
• Compare static vs. adaptive P4 programs. C. PERFORMANCE EVALUATION
To quantify the benefits of P4-ShieldNet, we simulated its
3) Encrypted Traffic Analysis performance against traditional appliances. Figure 3 shows
The goal of this experiment is to test DPI on encrypted flows. the results:
The Method Used:
• Generate HTTPS, SSH, VPN traffic at 50 Gbps.
• Use P4-Crypton for inline decryption.
• Run P4-Insight for post-decryption DPI.
• Evaluate performance hit of integrated encrypt-inspect-
encrypt.

4) Network Forensics at Scale

The goal of this experiment is to assess P4-Witness’s scala-
bility.
The Method Used:
• Simulate 10,000 hosts, each sending 1,000 pps.
• Trigger multi-vector attack (DDoS + lateral movement).
• Use P4-Witness to trace the attack path.
• Measure trace reconstruction time and accuracy.

5) Resource-Aware Adaptation
The goal of this experiment is to test ShieldNet’s load bal-
ancing.
The Method Used:
• Gradually increase IDS and DPI workloads.
• Monitor switch SRAM and ALU usage.
• Observe how tasks shift between switches.
• Measure end-to-end latency stability.

6) Hardware Acceleration
The goal of this experiment is to evaluate hybrid
P4+GPU/FPGA setup.
The Method Used:
• Run full Snort ruleset (>10,000 rules) at 100 Gbps.
• P4 switch: Header parsing, flow tracking.
• GPU: Regex matching. FIGURE 3: Performance Comparison: P4-based security ser-
• FPGA: String matching. vices significantly outperform traditional approaches in both
• Compare to all-software Snort. throughput (top) and latency (bottom, log scale). The gains
are most dramatic in compute-intensive tasks like IDS and
7) Simulation for Large-Scale Validation DPI.
Although our testbed offers real-world performance data, we
also use ns-3 simulations to validate P4-ShieldNet at the ISP Across all services, P4-based solutions dramatically out-
scale. The simulation environment used is as follows: perform traditional ones: - IDS: 40x higher throughput (100
• Topology: CAIDA’s AS-level graph (>50,000 nodes), Gbps vs 2.5 Gbps), 99% lower latency. - DDoS Mitigation:
6 VOLUME 4, 2024
Tuncel et al.: P4-ShieldNet: A Holistic, Adaptive Security Architecture Using Programmable Data Planes

16x throughput gain, 90% latency reduction. - VPN: 5x faster TABLE 2: Simulation Results: Baseline Performance com-
encryption, 80% less delay. parison between P4 based modules and appliances
These gains stem from P4’s line-rate processing and the Modules Appliance Performance P4 Module Performance
elimination of CPU-switch communication overhead.
Throughput 5-20 Gbps 80-100 Gbps
Latency > 100 µs < 10 µs
D. DISTRIBUTED THREAT INTELLIGENCE
P4-ShieldNet’s power also lies in its distributed intelligence.
TABLE 3: Simulation Results: Adaptive DDoS defence com-
Each switch maintains a local security state that is aggregated
parison
for network-wide insights. Figure 4 illustrates this for DDoS
detection: Criteria P4 Module Performance
Detection Time < 100 ms
N Classification Accuracy > 95%
Mitigation Rate 400 Gbps
S 20% S 50% S 70% S 80% P4 Switch: Bening Traffic Loss < 1%
Local DDoS Score:
N Low 20%
Medium 50%
High 30%
S 20% S 20% S 30% S 40%
The following Simulation Logic: is used during simula-
A N tions:
For each second, we generated traffic and determine if it
S 30% S 40% S 60% S 50%
is under attack. We calculated how many packets can be
A processed based on the solution (Traditional or P4-based
solutions). Track total packets, dropped packets, and latency.
Network-wide view: 70% confidence of
DDoS attack
Table 2 highlights the raw performance advantages of P4-
based security modules compared to traditional appliance-
FIGURE 4: Distributed Threat Detection: P4 switches main- based approaches. Across IDS, DDoS mitigation, and VPN
tain local security state (e.g., DDoS scores) in their registers. setups, P4 solutions offer 4-20x higher throughput processing
This distributed knowledge is aggregated to form a network- capabilities. This massive gain stems from the ability to ex-
wide threat assessment without centralization. ecute match-action pipeline functionality directly on switch
ASICs at line rate, eliminating the overhead of forwarding
Each switch tracks DDoS indicators (SYN floods, DNS packets between CPUs and network interfaces. The most
amplification) in its registers. The controller aggregates these dramatic improvement is seen for compute-intensive tasks
local views, revealing a coordinated attack invisible to any like intrusion detection (100 Gbps for P4 vs. 5 Gbps for CPU-
single node. This "swarm intelligence" enables rapid and ac- based Snort). However, even cryptographic operations like
curate threat assessment without centralization bottlenecks. IPsec encryption see a 5x boost with P4 offload.
Perhaps even more compelling are the latency reductions
VI. NUMERICAL RESULTS enabled by P4, shown in the bottom row of Table 2. Tradi-
The simulation is broken down into a series of steps with the tional middleboxes often add hundreds of microseconds to
following Assumptions and Constants: milliseconds of per-packet delay due to queuing and process-
The simulation runs for 1 hour (3600 seconds) with vary- ing overheads. In contrast, P4 data plane logic can execute
ing packet sizes of 64B (min), 512B (avg), 1500B (max). packet transformations and forward decisions in just a few
DDoS attack occurs from 30-35 minutes into the simulation. microseconds. For time-sensitive operations like authentica-
Performance metrics (throughput, latency) are taken from tion (Table 3), inline processing with P4 reduces latency by
our review of the literature. 90% compared to traditional RADIUS servers.
• IDS: Bhamare et al. [11]
The benefits of P4’s adaptive processing extend beyond
• DDoS mitigation: Kang et al. [12]
just raw throughput. Table 3 shows how the P4-Aegis DDoS
• VPN (IPsec): Hauser et al. [13]
defense module can detect, classify, and mitigate attacks up
The traffic generation is performed as follows: to 400 Gbps within 100ms by dynamically reconfiguring its
• Normal traffic: 50k-200k packets/sec pipeline stages. This rapid response is simply not achievable
• Attack traffic: 500k-1.5M packets/sec with static solutions. Moreover, P4’s flexibility enables in-
• Packet sizes randomly chosen novative mitigation techniques like TCP SYN cookies that
Packet Processing: Each service (IDS, DDoS, VPN) has maintain over 99% legitimate traffic throughput even under
different throughput and latency characteristics. P4 switches attack.
have significantly higher throughput and lower latency. The Tables 4 and 5 evaluate more complex multi-stage process-
maximum packets per second (PPS) is calculated based on ing that highlights P4’s versatility. By chaining modules like
throughput and packet size. Processing time is derived from P4-Crypton (encryption/decryption) and P4-Insight (deep
latency metrics. packet inspection), one can implement high-performance
VOLUME 4, 2024 7
 Tuncel et al.: P4-ShieldNet: A Holistic, Adaptive Security Architecture Using Programmable Data Planes

TABLE 4: Simulation Results: Encrypted Traffic Analysis TABLE 8: Simulation Results: Large-Scale Simulation
Criteria P4 Module Performance Criteria Appliance P4 Based
Decryption + DPI rate 40 Gbps Network-wide throughput 0.3 Tbps 1.8 Tbps
Added latency 50 µs Global packet loss 60% < 5%
Detection rate > 90% State convergence < 500 ms
Attack source identification > 90% accuracy
TABLE 5: Simulation Results: Network Forensics Analysis
Criteria P4 Module Performance changer for building resilient, high-performance network se-
Trace reconstruction <1s curity architectures.
Path accuracy > 99.9% In summary, the consistent takeaway across all results is
Storage overhead < 5% packet size
that P4 switches enable transformative performance improve-
ments for a wide range of security services, from simple fire-
TABLE 6: Simulation Results: Resource Aware Adaptation walling to sophisticated machine learning-based anomaly de-
Criteria P4 Module Performance tection. By allowing programmable packet processing logic
to be implemented at line rate within the network fabric it-
Max SRAM usage < 80% per switch
End-to-end latency variation < 10% self, P4 eliminates the fundamental bottlenecks of traditional
Task migration time < 10 ms architectures. This paradigm shift opens up new possibilities
to build the secure, adaptive, and high-performance networks
TABLE 7: Simulation Results: Hardware Acceleration of the future.
Criteria Performance
VII. ORCHESTRATION AND AUTOMATION BENEFITS
P4 + GPU/FPGA < 100 Gbps, < 100 µs VIA P4-SHIELDNET
Software Snort 1 Gbps, > 10 ms
False positives 0.1% A key aspect of P4-ShieldNet’s holistic security approach is
the ability to orchestrate and automate the various security
modules across the network fabric. This is achieved through
secure analytics pipelines. Despite the additional compute a centralized controller that coordinates the deployment, con-
overhead, P4 sustains over 40 Gbps for encrypted traffic figuration, and adaptation of P4-based security functions in
analysis with over 90% detection accuracy. This unlocks response to real-time threats.
new capabilities like inline encrypted malware detection.
Similarly, the P4-Witness forensics engine can reconstruct A. INTENT-BASED SECURITY MANAGEMENT
entire attack paths across 128 switches in under a second with Intent-based networking (IBN) is an emerging paradigm that
99.9% accuracy while adding negligible overhead. enables network operators to specify high-level policies or
The adaptive nature of P4-ShieldNet is demonstrated by "intents" rather than low-level configurations. IBN frame-
the resource-aware scaling in Table 6. As workloads fluctu- works can then automatically translate these intents into
ate, P4 security tasks can be dynamically redistributed across device-specific configurations, including P4 program deploy-
the switch fabric based on resource availability, e.g. shifting ments.
operations from SRAM-constrained switches. This flexible In P4-ShieldNet, the controller acts as the intent translation
scale-out maintains consistent end-to-end performance (< layer, interpreting security policies defined by administrators
10% latency variation) without any single point of bottle- (e.g., "block DDoS attacks over 500 Gbps" or "inspect all
neck. encrypted traffic for malware") and dynamically provisioning
Finally, Tables 7 and 8 showcase the ability of P4 to the appropriate P4 modules across the network. Recent re-
leverage hybrid acceleration. By combining P4 switching search has explored techniques for synthesizing P4 programs
pipelines with GPU/FPGA offload, one can achieve the best directly from high-level intents [23]. These approaches lever-
of both worlds - line-rate 100 Gbps throughput for simple age program synthesis algorithms to automatically generate
tasks like header extraction, coupled with complex regex and low-level P4 code that enforces the desired security policies,
machine learning inference. The distributed P4 architecture reducing the need for manual programming.
makes such computational steering seamless and transparent
to end hosts. Large-scale simulations on internet topologies B. ORCHESTRATION WORKFLOWS
confirm that P4’s holistic approach can sustain 1.8 Tbps The orchestration of P4 security modules follows a closed-
throughput even under a 2 Tbps DDoS attack. loop workflow:
This simulation, grounded in real-world performance data, 1) Monitoring: P4 switches export telemetry (e.g., flow
clearly shows that P4-based security services can handle records, security state) to the controller.
modern threat volumes and velocities much better than tra- 2) Analysis: The controller’s AI models analyze this data
ditional appliances. The ability to process packets at line to detect threats, identify root causes, and forecast
rate with microsecond latencies makes P4 switches a game future scenarios.
8 VOLUME 4, 2024
Tuncel et al.: P4-ShieldNet: A Holistic, Adaptive Security Architecture Using Programmable Data Planes

3) Planning: Based on the analysis, the controller deter- switches, with their stateful registers, enable distributed state
mines the optimal set of P4 modules and configurations management. In POSEIDON [12], each switch maintains its
to deploy. own heavy-hitter table, collectively forming a network-wide
4) Provisioning: The controller translates high-level in- view without centralization. This approach aligns with the
tents into low-level P4 programs and pushes them to principles of software-defined networking (SDN), where the
the relevant switches. control plane establishes security policies, and P4 switches
5) Enforcement: Switches execute the provisioned P4 enforce them locally. Bansal et al. [30] formalized this as
programs, enforcing security policies in the data plane. "Disaggregated Network Security," showing it outperforms
This continuous cycle of monitoring, analysis, planning, monolithic designs in large-scale simulations.
and enforcement enables P4-ShieldNet to maintain an adap-
tive, self-healing security posture across the network fabric. C. HARDWARE ACCELERATION
P4’s performance gains come from its tight hardware integra-
C. CHALLENGES AND FUTURE DIRECTIONS tion. Most studies use Barefoot’s Tofino or Intel’s FlexPipe
While P4-ShieldNet’s orchestration capabilities are promis- chips, which offer line-rate processing at 3.2 Tbps [30].
ing, several challenges remain: However, these platforms have constraints such as —limited
1) Consistency and Safety: Dynamically updating P4 memory, no floating-point units—affecting some security
programs across the network raises consistency and tasks.
safety concerns. Techniques like transactional network Luinaud et al. [25] examines the efficiency of implement-
updates [27] and formal verification [28] are needed to ing the Protocol Independent Switch Architecture (PISA)
ensure safe reconfigurations without disrupting traffic on FPGAs, identifying match tables and packet schedulers
or introducing vulnerabilities. as major performance bottlenecks. Through theoretical and
2) Multi-Tenant Environments: In multi-tenant scenar- experimental analysis, the authors demonstrate that current
ios (e.g., public clouds, 5G slicing), secure resource FPGA architectures limit the performance of certain PISA
isolation and conflict resolution mechanisms are nec- blocks, achieving a maximum practical throughput of about
essary when orchestrating P4 security functions across 800 Gbps per pipeline. To address these limitations, they
shared infrastructure. propose architectural modifications for FPGAs, such as hard-
3) Intent Specification: Developing intuitive languages wired TCAMs and CAMs, while also identifying network
and frameworks for specifying high-level security in- applications well-suited for current FPGA implementations.
tents is an open research area. Approaches from fields
like natural language processing and constraint solving D. CHALLENGES AND OPEN ISSUES
could be leveraged. Despite its promise, P4-based security faces challenges:
4) Closed-Loop Automation: While P4-ShieldNet en- Expressiveness: P4 lacks looping constructs, making com-
ables adaptive security, achieving true autonomic be- plex pattern matching difficult. Extensions like P4C [31] add
havior requires tighter integration of monitoring, anal- loops, but may affect line-rate guarantees.
ysis, and enforcement loops. Emerging technologies State Management: P4 switches have limited memory.
like intent-based networking and self-driving networks Techniques like count-min sketches [32] help, but risk false
could provide valuable insights. positives.
As P4-based security architectures evolve, orchestration Update Safety: Modifying P4 programs on the fly can cause
and automation will play a pivotal role in realizing their inconsistencies. Zhou et al. [27] propose transactional up-
full potential, enabling networks to become self-defending, dates, but overhead remains a concern.
self-healing entities that can dynamically adapt to an ever- Trust: P4 switches become critical infrastructure. A compro-
changing threat landscape. mised switch could cause havoc. Technologies like Intel SGX
[33] for trusted execution are being explored.
VIII. CHALLENGES AND FUTURE DIRECTIONS Standardization: Each vendor’s P4 implementation differs
A. HOLISTIC SECURITY ARCHITECTURE slightly. The P4 Language Consortium is working on a
The surveyed works demonstrate P4’s versatility across var- security-focused profile [34] to ensure interoperability.
ious security domains. This suggests the feasibility of a While P4 switches have shown tremendous potential for
holistic P4-based security architecture. Imagine a network security, significant challenges remain. One major issue is the
where every switch can adapt its behavior, acting as an IDS, limited memory in switch ASICs. As noted by Swamy et al.
DDoS mitigator, or VPN endpoint as needed. This dynamism [35], implementing machine learning models in P4 requires
could dramatically improve the response to threats [29]. careful quantization due to the lack of floating-point units.
Another challenge is the dynamic updating of P4 pro-
B. DISTRIBUTED SECURITY STATE grams. Unlike software, modifying a P4 program often re-
Traditional security models centralize state (e.g., firewall quires recompiling and reloading of the switch pipeline,
rules), creating bottlenecks and single points of failure. P4 causing traffic disruptions [36]. This can be problematic for
VOLUME 4, 2024 9
 Tuncel et al.: P4-ShieldNet: A Holistic, Adaptive Security Architecture Using Programmable Data Planes

security functions that need frequent updates, such as IDS able. With this power, you have a programmable fabric that
signatures. can change into any security requirement right inside the
Future research should focus on: network. There are still some problems related to memory,
1) Hardware-software co-design for P4 security, using having updates and checks, but there’s no doubt about where
GPUs or FPGAs to complement switch limitations we are going.P4 switches are laying the groundwork for
2) Techniques for hot-swapping P4 programs without a new age in cybersecurity characterized by networks that
packet loss are not just fast and flexible, but also secure inherently and
3) Formal verification tools tailored for P4 security func- holistically.
tions P4’s power lies in more than what’s raw about it; it triggers
4) Exploring neuromorphic architectures for more effi- an entirely new trend. Safety itself becomes one of the
cient in-switch machine learning features placed directly within the data packet processing
5) Standardizing P4-based security function interfaces for pipeline (the network), where programmers can modify it
better interoperability on the fly. Consequently, this brings forth a thorough system
design that enables each switch to serve as a security monitor-
IX. CONCLUSION ing and enforcement point, adapting instantly to new threats
In this paper a comprehensive analysis of the use of P4 as they emerge. Nevertheless, the hurdles are expressiveness,
switches in unified security platforms is presented. The pos- state management, and trust. The resolution of these requires
sible security services that can be rendered via P4 switches collaborative endeavors ranging from linguistic to hardware
such as intrusion detection, mitigation of DDoS attacks, en- protection. There are reasons to be positive about the fast rate
cryption of data traffic between routers, deep packet inspec- at which the P4 group is making progress with developments
tion, and network forensics are also discussed in detail. Our like POSEIDON, p4Guard, and Netsight marking milestones.
experiments have shown that there is a remarkable increase This research goes beyond the existing P4-based security
in effectiveness through the use of P4 switches over conven- mechanisms through which it creates an avenue for future
tionally implemented methods in terms of performance. "self-protection" networks. In the context of information
The proposed P4-ShieldNet architecture is a comprehen- assurance, the fact that the switches are built to contain
sive security system that exploits the capabilities of the P4 both hardware acceleration and Intern-Driven adaptations
switches to construct an adaptable defense that can deliver signifies a new beginning; rather than being an afterthought,
superior performance. In the suggested approach, the focus is they will be systems whose very fabric incorporates security.
on the incorporation of various types of security processes in To sum up, P4 switches aren’t just speeding up network
P4 programs, disseminating the state throughout the network defense they redefine it. As it gains maturity, this technology
and adaptively modifying defense mechanisms. The archi- will help bring about networks that are inherently secure, i.e.,
tecture comprises of five primary security modules based security is part of network architecture itself.
on P4: Crypton (VPN/Encryption), Aegis (DDoS Defense),
GuardDog (IDS), Insight (DPI), and Witness (Forensics). REFERENCES
These modules are designed to work in orchestration, [1] A. Akhunzada, A. Gani, N. B. Anuar, A. Abdelaziz, M. K. Khan, A. Hayat,
guided by a central Intent-driven controller that adapts the and S. U. Khan, “Securing software defined networks: Taxonomy, require-
ments, and open issues,” IEEE Communications Magazine, vol. 53, no. 4,
network’s security posture in real-time. pp. 36–44, 2015.
Performance assessments demonstrate that P4-based [2] J. Sherry, S. Hasan, C. Scott, A. Krishnamurthy, S. Ratnasamy, and
safety measures provide ground-breaking enhancements re- V. Sekar, “Making middleboxes someone else’s problem: network pro-
cessing as a cloud service,” in Proceedings of the ACM SIGCOMM 2012
sulting in alteration: from milliseconds to microseconds, conference on Applications, technologies, architectures, and protocols for
latencies go down; there arise throughputs as high as terabits; computer communication, 2012, pp. 13–24.
despite the fact that all these changes do now happen the [3] P. Bosshart, D. Daly, G. Gibb, M. Izzard, N. McKeown, J. Rexford,
C. Schlesinger, D. Talayco, A. Vahdat, G. Varghese et al., “P4: Pro-
resources consumption is not excessive remarkable. Contrary gramming protocol-independent packet processors,” ACM SIGCOMM
to most views, it should be understood that the changes being Computer Communication Review, vol. 44, no. 3, pp. 87–95, 2014.
made are not incremental; what they do is change how secure [4] R. Bifulco and G. Rétvári, “A survey on the programmable data plane:
Abstractions, architectures, and open problems,” in 2018 IEEE 19th
networks can be built entirely. International Conference on High Performance Switching and Routing
The quick growth of emerging trends like intent-driven (HPSR). IEEE, 2018, pp. 1–7.
security and self-adapting defenses clearly indicates how [5] K. Oztoprak, Y. K. Tuncel, and I. Butun, “Technological transformation
of telco operators towards seamless iot edge-cloud continuum,” Sensors,
fast the industry is changing. It demonstrates that we are vol. 23, no. 2, p. 1004, 2023.
heading towards a time when our networks’ safety cannot [6] I. Butun, Y. K. Tuncel, and K. Oztoprak, “Application layer packet pro-
be achieved through adding external features; instead, they cessing using pisa switches,” Sensors, vol. 21, no. 23, p. 8010, 2021.
[7] B. Networks, “Tofino: World’s fastest p4-programmable ethernet switch
must be built-in qualities that can easily be reprogrammed asics,” 2017, available at: https://barefootnetworks.com/products/brief-
anytime required. The formidable abilities of P4 switches tofino/.
have brought us closer to attaining this goal. [8] K. Tavares and T. C. Ferreto, “P4-onids: A p4-based nids optimized for
constrained programmable data planes in sdn,” Anais do XXXIX Simpósio
We can see from what is coming that P4 switches will Brasileiro de Redes de Computadores e Sistemas Distribuídos, 2021,
be more than just promising but rather should be irreplace- Brasil., 2021.

10 VOLUME 4, 2024
Tuncel et al.: P4-ShieldNet: A Holistic, Adaptive Security Architecture Using Programmable Data Planes

[9] D. Ding, M. Savi, and D. Siracusa, “Tracking normalized network traffic [30] D. Bansal, G. DeGrace, R. Tewari, M. Zygmunt, J. Grantham, S. Gai,
entropy to detect ddos attacks in p4,” vol. 19, no. 6, 2022, pp. 4019–4031. M. Baldi, K. Doddapaneni, A. Selvarajan, A. Arumugam et al., “Disag-
[10] M. Rahouti, K. Xiong, N. Ghani, and F. Shaikh, “Synguard: Dynamic gregating stateful network functions,” in 20th USENIX Symposium on
threshold-based syn flood attack detection and mitigation in software- Networked Systems Design and Implementation (NSDI 23), 2023, pp.
defined networks,” IET Networks, vol. 10, no. 2, pp. 76–87, 2021. 1469–1487.
[Online]. Available: https://ietresearch.onlinelibrary.wiley.com/doi/abs/ [31] P. Vörös, D. Horpácsi, R. Kitlei, D. Leskó, M. Tejfel, and S. Laki, “T4p4s:
10.1049/ntw2.12009 A target-independent compiler for protocol-independent packet proces-
[11] D. Bhamare, R. Jain, M. Samaka et al., “Efficient network security with sors,” in 2018 IEEE 19th International Conference on High Performance
programmable data planes,” in ACM SIGCOMM Symposium on SDN Switching and Routing (HPSR). IEEE, 2018, pp. 1–8.
Research (SOSR), 2019. [32] G. Cormode and S. Muthukrishnan, “An improved data stream summary:
[12] M. Zhang, G. Li, S. Wang, C. Liu, A. Chen, H. Hu, G. Gu, Q. Li, the count-min sketch and its applications,” Journal of Algorithms, vol. 55,
M. Xu, and J. Wu, “Poseidon: Mitigating volumetric ddos attacks with no. 1, pp. 58–75, 2005.
programmable switches,” in the 27th Network and Distributed System [33] F. McKeen, I. Alexandrovich, I. Anati, D. Caspi, S. Johnson, R. Leslie-
Security Symposium (NDSS 2020), 2020. Hurd, and C. Rozas, “Intel sgx: New instructions for trusted computing,”
[13] F. Hauser, K. Herbst, M. Peyravi, M. Pirker, A. Kapravelos, and H. D. 2013.
Meer, “P4-ipsec: Site-to-site and host-to-site vpn fast offloading in sdn,” in [34] P. L. Consortium, “P4 security profile,” 2023, draft.
IEEE Conference on Network and Service Management (CNSM). IEEE, [35] T. Swamy, A. Rucker, M. Shahbaz, I. Gaur, and K. Olukotun, “Taurus:
2020, pp. 1–9. a data plane architecture for per-packet ml,” in Proceedings of the 27th
[14] S. Gupta, D. Gosain, M. Kwon, and H. B. Acharya, “Deep4r: Deep packet ACM International Conference on Architectural Support for Programming
inspection in p4 using packet recirculation,” in IEEE INFOCOM 2023- Languages and Operating Systems, 2022, pp. 1099–1114.
IEEE Conference on Computer Communications. IEEE, 2023, pp. 1–10. [36] X. Jin, X. Li, H. Zhang, R. Soulé, J. Lee, N. Foster, C. Kim, and I. Stoica,
[15] K. Friday, E. Bou-Harb, J. Crichigno, M. Scanlon, and N. Beebe, “Offload- “Netcache: Balancing key-value stores with fast in-network caching,” in
ing network forensic analytics to programmable data plane switches,” in Proceedings of the 26th Symposium on Operating Systems Principles,
Innovations in Digital Forensics. World Scientific, 2023, pp. 139–190. 2017, pp. 121–136.
[16] I. Oliveira, E. Neto, R. Immich, R. Fontes, A. Neto, F. Rodriguez, and
C. E. Rothenberg, “Dh-aes-p4: on-premise encryption and in-band key-
exchange in p4 fully programmable data planes,” in 2021 IEEE Confer-
ence on Network Function Virtualization and Software Defined Networks
(NFV-SDN). IEEE, 2021, pp. 148–153.
[17] Q. Kang, L. Xue, A. Morrison, Y. Tang, A. Chen, and X. Luo, “Pro-
grammable {In-Network} security for context-aware {BYOD} policies,”
in 29th USENIX Security Symposium (USENIX Security 20), 2020, pp.
595–612.
[18] F. Hauser, M. Schmidt, M. Häberle, and M. Menth, “P4-macsec: Dynamic
topology monitoring and data layer protection with macsec in p4-based
sdn,” IEEE Access, vol. 8, pp. 58 845–58 858, 2020.
[19] F. Paolucci, D. Scano, P. Castoldi, and E. De Paoli, “Latency control in
service chaining using p4-based data plane programmability,” Computer
Networks, vol. 216, p. 109227, 2022.
[20] C. Kim, A. Sivaraman, N. Katta, A. Bas, A. Dixit, L. J. Wobker et al.,
“In-band network telemetry via programmable dataplanes,” in ACM SIG-
COMM, vol. 15, 2015, pp. 1–2.
[21] M. Saueressig, M. F. Franco, E. J. Scheid, A. Huertas, G. Bovet, B. Stiller,
and L. Z. Granville, “Fever: Intelligent behavioral fingerprinting for
anomaly detection in p4-based programmable networks,” in International
Conference on Advanced Information Networking and Applications.
Springer, 2024, pp. 362–373.
[22] D. M. B. Dias et al., “Attack framework for sdn networks and protocols,”
Master’s thesis, 2023.
[23] A. Angi, A. Sacco, F. Esposito, G. Marchetto, and A. Clemm, “Nail: A
network management architecture for deploying intent into programmable
switches,” IEEE Communications Magazine, 2023.
[24] R. Boutaba, M. A. Salahuddin, N. Limam, S. Ayoubi, N. Shahriar,
F. Estrada-Solano, and O. M. Caicedo, “A comprehensive survey on
machine learning for networking: evolution, applications and research
opportunities,” Journal of Internet Services and Applications, vol. 9, no. 1,
pp. 1–99, 2018.
[25] T. Luinaud, T. Stimpfling, J. S. da Silva, Y. Savaria, and J. P. Langlois,
“Bridging the gap: Fpgas as programmable switches,” in 2020 IEEE 21st
International Conference on High Performance Switching and Routing
(HPSR). IEEE, 2020, pp. 1–7.
[26] B. Vörös and A. Kiss, “P4guard: Designing p4 based firewall,” in IEEE
International Conference on Cloud Computing Technology and Science
(CloudCom). IEEE, 2018, pp. 1–8.
[27] Z. Zhou, M. He, W. Kellerer, A. Blenk, and K.-T. Foerster, “P4update: fast
and locally verifiable consistent network updates in the p4 data plane,” in
Proceedings of the 17th International Conference on emerging Networking
EXperiments and Technologies, 2021, pp. 175–190.
[28] R. Stoenescu, M. Popovici, L. Negreanu, and C. Raiciu, “Debugging p4
programs with vera,” in ACM SIGCOMM, 2018.
[29] K. Öztoprak and Y. K. Tuncel, “Holistic security approach in cybersecurity
services for datacenters and telecommunication operators,” in 2023 IEEE
International Performance, Computing, and Communications Conference
(IPCCC). IEEE, 2023, pp. 470–474.

VOLUME 4, 2024 11
 Tuncel et al.: P4-ShieldNet: A Holistic, Adaptive Security Architecture Using Programmable Data Planes

BIOGRAPHIES ISMAIL BUTUN (Member, IEEE) received the

B.Sc. and M.Sc. degrees in electrical and electron-
ics engineering from Hacettepe University, and the
M.Sc. and Ph.D. degrees in electrical engineering
from the University of South Florida, in 2009
and 2013, respectively. From 2014 to 2017, he
worked as an Assistant Professor first with the
Department of Mechatronics Engineering, Bursa
Technical University, and then with the Depart-
ment of Computer Engineering, Abdullah Gul
University. From 2016 to 2021, he worked as a postdoctoral fellow for
various universities (University of Delaware, Mid Sweden University, and
Chalmers University of Technology). Since 2021, he has been affiliated with
the School of Electrical Engineering and Computer Science, KTH Royal
( Member, IEEE) Yusuf Kursat Tuncel received Institute of Technology. He has more than 67 publications in peer-reviewed
his B.Sc. from Middle East Technical, 2003, scientific international journals and conference proceedings, along with an
and Master’s Degree in Computer Engineering H-index of 24 and I-index of 39. He is a well-recognized academic reviewer
from Çankaya University, Turkey, 2021, graduat- by IEEE, ACM, and Springer, who served more than 50 various scientific
ing with Cum Laude honors. He began his ca- journals and conferences in the review process of more than 200 articles.
reer managing an internet service startup at age He is an Editor of IEEE Access journal, Sensors (MDPI) journal, Journal
20, later becoming CTO at KronTech and driving of Sensors (Hindawi), and Nature (Springer). His research interests include
innovations in broadband, quality assurance, and but not limited to computer networks, wireless communications, WSNs,
network security solutions. Mr. Tuncel has held C- IoT, cyber-physical systems, cryptography, network security, and intrusion
level positions at Alcatel-Lucent, KronTech, and detection.
PTT Technology, contributing to key projects in telecommunications and
cybersecurity. He has co-authored multiple peer-reviewed articles and holds
a patent on the use of blockchain technology in digital postage stamps.
Currently, he is pursuing a Ph.D. with a focus on enhancing security and
efficiency in machine-to-machine (M2M) communication through secure
AI-federated enumeration for clustering-based automated surveillance and
trust mechanisms. He is also a Certified Chief Information Security Officer
(C|CISO) and serves as an academic advisor on cybersecurity projects. Mr.
Tuncel’s research interests include Software-Defined Networks, cybersecu-
rity, and the application of blockchain technology in secure communications.
He is a member of the IEEE and has been a part of several EU-supported
research initiatives.

KASIM OZTOPRAK (Member, IEEE) received

the B.Sc., M.Sc. and Ph.D. degrees in computer
engineering from the Middle East Technical Uni-
versity, in 1996, 2000 and 2008, respectively.
Since 2002, he has served as a faculty member
at various universities and, since 2019, has been
working as an Associate Professor at Konya Food
and Agriculture University. In addition to his aca-
demic work, he has been actively involved in the
telecommunications sector, particularly serving as
the General Manager Advisor responsible for cybersecurity and new tech-
nologies at Türk Telekom from 2017 to 2019. Dr. Oztoprak has been a
member of IEEE and IEICE and served on the Board of Directors of
the Linux Foundation Networks from December 2017 to January 2019.
He has more than 40 publications in peer-reviewed scientific international
journals and conference proceedings, along with an H-index of 10. He
i served more than 50 various scientific journals and conferences in the
review process of more than 100 articles. His research interests include
but not limited to computer networks, telecommunication systems, wireless
communications, WSNs, IoT, artificial intelligence, network security, and
network orchestration and automation.

12 VOLUME 4, 2024