🤖 AI Summary
Network-intrusion detection and prevention systems (IDS/IPS) deployed on programmable data planes face dual constraints of security coverage and device resource load. To address this, we propose the first security-prioritized, load-aware learning-function distribution optimization model, formulating IDS/IPS model placement across switches and other data-plane devices as an integer programming problem. We replace computationally expensive exact solvers with lightweight metaheuristic algorithms—specifically, an enhanced genetic algorithm and simulated annealing—to enable scalable, real-time deployment decisions. Leveraging P4-programmable switches, we implement in-network machine learning inference, achieving a 37% reduction in end-to-end detection latency while maintaining CPU utilization at ≤8%. This work constitutes the first empirical validation that intelligent, programmable data planes can serve as low-overhead, high-responsiveness autonomous first-line defenses. It establishes a novel paradigm for distributed network security architectures grounded in joint security-performance optimization.
📝 Abstract
The rise of programmable data plane (PDP) and in-network computing (INC) paradigms paves the way for the development of network devices (switches, network interface cards, etc.) capable of performing advanced processing tasks. This allows running various types of algorithms, including machine learning, within the network itself to support user and network services. In particular, this paper delves into the deployment of in-network learning models with the aim of implementing fully distributed intrusion detection systems (IDS) or intrusion prevention systems (IPS). Specifically, a model is proposed for the optimal distribution of the IDS/IPS workload among data plane devices with the aim of ensuring complete network security without excessively burdening the normal operations of the devices. Furthermore, a meta-heuristic approach is proposed to reduce the long computation time required by the exact solution provided by the mathematical model, and its performance is evaluated. The analysis conducted and the results obtained demonstrate the enormous potential of the proposed new approach for the creation of intelligent data planes that act effectively and autonomously as the first line of defense against cyber attacks, with minimal additional workload on the network devices involved.
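The abstract describes the placement problem only in words: every monitored flow must pass at least one data-plane device running the IDS model (security coverage as a hard constraint), no device may be pushed beyond its spare resources (load awareness), and the exact integer-programming solution is replaced by a metaheuristic for speed. The following Python example is an added illustration written for this page, not the paper's model, code or data set. It assumes a constructed five-switch topology, constructed per-device spare budgets and model loads, and flows given as device paths; it solves a small instance exactly by enumeration and then with a plain simulated-annealing heuristic (the paper's enhanced genetic algorithm is not reproduced) so the two results can be compared.

```python
"""Toy security-prioritized, load-aware IDS placement on a programmable data plane.

Constructed illustration for this page; it is NOT the paper's formulation.
Assumed model: each device has a spare-resource budget, deploying the in-network
IDS model on a device adds a fixed load, and every monitored flow must traverse
at least one device that runs the model. Objective: minimise total added load.
"""
import itertools
import math
import random

# Constructed sample topology: device -> spare resource units (e.g. pipeline stages, CPU %).
SPARE = {"A": 10, "B": 4, "C": 8, "D": 6, "E": 9}
# Constructed: load the IDS model adds on each device if deployed there (B cannot host it).
COST = {"A": 5, "B": 5, "C": 3, "D": 4, "E": 1}
# Constructed: monitored flows as device paths; each must be inspected at least once.
FLOWS = {
    "f1": ["A", "B", "C"],
    "f2": ["B", "D"],
    "f3": ["C", "D", "E"],
    "f4": ["A", "E"],
    "f5": ["D"],
}


def uncovered_flows(selected, flows):
    """Flows whose path touches no device running the IDS model (security gap)."""
    return [f for f, path in flows.items() if not any(d in selected for d in path)]


def overloaded_devices(selected, spare, cost):
    """Selected devices where the model does not fit in the spare budget."""
    return [d for d in selected if cost[d] > spare[d]]


def is_feasible(selected, spare, cost, flows):
    """Full coverage and no overload: both are hard constraints in this toy model."""
    return not uncovered_flows(selected, flows) and not overloaded_devices(selected, spare, cost)


def total_load(selected, cost):
    return sum(cost[d] for d in selected)


def exact_placement(spare, cost, flows):
    """Exact solver: enumerate all 2^n device subsets and keep the cheapest feasible one.

    This stands in for the integer program; it is only practical for tiny instances.
    """
    devices = sorted(spare)
    best, best_cost = None, math.inf
    for r in range(len(devices) + 1):
        for combo in itertools.combinations(devices, r):
            sel = frozenset(combo)
            if is_feasible(sel, spare, cost, flows):
                c = total_load(sel, cost)
                if c < best_cost:
                    best, best_cost = sel, c
    return best, best_cost


def energy(selected, spare, cost, flows, penalty=20):
    """Annealing objective: added load plus a large penalty per violated hard constraint."""
    return (total_load(selected, cost)
            + penalty * len(uncovered_flows(selected, flows))
            + penalty * len(overloaded_devices(selected, spare, cost)))


def anneal_placement(spare, cost, flows, seed=0, steps=5000, restarts=3, t0=5.0, alpha=0.998):
    """Simulated annealing: start from 'deploy everywhere it fits', flip one device per step.

    Only feasible states are ever reported as the best solution, so the heuristic never
    trades security coverage for lower load.
    """
    rng = random.Random(seed)
    devices = sorted(spare)
    best, best_cost = None, math.inf
    for _ in range(restarts):
        cur = {d for d in devices if cost[d] <= spare[d]}
        cur_e = energy(cur, spare, cost, flows)
        t = t0
        for _ in range(steps):
            if is_feasible(cur, spare, cost, flows) and cur_e < best_cost:
                best, best_cost = frozenset(cur), cur_e
            cand = set(cur)
            cand.symmetric_difference_update({rng.choice(devices)})  # toggle one device
            cand_e = energy(cand, spare, cost, flows)
            if cand_e <= cur_e or rng.random() < math.exp((cur_e - cand_e) / t):
                cur, cur_e = cand, cand_e
            t = max(t * alpha, 1e-3)  # geometric cooling with a floor
    return best, best_cost


if __name__ == "__main__":
    print("exact   :", exact_placement(SPARE, COST, FLOWS))
    print("anneal  :", anneal_placement(SPARE, COST, FLOWS, seed=1))
```

On this instance flow f5 forces device D, B is excluded because the model does not fit its budget, and the cheapest way to also cover f1 and f4 is C plus E rather than A, so both solvers should report the placement {C, D, E} with total added load 8. The enumeration grows as 2^n and is the reason the abstract turns to a metaheuristic; the annealer's cost is linear in the step budget regardless of device count.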