To address the rapidly expanding attack surface in 6G networks—caused by massive heterogeneous devices—and the scalability limitations of conventional perimeter-based intrusion detection systems (IDS), this paper proposes an embedded, distributed, machine learning (ML)-driven in-network intrusion defense paradigm. The core method deploys lightweight ML-based anomaly detection models directly onto P4-programmable data plane devices, leveraging in-network computing and a distributed collaborative detection protocol to enable fully decentralized, real-time intrusion detection and response. Its key innovation lies in being the first to embed ML-driven IDS capabilities into the data plane—eliminating centralized architectures entirely. Empirical evaluation demonstrates high detection accuracy, significantly lower CPU and memory overhead compared to centralized IDS solutions, and strong resource efficiency and adaptability. This approach provides a viable technical pathway toward 6G-native security.

The problem of attacks on new generation network infrastructures is becoming increasingly relevant, given the widening of the attack surface of these networks resulting from the greater number of devices that will access them in the future (sensors, actuators, vehicles, household appliances, etc.). Approaches to the design of intrusion detection systems must evolve and go beyond the traditional concept of perimeter control to build on new paradigms that exploit the typical characteristics of future 5G and 6G networks, such as in-network computing and intelligent programmable data planes. The aim of this research is to propose a disruptive paradigm in which devices in a typical data plane of a future programmable network have anomaly detection capabilities and cooperate in a fully distributed fashion to act as an ML-enabled Intrusion Prevention System ``embedded"into the network. The reported proof-of-concept experiments demonstrate that the proposed paradigm allows working effectively and with a good level of precision while occupying overall less CPU and RAM resources of the devices involved.