Improvements in software defined networking allow for policy to be informed and modified by data-driven applications that can adjust policy to accommodate fluctuating requirements at line speed. However, there is some concern that over-correction can occur and cause unintended consequences depending on the data received. This is particularly problematic for network security features, such as machine-learning intrusion detection systems. We present Safeguard, a rule-based policy that overlaps a data-driven policy to prevent unintended responses for edge cases in network traffic. We develop a reference implementation of a network traffic classifier that enforces firewall rules for malicious traffic, and show how additional rulesets to allow known-good traffic are essential in utilizing a data-driven network policy.
@article{arxiv.2601.17355,
title = {Safeguard: Security Controls at the Software Defined Network Layer},
author = {Yi Lyu and Shichun Yu and Joe Catudal},
journal= {arXiv preprint arXiv:2601.17355},
year = {2026}
}