Enforcing Security Policies in the Application Layer and the Data Plane

Network traffic is now largely encrypted. Yet analysis of side-channel features-packet sizes, timings, and directions-can still reveal patterns about encrypted flows. Recent machine learning (ML) techniques have made such traffic analysis more powerful, and they can be applied both offensively (e.g., inference attacks) and defensively (e.g., intrusion detection). This raises the need for protections that keep pace with ML-enabled capabilities without exacerbating resource overhead and reaction delays. My research explores new opportunities, such as application-agnostic defenses, offered by data-plane programmability (e.g., eBPF/XDP at hosts and P4 in switches) to reshape observable traffic patterns and fast feature extraction for advanced detection mechanisms. My PhD also focuses on designing and prototyping the combination of ML together with programmable data planes to both mitigate traffic analysis and harness it for defense, while clarifying the trade-offs between privacy, performance, and deployability.