Arpit Gupta, assistant professor in the Computer Science Department at UC Santa Barbara, knows as well as anyone that not all networks are created equal. They range widely, from large, complex, sophisticated systems like those at government agencies or major corporations, which have extensive physical infrastructure and armies of people to support them, to much smaller systems, such as those that provide internet connectivity on Indian reservations or sparsely populated rural areas, where a much smaller and simpler system might be managed by a single person using far less sophisticated, or even repurposed, hardware. 

Network environments also differ in their usage patterns. A university research network experiences traffic surges around paper submission deadlines and regular transfers of massive scientific datasets. Meanwhile, a small business network primarily handles email, web browsing, and voice calls during business hours, while a residential community network sees evening peaks when people stream video content.

Increasingly, machine-learning (ML) models are being used to provide cybersecurity in systems of every size and description. ML models, however, are not a one-size-fits-all solution, and systems designed to protect large, complex operations do not necessarily lend themselves to use in smaller, resource-limited systems. Gupta is aiming to change that, with the support of a five-year, $700,000 National Science Foundation early CAREER award that will enable researchers in his lab to develop ML models that can be adapted to the full range of cybersecurity systems. 

“Joining the COE’s prestigious 'Early CAREER Award club' is an honor that feels both validating and humbling,” Gupta said. “From the moment I arrived at UCSB and learned about the remarkable faculty who had received this recognition, joining that community became both inspirational and aspirational for me. Receiving the award provides a profound sense of personal relief and validation.”

Gupta’s CAREER project, titled Developing Generalizable ML Models for Diverse Learning Problems in Network Operation, is based on the idea that “machine learning can help compensate for infrastructure limitations in smaller networks by serving as a force multiplier for [those] limited resources. Service-provider networks, cloud networks, enterprise networks, and community networks. — each faces learning problems in that they need to understand patterns in complex data to make decisions that keep their networks secure and performant.”

Enterprise networks, such as UCSB's campus network or the ESnet in the U.S. Department of Energy, where Gupta has a joint faculty-scientist appointment, may serve tens of thousands of users in support of critical research and educational activities, yet they often operate with smaller IT teams and more limited infrastructure budgets than major commercial providers do.

Community networks represent an even more resource-constrained case, Gupta explains: “These networks, which typically operate with minimal technical staff, provide internet access to hundreds or a few thousand users in underserved areas where traditional internet service providers (ISPs) don't find it profitable to build infrastructure. This is where ML systems can offer value as ‘resource multipliers,’ allowing limited staff to address problems proactively.”

Gupta says that existing ML models tend to fail when deployed outside of controlled lab environments, because “They learn patterns that do not generalize well to real-world settings.” He gives the example of an ML system, which, trained using data collected during regular workday hours (9-5) to detect cyber attacks on a network, learns that traffic at 3 AM is highly suspicious and flags it as an attack. “When we deploy this same system to an actual university network, it immediately starts generating false alarms,” he says. “Why? Because in a real university environment, researchers often run large data transfers and experiments overnight, when network resources are less congested. What the model learned as a reliable pattern — 'traffic at unusual hours equals attack' — doesn't generalize to this real-world setting.”

The problem, Gupta notes, is that “The model latched onto a 'shortcut' — time of day — rather than learning deeper patterns that distinguish true malicious activity from legitimate traffic. We call this an 'underspecification' issue, where the model finds correlations in training data that don’t represent true causalurt. Other examples include models that work perfectly on one network topology but fail on slightly different ones, or security systems that detect threats in one geographic region but miss them in another because user behaviors differ slightly. Patterns learned in one environment may not transfer to another.”

The challenge is that entities running smaller networks can't afford to collect the massive amounts of varied training data that might help models learn more generalizable patterns, and also cannot dedicate staff to constantly retune models that aren't working correctly. Gupta seeks to create an iterative process that identifies such shortcuts and biases, then systematically improves the training data to help models learn patterns that work across varied environments. “Rather than requiring more data overall, we focus on collecting the right data, which exposes the model's weaknesses and helps it improve,” he says.

If successful in the above scenario, his framework would detect that a model is generating an unusual pattern of alerts primarily during nighttime hours. The system would then use explainable AI techniques to identify which features are driving these decisions — in this case, discovering that 'time of day' is heavily influencing the model's judgments.

In the second phase, Gupta says, “Our pipeline would activate, and the system would automatically design a targeted data-collection strategy, perhaps collecting additional training examples of legitimate nighttime traffic patterns from various university networks to capture the diverse but normal activities that occur outside business hours.” With its refined dataset, the model would retrain and develop more sophisticated detection patterns based on the actual characteristics of attacks versus those of legitimate research activities. False alarms would dramatically decrease, while genuine threats would still be detected.

“What's particularly powerful about our approach is that, if the network environment changes again — say, during semester breaks when traffic patterns shift — the system would detect new failures, identify newly problematic shortcuts, and adapt again through targeted data collection,” Gupta notes. “The system becomes increasingly self-improving, rather than requiring constant human intervention to fix failures.”

Security protocols also vary dramatically among various network environments. While government networks implement stringent security protocols with multiple verification layers, a volunteer-run community network may have more basic security measures in place. “Like late-night data transfers, such variations create significant challenges for an anomaly-detection ML model trained on a well-maintained enterprise network, as the model might interpret the occasional outages common in a community wireless network as threats, generating constant false alarms,” Gupta says.

“My research is aimed at making ML models work across the spectrum of environments, by creating adaptable models that can recognize the underlying patterns that truly matter, regardless of environmental differences. We want to be able to systematically identify when and how these underspecification issues occur, and then address them through targeted improvements to the training data and the model-development process. In practical terms, this means that smaller networks with limited staff and budget will be able to use the same powerful ML tools that are currently only practical for large tech companies having extensive resources. We're trying to democratize access to advanced network management technology.”

Replicating ML models in networking research is challenging due to the difficulty of reproducing the specific data and network conditions considered during model development. Gupta's team is addressing this by lowering the reproducibility threshold for ML-based networking research, enabling other researchers to independently replicate and build upon successful solutions, incorporating them into the broader knowledge base, advancing the entire field. “This CAREER project represents a significant leap forward by connecting separate components developed previously into a comprehensive closed-loop pipeline,” Gupta says. “We're creating an integrated system where each stage informs the others.”

A significant aspect of this research, Gupta notes, is how it connects to his joint appointment as a faculty scientist at Lawrence Berkeley National Laboratory, where he leads efforts to develop ML artifacts for the Energy Science Network (ESnet), which serves all DOE national laboratories: “This provides a direct pathway for translating our research from theoretical concepts to practical implementation in one of the nation's most critical research networks, allowing us to see firsthand how our ML approaches perform in supporting scientific discovery at a national scale.”

The CAREER project, he says, “fundamentally changes how we develop ML for networking, moving from a trial-and-error approach to a principled methodology that progressively eliminates underspecification issues.”