Inference models for intrusion detection systems in time sensitive networks

US12095782B2 · US · B2

Patent metadata
Field               Value
Publication number  US-12095782-B2
Application number  US-202217706955-A
Country             US
Kind code           B2
Filing date         Mar 29, 2022
Priority date       Mar 29, 2022
Publication date    Sep 17, 2024
Grant date          Sep 17, 2024

How to read this patent

A practical reading order for non-experts. Skip the full description unless you need deep technical detail.

  1. Title

    What the patent document calls the invention.

  2. Abstract

    A short plain-language summary of the technical disclosure.

  3. Assignees and inventors

    Who owns or filed the patent and who is credited as inventor.

  4. Key dates

    Filing, priority, publication, and grant dates set the timeline.

  5. First independent claim

    The legal scope of protection — read this for what is actually claimed.

  6. CPC / IPC classifications

    Technology tags used to group this patent with similar filings.

  7. Citations and related patents

    Prior art links and similar publications in this corpus.

Abstract

Official abstract text for this publication.

Techniques to secure a time sensitive network are described. An apparatus may establish a data stream between a first device and a second device in a network domain, the network domain includes a plurality of switching nodes, receive messages from the first device by the second device in the network domain, the messages to comprise time information to synchronize a first clock for the first device and a second clock for the second device to a network time for the network domain, update a correction field for a received message with a residence time and time delay value by the second device, determine whether the updated message is benign or malicious, update the correction field for the updated message with an inference time when the updated message is benign, and prevent relay of the updated message to other devices in the network domain when the updated message is malicious.

First claim

Opening claim text (preview).

What is claimed is:

1. An apparatus, comprising: a processing circuitry; a memory coupled to the processing circuitry, the memory to store instructions that when executed by the processing circuitry causes the processing circuitry to: establish a data stream between a first device and a second device in a network domain, the network domain comprising a plurality of switching nodes; receive messages from the first device by the second device in the network domain, the messages to comprise time information to synchronize a first clock for the first device and a second clock for the second device to a network time for the network domain; update a correction field for a received message with a residence time and time delay value by the second device; determine whether the updated message is benign or malicious; update the correction field for the updated message with an inference time when the updated message is benign; prevent relay of the updated message to other devices in the network domain when the updated message is malicious; and estimate the inference time from an inference model for an intrusion detection system (IDS), the estimated inference time to comprise an estimated time interval between ingress of the updated message to the IDS and egress of the updated message from the IDS.

2. The apparatus of claim 1, the processing circuitry to establish the data stream in accordance with the Institute of Electrical and Electronics Engineers (IEEE) 802.1AS and/or 802.1Qbv and/or 1588 standards.

3. The apparatus of claim 1, wherein the messages are synchronization messages, follow up messages, peer delay (pdelay) messages, or delay messages for a precision time protocol (PTP).

4. The apparatus of claim 1, wherein the first device operates in a clock leader (CL) role and the second device operates in a clock follower (CF) role.

5. The apparatus of claim 1, the processing circuitry to update a correction field for the received message with the residence time and the delay value by the second device, and send the updated message to an intrusion detection system (IDS) for the second device.

6. The apparatus of claim 1, the processing circuitry to determine whether the updated message is benign or malicious by receiving an indicator from an intrusion detection system (IDS).

7. The apparatus of claim 1, the processing circuitry to estimate the inference time from an inference model for an intrusion detection system (IDS), the inference model to comprise a neural network, regression model, statistical model or machine-learning model.

8. The apparatus of claim 1, the processing circuitry to prevent relay of the updated message to other devices in the network domain when the updated message is malicious by dropping the updated message from a relay queue.

9. The apparatus of claim 1, the processing circuitry to send a notification message to the other devices in the network domain that the updated message from the first device is malicious.

10. The apparatus of claim 1, the processing circuitry to receive an updated inference model to estimate future inference times for the intrusion detection system (IDS) by the second device, the updated inference model to reflect changes to a network topology of devices in the network domain without the first device in response to a security attack.

11. The apparatus of claim 1, comprising a network interface coupled to the processing circuitry, the network interface to send and receive messages for the second device.

12. The apparatus of claim 1, comprising a radio transceiver coupled to the processing circuitry, the radio transceiver to send and receive messages for the second device using radio frequency (RF) signals.

13. A computing-implemented method, comprising: establishing a data stream between a first device and a second device in a network domain, the data stream comprising a plurality of switching nodes; receiving messages from the first device by the second device in the network domain, the messages to comprise time information to synchronize a first clock for the first device and a second clock for the second device to a network time for the network domain; updating a correction field for a received message with a residence time and time delay value by the second device; determining whether the updated message is benign or malicious; updating the correction field for the updated message with an inference time when the updated message is benign; preventing relay of the updated message to other devices in the network domain when the updated message is malicious; and estimate the inference time from an inference model for an intrusion detection system (IDS), the estimated inference time to comprise an estimated time interval between ingress of the updated message to the IDS and egress of the updated message from the IDS.

14. The computing-implemented method of claim 13, comprising establishing the data stream in accordance with the Institute of Electrical and Electronics Engineers (IEEE) 802.1AS and/or 802.1Qbv and/or 1588 standards.

15. The computing-implemented method of claim 13, wherein the messages are synchronization messages, follow up messages, peer delay (pdelay) messages, or delay messages for a precision time protocol (PTP).

16. The computing-implemented method of claim 13, wherein the first device is a relay node in a time sensitive network (TSN).

17. The computing-implemented method of claim 13, wherein the first device operates in a clock leader (CL) role and the second device operates in a clock follower (CF) role.

18. The computing-implemented method of claim 13, comprising determining whether the updated message is benign or malicious by receiving an indicator from an intrusion detection system (IDS).

19. The computing-implemented method of claim 13, comprising estimating the inference time from an inference model for an intrusion detection system (IDS), the inference model to comprise a neural network, regression model, statistical model or machine-learning model.

20. A non-transitory computer-readable storage device, storing instructions that when executed by processing circuitry of a controller of a time sensitive network (TSN), cause the controller to: establish a data stream between a first device and a second device in a network domain, the data stream comprising a plurality of switching nodes; receive messages from the first device by the second device in the network domain, the messages to comprise time information to synchronize a first clock for the first device and a second clock for the second device to a network time for the network domain; update a correction field for a received message with a residence time and time delay value by the second device; determine whether the updated message is benign or malicious; update the correction field for the updated message with an inference time when the updated message is benign; and prevent relay of the updated message to other devices in the network domain when the updated message is malicious; and estimate the inference time from an inference model for an intrusion detection system (IDS), the estimated inference time to comprise an estimated time interval between ingress of the updated message to the IDS and egress of the updated message from the IDS.

21. The computer-readable storage medium of claim 20, the instructions, when executed by the processing circuitry, cause the controller to establish the data stream in accordance with the Institute of Electr
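The relay-node flow that the abstract and claims 1 to 10 describe, worked through on a real PTP header layout. This is an added example, not code from the patent or from Intel: a follower-side relay adds residence time and peer delay to the correctionField of a Sync frame, hands the updated message to an IDS, and either drops it and builds a notification or adds the model's estimate of the IDS ingress-to-egress time and forwards it. The rule-based IDS, the least-squares latency model, the port identities and the timing samples are all assumptions constructed for the example; the patent does not fix any of them.

```python
"""Added example, not the patent's code: a TSN relay applies the correction-field
flow from the abstract and claims to a PTP Sync frame.  The rule-based IDS, the
linear latency model, the port identities and timing samples are assumptions."""
import struct
from dataclasses import dataclass

# IEEE 1588 common header, 34 bytes big-endian: byte0 = transportSpecific<<4 |
# messageType, versionPTP, messageLength, domainNumber, reserved, flagField,
# correctionField (int64, ns * 2^16), reserved, sourcePortIdentity (10 bytes),
# sequenceId, controlField, logMessageInterval.
HEADER_FMT = ">BBHBBHqI10sHBb"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 34
CORR_SCALE = 1 << 16                       # correctionField unit is 2^-16 ns
SYNC, FOLLOW_UP = 0x0, 0x8

@dataclass
class PtpHeader:
    transport_specific: int
    message_type: int
    version: int
    length: int
    domain: int
    flags: int
    correction: int        # raw correctionField (ns * 2^16)
    source_port_id: bytes  # clockIdentity (8) + portNumber (2)
    sequence_id: int
    control: int
    log_interval: int

def parse_header(frame: bytes) -> PtpHeader:
    if len(frame) < HEADER_LEN:
        raise ValueError("short PTP frame")
    b0, b1, ln, dom, _, flags, corr, _, spid, seq, ctrl, logi = \
        struct.unpack(HEADER_FMT, frame[:HEADER_LEN])
    return PtpHeader(b0 >> 4, b0 & 0x0F, b1 & 0x0F, ln, dom, flags, corr,
                     spid, seq, ctrl, logi)

def build_header(h: PtpHeader) -> bytes:
    return struct.pack(HEADER_FMT, (h.transport_specific << 4) | (h.message_type & 0x0F),
                       h.version & 0x0F, h.length, h.domain, 0, h.flags, h.correction,
                       0, h.source_port_id, h.sequence_id, h.control, h.log_interval)

class LatencyModel:
    """Least-squares line predicting IDS ingress-to-egress time (ns) from frame
    length; claim 7 names a regression model as one admissible inference model."""
    def __init__(self, samples):
        n = len(samples)
        mx = sum(x for x, _ in samples) / n
        my = sum(y for _, y in samples) / n
        self.slope = (sum((x - mx) * (y - my) for x, y in samples)
                      / sum((x - mx) ** 2 for x, _ in samples))
        self.intercept = my - self.slope * mx

    def predict_ns(self, frame_len: int) -> float:
        return self.intercept + self.slope * frame_len

class SimpleIds:
    """Stand-in IDS with assumed rules: Sync/Follow_Up must come from a trusted
    clock-leader port, correctionField must be plausible, and sequenceId must
    advance (16-bit wrap-aware).  The patent does not specify the IDS logic."""
    def __init__(self, trusted_leaders, max_correction_ns=1_000_000_000):
        self.trusted = set(trusted_leaders)
        self.max_corr = max_correction_ns * CORR_SCALE
        self.last_seq = {}

    def classify(self, h: PtpHeader):
        if h.message_type in (SYNC, FOLLOW_UP) and h.source_port_id not in self.trusted:
            return False, "sync from untrusted clock leader"
        if abs(h.correction) > self.max_corr:
            return False, "implausible correctionField"
        delta = (h.sequence_id - self.last_seq.get(h.source_port_id, h.sequence_id - 1)) % 0x10000
        if delta == 0 or delta > 0x7FFF:
            return False, "sequenceId replay"
        self.last_seq[h.source_port_id] = h.sequence_id
        return True, "benign"

def relay(frame, residence_ns, pdelay_ns, ids, model):
    """Returns (action, outgoing frame or None, notification or None)."""
    h = parse_header(frame)
    # 1. Transparent-clock update: residence time plus peer path delay.
    h.correction += (residence_ns + pdelay_ns) * CORR_SCALE
    # 2. Classify the updated message; drop and notify if malicious (claims 8, 9).
    benign, reason = ids.classify(h)
    if not benign:
        return "drop", None, {"source": h.source_port_id.hex(),
                              "seq": h.sequence_id, "reason": reason}
    # 3. Add the estimated IDS dwell time so followers do not see it as clock error.
    h.correction += round(model.predict_ns(len(frame))) * CORR_SCALE
    return "relay", build_header(h) + frame[HEADER_LEN:], None

# Constructed inputs: trusted and rogue port identities, and (frame length,
# measured IDS latency in ns) samples used to fit the model.
LEADER = bytes.fromhex("001b19fffe0000010001")
ROGUE = bytes.fromhex("00deadfffe0000010001")
TIMING_SAMPLES = [(44, 1200.0), (54, 1300.0), (64, 1400.0), (84, 1600.0)]

def make_sync(source: bytes, seq: int, correction_ns: int = 0) -> bytes:
    """44-byte two-step Sync: header plus a zeroed originTimestamp."""
    h = PtpHeader(0, SYNC, 2, 44, 0, 0x0200, correction_ns * CORR_SCALE, source, seq, 0, -3)
    return build_header(h) + bytes(10)

if __name__ == "__main__":
    ids, model = SimpleIds([LEADER]), LatencyModel(TIMING_SAMPLES)
    for src in (LEADER, ROGUE):
        action, out, note = relay(make_sync(src, 1), 500, 120, ids, model)
        print(action, parse_header(out).correction / CORR_SCALE if out else note)
```

Two details matter for a deployment. The IDS verdict is taken on the message after the residence and path-delay update, as claim 5 has it, so a detector can reason about the correctionField the downstream follower will actually consume. And the inference-time estimate is only added on the benign path: a dropped message never reaches the relay queue, so there is nothing to compensate, while a benign message that sat in the IDS for an unmodelled interval would shift every follower's clock by that interval.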

Assignees

Intel Corp

Inventors

Inventor names are not shown on this page.
Classifications

  • Passive attacks, e.g. eavesdropping or listening without modification of the traffic monitored · CPC title

  • the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms · CPC title

  • Bidirectional timestamps, e.g. NTP or PTP for compensation of clock drift and for compensation of propagation delays (arrangements for monitoring round trip delays in packet switching networks H04L43/0864) · CPC title

  • using intermediate nodes, e.g. modification of a received timestamp before further transmission to the next packet node, e.g. including internal delay time or residence time into the packet · CPC title

  • Synchronisation information channels, e.g. clock distribution lines · CPC title

Patent family

Related publications grouped by family.

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US12095782B2 cover?
Techniques to secure a time sensitive network are described. An apparatus may establish a data stream between a first device and a second device in a network domain, the network domain includes a plurality of switching nodes, receive messages from the first device by the second device in the network domain, the messages to comprise time information to synchronize a first clock for the first dev…
Who is the assignee on this patent?
Intel Corp
What technology area does this patent fall under?
Primary CPC classification H04L63/1416. Mapped technology areas include Electricity.
When was this patent published?
Publication date Sep 17, 2024 (kind code B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 4 related publications on this page (citations in our corpus or others sharing the same primary CPC).