immUNITY: Detecting and Mitigating Low Volume & Slow Attacks with Programmable Switches and SmartNICs
This addresses network security for internet infrastructure by improving detection of stealthy attacks, though it builds incrementally on prior work for heavy hitter flows.
The paper tackles the problem of detecting low-volume and slow network attacks, which are prevalent but hard to identify in real time, by combining programmable switches and SmartNICs to achieve high accuracy while minimizing external traffic analysis.
Our analysis of recent Internet traces shows that up to 71% of flows contain suspicious behaviors indicative of low-volume network attacks such as port scans. However, distinguishing anomalous traffic in real time is challenging as each attack flow may comprise only a few packets. We extend prior work that tracks heavy hitter flows to also detect low-volume and slow attacks by combining the capabilities of both switches and SmartNICs. We flip the usual design approach by proposing an efficient filter data structure used to quickly route traffic marked as benign towards destination end-systems. We make careful use of limited programmable switch memory and pipeline stages, and complement them with SmartNIC resources to analyze the remaining traffic that may be anomalous. Using machine learning classifiers and intrusion detection rules deployed on the SmartNIC, we identify malicious source IPs, which then undergo more detailed forensics for attack mitigation. Finally, we develop a dataplane based protocol to rapidly coordinate data structure updates between these devices. We implement immUNITY in a testbed with Tofino v1 switch and Bluefield 3 SmartNIC, demonstrating its high accuracy, while minimizing traffic that's analyzed outside the switch.