TL;DR
P4Control enforces decentralized information flow control (DIFC) end to end across hosts, pairing programmable switches that check DIFC policy on every packet at line rate with a lightweight eBPF host primitive that tracks flows on the endpoints, so that cross-host attack traffic such as lateral movement between stepping-stone hosts is blocked in real time.
Contribution
It introduces the first in-network decentralized information flow control mechanism enforced at network line rate, enabling real-time cross-host attack prevention.
Findings
Blocks cross-host attack traffic (lateral movement between stepping-stone hosts) in real time rather than after the fact.
Keeps forwarding at network line rate, with the DIFC check performed in the switch data plane and only lightweight eBPF overhead on hosts.
Supports zero trust architectures by confining which inter-host information flows are permitted at all.
Abstract
Modern targeted attacks such as Advanced Persistent Threats use multiple hosts as stepping stones and move laterally across them to gain deeper access to the network. However, existing defenses lack end-to-end information flow visibility across hosts and cannot block cross-host attack traffic in real time. In this paper, we propose P4Control, a network defense system that precisely confines end-to-end information flows in a network and prevents cross-host attacks at line rate. P4Control introduces a novel in-network decentralized information flow control (DIFC) mechanism and is the first work that enforces DIFC at the network level at network line rate. This is achieved through: (1) an in-network primitive based on programmable switches for tracking inter-host information flows and enforcing line-rate DIFC policies; (2) a lightweight eBPF-based primitive deployed on hosts for tracking…
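The abstract describes two cooperating primitives: a host-side agent that tracks information flows and a switch that checks a DIFC policy on every packet. The following is an added toy model of that split, written for this page and not taken from P4Control's code or artifacts. It assumes a Flume-style secrecy-only label lattice (a flow is allowed when the sender's tags are a subset of what the receiver is cleared for), that the label travels in-band as a fixed-width bitmask so the switch check reduces to one AND-with-NOT, that the host agent taints a process label with everything it receives, and a constructed four-host policy (`ext`, `web`, `app`, `db`). The packet format, trust model, and policy are assumptions for illustration only.

```python
"""Toy model of in-network DIFC: host-side taint tracking plus a per-packet
label check in the switch. Added illustration, not P4Control's code."""
from dataclasses import dataclass
from functools import reduce

# Tag -> bit position. A data plane cannot do set algebra on strings, so the
# label is a bitmask and "src_label subset_of dst_policy" becomes one AND-with-NOT.
TAG_BIT = {"internet": 1 << 0, "db_secret": 1 << 1}


def mask(tag_names):
    """Encode a collection of tag names as a label bitmask."""
    return reduce(lambda m, t: m | TAG_BIT[t], tag_names, 0)


def tags(m):
    """Decode a label bitmask back to sorted tag names (for the log)."""
    return sorted(t for t, b in TAG_BIT.items() if m & b)


# Constructed policy (assumption): the most secret label each host may receive.
HOST_POLICY = {
    "ext": mask([]),                        # Internet peer: cleared for nothing tagged
    "web": mask(["internet"]),
    "app": mask(["internet", "db_secret"]),
    "db":  mask(["db_secret"]),
}


@dataclass
class Packet:
    src: str
    dst: str
    label: int   # in-band DIFC label (bitmask) stamped by the sender's host agent


class Switch:
    """Models the switch primitive: a stateless per-packet label check."""

    def __init__(self, policy):
        self.policy = policy
        self.log = []

    def forward(self, pkt):
        # Allowed iff every tag on the packet is inside the destination's clearance.
        allowed = (pkt.label & ~self.policy.get(pkt.dst, 0)) == 0
        self.log.append((pkt.src, pkt.dst, tags(pkt.label),
                         "FORWARD" if allowed else "DROP"))
        return allowed


class HostAgent:
    """Models the host primitive: tracks the label of the sending process,
    stamps it on outgoing packets, and taints it with whatever is received."""

    def __init__(self, name, own_tags):
        self.name = name
        self.label = mask(own_tags)

    def send(self, switch, peers, dst):
        pkt = Packet(self.name, dst, self.label)
        if switch.forward(pkt):
            peers[dst].receive(pkt)

    def receive(self, pkt):
        self.label |= pkt.label   # taint propagates across hosts with the data


def run_scenario():
    """Lateral movement ext -> web -> app -> db, then exfiltration attempts.
    Returns the switch log as (src, dst, tags, decision) tuples."""
    sw = Switch(HOST_POLICY)
    hosts = {
        "ext": HostAgent("ext", ["internet"]),   # data originating from the Internet
        "web": HostAgent("web", []),
        "app": HostAgent("app", []),
        "db":  HostAgent("db", ["db_secret"]),
    }
    hosts["ext"].send(sw, hosts, "web")   # FORWARD: web may handle Internet data
    hosts["web"].send(sw, hosts, "app")   # FORWARD: so may app
    hosts["app"].send(sw, hosts, "db")    # DROP: app now carries "internet", db is not cleared
    hosts["db"].send(sw, hosts, "app")    # FORWARD: app is cleared for db_secret
    hosts["app"].send(sw, hosts, "ext")   # DROP: would exfiltrate db_secret
    hosts["app"].send(sw, hosts, "web")   # DROP: web is not cleared for db_secret
    return sw.log


if __name__ == "__main__":
    for entry in run_scenario():
        print(entry)
```

Two things the toy makes visible. First, the switch never needs the history of a flow: the host agent folds the history into the label, so one bitmask comparison per packet is enough, which is what makes a line-rate check plausible. Second, the same rule that stops the `app -> db` hop after `app` has touched Internet-tainted data would also stop a legitimate tainted request; real DIFC systems resolve this with declassification (ownership of a tag lets a principal remove it), which this model deliberately omits. The in-band label is also trusted here, so in a deployment the stamping component on the host and the integrity of the label between host and switch are part of the TCB.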
