RevealNet: Distributed Traffic Correlation for Attack Attribution on Programmable Networks
Gurjot Singh, Alim Dhanani, Diogo Barradas

TL;DR
RevealNet is a decentralized, in-network traffic correlation framework using programmable switches to improve attack attribution scalability without sacrificing accuracy.
Contribution
It introduces a novel distributed traffic correlation method leveraging P4 switches, reducing computational and bandwidth overheads compared to centralized systems.
Findings
Achieves attribution accuracy comparable to a centralized correlator.
Reduces computational overhead by running the correlation primitives in-switch on compact flow sketches instead of on raw flows.
Reduces bandwidth overhead, since switches exchange sketches rather than shipping full flow records to a central system.
Abstract
Network attackers have increasingly resorted to proxy chains, VPNs, and anonymity networks to conceal their activities. To tackle this issue, past research has explored the applicability of traffic correlation techniques to perform attack attribution, i.e., to identify an attacker's true network location. However, current traffic correlation approaches rely on well-provisioned and centralized systems that ingest flows from multiple network probes to compute correlation scores. Unfortunately, this makes correlation efforts scale poorly for large high-speed networks. In this paper, we propose RevealNet, a decentralized framework for attack attribution that orchestrates a fleet of P4-programmable switches to perform traffic correlation. RevealNet builds on a set of correlation primitives inspired by prior work on computing and comparing flow sketches -- compact summaries of flows' key…
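The abstract describes correlation primitives built on flow sketches, i.e. comparing compact per-flow summaries observed at different vantage points to link an attacker's ingress flow to the flow leaving a proxy chain. The block below is an added, constructed illustration of that idea, not RevealNet's code or its P4 pipeline: the sketch is a per-bin packet-count vector (the kind of fixed-size counter array a switch can keep in registers), the score is a Pearson correlation searched over a bounded forwarding delay, and the bin width, window, lag bound, threshold, flow labels and packet timestamps are all assumptions chosen for the example.

```python
"""Added illustration of flow-sketch traffic correlation. This is a constructed
toy, not RevealNet's code or P4 pipeline: bin widths, lag bound, threshold and
the packet traces below are all assumptions chosen for the example."""
import math

BIN_MS = 100        # sketch bin width in ms (assumption)
WINDOW_MS = 3000    # correlation window in ms (assumption)
MAX_LAG_BINS = 5    # largest proxy-chain delay tolerated, in bins (assumption)
THRESHOLD = 0.8     # minimum score to call a match (assumption)


def sketch(timestamps_ms, bin_ms=BIN_MS, window_ms=WINDOW_MS):
    """Per-flow sketch: packet count per fixed time bin.

    A fixed-length vector of small counters is the kind of summary a P4
    switch can maintain in register arrays indexed by flow and bin.
    Packets outside the window are dropped rather than wrapped."""
    n = window_ms // bin_ms
    counts = [0] * n
    for t in timestamps_ms:
        b = int(t // bin_ms)
        if 0 <= b < n:
            counts[b] += 1
    return counts


def pearson(a, b):
    """Pearson correlation of two equal-length count vectors.

    Mean-centred, so a dense constant-rate flow does not look similar to
    every bursty flow the way a raw dot product or cosine score would."""
    n = len(a)
    ma, mb = sum(a) / n, sum(b) / n
    cov = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    va = math.sqrt(sum((x - ma) ** 2 for x in a))
    vb = math.sqrt(sum((y - mb) ** 2 for y in b))
    return cov / (va * vb) if va and vb else 0.0


def correlate(ingress, egress, max_lag=MAX_LAG_BINS):
    """Best Pearson score of an ingress sketch against an egress sketch
    shifted back by 0..max_lag bins: the proxy chain delays the egress
    copy, so egress[i + lag] lines up with ingress[i]. Returns (score, lag)."""
    best_score, best_lag = -1.0, 0
    for lag in range(max_lag + 1):
        shifted = egress[lag:] + [0] * lag
        s = pearson(ingress, shifted)
        if s > best_score:
            best_score, best_lag = s, lag
    return best_score, best_lag


def attribute(ingress, candidates, threshold=THRESHOLD):
    """Pick the egress flow that best matches the ingress flow, or None if
    no candidate clears the threshold. candidates: {flow_id: sketch}."""
    scored = {fid: correlate(ingress, sk) for fid, sk in candidates.items()}
    fid, (score, lag) = max(scored.items(), key=lambda kv: kv[1][0])
    return (fid, score, lag) if score >= threshold else None


def constructed_traces():
    """Constructed packet timestamps in ms, not captured data.

    attacker_in:  the attacker's flow at the ingress probe.
    attacker_out: the same flow leaving the proxy chain at the egress probe,
                  about 250 ms later with a few ms of jitter.
    decoy_out:    an unrelated constant-rate flow also seen at egress."""
    attacker_in = [10, 30, 50, 400, 420, 900, 920, 940, 960, 1500, 2100, 2120, 2700]
    jitter = [3, -2, 5, 0, 4, -3, 2, 1, -1, 6, 0, 2, -4]
    attacker_out = [t + 250 + j for t, j in zip(attacker_in, jitter)]
    decoy_out = [200, 600, 1000, 1400, 1800, 2200, 2600]
    return attacker_in, attacker_out, decoy_out


if __name__ == "__main__":
    a_in, a_out, d_out = constructed_traces()
    egress = {"egress-flow-7": sketch(a_out), "egress-flow-9": sketch(d_out)}
    for fid, sk in egress.items():
        print(fid, correlate(sketch(a_in), sk))
    print("attributed to:", attribute(sketch(a_in), egress))
```

Two points the toy makes visible that a practitioner would check in a real deployment: jitter that straddles a bin boundary lowers the score even at the right lag, so bin width has to be chosen against the expected jitter, and the lag bound must cover the proxy chain's forwarding delay or the true match is never examined at all.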
