immUNITY: Detecting and Mitigating Low Volume & Slow Attacks with Programmable Switches and SmartNICs
Cuidi Wei, Shaoyu Tu, Daiki Hata, Toru Hasegawa, Yuki Koizumi, K. K. Ramakrishnan, Junji Takemasa, and Timothy Wood

TL;DR
immUNITY presents a novel system combining programmable switches and SmartNICs to detect and mitigate low-volume and slow network attacks in real time, improving accuracy and efficiency over prior methods.
Contribution
It introduces an efficient filter data structure and a coordinated dataplane protocol to detect suspicious traffic using limited switch memory and SmartNIC resources, enabling rapid attack mitigation.
Findings
High detection accuracy demonstrated in testbed
Minimized traffic analysis outside the switch
Effective coordination between switch and SmartNIC
Abstract
Our analysis of recent Internet traces shows that up to 71% of flows contain suspicious behaviors indicative of low-volume network attacks such as port scans. However, distinguishing anomalous traffic in real time is challenging as each attack flow may comprise only a few packets. We extend prior work that tracks heavy hitter flows to also detect low-volume and slow attacks by combining the capabilities of both switches and SmartNICs. We flip the usual design approach by proposing an efficient filter data structure used to quickly route traffic marked as benign towards destination end-systems. We make careful use of limited programmable switch memory and pipeline stages, and complement them with SmartNIC resources to analyze the remaining traffic that may be anomalous. Using machine learning classifiers and intrusion detection rules deployed on the SmartNIC, we identify malicious…
Taxonomy
Topics: Network Security and Intrusion Detection · Digital and Cyber Forensics · Internet Traffic Analysis and Secure E-voting
