immUNITY: Detecting and Mitigating Low Volume & Slow Attacks with Programmable Switches and SmartNICs

Cuidi Wei, Shaoyu Tu, Daiki Hata, Toru Hasegawa, Yuki Koizumi, K. K. Ramakrishnan, Junji Takemasa, Timothy Wood

Abstract

Our analysis of recent Internet traces shows that up to 71% of flows contain suspicious behaviors indicative of low-volume network attacks such as port scans. However, distinguishing anomalous traffic in real time is challenging, as each attack flow may comprise only a few packets. We extend prior work that tracks heavy-hitter flows to also detect low-volume and slow attacks by combining the capabilities of both switches and SmartNICs. We flip the usual design approach by proposing an efficient filter data structure that quickly routes traffic marked as benign towards destination end-systems. We make careful use of limited programmable switch memory and pipeline stages, and complement them with SmartNIC resources to analyze the remaining traffic that may be anomalous. Using machine learning classifiers and intrusion detection rules deployed on the SmartNIC, we identify malicious source IPs, which then undergo more detailed forensics for attack mitigation. Finally, we develop a dataplane-based protocol to rapidly coordinate data structure updates between these devices. We implement immUNITY in a testbed with a Tofino v1 switch and a Bluefield 3 SmartNIC, demonstrating its high accuracy while minimizing the traffic that is analyzed outside the switch.

Paper Structure

This paper contains 36 sections, 3 equations, 12 figures, 4 tables, and 1 algorithm.

Figures (12)

  • Figure 1: immUNITY comprises: 1) a Malicious Source Table (MST) to redirect known malicious traffic sources to a scrubber for deeper analysis; 2) an Overwriting Flow Filter (OFF) to forward benign traffic without further analysis; 3) a Flow Log to optimize state transfer to the SmartNIC; 4) a Sketch and log for tracking heavy hitters; 5) a SmartNIC table to track flow state; 6) a source table to aggregate across flows; 7) ML classification algorithms to identify benign flows; and 8) intrusion detection rules to identify malicious sources.
  • Figure 2: (a) Cuckoo Filtering requires access to multiple entries within two buckets to do lookups and insertions, which would require many recirculations if implemented on a switch. (b) Our OFF structure places one register array in each pipeline stage; with four stages, these can be structured to maximize depth or number of buckets.
  • Figure 3: immUNITY Pipeline Stages
  • Figure 4: The immUNITY testbed implementation
  • Figure 5: The system model for analyzing immUNITY. The equations highlighted in green represent values in bits/s, while those highlighted in yellow indicate values in packets/s.
  • ...and 7 more figures