RevealNet: Distributed Traffic Correlation for Attack Attribution on Programmable Networks
The emergence of decentralized networks and the expansion of high-speed communication infrastructures necessitate robust methodologies for identifying and attributing cyberattacks. This paper introduces RevealNet, a decentralized framework designed to enhance attack attribution in programmable networks via distributed traffic correlation. By leveraging P4-programmable switches, RevealNet shifts from traditional centralized correlation systems, thereby addressing scalability issues associated with high-bandwidth environments.
Summary of Key Contributions
RevealNet proposes a paradigm wherein a fleet of P4 switches acts as both probes and correlators, significantly reducing the dependency on centralized computational nodes. The paper highlights several core components and methodologies within RevealNet, including:
Decentralized Correlation Architecture: P4 switches are utilized to locally process and analyze network flow characteristics, obviating the need for centralized correlation nodes. This decentralized approach facilitates efficient data processing directly within the network, reducing latency and resource consumption.
Implementation of Efficient Flow Sketches: Drawing from established methodologies in traffic correlation literature, RevealNet employs flow sketches as compact representations of flow features. This enables accurate correlation while drastically reducing the memory footprint. Flow sketches, pioneered by works such as Coskun et al. (2009) and Nasr et al. (2017), are validated as effective in maintaining correlation performance even under perturbations such as packet loss.
Correlation Heuristics: The framework incorporates heuristics based on creation time and packet count to refine correlation processes. These heuristics reduce the computational complexity of correlation tasks, thereby enhancing performance without significantly compromising accuracy.
Evaluation and Findings
The paper presents an evaluation of RevealNet across multiple datasets that simulate diverse network conditions and attack scenarios. The results showcase:
High Correlation Accuracy: RevealNet achieves comparable accuracy to traditional centralized systems, with flow sketches maintaining a robust true positive rate even under perturbed conditions. The decentralized setup inherently distributes the computational load, fostering efficient large-scale deployment.
Improved Scalability: RevealNet substantially reduces the communication overhead typically associated with centralized systems. The distributed design cuts bandwidth usage by up to 96%, according to evaluations, making it viable for deployment in high-speed networks with extensive data flow.
Enhanced Efficiency: The introduction of heuristics effectively reduces the computational load by filtering irrelevant flows, achieving a marked reduction in feature vector comparisons, as noted in Table 4. This is crucial for maintaining throughput in environments characterized by rapid traffic expansion.
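To make the sketch-plus-heuristics idea concrete, here is an added illustration in Python (not RevealNet's code or its P4 pipeline): each flow is reduced to a compact sketch of creation time, packet count and a binned arrival histogram, and the creation-time and packet-count heuristics discard ingress/egress pairs before any feature-vector comparison runs. The bin width, time window, count tolerance, cosine similarity and the sample flows are assumptions constructed for this demo, not values from the paper.

```python
from math import sqrt

BIN_MS, N_BINS = 100, 8   # assumed sketch bin width (ms) and length
T_WINDOW_MS = 500         # assumed creation-time heuristic window (ms)
COUNT_TOL = 0.3           # assumed packet-count tolerance (fraction)

def sketch(pkt_times_ms):
    """Compact sketch (creation time, packet count, binned arrival histogram).
    Binning relative arrival times into a short histogram is our assumption."""
    start, bins = pkt_times_ms[0], [0] * N_BINS
    for t in pkt_times_ms:
        idx = (t - start) // BIN_MS
        if idx < N_BINS:
            bins[idx] += 1
    return start, len(pkt_times_ms), bins

def cosine(a, b):
    dot = sum(x * y for x, y in zip(a, b))
    na, nb = sqrt(sum(x * x for x in a)), sqrt(sum(y * y for y in b))
    return dot / (na * nb) if na and nb else 0.0

def candidate(s_in, s_out):
    """Heuristic pre-filter: the egress flow must be created within the window
    after the ingress flow and carry a similar packet count; otherwise skip."""
    (t_in, n_in, _), (t_out, n_out, _) = s_in, s_out
    in_window = 0 <= t_out - t_in <= T_WINDOW_MS
    return in_window and abs(n_in - n_out) <= COUNT_TOL * max(n_in, n_out)

def correlate(ingress, egress, threshold=0.9):
    """ingress/egress: dicts flow_id -> packet arrival times (ms).
    Returns (matched pairs, comparisons done, comparisons without heuristics)."""
    s_in = {fid: sketch(t) for fid, t in ingress.items()}
    s_out = {fid: sketch(t) for fid, t in egress.items()}
    matches, compared = [], 0
    for a, sa in s_in.items():
        for b, sb in s_out.items():
            if not candidate(sa, sb):
                continue            # pruned: no feature-vector comparison needed
            compared += 1
            if cosine(sa[2], sb[2]) >= threshold:
                matches.append((a, b))
    return matches, compared, len(s_in) * len(s_out)

def demo():
    # Constructed flows: A_out is A relayed 200 ms later with one packet lost,
    # B_out is B relayed 250 ms later, C is an unrelated flow seen much later.
    ingress = {"A": [0, 120, 130, 350, 600, 610], "B": list(range(50, 150, 10))}
    egress = {"A_out": [200, 320, 330, 550, 800],
              "B_out": list(range(300, 400, 10)), "C": [5000, 5100]}
    return correlate(ingress, egress)   # ([('A','A_out'),('B','B_out')], 2, 6)
```

The two relayed flows are still matched despite the dropped packet, while the heuristics cut the six possible sketch comparisons down to two; on a real switch the sketches, not the packet lists, are what would be exchanged and compared.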
Implications and Future Directions
The deployment of RevealNet in programmable networks presents several practical and theoretical implications. Practically, it enables efficient network management and security operations within ISP and large enterprise networks, facilitating swift response to cyber threats without overloading infrastructure resources. Theoretically, it contributes to the discourse on distributed network security operations, demonstrating the feasibility of incorporating sophisticated traffic analysis directly into network elements.
Future research could extend RevealNet to support more advanced attack attribution algorithms, potentially integrating learning-based methods for dynamic adaptation to evolving network threats. Additionally, exploring interoperability with emerging network technologies such as 5G could further enhance its applicability.
Overall, RevealNet positions itself as an effective and scalable solution in the domain of network traffic analysis and cyberattack attribution, addressing key challenges inherent to the rapidly evolving landscape of modern communication networks.