Our analysis of recent Internet traces shows that up to 71% of flows contain suspicious behaviors indicative of low-volume network attacks such as port scans. However, distinguishing anomalous traffic in real time is challenging because each attack flow may comprise only a few packets. We extend prior work that tracks heavy-hitter flows to also detect low-volume and slow attacks by combining the capabilities of both switches and SmartNICs. We flip the usual design approach by proposing an efficient filter data structure that quickly routes traffic marked as benign towards its destination end-systems. We make careful use of the limited programmable switch memory and pipeline stages, and complement them with SmartNIC resources to analyze the remaining traffic that may be anomalous. Using machine learning classifiers and intrusion detection rules deployed on the SmartNIC, we identify malicious source IPs, which then undergo more detailed forensics for attack mitigation. Finally, we develop a dataplane-based protocol to rapidly coordinate data structure updates between these devices. We implement immUNITY in a testbed with a Tofino v1 switch and a Bluefield 3 SmartNIC, demonstrating its high accuracy while minimizing the traffic that is analyzed outside the switch.
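A behavioural sketch of the flipped design described in the abstract, added here as an illustration in Python and not code from the immUNITY paper or its P4/SmartNIC implementation: a Bloom filter stands in for the switch-side benign-flow allowlist, a per-source distinct-port counter stands in for the SmartNIC classifier, and a verdict set stands in for the state the dataplane protocol pushes back to the switch. The 3-tuple flow key, the port threshold of 5, and the sample traffic are constructed assumptions.

```python
import hashlib
from collections import defaultdict

class BenignFilter:
    """Bloom filter standing in for the switch-side allowlist: a hit means
    'forward straight to the destination', a miss means 'divert to the SmartNIC'."""
    def __init__(self, m_bits=4096, k=3):
        self.m, self.k, self.bits = m_bits, k, bytearray(m_bits)
    def _idx(self, key):
        d = hashlib.sha256(key.encode()).digest()
        return [int.from_bytes(d[4 * i:4 * i + 4], "big") % self.m for i in range(self.k)]
    def add(self, key):
        for i in self._idx(key):
            self.bits[i] = 1
    def __contains__(self, key):
        return all(self.bits[i] for i in self._idx(key))

def flow_key(p):  # hypothetical 3-tuple flow id (src, dst, dst port)
    return f"{p['src']}>{p['dst']}:{p['dport']}"

class SmartNicDetector:
    """Constructed low-volume port-scan rule: a source that touches more than
    `max_ports` distinct (dst, port) pairs is reported as malicious."""
    def __init__(self, max_ports=5):
        self.max_ports, self.targets, self.malicious = max_ports, defaultdict(set), set()
    def inspect(self, p):
        self.targets[p["src"]].add((p["dst"], p["dport"]))
        if len(self.targets[p["src"]]) > self.max_ports:
            self.malicious.add(p["src"])  # verdict pushed back to the switch

def run_pipeline(packets, allow, nic):
    """Switch logic: verdicts first, then the benign filter, then divert the rest."""
    stats = {"forwarded": 0, "diverted": 0, "forensics": 0}
    for p in packets:
        if p["src"] in nic.malicious:      # switch already holds the NIC verdict
            stats["forensics"] += 1
        elif flow_key(p) in allow:         # benign filter hit: never leaves the switch
            stats["forwarded"] += 1
        else:                              # filter miss: the SmartNIC inspects it
            stats["diverted"] += 1
            nic.inspect(p)
    return stats, sorted(nic.malicious)

def demo():
    # Constructed traffic: three flows the NIC has already cleared (10 packets each),
    # plus one source probing eight ports on a host with a single packet each.
    benign = [{"src": "10.0.0.1", "dst": "10.0.1.10", "dport": 443},
              {"src": "10.0.0.2", "dst": "10.0.1.11", "dport": 22},
              {"src": "10.0.0.3", "dst": "10.0.1.12", "dport": 80}]
    scan = [{"src": "10.0.0.9", "dst": "10.0.1.10", "dport": port} for port in range(20, 28)]
    allow = BenignFilter()
    for p in benign:
        allow.add(flow_key(p))
    return run_pipeline([p for p in benign for _ in range(10)] + scan, allow, SmartNicDetector())
```

Only the six packets needed to cross the threshold leave the switch; the thirty benign packets are forwarded by the filter alone, and the scanner's remaining packets are steered to the forensics path once the verdict is installed.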