RevealNet: Distributed Traffic Correlation for Attack Attribution on Programmable Networks
Network attackers have increasingly resorted to proxy chains, VPNs, and anonymity networks to conceal their activities. To tackle this issue, past research has explored the applicability of traffic correlation techniques to perform attack attribution, i.e., to identify an attacker's true network location. However, current traffic correlation approaches rely on well-provisioned and centralized systems that ingest flows from multiple network probes to compute correlation scores. Unfortunately, this makes correlation efforts scale poorly for large high-speed networks.In this paper, we propose RevealNet, a decentralized framework for attack attribution that orchestrates a fleet of P4-programmable switches to perform traffic correlation. RevealNet builds on a set of correlation primitives inspired by prior work on computing and comparing flow sketches -- compact summaries of flows' key characteristics -- to enable efficient, distributed, in-network traffic correlation. Our evaluation suggests that RevealNet achieves comparable accuracy to centralized attack attribution systems while significantly reducing both the computational complexity and bandwidth overheads imposed by correlation tasks.
View on arXiv@article{singh2025_2505.00618,
title={ RevealNet: Distributed Traffic Correlation for Attack Attribution on Programmable Networks },
author={ Gurjot Singh and Alim Dhanani and Diogo Barradas },
journal={arXiv preprint arXiv:2505.00618},
year={ 2025 }
}