RevealNet: Distributed Traffic Correlation for Attack Attribution on Programmable Networks
- URL: http://arxiv.org/abs/2505.00618v2
- Date: Wed, 08 Oct 2025 11:56:54 GMT
- Title: RevealNet: Distributed Traffic Correlation for Attack Attribution on Programmable Networks
- Authors: Gurjot Singh, Alim Dhanani, Diogo Barradas
- Abstract summary: RevealNet is a decentralized framework for attack attribution. It orchestrates a fleet of P4-programmable switches to perform traffic correlation. Our evaluation suggests that RevealNet achieves comparable accuracy to centralized attack attribution systems.
- Score: 4.101460679701492
- License: http://creativecommons.org/licenses/by/4.0/
- Abstract: Network attackers have increasingly resorted to proxy chains, VPNs, and anonymity networks to conceal their activities. To tackle this issue, past research has explored the applicability of traffic correlation techniques to perform attack attribution, i.e., to identify an attacker's true network location. However, current traffic correlation approaches rely on well-provisioned and centralized systems that ingest flows from multiple network probes to compute correlation scores. Unfortunately, this makes correlation efforts scale poorly for large high-speed networks. In this paper, we propose RevealNet, a decentralized framework for attack attribution that orchestrates a fleet of P4-programmable switches to perform traffic correlation. RevealNet builds on a set of correlation primitives inspired by prior work on computing and comparing flow sketches -- compact summaries of flows' key characteristics -- to enable efficient, distributed, in-network traffic correlation. Our evaluation suggests that RevealNet achieves comparable accuracy to centralized attack attribution systems while significantly reducing both the computational complexity and bandwidth overheads imposed by correlation tasks.
Related papers
- RECTor: Robust and Efficient Correlation Attack on Tor [3.643753954062602]
RECTor is a machine learning-based framework for traffic correlation under realistic conditions. It achieves up to 60% higher true positive rates under high-noise conditions and reduces training and inference time by over 50%. These findings reveal critical vulnerabilities in Tor's anonymity model and highlight the need for model-aware defenses.
arXiv Detail & Related papers (2025-11-29T10:25:38Z)
- Contrastive Learning for Correlating Network Incidents [0.0]
This paper presents a self-supervised learning method for similarity-based correlation of network situations. High precision achieved in experiments on real-world network monitoring data suggests that contrastive learning is a promising approach to network incident correlation.
arXiv Detail & Related papers (2025-09-29T08:29:01Z)
- Distributed Link Sparsification for Scalable Scheduling Using Graph Neural Networks (Journal Version) [50.894272363373126]
In wireless networks characterized by dense connectivity, the significant signaling overhead generated by distributed link scheduling algorithms can exacerbate issues like congestion, energy consumption, and radio footprint expansion. We propose a distributed link sparsification scheme employing graph neural networks (GNNs) to reduce scheduling overhead for delay-tolerant traffic while maintaining network capacity. A GNN module is trained to adjust contention thresholds for individual links based on traffic statistics and network topology, enabling links to withdraw from scheduling contention when they are unlikely to succeed.
arXiv Detail & Related papers (2025-09-05T18:59:14Z)
- Cluster-Aware Attacks on Graph Watermarks [50.19105800063768]
We introduce a cluster-aware threat model in which adversaries apply community-guided modifications to evade detection.
Our results show that cluster-aware attacks can reduce attribution accuracy by up to 80% more than random baselines.
We propose a lightweight embedding enhancement that distributes watermark nodes across graph communities.
arXiv Detail & Related papers (2025-04-24T22:49:28Z)
- MUFFLER: Secure Tor Traffic Obfuscation with Dynamic Connection Shuffling and Splitting [11.967326811104831]
MUFFLER is a connection-level traffic obfuscation system designed to secure Tor egress traffic. It maps real connections to a distinct set of virtual connections between the final Tor nodes and targeted services. It achieves up to 27x lower latency overhead than existing solutions and seamlessly integrates with the current Tor architecture.
arXiv Detail & Related papers (2025-04-10T08:17:17Z)
- Early-MFC: Enhanced Flow Correlation Attacks on Tor via Multi-view Triplet Networks with Early Network Traffic [1.7244120238071496]
We propose a flow correlation attack with early network traffic, named Early-MFC, based on multi-view triplet networks. The proposed approach extracts multi-view traffic features from the payload at the transport layer and the Inter-Packet Delay. It then integrates multi-view flow information, converting the extracted features into shared embeddings.
arXiv Detail & Related papers (2025-03-21T04:36:51Z)
- Multi-view Correlation-aware Network Traffic Detection on Flow Hypergraph [5.64836465356865]
We propose a multi-view correlation-aware framework named FlowID for network traffic detection. FlowID captures multi-view traffic features via temporal and interaction awareness, while a hypergraph encoder further explores higher-order relationships between flows. We show that FlowID significantly outperforms existing methods in accuracy, robustness, and generalization across diverse network scenarios.
arXiv Detail & Related papers (2025-01-15T06:17:06Z)
- Enforcing Fundamental Relations via Adversarial Attacks on Input Parameter Correlations [76.2226569692207]
Correlations between input parameters play a crucial role in many scientific classification tasks. We present a new adversarial attack algorithm called Random Distribution Shuffle Attack (RDSA). We demonstrate the RDSA effectiveness on six classification tasks.
arXiv Detail & Related papers (2025-01-09T21:45:09Z)
- NetFlowGen: Leveraging Generative Pre-training for Network Traffic Dynamics [72.95483148058378]
We propose to pre-train a general-purpose machine learning model to capture traffic dynamics with only traffic data from NetFlow records. We address challenges such as unifying network feature representations, learning from large unlabeled traffic data volume, and testing on real downstream tasks in DDoS attack detection.
arXiv Detail & Related papers (2024-12-30T00:47:49Z)
- MIETT: Multi-Instance Encrypted Traffic Transformer for Encrypted Traffic Classification [59.96233305733875]
Classifying traffic is essential for detecting security threats and optimizing network management. We propose a Multi-Instance Encrypted Traffic Transformer (MIETT) to capture both token-level and packet-level relationships. MIETT achieves results across five datasets, demonstrating its effectiveness in classifying encrypted traffic and understanding complex network behaviors.
arXiv Detail & Related papers (2024-12-19T12:52:53Z)
- Progressive Pruning: Analyzing the Impact of Intersection Attacks [1.8434042562191815]
Stream-based communication poses unique challenges for anonymous communication networks (ACNs). Traditionally designed for independent messages, ACNs struggle to account for the inherent vulnerabilities of streams. We introduce progressive pruning, a novel methodology for quantifying the susceptibility to intersection attacks.
arXiv Detail & Related papers (2024-10-11T10:40:51Z)
- Efficient Network Representation for GNN-based Intrusion Detection [2.321323878201932]
The last decades have seen a growth in the number of cyber-attacks with severe economic and privacy damages.
We propose a novel network representation as a graph of flows that aims to provide relevant topological information for the intrusion detection task.
We present a Graph Neural Network (GNN) based framework responsible for exploiting the proposed graph structure.
arXiv Detail & Related papers (2023-09-11T16:10:12Z)
- The Double-Edged Sword of Implicit Bias: Generalization vs. Robustness in ReLU Networks [64.12052498909105]
We study the implications of the implicit bias of gradient flow on generalization and adversarial robustness in ReLU networks.
In two-layer ReLU networks gradient flow is biased towards solutions that generalize well, but are highly vulnerable to adversarial examples.
arXiv Detail & Related papers (2023-03-02T18:14:35Z)
- Correlating sparse sensing for large-scale traffic speed estimation: A Laplacian-enhanced low-rank tensor kriging approach [76.45949280328838]
We propose a Laplacian enhanced low-rank tensor (LETC) framework featuring both low-rankness and multi-temporal correlations for large-scale traffic speed kriging.
We then design an efficient solution algorithm via several effective numeric techniques to scale up the proposed model to network-wide kriging.
arXiv Detail & Related papers (2022-10-21T07:25:57Z)
- A Lightweight, Efficient and Explainable-by-Design Convolutional Neural Network for Internet Traffic Classification [9.365794791156972]
This paper introduces a new Lightweight, Efficient and eXplainable-by-design convolutional neural network (LEXNet) for Internet traffic classification.
LEXNet relies on a new residual block (for lightweight and efficiency purposes) and prototype layer (for explainability).
Based on a commercial-grade dataset, our evaluation shows that LEXNet succeeds in maintaining the same accuracy as the best performing state-of-the-art neural network.
arXiv Detail & Related papers (2022-02-11T10:21:34Z)
- Decomposing neural networks as mappings of correlation functions [57.52754806616669]
We study the mapping between probability distributions implemented by a deep feed-forward network.
We identify essential statistics in the data, as well as different information representations that can be used by neural networks.
arXiv Detail & Related papers (2022-02-10T09:30:31Z)
This list is automatically generated from the titles and abstracts of the papers in this site.