Decentralized Traffic Correlation Using Programmable Switches

dc.contributor.author: Singh, Gurjot
dc.date.accessioned: 2026-03-19T13:15:31Z
dc.date.available: 2026-03-19T13:15:31Z
dc.date.issued: 2026-03-19
dc.date.submitted: 2026-03-15
dc.description.abstract: Attributing network attacks to their sources is challenging as adversaries employ proxy chains, virtual private networks, and anonymity infrastructures to obscure their origins. Traffic correlation techniques mitigate this challenge by linking flows observed at multiple network vantage points using invariant characteristics such as timing and packet volume. However, existing attack attribution systems largely rely on centralized architectures that aggregate flow features at dedicated correlators, introducing computational and communication overheads that hinder scalability in high-speed networks. This thesis discusses RevealNet, a decentralized framework for attack attribution that leverages P4-programmable switches to perform traffic correlation directly within the network fabric. RevealNet distributes feature extraction and correlation across cooperating networks, reducing dependence on centralized processing and minimizing telemetry offloading. Upon detection of a malicious flow, flow features are disseminated to participating switches, which locally correlate them against outgoing traffic using lightweight similarity metrics. To operate within the constraints of programmable data planes, RevealNet employs compact flow feature representations based on traffic aggregation matrices and sketching techniques designed for integer-only computation. The framework further incorporates heuristic optimizations that exploit temporal alignment and traffic-volume similarity to reduce correlation complexity and limit false positives. Experimental evaluation conducted over a prototype of our framework using multiple real-world attack datasets demonstrates that RevealNet achieves attack attribution accuracy comparable to state-of-the-art centralized systems while significantly improving scalability.
Notably, compact flow feature representations achieve accuracy comparable to complete flow representations, substantially reducing memory requirements without sacrificing attribution performance. Overall, RevealNet's distributed design reduces bandwidth overhead by up to 96% when deployed on a testbed consisting of 20 P4-enabled switches and enables programmable switches to correlate a significantly larger number of flows concurrently, demonstrating that attack attribution can be effectively decentralized within programmable network infrastructures.
dc.identifier.uri: https://hdl.handle.net/10012/22976
dc.language.iso: en
dc.pending: false
dc.publisher: University of Waterloo (en)
dc.subject: Network Security
dc.subject: Traffic Correlation
dc.title: Decentralized Traffic Correlation Using Programmable Switches
dc.type: Master Thesis
uws-etd.degree: Master of Mathematics
uws-etd.degree.department: David R. Cheriton School of Computer Science
uws-etd.degree.discipline: Computer Science
uws-etd.degree.grantor: University of Waterloo (en)
uws-etd.embargo.terms: 0
uws.contributor.advisor: Barradas, Diogo
uws.contributor.affiliation1: Faculty of Mathematics
uws.peerReviewStatus: Unreviewed (en)
uws.published.city: Waterloo (en)
uws.published.country: Canada (en)
uws.published.province: Ontario (en)
uws.scholarLevel: Graduate (en)
uws.typeOfResource: Text (en)

Files

Original bundle

Name: Singh_Gurjot.pdf
Size: 1.03 MB
Format: Adobe Portable Document Format

License bundle

Name: license.txt
Size: 6.4 KB
Format: Item-specific license agreed upon to submission