Conference PaperEnvisioning a Unified Programmable Dataplane to Monitor Slow AttacksWei, Cuidi; Tu, Shaoyu; Hasegawa, Toru; Koizumi, Yuki; Ramakrishnan, K K; Takemasa, Junji; Wood, TimothyRecent work shows that programmable switches can effectively detect attack traffic, such as denial-of-service attacks in the midst of high-volume network traffic. However, these techniques primarily rely on sampling or sketch-based data structures, which can only be used to approximate the characteristics of dominant flows in the network. As a result, such techniques are unable to effectively detect low-volume attacks that stealthily add only a few packets to the network. Our work explores how the combination of programmable switches, Smart network interface cards, and hosts can enable fine-grained analysis of every flow in a network, even those with only a small number of packets. We focus on analyzing packets at the start of each flow, as those packets often can help indicate whether a flow is benign or suspicious. We propose a unified architecture that spans the full programmable dataplane to take advantage of the strengths of each type of device. We are developing new filter data structures to efficiently track flows on the switch, dataplane-based communication protocols to quickly coordinate between devices, and caching approaches on the SmartNIC that help minimize the traffic load reaching the host. Our preliminary prototype can handle the full pipe bandwidth of 1.4 Tbps of traffic entering the Tofino switch, forward only 20 Gbps to the SmartNIC, and minimize the traffic load to 5 Gbps reaching the host due to our efficient flow filter, packet batching, and SmartNIC-based cache.2024 IEEE 32nd International Conference on Network Protocols (ICNP) Workshop2024-10-28106323631 to 6979-8-3503-5171-2https://doi.org/10.1109/ICNP61940.2024.108585352210379; 2210380Charleroi, BelgiumNational Science Foundation