immUNITY: Detecting and Mitigating Low Volume & Slow Attacks with Programmable Switches and SmartNICs

📅 2026-03-20
🤖 AI Summary
This work addresses the challenge of detecting low-rate, low-volume network attacks, such as port scans, that often evade traditional detection mechanisms due to the sparsity of packets within individual flows. The authors propose a novel architecture leveraging programmable switches (Tofino v1) and SmartNICs (BlueField-3) working in coordination, wherein a lightweight filtering structure in the data plane preferentially forwards benign traffic while directing only suspicious flows to a machine learning classifier and intrusion detection rules co-deployed on the SmartNIC. A custom data-plane protocol enables rapid state synchronization between devices. Experimental evaluation on a real testbed demonstrates that this approach significantly improves real-time detection accuracy for slow, low-volume attacks while drastically reducing the proportion of traffic requiring offline analysis, thereby overcoming the efficiency limitations inherent in conventional “heavy detection” paradigms.

📝 Abstract
Our analysis of recent Internet traces shows that up to 71% of flows contain suspicious behaviors indicative of low-volume network attacks such as port scans. However, distinguishing anomalous traffic in real time is challenging as each attack flow may comprise only a few packets. We extend prior work that tracks heavy hitter flows to also detect low-volume and slow attacks by combining the capabilities of both switches and SmartNICs. We flip the usual design approach by proposing an efficient filter data structure used to quickly route traffic marked as benign towards destination end-systems. We make careful use of limited programmable switch memory and pipeline stages, and complement them with SmartNIC resources to analyze the remaining traffic that may be anomalous. Using machine learning classifiers and intrusion detection rules deployed on the SmartNIC, we identify malicious source IPs, which then undergo more detailed forensics for attack mitigation. Finally, we develop a dataplane-based protocol to rapidly coordinate data structure updates between these devices. We implement immUNITY in a testbed with Tofino v1 switch and Bluefield 3 SmartNIC, demonstrating its high accuracy, while minimizing traffic that's analyzed outside the switch.

Problem

Research questions and friction points this paper is trying to address.

low-volume attacks
slow attacks
anomalous traffic detection
network security
real-time detection

Innovation

Methods, ideas, or system contributions that make the work stand out.

programmable switches
SmartNICs
low-volume attacks
filter data structure
in-network detection