Pallas: A Data-Plane-Only Approach to Accurate Persistent Flow Detection on Programmable Switches in High-Speed Networks

Abstract

In high-speed data center networks, persistent flows are repeatedly observed over extended periods, potentially signaling threats such as stealthy DDoS or botnet attacks. Monitoring every flow in production-grade hardware switches that feature limited memory, however, is challenging under typical high flow rates and data volumes. To tackle this, approximate data structures, like sketches, are often employed. Yet many existing methods rely on per-time-window flag resets, which require frequent control-plane interventions that make them unsuitable for high-speed traffic. This paper introduces PALLAS, a fully data-plane-implementable sketch for detecting persistent flows in high-speed networks with high accuracy, obviating the need for time-window-based resets. We further propose OPT-PALLAS, an enhanced variant of PALLAS that improves detection accuracy by incorporating flow arrival patterns. We present a rigorous error bound analysis for both PALLAS and OPT-PALLAS, along with extensive performance evaluations using a P4-based prototype on an Intel Tofino switch. PALLAS scales persistent flow detection to line-rate capacity, while state-of-the-art solutions fail to operate beyond a few Mbps. Our results show that PALLAS and OPT-PALLAS can accurately detect persistent flows in traffic volumes over 60× higher than those handled by the best existing approach. Additionally, even under low-speed traffic, PALLAS and OPT-PALLAS achieve 4.21% and 7.85% higher lookup accuracy while consuming only 8.5% and 9.7% of switch resources, respectively. Extensive trace-driven results on a CPU platform further validate the high detection accuracy of OPT-PALLAS compared to existing methods.