Offloading Network Forensic Analytics to Programmable Data Plane Switches

World Scientific Series in Digital Forensics and Cybersecurity (2023)

Abstract
Cyber crimes are now being executed at a frequency never observed before. Network forensics has long been the de facto approach for detecting these events and extracting the relevant network artifacts for investigation. However, the time and data storage that traditional forensic procedures require work against investigators, often resulting in substantial artifact-extraction latency and poor incident response. To mitigate what have become inherent pitfalls for the forensics community, we propose a novel means of transforming network forensics into a procedure that runs at line rate, while the event of interest is taking place, by harnessing programmable switch technology. Among the cyber-crime themes dominating today's headlines are Distributed Denial of Service (DDoS) activity and the misuse of Internet of Things (IoT) devices. To this end, we implement two switch-based use cases that conduct the network forensics relevant to each of these classes of misuse, respectively. In
Keywords
analytics, network