Adaptive network-wide superspreader detection using programmable switches
Ali Nadim Alhaj, Wilson Naik Bhukya, Rajendra Prasad Lal
AEU - International Journal of Electronics and Communications, volume 202, Article 156041. Journal article, published 2025-09-18. DOI: 10.1016/j.aeue.2025.156041. Publisher page: https://www.sciencedirect.com/science/article/pii/S1434841125003826
Citations: 0
Abstract
Superspreaders, i.e., hosts exhibiting an abnormal number of distinct connections in large-scale networks, are key indicators of security threats such as worm propagation, spam floods, and scanning attacks. Efficient network-wide superspreader detection requires effective distinct counting under tight memory and performance constraints. Existing sketching techniques in the literature typically allocate fixed memory per flow and often neglect the drastic cardinality imbalance between high- and low-cardinality flows. Most existing methods are restricted to detection at a single vantage point, and so often miss network-wide superspreaders. This paper introduces SpreadTrace, a novel approach leveraging programmable P4 switches for efficient superspreader detection. SpreadTrace combines a Bloom filter with lightweight counters for duplicate filtering, a multi-stage main table with sentinel-based eviction, and a probabilistic promotion mechanism that guarantees the retention of large-cardinality flows while efficiently handling low-cardinality flows. We further extend SpreadTrace with a network-wide detection mechanism based on dynamic thresholding at the controller, enabling coordinated detection across multiple switches in real time. The paper provides a theoretical analysis of the correctness guarantees and explicit error bounds for distinct counting, table utilization, auxiliary collisions, and promotion probability. Experiments on real traffic traces demonstrate that SpreadTrace achieves a precision of more than 95% with less than 250 KB of memory, and reduces the estimation error by a factor of 5–10× compared to state-of-the-art solutions, while operating at line rate on programmable switches.
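The detection pipeline the abstract outlines, as an added Python illustration that is not the authors' P4 implementation: a Bloom filter de-duplicates (source, destination) pairs, a bounded per-source table holds distinct-destination counts, and a controller sums the per-switch tables against a threshold. The eviction rule (evict the smallest counter), the fixed threshold, and the sample traffic are assumptions made for this example; the paper's sentinel eviction, probabilistic promotion, and dynamic thresholding are not reproduced.

```python
import hashlib
from collections import defaultdict

# Constructed illustration of the pipeline the abstract describes (not the paper's code):
# a Bloom filter de-duplicates (src, dst) pairs so repeat connections are not recounted,
# a bounded per-source table holds distinct-destination counts, and a controller sums the
# per-switch tables. Assumed simplifications: evict the smallest counter; fixed threshold.
class BloomFilter:
    def __init__(self, m_bits=1 << 16, k=3):
        self.m, self.k, self.bits = m_bits, k, bytearray(m_bits)

    def _positions(self, key):
        for i in range(self.k):  # k positions from salted SHA-256
            h = hashlib.sha256(f"{i}:{key}".encode()).digest()
            yield int.from_bytes(h[:4], "big") % self.m

    def test_and_set(self, key):
        """True if key was (probably) seen before; record it either way."""
        pos = list(self._positions(key))
        seen = all(self.bits[p] for p in pos)
        for p in pos:
            self.bits[p] = 1
        return seen

class SwitchSketch:
    """One switch: duplicate filter plus a bounded table of distinct-destination counts."""
    def __init__(self, table_size=64):
        self.bf, self.table, self.size = BloomFilter(), {}, table_size

    def observe(self, src, dst):
        if self.bf.test_and_set((src, dst)):
            return  # repeated pair: not a new distinct destination
        if src not in self.table and len(self.table) >= self.size:
            del self.table[min(self.table, key=self.table.get)]  # evict smallest counter
        self.table[src] = self.table.get(src, 0) + 1

def network_wide_superspreaders(switches, threshold):
    """Controller view: sum each source over all switches. Caveat: de-duplication is
    per switch, so a pair seen at two switches counts twice."""
    total = defaultdict(int)
    for sw in switches:
        for src, count in sw.table.items():
            total[src] += count
    return {src: c for src, c in total.items() if c >= threshold}

def demo():
    sw1, sw2 = SwitchSketch(), SwitchSketch()  # constructed sample traffic below
    for d in range(30):  # scanner 10.0.0.9: 60 distinct targets split across switches
        sw1.observe("10.0.0.9", f"192.0.2.{d}")
        sw2.observe("10.0.0.9", f"198.51.100.{d}")
    for _ in range(50):  # 10.0.0.5: 50 packets to one destination, counted once
        sw1.observe("10.0.0.5", "192.0.2.1")
    return network_wide_superspreaders([sw1, sw2], threshold=40)
```

Because de-duplication happens per switch, a host whose traffic to the same destination crosses several switches is over-counted at the controller; that is exactly the gap the paper's coordinated, dynamic thresholding is meant to close.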
Journal description:
AEÜ is an international scientific journal which publishes both original works and invited tutorials. The journal's scope covers all aspects of theory and design of circuits, systems and devices for electronics, signal processing, and communication, including:
signal and system theory, digital signal processing
network theory and circuit design
information theory, communication theory and techniques, modulation, source and channel coding
switching theory and techniques, communication protocols
optical communications
microwave theory and techniques, radar, sonar
antennas, wave propagation
AEÜ publishes full papers and letters with a very short turnaround time but a high-standard review process. Review cycles are typically finished within twelve weeks by application of modern electronic communication facilities.