Patents by Inventor Chen Rozenbaum

Chen Rozenbaum has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20260143002
    Abstract: Apparatuses, systems, and techniques for detecting distributed denial of service (DDoS) attacks are described. A system includes a plurality of switches in a monitored data center, each switch comprising network monitoring logic to sample network packets and generate flow records representing behavior of network traffic. A dataflow collector receives the flow records from the plurality of switches. A streaming pipeline coupled to the dataflow collector processes the flow records. A data store stores the flow records processed by the streaming pipeline. A trainer accesses the flow records in the data store and trains one or more machine learning (ML) models to detect DDoS attacks based on the flow records. At least one of the one or more ML models is deployable to at least one switch of the plurality of switches to determine whether a host device coupled to the at least one switch is subject to a DDoS attack.
    Type: Application
    Filed: January 15, 2026
    Publication date: May 21, 2026
    Inventors: Chen Rozenbaum, Gary Mataev, Ran Sandhaus, Hanan Shteingart
  • Publication number: 20260135879
    Abstract: Apparatuses, systems, and techniques for detecting that a host device is subject to a distributed denial of service (DDoS) attack using a machine learning (ML) detection system are described. A computing system includes a data processing unit (DPU) with a network interface and a hardware-acceleration engine. The DPU hosts a hardware-accelerated security service to extract features from network data and metadata from the hardware-acceleration engine and sends the extracted features to the ML detection system. The ML detection system determines whether the host device is subject to a DDoS attack using the extracted features. The ML detection system can send an enforcement rule to the hardware-acceleration engine responsive to a determination that the host device is subject to the DDoS attack.
    Type: Application
    Filed: January 12, 2026
    Publication date: May 14, 2026
    Inventors: Chen Rozenbaum, Gary Mataev
  • Patent number: 12603851
    Abstract: Technologies for optimizing performance of virtual switches in networking and accelerated computing are described. A virtual switch can identify an addition of a first data path (DP) rule in a flow table. The virtual switch can determine that the first DP rule and a second DP rule in the flow table overlap. The addition of the first DP rule causes the second DP rule to be deleted in the flow table. Before the second DP rule is deleted, the virtual switch can simulate receipt of a simulated packet comprising the specified portion of the network header corresponding to a second DP rule identifier of the second DP rule. The receipt of the simulated packet causes a third DP rule to be added to the flow table. After the third DP rule is added, the virtual switch can delete the second DP rule.
    Type: Grant
    Filed: January 17, 2024
    Date of Patent: April 14, 2026
    Assignee: Mellanox Technologies, Ltd.
    Inventor: Chen Rozenbaum
  • Patent number: 12580954
    Abstract: Apparatuses, systems, and techniques for detecting that a host device is subject to a distributed denial of service (DDOS) attack using a machine learning (ML) detection system are described. A computing system includes a data processing unit (DPU) with a network interface and a hardware-acceleration engine. The DPU hosts a hardware-accelerated security service to extract features from network data and metadata from the hardware acceleration engine and sends the extracted features to the ML detection system. The ML detection system determines whether the host device is subject to a DDOS attack using the extracted features. The ML detection system can send an enforcement rule to the hardware-acceleration engine responsive to a determination that the host device is subject to the DDOS attack.
    Type: Grant
    Filed: September 18, 2023
    Date of Patent: March 17, 2026
    Assignee: Mellanox Technologies, Ltd.
    Inventors: Chen Rozenbaum, Gary Mataev
  • Patent number: 12568112
    Abstract: Apparatuses, systems, and techniques for detecting that a host device is subject to a distributed denial of service (DDOS) attack using a machine learning (ML) detection system are described. A computing system includes a switch with port interfaces, a central processing unit (CPU) that implements a machine learning (ML) detection system, and network monitoring logic. The network monitoring logic can extract features from network data and send the extracted features to the ML detection system. The ML detection system determines whether the host device is subject to a DDOS attack using the extracted features. The ML detection system can send an alert to the host device responsive to a determination that the host device is subject to the DDOS attack.
    Type: Grant
    Filed: September 18, 2023
    Date of Patent: March 3, 2026
    Assignee: Mellanox Technologies, Ltd.
    Inventors: Chen Rozenbaum, Gary Mataev, Ran Sandhaus, Hanan Shteingart
  • Publication number: 20260032082
    Abstract: Technologies for configuring flexible hardware-accelerated rules in a Service Function Chaining (SFC) architecture are described. A DPU includes an acceleration hardware engine to provide a single accelerated data plane. A processing device within the DPU receives configuration data from a controller and uses this data to generate a first virtual bridge and a second virtual bridge. The first virtual bridge is controlled by a first network service hosted on the DPU and has a first set of network rules. The second virtual bridge has a second set of user-defined network rules. The processing device adds a virtual port between the first and second virtual bridges and generates a combined set of rules based on the first and second network rule sets. The acceleration hardware engine processes network traffic data in the single accelerated data plane using the combined set of network rules.
    Type: Application
    Filed: September 29, 2025
    Publication date: January 29, 2026
    Inventor: Chen Rozenbaum
  • Publication number: 20260023848
    Abstract: Apparatuses, systems, and techniques of using one or more circuits (e.g., of a network interface) to obtain assembly code for one or more machine code segments loaded and/or injected into a process, and determine whether the assembly code is likely to perform at least one unauthorized task.
    Type: Application
    Filed: September 30, 2025
    Publication date: January 22, 2026
    Inventors: Nir Rosen, Katya Egert-Berg, Rami Ailabouni, Ohad Peres, Elad Haimovich, Vadim Gechman, Haim Elisha, Adi Peled, Chen Rozenbaum, Ahmad Saleh, Shie Mannor
  • Patent number: 12470480
    Abstract: Technologies for configuring flexible hardware-accelerated rules in a Service Function Chaining (SFC) architecture are described. A DPU includes an acceleration hardware engine to provide a single accelerated data plane, and a processing device that generates a first virtual bridge and a second virtual bridge. The first virtual bridge is controlled by a first network service hosted on the DPU and has a first set of one or more network rules. The second virtual bridge has a second set of one or more user-defined network rules. The processing device generates a combined set of network rules based on the first set of one or more network rules and the second set of one or more user-defined network rules. The acceleration hardware engine processes network traffic data in the single accelerated data plane using the combined set of network rules.
    Type: Grant
    Filed: April 29, 2024
    Date of Patent: November 11, 2025
    Assignee: Mellanox Technologies, Ltd.
    Inventor: Chen Rozenbaum
  • Publication number: 20250337688
    Abstract: Technologies for creating an optimized and accelerated network pipeline using a network pipeline abstraction layer (NPAL) for policy-based routing (PBR) over Service Function Chaining (SFC) are described. A DPU includes an acceleration hardware engine to provide a single accelerated data plane. A processing device can generate a first virtual bridge and a second virtual bridge, the first virtual bridge to be controlled by a first network service hosted on the DPU and having a set of one or more network rules, and the second virtual bridge having a policy-based routing policy (PBR policy). The processing device can add the virtual port between the first virtual bridge and the second virtual bridge. The acceleration hardware engine, in the single accelerated data plane, can route network traffic data using the PBR policy and process the network traffic data using the set of one or more network rules.
    Type: Application
    Filed: October 28, 2024
    Publication date: October 30, 2025
    Inventor: Chen Rozenbaum
  • Publication number: 20250337743
    Abstract: Technologies for creating an optimized and accelerated network pipeline using a network pipeline abstraction layer (NPAL) are described. A DPU includes DPU hardware and memory that stores DPU software with the NPAL that supports multiple network protocols and network functions in a network pipeline. The network pipeline includes a set of tables and logic organized in a specific order to be accelerated by an acceleration hardware engine of the DPU. The acceleration hardware engine processes network traffic data using the network pipeline.
    Type: Application
    Filed: April 29, 2024
    Publication date: October 30, 2025
    Inventor: Chen Rozenbaum
  • Publication number: 20250337679
    Abstract: Technologies for creating an optimized and accelerated network pipeline using a virtual switch and a network pipeline abstraction layer (NPAL) for fast link recovery are described. The virtual switch can monitor a link availability of each of a plurality of links to a destination, the plurality of links being specified in an initial group of identifiers. The virtual switch can detect a link failure of a first link of the plurality of links. The NPAL can remove a first link identifier, associated with the first link, from the initial group of link identifiers to obtain a modified group of link identifiers. The NPAL can cause a routing table in the NPAL to be updated to remove the first link identifier. The acceleration hardware engine can process network traffic data using the network pipeline and distribute the network traffic data to only the remaining links of the plurality of links.
    Type: Application
    Filed: October 28, 2024
    Publication date: October 30, 2025
    Inventor: Chen Rozenbaum
  • Publication number: 20250337684
    Abstract: Technologies for configuring flexible hardware-accelerated rules in a Service Function Chaining (SFC) architecture are described. A DPU includes an acceleration hardware engine to provide a single accelerated data plane, and a processing device that generates a first virtual bridge and a second virtual bridge. The first virtual bridge is controlled by a first network service hosted on the DPU and has a first set of one or more network rules. The second virtual bridge has a second set of one or more user-defined network rules. The processing device generates a combined set of network rules based on the first set of one or more network rules and the second set of one or more user-defined network rules. The acceleration hardware engine processes network traffic data in the single accelerated data plane using the combined set of network rules.
    Type: Application
    Filed: April 29, 2024
    Publication date: October 30, 2025
    Inventor: Chen Rozenbaum
  • Publication number: 20250337613
    Abstract: Technologies for configuring multiple virtual bridges and interface mappings in a Service Function Chaining (SFC) architecture are described. A DPU can include memory to store a configuration file specifying the virtual bridges and interface mappings, and a processing device operatively coupled to the memory. The processing device, according to the configuration file, generates a first virtual bridge and a second virtual bridge. The first virtual bridge is controlled by a first network service hosted on the DPU, and the second virtual bridge is controlled by a user-defined logic. The processing device adds one or more host interfaces to the second virtual bridge, a first service interface to the first virtual bridge to operatively couple to the first network service, and one or more virtual ports between the first virtual bridge and the second virtual bridge.
    Type: Application
    Filed: April 29, 2024
    Publication date: October 30, 2025
    Inventor: Chen Rozenbaum
  • Publication number: 20250337698
    Abstract: Technologies for creating an optimized and accelerated network pipeline using an emulated network pipeline abstraction layer (NPAL) of an emulated data processing unit (DPU), including an emulated processing device and an emulated acceleration hardware engine, are described. The emulated NPAL supports multiple network protocols and network functions in an emulated network pipeline. The emulated network pipeline includes a set of tables and logic organized in a specific order to be accelerated by the emulated acceleration hardware engine. The emulated acceleration hardware engine can process network traffic data using the emulated network pipeline.
    Type: Application
    Filed: October 28, 2024
    Publication date: October 30, 2025
    Inventor: Chen Rozenbaum
  • Publication number: 20250335385
    Abstract: Technologies for creating an optimized and accelerated network pipeline using a network pipeline abstraction layer (NPAL) for split interfaces are described. A DPU includes a physical port configured to couple to a breakout cable that physically couples to a set of a plurality of devices, DPU hardware, and a memory operatively coupled to the DPU hardware. The NPAL supports a plurality of logical split ports, each logical split port corresponding to one of the plurality of devices, wherein the network pipeline comprises a set of tables and logic organized in a specific order to be accelerated by the acceleration hardware engine. The acceleration hardware engine is to process the network traffic data using the network pipeline.
    Type: Application
    Filed: October 28, 2024
    Publication date: October 30, 2025
    Inventor: Chen Rozenbaum
  • Patent number: 12455961
    Abstract: Apparatuses, systems, and techniques of using one or more circuits (e.g., of a network interface) to obtain assembly code for one or more machine code segments loaded and/or injected into a process, and determine whether the assembly code is likely to perform at least one unauthorized task.
    Type: Grant
    Filed: March 13, 2023
    Date of Patent: October 28, 2025
    Assignee: Mellanox Technologies, Ltd.
    Inventors: Nir Rosen, Katya Egert-Berg, Rami Ailabouni, Ohad Peres, Elad Haimovich, Vadim Gechman, Haim Elisha, V, Adi Peled, Chen Rozenbaum, Ahmad Saleh, Shie Mannor
  • Publication number: 20250233834
    Abstract: Technologies for optimizing performance of virtual switches in networking and accelerated computing are described. A virtual switch can identify an addition of a first data path (DP) rule in a flow table. The virtual switch can determine that the first DP rule and a second DP rule in the flow table overlap. The addition of the first DP rule causes the second DP rule to be deleted in the flow table. Before the second DP rule is deleted, the virtual switch can simulate receipt of a simulated packet comprising the specified portion of the network header corresponding to a second DP rule identifier of the second DP rule. The receipt of the simulated packet causes a third DP rule to be added to the flow table. After the third DP rule is added, the virtual switch can delete the second DP rule.
    Type: Application
    Filed: January 17, 2024
    Publication date: July 17, 2025
    Inventor: Chen Rozenbaum
  • Publication number: 20250097260
    Abstract: Apparatuses, systems, and techniques for detecting that a host device is subject to a distributed denial of service (DDOS) attack using a machine learning (ML) detection system are described. A computing system includes a data processing unit (DPU) with a network interface and a hardware acceleration engine. The DPU hosts a hardware-accelerated security service to extract features from network data and metadata from the hardware acceleration engine and sends the extracted features to the ML detection system. The ML detection system determines whether the host device is subject to a DDOS attack using the extracted features. The ML detection system can send an enforcement rule to the hardware acceleration engine responsive to a determination that the host device is subject to the DDOS attack.
    Type: Application
    Filed: September 18, 2023
    Publication date: March 20, 2025
    Inventors: Chen Rozenbaum, Gary Mataev
  • Publication number: 20250097261
    Abstract: Apparatuses, systems, and techniques for detecting that a host device is subject to a distributed denial of service (DDOS) attack using a machine learning (ML) detection system are described. A computing system includes a switch with port interfaces, a central processing unit (CPU) that implements a machine learning (ML) detection system, and network monitoring logic. The network monitoring logic can extract features from network data and send the extracted features to the ML detection system. The ML detection system determines whether the host device is subject to a DDOS attack using the extracted features. The ML detection system can send an alert to the host device responsive to a determination that the host device is subject to the DDOS attack.
    Type: Application
    Filed: September 18, 2023
    Publication date: March 20, 2025
    Inventors: Chen Rozenbaum, Gary Mataev, Ran Sandhaus, Hanan Shteingart
  • Patent number: 12231401
    Abstract: In one embodiment, a data communication device includes a network interface controller to process packets received from at least one of a host device for sending over a network, and at least one remote device over the network, at least one processor to execute computer instructions to receive a configuration, and extract filtering rules from the configuration, and at least one hardware accelerator to receive the filtering rules from the at least one processor, and filter the packets based on the rules so that some of the packets are dropped and some of the packets are forwarded to the at least one processor to send data based on the forwarded packets to another device.
    Type: Grant
    Filed: April 6, 2022
    Date of Patent: February 18, 2025
    Assignee: Mellanox Technologies, Ltd
    Inventors: Chen Rozenbaum, Shaul Arazi, Shahaf Shuler, Gary Mataev