🤖 AI Summary
To address the poor scalability of centralized traffic correlation methods in large-scale, high-speed networks under stealthy attacks (e.g., proxy chains and VPNs), this paper proposes a distributed traffic correlation framework leveraging P4-programmable switches. We introduce a novel decentralized correlation paradigm that offloads flow-relatedness computation to the data plane, integrating lightweight flow sketching, distributed state synchronization, and marginal correlation computation to enable collaborative intra-network provenance tracing. Our approach achieves attribution accuracy comparable to centralized baselines while reducing bandwidth overhead and computational complexity by over 90%. It supports real-time deployment in large-scale, high-speed network environments.
📝 Abstract
Network attackers have increasingly resorted to proxy chains, VPNs, and anonymity networks to conceal their activities. To tackle this issue, past research has explored the applicability of traffic correlation techniques to perform attack attribution, i.e., to identify an attacker's true network location. However, current traffic correlation approaches rely on well-provisioned and centralized systems that ingest flows from multiple network probes to compute correlation scores. Unfortunately, this makes correlation efforts scale poorly for large high-speed networks. In this paper, we propose RevealNet, a decentralized framework for attack attribution that orchestrates a fleet of P4-programmable switches to perform traffic correlation. RevealNet builds on a set of correlation primitives inspired by prior work on computing and comparing flow sketches -- compact summaries of flows' key characteristics -- to enable efficient, distributed, in-network traffic correlation. Our evaluation suggests that RevealNet achieves comparable accuracy to centralized attack attribution systems while significantly reducing both the computational complexity and bandwidth overheads imposed by correlation tasks.
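The abstract describes the correlation primitive at a high level: each probe reduces a flow to a compact sketch, and probes compare sketches rather than exchanging packets. The following is an added illustration of that idea, not RevealNet's code and not the paper's actual sketch design. It assumes a bytes-per-time-bin vector as the sketch, cosine similarity as the comparison, and a 0.9 match threshold; the three flows (an ingress flow, the same flow re-emerging from a proxy with delay, jitter and 40 bytes of encapsulation removed per packet, and an unrelated keep-alive flow) are constructed for the example.

```python
# Added example: toy flow sketching and sketch comparison for traffic
# correlation. Not RevealNet's code; the sketch layout (bytes per time bin),
# cosine similarity and the 0.9 threshold are assumptions for illustration.
import math

BIN_WIDTH = 0.5   # seconds per histogram bin (assumed)
N_BINS = 8        # sketch length: covers the first 4 s of a flow (assumed)


def sketch(packets, bin_width=BIN_WIDTH, n_bins=N_BINS):
    """Summarise a flow as a fixed-length vector of bytes per time bin.
    Times are taken relative to the flow's first packet, so a probe further
    along the path (after a proxy's forwarding delay) still produces a
    comparable vector. packets: iterable of (timestamp_s, size_bytes)."""
    packets = sorted(packets)
    t0 = packets[0][0]
    bins = [0] * n_bins
    for ts, size in packets:
        # Anything beyond the sketch's time horizon is folded into the last bin.
        idx = min(int((ts - t0) / bin_width), n_bins - 1)
        bins[idx] += size
    return bins


def similarity(a, b):
    """Cosine similarity of two sketches. It is scale-invariant, so a proxy
    that strips or adds a fixed header per packet does not break the match."""
    dot = sum(x * y for x, y in zip(a, b))
    na = math.sqrt(sum(x * x for x in a))
    nb = math.sqrt(sum(x * x for x in b))
    return dot / (na * nb) if na and nb else 0.0


def attribute(ingress, egress, threshold=0.9):
    """Given {flow_id: sketch} dictionaries exported by two probes, return
    (ingress_id, egress_id, score) for every ingress flow whose best egress
    match clears the threshold. Only sketches cross the wire, never packets."""
    matches = []
    for in_id, s_in in ingress.items():
        best_id, best = None, 0.0
        for eg_id, s_eg in egress.items():
            score = similarity(s_in, s_eg)
            if score > best:
                best_id, best = eg_id, score
        if best_id is not None and best >= threshold:
            matches.append((in_id, best_id, round(best, 4)))
    return matches


# --- constructed sample flows: (timestamp seconds, bytes) ---
# Flow seen at the ingress probe: three bursts of 1200/1200/300-byte packets.
FLOW_IN = [(0.0, 1200), (0.1, 1200), (0.2, 300),
           (1.2, 1200), (1.3, 300),
           (2.6, 1200), (2.7, 1200), (2.8, 300)]
# The same flow re-emerging from a proxy at the egress probe: about 50 ms of
# forwarding delay plus jitter, and 40 bytes of encapsulation removed per packet.
FLOW_OUT = [(0.05, 1160), (0.16, 1160), (0.26, 260),
            (1.24, 1160), (1.37, 260),
            (2.65, 1160), (2.78, 1160), (2.86, 260)]
# An unrelated keep-alive style flow: 100-byte packets every 300 ms.
FLOW_OTHER = [(10.0 + 0.3 * i, 100) for i in range(10)]


def demo():
    """Each probe exports only sketches; the egress probe's table is matched
    against the ingress probe's table."""
    ingress = {"in-1": sketch(FLOW_IN)}
    egress = {"eg-1": sketch(FLOW_OUT), "eg-2": sketch(FLOW_OTHER)}
    return attribute(ingress, egress)


if __name__ == "__main__":
    print("ingress sketch:", sketch(FLOW_IN))
    print("egress sketch: ", sketch(FLOW_OUT))
    print("matches:", demo())
```

The proxied copy scores close to 1.0 against its ingress flow while the unrelated flow scores well below the threshold, and the only data each probe had to export was a vector of `N_BINS` integers per flow instead of every packet. A real sketch would need to cope with packet loss, retransmissions and deliberate padding or timing perturbation, which this toy vector does not attempt.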