A Survey on the Security of Stateful SDN Data Planes

Dargahi, Tooska; Caponi, Alberto; Ambrosin, Moreno; Bianchi, Giuseppe; Conti, Mauro

doi:10.1109/comst.2017.2689819

Cited by 171 publications

(84 citation statements)

References 64 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…Several different type of applications have already been built atop of the aforementioned stateful data plane solutions including stateful failure recovery [], HULA [51], port knocking [29], SDN tunneling stateful detection [23] and UDP flooding stateful mitigation [23]. While reviewing each of these solutions is out of scope in this work, we refer the interested reader to [35] for a survey.…”

Section: Stateful Data Planesmentioning

confidence: 99%

“…If control independent functionalities were to be implemented in stateful data planes, then this would require the use of probe message between forwarding devices, or information passing between switches and 'piggyback' inside regular traffic packets [35]. Securing inter-forwarding device communications is an important issue, which has almost been ignored in the literature so far.…”

Section: Security Implications Of Stateful Data Planesmentioning

confidence: 99%

See 1 more Smart Citation

Software-Defined Network (SDN) Data Plane Security: Issues, Solutions, and Future Directions

Shaghaghi

Kâafar

Buyya

et al. 2020

Handbook of Computer Networks and Cyber Security

View full text Add to dashboard Cite

Software-Defined Network (SDN) radically changes the network architecture by decoupling the network logic from the underlying forwarding devices. This architectural change rejuvenates the network-layer granting centralized management and re-programmability of the networks. From a security perspective, SDN separates security concerns into control and data plane, and this architectural recomposition brings up exciting opportunities and challenges. The overall perception is that SDN capabilities will ultimately result in improved security. However, in its raw form, SDN could potentially make networks more vulnerable to attacks and harder to protect. In this paper, we focus on identifying challenges faced in securing the data plane of SDN -one of the least explored but most critical components of this technology. We formalize this problem space, identify potential attack scenarios while highlighting possible vulnerabilities and establish a set of requirements and challenges to protect the data plane of SDNs. Moreover, we undertake a survey of existing solutions with respect to the identified threats, identifying their limitations and offer future research directions.

show abstract

Section: Stateful Data Planesmentioning

confidence: 99%

Section: Security Implications Of Stateful Data Planesmentioning

confidence: 99%

Software-Defined Network (SDN) Data Plane Security: Issues, Solutions, and Future Directions

Shaghaghi

Kâafar

Buyya

et al. 2020

Handbook of Computer Networks and Cyber Security

View full text Add to dashboard Cite

show abstract

“…Moreover, timing of sent requests can be used as a feature to determine if they are robot made or human made i.e. multiple request in very short period of time usually signifies a bot origin [122]- [124]. Passive Detection; in this technique, we achieve detection through monitoring activities initiated by applications to distinguish between malicious Trojans and benign apps.…”

Section: Network Behaviour and Timing;mentioning

confidence: 99%

A cyber kill chain based taxonomy of banking Trojans for evolutionary computational intelligence

Kiwia

Dehghantanha

Choo

et al. 2018

Journal of Computational Science

View full text Add to dashboard Cite

Malware such as banking Trojans are popular with financially-motivated cybercriminals. Detection of banking Trojans remains a challenging task, due to the constant evolution of techniques used to obfuscate and circumvent existing detection and security solutions. Having a malware taxonomy can facilitate the design of mitigation strategies such as those based on evolutionary computational intelligence. Specifically, in this paper, we propose a cyber kill chain based taxonomy of banking Trojans features. This threat intelligence based taxonomy providing a stage-by-stage operational understanding of a cyber-attack, can be highly beneficial to security practitioners and the design of evolutionary computational intelligence on Trojans detection and mitigation strategy. The proposed taxonomy is validated by using a real-world dataset of 127 banking Trojans

show abstract

“…Among these security problems, the most relevant has been the controller‐switch communication flood, a kind of Denial of Service (DoS) attack that exploits poor scalability of switch‐to‐controller communication . Since traditional SDN solutions (eg, OpenFlow) implement static flow tables, any stateful control, and processing intelligence is necessarily delegated to the network controller, increasing latency and signaling overhead.…”

Section: Introductionmentioning

confidence: 99%

A real‐time attack defense framework for 5G network slicing

et al. 2020

View full text Add to dashboard Cite

Network Slicing (NS) is a key enabler to support 5G network services on-demand. However, since NS is a result of the recent advancement in Software-Defined Networking and Network Function Virtualization, it introduces new security issues which include attacks against an NS instance within an operator network and interslice security threats. In this scenario, identifying and mitigating attacks in real-time is of paramount importance to improve security aspects. However, it is far from being straightforward. Therefore, this work proposes the FrameRTP4, a P4-based framework that aims to deliver real-time attack detection and mitigation mechanisms in 5G NS scenarios. For this, it provides a P4-based switch that implements an Service Function Chaining protocol layer, an efficient and scalable Access Control List for the detection and mitigation of known attacks, and a monitoring system aiming to reduce the overhead induced on the control channel. Furthermore, it delivers an orchestrator that aims to control all switches in order to enable lifecycle management of NS instances and P4 table rules. Besides, it also performs some autonomous tasks such as the wildcard rules generation and the detection of new threats by using machine learning algorithms. Preliminary results point to the potential benefits of FrameRTP4 to be part of a 5G NS infrastructure. K E Y W O R D S5G, bloom filter, cybersecurity, network function virtualization, network slice, P4

show abstract

A Survey on the Security of Stateful SDN Data Planes

Cited by 171 publications

References 64 publications

Software-Defined Network (SDN) Data Plane Security: Issues, Solutions, and Future Directions

Software-Defined Network (SDN) Data Plane Security: Issues, Solutions, and Future Directions

A cyber kill chain based taxonomy of banking Trojans for evolutionary computational intelligence

A real‐time attack defense framework for 5G network slicing

Contact Info

Product

Resources

About