Behavior Anomaly Detection in SDN Control Plane: A Case Study of Topology Discovery Attacks

Chou, Li-Der; Liu, Chien-Chang; Lai, Meng-Sheng; Chiu, Kai-Cheng; Tu, Hsuan-Hao; Su, Sen; Lai, Chun-Lin; Yen, Chia-Kuan; Tsai, Wei-Hsiang

doi:10.1109/ictc46691.2019.8939903

Cited by 5 publications

(3 citation statements)

References 18 publications

(17 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…What needs to be emphasized is that the target must be using DHCP for Persona Hijacking to be applicable. CTAD [8] detected different topology attack types by analyzing the relevance of network traffic and verifying link layer discovery protocol (LLDP) frames. TrustTopo [23] as a lightweight and efficient SDN topology verification scheme, coped with the host hijacking and link fabrication attacks.…”

Section: Related Workmentioning

confidence: 99%

“…To prove that SVM is more suitable for our experimental environment and scenarios, we first compared with other classification and clustering algorithms commonly used in anomaly detection, including k-Nearest Neighbors (KNN), Random Forest, Decision Tree, K-means, and BayesNet. As a comparison, we use the F1 score, precision, and recall to evaluate the performance of different algorithms and schemes, as shown in Equations ( 6)- (8). In Equations ( 6) and ( 7):…”

Section: Dos Detection Effectmentioning

confidence: 99%

“…Both academia and the industry have made many efforts and proposed many solutions to enhance SDN security. TopoGuard [7] and the correlation-based topology anomaly detection (CTAD) [8] solve topological attacks in SDN. The saturation attacks detector (SA-Detector) [9], vSwitchGuard [10], FTGuard [11], and SDNGuardian [12] are responsible for defending against data plane saturation attacks and flow table overflow attacks.…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Packet Injection Exploiting Attack and Mitigation in Software-Defined Networks

Qin

et al. 2022

Applied Sciences

View full text Add to dashboard Cite

Software-defined networking (SDN) decouples the control plane and data plane through OpenFlow technology and allows flexible network control. It has been widely applied in different areas and has become a focus of attention in the future network. With SDN’s development, its security problem has become a necessary point of research to be solved urgently. In this paper, we propose a novel attack, namely, the packet injection exploiting attack. By maliciously injecting false hosts into SDN network topology, attackers can further use them to launch a denial of service (DoS) attack. The consequences affect the throughput and processing capabilities of the controller, severely consume data plane resources, and ultimately affect the entire network. To prevent the packet-injection exploiting attack, we designed PIEDefender, an efficient, protocol-independent component built on SDN controllers to detect and mitigate attacks effectively. We implement the PIEDefender prototype on the Floodlight controller and assess the effectiveness in the software environment. Experimental results show that PIEDefender achieves a 97.8% injection detection precision and a 97.96% DoS detection precision, incurring an average CPU consumption of 10%. The evaluation demonstrates that the PIEDefender can effectively mitigate the attack against SDN with limited overhead.

show abstract

Section: Related Workmentioning

confidence: 99%

Section: Dos Detection Effectmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Packet Injection Exploiting Attack and Mitigation in Software-Defined Networks

Qin

et al. 2022

Applied Sciences

View full text Add to dashboard Cite

show abstract

Efficient and Secure Topology Discovery in SDN: Review

Aladesote

Abdullah

2022

Advances on Intelligent Informatics and Computing

View full text Add to dashboard Cite

Detecting DoS Attacks Based on Multi-Features in SDN

Wang

Liu

2020

IEEE Access

View full text Add to dashboard Cite

Denial of Service (DoS) attack is a serious threat to Software Defined Network (SDN). Although many research efforts have been devoted to identify new features for DoS attack detection, the existing approaches are not able to detect various types of DoS attacks. In SDN, DoS attacks against data plane are mainly organized in two ways: 1) DoS attack with multiple flow entries (M-DoS) to exhaust the Ternary Content-Addressable Memory (TCAM) resource of the switch. 2) DoS attack with a single well-designed entry (S-DoS) to overwhelm the target link and further impact the controller. To detect these two attacks, we propose a new approach by extracting six features of flow table, and using the back propagation (BP) neural network to construct the classifier. Test results of test-bed experiments indicate that the accurate detection probability of proposed approach is 98.9%, which can effectively distinguish M-DoS flows and S-DoS flows without being affected by Flash crowd scene. INDEX TERMS SDN security, DoS, Feature detection, Flow table, Flash crowd I.INTRODUCTION Software Defined Network (SDN), as a new type of network management architecture, provides network with flexible control, simple network architecture, and great programmability by decoupling the control plane and the data plane of the traditional network. The control plane enables upper-level managers to implement the required functions by simply deploying the network. In terms of development, SDN provides developers with rich programming interfaces, enabling them to change the network deployment according to actual needs. The logically centralized controller not only provides powerful technical support for complex network services, but also can obtain network status information from a global perspective, which is convenient for monitoring the network in real-time. Moreover, the separation of the control plane and the data plane simplifies the process of packet forwarding, reduces the load on the switch, and makes network configuration more convenient. SDN has been widely used in network virtualization, wireless LANs, cloud computing and other fields due to its advantages[1]-[4]. However, as SDN is still in the development stage, many technical details are not mature enough, it can easily become a key target of network attacks. SDN has serious security vulnerabilities, thus faces great security threats[5]-[7]. Denial of Service (DoS) attacks is one of the major threats to SDN. Previous researches have noted that there exist many types of DoS attacks in SDN[8]-[10]. The victim may be control plane, data plane or application[9][11]. DoS attacks against data plane, control plane or SDN application commonly have different principles and features, corresponding to specialized detection methods. Therefore, DoS attacks should be studied according to different planes, and existing studies are commonly conducted in this way. Currently, DoS attacks on data plane have attracted wide attention, as the vulnerabilities of this plane are exposed. These attacks can be class...

show abstract

Behavior Anomaly Detection in SDN Control Plane: A Case Study of Topology Discovery Attacks

Cited by 5 publications

References 18 publications

Packet Injection Exploiting Attack and Mitigation in Software-Defined Networks

Packet Injection Exploiting Attack and Mitigation in Software-Defined Networks

Efficient and Secure Topology Discovery in SDN: Review

Detecting DoS Attacks Based on Multi-Features in SDN

Contact Info

Product

Resources

About