Handling malicious switches in software defined networks

Ghannam, Rami; Chung, Anthony

doi:10.1109/noms.2016.7502995

Cited by 12 publications

(9 citation statements)

References 16 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…• Traffic Delay: a compromised switch may delay traffic in order to increase jitter, which raises full of problems with time-sensitive traffic. Moreover, delaying traffic for a TCP stream triggers spurious timeouts and unjustified retransmissions, resulting in grave damage to the TCP throughput [13]. From the compromised switch behaviors mentioned above, an attacker can compromise a switch by dropping, slowing down, or misrouting network traffic [13], or by executing flooding attacks against the control plane, either by replaying or spoofing packet_in messages [5].…”

Section: A Problem Statementsmentioning

confidence: 99%

“…The damaging effects of compromised switches can cause great difficulties in any network system. In addition, to the best of our knowledge, and as seen in [5], [13]- [15], not many studies have efficiently solved these critical problems.…”

Section: A Problem Statementsmentioning

confidence: 99%

“…In general, the improvement of SDN security applications and controllers, and the online verification of network restrictions, separately, have been the prime focus of SDN security literature [6], [13]. Intrusion detection systems (IDSs) are important as prime defense techniques to protect network systems.…”

Section: Related Workmentioning

confidence: 99%

See 2 more Smart Citations

ECSD: Enhanced Compromised Switch Detection in an SDN-Based Cloud Through Multivariate Time-Series Analysis

Dinh

Park

2020

IEEE Access

View full text Add to dashboard Cite

Nowadays, Software-Defined Networks (SDNs) are increasingly being used in many practical settings, posing a variety of security risks, such as compromised switches. Once a switch is compromised by an attacker, the switch may be either malfunctioning or misconfigured, displaying some abnormal network behaviors, e.g., delaying, dropping, adding, or modifying the traffic. In our previous work, we proposed an efficient scheme for detecting compromised SDN switches based on chaotic analysis of network traffic using an autoregressive-integrated-moving-average model. This scheme showed good results overall; however, it still showed high false-alarm rates due to a hard-set threshold. In this paper, we propose an enhanced scheme to detect compromised SDN switches effectively and reliably. The scheme consists of two phases (online and offline), leveraging the advantages of a stochastic recurrent neural network variant of multivariate time-series-based anomaly detection. Our main idea is to capture the normal patterns of multivariate time series by learning strong representations with the key techniques, such as planar normalizing flow and stochastic variable connection, then reconstruct input data by the representations, and use the reconstruction probabilities to find anomalies. Evaluation results of our proposed scheme yield outstanding performance in comparison with our previous work and other solutions.

show abstract

Section: A Problem Statementsmentioning

confidence: 99%

Section: A Problem Statementsmentioning

confidence: 99%

See 1 more Smart Citation

ECSD: Enhanced Compromised Switch Detection in an SDN-Based Cloud Through Multivariate Time-Series Analysis

Dinh

Park

2020

IEEE Access

View full text Add to dashboard Cite

show abstract

“…Packet Delay: Occurs when a forwarding device delays traffic and increases jitter. A packet delay is a threat against time-sensitive traffic [13]. A delay of TCP stream also causes spurious timeouts and unnecessary re-transmission, which severely threatens the TCP throughput [44].…”

Section: Attack Detectionmentioning

confidence: 99%

“…In general, the development of SDN security applications and controllers and real-time verification of network constraints, separately, have been the primary focus of SDN security literature (see [3,25] for surveys). However, no combination of these provides effective protection against compromised forwarding devices [8,11,13].…”

Section: Introductionmentioning

confidence: 99%

WedgeTail

Shaghaghi

Kâafar

Jha

2017

Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security

View full text Add to dashboard Cite

Networks are vulnerable to disruptions caused by malicious forwarding devices. The situation is likely to worsen in Software Defined Networks (SDNs) with the incompatibility of existing solutions, use of programmable soft switches and the potential of bringing down an entire network through compromised forwarding devices. In this paper, we present WedgeTail, an Intrusion Prevention System (IPS) designed to secure the SDN data plane. WedgeTail regards forwarding devices as points within a geometric space and stores the path packets take when traversing the network as trajectories. To be efficient, it prioritizes forwarding devices before inspection using an unsupervised trajectory-based sampling mechanism. For each of the forwarding device, WedgeTail computes the expected and actual trajectories of packets and 'hunts' for any forwarding device not processing packets as expected. Compared to related work, WedgeTail is also capable of distinguishing between malicious actions such as packet drop and generation. Moreover, WedgeTail employs a radically different methodology that enables detecting threats autonomously. In fact, it has no reliance on pre-defined rules by an administrator and may be easily imported to protect SDN networks with different setups, forwarding devices, and controllers. We have evaluated Wed-geTail in simulated environments, and it has been capable of detecting and responding to all implanted malicious forwarding devices within a reasonable time-frame. We report on the design, implementation, and evaluation of WedgeTail in this manuscript.

show abstract