POAGuard: A Defense Mechanism Against Preemptive Table Overflow Attack in Software-Defined Networks

Liu, Yuming; Wang, Yong; Feng, Hao

doi:10.1109/access.2023.3330224

Cited by 2 publications

(1 citation statement)

References 56 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The overflow attack [1,2,3] is a main form to break data isolation. After the isolation is broken, the data stored on heap or stack will be overwritten.…”

Section: Introductionmentioning

confidence: 99%

DID: Data Isolation via Dynamic Adjustment of Permissions and Spaces

Li,

Qu,

Chung

2024

Preprint

View full text Add to dashboard Cite

Heap and stack are the main carriers for storing data in the operating system (OS), and their isolation is a key factor to ensure the data privacy and instruction orders. The existing isolation methods have the problem of coarse granularity. In addition, the completely open feature of the read and write permissions of the heap and stack has a serious impact on isolation. To solve these problems, this paper proposes an isolation method DID. This method refines the granularity of the isolated stack and heap. It establishes a framework to dynamically adjust the permissions and spaces of the target data. Based on this framework, DID builds four mechanisms: heap fence mechanism, heap owner mechanism, stack alternation mechanism, and stack jump mechanism. These mechanisms can be used to isolate the data on the heap or stack. Experiments and analysis show that DID has a good defense effect against various attacks based on data out-of-bounds access. And it only introduces 1.9% overhead to the CPU.

show abstract

“…The overflow attack [1,2,3] is a main form to break data isolation. After the isolation is broken, the data stored on heap or stack will be overwritten.…”

Section: Introductionmentioning

confidence: 99%

DID: Data Isolation via Dynamic Adjustment of Permissions and Spaces

Li,

Qu,

Chung

2024

Preprint

View full text Add to dashboard Cite

show abstract

Research on Detection and Mitigation Methods of Adaptive Flow Table Overflow Attacks in Software-Defined Networks

Zeng,

Wang,

Liu

2024

IEEE Access

Self Cite

View full text Add to dashboard Cite

In Software-Defined Networks (SDN), the ternary content addressable memory (TCAM) capacity in switches is limited, making them vulnerable to low-rate flow table overflow attacks. Most existing research in this field has not focused on the influence of flow entry eviction mechanisms on the effectiveness of such attacks. This paper proposes an adaptive low-rate flow table overflow attack (ALFO), which can adopt corresponding attack modes under different flow entry eviction mechanisms, significantly degrading network service quality. Due to the different features of ALFO under different attack modes, the existing attack detection methods are ineffective in this attack. Therefore, this paper proposes a detection and mitigation framework, which is called adaptive low-rate flow table overflow attack guard framework (ALFO-Guard). It extracts flow features from flow entry information in the switch and aggregates them into a current-time graph model. Then, combining graph neural networks, it performs graph anomaly detection and flow entry classification to identify attack flow entries. Finally, the attack can be eliminated by deleting the identified attack flow entries and blocking the attack flows.The effectiveness of ALFO and ALFO-Guard is validated through extensive experiments, and the experimental results demonstrate that ALFO-Guard can effectively defend against ALFO.INDEX TERMS SDN, Flow table overflow, Low-rate attacks, Graph neural network.

show abstract

POAGuard: A Defense Mechanism Against Preemptive Table Overflow Attack in Software-Defined Networks

Cited by 2 publications

References 56 publications

DID: Data Isolation via Dynamic Adjustment of Permissions and Spaces

DID: Data Isolation via Dynamic Adjustment of Permissions and Spaces

Research on Detection and Mitigation Methods of Adaptive Flow Table Overflow Attacks in Software-Defined Networks

Contact Info

Product

Resources

About