Securing Control and Data Planes From Reconnaissance Attacks Using Distributed Shadow Controllers, Reactive and Proactive Approaches

Hyder, Muhammad Faraz; Ismail, Muhammad Ali

doi:10.1109/access.2021.3055577

Cited by 20 publications

(10 citation statements)

References 32 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Hyder and Ismail [22] used port and IP shuffling to improve the security of SDN. Medina-López et al [23] used MTD approaches, by which when the messages are exchanged between hosts, their IP address is changed.…”

Section: Related Workmentioning

confidence: 99%

SCEMA: An SDN-Oriented Cost-Effective Edge-Based MTD Approach

Javadpour

Ja’fari

Taleb

et al. 2023

IEEE Trans.Inform.Forensic Secur.

View full text Add to dashboard Cite

Protecting large-scale networks, especially Software-Defined Networks (SDNs), against distributed attacks in a costeffective manner plays a prominent role in cybersecurity. One of the pervasive approaches to plug security holes and prevent vulnerabilities from being exploited is Moving Target Defense (MTD), which can be efficiently implemented in SDN as it needs comprehensive and proactive network monitoring. The critical key in MTD is to shuffle the least number of hosts with an acceptable security impact and keep the shuffling frequency low. In this paper, we have proposed an SDN-oriented Cost-effective Edge-based MTD Approach (SCEMA) to mitigate Distributed Denial of Service (DDoS) attacks at a lower cost by shuffling an optimized set of hosts that have the highest number of connections to the critical servers. These connections are named edges from a graph-theoretical point of view. We have proposed a three-layer mathematical model for the network that can easily calculate the attack cost. We have also designed a system based on SCEMA and simulated it in Mininet. The results show that SCEMA has lower complexity than the previous related MTD field with acceptable performance.

show abstract

Section: Related Workmentioning

confidence: 99%

SCEMA: An SDN-Oriented Cost-Effective Edge-Based MTD Approach

Javadpour

Ja’fari

Taleb

et al. 2023

IEEE Trans.Inform.Forensic Secur.

View full text Add to dashboard Cite

show abstract

“…VCP filters undetermined traffic before forwarding it to the controller. Hyder et al 35 designed securing arrangement for the data and control plane of SDN-based MTD known as SDN-based Moving Target Defense for Control and Data planes Security (SMCDS). It utilized Shadow controllers in a distributed environment to enhance the control plane security for countering probing attacks.…”

Section: Crossfire Ddos Defense Techniques For Sdn and Nfvmentioning

confidence: 99%

Countering crossfire DDoS attacks through moving target defense in SDN networks using OpenFlow traffic modification

Hyder,

Fatima,

Khan

et al. 2023

Trans Emerging Tel Tech

Self Cite

View full text Add to dashboard Cite

Software‐Defined Networking (SDN) is an evolving networking technique due to its flexibility and programmability. OpenFlow is the primary protocol behind SDN. Moving Target Defense (MTD) is an emerging security technique to counter attacks by dynamically changing the attack surface. SDN‐based MTD security solutions are gaining popularity due to the centralized control and monitoring capabilities of the SDN control plane. Crossfire is a type of indirect Distributed Denial of Service (DDoS) attack intending to impact the neighbors of the actual target. Crossfire DDoS attacks are gaining momentum in recent times. In this paper, a mechanism for the protection of crossfire DDoS attacks is proposed by exploiting OpenFlow‐based traffic modifications. We employed the Moving Target Defense scheme to redirect the traffic from the actual host to the shadow host to counter the crossfire DDoS attack and from the default domain name system port to another predefined port. Traffic redirection helps in diverting the attacker to shadow host and thus getting the incorrect network path and subsequently crossfire attack was unable to be executed properly. The proposed scheme utilized the ONOS cluster with Mininet. The results showed successful traffic redirection for countering the Crossfire DDoS attacks at a low computational cost.

show abstract

“…Another solution proposed in the literature is the use of moving target defence, such as in [35] with the introduction of the notion of shadow controllers. Furthermore, in the case of detection of probing trafc, a part of the shadow controllers are randomly selected to respond to the trafc.…”

Section: Malicious Controller In Sdnmentioning

confidence: 99%

“…However, the techniques which use communication between the controllers, such as in [35], cannot be applied because we consider that the controller is faulty after the alarm. In addition, some methods cannot be applied as the methods proposed in [25] use non-Openfow packets named "Remap" or "Remap-Begin" to lead over the faulty controller.…”

Section: Recover Of the Attackmentioning

confidence: 99%

“…r learn ′ � r learn ; (26) if r learn ∈ R Set then (27) while timeout ps do (28) f � wait(fmod); (29) if type(f) � delete then (30) r learn ′ � r learn ′ /f′; (31) else if type(f) � add then (32) r learn ′ � r learn ′ ∪ f; (33) else if type(f) � modify then (34) r learn ′ � r learn ′ /f ′ & r learn ′ � r learn ′ ∪ f; (35) if cons(r learn ′ ) � � � � � � � r learn ′ � r learn then (36) return Fault; (43) while timeout mp do (44) f � wait(fmod); (45) if fmod ∈ R Set then (46) R Set � R Set /fmod (47) else (48) return Fault ALGORITHM 1: Observer Logic.…”

Section: Data Availabilitymentioning

confidence: 99%

See 1 more Smart Citation

Implementation of a SDN Architecture Observer: Detection of Failure, Distributed Denial-of-Service and Unauthorized Intrusion

Desgeorges

Georges

Divoux

2023

Security and Communication Networks

View full text Add to dashboard Cite

Software-defined networking was recently introduced and proposed to separate the control from the data plane. This architecture introduces new challenges, particularly with regard to security and safety. To address the safety challenges, it is necessary to set up a multi controller architecture to provide redundancy. In addition, the second controller can have a security benefit because it can be used to validate the decisions taken by the first controller. However, communication between the controllers is necessary in these architectures, which may be exploited by an attacker to spread across the controllers, resulting in a security issue. This study aims to develop a multi controller architecture without communication between controllers. The control is executed by the nominal controller, which performs the data plane computation, whereas the second controller is in charge of verifying the consistency of the controller’s decisions, i.e., the management traffic. We first formulated the activity of the command and then provided conditions to determine a consistent control. These conditions include a time boundary, which corresponds to the tolerance for a delay in the response time of the controller, and structural properties to verify the consistency of the path setup. Moreover, we proposed a detection algorithm that is divided into two parts: first, a learning phase that aims to learn the consistent path set up by the controller, and second, a running phase which aims to verify that the controller sets up paths that are similar to the learned path. This algorithm was evaluated in terms of its reactivity, precision, and recall. To evaluate this, we considered three use cases: a distributed denial of service (DDOS) attack, an attack to send malicious packets on the network, and a failure of the controller.

show abstract

Securing Control and Data Planes From Reconnaissance Attacks Using Distributed Shadow Controllers, Reactive and Proactive Approaches

Cited by 20 publications

References 32 publications

SCEMA: An SDN-Oriented Cost-Effective Edge-Based MTD Approach

SCEMA: An SDN-Oriented Cost-Effective Edge-Based MTD Approach

Countering crossfire DDoS attacks through moving target defense in SDN networks using OpenFlow traffic modification

Implementation of a SDN Architecture Observer: Detection of Failure, Distributed Denial-of-Service and Unauthorized Intrusion

Contact Info

Product

Resources

About