Securing data planes in software-defined networks

Chao, Tzu-Wei; Ke, Yu-Ming; Chen, Bo-Han; Chen, Jhu-Lin; Hsieh, Chen Yu; Lee, Shao-Chuan; Hsiao, Hsu-Chun

doi:10.1109/netsoft.2016.7502486

Cited by 29 publications

(13 citation statements)

References 14 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The resulting forwarding rules and subnets for each setup are shown in Table I. We report that a similar methodology is also adopted by relevant work such as [8], [41].…”

Section: Methodsmentioning

confidence: 99%

WedgeTail

Shaghaghi

Kâafar

Jha

2017

Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security

View full text Add to dashboard Cite

Networks are vulnerable to disruptions caused by malicious forwarding devices. The situation is likely to worsen in Software Defined Networks (SDNs) with the incompatibility of existing solutions, use of programmable soft switches and the potential of bringing down an entire network through compromised forwarding devices. In this paper, we present WedgeTail, an Intrusion Prevention System (IPS) designed to secure the SDN data plane. WedgeTail regards forwarding devices as points within a geometric space and stores the path packets take when traversing the network as trajectories. To be efficient, it prioritizes forwarding devices before inspection using an unsupervised trajectory-based sampling mechanism. For each of the forwarding device, WedgeTail computes the expected and actual trajectories of packets and 'hunts' for any forwarding device not processing packets as expected. Compared to related work, WedgeTail is also capable of distinguishing between malicious actions such as packet drop and generation. Moreover, WedgeTail employs a radically different methodology that enables detecting threats autonomously. In fact, it has no reliance on pre-defined rules by an administrator and may be easily imported to protect SDN networks with different setups, forwarding devices, and controllers. We have evaluated Wed-geTail in simulated environments, and it has been capable of detecting and responding to all implanted malicious forwarding devices within a reasonable time-frame. We report on the design, implementation, and evaluation of WedgeTail in this manuscript.

show abstract

“…The resulting forwarding rules and subnets for each setup are shown in Table I. We report that a similar methodology is also adopted by relevant work such as [8], [41].…”

Section: Methodsmentioning

confidence: 99%

WedgeTail

Shaghaghi

Kâafar

Jha

2017

Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security

View full text Add to dashboard Cite

show abstract

“…The statistics-based approaches [20]- [27] discover forwarding anomalies by performing heavyweight flow statistics collection and analysis. Towards this end, they propose to collect various statistics, including OpenFlow flow statistics from all flow rules [20], port-based statistics [21], network counter rules [22], [23], [27], and packet trajectory data [24]. However, these solutions often impose significant communication overhead as they require to collect statistics from a vast majority of, if not all, flow rules.…”

Section: Statistics Analysis Based Anomaly Detectionmentioning

confidence: 99%

Efficient Forwarding Anomaly Detection in Software-Defined Networks

Liu

et al. 2021

IEEE Trans. Parallel Distrib. Syst.

View full text Add to dashboard Cite

Data centers, the critical infrastructure underpinning Cloud computing, often employ Software-Defined Networks (SDN) to manage cluster, wide-area and enterprise networks. As the network forwarding in SDN is dynamically programmed by controllers, it is crucial to ensure that the controller intent is correctly translated into underlying forwarding rules. Therefore, detecting and locating forwarding anomalies in SDN is a fundamental problem in production networks. Existing research proposals, roughly categorized into probing based, packet piggybacking based and flow statistics analysis based, either impose significant overhead or do not provide sufficient coverage for certain forwarding anomalies. In this paper, we propose FADE, a controllable and passive measuring scheme to simultaneously deliver detection efficiency and accuracy. FADE first analyzes the entire network topology and flow rules, and then computes a minimal set of flows that can cover all forwarding rules. For each selected network flow, FADE decides the optimal number of monitoring positions on its path (much less than total number of hops), and installs dedicated rules to collect flow statistics. FADE controls the installation and expiration of these rules, along with unique flow labels, to guarantee the accuracy of collected statistics, based on which FADE algorithmically decides whether a forwarding anomaly is detected, and if so it further locates the anomaly. On top of FADE, we propose iFADE (a more scalable version of FADE) to further optimize the usage and deployment of dedicated measurement rules. iFADE achieves over 40% rule reduction compared with FADE. We implement a prototype of both FADE and iFADE in about 12,000 lines of code and evaluate the prototype extensively. The experiment results demonstrate (i) FADE and iFADE are accurate, e.g., they achieve over 95% true positive rate and 99% true negative rate in anomaly detection; (ii) FADE and iFADE are lightweight, e.g., they reduce the overhead of control messages compared with state-of-the-art by about 50% and 90%, respectively. 1 Introduction Data centers are critical infrastructure underpinning the Cloud computing. Nowadays, production data centers often employ Software-Defined Networking (SDN) to manage both cluster networks [1], wide area networks [2], [3] and enterprise networks [4]. SDN adopts a new networking paradigm by separating the control plane from the data plane [5]. However, SDN itself does not ensure the flow rule consistency between what is intended in the control

show abstract

“…In general, the improvement of SDN security applications and controllers, and the online verification of network restrictions, separately, have been the prime focus of SDN security literature [6], [13]. Intrusion detection systems (IDSs) are important as prime defense techniques to protect network systems.…”

Section: Related Workmentioning

confidence: 99%

ECSD: Enhanced Compromised Switch Detection in an SDN-Based Cloud Through Multivariate Time-Series Analysis

Dinh

Park

2020

IEEE Access

View full text Add to dashboard Cite

Nowadays, Software-Defined Networks (SDNs) are increasingly being used in many practical settings, posing a variety of security risks, such as compromised switches. Once a switch is compromised by an attacker, the switch may be either malfunctioning or misconfigured, displaying some abnormal network behaviors, e.g., delaying, dropping, adding, or modifying the traffic. In our previous work, we proposed an efficient scheme for detecting compromised SDN switches based on chaotic analysis of network traffic using an autoregressive-integrated-moving-average model. This scheme showed good results overall; however, it still showed high false-alarm rates due to a hard-set threshold. In this paper, we propose an enhanced scheme to detect compromised SDN switches effectively and reliably. The scheme consists of two phases (online and offline), leveraging the advantages of a stochastic recurrent neural network variant of multivariate time-series-based anomaly detection. Our main idea is to capture the normal patterns of multivariate time series by learning strong representations with the key techniques, such as planar normalizing flow and stochastic variable connection, then reconstruct input data by the representations, and use the reconstruction probabilities to find anomalies. Evaluation results of our proposed scheme yield outstanding performance in comparison with our previous work and other solutions.

show abstract

Securing data planes in software-defined networks

Cited by 29 publications

References 14 publications

WedgeTail

WedgeTail

Efficient Forwarding Anomaly Detection in Software-Defined Networks

ECSD: Enhanced Compromised Switch Detection in an SDN-Based Cloud Through Multivariate Time-Series Analysis

Contact Info

Product

Resources

About