TY - GEN
T1 - Setting Malicious Flow Entries Against SDN Operations
T2 - 2018 IEEE Conference on Dependable and Secure Computing, DSC 2018
AU - Lin, Cheng Hsu
AU - Li, Chi-Yu
AU - Wang, Kuo-Chen
N1 - Publisher Copyright:
© 2018 IEEE.
PY - 2019/1/23
Y1 - 2019/1/23
AB - Software-defined networking (SDN) apps are developed to support various functions (e.g., traffic engineering, routing, security) for SDN networks. Their operations rely on the APIs offered by the control plane. They may be compromised, or designed to be malicious, by third parties. Although there have been many studies on defending against malicious apps, they only restrict the APIs those apps may use, with coarse-grained controls. In this work, we show that some malicious flow entries cannot be detected or prevented by current defenses. They may impede the operations of control-plane services or hinder packets from being forwarded correctly in the data plane. To show their negative impact, we devise two attacks, topology spoofing and forwarding-based DoS, examine their damage, and analyze their root causes. We then propose a context-aware, event-based anomaly detection (CEAD) framework to defend against malicious flow entries. It provides finer-grained control over the flow entries set by apps. Unlike other studies, it performs anomaly detection by examining the context correlation between an event, the app that registered it, and the flow entries set by that app for the event. Our evaluation results show that CEAD detects all the malicious flow entries in our test cases, and confirm its scalability with negligible overhead at increasing TCP connection attempt rates.
KW - DoS
KW - SDN
KW - context-Aware
KW - security
KW - topology spoofing
UR - http://www.scopus.com/inward/record.url?scp=85062486402&partnerID=8YFLogxK
U2 - 10.1109/DESEC.2018.8625101
DO - 10.1109/DESEC.2018.8625101
M3 - Conference contribution
AN - SCOPUS:85062486402
T3 - DSC 2018 - 2018 IEEE Conference on Dependable and Secure Computing
BT - DSC 2018 - 2018 IEEE Conference on Dependable and Secure Computing
PB - Institute of Electrical and Electronics Engineers Inc.
Y2 - 10 December 2018 through 13 December 2018
ER -