OpenFlow may in time prove to be one of the more impactful technologies to drive a variety of innovations in network security. It could offer a dramatic simplification to the way we design and integrate complex network security applications into large networks. In particular, OpenFlow offers researchers an unprecedented singular point of control over network flow routing decisions across the data planes of all OF-enabled network components. Using OpenFlow, security services can implement far more complex logic than simply halting or forwarding a flow. Such applications can incorporate stateful flow rule production logic to implement complex quarantine procedures, or dynamic connection migration functions that can redirect malicious network flows in ways not easily perceived by the attacker. Flow-based security detection algorithms can also be redesigned as OF security apps, implemented more concisely and deployed more efficiently. However, to date there remains a stark paucity of compelling OpenFlow security applications.

Our research team is actively engaged in several projects to help accelerate new research in OpenFlow-enabled network defense. Our latest research result [10] introduces FRESCO, an OpenFlow security application development framework that facilitates the rapid design and modular composition of OF-enabled detection and mitigation modules. Inspired by the Click router architecture [6] and Click's modular scripting interface, FRESCO abstracts key data access and security directive controls, fostering a more rapid and collaborative environment for security-focused developers. FRESCO's scripting language enables the linking of modules through data sharing and event triggering. Further, FRESCO provides an API that can facilitate responsive flow rule production decisions using information produced from legacy DPI-based security applications (such as IDS or anti-malware applications).
FRESCO exports a scripting API that enables security practitioners to code security monitoring and threat detection logic as modular libraries. These modular libraries represent the elementary processing units in FRESCO, and may be shared and linked together to emulate complex network defense applications. FRESCO currently includes a library of 16 commonly reusable modules, which we intend to expand over time. Ideally, more sophisticated security modules can be built by connecting basic FRESCO modules. Each FRESCO module includes five interfaces: (i) input, (ii) output, (iii) event, (iv) parameter, and (v) action. By simply assigning values to each interface and connecting necessary modules, a FRESCO developer can replicate a range of essential security functions, such as firewalls, scan detectors, attack deflectors, or IDS detection logic. To date, we have used FRESCO to implement a …
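To make the five-interface module model and event-triggered linking concrete, here is an added illustrative model written for this page; it is not FRESCO's own code or API, and the module, handler and field names (`Module`, `scan_detector`, `flow_blocker`, `run_chain`, `nw_src`) are hypothetical. A scan-detector module emits a `SCAN` event, which links to a blocker module that turns the detector's output into drop flow rules.

```python
from collections import defaultdict

class Module:
    """One FRESCO-style processing unit: input -> (output, event, action), tuned by parameter."""
    def __init__(self, name, handler, parameter):
        self.name, self.handler, self.parameter = name, handler, parameter
        self.output, self.event, self.action = {}, None, []

    def process(self, inputs):
        self.output, self.event, self.action = self.handler(inputs, self.parameter)
        return self.event

def scan_detector(inputs, params):
    """Flag any source that contacts at least `threshold` distinct destination ports."""
    ports = defaultdict(set)
    for f in inputs["flows"]:
        ports[f["src"]].add(f["dport"])
    suspects = sorted(s for s, p in ports.items() if len(p) >= params["threshold"])
    return {"suspects": suspects}, ("SCAN" if suspects else None), []

def flow_blocker(inputs, params):
    """On a SCAN event, produce one drop rule per suspect (empty action list = drop)."""
    rules = [{"match": {"nw_src": s}, "actions": [], "priority": params["priority"]}
             for s in inputs["suspects"]]
    return {"rules": rules}, None, rules

def run_chain(first, links, inputs):
    """Event-triggered linking: (module name, event) selects the next module, which
    receives the previous module's output as its input. Returns all emitted actions."""
    actions, current = [], first
    while current is not None:
        event = current.process(inputs)
        actions.extend(current.action)
        inputs, current = current.output, links.get((current.name, event))
    return actions

# Constructed sample flows: 10.0.0.5 probes four ports, 10.0.0.9 makes one benign connection.
SAMPLE_FLOWS = [{"src": "10.0.0.5", "dport": p} for p in (22, 23, 80, 445)] + \
               [{"src": "10.0.0.9", "dport": 443}]

def detect_and_block(flows, threshold=3):
    det = Module("scan_detector", scan_detector, {"threshold": threshold})
    blk = Module("flow_blocker", flow_blocker, {"priority": 100})
    links = {("scan_detector", "SCAN"): blk}   # wire the detector's event to the blocker
    return run_chain(det, links, {"flows": flows})

if __name__ == "__main__":
    for rule in detect_and_block(SAMPLE_FLOWS):
        print(rule)
```

Raising `threshold` above the number of ports any source touched leaves the event unset, so no link fires and no rules are produced.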
[1] Syed Ali Khayam et al., "Revisiting Traffic Anomaly Detection Using Software Defined Networking," RAID, 2011.
[2] Hari Balakrishnan et al., "Fast portscan detection using sequential hypothesis testing," IEEE Symposium on Security and Privacy, 2004.
[3] Vinod Yegneswaran et al., "BotHunter: Detecting Malware Infection Through IDS-Driven Dialog Correlation," USENIX Security Symposium, 2007.
[4] Mabry Tyson et al., "FRESCO: Modular Composable Security Services for Software-Defined Networks," NDSS, 2013.
[5] Mabry Tyson et al., "A security enforcement kernel for OpenFlow networks," HotSDN '12, 2012.
[6] Eddie Kohler et al., "The Click modular router," SOSP, 1999.
[7] Vern Paxson et al., "On the Adaptive Real-Time Detection of Fast-Propagating Network Worms," DIMVA, 2007.
[8] Vyas Sekar et al., "A Multi-Resolution Approach for Worm Detection and Containment," International Conference on Dependable Systems and Networks (DSN'06), 2006.
[9] Michael K. Reiter et al., "Are Your Hosts Trading or Plotting? Telling P2P File-Sharing and Bots Apart," IEEE 30th International Conference on Distributed Computing Systems, 2010.
[10] Guofei Gu et al., "BotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure-Independent Botnet Detection," USENIX Security Symposium, 2008.