SDN-RDCD: A Real-Time and Reliable Method for Detecting Compromised SDN Devices

Software-defined networks (SDNs) are increasingly deployed in many practical settings, which brings new security risks such as hijacking of the SDN controller or of its switches. In this paper, we propose a real-time method that detects compromised SDN devices in a reliable way. The proposed method addresses the detection of compromised SDN devices when neither the controller nor the switches can be trusted, and it is complementary to existing detection methods. Our primary idea is to employ backup controllers to audit the handling information of network update events collected from the primary controller and its switches, and to detect compromised devices by recognizing inconsistent or unexpected handling behaviors among the primary controller, the backup controllers, and the switches. Following this idea, we first capture each network update request and its execution result in the primary controller, collect each received network update instruction and the information on any state update in the switches, and deliver these four kinds of information to the backup controllers, which act in an auditor role. An auditor controller is designed to create an audit record for each received network update request and to add to that record its own execution result for the request together with the four kinds of matching information it received. In particular, heterogeneous auditor controllers are proposed so that the auditors do not share the vulnerabilities of the primary controller. The audit algorithm and a theoretical proof of its effectiveness for security enhancement are then presented. Finally, experimental results from our prototype implementation further validate the proposed method and its low overhead.
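The following is an added illustration of the auditing idea described in the abstract; it is not code from the paper or its prototype. It models an auditor controller that keeps one audit record per network update request, fills it with the four kinds of information the abstract names (the request and its execution result captured at the primary controller, the instruction received at the switch, and the switch's state update), adds the auditor's own execution result, and then classifies the record. The request format, the deterministic `compile_request` policy, the event-handler names, and the verdict strings are all assumptions made for the example; the paper's actual audit algorithm and its heterogeneous-controller design are not reproduced here.

```python
"""Toy auditor-controller consistency check (illustrative; assumptions marked)."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


def compile_request(request: dict) -> dict:
    """Assumed deterministic policy shared by every controller: forward traffic
    destined to dst_ip out of out_port. Any honest controller, primary or
    auditor, produces the same flow rule for the same request."""
    return {
        "match": {"ipv4_dst": request["dst_ip"]},
        "actions": [f"output:{request['out_port']}"],
    }


@dataclass
class AuditRecord:
    request_id: str
    request: Optional[dict] = None             # (1) request captured at the primary controller
    primary_result: Optional[dict] = None      # (2) execution result reported by the primary
    switch_instruction: Optional[dict] = None  # (3) instruction the switch says it received
    switch_state: Optional[dict] = None        # (4) state update the switch says it applied
    auditor_result: Optional[dict] = None      # the auditor's own execution of (1)


class AuditorController:
    """Backup controller in the auditor role: collects the four kinds of
    information per request and flags inconsistent handling."""

    def __init__(self) -> None:
        self.records: dict[str, AuditRecord] = {}

    def _record(self, rid: str) -> AuditRecord:
        return self.records.setdefault(rid, AuditRecord(request_id=rid))

    # Event handlers (names are assumptions for the example).
    def on_primary_request(self, rid: str, request: dict) -> None:
        rec = self._record(rid)
        rec.request = request
        rec.auditor_result = compile_request(request)  # auditor re-executes it

    def on_primary_result(self, rid: str, result: dict) -> None:
        self._record(rid).primary_result = result

    def on_switch_instruction(self, rid: str, instruction: dict) -> None:
        self._record(rid).switch_instruction = instruction

    def on_switch_state(self, rid: str, state: dict) -> None:
        self._record(rid).switch_state = state

    def audit(self, rid: str) -> str:
        """Classify one audit record. Order matters: a disagreement closer to
        the primary controller is reported before one closer to the switch."""
        rec = self.records[rid]
        if None in (rec.request, rec.primary_result,
                    rec.switch_instruction, rec.switch_state):
            return "incomplete"  # cannot judge until all four kinds arrived
        if rec.primary_result != rec.auditor_result:
            return "primary_controller_suspect"   # primary computed a different rule
        if rec.switch_instruction != rec.primary_result:
            return "control_channel_inconsistent"  # sent and received rules differ
        if rec.switch_state != rec.switch_instruction:
            return "switch_suspect"  # switch applied something it was not told to
        return "consistent"


def run_sample() -> dict[str, str]:
    """Constructed event stream covering one consistent request, one where the
    primary deviates, one where the switch deviates, and one still incomplete."""
    auditor = AuditorController()
    good_rule = compile_request({"dst_ip": "10.0.0.5", "out_port": 2})
    events = [
        # r1: everyone agrees
        ("primary_request", "r1", {"dst_ip": "10.0.0.5", "out_port": 2}),
        ("primary_result", "r1", good_rule),
        ("switch_instruction", "r1", good_rule),
        ("switch_state", "r1", good_rule),
        # r2: primary reports a rule that does not follow from the request
        ("primary_request", "r2", {"dst_ip": "10.0.0.7", "out_port": 3}),
        ("primary_result", "r2", {"match": {"ipv4_dst": "10.0.0.7"}, "actions": ["output:9"]}),
        ("switch_instruction", "r2", {"match": {"ipv4_dst": "10.0.0.7"}, "actions": ["output:9"]}),
        ("switch_state", "r2", {"match": {"ipv4_dst": "10.0.0.7"}, "actions": ["output:9"]}),
        # r3: switch installs an extra action it was never instructed to apply
        ("primary_request", "r3", {"dst_ip": "10.0.0.9", "out_port": 1}),
        ("primary_result", "r3", compile_request({"dst_ip": "10.0.0.9", "out_port": 1})),
        ("switch_instruction", "r3", compile_request({"dst_ip": "10.0.0.9", "out_port": 1})),
        ("switch_state", "r3", {"match": {"ipv4_dst": "10.0.0.9"}, "actions": ["output:1", "output:4"]}),
        # r4: only the request has been seen so far
        ("primary_request", "r4", {"dst_ip": "10.0.0.11", "out_port": 5}),
    ]
    for kind, rid, payload in events:
        getattr(auditor, f"on_{kind}")(rid, payload)
    return {rid: auditor.audit(rid) for rid in auditor.records}


if __name__ == "__main__":
    for rid, verdict in run_sample().items():
        print(rid, verdict)
```

The ordering of the checks is the design point: the auditor compares the primary's reported result against its own execution first, so that a switch faithfully applying a bad rule is not blamed for the primary's deviation, and only a switch whose applied state differs from the instruction it acknowledged is flagged on its own. A record with any of the four kinds of information missing stays "incomplete" rather than being judged early.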
