Network-Wide Forwarding Anomaly Detection and Localization in Software Defined Networks

A crucial requirement for Software Defined Network (SDN) is that data plane forwarding behaviors should always agree with control plane policies. Such requirement cannot be met when there are forwarding anomalies, where packets deviate from the paths specified by the controller. Most anomaly detection methods for SDN install dedicated rules to collect statistics of each flow, and check whether the statistics conform to the ``flow conservation principle''. We find these methods have a limited detection scope: they look at one flow each time, thus can only check a small number of flows simultaneously. In addition, dedicated rules for statistics collection can impose a large overhead on flow tables of SDN switches. To this end, this paper presents FOCES, a network-wide forwarding anomaly detection and localization method in SDN. Different from previous methods, FOCES applies a new kind of flow conservation principle at network wide, and can check forwarding behaviors of all flows in the network simultaneously, without installing any dedicated rules. Finally, FOCES applies a voting-based method to localize malicious switches when anomalies are detected. Experiments with four network topologies show that FOCES can achieve a detection precision higher than 90%, when the packet loss rate is no larger than 10%, and a localization accuracy of around 80% when the packet loss rate is no larger than 5%.

[1]  Qi Li,et al.  FADE: Detecting forwarding anomaly in software-defined networks , 2016, 2016 IEEE International Conference on Communications (ICC).

[2]  A. J. Strecok,et al.  On the calculation of the inverse of the error function , 1968 .

[3]  Cheng Zhang,et al.  Fast testing network data plane with RuleChecker , 2017, 2017 IEEE 25th International Conference on Network Protocols (ICNP).

[4]  Endong Wang,et al.  Intel Math Kernel Library , 2014 .

[5]  David Walker,et al.  CacheFlow: Dependency-Aware Rule-Caching for Software-Defined Networks , 2016, SOSR.

[6]  George Varghese,et al.  Header Space Analysis: Static Checking for Networks , 2012, NSDI.

[7]  Stefan Savage,et al.  Detecting and Isolating Malicious Routers , 2006, IEEE Transactions on Dependable and Secure Computing.

[8]  Biswanath Mukherjee,et al.  Detecting disruptive routers: a distributed network monitoring approach , 1998, Proceedings. 1998 IEEE Symposium on Security and Privacy (Cat. No.98CB36186).

[9]  Tuomas Aura,et al.  Spook in Your Network: Attacking an SDN with a Compromised OpenFlow Switch , 2014, NordSec.

[10]  Vijay Mann,et al.  SPHINX: Detecting Security Attacks in Software-Defined Networks , 2015, NDSS.

[11]  Hao Li,et al.  Stick to the script: Monitoring the policy compliance of SDN data plane , 2016, 2016 ACM/IEEE Symposium on Architectures for Networking and Communications Systems (ANCS).

[12]  Torsten Hoefler,et al.  SDNsec: Forwarding Accountability for the SDN Data Plane , 2016, 2016 25th International Conference on Computer Communication and Networks (ICCCN).

[13]  F. Pukelsheim The Three Sigma Rule , 1994 .

[14]  Xin Liu,et al.  Passport: Secure and Adoptable Source Authentication , 2008, NSDI.

[15]  George Varghese,et al.  Automatic Test Packet Generation , 2012, IEEE/ACM Transactions on Networking.

[16]  Bo Yang,et al.  Is every flow on the right track?: Inspect SDN forwarding with RuleScope , 2016, IEEE INFOCOM 2016 - The 35th Annual IEEE International Conference on Computer Communications.

[17]  Dejan Kostic,et al.  Monocle: dynamic, fine-grained data plane monitoring , 2015, CoNEXT.

[18]  Peng Zhang,et al.  Towards rule enforcement verification for software defined networks , 2017, IEEE INFOCOM 2017 - IEEE Conference on Computer Communications.

[19]  Sanjay Jha,et al.  WedgeTail: An Intrusion Prevention System for the Data Plane of Software Defined Networks , 2017, AsiaCCS.

[20]  Nick McKeown,et al.  OpenFlow: enabling innovation in campus networks , 2008, CCRV.

[21]  Hao Li,et al.  Mind the Gap: Monitoring the Control-Data Plane Consistency in Software Defined Networks , 2016, CoNEXT.

[22]  Qi Li,et al.  Verifying Rule Enforcement in Software Defined Networks With REV , 2020, IEEE/ACM Transactions on Networking.

[23]  Michael Walfish,et al.  Verifying and enforcing network paths with icing , 2011, CoNEXT '11.

[24]  Carol J. Fung,et al.  FlowMon: Detecting Malicious Switches in Software-Defined Networks , 2015, SafeConfig@CCS.

[25]  Chin-Laung Lei,et al.  How to detect a compromised SDN switch , 2015, Proceedings of the 2015 1st IEEE Conference on Network Softwarization (NetSoft).

[26]  Hsu-Chun Hsiao,et al.  Securing data planes in software-defined networks , 2016, 2016 IEEE NetSoft Conference and Workshops (NetSoft).

[27]  Hao Li,et al.  FOCES: Detecting Forwarding Anomalies in Software Defined Networks , 2018, 2018 IEEE 38th International Conference on Distributed Computing Systems (ICDCS).

[28]  Kevin Benton,et al.  OpenFlow vulnerability assessment , 2013, HotSDN '13.