A Forensic Methodology for Software-Defined Network Switches

This chapter presents a forensic methodology for computing systems in a software-defined networking (SDN) environment consisting of an application plane, a control plane and a data plane. The methodology examines the SDN infrastructure from the perspective of a switch: memory images of a live switch, together with its southbound communications, are leveraged so that forensic investigators can identify and locate potential evidence for triage in real time. The methodology is evaluated on a real-world testbed exposed to network attacks. The experimental results demonstrate the effectiveness of the methodology for forensic investigations of SDN infrastructures.
