U-TRI: Unlinkability Through Random Identifier for SDN Network

Traffic analysis within switches threatens the security of large enterprise networks built with SDN. By exploiting just one vulnerability in a switch, an adversary can monitor all traffic traversing it and obtain linkage information for further attacks, while administrators have to patch every switch as soon as possible in the hope of eliminating the vulnerability in time. Moving Target Defense (MTD) is a novel theory for regaining the upper hand in network defense by dynamically changing the attack surfaces of the network. In this paper, we propose U-TRI (Unlinkability Through Random Identifier), a moving target technique that changes the identifier, one of the most vital attack surfaces of traffic privacy, within packet data units. U-TRI employs an independent, hierarchically structured, periodically and randomly changing identifier to replace the original static data link layer addresses. It also hides all other identifiers in the network and transport layers by obfuscating them. This combination of hierarchical random addresses and obfuscated identities enables U-TRI to provide unlinkable communications among hosts. Experimental results indicate that U-TRI is capable of defending against traffic analysis with very little burden on network performance.
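The following Python model is an added illustration of the idea in the abstract, not code from the paper and not its actual identifier format. It assumes a 48-bit link-layer identifier split into a 16-bit per-switch prefix and a 32-bit per-host suffix, both derived per epoch with HMAC-SHA256 under a secret held by the controller (the split, the PRF, the epoch counter and the `Controller` class are all assumptions of this example). It shows the two properties the abstract relies on: a switch-level observer sees a different source identifier for the same host in every epoch, so frames cannot be linked across epochs, while hosts behind one switch still share a prefix in a given epoch, so forwarding stays hierarchical and the controller can resolve any identifier back to its host.

```python
import hashlib
import hmac

# Constructed model of a hierarchical, per-epoch random link-layer identifier.
# The layout is an assumption made for this example, not the paper's format:
#   48-bit identifier = 16-bit switch prefix || 32-bit host suffix
# Both halves are derived per epoch with HMAC-SHA256 under a secret held by the
# controller, so a switch-level observer sees a fresh identifier every epoch
# while the controller can still map any identifier back to its host.

PREFIX_BYTES = 2
SUFFIX_BYTES = 4
SUFFIX_BITS = SUFFIX_BYTES * 8


def _prf(key: bytes, label: bytes, fields: tuple, nbytes: int) -> int:
    """Keyed PRF: HMAC-SHA256 over a labelled, fixed-width encoding of the fields."""
    msg = label + b"".join(f.to_bytes(8, "big") for f in fields)
    return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest()[:nbytes], "big")


def switch_prefix(key: bytes, switch_id: int, epoch: int) -> int:
    """Per-epoch 16-bit prefix shared by every host attached to switch_id.
    The top octet gets the I/G bit cleared (unicast) and the U/L bit set
    (locally administered) so the result is a valid unicast MAC address."""
    p = _prf(key, b"prefix", (switch_id, epoch), PREFIX_BYTES)
    top = ((p >> 8) & 0xFC) | 0x02
    return (top << 8) | (p & 0xFF)


def host_suffix(key: bytes, host_id: int, epoch: int) -> int:
    """Per-epoch 32-bit suffix identifying the host under its switch."""
    return _prf(key, b"suffix", (host_id, epoch), SUFFIX_BYTES)


def random_identifier(key: bytes, switch_id: int, host_id: int, epoch: int) -> str:
    """The link-layer identifier host_id uses in the given epoch, in MAC notation."""
    value = (switch_prefix(key, switch_id, epoch) << SUFFIX_BITS) | host_suffix(key, host_id, epoch)
    return ":".join(f"{(value >> shift) & 0xFF:02x}" for shift in range(40, -1, -8))


class Controller:
    """Holds the secret and the topology; hands out identifiers and resolves them."""

    def __init__(self, key: bytes, topology: dict):
        self.key = key
        self.topology = topology  # {switch_id: [host_id, ...]}
        self.switch_of = {h: s for s, hosts in topology.items() for h in hosts}

    def identifier(self, host_id: int, epoch: int) -> str:
        return random_identifier(self.key, self.switch_of[host_id], host_id, epoch)

    def prefix_table(self, epoch: int) -> dict:
        """What a switch needs for forwarding in this epoch: prefix -> switch_id."""
        return {switch_prefix(self.key, s, epoch): s for s in self.topology}

    def resolve(self, identifier: str, epoch: int):
        """Map an observed identifier back to (switch_id, host_id), or None."""
        for host_id, switch_id in self.switch_of.items():
            if random_identifier(self.key, switch_id, host_id, epoch) == identifier:
                return (switch_id, host_id)
        return None


def distinct_sources(frames) -> int:
    """Count distinct source identifiers in (epoch, src) observations of one host.
    A static address yields 1 (fully linkable); rotating ones yield one per epoch."""
    return len({src for _, src in frames})


if __name__ == "__main__":
    key = b"constructed-controller-secret"  # constructed sample secret
    ctrl = Controller(key, {7: [1, 2], 9: [3]})  # constructed sample topology
    for epoch in range(3):
        print(epoch, ctrl.identifier(1, epoch), ctrl.identifier(2, epoch), ctrl.identifier(3, epoch))
```

Running the block prints three epochs of identifiers for three hosts: the two hosts behind switch 7 share their first two octets within an epoch, and every host's identifier changes between epochs. The obfuscation of network- and transport-layer identifiers that the abstract also describes is not modelled here; only the data link layer rotation is.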
