DOI: 10.1145/3052973.3053039
Research article

WedgeTail: An Intrusion Prevention System for the Data Plane of Software Defined Networks

Published: 02 April 2017

Abstract

Networks are vulnerable to disruptions caused by malicious forwarding devices. The situation is likely to worsen in Software Defined Networks (SDNs), because existing solutions are incompatible with them, because they use programmable soft switches, and because compromised forwarding devices can potentially bring down an entire network. In this paper, we present WedgeTail, an Intrusion Prevention System (IPS) designed to secure the SDN data plane. WedgeTail regards forwarding devices as points within a geometric space and stores the paths packets take when traversing the network as trajectories. To be efficient, it prioritizes forwarding devices for inspection using an unsupervised trajectory-based sampling mechanism. For each forwarding device, WedgeTail computes the expected and actual trajectories of packets and 'hunts' for any forwarding device that is not processing packets as expected. Compared to related work, WedgeTail is also capable of distinguishing between malicious actions such as packet drop and packet generation. Moreover, WedgeTail employs a radically different methodology that enables it to detect threats autonomously: it does not rely on rules pre-defined by an administrator and may be easily imported to protect SDN networks with different setups, forwarding devices, and controllers. We have evaluated WedgeTail in simulated environments, where it detected and responded to all implanted malicious forwarding devices within a reasonable time-frame. We report on the design, implementation, and evaluation of WedgeTail in this manuscript.
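As an added illustration of the expected-versus-actual trajectory comparison the abstract describes (example code written for this page, not the WedgeTail implementation): the controller's flow rules define the path each packet should take, the observed path is compared against it, and any deviation is attributed to the device at which the two paths part. The topology, rules, packet records and the three verdict names are constructed assumptions of this example.

```python
"""Expected-vs-actual packet trajectory comparison in the spirit of WedgeTail
(added example, not the paper's code). The expected path comes from the flow
rules the controller installed; a deviation is blamed on the device where the
observed path parts from it."""
from collections import Counter

# Constructed flow rules: switch -> {destination host -> next hop}; a next hop
# is another switch or the host itself (egress).
FLOW_RULES = {"s1": {"h2": "s2"}, "s2": {"h2": "s3"}, "s3": {"h2": "h2"}}

def expected_trajectory(ingress, dst, max_hops=32):
    """Walk the rules from the ingress switch until a host, a switch with no
    matching rule (an intended drop) or the loop guard stops us."""
    path, cur = [], ingress
    while cur in FLOW_RULES and len(path) < max_hops:
        path.append(cur)
        cur = FLOW_RULES[cur].get(dst)
    return path

def classify(expected, observed):
    """Return (verdict, suspect device) for one packet."""
    if not expected:        # no ingress rule produced it: a device injected it
        return "generation", observed[0] if observed else None
    if not observed:        # ingress device never reported it
        return "drop", expected[0]
    i = 0                   # length of the common prefix
    while i < min(len(expected), len(observed)) and expected[i] == observed[i]:
        i += 1
    if i == len(observed) == len(expected):
        return "ok", None
    if i == len(observed):  # observed path ends early: last device dropped it
        return "drop", observed[-1]
    # observed path diverges or runs past the egress: last common device misforwarded
    return "misforward", observed[i - 1] if i else observed[0]

def hunt(packets):
    """Tally verdicts per suspect device over a batch of packet records."""
    suspects = {}
    for p in packets:
        verdict, dev = classify(expected_trajectory(p["ingress"], p["dst"]), p["observed"])
        if verdict != "ok" and dev is not None:
            suspects.setdefault(dev, Counter())[verdict] += 1
    return suspects

# Constructed observations: one honest, one dropped at s2, one injected by s3.
SAMPLE = [
    {"ingress": "s1", "dst": "h2", "observed": ["s1", "s2", "s3"]},
    {"ingress": "s1", "dst": "h2", "observed": ["s1", "s2"]},
    {"ingress": None, "dst": "h2", "observed": ["s3"]},
]
```

A device that accumulates verdicts across many sampled packets is the one to inspect first; a single misforward may also be a stale rule, so the tally is a prioritisation signal, not proof.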


    Published In

    ASIA CCS '17: Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security
    April 2017, 952 pages
    ISBN: 9781450349444
    DOI: 10.1145/3052973
    Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

    Publisher

    Association for Computing Machinery, New York, NY, United States


    Author Tags

    1. SDN security
    2. data plane security
    3. intrusion prevention system
    4. software defined networks

    Qualifiers

    • Research-article

    Conference

    ASIA CCS '17

    Acceptance Rates

    ASIA CCS '17 Paper Acceptance Rate 67 of 359 submissions, 19%;
    Overall Acceptance Rate 418 of 2,322 submissions, 18%
