IJCNIS Vol. 16, No. 5, 8 Oct. 2024
Cover page and Table of Contents: PDF (size: 627KB)
PDF (627KB), PP.46-56
Views: 0 Downloads: 0
Compromised SDN Switch, Data Plane, Flow Reconstruction, CPU Overhead
In Software Defined Networking (SDN) the data plane is separated from the controller plane to achieve better functionality than the traditional networking. Although this approach poses a lot of security vulnerabilities due to its centralized approach. One significant issue is compromised SDN switches because the switches are dumb in SDN architecture and in absence of any intelligence it can be a easy target to the attackers. If one or more switches are attacked and compromised by the attackers, then the whole network might be down or defunct. Therefore, in this work we have devised a strategy to successfully detect the compromised SDN switches, isolate them and then reconstruct the whole network flow again by bypassing the compromised switches. In our proposed approach of detection, we have used two controllers, one as primary and another as secondary which is used to run and validate our algorithm in the detection process. Flow reconstruction is the next job of the secondary controller which after execution is conveyed to the primary controller. A two-controller strategy has been used to balance the additional load of detection and reconstruction activity from the master controller and thus achieved a balanced outcome in terms of running time and CPU utilization. All the propositions are validated by experimental analysis of the results and compared with existing state of the art to satisfy our claim.
Tinku Adhikari, Ajoy Kumar Khan, Malay Kule, Subhajit Das, "An Efficient Approach for Detection of Compromised SDN Switches and Restoration of Network Flow", International Journal of Computer Network and Information Security(IJCNIS), Vol.16, No.5, pp.46-56, 2024. DOI:10.5815/ijcnis.2024.05.05
[1]Zhou, Haifeng, Chunming Wu, Chengyu Yang, Pengfei Wang, Qi Yang, Zhouhao Lu, and Qiumei Cheng. "SDN-RDCD: A real-time and reliable method for detecting compromised SDN devices." IEEE/ACM transactions on networking 26, no. 5 (2018): 2048-2061.
[2]Badotra, Sumit, and Japinder Singh. "Open Daylight as a Controller for Software Defined Networking." International Journal of Advanced Research in Computer Science 8, no. 5 (2017).
[3]Berde, Pankaj, Matteo Gerola, Jonathan Hart, Yuta Higuchi, Masayoshi Kobayashi, Toshio Koide, Bob Lantz et al. "ONOS: towards an open, distributed SDN OS." In Proceedings of the third workshop on Hot topics in software defined networking, pp. 1-6. 2014.
[4]Gao, Shang, Zecheng Li, Bin Xiao, and Guiyi Wei. "Security threats in the data plane of software-defined networks." IEEE network 32, no. 4 (2018): 108-113.
[5]Dhawan, Mohan, Rishabh Poddar, Kshiteej Mahajan, and Vijay Mann. "Sphinx: detecting security attacks in software-defined networks." In Ndss, vol. 15, pp. 8-11. 2015.
[6]Shaghaghi, Arash, Mohamed Ali Kaafar, and Sanjay Jha. "Wedgetail: An intrusion prevention system for the data plane of software defined networks." In Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security, pp. 849-861. 2017.
[7]Anjum, Iffat, Mu Zhu, Isaac Polinsky, William Enck, Michael K. Reiter, and Munindar P. Singh. "Role-based deception in enterprise networks." In Proceedings of the Eleventh ACM Conference on Data and Application Security and Privacy, pp. 65-76. 2021.
[8]Haeberlen, Andreas, Petr Kouznetsov, and Peter Druschel. "PeerReview: Practical accountability for distributed systems." ACM SIGOPS operating systems review 41, no. 6 (2007): 175-188.
[9]Neti, Saran, Anil Somayaji, and Michael E. Locasto. "Software Diversity: Security, Entropy and Game Theory." In HotSec. 2012.
[10]Botelho, Fábio, Alysson Bessani, Fernando MV Ramos, and Paulo Ferreira. "On the design of practical fault-tolerant SDN controllers." In 2014 third European workshop on software defined networks, pp. 73-78. IEEE, 2014.
[11]Al-Shaer, Ehab, and Saeed Al-Haj. "FlowChecker: Configuration analysis and verification of federated OpenFlow infrastructures." In Proceedings of the 3rd ACM workshop on Assurable and usable security configuration, pp. 37-44. 2010.
[12]Son, Sooel, Seungwon Shin, Vinod Yegneswaran, Phillip Porras, and Guofei Gu. "Model checking invariant security properties in OpenFlow." In 2013 IEEE international conference on communications (ICC), pp. 1974-1979. IEEE, 2013.
[13]Khurshid, Ahmed, Wenxuan Zhou, Matthew Caesar, and P. Brighten Godfrey. "Veriflow: Verifying network-wide invariants in real time." In Proceedings of the first workshop on Hot topics in software defined networks, pp. 49-54. 2012.
[14]Kazemian, Peyman, Michael Chang, Hongyi Zeng, George Varghese, Nick McKeown, and Scott Whyte. "Real time network policy checking using header space analysis." In 10th USENIX Symposium on Networked Systems Design and Implementation (NSDI 13), pp. 99-111. 2013.
[15]Kazemian, Peyman, George Varghese, and Nick McKeown. "Header space analysis: Static checking for networks." In 9th USENIX Symposium on Networked Systems Design and Implementation (NSDI 12), pp. 113-126. 2012.
[16]Tapolcai, János, Pin-Han Ho, Péter Babarczi, Lajos Rónyai, János Tapolcai, Pin-Han Ho, Péter Babarczi, and Lajos Rónyai. "Failure restoration approaches." Internet Optical Infrastructure: Issues on Monitoring and Failure Restoration (2015): 15-31.
[17]Guo, Qi, Pin-Han Ho, Hsiang-Fu Yu, Janos Tapolcai, and Hussein T. Mouftah. "Spare capacity reprovisioning for high availability shared backup path protection connections." Computer communications 33, no. 5 (2010): 603-611.
[18]Shah-Heydari, Shahram, and Oliver Yang. "Performance study of multiple link failure restorability of shared protection trees." In 2007 Fourth International Conference on Broadband Communications, Networks and Systems (BROADNETS'07), pp. 594-600. IEEE, 2007.
[19]Sinha, Rakesh K., Funda Ergun, Kostas N. Oikonomou, and K. K. Ramakrishnan. "Network design for tolerating multiple link failures using Fast Re-route (FRR)." In 2014 10th International Conference on the Design of Reliable Communication Networks (DRCN), pp. 1-8. IEEE, 2014.
[20]Rotsos, Charalampos, Nadi Sarrar, Steve Uhlig, Rob Sherwood, and Andrew W. Moore. "OFLOPS: An open framework for OpenFlow switch evaluation." In Passive and Active Measurement: 13th International Conference, PAM 2012, Vienna, Austria, March 12-14th, 2012. Proceedings 13, pp. 85-95. Springer Berlin Heidelberg, 2012.
[21]Staessens, Dimitri, Sachin Sharma, Didier Colle, Mario Pickavet, and Piet Demeester. "Software defined networking: Meeting carrier grade requirements." In 2011 18th IEEE workshop on local & metropolitan area networks (LANMAN), pp. 1-6. IEEE, 2011.
[22]Jarschel, Michael, Simon Oechsner, Daniel Schlosser, Rastin Pries, Sebastian Goll, and Phuoc Tran-Gia. "Modeling and performance evaluation of an OpenFlow architecture." In 2011 23rd International Teletraffic Congress (ITC), pp. 1-7. IEEE, 2011.
[23]Astaneh, Saeed A., and Shahram Shah Heydari. "Optimization of SDN flow operations in multi-failure restoration scenarios." IEEE Transactions on Network and Service Management 13, no. 3 (2016): 421-432.