{"title":"软件定义网络中数据平面完整性破坏检测的新方法","authors":"Ghandi Hessam, Ghassan Saba, M. Alkhayat","doi":"10.3233/JCS-200094","DOIUrl":null,"url":null,"abstract":"The scale of Software Defined Networks (SDN) is expanding rapidly and the demands for security reinforcement are increasing. SDN creates new targets for potential security threats such as the SDN controller and networking devices in the data plane. Violation of data plane integrity might lead to abnormal behaviors of the overall network. In this paper, we propose a new security approach for OpenFlow-based SDN in order to detect violation of switches flow tables integrity and successfully locate the compromised switches online. We cover all aspects of integrity violation including flow rule adding, modifying and removing by an unauthorized entity. We achieve this by using the cookie field in the OpenFlow protocol to put in a suitable digest (hash) value for each flow entry. Moreover, we optimize our method performance by calculating a global digest value for the entire switch’s flow table that decides whether a switch is suspected of being compromised. Our method is also able to determine and handle false alarms that affect the coherence of a corresponding table digest. The implementation is a reactive java module integrated with the Floodlight controller. In addition, we introduce a performance evaluation for three different SDN topologies.","PeriodicalId":142580,"journal":{"name":"J. Comput. Secur.","volume":"29 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2021-04-20","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"3","resultStr":"{\"title\":\"A new approach for detecting violation of data plane integrity in Software Defined Networks\",\"authors\":\"Ghandi Hessam, Ghassan Saba, M. Alkhayat\",\"doi\":\"10.3233/JCS-200094\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"The scale of Software Defined Networks (SDN) is expanding rapidly and the demands for security reinforcement are increasing. SDN creates new targets for potential security threats such as the SDN controller and networking devices in the data plane. Violation of data plane integrity might lead to abnormal behaviors of the overall network. In this paper, we propose a new security approach for OpenFlow-based SDN in order to detect violation of switches flow tables integrity and successfully locate the compromised switches online. We cover all aspects of integrity violation including flow rule adding, modifying and removing by an unauthorized entity. We achieve this by using the cookie field in the OpenFlow protocol to put in a suitable digest (hash) value for each flow entry. Moreover, we optimize our method performance by calculating a global digest value for the entire switch’s flow table that decides whether a switch is suspected of being compromised. Our method is also able to determine and handle false alarms that affect the coherence of a corresponding table digest. The implementation is a reactive java module integrated with the Floodlight controller. In addition, we introduce a performance evaluation for three different SDN topologies.\",\"PeriodicalId\":142580,\"journal\":{\"name\":\"J. Comput. Secur.\",\"volume\":\"29 1\",\"pages\":\"0\"},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2021-04-20\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"3\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"J. Comput. Secur.\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.3233/JCS-200094\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"J. Comput. Secur.","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.3233/JCS-200094","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
A new approach for detecting violation of data plane integrity in Software Defined Networks
The scale of Software Defined Networks (SDN) is expanding rapidly and the demands for security reinforcement are increasing. SDN creates new targets for potential security threats such as the SDN controller and networking devices in the data plane. Violation of data plane integrity might lead to abnormal behaviors of the overall network. In this paper, we propose a new security approach for OpenFlow-based SDN in order to detect violation of switches flow tables integrity and successfully locate the compromised switches online. We cover all aspects of integrity violation including flow rule adding, modifying and removing by an unauthorized entity. We achieve this by using the cookie field in the OpenFlow protocol to put in a suitable digest (hash) value for each flow entry. Moreover, we optimize our method performance by calculating a global digest value for the entire switch’s flow table that decides whether a switch is suspected of being compromised. Our method is also able to determine and handle false alarms that affect the coherence of a corresponding table digest. The implementation is a reactive java module integrated with the Floodlight controller. In addition, we introduce a performance evaluation for three different SDN topologies.
京公网安备 11010802042870号
京ICP备2023020795号-1
分享
求助内容:
应助结果提醒方式:
扫码关注我们
