Field-based Security Testing of SDN Configuration Updates

Jahanzaib Malik, Fabrizio Pastore
2024-11-14
Abstract: Software-defined systems revolutionized the management of hardware devices but introduced quality assurance challenges that remain to be tackled. For example, software defined networks (SDNs) became a key technology for the prompt reconfigurations of network services in many sectors including telecommunications, data centers, financial services, cloud providers, and manufacturing industry. Unfortunately, reconfigurations may lead to mistakes that compromise the dependability of the provided services. In this paper, we focus on the reconfigurations of network services in the satellite communication sector, and target security requirements, which are often hard to verify; for example, although connectivity may function properly, confidentiality may be broken by packets forwarded to a wrong destination. We propose an approach for FIeld-based Security Testing of SDN Configurations Updates (FISTS). First, it probes the network before and after configuration updates. Then, using the collected data, it relies on unsupervised machine learning algorithms to prioritize the inspection of suspicious node responses, after identifying the network nodes that likely match across the two configurations. Our empirical evaluation has been conducted with network data from simulated and real SDN configuration updates for our industry partner, a world-leading satellite operator. Our results show that, when combined with K-Nearest Neighbour, FISTS leads to best results (up to 0.95 precision and 1.00 recall). Further, we demonstrated its scalability.
Software Engineering, Networking and Internet Architecture
What problem does this paper attempt to address?
This paper attempts to address the security vulnerabilities that may be introduced during software-defined network (SDN) configuration updates, especially in the field of satellite communication. Specifically, the authors are concerned with the damage to network service dependability that an SDN configuration update may cause; for example, packets may be forwarded to the wrong destination, breaking confidentiality. Such security issues are often difficult to detect because they do not manifest as obviously as functional failures.

### Core Issues of the Paper

1. **Security Challenges in SDN Configuration Updates**: With the wide application of SDN technology in multiple industries (such as telecommunications, data centers, financial services, cloud services, and manufacturing), frequent configuration updates bring new quality assurance challenges. These updates may lead to configuration errors, thus affecting the reliability of the services provided.
2. **Difficulties in Verifying Security Requirements**: Especially in the field of satellite communication, ensuring that configuration updates do not undermine security (such as confidentiality and integrity) is a complex and important task. Although connectivity may work normally, configuration errors may cause packets to be sent to the wrong destination, thus breaking confidentiality.

### Proposed Solutions

To address the above challenges, the authors propose the FIeld-based Security Testing of SDN Configurations Updates (FISTS) method. The main steps of FISTS are as follows:

1. **Network Scanning**: Scan the network before and after the configuration update, and collect the response data of hosts to determine the state changes of each host port.
2. **Host Matching and Comparison**: Automatically match the hosts identified in the two scans (even if the IP or MAC address changes) to determine the port state change of each host.
3. **Anomaly Detection and Prioritization**: Use unsupervised machine learning algorithms (such as Isolation Forest and Local Outlier Factor) to prioritize the responses of suspicious nodes and identify potential security vulnerabilities.
4. **Manual Inspection**: Engineers check the hosts according to the priority list until no new vulnerabilities are found.

### Main Contributions

- **FISTS**: A field-testing-based method that combines network scanning and anomaly detection to detect security issues in SDN configuration updates.
- **SKNN**: An anomaly prioritization method based on the K-Nearest Neighbor algorithm.
- **SHAC and SKM**: Anomaly prioritization methods based on Hierarchical Agglomerative Clustering (HAC) and K-means.
- **Empirical Evaluation**: The effectiveness and scalability of FISTS are verified through experiments on 220 synthetic and real datasets.

### Formula Representation

When describing algorithms and methods, the formulas involved in the paper are represented in Markdown format. For example:

- **K-Nearest Neighbor (KNN)**: \[ d(x, y)=\sqrt{\sum_{i = 1}^{n}(x_{i}-y_{i})^{2}} \]
- **Silhouette Coefficient**: \[ s(i)=\frac{b(i)-a(i)}{\max\{a(i), b(i)\}} \] where \(a(i)\) is the average distance from sample \(i\) to other points in its cluster, and \(b(i)\) is the average distance from sample \(i\) to all points in the nearest cluster.

Through these methods, FISTS can effectively detect security vulnerabilities introduced in SDN configuration updates, ensuring the security and reliability of network services.
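
The ranking idea behind steps 1 to 3 can be seen in a small added example, which is not code from the paper and does not reproduce its SKNN algorithm: each already-matched host becomes a vector of per-port state changes, and hosts are ordered by mean Euclidean distance \(d(x, y)\) to their k nearest neighbours. The scan data, the ordinal state encoding, and the function names are assumptions made for illustration.

```python
import math

PORTS = [22, 80, 443, 3306]
# Assumed ordinal encoding of scanner port states (not taken from the paper).
STATE = {"closed": 0, "filtered": 1, "open": 2}

# Constructed sample scans, keyed by host labels assumed to be already matched.
_base = {22: "open", 80: "open", 443: "open", 3306: "closed"}
BEFORE = {h: dict(_base) for h in ("h1", "h2", "h3", "h4", "h5", "h6")}
# Intended update: close port 80 everywhere.
AFTER = {h: {**_base, 80: "closed"} for h in ("h1", "h2", "h3", "h4")}
# h5: SSH vanished and a database port became reachable (unexpected).
AFTER["h5"] = {22: "closed", 80: "closed", 443: "open", 3306: "open"}
# h6: the update was not applied at all.
AFTER["h6"] = dict(_base)

def change_vector(before, after):
    """Per-port state delta (after minus before) for one host."""
    return [STATE[after.get(p, "closed")] - STATE[before.get(p, "closed")]
            for p in PORTS]

def euclidean(x, y):
    """d(x, y) as given in the KNN formula above."""
    return math.sqrt(sum((a - b) ** 2 for a, b in zip(x, y)))

def knn_scores(vectors, k=2):
    """Anomaly score = mean distance to the k nearest other hosts."""
    scores = {}
    for host, v in vectors.items():
        dists = sorted(euclidean(v, w)
                       for other, w in vectors.items() if other != host)
        scores[host] = sum(dists[:k]) / k
    return scores

def prioritize(before, after, k=2):
    """Return hosts ordered from most to least suspicious."""
    vectors = {h: change_vector(before[h], after[h])
               for h in before if h in after}
    scores = knn_scores(vectors, k)
    return sorted(scores, key=lambda h: (-scores[h], h))

if __name__ == "__main__":
    for host in prioritize(BEFORE, AFTER):
        print(host)
```

Hosts that changed the way most of the network did score zero and sink to the bottom of the list, so an engineer inspecting from the top reaches the two deviating hosts first.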