Shumian Yang,Lianhai Wang,Dawei Zhao,Xiaohui Han,Shuhui Zhang

DOI: https://doi.org/10.22323/1.300.0033

2018-01-01

Abstract:Software definition networking is a revolutionary network architecture, which realizes the separation of the control plane and data plane of a network. While providing the centralized controllability and the software programmability, the network itself is encountering many security problems. In order to solve the problem of security threats in SDN networks, there are different layers of unique security challenges and the relevant research on SDN security problems. This paper introduces the depth learning technology into the field of security threat detection in SDN, and propose a security threat detection framework based on depth learning.The framework is based on the research on model establishment, abnormal behavior recognition and decision algorithm design. The software system based on physical memory analysis is under development in SDN. The system verifies the feasibility of this framework, and to finally generate the work plan on SDN infrastructure.

Qiumei Cheng,Chunming Wu,Haifeng Zhou,Yuhang Zhang,Rui Wang,Wei Ruan

DOI: https://doi.org/10.1109/hpcc/smartcity/dss.2018.00149

2018-01-01

Abstract:Guarding the perimeter of cloud-based enterprise networks is a challenge due to massive traffic with dynamic nature. Current firewalls of enterprise networks in cloud are largely based on static security rule configuration or simple rule matching, which makes them inflexible, error-prone and poorly effective, bringing about severe security risks. In this paper, we propose an artificial intelligence-based software-defined networks firewall (AI-SDNF) for solving the above problems. Compared with existing SDN firewalls, AI-SDNF is able to extract and analyze the payload of data packets based on machine learning technologies rather than simply match with flow tables according to several header fields (e.g., source and destination IP/MAC addresses). Considering deciding whether a packet is benign or malicious is able to be formulated as a typical binary classification problem, we employ logistic regression for training an intelligent SDN firewall under supervised machine learning. We implement a prototype of AI-SDNF on the OpenDaylight controller and the OpenStack platform. Based on the prototype, we evaluate its performance and overheads with real dataset. The experimental results indicate that AI-SDNF achieves a relatively high detection accuracy of 96.79% with an average of 0.2ms latency.

Gao Wen,Zhou Boyang,Wu Chunming,Zhou Haifeng,Jiang Ming,Hong Xiaoyan

DOI: https://doi.org/10.1049/cje.2015.07.035

IF: 1.019

2015-01-01

Chinese Journal of Electronics

Abstract:In the Software-defined networking（SDN）,when multiple control domains are used in control services,the transient state problem can occur causing the service flow interruption when border switches are updated asynchronously. We analyze the uniqueness of this problem for SDN, and propose a light-weight protocol for safe reconfiguration of the border switches in order to improve the availability of the services running in SDN. Our solution is designed as a generic supervision layer added in the control plane to support different types of services. To demonstrate the benefits, we implement a prototype of Informationcentric networks（ICN） with the protocol, and conduct experiments using Planet Lab. The results show the ICN service can continuously serve high volume requests for contents despite the congestions built by the heavy background traffic. The performance gains in terms of the mean and standard deviation of the content retrieve delay are40.5% and 21.56%.

Apoorv Shukla,Said Jawad Saidi,Stefan Schmid,Marco Canini,Thomas Zinner,Anja Feldmann

DOI: https://doi.org/10.1109/TNSM.2019.2955790

2020-05-02

Abstract:The conventional wisdom is that a software-defined network (SDN) operates under the premise that the logically centralized control plane has an accurate representation of the actual data plane state. Unfortunately, bugs, misconfigurations, faults or attacks can introduce inconsistencies that undermine correct operation. Previous work in this area, however, lacks a holistic methodology to tackle this problem and thus, addresses only certain parts of the problem. Yet, the consistency of the overall system is only as good as its least consistent part. Motivated by an analogy of network consistency checking with program testing, we propose to add active probe-based network state fuzzing to our consistency check repertoire. Hereby, our system, PAZZ, combines production traffic with active probes to periodically test if the actual forwarding path and decision elements (on the data plane) correspond to the expected ones (on the control plane). Our insight is that active traffic covers the inconsistency cases beyond the ones identified by passive traffic. PAZZ prototype was built and evaluated on topologies of varying scale and complexity. Our results show that PAZZ requires minimal network resources to detect persistent data plane faults through fuzzing and localize them quickly while outperforming baseline approaches.

Networking and Internet Architecture

Raphaël Ollando,Seung Yeob Shin,Lionel C. Briand

2024-11-13

Abstract:Controllers for software-defined networks (SDNs) are centralised software components that enable advanced network functionalities, such as dynamic traffic engineering and network virtualisation. However, these functionalities increase the complexity of SDN controllers, making thorough testing crucial. SDN controllers are stateful, interacting with multiple network devices through sequences of control messages. Identifying stateful failures in an SDN controller is challenging due to the infinite possible sequences of control messages, which result in an unbounded number of stateful interactions between the controller and network devices. In this article, we propose SeqFuzzSDN, a learning-guided fuzzing method for testing stateful SDN controllers. SeqFuzzSDN aims to (1) efficiently explore the state space of the SDN controller under test, (2) generate effective and diverse tests (i.e., control message sequences) to uncover failures, and (3) infer accurate failure-inducing models that characterise the message sequences leading to failures. In addition, we compare SeqFuzzSDN with three extensions of state-of-the-art (SOTA) methods for fuzzing SDNs. Our findings show that, compared to the extended SOTA methods, SeqFuzzSDN (1) generates more diverse message sequences that lead to failures within the same time budget, and (2) produces more accurate failure-inducing models, significantly outperforming the other extended SOTA methods in terms of sensitivity.

Software Engineering

Raphaël Ollando,Seung Yeob Shin,Lionel C. Briand

DOI: https://doi.org/10.1145/3641541

IF: 3.685

2024-01-23

ACM Transactions on Software Engineering and Methodology

Abstract:Software-defined networks (SDN) enable flexible and effective communication systems that are managed by centralized software controllers. However, such a controller can undermine the underlying communication network of an SDN-based system and thus must be carefully tested. When an SDN-based system fails, in order to address such a failure, engineers need to precisely understand the conditions under which it occurs. In this article, we introduce a machine learning-guided fuzzing method, named FuzzSDN, aiming at both (1) generating effective test data leading to failures in SDN-based systems and (2) learning accurate failure-inducing models that characterize conditions under which such system fails. To our knowledge, no existing work simultaneously addresses these two objectives for SDNs. We evaluate FuzzSDN by applying it to systems controlled by two open-source SDN controllers. Further, we compare FuzzSDN with two state-of-the-art methods for fuzzing SDNs and two baselines for learning failure-inducing models. Our results show that (1) compared to the state-of-the-art methods, FuzzSDN generates at least 12 times more failures, within the same time budget, with a controller that is fairly robust to fuzzing and (2) our failure-inducing models have, on average, a precision of 98% and a recall of 86%, significantly outperforming the baselines.

computer science, software engineering

Abhishek Savaliya,Rutvij H Jhaveri,Qin Xin,Saad Alqithami,Sagar Ramani,Tariq Ahamed Ahanger

DOI: https://doi.org/10.3934/mbe.2021411

2021-09-22

Abstract:Industrial Cyber-Physical Systems (CPSs) require flexible and tolerant communication networks to overcome commonly occurring security problems and denial-of-service such as links failure and networks congestion that might be due to direct or indirect network attacks. In this work, we take advantage of Software-defined networking (SDN) as an important networking paradigm that provide real-time fault resilience since it is capable of global network visibility and programmability. We consider OpenFlow as an SDN protocol that enables interaction between the SDN controller and forwarding plane of network devices. We employ multiple machine learning algorithms to enhance the decision making in the SDN controller. Integrating machine learning with network resilience solutions can effectively address the challenge of predicting and classifying network traffic and thus, providing real-time network resilience and higher security level. The aim is to address network resilience by proposing an intelligent recommender system that recommends paths in real-time based on predicting link failures and network congestions. We use statistical data of the network such as link propagation delay, the number of packets/bytes received and transmitted by each OpenFlow switch on a specific port. Different state-of-art machine learning models has been implemented such as logistic regression, K-nearest neighbors, support vector machine, and decision tree to train these models in normal state, links failure and congestion conditions. The models are evaluated on the Mininet emulation testbed and provide accuracies ranging from around 91-99% on the test data. The machine learning model with the highest accuracy is utilized in the intelligent recommender system of the SDN controller which helps in selecting resilient paths to achieve a better security and quality-of-service in the network. This real-time recommender system helps the controller to take reactive measures to improve network resilience and security by avoiding faulty paths during path discovery and establishment.

Jiangyuan Yao,Zhiliang Wang,Xia Yin,Xingang Shi,Jianping Wu

DOI: https://doi.org/10.1109/ICNP.2014.37

2014-01-01

Abstract:Existing tools for Software-Defined Networking (SDN) data plane testing can be classified into two classes: white box and black-box. For the former, all or part of source codes should be accessed. But for testers outside the manufacturers, the accessing of source code is impossible or very difficult in most cases, especially for hardware devices. For the latter, test cases are manually developed, which cannot ensure the coverage. In this paper, we present a model based black-box systematic testing method for SDN data plane. We propose a new model, Pipelined Extended Finite State Machine (Pi-EFSM), to specify the multiple-level pipeline of SDN data plane. For the Pi-EFSM model, we present a 3-phase systematic test generation approach. By using a hierarchical test generation strategy, the proposed test generation method can alleviate state space explosion to some extent. Our test generation method can achieve the systematic coverage towards the elements of the model. We apply our method in the testing of Open Flow switches (specification version 1.3.0). We build a Pi-EFSM model for Open Flow switches and derive the executable test sequences. Some implementation faults and specification confusions are exposed when we test two switches, Open switch 2.1.0 and CPqD Open Flow 1.3 Software Switch.

S Pradeep,Yogesh Kumar Sharma,Umesh Kumar Lilhore,Sarita Simaiya,Abhishek Kumar,Sachin Ahuja,Martin Margala,Prasun Chakrabarti,Tulika Chakrabarti

DOI: https://doi.org/10.1038/s41598-023-44701-7

2023-10-13

Abstract:Software-defined networking (SDN) has significantly transformed the field of network management through the consolidation of control and provision of enhanced adaptability. However, this paradigm shift has concurrently presented novel security concerns. The preservation of service path integrity holds significant importance within SDN environments due to the potential for malevolent entities to exploit network flows, resulting in a range of security breaches. This research paper introduces a model called "EnsureS", which aims to enhance the security of SDN by proposing an efficient and secure service path validation approach. The proposed approach utilizes a Lightweight Service Path Validation using Batch Hashing and Tag Verification, focusing on improving service path validation's efficiency and security in SDN environments. The proposed EnsureS system utilizes two primary techniques in order to validate service pathways efficiently. Firstly, the method utilizes batch hashing in order to minimize computational overhead. The proposed EnsureS algorithm enhances performance by aggregating packets through batches rather than independently; the hashing process takes place on each one in the service pathway. Additionally, the implementation of tag verification enables network devices to efficiently verify the authenticity of packets by leveraging pre-established trust relationships. EnsureS provides a streamlined and effective approach for validating service paths in SDN environments by integrating these methodologies. In order to assess the efficacy of the Proposed EnsureS, a comprehensive series of investigations were conducted within a simulated SDN circumstance. The efficacy of Proposed EnsureS was then compared to that of established methods. The findings of our study indicate that the proposed EnsureS solution effectively minimizes computational overhead without compromising on the established security standards. The implementation successfully reduces the impact of different types of attacks, such as route alteration and packet spoofing, increasing SDN networks' general integrity.

Ameni Chetouane,Kamel Karoui

DOI: https://doi.org/10.1002/cpe.8332

2024-12-03

Concurrency and Computation Practice and Experience

Abstract:Software Defined Networking (SDN) is an open network approach that has been proposed to address some of the main problems with traditional networks. However, SDN faces cybersecurity issues. To provide a network defense against attacks, an Intrusion Detection System (IDS) needs to be updated and included into the SDN architecture on a regular basis. Machine learning methods have proved effective in detecting intrusions in SDN. Moreover, these techniques pose the problem of significant computational overload and the absence of regular updates when new cyber‐attacks appear. To address these issues, we propose a new SDN‐based cloud intrusion detection system called Continual Federated Learning (CFL). In CFL, we modify the classical federated learning process by granting a more important and dynamic role to each participating client. On the one hand, it can trigger this process whenever a new type of intrusion is detected. On the other hand, once the new model has been identified, the customer can decide whether or not to deploy it in his network. In addition, to verify the accuracy of the CFL system, we have formally specified it by a communication protocol. This specification organizes the exchanges between the different communicating entities involved in the CFL. To verify the accuracy of this specification, we described it using the PROMELA language and checked with the associated SPIN tool. On the experimental side, we deployed this specification of the CFL system in an SDN computing environment. We defined different scenarios, and we proposed that each client decides locally to deploy or not the newly obtained intrusion detection model. The decision is based on a modified metric where we integrate the severity of the intrusions. Experimental results using private local datasets show that the proposed CFL system can efficiently and accurately detect new types of intrusions while preserving client confidentiality. Thus, it can be considered a promising system for SDN‐based edge computing.

computer science, theory & methods, software engineering

Peng Zhang,Fangzheng Zhang,Shimin Xu,Zuoru Yang,Hao Li,Qi Li,Huanzhao Wang,Chao Shen,Chengchen Hu

DOI: https://doi.org/10.1109/tnet.2020.3033588

2020-01-01

IEEE/ACM Transactions on Networking

Abstract:A crucial requirement for Software Defined Network (SDN) is that data plane forwarding behaviors should always agree with control plane policies. Such requirement cannot be met when there are forwarding anomalies, where packets deviate from the paths specified by the controller. Most anomaly detection methods for SDN install dedicated rules to collect statistics of each flow, and check whether the statistics conform to the “flow conservation principle”. We find these methods have a limited detection scope: they look at one flow each time, thus can only check a small number of flows simultaneously. In addition, dedicated rules for statistics collection can impose a large overhead on flow tables of SDN switches. To this end, this paper presents FOCES, a network-wide forwarding anomaly detection and localization method in SDN. Different from previous methods, FOCES applies a new kind of flow conservation principle at network wide, and can check forwarding behaviors of all flows in the network simultaneously, without installing any dedicated rules. Finally, FOCES applies a voting-based method to localize malicious switches when anomalies are detected. Experiments with four network topologies show that FOCES can achieve a detection precision higher than 90%, when the packet loss rate is no larger than 10%, and a localization accuracy of around 80% when the packet loss rate is no larger than 5%.

Andrei Costin,Hannu Turtiainen,Syed Khandker,Timo Hämäläinen

DOI: https://doi.org/10.48550/arXiv.2302.08359

2023-02-16

Cryptography and Security

Abstract:Aviation, maritime, and aerospace traffic control, radar, communication, and software technologies received increasing attention in the research literature over the past decade, as software-defined radios have enabled practical wireless attacks on communication links previously thought to be unreachable by unskilled or low-budget attackers. Moreover, recently it became apparent that both offensive and defensive cybersecurity has become a strategically differentiating factor for such technologies on the war fields (e.g., Ukraine), affecting both civilian and military missions regardless of their involvement. However, attacks and countermeasures are usually studied in simulated settings, thus introducing the lack of realism or non-systematic and highly customized practical setups, thus introducing high costs, overheads, and less reproducibility. Our "Unified Cybersecurity Testing Lab" seeks to close this gap by building a laboratory that can provide a systematic, affordable, highly-flexible, and extensible setup. In this paper, we introduce and motivate our "Unified Cybersecurity Testing Lab for Satellite, Aerospace, Avionics, Maritime, Drone (SAAMD)" technologies and communications, as well as some peer-reviewed results and evaluation of the targeted threat vectors. We show via referenced peer-reviewed works that the current modules of the lab were successfully used to realistically attack and analyze air-traffic control, radar, communication, and software technologies such as ADS-B, AIS, ACARS, EFB, EPIRB and COSPAS-SARSAT. We are currently developing and integrating support for additional technologies (e.g., CCSDS, FLARM), and we plan future extensions on our own as well as in collaboration with research and industry. Our "Unified Cybersecurity Testing Lab" is open for use, experimentation, and collaboration with other researchers, contributors and interested parties.

Xuanbo Huang,Kaiping Xue,Yitao Xing,Dingwen Hu,Ruidong Li,Qibin Sun

DOI: https://doi.org/10.1109/mass50613.2020.00048

2020-01-01

Abstract:The whole Software-Defined Networking (SDN) system might be out of service when the control plane is overloaded by control plane saturation attacks. In this attack, a malicious host can manipulate massive table-miss packets to exhaust the control plane resources. Even though many studies have focused on this problem, systems still suffer from more influenced switches because of centralized mitigation policies, and long recovery delay because of the remaining attack flows. To solve these problems, we propose FSDM, a Fast recovery Saturation attack Detection and Mitigation framework. For detection, FSDM extracts the distribution of Control Channel Occupation Rate (CCOR) to detect the attack and locates the port that attackers come from. For mitigation, with the attacker’s location and distributed Mitigation Agents, FSDM adopts different policies to migrate or block attack flows, which influences fewer switches and protects the control plane from resource exhaustion. Besides, to reduce the system recovery delay, FSDM equips a novel functional module called Force_Checking, which enables the whole system to quickly clean up the remaining attack flows and recovery faster. Finally, we conducted extensive experiments, which show that, with the increasing of attack PPS (Packets Per Second), FSDM only suffers a minor recovery delay increase. Compared with traditional methods without cleaning up remaining flows, FSDM saves more than 81% of ping RTT under attack rate ranged from 1000 to 4000 PPS, and successfully reduced the delay of 87% of HTTP requests time under large attack rate ranged from 5000 to 30000 PPS.

Fan Yang,Shasha Zhang,Shuyu Song,Rongpeng Li,Zhifeng Zhao,Honggang Zhang

DOI: https://doi.org/10.1145/3321408.3321610

2019-01-01

Abstract:In this paper, we propose an IntelligentSDS testbed, which is based on a novel Software Defined Security (SDS) framework powered with Artificial Intelligence. In particular, IntelligentSDS aims to flexibly deploy multiple security agents to white-box devices, so as to automatically learn ongoing threats and proactively protect the network. In particular, we discuss the design and realization of OpenStack-based intelligentSDS cloud, software-defined firewall, intelligent autodetection and defense system, and honeynet.

Ao Li,Rohan Padhye,Vyas Sekar

DOI: https://doi.org/10.48550/arXiv.2209.04026

2022-09-09

Abstract:Performance issues in software-defined network (SDN) controllers can have serious impacts on the performance and availability of networks. We specifically consider stateful performance issues, where a sequence of initial input messages drives an SDN controller into a state such that its performance degrades pathologically when processing subsequent messages. We identify key challenges in applying canonical program analysis techniques: large input space of messages (e.g., stateful OpenFlow protocol), complex code base and software architecture (e.g., OSGi framework with dynamic launch), and the semantic dependencies between the internal state and external inputs. We design SPIDER, a practical fuzzing workflow that tackles these challenges and automatically uncovers such issues in SDN controllers. SPIDER's design entails a careful synthesis and extension of semantic fuzzing, performance fuzzing, and static analysis, taken together with domain-specific insights to tackle these challenges. We show that our design workflow is robust across two controllers -- ONOS and OpenDaylight -- with very different internal implementations. Using SPIDER, we were able to identify and confirm multiple stateful performance issues.

Cryptography and Security

Wenwen Fu,Tao Li,Zhigang Sun

DOI: https://doi.org/10.1155/2018/5650205

IF: 1.968

2018-01-01

Security and Communication Networks

Abstract:Software-Defined Networking (SDN) promises the vision of more flexible and manageable networks but requires certain level of programmability in the data plane to accommodate different forwarding abstractions. SDN software switches running on commodity multicore platforms are programmable and are with low deployment cost. However, the performance of SDN software switches is not satisfactory due to the complex forwarding operations on packets. Moreover, this may hinder the performance of real-time security on software switch. In this paper, we analyze the forwarding procedure and identify the performance bottleneck of SDN software switches. An FPGA-based mechanism for accelerating and securing SDN switches, named FAS (FPGA-Accelerated SDN software switch), is proposed to take advantage of the reconfigurability and high-performance advantages of FPGA. FAS improves the performance as well as the capacity against malicious traffic attacks of SDN software switches by offloading some functional modules. We validate FAS on an FPGA-based network processing platform. Experiment results demonstrate that the forwarding rate of FAS can be 44% higher than the original SDN software switch. In addition, FAS provides new opportunity to enhance the security of SDN software switches by allowing the deployment of bump-in-the-wire security modules (such as packet detectors and filters) in FPGA.

computer science, information systems,telecommunications

Qi Li,Yanyu Chen,Patrick P. C. Lee,Mingwei Xu,Kui Ren

DOI: https://doi.org/10.1109/tnet.2018.2853593

2018-01-01

IEEE/ACM Transactions on Networking

Abstract:Software-defined networking (SDN) utilizes a centralized controller to distribute packet processing rules to network switches. However, rules are often generated by the applications developed by different organizations, so they may conflict with each other in data plane and lead to violations with security rules. The problem is similar to firewall conflicts in IP networks. Rule conflict resolution should incur negligible process delay, such that all rules can he correctly and safely enforced in the data plane in real time. However, since SDN allows users to use more than 35 fields to specify rules (including field transition rules), it is much more complicated to prevent enforcement of SDN rules from violating with security rules than to resolve firewall rule violation, and in particular, field transition rules are enforced. Therefore, it is extremely difficult to resolve such rule conflicts in real time before the rules are installed in SDN data plane. In this paper, we investigate the rule conflict problem in SDN and identify new covert channel attacks due to rule conflicts. To the end, we propose the covert channel defender (CCD) that prevents covert channel attacks by verifying and resolving rule conflicts. Specifically, CCD tracks all rule insertion and modification messages from applications running on the controller. It analyzes the correlation among rules based on multiple packet header fields and resolves any identified rule conflict in real time before rule installation. We implement CCD with the Floodlight controller and evaluate its performance with the real-world Stanford topology. We show that CCD can efficiently detect and prevent rule conflicts in the data plane that may raise covert channels within hundreds of microseconds and brings small overhead to the packet delivery.

Safi Ibrahim,Aya M. Youssef,Mahmoud Shoman,Sanaa Taha

DOI: https://doi.org/10.1016/j.eij.2024.100564

IF: 4.195

2024-10-31

Egyptian Informatics Journal

Abstract:Software-defined networking (SDN) is a revolutionary technology that has revolutionised network management by providing flexibility and adaptability. As the popularity of SDN increases, it is crucial to address security vulnerabilities in these dynamic networks. This paper proposes a framework for enhancing security in SDN by utilising three separate Deep Learning models, namely Deep Neural Network (DNN), Convolutional Neural Network (CNN), and Long Short-Term Memory (LSTM). This framework is utilised for the InSDN dataset, a huge dataset specifically created for SDN security research. The dataset consists of a total of 343,939 instances, encompassing both normal and attack traffic. The regular data yields a sum of 68,424, whereas the attack traffic comprises 275,515 occurrences. This study employs multiclassification algorithms to precisely detect and categorise diverse security threats in SDN. The InSDN dataset faces issues related to class imbalance, which are addressed by using the Synthetic Minority Over-sampling Technique (SMOTE). The SMOTE technique is utilised to create artificial instances of the underrepresented class, hence achieving a more equitable distribution of security hazards within the dataset. This strategy improves the efficacy of multiclassification techniques, ultimately resulting in greater accuracy in the identification and classification of different security threats in SDN environments. The initial DNN model exhibited satisfactory performance, with an accuracy of 87%. The second CNN model demonstrated strong and consistent performance, with an accuracy rate of 99%. In addition, an LSTM model attained a 90% accuracy rate.

computer science, information systems, artificial intelligence

Wenmao LIU,Xiaofeng QIU,Pengcheng CHEN,Xutao WEN,Xinxin HE,Dongsheng WANG,Jun LI

DOI: https://doi.org/10.3778/j.issn.1673-9418.1407061

2015-01-01

Abstract:Current OpenFlow specifications provide limited access to packet details, making it inefficient to deploy security applications. Moreover, current security solutions become less flexible as software defined-networking (SDN) develops. This paper proposes a distributed software-defined security architecture (SDSA), which offloads heavy security processing from SDN controller to a dedicated security controller and security APPs, providing both flow and packet level protections against various attacks in the SDN and virtual environment. This paper gives the global view and knowledge of flows, IaaS assets and devices, which can make accurate decisions and ensures devices to execute security rules instantly. The architecture simplifies security device logic greatly by separating security data and control planes, the detection and protection are automated with standardized control messages, making the secu-rity reaction fast. The experiments demonstrate that SDSA can detect DoS attack, port scan and abnormal high traffic with low cost and little overhead.

Jinwoo Kim,Minjae Seo,Eduard Marin,Seungsoo Lee,Jaehyun Nam,Seungwon Shin

DOI: https://doi.org/10.1109/tifs.2024.3402967

IF: 7.231

2024-06-26

IEEE Transactions on Information Forensics and Security

Abstract:Distributed SDN (Software-Defined Networking) controllers have rapidly become an integral element of Wide Area Networks (WAN), particularly within SD-WAN, providing scalability and fault-tolerance for expansive network infrastructures. However, the architecture of these controllers introduces new potential attack surfaces that have thus far received inadequate attention. In response to these concerns, we introduce Ambusher, a testing tool designed to discover vulnerabilities within protocols used in distributed SDN controllers. Ambusher achieves this by leveraging protocol state fuzzing, which systematically finds attack scenarios based on an inferred state machine. Since learning states from a cluster is complicated, Ambusher proposes a novel methodology that extracts a single and relatively simple state machine, achieving efficient state-based fuzzing. Our evaluation of Ambusher, conducted on a real SD-WAN deployment spanning two campus networks and one enterprise network, illustrates its ability to uncover 6 potential vulnerabilities in the widely used distributed controller platform.

computer science, theory & methods,engineering, electrical & electronic