Yanfei Fan,Yixin Jiang,Haojin Zhu,Jiming Chen,Xuemin (Sherman) Shen

DOI: https://doi.org/10.1109/twc.2011.122010.100087

IF: 10.4

2010-01-01

IEEE Transactions on Wireless Communications

Abstract:Privacy threat is one of the critical issues in multi-hop wireless networks, where attacks such as traffic analysis and flow tracing can be easily launched by a malicious adversary due to the open wireless medium. Network coding has the potential to thwart these attacks since the coding/mixing operation is encouraged at intermediate nodes. However, the simple deployment of network coding cannot achieve the goal once enough packets are collected by the adversaries. On the other hand, the coding/mixing nature precludes the feasibility of employing the existing privacy-preserving techniques, such as Onion Routing. In this paper, we propose a novel network coding based privacy-preserving scheme against traffic analysis in multi-hop wireless networks. With homomorphic encryption on Global Encoding Vectors (GEVs), the proposed scheme offers two significant privacy-preserving features, packet flow untraceability and message content confidentiality, for efficiently thwarting the traffic analysis attacks. Moreover, the proposed scheme keeps the random coding feature, and each sink can recover the source packets by inverting the GEVs with a very high probability. Theoretical analysis and simulative evaluation demonstrate the validity and efficiency of the proposed scheme.

Isaac Oliveira,Emídio Neto,Roger Immich,Ramon Fontes,Augusto Nelo,Fabrício Rodriguez,Christian Esteve Rothenberg,Emidio Neto,Augusto Neto,Fabricio Rodriguez

DOI: https://doi.org/10.1109/nfv-sdn53031.2021.9665012

2021-11-09

Abstract:Software-Defined Networking (SDN) fostered unprecedented advances over legacy networks by employing a central-logic control plane to coordinate data-plane nodes in a net-programmable manner. From the security view, control applications that run atop the SDN controller are in charge of establishing secure data-plane connections between pairs of data-plane forwarding nodes. The Diffie–Hellman (DH) is a widely used solution for cryptographic key exchange between endpoints. However, traditional DH implementations impose high computational costs and key management hazards, leading to issues in the SDN central-logic control plane. This paper introduces the dh-aes-p4, which tackles the penalties of legacy SDN security solutions by turning the data plane into fully programmable P4 nodes. The proposed solution allows P4-enabled data plane nodes to establish secure channels between each other. In doing that, it is possible to harness in-band DH key exchange with AES encryption, enclosing on-site features to generate keys dynamically and enforcing them autonomously and high-agile without SDN controller central-logic intervention. A prototype was designed to validate the feasibility and estimate performance impacts of dh-aes-p4 concerning regular SDN central logic.

Ya Gao,Zhenling Wang

DOI: https://doi.org/10.1155/2021/1257046

2021-11-23

Mobile Information Systems

Abstract:Network attacks show a trend of increased attack intensity, enhanced diversity, and more concealed attack methods, which put forward higher requirements for the performance of network security equipment. Unlike the SDN (software defined network) switch with a fixed-function data plane, switches with programmable data planes can help users realize more network protocols. Programming Protocol-independent Packet Processors (P4) is proposed to define the operations of the data plane and to implement user’s applications, e.g., data center networks, security, or 5G. This paper provides a review of research papers on solving network security problems with P4-based programmable data plane. The work can be organized into two parts. In the first part, the programming language P4, P4 program, architectures, P4 compilers, P4 Runtime, and P4 target are introduced according to the workflow model. The advantages of P4-based programmable switching in solving network security are analyzed. In the second part, the existing network security research papers are divided into four parts according to the perspectives of passive defense, active defense, and combination of multiple technologies. The schemes in each category are compared, and the core ideas and limitations are clarified. In addition, a detailed comparison is made for the research on the performance of P4 targets. Finally, trends and challenges related to the P4-based programmable data plane are discussed.

computer science, information systems,telecommunications

Rajasekhar Chaganti,Deepti Gupta,Naga Vemprala

DOI: https://doi.org/10.4018/ijsst.2021070103

2021-07-01

International Journal of Smart Security Technologies

Abstract:The cyber-physical system (CPS) has made tremendous progress in recent years and also disrupting technical fields ranging from health, transportation, industries, and more. However, CPS security is still one of the concerns for wide adoption owing to the high number of devices connecting to the internet and the traditional security solutions may not be suitable to protect the advanced, application-specific attacks. This paper presents a programmable device network layer architecture to combat attacks and efficient network monitoring in heterogeneous environment CPS applications. The authors leverage industrial control systems (ICS) to discuss the existing issues, highlighting the importance of advanced network layers for CPS. The programmable data plane language (P4) is introduced to detect well known HELLO flood attacks with minimal effort in the network level and show that programmable switches are suitable to implement security solutions in CPS applications.

English Else

Nicholas Gray,Katharina Dietz,Michael Seufert,Tobias Hossfeld

DOI: https://doi.org/10.1109/hpsr52026.2021.9481849

2021-06-07

Abstract:Today’s communication networks process an increasing amount of traffic, while simultaneously providing services to a larger and more diverse quantity of devices. This enhances the complexity of the network and imposes a larger attack space, impacting network management and security efforts. Deployed hardware middle-boxes, like firewalls and Intrusion Detection Systems (IDSs) often lack the flexibility to adapt to this dynamic environment, which Network Function Virtualization (NFV) addresses by implementing these services in software. Yet, this may impose a bottleneck, due to the absence of hardware acceleration. To mitigate this drawback, the functionality can be offloaded to programmable hardware, using P4. In this work we implement an IDS, capable of operating in core and backbone networks up to 100Gbps. This is achieved by using the hardware acceleration of P4-enabled Intel© Tofino™ switches for high performance metadata extraction, in order to train an ML-based detection engine. The system is evaluated regarding its throughput and obtainable aggregation levels as well as its accuracy for detecting a variety of network attacks.

Yubing Li,Wei Yang,Zhou,Qingyun Liu,Zhao Li,Shu Li

DOI: https://doi.org/10.1109/icc45855.2022.9839137

2022-01-01

Abstract:Internet Protocol Version 6 (IPv6) is expected for widespread deployment worldwide. Such rapid development of IPv6 may lead to safety problems. The main threats in IPv6 networks are denial of service (DoS) attacks and distributed DoS (DDoS) attacks. In addition to the similar threats in Internet Protocol Version 4 (IPv4), IPv6 has introduced new potential vulnerabilities, which are DoS and DDoS attacks based on Internet Control Message Protocol version 6 (ICMPv6). We divide such new attacks into two categories: pure flooding attacks and source address spoofing attacks. We propose P4-NSAF, a scheme to defend against the above two IPv6 DoS and DDoS attacks in the programmable data plane. P4-NSAF uses Count-Min Sketch to defend against flooding attacks and records information about IPv6 agents into match tables to prevent source address spoofing attacks. We implement a prototype of P4-NSAF with P4 and evaluate it in the programmable data plane. The result suggests that P4-NSAF can effectively protect IPv6 networks from DoS and DDoS attacks based on ICMPv6.

Osama Bajaber,Bo Ji,Peng Gao

DOI: https://doi.org/10.1109/SP54263.2024.00147

2024-05-24

Abstract:Modern targeted attacks such as Advanced Persistent Threats use multiple hosts as stepping stones and move laterally across them to gain deeper access to the network. However, existing defenses lack end-to-end information flow visibility across hosts and cannot block cross-host attack traffic in real time. In this paper, we propose P4Control, a network defense system that precisely confines end-to-end information flows in a network and prevents cross-host attacks at line rate. P4Control introduces a novel in-network decentralized information flow control (DIFC) mechanism and is the first work that enforces DIFC at the network level at network line rate. This is achieved through: (1) an in-network primitive based on programmable switches for tracking inter-host information flows and enforcing line-rate DIFC policies; (2) a lightweight eBPF-based primitive deployed on hosts for tracking intra-host information flows. P4Control also provides an expressive policy framework for specifying DIFC policies against different attack scenarios. We conduct extensive evaluations to show that P4Control can effectively prevent cross-host attacks in real time, while maintaining line-rate network performance and imposing minimal overhead on the network and host machines. It is also noteworthy that P4Control can facilitate the realization of a zero trust architecture through its fine-grained least-privilege network access control.

Cryptography and Security,Networking and Internet Architecture

Zhuangkun Wei,Liang Wang,Schyler Chengyao Sun,Bin Li,Weisi Guo

DOI: https://doi.org/10.3390/s22103951

IF: 3.9

2022-05-24

Sensors

Abstract:The proliferation of low-cost Internet of Things (IoT) devices has led to a race between wireless security and channel attacks. Traditional cryptography requires high computational power and is not suitable for low-power IoT scenarios. Whilst recently developed physical layer security (PLS) can exploit common wireless channel state information (CSI), its sensitivity to channel estimation makes them vulnerable to attacks. In this work, we exploit an alternative common physics shared between IoT transceivers: the monitored channel-irrelevant physical networked dynamics (e.g., water/oil/gas/electrical signal-flows). Leveraging this, we propose, for the first time, graph layer security (GLS), by exploiting the dependency in physical dynamics among network nodes for information encryption and decryption. A graph Fourier transform (GFT) operator is used to characterise such dependency into a graph-bandlimited subspace, which allows the generation of channel-irrelevant cipher keys by maximising the secrecy rate. We evaluate our GLS against designed active and passive attackers, using IEEE 39-Bus system. Results demonstrate that GLS is not reliant on wireless CSI, and can combat attackers that have partial networked dynamic knowledge (realistic access to full dynamic and critical nodes remains challenging). We believe this novel GLS has widespread applicability in secure health monitoring and for digital twins in adversarial radio environments.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Shan Jing,Chuan Zhao,Wenxiu Zhang

DOI: https://doi.org/10.1109/HPCC-DSS-SmartCity-DependSys60770.2023.00055

2023-12-17

Abstract:As Software Defined Networking (SDN) becomes increasingly prevalent, the risk of Distributed Denial of Service (DDoS) attacks targeting SDN also grows. Specifically, the SDN data plane, consisting of simple forwarding devices, is more susceptible to DDoS attacks launched by malicious actors. These attacks can impose tremendous load on the SDN, potentially leading to its complete collapse in severe cases. The traditional SDN architecture based on the OpenFlow Protocol falls short in meeting the requirements for programming the data plane. To address this challenge and improve the flexibility of SDN architectures, the Programming Protocol-Independent Packet Processors (P4) has emerged. However, existing solutions, primarily based on Statistical Learning, Machine Learning, and Deep Learning, require further enhancement in terms of accuracy, complexity, and latency. In this study, we utilize the P4 language to implement a programmable data plane and propose the P4-CACNN model for detecting and defending against DDoS attacks on the data plane. Firstly, we employ an appropriate attention mechanism to enhance the processing of incoming traffic. Subsequently, the data is fed into a discriminator consisting of a Convolutional Neural Network (CNN) to classify whether it constitutes attack traffic. Experimental results demonstrate that our proposed model achieves a remarkable 98.99% accuracy in detecting DDoS attacks on the SDN data plane, while maintaining low latency.

Computer Science,Engineering

Mengqi Zhan,Yang Li,Guangxi Yu,Yan Zhang,Bo Li,Weiping Wang

DOI: https://doi.org/10.1109/tifs.2023.3266629

IF: 7.231

2023-04-28

IEEE Transactions on Information Forensics and Security

Abstract:The deepening of digital transformation has led to an increasing amount of data from industries being transmitted over the Internet. However, packets in plaintext originally designed for transmission in private networks suffer from significant security threats on the Internet. Unfortunately, existing encryption schemes, such as the representative TLS, are difficult to be applied to these industrial protocols due to their specific requirements and conditions such as low latency requirements and restricted operating environments. In this paper, we present a high-performance encryption/decryption middlebox called GuardBox to provide confidentiality and integrity for packets. GuardBox is expected to transparently encrypt/decrypt packets sent/received by protected industrial equipment with low latency and supports almost any application-layer protocol. To do that, we design a high-performance packet I/O framework and an optimized encryption/decryption scheme for GuardBox. More importantly, we use commodity trusted hardware, Intel SGX, to ensure the security of keys and the encryption/decryption process. Our extensive evaluation demonstrates that GuardBox can provide confidentiality and integrity for packets transmitted over the Internet with low latency and a near-native throughput.

computer science, theory & methods,engineering, electrical & electronic

Adrián Pérez-Resa,Miguel García-Bosque,Carlos Sánchez-Azqueta,Santiago Celma

DOI: https://doi.org/10.1109/TIE.2018.2847670

2024-01-27

Abstract:Industrial Ethernet is a technology widely spread in factory floors and critical infrastructures where a high amount of data need to be collected and transported. Fiber optic networks at gigabit rates fit well with that type of environments where speed, system performance and reliability are critical. In this work a new encryption method for high speed optical communications suitable for such kind of networks is proposed. This new encryption method consists of a symmetric streaming encryption of the 8b/10b data flow at PCS (Physical Coding Sublayer) level. It is carried out thanks to an FPE (Format Preserving Encryption) blockcipher working in CTR (Counter) mode. The overall system has been simulated and implemented in an FPGA (Field Programmable Gate Array). Thanks to experimental results it can be concluded that it is possible to cipher traffic at this physical level in a secure way. In addition, no overhead is introduced during encryption, getting minimum latency and maximum throughput.

Cryptography and Security,Signal Processing,Systems and Control

Aamir Shahzad,Malrey Lee,Neal Naixue Xiong,Gisung Jeong,Young-Keun Lee,Jae-Young Choi,Abdul Wheed Mahesar,Iftikhar Ahmad

DOI: https://doi.org/10.3390/s16030322

2016-03-03

Abstract:In Industrial systems, Supervisory control and data acquisition (SCADA) system, the pseudo-transport layer of the distributed network protocol (DNP3) performs the functions of the transport layer and network layer of the open systems interconnection (OSI) model. This study used a simulation design of water pumping system, in-which the network nodes are directly and wirelessly connected with sensors, and are monitored by the main controller, as part of the wireless SCADA system. This study also intends to focus on the security issues inherent in the pseudo-transport layer of the DNP3 protocol. During disassembly and reassembling processes, the pseudo-transport layer keeps track of the bytes sequence. However, no mechanism is available that can verify the message or maintain the integrity of the bytes in the bytes received/transmitted from/to the data link layer or in the send/respond from the main controller/sensors. To properly and sequentially keep track of the bytes, a mechanism is required that can perform verification while bytes are received/transmitted from/to the lower layer of the DNP3 protocol or the send/respond to/from field sensors. For security and byte verification purposes, a mechanism needs to be proposed for the pseudo-transport layer, by employing cryptography algorithm. A dynamic choice security buffer (SB) is designed and employed during the security development. To achieve the desired goals of the proposed study, a pseudo-transport layer stack model is designed using the DNP3 protocol open library and the security is deployed and tested, without changing the original design.

Wenji He,Haipeng Yao,Huan Chang,Yunjie Liu

DOI: https://doi.org/10.26599/tst.2024.9010020

2024-09-14

Tsinghua Science & Technology

Abstract:With various service types including massive machine-type communication (mMTC) and ultra-reliable low-latency communication (URLLC), fifth generation (5G) networks require advanced resources management strategies. As a method to segment network resources logically, network slicing (NS) addresses the challenges of heterogeneity and scalability prevalent in these networks. Traditional software-defined networking (SDN) technologies, lack the flexibility needed for precise control over network resources and fine-grained packet management. This has led to significant developments in programmable switches, with programming protocol-independent packet processors (P4) emerging as a transformative programming language. P4 endows network devices with flexibility and programmability, overcoming traditional SDN limitations and enabling more dynamic, precise network slicing implementations. In our work, we leverage the capabilities of P4 to forge a groundbreaking closed-loop architecture that synergizes the programmable data plane with an intelligent control plane. We set up a token bucket-based bandwidth management and traffic isolation mechanism in the data plane, and use the generative diffusion model to generate the key configuration of the strategy in the control plane. Through comprehensive experimentation, we validate the effectiveness of our architecture, underscoring its potential as a significant advancement in 5G network traffic management.

computer science, information systems,engineering, electrical & electronic, software engineering

Jun Li,Shunyi Zhang,Yanqing Lu,Junrong Yan

DOI: https://doi.org/10.1007/s11767-007-0110-4

2009-01-01

Abstract:Accurate and real-time classification of network traffic is significant to network operation and management such as QoS differentiation, traffic shaping and security surveillance. However, with many newly emerged P2P applications using dynamic port numbers, masquerading techniques, and payload encryption to avoid detection, traditional classification approaches turn to be ineffective. In this paper, we present a layered hybrid system to classify current Internet traffic, motivated by variety of network activities and their requirements of traffic classification. The proposed method could achieve fast and accurate traffic classification with low overheads and robustness to accommodate both known and unknown/encrypted applications. Furthermore, it is feasible to be used in the context of real-time traffic classification. Our experimental results show the distinct advantages of the proposed classification system, compared with the one-step Machine Learning (ML) approach.

David Chunhu Li,Hsuan-Hao Tu,Li-Der Chou

DOI: https://doi.org/10.1016/j.compeleceng.2024.109307

IF: 4.152

2024-05-30

Computers & Electrical Engineering

Abstract:This paper presents a comprehensive system for detecting and defending against distributed denial-of-service (DDoS) and distributed reflective denial-of-service (DRDoS) flood attacks in software-defined networking (SDN) environments using Programming Protocol-Independent Packet Processors (P4). The proposed system introduces a hybrid intrusion statistical threshold algorithm (HISTA) that analyzes intrusion data statistics to identify potential malicious attacks. Upon detection, the system utilises P4 programmability to implement a custom defence mechanism on the P4 switch. A novel Uruk protocol header collaborates with HISTA for enhanced cross-layer attack detection and categorisation. The HISTA-Uruk mechanism selectively discards malicious packets while ensuring uninterrupted communication for legitimate packets, effectively preventing DDoS/DRDoS attacks. Extensive experiments validate the system's ability to efficiently detect and thwart various DDoS, DRDoS, and internal attacks, demonstrating its effectiveness in identifying threats and restoring impacted network connections across diverse attack scenarios.

engineering, electrical & electronic,computer science, interdisciplinary applications, hardware & architecture

Frederik Hauser,Mark Schmidt,Michael Menth,Marco Haberle

DOI: https://doi.org/10.1109/access.2020.3012738

IF: 3.9

2020-01-01

IEEE Access

Abstract:In this work, we present P4-IPsec, a concept for IPsec in software-defined networks (SDN) using P4 programmable data planes. The prototype implementation features ESP in tunnel mode and supports different cipher suites. P4-capable switches are programmed to serve as IPsec tunnel endpoints. We also provide a client agent to configure tunnel endpoints on Linux hosts so that site-to-site and host-to-site application scenarios can be supported which are the base for virtual private networks (VPNs). While traditional VPNs require complex key exchange protocols like IKE to set up and renew tunnel endpoints, P4-IPsec benefits from an SDN controller to accomplish these tasks. One goal of this experimental work is to investigate how well P4-IPsec can be implemented on existing P4 switches. We present a prototype for the BMv2 P4 software switch, evaluate its performance, and publish its source code on GitHub [1]. We explain why we could not provide a useful implementation with the NetFPGA SUME board. For the Edgecore Wedge 100BF-32X Tofino-based switch, we presented two prototype implementations to cope with a missing crypto unit. As another contribution of this paper, we provide technological background of P4 and IPsec and give a comprehensive review of security applications in P4, IPsec in SDN, and IPsec data plane implementations. According to our knowledge, P4-IPsec is the first implementation of IPsec for P4-based SDN.

computer science, information systems,telecommunications,engineering, electrical & electronic

Liang Wang,Hyojoon Kim,Prateek Mittal,Jennifer Rexford

DOI: https://doi.org/10.48550/arXiv.2006.00097

2020-05-29

Networking and Internet Architecture

Abstract:Recent advances in programmable switch hardware offer a fresh opportunity to protect user privacy. This paper presents PINOT, a lightweight in-network anonymity solution that runs at line rate within the memory and processing constraints of hardware switches. PINOT encrypts a client's IPv4 address with an efficient encryption scheme to hide the address from downstream ASes and the destination server. PINOT is readily deployable, requiring no end-user software or cooperation from networks other than the trusted network where it runs. We implement a PINOT prototype on the Barefoot Tofino switch, deploy PINOT in a campus network, and present results on protecting user identity against public DNS, NTP, and WireGuard VPN services.

Frederik Hauser,Mark Schmidt,Marco Häberle,Michael Menth

DOI: https://doi.org/10.48550/arXiv.1904.07088

2019-04-15

Networking and Internet Architecture

Abstract:We propose P4-MACsec to protect network links between P4 switches through automated deployment of MACsec, a widespread IEEE standard for securing Layer 2 infrastructures. It is supported by switches and routers from major manufacturers and has only little performance limitations compared to VPN technologies such as IPsec. P4-MACsec introduces a data plane implementation of MACsec including AES-GCM encryption and decryption directly on P4 switches. P4-MACsec features a two-tier control plane structure where local controllers running on the P4 switches interact with a central controller. We propose a novel secure link discovery mechanism that leverages protected LLDP frames and the two-tier control plane structure for secure and efficient management of a global link map. Automated deployment of MACsec creates secure channel, generates keying material, and configures the P4 switches for each detected link between two P4 switches. It detects link changes and performs rekeying to provide a secure, configuration-free operation of MACsec. In this paper, we review the technological background of P4-MACsec and explain its architecture. To demonstrate the feasibility of P4-MACsec, we implement it on the BMv2 P4 software switch and validate the prototype through experiments. We evaluate its performance through experiments that focus on TCP throughput and round-trip time. We publish the prototype and experiment setups on Github.

Ya-Tao Jing,Lin Ge,Nanfang Li,Xiyuan Shang,Yun Ye,Wenqian Zhang

DOI: https://doi.org/10.1117/12.2639364

2022-06-30

Abstract:In network data transmission, the data to be encrypted is not always at the same level. The access structure is embedded in the ciphertext, resulting in excessive communication and computing overhead. Therefore, a secure sharing method of network data transmission is proposed based on multi-layer encryption algorithm. According to the relationship between users, type servers and service providers, the logical structure of data transmission is established, and the data sharing contract is called on the basis of secure communication. By designing the key synchronization mechanism, both sides of the transmission can use the same key for encryption and decryption to ensure the forward security of the data. The key distribution scheme is established based on multi-layer encryption algorithm. The ciphertext information of the next layer is directly embedded in the ciphertext of the previous layer, which realizes the jump transmission of ciphertext and ensures the security of data privacy. In the final stage, both the master node and the slave node will receive the confirmation information, and then check the signature of the confirmation information to complete the secure sharing of data transmission. The test results show that this method reduces the communication overhead and computing overhead, and improves the efficiency of encryption and decryption.

Engineering,Computer Science

Zhaoyang Han,Andrew Briasco-Stewart,Michael Zink,Miriam Leeser

2024-09-12

Abstract:Field Programmable Gate Arrays (FPGAs) play a significant role in computationally intensive network processing due to their flexibility and efficiency. Particularly with the high-level abstraction of the P4 network programming model, FPGA shows a powerful potential for packet processing. By supporting the P4 language with FPGA processing, network researchers can create customized FPGA-based network functions and execute network tasks on accelerators directly connected to the network. A feature of the P4 language is that it is stateless; however, the FPGA implementation in this research requires state information. This is accomplished using P4 externs to describe the stateful portions of the design and to implement them on the FPGA using High-Level Synthesis (HLS). This paper demonstrates using an FPGA-based SmartNIC to efficiently extract source-destination IP address information from network packets and construct anonymized network traffic matrices for further analysis. The implementation is the first example of the combination of using P4 and HLS in developing network functions on the latest AMD FPGAs. Our design achieves a processing rate of approximately 95 Gbps with the combined use of P4 and High-level Synthesis and is able to keep up with 100 Gbps traffic received directly from the network.

Networking and Internet Architecture,Hardware Architecture