Hongyan Liu,Xiang Chen,Yi Shen,Qun Huang,Zhengyan Zhou,Dong Zhang,Chunming Wu

DOI: https://doi.org/10.1109/iwqos57198.2023.10188714

2023-01-01

Abstract:In programmable networks, some networking systems coordinate data plane switches to realize in-network functions (e.g., in-band network telemetry). However, the vulnerabilities of inter-device coordination are still largely unknown and neglected, which is highly concerning given the increasing popularity of this paradigm. In this paper, we identify three attack scenarios built upon such vulnerabilities, where attackers mislead the behaviors of networking systems that exploit inter-device coordination to execute in-network functions. We implement 20 existing networking systems on Tofino-based switches and a simulator, and attack these systems with the identified attacks. The experimental results indicate that our attacks significantly interfere with the normal operations of the selected networking systems, e.g., the cache hit rate of NetCache drops 38%. Our analysis also demonstrates that none of existing methods can fully mitigate our attacks since they fail to verify the packets for inter-device coordination.

Zhengyan Zhou,Jingwen Lv,Lingfei Cheng,Xiang Chen,Tianzhu Zhang,Qun Huang,Jiayu Luo,Longlong Zhu,Dong Zhang,Chunming Wu

DOI: https://doi.org/10.1109/ICNP55882.2022.9940368

2022-01-01

Abstract:Sketches enable efficient and fine-grained network measurement results with configurable resource-performance trade-offs. While sketch configurations are guided by theories, the current theoretical guidelines are either impractical or deficient for sketch configurations on emerging programmable switches. To better configure sketches on programmable switches, we (1) systematically analyze the limitations of sketch configuration guidelines on programmable hardware switches (i.e., unguided parameters, accuracy profiles, and resource budgets); (2) propose a generic and practical framework called SketchGuide to automate efficient sketch configurations on programmable switches; (3) implement SketchGuide on a Barefoot Tofino switch and compare SketchGuide to the state-of-the-art sketches by conducting extensive experiments. Our evaluations demonstrate that SketchGuide can automatically configure unguided parameters given resource budgets. SketchGuide reduces the hardware resource footprint by 52.92%-99.28% compared with current guidelines without impacting fidelity.

Yi Gao,Yunji Li,Ziyan Hua,Junjie Chen,Yajun Wu

DOI: https://doi.org/10.3390/info15100649

2024-01-01

Information

Abstract:In modern industrial applications, production quality, system performance, process reliability, and safety have received considerable attention. This article proposes a dynamic event-triggered attack estimator for Markovian jump stochastic systems susceptible to actuator deception attacks. Utilizing the developed estimator, the presented attack-tolerant control strategy can tolerate the effects of such attacks and ensure the mean-square convergence of the overall closed-loop system. A dynamic event-triggered mechanism is implemented on the sensor side to optimize communication efficiency. To address the potential threat of deception attacks, a plug-and-play (PnP) secure monitoring and control architecture is introduced. This architecture facilitates the seamless integration of the designed attack-tolerant controller with the nominal feedback controller, thereby enhancing system security without requiring significant modifications to the existing control structure. The practicality and effectiveness of the proposed approaches are demonstrated through experimental results on a switched boost converter circuit.

Chongrong Fang,Yifei Qi,Jiming Chen,Rui Tan,Wei Xing Zheng

DOI: https://doi.org/10.1109/tac.2019.2950072

IF: 6.549

2019-01-01

IEEE Transactions on Automatic Control

Abstract:In this technical note, the tradeoff between the attack detectability and the performance degradation in stochastic cyber-physical systems is investigated. We consider a linear time-invariant system in which the attack detector performs a hypothesis test on the innovation of the Kalman filter to detect malicious tampering with the actuator signals. We adopt a notion of attack stealthiness to quantify the degree of stealth by limiting the maximum achievable exponents of both false alarm probability and detection probability below certain thresholds. And the conditions for any actuator attack to have a specific level of stealthiness are derived. Additionally, we characterize the upper bound of the performance degradation induced by attacks with a given extent of stealthiness that produces independent and identically distributed Gaussian innovations, and design the attack, which achieves the stated upper bound for right-invertible systems. Finally, our results are illustrated via numerical examples.

Meng-zhou Gao,Dong-qin Feng

DOI: https://doi.org/10.1631/fitee.1700334

IF: 2.526

2018-01-01

Frontiers of Information Technology & Electronic Engineering

Abstract:Security issues in networked control systems (NCSs) have received increasing attention in recent years. However, security protection often requires extra energy consumption, computational overhead, and time delays, which could adversely affect the real-time and energy-limited system. In this paper, random cryptographic protection is implemented. It is less expensive with respect to computational overhead, time, and energy consumption, compared with persistent cryptographic protection. Under the consideration of weak attackers who have little system knowledge, ungenerous attacking capability and the desire for stealthiness and random zero-measurement attacks are introduced as the malicious modification of measurements into zero signals. NCS is modeled as a stochastic system with two correlated Bernoulli distributed stochastic variables for implementation of random cryptographic protection and occurrence of random zero-measurement attacks; the stochastic stability can be analyzed using a linear matrix inequality (LMI) approach. The proposed stochastic stability analysis can help determine the proper probability of running random cryptographic protection against random zero-measurement attacks with a certain probability. Finally, a simulation example is presented based on a vertical take-off and landing (VTOL) system. The results show the effectiveness, robustness, and application of the proposed method, and are helpful in choosing the proper protection mechanism taking into account the time delay and in determining the system sampling period to increase the resistance against such attacks.

Genghong Lu,Dongqin Feng,Biao Huang

DOI: https://doi.org/10.1109/tie.2020.2965467

IF: 7.7

2021-01-01

IEEE Transactions on Industrial Electronics

Abstract:The problem of attack detection for Stuxnet in the industrial control system is discussed in this article. Different operating modes (normal and hazard modes) may occur in the nominal process. In this article, we consider that the transition between different modes follows a Markov chain model with a certain transition probability. However, when the Stuxnet attack is launched, the attack signals with random multitude and frequency will be injected to trigger more hazard modes, and finally, hasten fatigue of control devices. Under this unpredictable attack, the transition between operating modes will not follow the regular transition probabilities. Therefore, a hidden Markov model with time-varying transition probabilities is utilized to describe the Stuxnet attack. The transition probabilities are estimated based on the measurements. By recognizing operating modes and predicting the number of the occurrence of hazard modes, the Stuxnet attack can be detected earlier if the predicted value exceeds the threshold. In the operating mode recognition, the expectation maximization algorithm is used to estimate the parameters considering random packet dropouts caused by the unreliable network. A simulation is conducted to verify the effectiveness of the proposed method.

Dezhang Kong,Zhengyan Zhou,Yi Shen,Xiang Chen,Qiumei Cheng,Dong Zhang,Chunming Wu

DOI: https://doi.org/10.1109/IWQoS57198.2023.10188809

2023-01-01

Abstract:In-band Network Telemetry (INT) is a widely used monitoring framework in modern large-scale networks that provides fine-grained visibility into network conditions by inserting telemetry data into packets. However, this mechanism also introduces new vulnerabilities that malicious attackers can exploit. In this paper, we present four In-band Network Telemetry Manipulation Attacks that take advantage of INT's weakness, demonstrating that attackers can cause severe damage with little effort by manipulating INT packets. To address this issue, we design SecureINT, a novel INT prototype that ensures confidentiality and integrity for INT packets. To meet the stringent computational requirements of programmable switches, we comprehensively analyze possible attacks on the deployed encryption/hash algorithms and modify them accordingly without compromising their security. According to the experiments, SecureINT can be deployed on programmable switches using a single pipeline, providing encryption and integrity verification for INT packets with minimal overhead.

Junchi Xing,Mingliang Yang,Haifeng Zhou,Chunming Wu,Wei Ruan

DOI: https://doi.org/10.1109/IPCCC47392.2019.8958776

2019-01-01

Abstract:Network reconnaissance aims at gathering as much information as possible before an attack is launched. Meanwhile, static host address configuration facilitates network reconnaissance. Currently, more sophisticated network reconnaissance has been emerged with the adaptive and cooperative features. To address this, in this paper, we present Hiding and Trapping (HaT), which is a deceptive approach to disrupt adversarial network reconnaissance with the help of the software-defined networking (SDN) paradigm. HaT is able to hide valuable hosts from attackers and to trap them into decoy nodes through strategic and holistic host address mutation according to characteristic of adversaries. We implement a prototype of HaT, and evaluate its performance by experiments. The experimental results show that HaT is capable to effectively disrupt adversarial network reconnaissance with better deceptive performance than the existing address randomization approach.

Lu Tang,Yao Xiao,Qun Huang,Patrick P. C. Lee

DOI: https://doi.org/10.1109/tnet.2022.3198738

2023-01-01

IEEE/ACM Transactions on Networking

Abstract:Superspreaders (i.e., hosts with numerous distinct connections) remain severe threats to production networks. How to accurately detect superspreaders in real-time at scale remains a non-trivial yet challenging issue. We present SpreadSketch, an invertible sketch data structure for network-wide superspreader detection with the theoretical guarantees on memory space, performance, and accuracy. SpreadSketch tracks candidate superspreaders and embeds estimated fan-outs in binary hash strings inside small and static memory space, such that multiple SpreadSketch instances can be readily merged to provide a network-wide measurement view for recovering superspreaders and their estimated fan-outs. We present formal theoretical analysis on SpreadSketch in terms of space and time complexities as well as error bounds. We further extend SpreadSketch with a fast and small data structure that filters out the packets of high-frequency connections from sketch processing, so as to improve the update performance of SpreadSketch while maintaining the accuracy guarantees. Trace-driven evaluation shows that SpreadSketch achieves higher accuracy and performance over state-of-the-art sketches and remains accurate in detecting real-world worms and DDoS attacks. Furthermore, we prototype SpreadSketch in P4 and show its feasible deployment in commodity hardware switches.

Sze Zheng Yong,Minghui Zhu,Emilio Frazzoli

DOI: https://doi.org/10.48550/arXiv.1707.07112

2017-07-22

Abstract:In this paper, we consider the problem of attack-resilient state estimation, that is to reliably estimate the true system states despite two classes of attacks: (i) attacks on the switching mechanisms and (ii) false data injection attacks on actuator and sensor signals, in the presence of unbounded stochastic process and measurement noise signals. We model the systems under attack as hidden mode stochastic switched linear systems with unknown inputs and propose the use of a multiple-model inference algorithm to tackle these security issues. Moreover, we characterize fundamental limitations to resilient estimation (e.g., upper bound on the number of tolerable signal attacks) and discuss the topics of attack detection, identification and mitigation under this framework. Simulation examples of switching and false data injection attacks on a benchmark system and an IEEE 68-bus test system show the efficacy of our approach to recover resilient (i.e., asymptotically unbiased) state estimates as well as to identify and mitigate the attacks.

Optimization and Control,Cryptography and Security,Systems and Control,Dynamical Systems

Xuyang Jing,Jingjing Zhao,Qinghua Zheng,Zheng Yan,Witold Pedrycz

DOI: https://doi.org/10.1016/j.jnca.2019.06.007

IF: 7.574

2019-01-01

Journal of Network and Computer Applications

Abstract:Amplification attacks bring serious threats to network security due to their characteristics of anonymity and amplification. How to detect amplification attacks attracts more and more attention. However, as the age of networking for big data is coming, traditional amplification attack detection methods become inefficient due to the impact of big-volume network traffic that swamp significant signals of attacks. The premise of accurate effective attack detection is efficiently processing big-volume traffic. In this paper, we propose a meaningful work that applies sketch technique to detect and mitigate amplification attacks. This step enables the detection method to handle big-volume network traffic. We use a Chinese Reminder Theorem based Reversible Sketch to directly collect network traffic and then monitor the abrupt changes in one-to-one mapping between request packets and response packets to identify amplification attack traffic. The detection mechanism is robust and efficient since it does not need to record complicated traffic features and makes full use of the basic characteristic of amplification attacks. We examine the performance of our method through a series of experiments conducted on simulation and real world traffic. The results denote that the method can accurately detect and mitigate amplification attacks.

He Huang,Jiakun Yu,Yang Du,Jia Liu,Haipeng Dai,Yu-E Sun

DOI: https://doi.org/10.1145/3617334

2023-01-01

Abstract:Heavy-hitter detection is a fundamental task in network traffic measurement and security. Existing work faces the dilemma of suffering dynamic and imbalanced traffic characteristics or lowering the detection efficiency and flexibility. In this paper, we propose a flexible sketch called SwitchSketch that embraces dynamic and skewed traffic for efficient and accurate heavy-hitter detection. The key idea of SwitchSketch is allowing the sketch to dynamically switch among different modes and take full use of each bit of the memory. We present an encoding-based switching scheme together with a flexible bucket structure to jointly achieve this goal by using a combination of design features, including variable-length cells, shrunk counters, embedded metadata, and switchable modes. We further implement SwitchSketch on the NetFPGA-1G-CML board. Experimental results based on real Internet traces show that SwitchSketch achieves a high Fβ-Score of threshold-t detection (consistently higher than 0.938) and over 99% precision rate of top-k detection under a tight memory size (e.g., 100KB). Besides, it outperforms the state-of-the-art by reducing the ARE by 30.77%\sim99.96%. All related implementations are open-sourced.

Kaicheng Yang,Yuanpeng Li,Zirui Liu,Tong Yang,Yu Zhou,Jintao He,Jing'an Xue,Tong Zhao,Zhengyi Jia,Yongqiang Yang

DOI: https://doi.org/10.1109/ICNP52444.2021.9651940

2021-01-01

Abstract:(1) Network measurement is indispensable to network operations. Two most promising measurement solutions are In-band Network Telemetry (INT) solutions and sketching solutions. INT solutions provide fine-grained per-switch per-packet information at the cost of high network overhead. Sketching solutions have low network overhead but fail to achieve both simplicity and accuracy for per-flow measurement. To keep their advantages, and at the same time, overcome their shortcomings, we first design SketchINT to combine INT and sketches, aiming to obtain all per-flow per-switch information with low network overhead. Second, for deployment flexibility and measurement accuracy, we design a new sketch for SketchINT, namely TowerSketch, which achieves both simplicity and accuracy. The key idea of TowerSketch is to use different-sized counters for different arrays under the property that the number of bits used for different arrays stays the same. TowerSketch can automatically record larger flows in larger counters and smaller flows in smaller counters. We have fully implemented our SketchINT prototype on a testbed consisting of 10 switches. We also implement our TowerSketch on P4, single-core CPU, multi-core CPU, and FPGA platforms to verify its deployment flexibility. Extensive experimental results verify that 1) TowerSketch achieves better accuracy than prior art on various tasks, outperforming the state-of-the-art ElasticSketch up to 13.9 times in terms of error; 2) Compared to INT, SketchINT reduces the number of packets in the collection process by 3 similar to 4 orders of magnitude with an error smaller than 5%.

Ruijie Miao,Yinda Zhang,Zihao Zheng,Ruixin Wang,Ruwen Zhang,Tong Yang,Zaoxing Liu,Junchen Jiang

DOI: https://doi.org/10.1109/tnet.2023.3257226

2023-01-01

IEEE/ACM Transactions on Networking

Abstract:Sketch-based measurement has emerged as a promising alternative to the traditional sampling-based network measurement approaches due to its high accuracy and resource efficiency. While there have been various designs around sketches, they focus on measuring one particular flow key, and it is infeasible to support many keys based on these sketches. In this work, we take a significant step towards supporting arbitrary partial key queries, where we only need to specify a full range of possible flow keys that are of interest before measurement starts, and in query time, we can extract the information of any key in that range. We design CocoSketch, which casts arbitrary partial key queries to the subset sum estimation problem and makes the theoretical tools for subset sum estimation practical. To realize desirable resource-accuracy tradeoffs in software and hardware platforms, we propose two techniques: (1) stochastic variance minimization to significantly reduce per-packet update delay, and (2) removing circular dependencies in the per-packet update logic to make the implementation hardware-friendly. We implement CocoSketch on four popular platforms (CPU, Open vSwitch, P4, and FPGA) and show that compared to baselines that use traditional single-key sketches, CocoSketch improves average packet processing throughput by 27.2x and accuracy by 10.4x when measuring six flow keys.

Guorui Xie,Qing Li,Chupeng Cui,Ruoyu Li,Lianbo Ma,Zhuyun Qi,Yong Jiang

DOI: https://doi.org/10.1109/TDSC.2024.3402955

2024-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:To improve the accuracy of network attack detection, recent work has proposed deep learning (DL) based detectors. Nonetheless, conventional DL-based solutions are computation-intensive and have to be deployed on high-performance x86 servers, which is inefficient for large-scale networks. Unlike x86 servers, current programmable switches (e.g., P4 switches) support a throughput of Tbps and enable programmable logic in networks, indicating a promising alternative. Therefore, we present Soterv2, an intelligent in-network solution deployed on programmable switches. Soterv2 utilizes a two-phase detection manner. In the first phase, we build a P4 program running on the switch's Tofino ASIC to filter malicious packets from the massive traffic. Then, a DL-based inspection is conducted on the switch's CPU, thoroughly detecting the filtered packets. To improve the filtering performance, we propose to embed the rule-based machine learning model, decision tree, in a single match-action table in the P4 program. We also design a lightweight DL model, Branch Convolution Net, running on a multi-core fashion to speed up the thorough detection. Besides, Soterv2 enables the coordination of distributed switches, covering the detection in a large-scale network. Experiments demonstrate that Soterv2 behaves stably in eight network scenarios of different traffic rates (40/100Gbps) and fulfills per-flow detection in 0.03s.

Yu Zhou,Jun Bi,Tong Yang,Kai Gao,Cheng Zhang,Jiamin Cao,Yangyang Wang

DOI: https://doi.org/10.1109/icnp.2018.00045

2018-01-01

Abstract:The rise of programmable switches and P4 brings much flexibility to networks, but this flexibility comes with increased risks of bugs. Diagnosing these bugs is essential for network operation but is non-trivial. A potential approach is to track packet behaviors through postcards, but existing tools either generate substantial postcards (limited scalability) or only track a small proportion of packet behaviors (low coverage). In this paper, we present KeySight, a platform that troubleshoots programmable switches with high scalability and high coverage. The key idea is based on the Packet Equivalence Class (PEC) abstraction that aggregates packets with identical behaviors and generates one postcard per behavior. The PEC abstraction minimizes the number of postcards while tracking all packet behaviors. We design novel algorithms to analyze PECs of P4 programs and to implement the PEC abstraction on programmable switches. We deploy KeySight on Tofino and SmartNIC, and evaluate it against 80 P4 programs and real packet traces of over 5TB. Results show that in the premise of overseeing over 99.9% packet behaviors, KeySight reduces the number of postcards by one to two orders of magnitude when comparing with NetSight.

Peng Cheng,Zeyu Yang,Jiming Chen,Yifei Qi,Ling Shi

DOI: https://doi.org/10.1109/tac.2019.2956021

IF: 6.549

2020-10-01

IEEE Transactions on Automatic Control

Abstract:Security issues in cyber-physical systems (CPSs) have gained increasing attention in recent years due to the importance and unavoidable vulnerability of CPSs. This article focuses on designing an intelligent online attack, which can compromise a sensor, eavesdrop measurements, and inject false feedback information, against remote state estimation. From the viewpoint of the attacker, we design an event-based attack strategy to degrade the estimation quality with an arbitrary communication rate stealthy constraint. The approximate minimum mean-squared error estimation algorithm from the viewpoint of the attacker is derived under a Gaussian assumption. Furthermore, the relation between the attack threshold and the scheduling threshold is obtained in a closed form. We show that the mean-squared stability condition of the estimation is weakened under the attack. Two examples are provided to demonstrate the main results.

automation & control systems,engineering, electrical & electronic

Xinming Zhang,Zhongxiang Wei,Cenman Wang,Ye Tian,Wei Chen,Liyuan Gu

DOI: https://doi.org/10.1109/TNET.2023.3286879

2024-02-01

IEEE/ACM Transactions on Networking

Abstract:Sketch-based method has emerged as a promising direction for per-flow measurement in data center networks. Usually in such a measurement system, a sketch data structure is placed as a whole at one switch for counting all passing packets, but when summarizing measurement results from multiple switches, the overall accuracy is generally constrained by a few individual switches with small-sized sketches due to their limited memory resources. To address this problem, in this paper, we present Distributed Sketch, a new method for per-flow network measurement in data center networks. In Distributed Sketch, each network path is associated with a logical sketch, whose data structure is collectively maintained by all the switches along the path; meanwhile, each switch multiplexes its physical sketch to the constructions of the logical sketches of all the paths it belongs to. With Distributed Sketch, switches collaborate to measure network flows, and the network-wide measurement workload is fairly distributed among all the switches in the network. We implement Distributed Sketch with P4 on commodity hardware programmable switch, and in particular, to overcome the limitation that hardware switches do not support float-point computation, we present an optimal approximation method that involves only integer operations. We also propose an In-band Network Telemetry (INT) based method for addressing the challenges in deploying Distributed Sketch in large-scale data centers. Experiment results and theoretical analysis show that our proposed method is lightweight regarding measurement overhead, and by aggregating and making fair uses of resources from all the switches in the network, Distributed Sketch achieves a higher measurement accuracy compared with the state-of-the-art solutions.

Computer Science

Qun Huang,Xin Jin,Patrick P. C. Lee,Runhui Li,Lu Tang,Yi-Chao Chen,Gong Zhang

DOI: https://doi.org/10.1145/3098822.3098831

2017-01-01

Abstract:Network measurement remains a missing piece in today's software packet processing platforms. Sketches provide a promising building block for filling this void by monitoring every packet with fixed-size memory and bounded errors. However, our analysis shows that existing sketch-based measurement solutions suffer from severe performance drops under high traffic load. Although sketches are efficiently designed, applying them in network measurement inevitably incurs heavy computational overhead. We present SketchVisor, a robust network measurement framework for software packet processing. It augments sketch-based measurement in the data plane with a fast path, which is activated under high traffic load to provide high-performance local measurement with slight accuracy degradations. It further recovers accurate network-wide measurement results via compressive sensing. We have built a SketchVisor prototype on top of Open vSwitch. Extensive testbed experiments show that SketchVisor achieves high throughput and high accuracy for a wide range of network measurement tasks and microbenchmarks.

Xiwen Yu,Hongli Xu,Da Yao,Haibo Wang,Liusheng Huang

DOI: https://doi.org/10.1109/tnet.2018.2877700

2018-01-01

IEEE/ACM Transactions on Networking

Abstract:In a software-defined network (SDN), statistics information is of vital importance for different applications, such as traffic engineering, flow rerouting, and attack detection. Since some resources, e.g., ternary content addressable memory, SRAM, and computing capacity, are often limited on SDN switches, traffic measurements based on flow tables or sampling become infeasible. In fact, sketches provide a promising building block for filling this void by monitoring every packet with fixed-size memory. Although many efficient sketches have been designed, our analysis shows that existing sketch-based measurement solutions may suffer from severe computing overhead on switches especially under high traffic load that significantly interferes with switch's basic functions, such as flow rule setup and modification. In this paper, we present CountMax, a lightweight and cooperative sketch for traffic measurement, which can achieve low-amortized processing overhead and tight estimation bounds, to track large flows in SDNs. We also discuss how to apply CountMax to support a variety of applications. We have implemented the proposed algorithm on our open switches. Testbed experiments and extensive simulation results show that CountMax consumes only 1/3-1/2 computing overhead and reduces the average estimation error by 20%-30%, compared with the existing solutions under the same memory size.