Taiwan National Digital Library of Theses and Dissertations (臺灣博碩士論文加值系統)
Author: Lin, Cheng-Hsu (林承旭)
Title: Populating Malicious Flow Entries Against SDN Operations: Attacks and Countermeasures (利用惡意封包流規則對軟體定義網路之攻擊與解決方案)
Advisor: Wang, Kuo-Chen (王國禎)
Committee: Guo, Si-Yan (郭斯彥); Lin, Wei (林偉); Li, Chi-Yu (李奇育); Wang, Kuo-Chen (王國禎)
Oral defense date: 2017-07-13
Degree: Master's
Institution: National Chiao Tung University (國立交通大學)
Department: Institute of Computer Science and Engineering (資訊科學與工程研究所)
Discipline: Engineering
Field: Electrical and Computer Engineering
Thesis type: Academic thesis
Year of publication: 2017
Academic year of graduation: 105 (2016-2017)
Language: English
Pages: 28
Keywords (Chinese): 異常偵測; 應用程式; 前後文感知; 基於事件; 軟體定義網路
Keywords: Anomaly detection; App; context-aware; event-based; SDN
Record statistics: cited 0; viewed 446; downloaded 37; bookmarked 1
Abstract (the record gives it in Chinese and in English; the English text follows)

Software-defined networking (SDN) is a networking paradigm that enables programmatic control over the network from a centralized controller. The controller offers APIs through which SDN applications (SDN-Apps) implement control-plane functions (e.g., traffic engineering, routing, load balancing, security). However, an SDN-App may be malicious: a benign App may be compromised, or an App may have been developed by an untrusted third party. Although many solutions have been proposed to block malicious SDN-Apps, none of them considers that malicious flow entries can be populated to attack control-plane services and data-plane operations. In this thesis, we identify two security threats: control-plane service abuse and data-plane pollution. They can be leveraged to launch topology spoofing and SDN DoS attacks, respectively. We therefore propose a context-aware, event-based anomaly detection mechanism, CEAD-SDN. It restricts the manipulation of each control-plane service to the application responsible for that service, and it confines the context of the flow entries that are triggered by the same event. These two mechanisms address the two threats above and thereby prevent the two attacks. We have implemented CEAD-SDN on Floodlight and tested it with the EstiNet network simulator. Evaluation results show that CEAD-SDN defends SDN against the identified threats and prevents the associated attacks. Its overhead is negligible: in the worst case, compared with a controller without CEAD-SDN, the TCP connection success rate drops by only 0.9% and TCP connection delay increases by 16.08%.
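As an added illustration (not code from the thesis and not Floodlight code), the following Python models the two checks the abstract describes: an event-based transaction classifier that groups FlowMods by the controller event that triggered them, and a context-aware detector that rejects a FlowMod touching a control-plane service unless it comes from the App responsible for that service, and rejects a FlowMod whose match leaves the context of its triggering event. The service-owner table, the rule that a match on LLDP (EtherType 0x88CC) counts as manipulating topology discovery, the specific context rule (in_port and EtherType must stay bound to the triggering PacketIn, no wildcards), the App names and the sample events and entries are all assumptions constructed for this example.

```python
"""Added illustration of the two CEAD-SDN checks summarised in the abstract.
Everything below the imports is an assumption made for this example, not the
thesis's own design or Floodlight code."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ETH_TYPE_LLDP = 0x88CC  # LLDP frames are what the controller uses for link discovery
ETH_TYPE_IPV4 = 0x0800


@dataclass(frozen=True)
class Event:
    """A controller event (modelled as a PacketIn) that may trigger FlowMods."""
    event_id: str
    in_port: int
    eth_type: int


@dataclass(frozen=True)
class FlowEntry:
    """Simplified FlowMod: issuing App, triggering event, match fields, actions."""
    app: str
    event_id: str
    in_port: Optional[int]    # None = wildcarded
    eth_type: Optional[int]   # None = wildcarded
    actions: Tuple[str, ...]


# Assumed ownership table: the App responsible for each control-plane service.
SERVICE_OWNER = {"topology-discovery": "linkdiscovery"}


def service_touched(entry: FlowEntry) -> Optional[str]:
    """Assumed rule: a match on LLDP manipulates topology discovery."""
    return "topology-discovery" if entry.eth_type == ETH_TYPE_LLDP else None


def check_service_ownership(entry: FlowEntry) -> Optional[str]:
    """Countermeasure 1: a control-plane service may only be touched by its owner."""
    service = service_touched(entry)
    if service is None:
        return None
    owner = SERVICE_OWNER[service]
    if entry.app != owner:
        return f"service abuse: {entry.app} manipulates {service} (owner {owner})"
    return None


def check_event_context(event: Event, entry: FlowEntry) -> Optional[str]:
    """Countermeasure 2: a FlowMod must stay within the context of its triggering event."""
    if entry.in_port is None or entry.eth_type is None:
        return f"data-plane pollution: wildcard match from {entry.app} for {event.event_id}"
    if entry.in_port != event.in_port or entry.eth_type != event.eth_type:
        return f"data-plane pollution: match from {entry.app} does not fit {event.event_id}"
    return None


def classify_transactions(entries: List[FlowEntry]) -> Dict[str, List[FlowEntry]]:
    """Event-based transaction classifier: group FlowMods by triggering event."""
    groups: Dict[str, List[FlowEntry]] = defaultdict(list)
    for entry in entries:
        groups[entry.event_id].append(entry)
    return dict(groups)


def detect_anomalies(events: List[Event], entries: List[FlowEntry]) -> List[Tuple[FlowEntry, str]]:
    """Context-aware detector: every rejected FlowMod with the reason for rejection."""
    by_id = {ev.event_id: ev for ev in events}
    anomalies: List[Tuple[FlowEntry, str]] = []
    for event_id, group in classify_transactions(entries).items():
        event = by_id.get(event_id)
        for entry in group:
            reason = check_service_ownership(entry)
            if reason is None:
                reason = (check_event_context(event, entry) if event is not None
                          else f"orphan FlowMod from {entry.app}: no event {event_id}")
            if reason is not None:
                anomalies.append((entry, reason))
    return anomalies


# Constructed sample: two PacketIn events and the FlowMods issued in response.
SAMPLE_EVENTS = [
    Event("E1", in_port=1, eth_type=ETH_TYPE_LLDP),  # LLDP probe arriving on port 1
    Event("E2", in_port=3, eth_type=ETH_TYPE_IPV4),  # host traffic arriving on port 3
]
SAMPLE_ENTRIES = [
    FlowEntry("linkdiscovery", "E1", 1, ETH_TYPE_LLDP, ("output:CONTROLLER",)),  # legitimate
    FlowEntry("forwarding", "E2", 3, ETH_TYPE_IPV4, ("output:2",)),               # legitimate
    # A compromised third-party App (constructed) redirecting LLDP: topology spoofing
    FlowEntry("thirdpartylb", "E1", 1, ETH_TYPE_LLDP, ("output:5",)),
    # The same App flooding with a wildcard match unrelated to E2: data-plane pollution
    FlowEntry("thirdpartylb", "E2", None, None, ("output:FLOOD",)),
]

if __name__ == "__main__":
    for entry, reason in detect_anomalies(SAMPLE_EVENTS, SAMPLE_ENTRIES):
        print(f"REJECT {entry.app} ({entry.event_id}): {reason}")
```

Running the block rejects exactly the two constructed malicious FlowMods: the LLDP redirect is caught by the ownership check before its event context is even examined, and the wildcard flood is caught because it does not stay within the PacketIn that supposedly triggered it. A FlowMod that names an event the controller never raised is also rejected, since the classifier has no transaction to attach it to.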
Table of contents

Abstract (in Chinese) i
Abstract iii
Contents vi
List of Figures viii
List of Tables ix
Chapter 1 Introduction 1
1.1 Problem statement 1
1.2 Contribution 2
1.3 Thesis outline 3
Chapter 2 Related Work 4
2.1 Online access control of Apps 5
2.2 Online monitoring of Apps’ behaviors 5
2.3 Offline App analysis 6
2.4 Drawbacks of current solutions 6
Chapter 3 Security Threats Analysis for SDN 7
3.1 Threat model 7
3.2 Control-plane service abuse 8
3.3 Data-plane pollution 14
Chapter 4 Context-aware, Event-based Anomaly Detection Framework 16
4.1 Countermeasures 16
4.2 CEAD-SDN design overview 16
4.3 Event-based transaction classifier 17
4.4 Context-aware anomaly detector 19
Chapter 5 Evaluation 22
5.1 Correctness of anomaly detection 22
5.2 CEAD-SDN’s impact on network performance 23
Chapter 6 Concluding and Future Work 25
6.1 Concluding 25
6.2 Future work 25
Bibliography 27
Bibliography

[1] S. Scott-Hayward, C. Kane, and S. Sezer, "OperationCheckpoint: SDN application control," in Proceedings of the IEEE 22nd International Conference on Network Protocols (ICNP), Oct. 2014, pp. 618–623.
[2] S. Shin, Y. Song, T. Lee, S. Lee, J. Chung, P. Porras, V. Yegneswaran, J. Noh, and B. B. Kang, "Rosemary: A robust, secure, and high performance network operating system," in Proceedings of the ACM SIGSAC Conference on Computer and Communications Security (CCS), ACM, 2014, pp. 78–89. [Online]. Available: http://doi.acm.org/10.1145/2660267.2660353
[3] X. Wen, B. Yang, Y. Chen, C. Hu, Y. Wang, B. Liu, and X. Chen, "SDNShield: Reconciliating configurable application permissions for SDN app markets," in Proceedings of the 46th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN), June 2016, pp. 121–132.
[4] P. Porras, S. Shin, V. Yegneswaran, M. Fong, M. Tyson, and G. Gu, "A security enforcement kernel for OpenFlow networks," in Proceedings of the First Workshop on Hot Topics in Software Defined Networks (HotSDN), ACM, 2012, pp. 121–126. [Online]. Available: http://doi.acm.org/10.1145/2342441.2342466
[5] P. Porras, S. Cheung, M. Fong, K. Skinner, and V. Yegneswaran, "Securing the software-defined network control layer," in Proceedings of the Network and Distributed System Security Symposium (NDSS), Feb. 2015.
[6] A. Khurshid, W. Zhou, M. Caesar, and P. B. Godfrey, "VeriFlow: Verifying network-wide invariants in real time," in Proceedings of the First Workshop on Hot Topics in Software Defined Networks (HotSDN), ACM, 2012, pp. 49–54. [Online]. Available: http://doi.acm.org/10.1145/2342441.2342452
[7] C. Lee and S. Shin, "SHIELD: An automated framework for static analysis of SDN applications," in Proceedings of the ACM International Workshop on Security in Software Defined Networks & Network Function Virtualization (SDN-NFV Security), ACM, 2016, pp. 29–34. [Online]. Available: http://doi.acm.org/10.1145/2876019.2876026
[8] M. Canini, D. Venzano, P. Perešíni, D. Kostić, and J. Rexford, "A NICE way to test OpenFlow applications," in Proceedings of the 9th USENIX Conference on Networked Systems Design and Implementation (NSDI), USENIX Association, 2012, pp. 10–10. [Online]. Available: http://dl.acm.org/citation.cfm?id=2228298.2228312
[9] M. Dhawan, R. Poddar, K. Mahajan, and V. Mann, "SPHINX: Detecting security attacks in software-defined networks," in Proceedings of the Network and Distributed System Security Symposium (NDSS), Feb. 2015.
[10] HP SDN Dev Center: SDN App Store. [Online]. Available: http://www.hp.com/go/sdndevcenter
[11] Floodlight OpenFlow Controller. [Online]. Available: http://www.projectfloodlight.org/floodlight/
[12] EstiNet Network Simulator. [Online]. Available: http://www.estinet.com/