Abstract
In Software-Defined Networks (SDN), so-called SDN controllers are responsible for managing the network devices that make up such a network. Once such a core component of the network has been infected with malicious software (e.g., by a malicious SDN application), an attacker typically has a strong interest in remaining undetected while compromising other devices in the network. Hiding a malicious network state and the corresponding network manipulations are therefore important objectives for an adversary. To achieve this, rootkit techniques can be applied to manipulate the SDN controller's view of the network. As a consequence, the monitoring capabilities of SDN controllers, as well as security-focused SDN applications, can be fooled by hiding adverse network manipulations.

To tackle this problem, we propose a novel approach capable of detecting and preventing hidden network manipulations before they can be used to attack a network. In particular, our method is able to drop adverse network manipulations before they are applied to the network. We achieve this by comparing the actual network state, which includes both malicious and benign configurations, with the network state reported by a potentially compromised SDN controller. In case of an attack, the result of this comparison reveals the network manipulations that were maliciously removed from the SDN controller's view of the network. To demonstrate the capabilities of this approach, we implement a prototype and evaluate both its effectiveness and its efficiency. The evaluation results indicate scalability and high performance of our system, while being able to protect major SDN controller platforms.
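The comparison the abstract describes, shown as an added Python illustration that is not the paper's prototype: flow rules dumped from the switches (the actual state) are diffed against the rules the controller reports through its northbound view, and any rule the controller hides is flagged. The admission check that drops a FlowMod whose resulting rule the controller will not admit to is an assumed design, as are the rule model (switch, priority, match fields, actions) and the constructed sample views.

```python
"""Added illustration (not the paper's prototype): detect and block flow rules
that a compromised SDN controller hides from its own northbound view.

Assumptions (not taken from the abstract): rules are modelled as
(switch, priority, match, actions); the "actual" view would come from switch
flow-table dumps and the "reported" view from the controller's northbound
API. Both views are constructed inline so the example runs offline.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class FlowRule:
    switch: str
    priority: int
    match: Tuple[Tuple[str, str], ...]   # sorted (field, value) pairs
    actions: Tuple[str, ...]


def make_rule(switch: str, priority: int, match: Dict[str, str],
              actions: Iterable[str]) -> FlowRule:
    # Canonicalise match fields so equal rules compare equal regardless
    # of the order in which a dump or an API lists them.
    return FlowRule(switch, priority, tuple(sorted(match.items())), tuple(actions))


def hidden_rules(actual: Iterable[FlowRule],
                 reported: Iterable[FlowRule]) -> List[FlowRule]:
    """Rules installed on the switches that the controller's view omits.

    This is the core comparison: the switch dump is ground truth, so anything
    present there but absent from the reported state has been hidden.
    """
    missing = set(actual) - set(reported)
    return sorted(missing, key=lambda r: (r.switch, -r.priority, r.match))


def vet_flow_mod(mod: FlowRule, reported: Iterable[FlowRule]) -> bool:
    """Assumed admission check on the controller-to-switch channel.

    A FlowMod is forwarded only if the controller's own reported view already
    contains the rule it would install; a rule the controller pushes but
    refuses to show is dropped before it reaches the data plane.
    """
    return mod in set(reported)


# Constructed sample: s1 carries a high-priority redirect rule that the
# controller's reported view omits; every other rule is visible.
SWITCH_DUMP = [
    make_rule("s1", 100, {"in_port": "1", "eth_type": "0x0800"}, ["output:2"]),
    make_rule("s1", 200, {"eth_type": "0x0800", "ipv4_dst": "10.0.0.5"},
              ["output:9"]),                      # hidden from the controller view
    make_rule("s2", 100, {"in_port": "2"}, ["output:1"]),
]
CONTROLLER_VIEW = [
    make_rule("s1", 100, {"eth_type": "0x0800", "in_port": "1"}, ["output:2"]),
    make_rule("s2", 100, {"in_port": "2"}, ["output:1"]),
]


def audit() -> List[FlowRule]:
    """Run the comparison over the constructed views."""
    return hidden_rules(SWITCH_DUMP, CONTROLLER_VIEW)


if __name__ == "__main__":
    for rule in audit():
        print("hidden rule on", rule.switch, dict(rule.match), rule.actions)
```

Match fields are sorted before comparison so that a dump and an API response that list the same fields in different orders still compare equal; without that normalisation the diff would report benign rules as hidden.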