
APCC 2019 - HCMC Vietnam

Harry Trinh
November 15, 2019


Transcript

  1. APCC 2019: 25th Asia-Pacific Conference on Communications, Ho Chi Minh City, Vietnam, Nov 6, 2019 - Nov 8, 2019

    Abnormal SDN switches detection based on chaotic analysis of network traffic
    D. Phuc Trinh, TaeHee Lee, Thang Nguyen Canh, Sa Pham Dang, Minho Park - Soongsil University, Seoul, South Korea
  2. Outline

    1) Background & Problem Statement
    2) Proposed scheme
    3) Implemental Setup & Evaluation
    4) Conclusion & Future Work
  3. 1. Problem Statement – Traditional Network vs SDN

    • In a traditional network, the data plane and control plane are set on the same network device.
    • Software-defined networking (SDN) technology, by contrast, focuses solely on separation of the network control plane from the data plane.
    • The control plane makes decisions about how packets should flow through the network.
    • The data plane actually moves packets from place to place.
    Figure 1. Traditional networking vs SDN (Source: Energy-Aware Routing in Carrier-Grade Ethernet using SDN Approach)
  4. 1. Problem Statement – SDN architecture

    Figure 2. SDN architecture (layers: Application Layer, Control Plane, Data Plane)
    The data plane is vulnerable and can easily be attacked.
  5. 1. Problem Statement - attack scenario

    Traffic loss: An attacker may drop traffic randomly or in a selective manner.
    For example: An attacker may program one switch to forward some kind of packets to another switch. After the switch is compromised, the attacker may command it to drop all the packets.
    Figure 3. The attacker drops packets
    Reference: Handling malicious switches in software defined networks, https://ieeexplore.ieee.org/abstract/document/7502995
  6. 1. Problem Statement - attack scenario

    Traffic misroute: An attacker could misroute the traffic of a switch.
    For example: The attacker may program a switch to send packets, but after it is compromised, all the packets will be redirected to another switch.
    Figure 4. The attacker misroutes traffic of a switch
    Reference: Handling malicious switches in software defined networks, https://ieeexplore.ieee.org/abstract/document/7502995
  7. 1. Problem Statement - attack scenario

    DDoS attack: An attacker could manipulate all switches to attack one specific switch.
    For example: The attacker may command other switches to send all of their traffic to a specific switch.
    Figure 5. The attacker manipulates switches to attack one switch.
    Reference: Handling malicious switches in software defined networks, https://ieeexplore.ieee.org/abstract/document/7502995
  8. 1. Problem Statement - attack scenario

    Traffic delay: An attacker could manipulate a switch to delay its traffic and increase jitter, which is most problematic for time-sensitive traffic.
    For example: The attacker may command a switch to delay its traffic for an interval of time.
    Figure 6. The attacker adds t_seconds for each port.
    Reference: Handling malicious switches in software defined networks, https://ieeexplore.ieee.org/abstract/document/7502995
  9. 2. Our Proposed Scheme

    Figure 8. An illustration of traffic tracking of a switch with time-series representation (plot labels: stats, No. flows, time).
  10. 2. Our Proposed Scheme

    Figure 9. Abnormal traffic with time-series representation (panels: Before being compromised, After being compromised; annotation: error)
    • Before being compromised, the gap between the prediction line and the actual line is narrow, which proves that the ARIMA model “learns” well, producing a minor error.
    • After being compromised, the gap between the prediction line and the actual line is more substantial, which proves that the ARIMA model could not “learn” effectively, producing a greater error.
  11. 2. Our Proposed Scheme

    Proposed scheme steps:
    1. Data acquisition (the number of flows of every switch, every 3 s).
    2. Data processing using Box-Cox transformation + normalization.
    3. Forecasting based on the ARIMA model.
    4. Classification of chaotic and non-chaotic errors by applying the Lyapunov exponent.
    5. Proposing a set of rules.
    6. Final decision based on the set of rules.
  12. 2. Our Proposed Scheme

    IF A = 1: Normal traffic
    • The positive maximum Lyapunov exponent shows that chaotic behavior exists
    • The chaotic error at the t-th time
    • (During the abnormal times, the ratio of real traffic to the predicted traffic changes significantly)
    A = 0: Abnormal traffic
  13. 3. Experimental Setup

    Figure 10. Ring topology (16 switches)
    Figure 11. Traffic of each switch by time-series representation
  14. 4. Evaluation (1/2)

    Figure 12. Accuracy
    Figure 13. False Alarm Rate
    Reference: WedgeTail: An Intrusion Prevention System for the Data Plane of Software Defined Networks, https://arxiv.org/abs/1708.05477
  15. 4. Evaluation (2/2)

    Figure 14. CPU usage
    Figure 15. Memory usage
  16. 5. Conclusion & Future Works

    Conclusion
    • Compromised switches are a serious security vulnerability.
    • The proposed system can detect compromised switches effectively.
    Future Works
    • Applying new techniques to perform better in terms of CPU usage.
    • Using more metrics to evaluate the performance.
  17. Thank You
  18. Appendix

    ARIMA is an integration of Autoregressive (AR) and Moving Average (MA) models.
    Autoregressive (AR) process:
    • The current value of the series depends on its own previous values.
    • AR(p) – the current value depends on its own p previous values.
    • p is the order of the AR process.
    Moving Average (MA) process:
    • The current deviation from the mean depends on previous deviations.
    • MA(q) – the current deviation from the mean depends on q previous deviations.
    • q is the order of the MA process.
  19. Appendix

    ARIMA can be expressed as:
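
Steps 1 to 3 of the proposed scheme and the forecast-error gap described for Figure 9, as an added Python example that is not code from the slides or from the authors. The ARIMA order (1,1,0), the Box-Cox λ = 0.5, the +1 shift and the flow counts themselves are assumptions constructed for illustration; the slides do not state them.

```python
import math

def box_cox(x, lam):
    """Box-Cox transform of a positive value (log form when lam == 0)."""
    return math.log(x) if lam == 0 else (x ** lam - 1.0) / lam

def preprocess(counts, n_train, lam=0.5):
    """Step 2: Box-Cox (lam assumed), then min-max scaling by the baseline window."""
    z = [box_cox(c + 1.0, lam) for c in counts]   # +1 keeps zero counts valid
    lo, hi = min(z[:n_train]), max(z[:n_train])
    return [(v - lo) / (hi - lo) for v in z]

def fit_arima_110(y):
    """Least-squares AR(1) coefficient on first differences, i.e. ARIMA(1,1,0)."""
    d = [b - a for a, b in zip(y, y[1:])]
    num = sum(d[i] * d[i - 1] for i in range(1, len(d)))
    den = sum(v * v for v in d[:-1])
    return num / den

def forecast_errors(y, phi):
    """Step 3: one-step forecast y[t-1] + phi*(y[t-1]-y[t-2]); returns |actual - forecast|."""
    return [abs(y[t] - (y[t - 1] + phi * (y[t - 1] - y[t - 2])))
            for t in range(2, len(y))]

def constructed_counts(n_normal=120, n_bad=60):
    """Step 1 stand-in: constructed flow counts per 3 s interval for one switch."""
    normal = [round(100 + 20 * math.sin(2 * math.pi * t / 20)) for t in range(n_normal)]
    x, bad = 0.3, []
    for _ in range(n_bad):
        x = 3.99 * x * (1 - x)        # logistic map: erratic counts after compromise
        bad.append(round(20 + 80 * x))
    return normal + bad

def error_gap(n_train=120):
    """Fit on the baseline window only, then compare mean |error| before and after."""
    y = preprocess(constructed_counts(), n_train)
    phi = fit_arima_110(y[:n_train])
    err = forecast_errors(y, phi)
    before = err[:n_train - 2]        # forecasts for t = 2 .. n_train-1
    after = err[n_train - 2:]         # forecasts from the first compromised interval on
    return phi, sum(before) / len(before), sum(after) / len(after)

if __name__ == "__main__":
    phi, before, after = error_gap()
    print(f"phi={phi:.3f}  mean |error| before={before:.4f}  after={after:.4f}")
```

The error series returned by `forecast_errors` is the input that step 4 of the scheme classifies as chaotic or non-chaotic.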