Presented By: Mohammed Al-Mehdhar 2015. Presentation Outline Introduction Approaches Implementation Evaluation Conclusion Q & A.

Slides:

Advertisements

Similar presentations

Abstract There is significant need to improve existing techniques for clustering multivariate network traffic flow record and quickly infer underlying.

Advertisements

Slick: A control plane for middleboxes Bilal Anwer, Theophilus Benson, Dave Levin, Nick Feamster, Jennifer Rexford Supported by DARPA through the U.S.

Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.

4.1.5 System Management Background What is in System Management Resource control and scheduling Booting, reconfiguration, defining limits for resource.

Intrusion Detection Systems By: William Pinkerton and Sean Burnside.

SDN Security Matt Bishop, Brian Perry University of California at Davis 1GEC 22, March 24th, 2015.

Scalable Flow-Based Networking with DIFANE 1 Minlan Yu Princeton University Joint work with Mike Freedman, Jennifer Rexford and Jia Wang.

Traffic Management - OpenFlow Switch on the NetFPGA platform Chun-Jen Chung( ) SriramGopinath( )

EECS Presentation Web Tap: Intelligent Intrusion Detection Kevin Borders.

5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.

This work is supported by the National Science Foundation under Grant Number DUE Any opinions, findings and conclusions or recommendations expressed.

Privacy-Preserving Cross-Domain Network Reachability Quantification

Lesson 13-Intrusion Detection. Overview Define the types of Intrusion Detection Systems (IDS). Set up an IDS. Manage an IDS. Understand intrusion prevention.

Cumulative Violation For any window size  t  Communication-Efficient Tracking for Distributed Cumulative Triggers Ling Huang* Minos Garofalakis.

Preventing Spam For SIP-based Sessions and Instant Messages Kumar Srivastava Henning Schulzrinne June 10, 2004.

1 Software Testing and Quality Assurance Lecture 30 – Testing Systems.

Tesseract A 4D Network Control Plane

DIDS part II The Return of dIDS 2/12 CIS GrIDS Graph based intrusion detection system for large networks. Analyzes network activity on networks.

Lecture 11 Intrusion Detection (cont)

Building Survivable Systems based on Intrusion Detection and Damage Containment Paper by: T. Bowen Presented by: Tiyseer Al Homaiyd 1.

Department of Electrical and Computer Engineering Kekai Hu, Harikrishnan Chandrikakutty, Deepak Unnikrishnan, Tilman Wolf, and Russell Tessier Department.

The chapter will address the following questions:

Intrusion and Anomaly Detection in Network Traffic Streams: Checking and Machine Learning Approaches ONR MURI area: High Confidence Real-Time Misuse and.

1. Introduction Generally Intrusion Detection Systems (IDSs), as special-purpose devices to detect network anomalies and attacks, are using two approaches.

SECURING NETWORKS USING SDN AND MACHINE LEARNING DRAGOS COMANECI –

Section 11.1 Identify customer requirements Recommend appropriate network topologies Gather data about existing equipment and software Section 11.2 Demonstrate.

Towards a Safe Playground for HTTPS and Middle-Boxes with QoS2 Zhenyu Zhou CS Dept., Duke University.

GrIDS -- A Graph Based Intrusion Detection System For Large Networks Paper by S. Staniford-Chen et. al.

NICE :Network Intrusion Detection and Countermeasure Selection in Virtual Network Systems.

Software-Defined Networks Jennifer Rexford Princeton University.

Institute of Computer and Communication Network Engineering OFC/NFOEC, 6-10 March 2011, Los Angeles, CA Lessons Learned From Implementing a Path Computation.

VeriFlow: Verifying Network-Wide Invariants in Real Time

An Architectural Evaluation of SDN Controllers Syed Abdullah Shah, Jannet Faiz, Maham Farooq, Aamir Shafi, Syed Akbar Mehdi National University of Sciences.

Sujayyendhiren RS, Kaiqi Xiong and Minseok Kwon Rochester Institute of Technology Motivation Experimental Setup in ProtoGENI Conclusions and Future Work.

Detection Unknown Worms Using Randomness Check Computer and Communication Security Lab. Dept. of Computer Science and Engineering KOREA University Hyundo.

Vigilante: End-to-End Containment of Internet Worms Authors : M. Costa, J. Crowcroft, M. Castro, A. Rowstron, L. Zhou, L. Zhang, and P. Barham In Proceedings.

LATA: A Latency and Throughput- Aware Packet Processing System Author: Jilong Kuang and Laxmi Bhuyan Publisher: DAC 2010 Presenter: Chun-Sheng Hsueh Date:

HP OpenFlow Plugin and Libraries June 30, 2014.

A Firewall for Routers: Protecting Against Routing Misbehavior1 June 26, A Firewall for Routers: Protecting Against Routing Misbehavior Jia Wang.

A Dynamic Packet Stamping Methodology for DDoS Defense Project Presentation by Maitreya Natu, Kireeti Valicherla, Namratha Hundigopal CISC 859 University.

CINBAD CERN/HP ProCurve Joint Project on Networking 26 May 2009 Ryszard Erazm Jurga - CERN Milosz Marian Hulboj - CERN.

PwC New Technologies New Risks. PricewaterhouseCoopers Technology and Security Evolution Mainframe Technology –Single host –Limited Trusted users Security.

Cryptography and Network Security Sixth Edition by William Stallings.

Module 12: Responding to Security Incidents. Overview Introduction to Auditing and Incident Response Designing an Audit Policy Designing an Incident Response.

FirewallPK Security tool for centralized Access Control List Management th RoEduNet International Conference - Networking in Education and Research.

Selective Packet Inspection to Detect DoS Flooding Using Software Defined Networking Author : Tommy Chin Jr., Xenia Mountrouidou, Xiangyang Li and Kaiqi.

Automated Worm Fingerprinting Authors: Sumeet Singh, Cristian Estan, George Varghese and Stefan Savage Publish: OSDI'04. Presenter: YanYan Wang.

WebWatcher A Lightweight Tool for Analyzing Web Server Logs Hervé DEBAR IBM Zurich Research Laboratory Global Security Analysis Laboratory

Role Of Network IDS in Network Perimeter Defense.

 Introduction  Tripwire For Servers  Tripwire Manager  Tripwire For Network Devices  Working Of Tripwire  Advantages  Conclusion.

Requirement Elicitation Review – Class 8 Functional Requirements Nonfunctional Requirements Software Requirements document Requirements Validation and.

Header Space Analysis: Static Checking for Networks Broadband Network Technology Integrated M.S. and Ph.D. Eun-Do Kim Network Standards Research Section.

ECAT 4.1 – Rule Your Endpoints What’s New Customer Overview.

Securing Access to Data Using IPsec Josh Jones Cosc352.

IP Security (IPSec) Matt Hermanson. What is IPSec? It is an extension to the Internet Protocol (IP) suite that creates an encrypted and secure conversation.

Some Great Open Source Intrusion Detection Systems (IDSs)

SketchVisor: Robust Network Measurement for Software Packet Processing

SDN challenges Deployment challenges

The DPIaaS Controller Prototype

Hydra: Leveraging Functional Slicing for Efficient Distributed SDN Controllers Yiyang Chang, Ashkan Rezaei, Balajee Vamanan, Jahangir Hasan, Sanjay Rao.

Distributed Network Traffic Feature Extraction for a Real-time IDS

Authors: Sajjad Rizvi, Xi Li, Bernard Wong, Fiodar Kazhamiaka

SYSTEM ANALYSIS AND DESIGN

Northbound API Dan Shmidt | January 2017

Dynamic Packet-filtering in High-speed Networks Using NetFPGAs

2018/12/10 Energy Efficient SDN Commodity Switch based Practical Flow Forwarding Method Author: Amer AlGhadhban and Basem Shihada Publisher: 2016 IEEE/IFIP.

SDN-Guard: DoS Attacks Mitigation in SDN Networks

Autonomous Network Alerting Systems and Programmable Networks

OpenSec：Policy-Based Security Using Software-Defined Networking

Presentation transcript:

Presented By: Mohammed Al-Mehdhar 2015

Presentation Outline Introduction Approaches Implementation Evaluation Conclusion Q & A

Some SDN security solutions OpenWatch PermOF ETHAN FleXam SANE FLOVER VeriFlow FRESCO

Why SPHINX? SPHINX can detect both known and potentially unknown attacks on network topology and data plane forwarding originating within an SDN. Present incremental flow graphs as a novel abstraction for real-time detection of security threats. leverages the novel abstraction of flow graphs. SPHINX dynamically learns new network behavior and raises alerts when it detects suspicious changes to existing network control plane behavior SPHINX is capable of detecting attacks in SDNs in realtime with low performance overheads, and requires no changes to the controllers for deployment

SPHINX Contribution SPHINX can detect both known and potentially unknown attacks on network topology and data plane forwarding originating within an SDN. Examine four popular SDN controllers and demonstrate that they are vulnerable to a diverse array of attacks on network topology and data plane forwarding. Present incremental flow graphs as a novel abstraction for real-time detection of security threats. Present the design and implementation of SPHINX and its policy engine, which allows network administrators to specify fine-grained security policies, and enables easy action attribution. Evaluate SPHINX to show that it is practical and involves acceptable overheads. Also report on experiences gained using SPHINX in four different case studies.

SPHINX Key Idea SPHINX gleans topological and forwarding state metadata from OpenFlow control messages to build incremental flow graphs and verify all SDN state in realtime, including detection of security attacks on topology and data plane forwarding (such as those listed in x III-A and later in x VIII) or violations of administrative policies. Any deviant behavior is flagged and reported.

SPHINX Overview verify onset of attacks on network topology and data plane forwarding. detect violations of policies within SDNs,Present incremental flow graphs as a novel abstraction for real-time detection of security threats. assumed a trusted controller (which is required for the correct functioning of the network), but do not trust either the switches or the end hosts. given that most SDN applications run as modules as part of the controller binary, they can be trusted as long as the controller itself is trusted. SPHINX uses flow graphs to model both network topology and data plane forwarding in SDNs.

SPHINX Flow graph SPHINX uses flow graphs to model both network topology and data plane forwarding in SDNs. Flow paths are constructed only using FLOW_MOD messages because they are issued by the trusted controller. Untrusted STATS_REPLY messages from each switch only update flow statistics of the corresponding switch, and do not affect the flow graph structure. Flow graphs exploit the predictability and pattern in both topological and data plane forwarding inferred from control messages to detect attacks originating within the SDN If there is a majority of tampered or untrusted messages, then flow graphs will perceive incorrect messages as normal behavior and not raise any alarms

SPHINX WOrkFlow SPHINX’s workflow, which involves three stages. 1-SPHINX monitors all controller communication and identifies relevant OpenFlow messages required to build a comprehensive view of the network. 2-SPHINX analyzes these OpenFlow messages and extracts topological and forwarding state metadata to incrementally build a network graph complete with traffic flows. SPHINX maintains topological and forwarding state metadata captured from (i) incoming OpenFlow packet headers, (ii) outgoing flow path setup directives, (iii) actual flow traffic measurements over the network links, respectively. 3-SPHINX verifies the flow’s current metadata against (i) a set of permissible values of metadata gathered over the lifetime of a flow, (ii) administrative policies.

SPHINX Desing SPHINX aims to provide accurate and realtime verification of network behavior by providing three key features. First, it monitors all relevant OpenFlow control messages originating from the switches or the controller. Second, it leverages a succinct feature set that enables efficient verification of these messages. Third, it uses a custom algorithm for fast validation of network updates as they are processed by the controller.

SPHINX Policy Engine SPHINX provides a light-weight policy framework that enables administrators to specify validation checks on incremental flow graphs. SPHINX validates all flow graphs against a set of constraints. i) any administrator-specified security policies, (ii) those acquired over time for a specific flow. These administrator-specified constraints must be expressed in a policy language

SPHINX Policy Engine SPHINX provides a light-weight policy framework that enables administrators to specify validation checks on incremental flow graphs. SPHINX validates all flow graphs against a set of constraints. i) any administrator-specified security policies, (ii) those acquired over time for a specific flow. These administrator-specified constraints must be expressed in a policy language SPHINX feeds the policy to a verifier, which ensures that the constraints are checked at the specified trigger.

SPHINX Policy Engine SPHINX provides a light-weight policy framework that enables administrators to specify validation checks on incremental flow graphs. SPHINX validates all flow graphs against a set of constraints. i) any administrator-specified security policies, (ii) those acquired over time for a specific flow. These administrator-specified constraints must be expressed in a policy language SPHINX feeds the policy to a verifier, which ensures that the constraints are checked at the specified trigger.

SPHINX Constraints Verification SPHINX determines three classes SPHINX validates all flow graphs against a set of constraints. (packet, path and flow) Packet-level metadata pertains to all metadata that are specific to just one specific PACKET_IN, such as information about a host’s IP/MAC binding, or link connection between two switches. Path-level metadata refers to all metadata that describe the network’s actual forwarding state behavior, such as the switch and port from which the packet was received. Flow-level metadata quantify the actual data plane forwarding in the network, and are extracted from the STATS_REPLY messages received periodically.

SPHINX Constraints Verification SPHINX validates such policies on the specified trigger. 1-Topological state constraint verification 2-Forwarding state constraint verification

SPHINX Implementation implement it as a controller-agnostic proxy that sits between the controller and the switches SPHINX is written in 2100 lines of JAVA, and leverages the Netty I/O library. It implements separate queues for switch to controller communication (PACKET_IN, FEATURES_REPLY and STATS_REPLY) and controller to switch communication (FLOW_MOD), for enhanced performance. SPHINX is compatible with OpenFlow v1:1:0, and works with both OpenDaylight v0:1:0 (ODL) and Floodlight v0:90 controllers. SPHINX can easily be integrated with other controllers such as Maestro and POX, and requires no significant changes. However, we needed to modify just 30 lines. SPHINX may also be implemented as a passive monitoring tool that replicates all control traffic at the switches and analyzes them separately.

SPHINX Evaluation Evaluate SPHINX’s accuracy by measuring - how quickly it can detect attacks, - the effectiveness of the byte consistency algorithm, - the false alarms generated under benign conditions measure user perceived latencies introduced by SPHINX variation in packet throughputs, overhead of policy verification EXPERIMENTAL SETUP. Our physical testbed consists of 10 servers connected to 14 switches (IBM RackSwitch G8264) arranged in a three-tiered design with 8 edge, 4 aggregate, and 2 core switches. All of our servers are IBM x3650 M3 machines having 2 Intel Xeon x5675 CPUs with 6 cores each (12 cores in total) at 3:07 GHz, and 128 GB of RAM, running 64 bit Ubuntu Linux v12:04.

SPHINX Evaluation SPHINX’s detection accuracy under two different parameters. First, SPHINX must provide near realtime detection of attacks. Second, even in the presence of diverse network traffic and multiple different faults, SPHINX should be able to quickly detect each attack.

SPHINX Evaluation

Conclusion SPHINX, a controller agnostic tool that leverages flow graphs to detect security threats on network topology and data plane forwarding originating within SDNs. We show that existing controllers are vulnerable to such attacks, and SPHINX can effectively detect them in realtime. SPHINX incrementally builds and updates flow graphs with succinct metadata for each network flow and uses both deterministic and probabilistic checks to identify deviant behavior. evaluation shows that SPHINX imposes minimal overheads.

感谢您的关注