Presentation is loading. Please wait.

Presentation is loading. Please wait.

Presented By: Mohammed Al-Mehdhar 2015. Presentation Outline Introduction Approaches Implementation Evaluation Conclusion Q & A.

Published byAusten McCoy Modified over 8 years ago

Similar presentations

Presentation on theme: "Presented By: Mohammed Al-Mehdhar 2015. Presentation Outline Introduction Approaches Implementation Evaluation Conclusion Q & A."— Presentation transcript:

1 Presented By: Mohammed Al-Mehdhar 2015

2 Presentation Outline Introduction Approaches Implementation Evaluation Conclusion Q & A

3 Some SDN security solutions OpenWatch PermOF ETHAN FleXam SANE FLOVER VeriFlow FRESCO

4 Why SPHINX? SPHINX can detect both known and potentially unknown attacks on network topology and data plane forwarding originating within an SDN. Present incremental flow graphs as a novel abstraction for real-time detection of security threats. leverages the novel abstraction of flow graphs. SPHINX dynamically learns new network behavior and raises alerts when it detects suspicious changes to existing network control plane behavior SPHINX is capable of detecting attacks in SDNs in realtime with low performance overheads, and requires no changes to the controllers for deployment

5 SPHINX Contribution SPHINX can detect both known and potentially unknown attacks on network topology and data plane forwarding originating within an SDN. Examine four popular SDN controllers and demonstrate that they are vulnerable to a diverse array of attacks on network topology and data plane forwarding. Present incremental flow graphs as a novel abstraction for real-time detection of security threats. Present the design and implementation of SPHINX and its policy engine, which allows network administrators to specify fine-grained security policies, and enables easy action attribution. Evaluate SPHINX to show that it is practical and involves acceptable overheads. Also report on experiences gained using SPHINX in four different case studies.

6 SPHINX Key Idea SPHINX gleans topological and forwarding state metadata from OpenFlow control messages to build incremental flow graphs and verify all SDN state in realtime, including detection of security attacks on topology and data plane forwarding (such as those listed in x III-A and later in x VIII) or violations of administrative policies. Any deviant behavior is flagged and reported.

7 SPHINX Overview verify onset of attacks on network topology and data plane forwarding. detect violations of policies within SDNs,Present incremental flow graphs as a novel abstraction for real-time detection of security threats. assumed a trusted controller (which is required for the correct functioning of the network), but do not trust either the switches or the end hosts. given that most SDN applications run as modules as part of the controller binary, they can be trusted as long as the controller itself is trusted. SPHINX uses flow graphs to model both network topology and data plane forwarding in SDNs.

8 SPHINX Flow graph SPHINX uses flow graphs to model both network topology and data plane forwarding in SDNs. Flow paths are constructed only using FLOW_MOD messages because they are issued by the trusted controller. Untrusted STATS_REPLY messages from each switch only update flow statistics of the corresponding switch, and do not affect the flow graph structure. Flow graphs exploit the predictability and pattern in both topological and data plane forwarding inferred from control messages to detect attacks originating within the SDN If there is a majority of tampered or untrusted messages, then flow graphs will perceive incorrect messages as normal behavior and not raise any alarms

9 SPHINX WOrkFlow SPHINX’s workflow, which involves three stages. 1-SPHINX monitors all controller communication and identifies relevant OpenFlow messages required to build a comprehensive view of the network. 2-SPHINX analyzes these OpenFlow messages and extracts topological and forwarding state metadata to incrementally build a network graph complete with traffic flows. SPHINX maintains topological and forwarding state metadata captured from (i) incoming OpenFlow packet headers, (ii) outgoing flow path setup directives, (iii) actual flow traffic measurements over the network links, respectively. 3-SPHINX verifies the flow’s current metadata against (i) a set of permissible values of metadata gathered over the lifetime of a flow, (ii) administrative policies.

10 SPHINX Desing SPHINX aims to provide accurate and realtime verification of network behavior by providing three key features. First, it monitors all relevant OpenFlow control messages originating from the switches or the controller. Second, it leverages a succinct feature set that enables efficient verification of these messages. Third, it uses a custom algorithm for fast validation of network updates as they are processed by the controller.

11 SPHINX Policy Engine SPHINX provides a light-weight policy framework that enables administrators to specify validation checks on incremental flow graphs. SPHINX validates all flow graphs against a set of constraints. i) any administrator-specified security policies, (ii) those acquired over time for a specific flow. These administrator-specified constraints must be expressed in a policy language

12 SPHINX Policy Engine SPHINX provides a light-weight policy framework that enables administrators to specify validation checks on incremental flow graphs. SPHINX validates all flow graphs against a set of constraints. i) any administrator-specified security policies, (ii) those acquired over time for a specific flow. These administrator-specified constraints must be expressed in a policy language SPHINX feeds the policy to a verifier, which ensures that the constraints are checked at the specified trigger.

13 SPHINX Policy Engine SPHINX provides a light-weight policy framework that enables administrators to specify validation checks on incremental flow graphs. SPHINX validates all flow graphs against a set of constraints. i) any administrator-specified security policies, (ii) those acquired over time for a specific flow. These administrator-specified constraints must be expressed in a policy language SPHINX feeds the policy to a verifier, which ensures that the constraints are checked at the specified trigger.

14 SPHINX Constraints Verification SPHINX determines three classes SPHINX validates all flow graphs against a set of constraints. (packet, path and flow) Packet-level metadata pertains to all metadata that are specific to just one specific PACKET_IN, such as information about a host’s IP/MAC binding, or link connection between two switches. Path-level metadata refers to all metadata that describe the network’s actual forwarding state behavior, such as the switch and port from which the packet was received. Flow-level metadata quantify the actual data plane forwarding in the network, and are extracted from the STATS_REPLY messages received periodically.

15 SPHINX Constraints Verification SPHINX validates such policies on the specified trigger. 1-Topological state constraint verification 2-Forwarding state constraint verification

16 SPHINX Implementation implement it as a controller-agnostic proxy that sits between the controller and the switches SPHINX is written in 2100 lines of JAVA, and leverages the Netty I/O library. It implements separate queues for switch to controller communication (PACKET_IN, FEATURES_REPLY and STATS_REPLY) and controller to switch communication (FLOW_MOD), for enhanced performance. SPHINX is compatible with OpenFlow v1:1:0, and works with both OpenDaylight v0:1:0 (ODL) and Floodlight v0:90 controllers. SPHINX can easily be integrated with other controllers such as Maestro and POX, and requires no significant changes. However, we needed to modify just 30 lines. SPHINX may also be implemented as a passive monitoring tool that replicates all control traffic at the switches and analyzes them separately.

17 SPHINX Evaluation Evaluate SPHINX’s accuracy by measuring - how quickly it can detect attacks, - the effectiveness of the byte consistency algorithm, - the false alarms generated under benign conditions measure user perceived latencies introduced by SPHINX variation in packet throughputs, overhead of policy verification EXPERIMENTAL SETUP. Our physical testbed consists of 10 servers connected to 14 switches (IBM RackSwitch G8264) arranged in a three-tiered design with 8 edge, 4 aggregate, and 2 core switches. All of our servers are IBM x3650 M3 machines having 2 Intel Xeon x5675 CPUs with 6 cores each (12 cores in total) at 3:07 GHz, and 128 GB of RAM, running 64 bit Ubuntu Linux v12:04.

18 SPHINX Evaluation SPHINX’s detection accuracy under two different parameters. First, SPHINX must provide near realtime detection of attacks. Second, even in the presence of diverse network traffic and multiple different faults, SPHINX should be able to quickly detect each attack.

19 SPHINX Evaluation

20

21 Conclusion SPHINX, a controller agnostic tool that leverages flow graphs to detect security threats on network topology and data plane forwarding originating within SDNs. We show that existing controllers are vulnerable to such attacks, and SPHINX can effectively detect them in realtime. SPHINX incrementally builds and updates flow graphs with succinct metadata for each network flow and uses both deterministic and probabilistic checks to identify deviant behavior. evaluation shows that SPHINX imposes minimal overheads.

22 感谢您的关注

Download ppt "Presented By: Mohammed Al-Mehdhar 2015. Presentation Outline Introduction Approaches Implementation Evaluation Conclusion Q & A."

Similar presentations

Abstract There is significant need to improve existing techniques for clustering multivariate network traffic flow record and quickly infer underlying.

Abstract There is significant need to improve existing techniques for clustering multivariate network traffic flow record and quickly infer underlying.
Slick: A control plane for middleboxes Bilal Anwer, Theophilus Benson, Dave Levin, Nick Feamster, Jennifer Rexford Supported by DARPA through the U.S.

Slick: A control plane for middleboxes Bilal Anwer, Theophilus Benson, Dave Levin, Nick Feamster, Jennifer Rexford Supported by DARPA through the U.S.
Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.

Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.
4.1.5 System Management Background What is in System Management Resource control and scheduling Booting, reconfiguration, defining limits for resource.

4.1.5 System Management Background What is in System Management Resource control and scheduling Booting, reconfiguration, defining limits for resource.
Intrusion Detection Systems By: William Pinkerton and Sean Burnside.

Intrusion Detection Systems By: William Pinkerton and Sean Burnside.
SDN Security Matt Bishop, Brian Perry University of California at Davis 1GEC 22, March 24th, 2015.

SDN Security Matt Bishop, Brian Perry University of California at Davis 1GEC 22, March 24th, 2015.
Scalable Flow-Based Networking with DIFANE 1 Minlan Yu Princeton University Joint work with Mike Freedman, Jennifer Rexford and Jia Wang.

Scalable Flow-Based Networking with DIFANE 1 Minlan Yu Princeton University Joint work with Mike Freedman, Jennifer Rexford and Jia Wang.
Traffic Management - OpenFlow Switch on the NetFPGA platform Chun-Jen Chung(1203584897) SriramGopinath(1203800749)

Traffic Management - OpenFlow Switch on the NetFPGA platform Chun-Jen Chung( ) SriramGopinath( )
EECS 598-2 Presentation Web Tap: Intelligent Intrusion Detection Kevin Borders.

EECS Presentation Web Tap: Intelligent Intrusion Detection Kevin Borders.
5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.

5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.
This work is supported by the National Science Foundation under Grant Number DUE-0302909. Any opinions, findings and conclusions or recommendations expressed.

This work is supported by the National Science Foundation under Grant Number DUE Any opinions, findings and conclusions or recommendations expressed.
Privacy-Preserving Cross-Domain Network Reachability Quantification

Privacy-Preserving Cross-Domain Network Reachability Quantification
Lesson 13-Intrusion Detection. Overview Define the types of Intrusion Detection Systems (IDS). Set up an IDS. Manage an IDS. Understand intrusion prevention.

Lesson 13-Intrusion Detection. Overview Define the types of Intrusion Detection Systems (IDS). Set up an IDS. Manage an IDS. Understand intrusion prevention.
Cumulative Violation For any window size  t  Communication-Efficient Tracking for Distributed Cumulative Triggers Ling Huang* Minos Garofalakis.

Cumulative Violation For any window size  t  Communication-Efficient Tracking for Distributed Cumulative Triggers Ling Huang* Minos Garofalakis.
Preventing Spam For SIP-based Sessions and Instant Messages Kumar Srivastava Henning Schulzrinne June 10, 2004.

Preventing Spam For SIP-based Sessions and Instant Messages Kumar Srivastava Henning Schulzrinne June 10, 2004.
1 Software Testing and Quality Assurance Lecture 30 – Testing Systems.

1 Software Testing and Quality Assurance Lecture 30 – Testing Systems.
Tesseract A 4D Network Control Plane

Tesseract A 4D Network Control Plane
DIDS part II The Return of dIDS 2/12 CIS 610. 2 GrIDS Graph based intrusion detection system for large networks. Analyzes network activity on networks.

DIDS part II The Return of dIDS 2/12 CIS GrIDS Graph based intrusion detection system for large networks. Analyzes network activity on networks.
Lecture 11 Intrusion Detection (cont)

Lecture 11 Intrusion Detection (cont)
Building Survivable Systems based on Intrusion Detection and Damage Containment Paper by: T. Bowen Presented by: Tiyseer Al Homaiyd 1.

Building Survivable Systems based on Intrusion Detection and Damage Containment Paper by: T. Bowen Presented by: Tiyseer Al Homaiyd 1.

Similar presentations

Ads by Google