SDNProbe: 利用主動式探測保護軟體定義網路資料層

Abstract

如何有效且正確的定位行為能夠違反控制器意圖的惡意交換機是個艱鉅的挑戰,並且現有的網路故障排除工具可能很容易地誤判在惡意交換機的實際行為和操作者的意圖之間的不一致性。在本論文中,我們提出 SDNProbe,一種輕量級的軟體定義網路應用程式,能夠送出最少量的探測封包精準的定位行為錯誤或故障的交換機。類似於現有的工具,控制器送出測試封包驗證規則是否正確地被執行。為了達到低網路成本以及快速的偵測,我們提出一種可證明的演算法產生最少量的測試封包能夠涵蓋所有在網路中的規則。為了防止強大攻擊者的規避 (例如:知道偵測的演算法或共謀攻擊),我們進一步地擴展演算法能夠隨機化測試路徑。根據真實的網路拓撲以及規則,我們的測量結果證實 SDNProbe 能夠藉由送出最少量的測試封包快速地定位惡意交換機。和其他最先進的技術相比,SDNProbe 定位所有惡意交換機所需的測試封包數量減少了 30%。因此,除了藉由軟體定義網路的支援能有一個系統化和自動化的網絡故障排除流程之外,我們使用顯著地低成本解決方法在面對內部網絡的攻擊者能更進一步保護網路工作流程。

Efficiently and correctly localizing malicious SDN switches whose behavior deviates from the controller’s intent is a daunting challenge, and existing network troubleshooting tools can easily misdetect the mismatch between the actual behavior of malicious switches and the operator’s intent. In this paper, we propose SDNProbe, a lightweight SDN application that sends minimized number of probe packets to pinpoint misbehaving or malfunctioning switches. Similar to existing tools, the controller sends test packets to validate whether flow entries are correctly executed. To achieve low network overhead and fast detection, we propose an algorithm to provably minimize the number of test packets required to cover every flow entry in the network. To prevent circumvention from strong adversaries (e..g., know the detection algorithm or collude), we further extend the algorithm to randomize the test paths. Based on realistic topologies and flow rules, our evaluation results confirm that SDNProbe can rapidly localize malicious switches by sending a minimal number of test packets. SDNProbe reduces the number of test packets required to localize all existing malicious switches by 30% compared to the state of the art technology. Hence, in addition to SDN’s support to a systematic and automatic network troubleshooting workflow, our work can further secure the workflow against in-network adversaries with significantly reduced overhead.