WedgeTail: An intrusion prevention system for the data plane of software defined networks

Arash Shaghaghi; Mohamed Ali Kaafar; Sanjay Jha

doi:10.1145/3052973.3053039

WedgeTail: An intrusion prevention system for the data plane of software defined networks

Arash Shaghaghi, Mohamed Ali Kaafar, Sanjay Jha

Research output: Chapter in Book/Report/Conference proceeding › Conference proceeding contribution › peer-review

42 Citations (Scopus)

Abstract

Networks are vulnerable to disruptions caused by malicious forwarding devices. The situation is likely to worsen in Soft- ware Defined Networks (SDNs) with the incompatibility of existing solutions, use of programmable soft switches and the potential of bringing down an entire network through compromised forwarding devices. In this paper, we present WedgeTail, an Intrusion Prevention System (IPS) designed to secure the SDN data plane. WedgeTail regards forward- ing devices as points within a geometric space and stores the path packets take when traversing the network as trajecto- ries. To be efficient, it prioritizes forwarding devices before inspection using an unsupervised trajectory-based sampling mechanism. For each of the forwarding device, WedgeTail computes the expected and actual trajectories of packets and 'hunts' for any forwarding device not processing pack- ets as expected. Compared to related work, WedgeTail is also capable of distinguishing between malicious actions such as packet drop and generation. Moreover, WedgeTail em- ploys a radically different methodology that enables detect- ing threats autonomously. In fact, it has no reliance on pre-defined rules by an administrator and may be easily im- ported to protect SDN networks with different setups, for- warding devices, and controllers. We have evaluated Wed- geTail in simulated environments, and it has been capable of detecting and responding to all implanted malicious for- warding devices within a reasonable time-frame. We report on the design, implementation, and evaluation of WedgeTail in this manuscript.

Original language	English
Title of host publication	ASIA CCS 2017
Subtitle of host publication	Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security
Place of Publication	New York, NY
Publisher	Association for Computing Machinery, Inc
Pages	849-861
Number of pages	13
ISBN (Electronic)	9781450349444
DOIs	https://doi.org/10.1145/3052973.3053039
Publication status	Published - 2 Apr 2017
Externally published	Yes
Event	2017 ACM Asia Conference on Computer and Communications Security, ASIA CCS 2017 - Abu Dhabi, United Arab Emirates Duration: 2 Apr 2017 → 6 Apr 2017

Conference

Conference	2017 ACM Asia Conference on Computer and Communications Security, ASIA CCS 2017
Country/Territory	United Arab Emirates
City	Abu Dhabi
Period	2/04/17 → 6/04/17

Keywords

Data plane security
Intrusion prevention system
SDN security
Software defined networks

Access to Document

10.1145/3052973.3053039

Cite this

@inproceedings{ef2443d1fe1b4eca8ef6e9008a337a56,

title = "WedgeTail: An intrusion prevention system for the data plane of software defined networks",

abstract = "Networks are vulnerable to disruptions caused by malicious forwarding devices. The situation is likely to worsen in Soft- ware Defined Networks (SDNs) with the incompatibility of existing solutions, use of programmable soft switches and the potential of bringing down an entire network through compromised forwarding devices. In this paper, we present WedgeTail, an Intrusion Prevention System (IPS) designed to secure the SDN data plane. WedgeTail regards forward- ing devices as points within a geometric space and stores the path packets take when traversing the network as trajecto- ries. To be efficient, it prioritizes forwarding devices before inspection using an unsupervised trajectory-based sampling mechanism. For each of the forwarding device, WedgeTail computes the expected and actual trajectories of packets and 'hunts' for any forwarding device not processing pack- ets as expected. Compared to related work, WedgeTail is also capable of distinguishing between malicious actions such as packet drop and generation. Moreover, WedgeTail em- ploys a radically different methodology that enables detect- ing threats autonomously. In fact, it has no reliance on pre-defined rules by an administrator and may be easily im- ported to protect SDN networks with different setups, for- warding devices, and controllers. We have evaluated Wed- geTail in simulated environments, and it has been capable of detecting and responding to all implanted malicious for- warding devices within a reasonable time-frame. We report on the design, implementation, and evaluation of WedgeTail in this manuscript.",

keywords = "Data plane security, Intrusion prevention system, SDN security, Software defined networks",

author = "Arash Shaghaghi and Kaafar, {Mohamed Ali} and Sanjay Jha",

year = "2017",

month = apr,

day = "2",

doi = "10.1145/3052973.3053039",

language = "English",

pages = "849--861",

booktitle = "ASIA CCS 2017",

publisher = "Association for Computing Machinery, Inc",

note = "2017 ACM Asia Conference on Computer and Communications Security, ASIA CCS 2017 ; Conference date: 02-04-2017 Through 06-04-2017",

}

Shaghaghi, A, Kaafar, MA & Jha, S 2017, WedgeTail: An intrusion prevention system for the data plane of software defined networks. in ASIA CCS 2017: Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security. Association for Computing Machinery, Inc, New York, NY, pp. 849-861, 2017 ACM Asia Conference on Computer and Communications Security, ASIA CCS 2017, Abu Dhabi, United Arab Emirates, 2/04/17. https://doi.org/10.1145/3052973.3053039

WedgeTail: An intrusion prevention system for the data plane of software defined networks. / Shaghaghi, Arash; Kaafar, Mohamed Ali; Jha, Sanjay.
ASIA CCS 2017: Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security. New York, NY: Association for Computing Machinery, Inc, 2017. p. 849-861.

Research output: Chapter in Book/Report/Conference proceeding › Conference proceeding contribution › peer-review

TY - GEN

T1 - WedgeTail

T2 - 2017 ACM Asia Conference on Computer and Communications Security, ASIA CCS 2017

AU - Shaghaghi, Arash

AU - Kaafar, Mohamed Ali

AU - Jha, Sanjay

PY - 2017/4/2

Y1 - 2017/4/2

N2 - Networks are vulnerable to disruptions caused by malicious forwarding devices. The situation is likely to worsen in Soft- ware Defined Networks (SDNs) with the incompatibility of existing solutions, use of programmable soft switches and the potential of bringing down an entire network through compromised forwarding devices. In this paper, we present WedgeTail, an Intrusion Prevention System (IPS) designed to secure the SDN data plane. WedgeTail regards forward- ing devices as points within a geometric space and stores the path packets take when traversing the network as trajecto- ries. To be efficient, it prioritizes forwarding devices before inspection using an unsupervised trajectory-based sampling mechanism. For each of the forwarding device, WedgeTail computes the expected and actual trajectories of packets and 'hunts' for any forwarding device not processing pack- ets as expected. Compared to related work, WedgeTail is also capable of distinguishing between malicious actions such as packet drop and generation. Moreover, WedgeTail em- ploys a radically different methodology that enables detect- ing threats autonomously. In fact, it has no reliance on pre-defined rules by an administrator and may be easily im- ported to protect SDN networks with different setups, for- warding devices, and controllers. We have evaluated Wed- geTail in simulated environments, and it has been capable of detecting and responding to all implanted malicious for- warding devices within a reasonable time-frame. We report on the design, implementation, and evaluation of WedgeTail in this manuscript.

AB - Networks are vulnerable to disruptions caused by malicious forwarding devices. The situation is likely to worsen in Soft- ware Defined Networks (SDNs) with the incompatibility of existing solutions, use of programmable soft switches and the potential of bringing down an entire network through compromised forwarding devices. In this paper, we present WedgeTail, an Intrusion Prevention System (IPS) designed to secure the SDN data plane. WedgeTail regards forward- ing devices as points within a geometric space and stores the path packets take when traversing the network as trajecto- ries. To be efficient, it prioritizes forwarding devices before inspection using an unsupervised trajectory-based sampling mechanism. For each of the forwarding device, WedgeTail computes the expected and actual trajectories of packets and 'hunts' for any forwarding device not processing pack- ets as expected. Compared to related work, WedgeTail is also capable of distinguishing between malicious actions such as packet drop and generation. Moreover, WedgeTail em- ploys a radically different methodology that enables detect- ing threats autonomously. In fact, it has no reliance on pre-defined rules by an administrator and may be easily im- ported to protect SDN networks with different setups, for- warding devices, and controllers. We have evaluated Wed- geTail in simulated environments, and it has been capable of detecting and responding to all implanted malicious for- warding devices within a reasonable time-frame. We report on the design, implementation, and evaluation of WedgeTail in this manuscript.

KW - Data plane security

KW - Intrusion prevention system

KW - SDN security

KW - Software defined networks

UR - http://www.scopus.com/inward/record.url?scp=85021938193&partnerID=8YFLogxK

U2 - 10.1145/3052973.3053039

DO - 10.1145/3052973.3053039

M3 - Conference proceeding contribution

AN - SCOPUS:85021938193

SP - 849

EP - 861

BT - ASIA CCS 2017

PB - Association for Computing Machinery, Inc

CY - New York, NY

Y2 - 2 April 2017 through 6 April 2017

ER -

WedgeTail: An intrusion prevention system for the data plane of software defined networks

Abstract

Conference

Keywords

Access to Document

Other files and links

Fingerprint

Cite this