sphinx: detecting security attacks in software-defined ...€¦ · 10/09/2017 · sphinx:...
TRANSCRIPT
![Page 1: Sphinx: Detecting Security Attacks in Software-Defined ...€¦ · 10/09/2017 · Sphinx: Detecting Security Attacks in Software-Defined Networks Mohan Dhawan Rishabh Poddar Kshiteej](https://reader034.vdocument.in/reader034/viewer/2022042806/5f6ab0e6965dcf716676a493/html5/thumbnails/1.jpg)
Sphinx: Detecting Security Attacks in Software-Defined Networks
Mohan Dhawan Rishabh Poddar Kshiteej Mahajan Vijay Mann
IBM Research, India
![Page 2: Sphinx: Detecting Security Attacks in Software-Defined ...€¦ · 10/09/2017 · Sphinx: Detecting Security Attacks in Software-Defined Networks Mohan Dhawan Rishabh Poddar Kshiteej](https://reader034.vdocument.in/reader034/viewer/2022042806/5f6ab0e6965dcf716676a493/html5/thumbnails/2.jpg)
Feb 11th, 2015 NDSS'15
Software-Defined Network (SDN)
Logically-centralized control
switches
SDN ControllerSmart, slow
Dumb, fast
Data plane2
![Page 3: Sphinx: Detecting Security Attacks in Software-Defined ...€¦ · 10/09/2017 · Sphinx: Detecting Security Attacks in Software-Defined Networks Mohan Dhawan Rishabh Poddar Kshiteej](https://reader034.vdocument.in/reader034/viewer/2022042806/5f6ab0e6965dcf716676a493/html5/thumbnails/3.jpg)
Feb 11th, 2015 NDSS'15
Software-Defined Network (SDN)
Logically-centralized control
switches
SDN ControllerSmart, slow
Dumb, fast
Control plane
2
![Page 4: Sphinx: Detecting Security Attacks in Software-Defined ...€¦ · 10/09/2017 · Sphinx: Detecting Security Attacks in Software-Defined Networks Mohan Dhawan Rishabh Poddar Kshiteej](https://reader034.vdocument.in/reader034/viewer/2022042806/5f6ab0e6965dcf716676a493/html5/thumbnails/4.jpg)
Feb 11th, 2015 NDSS'15
Software-Defined Network (SDN)
Logically-centralized control
switches
SDN ControllerSmart, slow
Dumb, fast
2
![Page 5: Sphinx: Detecting Security Attacks in Software-Defined ...€¦ · 10/09/2017 · Sphinx: Detecting Security Attacks in Software-Defined Networks Mohan Dhawan Rishabh Poddar Kshiteej](https://reader034.vdocument.in/reader034/viewer/2022042806/5f6ab0e6965dcf716676a493/html5/thumbnails/5.jpg)
Feb 11th, 2015 NDSS'15
Software-Defined Network (SDN)
SDN Controller
A
B2
![Page 6: Sphinx: Detecting Security Attacks in Software-Defined ...€¦ · 10/09/2017 · Sphinx: Detecting Security Attacks in Software-Defined Networks Mohan Dhawan Rishabh Poddar Kshiteej](https://reader034.vdocument.in/reader034/viewer/2022042806/5f6ab0e6965dcf716676a493/html5/thumbnails/6.jpg)
Feb 11th, 2015 NDSS'15
Software-Defined Network (SDN)
SDN Controller
A
B
PACKET_IN
2
![Page 7: Sphinx: Detecting Security Attacks in Software-Defined ...€¦ · 10/09/2017 · Sphinx: Detecting Security Attacks in Software-Defined Networks Mohan Dhawan Rishabh Poddar Kshiteej](https://reader034.vdocument.in/reader034/viewer/2022042806/5f6ab0e6965dcf716676a493/html5/thumbnails/7.jpg)
Feb 11th, 2015 NDSS'15
Software-Defined Network (SDN)
SDN Controller
A
B2
![Page 8: Sphinx: Detecting Security Attacks in Software-Defined ...€¦ · 10/09/2017 · Sphinx: Detecting Security Attacks in Software-Defined Networks Mohan Dhawan Rishabh Poddar Kshiteej](https://reader034.vdocument.in/reader034/viewer/2022042806/5f6ab0e6965dcf716676a493/html5/thumbnails/8.jpg)
Feb 11th, 2015 NDSS'15
Software-Defined Network (SDN)
SDN Controller
A
B2
![Page 9: Sphinx: Detecting Security Attacks in Software-Defined ...€¦ · 10/09/2017 · Sphinx: Detecting Security Attacks in Software-Defined Networks Mohan Dhawan Rishabh Poddar Kshiteej](https://reader034.vdocument.in/reader034/viewer/2022042806/5f6ab0e6965dcf716676a493/html5/thumbnails/9.jpg)
Feb 11th, 2015 NDSS'15
Software-Defined Network (SDN)
SDN Controller
A
B2
![Page 10: Sphinx: Detecting Security Attacks in Software-Defined ...€¦ · 10/09/2017 · Sphinx: Detecting Security Attacks in Software-Defined Networks Mohan Dhawan Rishabh Poddar Kshiteej](https://reader034.vdocument.in/reader034/viewer/2022042806/5f6ab0e6965dcf716676a493/html5/thumbnails/10.jpg)
Feb 11th, 2015 NDSS'15
Software-Defined Network (SDN)
SDN ControllerCorrect functioning requires preservation of
● Network topology● Data plane forwarding
2
![Page 11: Sphinx: Detecting Security Attacks in Software-Defined ...€¦ · 10/09/2017 · Sphinx: Detecting Security Attacks in Software-Defined Networks Mohan Dhawan Rishabh Poddar Kshiteej](https://reader034.vdocument.in/reader034/viewer/2022042806/5f6ab0e6965dcf716676a493/html5/thumbnails/11.jpg)
Feb 11th, 2015 NDSS'15
Outline
● SDN Overview● Motivation● Sphinx● Implementation● Evaluation● Conclusion
3
![Page 12: Sphinx: Detecting Security Attacks in Software-Defined ...€¦ · 10/09/2017 · Sphinx: Detecting Security Attacks in Software-Defined Networks Mohan Dhawan Rishabh Poddar Kshiteej](https://reader034.vdocument.in/reader034/viewer/2022042806/5f6ab0e6965dcf716676a493/html5/thumbnails/12.jpg)
Feb 11th, 2015 NDSS'15
Vulnerable SDNs
● OpenFlow operational semantics– All unmatched packets are forwarded to the
controller
4
![Page 13: Sphinx: Detecting Security Attacks in Software-Defined ...€¦ · 10/09/2017 · Sphinx: Detecting Security Attacks in Software-Defined Networks Mohan Dhawan Rishabh Poddar Kshiteej](https://reader034.vdocument.in/reader034/viewer/2022042806/5f6ab0e6965dcf716676a493/html5/thumbnails/13.jpg)
Feb 11th, 2015 NDSS'15
Vulnerable SDNs
● OpenFlow operational semantics– All unmatched packets are forwarded to the
controller
● Attacks afflicting traditional networks affect SDNs too– Traditional defenses do not work in SDNs
4
![Page 14: Sphinx: Detecting Security Attacks in Software-Defined ...€¦ · 10/09/2017 · Sphinx: Detecting Security Attacks in Software-Defined Networks Mohan Dhawan Rishabh Poddar Kshiteej](https://reader034.vdocument.in/reader034/viewer/2022042806/5f6ab0e6965dcf716676a493/html5/thumbnails/14.jpg)
Feb 11th, 2015 NDSS'15
Vulnerable SDNs
● OpenFlow operational semantics– All unmatched packets are forwarded to the
controller
● Attacks afflicting traditional networks affect SDNs too– Traditional defenses do not work in SDNs
● Attacks possible from compromised switches and end hosts– Soft switches on end host servers attractive
targets for attackers4
![Page 15: Sphinx: Detecting Security Attacks in Software-Defined ...€¦ · 10/09/2017 · Sphinx: Detecting Security Attacks in Software-Defined Networks Mohan Dhawan Rishabh Poddar Kshiteej](https://reader034.vdocument.in/reader034/viewer/2022042806/5f6ab0e6965dcf716676a493/html5/thumbnails/15.jpg)
Feb 11th, 2015 NDSS'15
Several Attacks Possible
● Network topology– Corrupt routing table (ARP)
– Fake topology (LLDP)
– Multicast (IGMP)
● Data plane forwarding– Switch TCAM exhaustion
– Switch blackhole
5
![Page 16: Sphinx: Detecting Security Attacks in Software-Defined ...€¦ · 10/09/2017 · Sphinx: Detecting Security Attacks in Software-Defined Networks Mohan Dhawan Rishabh Poddar Kshiteej](https://reader034.vdocument.in/reader034/viewer/2022042806/5f6ab0e6965dcf716676a493/html5/thumbnails/16.jpg)
Feb 11th, 2015 NDSS'15
Controller Vulnerability
● Security analysis of four popular available SDN controllers
Attack OpenDaylight Floodlight POX Maestro
ARP poisoning Y Y Y Y
Fake topology Y Y N Y
Controller DoS Y N Y Y
Network DoS Y Y Y Y
TCAM exhaustion N Y Y Y
Switch blackhole Y Y Y Y
7
![Page 17: Sphinx: Detecting Security Attacks in Software-Defined ...€¦ · 10/09/2017 · Sphinx: Detecting Security Attacks in Software-Defined Networks Mohan Dhawan Rishabh Poddar Kshiteej](https://reader034.vdocument.in/reader034/viewer/2022042806/5f6ab0e6965dcf716676a493/html5/thumbnails/17.jpg)
Feb 11th, 2015 NDSS'15
Fake Network Topology Attack
SDN ControllerLLDP
A
B
C
D
6
![Page 18: Sphinx: Detecting Security Attacks in Software-Defined ...€¦ · 10/09/2017 · Sphinx: Detecting Security Attacks in Software-Defined Networks Mohan Dhawan Rishabh Poddar Kshiteej](https://reader034.vdocument.in/reader034/viewer/2022042806/5f6ab0e6965dcf716676a493/html5/thumbnails/18.jpg)
Feb 11th, 2015 NDSS'15
Fake Network Topology Attack
SDN Controller
A
B
C
D
LLDP
6
![Page 19: Sphinx: Detecting Security Attacks in Software-Defined ...€¦ · 10/09/2017 · Sphinx: Detecting Security Attacks in Software-Defined Networks Mohan Dhawan Rishabh Poddar Kshiteej](https://reader034.vdocument.in/reader034/viewer/2022042806/5f6ab0e6965dcf716676a493/html5/thumbnails/19.jpg)
Feb 11th, 2015 NDSS'15
Fake Network Topology Attack
SDN Controller
A
B
C
DLLDP
LLDPD
D
6
![Page 20: Sphinx: Detecting Security Attacks in Software-Defined ...€¦ · 10/09/2017 · Sphinx: Detecting Security Attacks in Software-Defined Networks Mohan Dhawan Rishabh Poddar Kshiteej](https://reader034.vdocument.in/reader034/viewer/2022042806/5f6ab0e6965dcf716676a493/html5/thumbnails/20.jpg)
Feb 11th, 2015 NDSS'15
Fake Network Topology Attack
SDN Controller
A
B
C
D
PACKET_IN
LLDPCD
6
![Page 21: Sphinx: Detecting Security Attacks in Software-Defined ...€¦ · 10/09/2017 · Sphinx: Detecting Security Attacks in Software-Defined Networks Mohan Dhawan Rishabh Poddar Kshiteej](https://reader034.vdocument.in/reader034/viewer/2022042806/5f6ab0e6965dcf716676a493/html5/thumbnails/21.jpg)
Feb 11th, 2015 NDSS'15
Fake Network Topology Attack
SDN ControllerLLDP
A
B
C
D
PACKET_IN
BD
6
![Page 22: Sphinx: Detecting Security Attacks in Software-Defined ...€¦ · 10/09/2017 · Sphinx: Detecting Security Attacks in Software-Defined Networks Mohan Dhawan Rishabh Poddar Kshiteej](https://reader034.vdocument.in/reader034/viewer/2022042806/5f6ab0e6965dcf716676a493/html5/thumbnails/22.jpg)
Feb 11th, 2015 NDSS'15
Fake Network Topology Attack
SDN Controller
A
B
C
D
LLDPD
6
![Page 23: Sphinx: Detecting Security Attacks in Software-Defined ...€¦ · 10/09/2017 · Sphinx: Detecting Security Attacks in Software-Defined Networks Mohan Dhawan Rishabh Poddar Kshiteej](https://reader034.vdocument.in/reader034/viewer/2022042806/5f6ab0e6965dcf716676a493/html5/thumbnails/23.jpg)
Feb 11th, 2015 NDSS'15
Fake Network Topology Attack
SDN Controller
A
B
C
D
LLDPAD
PACKET_IN
6
![Page 24: Sphinx: Detecting Security Attacks in Software-Defined ...€¦ · 10/09/2017 · Sphinx: Detecting Security Attacks in Software-Defined Networks Mohan Dhawan Rishabh Poddar Kshiteej](https://reader034.vdocument.in/reader034/viewer/2022042806/5f6ab0e6965dcf716676a493/html5/thumbnails/24.jpg)
Feb 11th, 2015 NDSS'15
Fake Network Topology Attack
SDN Controller
A
B
C
D
LLDPAD
PACKET_IN
6
![Page 25: Sphinx: Detecting Security Attacks in Software-Defined ...€¦ · 10/09/2017 · Sphinx: Detecting Security Attacks in Software-Defined Networks Mohan Dhawan Rishabh Poddar Kshiteej](https://reader034.vdocument.in/reader034/viewer/2022042806/5f6ab0e6965dcf716676a493/html5/thumbnails/25.jpg)
Feb 11th, 2015 NDSS'15
Fake Network Topology Attack
SDN Controller
A
B
C
D
LLDPAD
PACKET_IN
Video demo: http://goo.gl/zRG8bz
6
![Page 26: Sphinx: Detecting Security Attacks in Software-Defined ...€¦ · 10/09/2017 · Sphinx: Detecting Security Attacks in Software-Defined Networks Mohan Dhawan Rishabh Poddar Kshiteej](https://reader034.vdocument.in/reader034/viewer/2022042806/5f6ab0e6965dcf716676a493/html5/thumbnails/26.jpg)
Feb 11th, 2015 NDSS'15
Outline
● SDN Overview● Motivation● Sphinx● Implementation● Evaluation● Conclusion
8
![Page 27: Sphinx: Detecting Security Attacks in Software-Defined ...€¦ · 10/09/2017 · Sphinx: Detecting Security Attacks in Software-Defined Networks Mohan Dhawan Rishabh Poddar Kshiteej](https://reader034.vdocument.in/reader034/viewer/2022042806/5f6ab0e6965dcf716676a493/html5/thumbnails/27.jpg)
Feb 11th, 2015 NDSS'15
Detecting Security Threats in Real Time
● Verify network actions using OpenFlow metadata– All controller communication mediated by a shim
– Learn network behaviour and automatically generate network invariants
9
![Page 28: Sphinx: Detecting Security Attacks in Software-Defined ...€¦ · 10/09/2017 · Sphinx: Detecting Security Attacks in Software-Defined Networks Mohan Dhawan Rishabh Poddar Kshiteej](https://reader034.vdocument.in/reader034/viewer/2022042806/5f6ab0e6965dcf716676a493/html5/thumbnails/28.jpg)
Feb 11th, 2015 NDSS'15
Key Idea: FlowGraphs
Exploit predictability and pattern in topologicaland data plane forwarding to detect violation
Time T1 10
![Page 29: Sphinx: Detecting Security Attacks in Software-Defined ...€¦ · 10/09/2017 · Sphinx: Detecting Security Attacks in Software-Defined Networks Mohan Dhawan Rishabh Poddar Kshiteej](https://reader034.vdocument.in/reader034/viewer/2022042806/5f6ab0e6965dcf716676a493/html5/thumbnails/29.jpg)
Feb 11th, 2015 NDSS'15
Key Idea: FlowGraphs
Exploit predictability and pattern in topologicaland data plane forwarding to detect violation
Time T2 10
![Page 30: Sphinx: Detecting Security Attacks in Software-Defined ...€¦ · 10/09/2017 · Sphinx: Detecting Security Attacks in Software-Defined Networks Mohan Dhawan Rishabh Poddar Kshiteej](https://reader034.vdocument.in/reader034/viewer/2022042806/5f6ab0e6965dcf716676a493/html5/thumbnails/30.jpg)
Feb 11th, 2015 NDSS'15
Workflow (I)
● Intercept relevant OpenFlow messages– PACKET_IN, FLOW_MOD, STATS_REPLY,
FEATURES_REPLY
● Intercept relevant OpenFlow messages to extract topological and forwarding metadata
11
![Page 31: Sphinx: Detecting Security Attacks in Software-Defined ...€¦ · 10/09/2017 · Sphinx: Detecting Security Attacks in Software-Defined Networks Mohan Dhawan Rishabh Poddar Kshiteej](https://reader034.vdocument.in/reader034/viewer/2022042806/5f6ab0e6965dcf716676a493/html5/thumbnails/31.jpg)
Feb 11th, 2015 NDSS'15
Workflow (I)
● Intercept relevant OpenFlow messages– PACKET_IN, FLOW_MOD, STATS_REPLY,
FEATURES_REPLY
● Intercept relevant OpenFlow messages to extract topological and forwarding metadata
Assumption: Honest majority ofswitches along flow path
11
![Page 32: Sphinx: Detecting Security Attacks in Software-Defined ...€¦ · 10/09/2017 · Sphinx: Detecting Security Attacks in Software-Defined Networks Mohan Dhawan Rishabh Poddar Kshiteej](https://reader034.vdocument.in/reader034/viewer/2022042806/5f6ab0e6965dcf716676a493/html5/thumbnails/32.jpg)
Feb 11th, 2015 NDSS'15
Workflow (II)
● Intercept relevant OpenFlow messages– PACKET_IN, FLOW_MOD, STATS_REPLY,
FEATURES_REPLY
● Generate flowgraph constraints from the extracted metadata
12
![Page 33: Sphinx: Detecting Security Attacks in Software-Defined ...€¦ · 10/09/2017 · Sphinx: Detecting Security Attacks in Software-Defined Networks Mohan Dhawan Rishabh Poddar Kshiteej](https://reader034.vdocument.in/reader034/viewer/2022042806/5f6ab0e6965dcf716676a493/html5/thumbnails/33.jpg)
Feb 11th, 2015 NDSS'15
Accurate Characterization of Flows
● Maintain mapping of entities and allowed metadata– Hosts (Src MAC/IP/port, Dst MAC/IP/port)
– Switches (Switch and in/out-port)
– Flows (Flow match and statistics)
● Incrementally augment the flowgraph with such constraints
13
![Page 34: Sphinx: Detecting Security Attacks in Software-Defined ...€¦ · 10/09/2017 · Sphinx: Detecting Security Attacks in Software-Defined Networks Mohan Dhawan Rishabh Poddar Kshiteej](https://reader034.vdocument.in/reader034/viewer/2022042806/5f6ab0e6965dcf716676a493/html5/thumbnails/34.jpg)
Feb 11th, 2015 NDSS'15
Workflow (III)
● Intercept relevant OpenFlow messages– PACKET_IN, FLOW_MOD, STATS_REPLY,
FEATURES_REPLY
● Use custom algorithms to detect constraint violations on flowgraphs
14
![Page 35: Sphinx: Detecting Security Attacks in Software-Defined ...€¦ · 10/09/2017 · Sphinx: Detecting Security Attacks in Software-Defined Networks Mohan Dhawan Rishabh Poddar Kshiteej](https://reader034.vdocument.in/reader034/viewer/2022042806/5f6ab0e6965dcf716676a493/html5/thumbnails/35.jpg)
Feb 11th, 2015 NDSS'15
Administrator Policies
● Specified in constraint language
15
![Page 36: Sphinx: Detecting Security Attacks in Software-Defined ...€¦ · 10/09/2017 · Sphinx: Detecting Security Attacks in Software-Defined Networks Mohan Dhawan Rishabh Poddar Kshiteej](https://reader034.vdocument.in/reader034/viewer/2022042806/5f6ab0e6965dcf716676a493/html5/thumbnails/36.jpg)
Feb 11th, 2015 NDSS'15
Administrator Policies
● Specified in constraint language
● Example policy to check if all flows from host H3 pass through specified waypoints S2 and S3
<Policy PolicyId="Waypoints"> <Subjects><Subject value="H3, *" /></Subjects> <Objects> <Object><Waypoint value="S2" /></Object> <Object><Waypoint value="S3" /></Object> </Objects> <Operation value="IN" /> <Trigger value="Periodic" /></Policy>
15
![Page 37: Sphinx: Detecting Security Attacks in Software-Defined ...€¦ · 10/09/2017 · Sphinx: Detecting Security Attacks in Software-Defined Networks Mohan Dhawan Rishabh Poddar Kshiteej](https://reader034.vdocument.in/reader034/viewer/2022042806/5f6ab0e6965dcf716676a493/html5/thumbnails/37.jpg)
Feb 11th, 2015 NDSS'15
Constraint Validation
● Topological state– Packet spoofing, controller DoS
– Fast and deterministic
16
![Page 38: Sphinx: Detecting Security Attacks in Software-Defined ...€¦ · 10/09/2017 · Sphinx: Detecting Security Attacks in Software-Defined Networks Mohan Dhawan Rishabh Poddar Kshiteej](https://reader034.vdocument.in/reader034/viewer/2022042806/5f6ab0e6965dcf716676a493/html5/thumbnails/38.jpg)
Feb 11th, 2015 NDSS'15
Constraint Validation
● Topological state– Packet spoofing, controller DoS
– Fast and deterministic
● Forwarding state– Flow graph consistency, switch DoS, flow statistics
– Both deterministic and probabilistic
– Similarity Index (SI) categorizes nature of flow using statistics observed at switches along the flow path
● Identify malicious switches along flow path
16
![Page 39: Sphinx: Detecting Security Attacks in Software-Defined ...€¦ · 10/09/2017 · Sphinx: Detecting Security Attacks in Software-Defined Networks Mohan Dhawan Rishabh Poddar Kshiteej](https://reader034.vdocument.in/reader034/viewer/2022042806/5f6ab0e6965dcf716676a493/html5/thumbnails/39.jpg)
Feb 11th, 2015 NDSS'15
Outline
● SDN Overview● Motivation● Sphinx● Implementation● Evaluation● Conclusion
17
![Page 40: Sphinx: Detecting Security Attacks in Software-Defined ...€¦ · 10/09/2017 · Sphinx: Detecting Security Attacks in Software-Defined Networks Mohan Dhawan Rishabh Poddar Kshiteej](https://reader034.vdocument.in/reader034/viewer/2022042806/5f6ab0e6965dcf716676a493/html5/thumbnails/40.jpg)
Feb 11th, 2015 NDSS'15
Implementation
● Controller-agnostic proxy between the controller and the switches– Prototype compatible with OpenFlow (v1.1.0)
– Works with OpenDaylight (v0.1.0) and Floodlight (v.0.90)
– Written in ~2100 Java LOC
– Uses the fast Netty I/O framework with separate queues for communication in either direction
18
![Page 41: Sphinx: Detecting Security Attacks in Software-Defined ...€¦ · 10/09/2017 · Sphinx: Detecting Security Attacks in Software-Defined Networks Mohan Dhawan Rishabh Poddar Kshiteej](https://reader034.vdocument.in/reader034/viewer/2022042806/5f6ab0e6965dcf716676a493/html5/thumbnails/41.jpg)
Feb 11th, 2015 NDSS'15
Outline
● SDN Overview● Motivation● Sphinx● Implementation● Evaluation● Conclusion
19
![Page 42: Sphinx: Detecting Security Attacks in Software-Defined ...€¦ · 10/09/2017 · Sphinx: Detecting Security Attacks in Software-Defined Networks Mohan Dhawan Rishabh Poddar Kshiteej](https://reader034.vdocument.in/reader034/viewer/2022042806/5f6ab0e6965dcf716676a493/html5/thumbnails/42.jpg)
Feb 11th, 2015 NDSS'15
Experimental Setup
● Physical setup of three tiered datacenter topology with 14 switches
● Emulated Mininet network of up to 10K hosts● Measure
– Accuracy of deterministic and probabilistic verification
– Performance impact on end user latency, throughput and policy verification
20
![Page 43: Sphinx: Detecting Security Attacks in Software-Defined ...€¦ · 10/09/2017 · Sphinx: Detecting Security Attacks in Software-Defined Networks Mohan Dhawan Rishabh Poddar Kshiteej](https://reader034.vdocument.in/reader034/viewer/2022042806/5f6ab0e6965dcf716676a493/html5/thumbnails/43.jpg)
Feb 11th, 2015 NDSS'15
Accuracy (I)
● Attack detection times under different settings
● Measure false alarms generated in three diverse benign traffic traces (14min, 65min and 2hr)– Execution raised no alarms
21
![Page 44: Sphinx: Detecting Security Attacks in Software-Defined ...€¦ · 10/09/2017 · Sphinx: Detecting Security Attacks in Software-Defined Networks Mohan Dhawan Rishabh Poddar Kshiteej](https://reader034.vdocument.in/reader034/viewer/2022042806/5f6ab0e6965dcf716676a493/html5/thumbnails/44.jpg)
Feb 11th, 2015 NDSS'15
Accuracy (II)
● Probabilistic verification – probability of false alarms and lack of genuine alarms at different margins of similarity (τ)
– τ = x implies that SI observed at each switch in the flow path must lie between SI/x and SI*x
– τ = 1 implies that all switches along the flow path must report the same flow statistics
– τ = 1.045 corresponds to link loss rate of 1%
22
![Page 45: Sphinx: Detecting Security Attacks in Software-Defined ...€¦ · 10/09/2017 · Sphinx: Detecting Security Attacks in Software-Defined Networks Mohan Dhawan Rishabh Poddar Kshiteej](https://reader034.vdocument.in/reader034/viewer/2022042806/5f6ab0e6965dcf716676a493/html5/thumbnails/45.jpg)
Feb 11th, 2015 NDSS'15
Accuracy (II)
● Probabilistic verification – probability of false alarms and lack of genuine alarms at different margins of similarity (τ)
22
![Page 46: Sphinx: Detecting Security Attacks in Software-Defined ...€¦ · 10/09/2017 · Sphinx: Detecting Security Attacks in Software-Defined Networks Mohan Dhawan Rishabh Poddar Kshiteej](https://reader034.vdocument.in/reader034/viewer/2022042806/5f6ab0e6965dcf716676a493/html5/thumbnails/46.jpg)
Feb 11th, 2015 NDSS'15
Performance (I)
● End user latency
Only 300µs at 50% for 1K hosts
23
![Page 47: Sphinx: Detecting Security Attacks in Software-Defined ...€¦ · 10/09/2017 · Sphinx: Detecting Security Attacks in Software-Defined Networks Mohan Dhawan Rishabh Poddar Kshiteej](https://reader034.vdocument.in/reader034/viewer/2022042806/5f6ab0e6965dcf716676a493/html5/thumbnails/47.jpg)
Feb 11th, 2015 NDSS'15
Performance (II)
● Throughput
Just 2% overhead
24
![Page 48: Sphinx: Detecting Security Attacks in Software-Defined ...€¦ · 10/09/2017 · Sphinx: Detecting Security Attacks in Software-Defined Networks Mohan Dhawan Rishabh Poddar Kshiteej](https://reader034.vdocument.in/reader034/viewer/2022042806/5f6ab0e6965dcf716676a493/html5/thumbnails/48.jpg)
Feb 11th, 2015 NDSS'15
Performance (III)
● Policy verification
Only 869µs for 10K policies
25
![Page 49: Sphinx: Detecting Security Attacks in Software-Defined ...€¦ · 10/09/2017 · Sphinx: Detecting Security Attacks in Software-Defined Networks Mohan Dhawan Rishabh Poddar Kshiteej](https://reader034.vdocument.in/reader034/viewer/2022042806/5f6ab0e6965dcf716676a493/html5/thumbnails/49.jpg)
Feb 11th, 2015 NDSS'15
Outline
● SDN Overview● Motivation● Sphinx● Implementation● Evaluation● Conclusion
26
![Page 50: Sphinx: Detecting Security Attacks in Software-Defined ...€¦ · 10/09/2017 · Sphinx: Detecting Security Attacks in Software-Defined Networks Mohan Dhawan Rishabh Poddar Kshiteej](https://reader034.vdocument.in/reader034/viewer/2022042806/5f6ab0e6965dcf716676a493/html5/thumbnails/50.jpg)
Feb 11th, 2015 NDSS'15
Conclusion
● Existing controllers are vulnerable to a wide array of attacks
● Sphinx is a controller agnostic tool that detects security threats originating within SDNs in real time
● Sphinx builds succinct metadata for each network flow and uses both deterministic and probabilistic checks to identify deviant behavior
● Our evaluation shows that Sphinx is practical and imposes minimal overheads
27