SDN security papers

Posted by onephone on 2016-11-04

A summary of SDN security research directions has been published on sdnlab; this post is the list of referenced papers (with download links).

  1. Software-Defined Networking: Security Model, Mechanisms and Research Progress

    • Software Defined Networking: Security Model, Threats and Mechanism
    • 王蒙蒙, 劉建偉, 陳杰, 毛劍, 毛可飛. Software-Defined Networking: Security Model, Mechanisms and Research Progress. Journal of Software, 2016, 27(4): 969-992
  2. FLOWGUARD: building robust firewalls for software-defined networks

    • Hongxin Hu, Wonkyu Han, Gail-Joon Ahn, and Ziming Zhao. 2014. FLOWGUARD: building robust firewalls for software-defined networks. In Proceedings of the third workshop on Hot topics in software defined networking (HotSDN '14). ACM, New York, NY, USA, 97-102. DOI=http://dx.doi.org/10.1145/2620728.2620749
  3. Fleet: defending SDNs from malicious administrators

  4. A slick control plane for network middleboxes

  5. NetFuse: Short-circuiting Traffic Surges in the Cloud

    • Y. Wang, Y. Zhang, V. Singh, C. Lumezanu and G. Jiang, "NetFuse: Short-circuiting traffic surges in the cloud," 2013 IEEE International Conference on Communications (ICC), Budapest, 2013, pp. 3514-3518.
    • Uses OpenFlow control messages to probe active flows, and multi-dimensional traffic aggregation to localize the problem (a toxin-antitoxin-like mechanism).
  6. Lightweight DDoS flooding attack detection using NOX/OpenFlow

    • Braga R, Mota E, Passito A. Lightweight DDoS flooding attack detection using NOX/OpenFlow. In: Proc. of the 35th IEEE Conf. on Local Computer Networks (LCN). Denver, 2010. 408–415. [doi: 10.1109/LCN.2010.5735752]
    • Keys: DoS, DDoS, Artificial Neural Networks
    • Classifies flows with the self-organizing map algorithm (SOM, a classification algorithm used in neural networks), using a chosen 6-tuple per flow (Average of Packets per flow, Average of Bytes per flow, Average of Duration per flow, Percentage of Pair-flows, Growth of Single-flows, Growth of Different Ports) to decide whether a DoS/DDoS attack is under way (trained on a training set covering TCP, UDP and ICMP flooding); low overhead, high detection rate; the key is choosing the statistics time interval; problem: detection lags somewhat behind the attack.
    • Supplementary reading: 《基於自組織對映網路的流量分類演算法》 (a traffic classification algorithm based on self-organizing map networks)
  7. Poisoning network visibility in software-defined networks: New attacks and countermeasures

    • Hong S, Xu L, Wang H, Gu G. Poisoning network visibility in software-defined networks: New attacks and countermeasures. In: Proc. of the 2015 Annual Network and Distributed System Security Symp. (NDSS 2015). San Diego: Internet Society, 2015. 1–15.
    • TopoGuard --> addresses topological poisoning attacks. Analyses the controller's Host Tracking Service && Link Discovery Service in detail and proposes countermeasures for Host Location Hijacking && Link Fabrication Attack: Authenticate Host Entity, Verify the Legitimacy of Host Migration (a port_down is sent before migration, and after migration the controller must also confirm that the previous location is unreachable, i.e. cause-and-effect) && Authenticate LLDP packets, Verify Switch Port Property (e.g. detect host-generated traffic, set the port type to Device Type, and allow LLDP only on switch-to-switch links and switch-to-controller); shortcomings
  8. AVANT-GUARD: Scalable and vigilant switch flow management in software-defined networks.

    • Shin S, Yegneswaran V, Porras P, Gu G. AVANT-GUARD: Scalable and vigilant switch flow management in software-defined networks. In: Proc. of the 2013 ACM SIGSAC Conf. on Computer & Communications Security. Berlin: ACM, 2013. 413–424. [doi: 10.1145/2508859.2516684]
    • connection migration && actuating trigger
    • Addresses data-to-control-plane saturation attacks, mainly DoS/DDoS, by proposing connection migration and actuating triggers: only valid TCP connection information or requests are passed to the controller (see the TCP connection establishment diagrams; connection migration has four stages, classification, report, migration, relay, with two exchanges with the controller for the migration and relay actions respectively); an actuating trigger (defining a control, condition registration (traffic rate monitoring, event notification), conditional flow rule activation) is essentially a trigger condition set in advance, with the corresponding action/flow entry stored in the switch, waiting to be fired --> the main problem is that it only suits TCP
  9. OpenFlow: A security analysis

    • Kloti R, Kotronis V, Smith P. OpenFlow: A security analysis. In: Proc. of the 21st IEEE Int’l Conf. on Network Protocols (ICNP). Goettingen, 2013. 1–6. [doi: 10.1109/ICNP.2013.6733671]
    • Combines the STRIDE threat model with attack-tree techniques to design a threat model that can effectively analyse OpenFlow security
  10. OF-GUARD: A DoS attack prevention extension in software-defined networks

    • Wang H, Xu L, Gu G. OF-GUARD: A DoS attack prevention extension in software-defined networks. In: Proc. of the Poster Session of the Open Networking Summit 2014. Santa Clara: USENIX, 2014. 1–2.
  11. Rosemary: A robust, secure, and high-performance network operating system

    • Shin S, Song Y, Lee T, Lee S, Chung J, Porras P, Yegneswaran V, Noh J, Kang BB. Rosemary: A robust, secure, and high-performance network operating system. In: Proc. of the 2014 ACM SIGSAC Conf. on Computer and Communications Security. Scottsdale: ACM, 2014. 78–89. [doi: 10.1145/2660267.2660353]
    • Addresses the controller's robustness (robustness & resilience) and security shortcomings by designing and implementing the Rosemary controller, which consists mainly of a data abstraction layer, the Rosemary kernel (resource manager, security manager, system-log manager, kernel process area), system libraries and a resource monitor. It runs every application inside a sandboxed process and monitors each application's behaviour in real time (preventing one application from affecting the SDN stack or causing a crash); application legitimacy is determined by signatures; micro-NOS --> achieves controller Robustness && Resilience. Possible improvements: a role-based signing mechanism; an application is treated as a whole, so the access permissions of its individual modules cannot be controlled at a finer granularity; one application may be used by different users, should that be taken into account?
    • From Linux: ulimits, pipeline, CPU core binding
    • http://nss.kaist.ac.kr/
  12. Participatory networking: An API for application control of SDNs

    • Ferguson AD, Guha A, Liang C, Fonseca R, Krishnamurthi S. Participatory networking: An API for application control of SDNs. In: Proc. of the ACM SIGCOMM 2013 Conf. on SIGCOMM. Hong Kong: ACM, 2013. 327–338. [doi: 10.1145/2486001.2486003]
    • PANE --> share tree, policy tree, HFT compilation. Designs a PANE controller with built-in security mechanisms, solving the secure delegation of network control and visibility and the conflicts between access requests from mutually untrusted users. Privileges can be delegated downward, and through the provided API end users can dynamically request network resources on their own, while administrators define access control policies according to network resources. Main challenges: how to securely decompose network control and visibility; how to resolve conflicts between principals' requests. The main system components are ShareTree, Policy Tree, HFT (Hierarchical Flow Tables) Compilation, etc., and it also supports requests for future resources (flexible scheduling)
  13. FlowChecker: Configuration Analysis and Verification of Federated OpenFlow Infrastructures

    • Al-Shaer E, Al-Haj S. FlowChecker: Configuration analysis and verification of federated OpenFlow infrastructures. In: Proc. of the 3rd ACM Workshop on Assurable and Usable Security Configuration. Chicago: ACM, 2010. 37–44. [doi: 10.1145/1866898.1866905]
    • Re-encodes the OpenFlow flow-table configuration with binary decision diagrams (BDD) and, combined with model checking, proposes the FlowChecker system, which formally verifies the consistency of flow rules across different switches and controllers. Combined with FlowVisor network slicing, FlowChecker can also verify the correctness, reachability and security of new protocols. It uses CTL (Computation Tree Logic); possible improvement: it works offline, i.e. detection after the fact
  14. Consistent updates for software-defined networks: Change you can believe in

    • Reitblatt M, Foster N, Rexford J, Walker D. Consistent updates for software-defined networks: Change you can believe in. In: Proc. of the 10th ACM Workshop on Hot Topics in Networks. Cambridge: ACM, 2011. 1–6. [doi: 10.1145/2070562.2070569]
    • Addresses inconsistency in transient states (i.e. consistency and correctness during flow-rule updates), decomposing the problem into Per-packet Consistency && Per-flow Consistency: the former adds a versioning field to each packet so that every packet is handled by a single configuration; the latter updates the internal switches first and the ingress switches last, with timeouts. Questions: per-flow consistency is mainly aimed at TCP, but what about UDP packets? Setting the rule timeout is a key issue, how should it be handled? The authors assume a single ingress, what about several?
  15. OpenFlow: A security analysis

    • Kloti R, Kotronis V, Smith P. OpenFlow: A security analysis. In: Proc. of the 21st IEEE Int’l Conf. on Network Protocols (ICNP). Goettingen, 2013. 1–6. [doi: 10.1109/ICNP.2013.6733671]
  16. VeriFlow: Verifying network-wide invariants in real time.

    • Khurshid A, Zhou W, Caesar M, Godfrey PB. VeriFlow: Verifying network-wide invariants in real time. In: Proc. of the 1st Workshop on Hot Topics in Software Defined Networks. New York, 2012. 49–54. [doi: 10.1145/2342441.2342452]
    • Checks network-wide invariants in real time using a multidimensional prefix tree (trie): the network is first partitioned into equivalence classes (ECs) and the ECs affected by a new rule are found, then the forwarding graph (EC, device) is built by traversing the trie, and finally (invariant, modified EC) pairs are verified. Characteristics: real-time, can detect transient && long-term anomalies. Problem: does not support header-modifying actions, i.e. packet transformation.
  17. Improving Network Management with Software Defined Networking

    • Kim H, Feamster N (2013) Improving network management with software defined networking. IEEE Communications Magazine 51(2):114-119 - Addresses network configuration and management with Procera, an SDN-based event-driven network control framework, which handles responding to frequently changing network state, a high-level policy language (based on functional reactive programming (FRP)) and locating performance bottlenecks. Its highlight is the high-level policy language, which effectively provides a north-bound interface; Procera's main component is a Policy engine. The authors analyse network access authentication on the Georgia campus (two VLANs: scanning after authentication, normal access only afterwards); the detailed design is in another paper.
  18. Model checking invariant security properties in OpenFlow

    • Son S, Seungwon S, Yegneswaran V, Porras P, Guofei G. Model checking invariant security properties in OpenFlow. In: Proc. of the 2013 IEEE Int’l Conf. on Communications (ICC). Budapest: IEEE, 2013. 1974–1979. [doi: 10.1109/ICC.2013.6654813]
    • FLOVER --> main content: ensures that dynamically inserted flow rules do not violate the underlying security policy. Abstracts the problem as a non-bypass property problem, translates the rules into an assertion set and checks them with a third-party tool (the Yices SMT solver, satisfiability checking, Satisfiability Modulo Theories), distinguishing coverage violations and modify violations, verified in a formal language. Experiments tested both in-line mode and batch mode --> improved performance (choice of threshold). Possible improvements: it relies on the Yices SMT solver to detect non-bypass property violations; is there a better tool, and could the verification be done directly inside the controller core?
  19. SDN Security: A Survey

    • S. Scott-Hayward, G. O'Callaghan and S. Sezer, "SDN Security: A Survey," 2013 IEEE SDN for Future Networks and Services (SDN4FNS), Trento, 2013, pp. 1-7. [doi: 10.1109/SDN4FNS.2013.6702553]
  20. Towards a Secure Controller Platform for OpenFlow Applications

  21. Enforcing Network-Wide Policies in the Presence of Dynamic Middlebox Actions using FlowTags

  22. A Security Enforcement Kernel for OpenFlow Networks

    • Porras P, Shin S, Yegneswaran V, Fong M, Tyson M, Gu G. A security enforcement kernel for OpenFlow networks. In: Proc. of the 1st Workshop on Hot topics in Software Defined Networks. Helsinki: ACM, 2012. 121–126. [doi: 10.1145/2342441.2342466]
    • FortNOX --> main content: role-based authorization && security constraint enforcement; algorithm --> alias-set rule reduction algorithm; implemented on NOX, solves the dynamic-flow tunneling problem. Possible improvements: can the algorithm's efficiency be raised? Must every single rule be checked? Could rule conflicts be checked periodically in batches?
  23. Model Checking Invariant Security Properties in OpenFlow

  24. FRESCO: Modular Composable Security Services for Software-Defined Networks

    • Shin S, Porras P, Yegneswaran V, Fong M, Gu G, Tyson M. FRESCO: Modular composable security services for software-defined networks. In: Proc. of the ISOC Network and Distributed System Security Symp. (NDSS). San Diego: Internet Society, 2013. 1–16.
    • FRESCO --> main content: modular development of security applications; FRESCO Security Enforcement Kernel (SEK) --> handles rule conflict detection, using the FortNOX algorithm --> alias set rule reduction
  25. Securing the Software-Defined Network Control Layer

    • Porras P, Cheung S, Fong M, Skinner K, Yegneswaran V. Securing the software-defined network control layer. In: Proc. of the 2015 Annual Network and Distributed System Security Symp. (NDSS 2015). San Diego: Internet Society, 2015. 1–15.
    • SE-Floodlight --> main content: authorization service, role-based authorization, rule conflict mediation, security audit service; advance -- mainly extends the SEK with more detailed security mechanisms and a security audit service
  26. A NICE way to test openflow applications

    • Canini M, Venzano D, Perešíni P, Kostić D, Rexford J. A NICE way to test OpenFlow applications. In: Proc. of the 9th USENIX Conf. on Networked Systems Design and Implementation. San Jose: USENIX Association, 2012. 1–14.
    • Uses the model to test and verify real Python applications for bugs; caveat: SDN deployment and applications are still at an early stage, so it is not yet applicable
  27. CloudWatcher: Network Security Monitoring Using OpenFlow in Dynamic Cloud Networks

    • Main content: uses the OpenFlow protocol to control routing paths so that network traffic passes through specific security nodes; for network security devices (passive and in-line), analyses and compares four algorithms. Possible improvements: the algorithm analysis mainly targets a single security device, and efficiency with multiple security devices, especially in-line ones, is not fully considered, particularly in a cloud setting; with multiple in-line security devices this becomes a constrained shortest-path problem --> is this direction worth researching? <-- this kind of algorithm should have other application scenarios in SDN as well
  28. Flowvisor: A network virtualization layer

    • R. Sherwood, G. Gibb, K. Yap, G. Appenzeller, M. Casado, N. McKeown, and G. Parulkar, “Flowvisor: A network virtualization layer,” OpenFlow Switch Consortium, Tech.Rep, 2009.
    • Main content: borrowing from VLANs, builds fully isolated virtual networks on top of the physical network --> testbed <-- slice the network hardware; slicing of network resources --> Topology, Bandwidth, Device CPU, Forwarding Tables --> resource slicing. Possible improvements: CPU slicing is coarse-grained, based simply on the OpenFlow message rate, which could be refined; forwarding "slow path" packets --> sent out from multiple ports --> application scenario, e.g. security devices
  29. Towards SDN-Defined Programmable BYOD (Bring Your Own Device) Security

    • Sungmin Hong, Robert Baykov, Lei Xu, Srinath Nadimpalli, Guofei Gu. "Towards SDN-Defined Programmable BYOD (Bring Your Own Device) Security." To appear in Proc. of the Network and Distributed System Security Symposium (NDSS'16), San Diego, California, Feb. 2016. (Acceptance ratio 15.4%=60/389)
    • Proposes a new security solution for enterprise networks, PBS (Programmable BYOD Security), which provides fine-grained, application-level network security for the network management and policy enforcement of mobile apps and devices. <-- Inspired by SDN, it abstracts mobile-device elements (apps, network interfaces) and incorporates them into the traditional SDN network, providing network-wide, context-aware, app-specific policy enforcement (without changing the deployment of SDN switches)
  30. SANE: A Protection Architecture for Enterprise Networks

    • M. Casado, T. Garfinkel, A. Akella, M. J. Freedman, D. Boneh, N. McKeown, and S. Shenker. SANE: A Protection Architecture for Enterprise Networks. In Proceedings of the 15th USENIX Security Symposium (SS), volume 15, 2006.
  31. Ethane: Taking Control of the Enterprise

    • M. Casado, M. J. Freedman, J. Pettit, J. Luo, N. McKeown, and S. Shenker. Ethane: Taking Control of the Enterprise. ACM SIGCOMM Computer Communication Review (CCR), 37(4):1–12, 2007.
  32. Openflow Random Host Mutation: Transparent Moving Target Defense Using Software Defined Networking

    • J. H. Jafarian, E. Al-Shaer, and Q. Duan. Openflow Random Host Mutation: Transparent Moving Target Defense Using Software Defined Networking. In Proceedings of the First Workshop on Hot Topics in Software Defined Networks, pages 127–132. ACM, 2012.
  33. Resonance:Dynamic Access Control for Enterprise Networks

    • Resonance's access control policy is based on flow-level information and real-time alerts. It uses SDN to improve enterprise network security (traditional networks are reactive and rely heavily on host security and middleboxes), and was evaluated on Georgia Tech's network. Hosts are controlled at fine granularity through the pair (security group, status), and combined with other systems it provides strong attack defence. Unlike SANE, it supports continuous monitoring and interface-based policy control.
  34. Compiling Path Queries

    • Using deterministic finite automata (DFA), introduces a declarative query language for path-based traffic monitoring, making it easier for network operators to perform real-time problem diagnosis, security policy enforcement and capacity planning
  35. A Clean Slate 4D Approach to Network Control and Management

  36. The Road to SDN

  37. A First Step Toward Network Security Virtualization:From Concept To Prototype

  38. OperationCheckpoint: SDN Application Control

    • SE-Floodlight
  39. A Survey of Securing Networks using Software Defined Networking

    • Survey
  40. Routing Bottlenecks in the Internet: Causes, Exploits, and Countermeasures

  41. SPIFFY: Inducing Cost-Detectability Tradeoffs for Persistent Link-Flooding Attacks

    • Proposes SPIFFY, a countermeasure against attacks that rely on traffic patterns. By temporarily raising the bandwidth of core links, it increases the attacker's cost or makes the attack traffic easy to identify (through a rate change test); the bandwidth increase is a virtual one, achieved with SDN traffic engineering. Question: one of the authors' assumptions is that raising the attacker's cost is a good defence, but in practice many DDoS attacks are malicious and targeted, do those attackers really care about cost?
  42. Bohatei: Flexible and Elastic DDoS Defense

    • Uses SDN and NFV to build a flexible, elastic DDoS defence --> Bohatei, offering scalability, responsiveness and resilience; the defence measures are configurable and more flexible. Problem: it provides a statically sized defence aimed at traditional DoS attacks and cannot handle link-flooding attacks.
  43. FlowTags: Enforcing Network-Wide Policies in the Presence of Dynamic Middlebox Actions

    • S. Fayazbakhsh, V. Sekar, M. Yu, and J. Mogul, “FlowTags: Enforcing Network-Wide Policies in the Presence of Dynamic Middlebox Actions,” in Proceedings of the second workshop on Hot topics in software defined networks. ACM, 2013.
    • Problem addressed: how to integrate middleboxes into an SDN network without violating SDN's basic principles (ORIGINBINDING, PATHFOLLOWPOLICY). Proposes the FlowTags architecture, which requires minimal modification of the middleboxes and lets them interact with the controller through a provided API --> by adding tags to packet headers: service chaining, performance debugging and forensics. **Possible improvement**: only handles pre-defined policies, cannot handle dynamic actions.
  44. SPHINX: Detecting Security Attacks in Software-Defined Networks

    • Uses flow graphs to model actual network operation and thereby detect network attacks. Possible improvements: consistency of flow graphs across multiple controllers; whether attacks launched from inside the SDN network can be detected; cannot cover the ingress and egress switches; virtual machine migration in data centres is frequent, which makes the flow graph change rapidly.
  45. ECOS: leveraging software-defined networks to support mobile application offloading

  46. FLOWGUARD: Building Robust Firewalls for Software-Defined Networks

    • Building firewalls for SDN networks: flow tables and firewall policies together realize robust firewalls, integrating the firewall Authorization Space and the Flow Path Space.
  47. PGA: Using Graphs to Express and Automatically Reconcile Network Policies

    • PGA (Policy Graph Abstraction) --> resolves and detects policy conflicts
  48. Enabling Practical Software-defined Networking Security Applications with OFX

    • OFX --> uses the switch's own processing capability to dynamically load modules onto the switch, improving performance and ease of deployment. Possible improvement: the tests did not check whether newly loaded module functions interfere with the hardware's pre-existing normal functions.