| Summary: | 碩士 === 國立交通大學 === 資訊科學與工程研究所 === 105 === Software-defined networking (SDN) is a new networking paradigm that enables programmatic control over the network at a centralized controller. The controller offers APIs to allow SDN applications (SDN-Apps) to take care of control-plane functions (e.g., traffic engineering, routing, load balancing, security, etc.). However, some SDN-Apps may be malicious, since benign ones might be compromised or they were developed by untrusted third parties. Though there have been many solutions proposed to block malicious SDN-Apps, all of them did not consider that malicious flow entries can be populated to attack control-plane services and data-plane operations. In this thesis, we identify two security threats: control-plane service abuse and data-plane pollution. They can be leveraged to launch topology spoofing and SDN DoS attacks, respectively. We thus propose a context-aware, event-based anomaly detection mechanism, CEAD-SDN. It restricts the manipulation of each control-plane service to only the application that takes care of it, and confines the context of flow entries that are triggered by the same event. They can be used to address the above two threats and thus to avoid the above two attacks. We have implemented CEAS-SDN on Floodlight, and have tested it with EstiNet network simulator. Evaluation results show that CEAD-SDN is able to defend SDN against our identified security threats and to avoid associated attacks. It has negligible overhead with only 0.9% decrease of TCP connection success rates and results in 16.08% extra TCP connection delay in the worst case, compared with the case without CEAD-SDN.
|
|---|
