Multi-Level Queue Security in Switches: Adversarial Inference and Differential Privacy Protection in SDN

Impact factor 1.6; CAS zone 4 (Computer Science); JCR Q3 (Engineering, Electrical & Electronic)
Xuewen Dong;Lingtao Xue;Tao Zhang;Zhichao You;Guangxia Li;Yulong Shen
DOI: 10.23919/cje.2022.00.373
Journal: Chinese Journal of Electronics, vol. 34, no. 2, pp. 533-547, published 2025-03-01 (journal article; not open access)
Full text: https://ieeexplore.ieee.org/document/10982054/ (PDF: https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=10982054)
Citations: 0

Abstract

Network switches are critical elements in any network infrastructure for traffic forwarding and packet priority scheduling, which naturally makes them a target of network adversaries. Most attacks on switches focus on purposely forwarding packets to the wrong network nodes or generating flooding. However, potential privacy leakage in the multi-level priority queue of switches has not been considered. In this paper, we are the first to discuss the multi-level priority queue security and privacy protection problem in switches. Observing that the order in which packets leave a queue is strongly correlated with their priority, we introduce a policy inference attack that exploits specific priority-mapping rules between different packet priorities and priority sub-queues in the multi-level queues. Next, based on the policy inference result and the built-in traffic shaping strategy, a capacity inference attack with an error probability that decays exponentially in the number of attacks is presented. In addition, we propose a differentially private priority scheduling mechanism to defend against the above attacks in OpenFlow switches. Theoretical analysis proves that our proposed mechanism satisfies ε-differential privacy. Extensive evaluation results show that our mechanism defends well against inference attacks and achieves up to 2.7 times the priority processing efficiency of a random priority scheduling strategy.
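The following simulation is an added illustration of the two ideas the abstract rests on; it is not the authors' code, attack model or scheduling mechanism. It assumes four strict-priority sub-queues (class 0 drains first, FIFO within a class), an attacker who enqueues one marked probe per class ahead of a victim packet and reads the victim's class off the departure order, and, as a stand-in for a differentially private scheduler, textbook randomized response over the class label with parameter ε. All packet data is constructed inline.

```python
"""Toy model: priority inference from dequeue order and an ε-DP randomized-response
stand-in. Added illustration only; nothing here is from the paper or a real switch."""
import math
import random
from collections import Counter

K = 4                      # assumed number of priority classes / sub-queues; 0 = highest
CLASSES = list(range(K))


def strict_priority_schedule(packets):
    """Deterministic multi-level queue. packets: list of (pkt_id, class). Each class is
    a FIFO sub-queue; sub-queues drain from class 0 downwards. Returns departure order."""
    subqueues = {c: [] for c in CLASSES}
    for pid, cls in packets:
        subqueues[cls].append(pid)
    return [pid for c in CLASSES for pid in subqueues[c]]


def randomized_response(true_cls, eps, rng):
    """ε-DP randomized response over K classes: keep the true class with probability
    e^eps / (e^eps + K - 1), otherwise report one of the other classes uniformly."""
    p_keep = math.exp(eps) / (math.exp(eps) + K - 1)
    if rng.random() < p_keep:
        return true_cls
    return rng.choice([c for c in CLASSES if c != true_cls])


def privacy_ratio(eps):
    """P[report=c | true=c] / P[report=c | true=c'] for randomized response. Equals
    e^eps exactly, i.e. the ε-DP bound for one packet's class label. The scheduler
    that consumes the noised label is post-processing and cannot weaken this bound."""
    p_keep = math.exp(eps) / (math.exp(eps) + K - 1)
    p_other = (1 - p_keep) / (K - 1)
    return p_keep / p_other


def probe_attack(victim_cls, eps, rng):
    """One attack round. The attacker enqueues probes p0..p3 (one per class), then the
    victim arrives. Under strict priority the victim departs right after the last probe
    of its own class, so the attacker guesses the class of the last probe seen before
    the victim (class 0 if none). eps=None: no noise; otherwise every packet's class,
    probes included, goes through randomized response before scheduling."""
    packets = [(f"p{c}", c) for c in CLASSES] + [("victim", victim_cls)]
    if eps is not None:
        packets = [(pid, randomized_response(cls, eps, rng)) for pid, cls in packets]
    order = strict_priority_schedule(packets)
    before = order[: order.index("victim")]
    # The attacker knows only the classes it *intended* for its probes, not the noised ones.
    probes_before = [int(pid[1:]) for pid in before if pid.startswith("p")]
    return probes_before[-1] if probes_before else 0


def attack_accuracy(eps, trials, seed=0):
    """Fraction of rounds in which the attacker's guess equals the victim's true class."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        victim_cls = rng.choice(CLASSES)
        hits += probe_attack(victim_cls, eps, rng) == victim_cls
    return hits / trials


def majority_vote_accuracy(eps, n_obs, trials, seed=0):
    """Caveat of this toy model: each packet is noised independently, so an attacker who
    watches n_obs packets of the same flow can majority-vote, and the ε spent on that
    flow adds up (sequential composition). A per-flow budget would be needed in practice."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        victim_cls = rng.choice(CLASSES)
        votes = Counter(probe_attack(victim_cls, eps, rng) for _ in range(n_obs))
        hits += votes.most_common(1)[0][0] == victim_cls
    return hits / trials


if __name__ == "__main__":
    print("strict scheduler, no noise :", attack_accuracy(None, 2000))
    for eps in (0.1, 1.0, 5.0):
        print(f"eps={eps:<4} single observation:", attack_accuracy(eps, 2000, seed=1))
    print("eps=2.0, majority of 15    :", majority_vote_accuracy(2.0, 15, 1000, seed=2))
    print("likelihood ratio at eps=1  :", privacy_ratio(1.0), "= e^1")
```

Against the noise-free scheduler the probe attack recovers the victim's class every time; with small ε the guess is close to a coin flip across the four classes, and with large ε it is nearly exact again, which is the utility/privacy trade-off the abstract's 2.7x efficiency figure is about. The majority-vote function shows why a per-packet guarantee alone is not enough when the adversary can observe a flow repeatedly.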
Source journal
Chinese Journal of Electronics (Engineering & Technology; Engineering: Electronic & Electrical)
CiteScore: 3.70
Self-citation rate: 16.70%
Articles published: 342
Review time: 12.0 months
Journal description: CJE focuses on the emerging fields of electronics, publishing innovative and transformative research papers. Most of the papers published in CJE are from universities and research institutes, presenting their innovative research results. Both theoretical and practical contributions are encouraged, and original research papers reporting novel solutions to the hot topics in electronics are strongly recommended.
Contact: info@booksci.cn. Book学术 provides a free academic resource search service for locating Chinese and English literature. Copyright © 2023 布克学术. All rights reserved.