Minjian Zhang, Jianwei Hou, Ziqi Zhang, Wenchang Shi, Bo Qin, Bin Liang
{"title":"软件定义网络的细粒度指纹识别威胁","authors":"Minjian Zhang, Jianwei Hou, Ziqi Zhang, Wenchang Shi, Bo Qin, Bin Liang","doi":"10.1109/Trustcom/BigDataSE/ICESS.2017.229","DOIUrl":null,"url":null,"abstract":"Thanks to its flexibility and programmable features, Software-Defined Networking (SDN) has been attracting more and more attention from the academia and the industry. Unfortunately, the fundamental characteristic of SDN that decouples control plane from data plane becomes a potential attack surface as well, which enables adversaries to fingerprint and attack the SDNs. Existing work showed the possibility of fingerprinting an SDN with time-based features. However, they are coarse grained. This paper proposes a fine-grained fingerprinting approach and reveals the much more severe threats to SDN Security. By analyzing network packets, the approach digs out match fields of SDN flow rules innovatively. Being sensitive and control-related information in SDN, the match fields of flow rules can be used to infer the type of an SDN controller and the security policy of the network. With these sensitive configuration information, adversaries can launch more targeted and destructive attacks against an SDN. We implement our approach in both simulative and physical environments. Furthermore, we conduct experiments with different kinds of SDN controllers to verify the effectiveness of our concept. Experiment results demonstrate the feasibility to obtain highly sensitive, fine-grained information in SDN, and hence reveal the high risk of information disclosure in SDN and severe threats of attacks against SDN.","PeriodicalId":170253,"journal":{"name":"2017 IEEE Trustcom/BigDataSE/ICESS","volume":"51 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2017-08-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"8","resultStr":"{\"title\":\"Fine-Grained Fingerprinting Threats to Software-Defined Networks\",\"authors\":\"Minjian Zhang, Jianwei Hou, Ziqi Zhang, Wenchang Shi, Bo Qin, Bin Liang\",\"doi\":\"10.1109/Trustcom/BigDataSE/ICESS.2017.229\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"Thanks to its flexibility and programmable features, Software-Defined Networking (SDN) has been attracting more and more attention from the academia and the industry. Unfortunately, the fundamental characteristic of SDN that decouples control plane from data plane becomes a potential attack surface as well, which enables adversaries to fingerprint and attack the SDNs. Existing work showed the possibility of fingerprinting an SDN with time-based features. However, they are coarse grained. This paper proposes a fine-grained fingerprinting approach and reveals the much more severe threats to SDN Security. By analyzing network packets, the approach digs out match fields of SDN flow rules innovatively. Being sensitive and control-related information in SDN, the match fields of flow rules can be used to infer the type of an SDN controller and the security policy of the network. With these sensitive configuration information, adversaries can launch more targeted and destructive attacks against an SDN. We implement our approach in both simulative and physical environments. Furthermore, we conduct experiments with different kinds of SDN controllers to verify the effectiveness of our concept. Experiment results demonstrate the feasibility to obtain highly sensitive, fine-grained information in SDN, and hence reveal the high risk of information disclosure in SDN and severe threats of attacks against SDN.\",\"PeriodicalId\":170253,\"journal\":{\"name\":\"2017 IEEE Trustcom/BigDataSE/ICESS\",\"volume\":\"51 1\",\"pages\":\"0\"},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2017-08-01\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"8\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"2017 IEEE Trustcom/BigDataSE/ICESS\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.1109/Trustcom/BigDataSE/ICESS.2017.229\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"2017 IEEE Trustcom/BigDataSE/ICESS","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/Trustcom/BigDataSE/ICESS.2017.229","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Fine-Grained Fingerprinting Threats to Software-Defined Networks
Thanks to its flexibility and programmable features, Software-Defined Networking (SDN) has been attracting more and more attention from the academia and the industry. Unfortunately, the fundamental characteristic of SDN that decouples control plane from data plane becomes a potential attack surface as well, which enables adversaries to fingerprint and attack the SDNs. Existing work showed the possibility of fingerprinting an SDN with time-based features. However, they are coarse grained. This paper proposes a fine-grained fingerprinting approach and reveals the much more severe threats to SDN Security. By analyzing network packets, the approach digs out match fields of SDN flow rules innovatively. Being sensitive and control-related information in SDN, the match fields of flow rules can be used to infer the type of an SDN controller and the security policy of the network. With these sensitive configuration information, adversaries can launch more targeted and destructive attacks against an SDN. We implement our approach in both simulative and physical environments. Furthermore, we conduct experiments with different kinds of SDN controllers to verify the effectiveness of our concept. Experiment results demonstrate the feasibility to obtain highly sensitive, fine-grained information in SDN, and hence reveal the high risk of information disclosure in SDN and severe threats of attacks against SDN.