Fine-Grained Fingerprinting Threats to Software-Defined Networks

Minjian Zhang, Jianwei Hou, Ziqi Zhang, Wenchang Shi, Bo Qin, Bin Liang
2017 IEEE Trustcom/BigDataSE/ICESS. Publication date: 2017-08-01. DOI: 10.1109/Trustcom/BigDataSE/ICESS.2017.229 (https://doi.org/10.1109/Trustcom/BigDataSE/ICESS.2017.229)
Citations: 8

Abstract
Thanks to its flexibility and programmable features, Software-Defined Networking (SDN) has been attracting more and more attention from academia and industry. Unfortunately, the fundamental characteristic of SDN that decouples the control plane from the data plane becomes a potential attack surface as well, which enables adversaries to fingerprint and attack SDNs. Existing work showed the possibility of fingerprinting an SDN with time-based features. However, they are coarse-grained. This paper proposes a fine-grained fingerprinting approach and reveals the much more severe threats to SDN security. By analyzing network packets, the approach digs out match fields of SDN flow rules innovatively. Being sensitive and control-related information in SDN, the match fields of flow rules can be used to infer the type of an SDN controller and the security policy of the network. With this sensitive configuration information, adversaries can launch more targeted and destructive attacks against an SDN. We implement our approach in both simulated and physical environments. Furthermore, we conduct experiments with different kinds of SDN controllers to verify the effectiveness of our concept. Experiment results demonstrate the feasibility of obtaining highly sensitive, fine-grained information in SDN, and hence reveal the high risk of information disclosure in SDN and severe threats of attacks against SDN.