Jinlong Wang, Yunhe Cui, Rongfei He, Yi Chen, Chun Guo, Guowei Shen
DOI: 10.1016/j.cose.2025.104629
Journal: Computers & Security, volume 159, Article 104629
Publication date: 2025-09-06
Publication type: Journal article
JCR: Q1, Computer Science, Information Systems
Open access: no
URL: https://www.sciencedirect.com/science/article/pii/S0167404825003189
FTOA-RP: A ‘group’-based flow entry replacement policy probing and flow table overflow attack method
As a new network architecture, Software-Defined Networking (SDN) introduces potential risks, such as configuration probing of switches and flow table overflow attacks. The existing flow entry replacement probing methods may not accurately probe the replacement policies due to network jitter and packet loss. Meanwhile, existing flow table overflow attacks ignore the fact that the flow entry replacement policy will evict the malicious flow entries during the attack. As evicted flow entries are not reinstalled promptly, the attack's effect is reduced. To address the above issues, FTOA-RP, a new two-phase flow entry replacement policy probing method, and a new flow table overflow attack method considering the flow entry replacement policy are proposed. To overcome the decrease in replacement policy probing accuracy caused by network jitter and packet loss, FTOA-RP probes the replacement policy using a group of probing packets. In particular, FTOA-RP designs TPRPP, a probing algorithm that consists of a forward/backward eviction detection phase and a forward eviction fine-grained detection phase to probe the flow entry replacement policies. TPRPP designs a specially structured packet group, which consists of multiple subgroups, each containing several probing packets. By sending probing packets in groups, TPRPP effectively mitigates the negative effects of network jitter and packet loss. To address the issue that the effectiveness of existing flow table overflow attacks is reduced by the flow entry replacement policy, FTOA-RP designs a flow table overflow attack method that considers the impact of flow entry replacement. More specifically, FTOA-RP designs two attack packet-sending algorithms. The first one is SAP-FLR, which is used to launch a flow table overflow attack under FIFO and LRU. The second one is SAP-LF, used to launch a flow table overflow attack under LFU. During the attack phase, SAP-FLR and SAP-LF adjust the sending order of attack packets based on the replacement policies to ensure the timely reinstallation of evicted flow entries. The evaluation results show that FTOA-RP outperforms the existing attack methods in terms of the probing accuracy, probing cost, and the ability to maintain malicious flow entries during the attack.
Journal description:
Computers & Security is the most respected technical journal in the IT security field. With its high-profile editorial board and informative regular features and columns, the journal is essential reading for IT security professionals around the world.
Computers & Security provides you with a unique blend of leading-edge research and sound practical management advice. It is aimed at the professional involved with computer security, audit, control and data integrity in all sectors: industry, commerce and academia. Recognized worldwide as THE primary source of reference for applied research and technical expertise, it is your first step to fully secure systems.