Research article, ACM CCS conference proceedings
DOI: 10.1145/3243734.3243749

Towards Fine-grained Network Security Forensics and Diagnosis in the SDN Era

Published: 15 October 2018

Abstract

Diagnosing network security issues in traditional networks is difficult, and it is even more frustrating in emerging Software Defined Networks (SDN). The decoupling of the data and control planes in the SDN framework makes traditional network troubleshooting tools unsuitable for pinpointing a root cause that lies in the control plane. In this paper, we propose ForenGuard, which provides flow-level forensics and diagnosis functions for SDN. Unlike traditional forensics tools that operate at either the network level or the host level only, ForenGuard monitors and records runtime activities, and their causal dependencies, across both the SDN control plane and the data plane. Starting from a forwarding problem (e.g., a disconnection) that could be caused by a security issue, ForenGuard backtracks through the preceding activities in both planes via their causal relationships and pinpoints the root cause of the problem. ForenGuard also provides a user-friendly interface that lets users specify the detection point and diagnose complicated network problems. We implement a prototype of ForenGuard on top of the Floodlight controller and use it to diagnose several real control plane attacks. We show that ForenGuard can quickly display the causal relationships among activities and narrow down the set of suspicious activities that could be root causes. Our performance evaluation shows that ForenGuard adds only minor runtime overhead to the SDN control plane and scales well under various network workloads.
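The abstract describes the core mechanism at a high level: record control- and data-plane activities together with their causal dependencies, then, given a forwarding symptom, walk backwards along those dependencies until the chain enters the system. The following Python sketch is an added illustration of that idea and is not ForenGuard's code or part of the paper. Every activity id, the module names (devicemanager, forwarding, rogue_app) and the attack scenario are constructed here for the example; the Floodlight-style names are placeholders, not real handler identifiers.

```python
"""Toy causal-dependency log and backtracker, modelled on the approach in the
abstract: record activities from both SDN planes with their causal parents,
then backtrack from a forwarding symptom to the activities that led to it.
Added illustration only; ids, module names and the scenario are constructed."""
from collections import deque
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Activity:
    aid: str                       # unique activity id
    plane: str                     # "control" or "data"
    kind: str                      # PACKET, PACKET_IN, MODULE_HANDLER, FLOW_MOD, FLOW_TABLE, SYMPTOM
    detail: str                    # human-readable description
    causes: Tuple[str, ...] = ()   # ids of activities this one causally depends on


class CausalLog:
    """Append-only record of activities; each entry names its causal parents."""

    def __init__(self) -> None:
        self._acts: Dict[str, Activity] = {}

    def record(self, act: Activity) -> Activity:
        # Parents must already be recorded, so the graph stays acyclic by construction.
        if act.aid in self._acts:
            raise ValueError(f"duplicate activity id {act.aid}")
        for parent in act.causes:
            if parent not in self._acts:
                raise ValueError(f"{act.aid} depends on unknown activity {parent}")
        self._acts[act.aid] = act
        return act

    def backtrack(self, aid: str) -> List[Activity]:
        """All causal ancestors of `aid`, nearest first (breadth-first walk)."""
        seen: Set[str] = set()
        order: List[str] = []
        queue = deque([aid])
        while queue:
            cur = queue.popleft()
            for parent in self._acts[cur].causes:
                if parent not in seen:
                    seen.add(parent)
                    order.append(parent)
                    queue.append(parent)
        return [self._acts[p] for p in order]

    def root_causes(self, aid: str) -> List[Activity]:
        """Ancestors with no recorded cause: where the chain entered the system."""
        return [a for a in self.backtrack(aid) if not a.causes]

    def suspicious_handlers(self, aid: str, trusted: Set[str]) -> List[Activity]:
        """Control-plane module handlers on the causal path that are not trusted."""
        return [a for a in self.backtrack(aid)
                if a.plane == "control" and a.kind == "MODULE_HANDLER"
                and a.detail not in trusted]


def build_sample_log() -> CausalLog:
    """Constructed scenario (not from the paper): one packet triggers a PacketIn
    that two controller modules handle; the hypothetical 'rogue_app' installs a
    DROP rule for h2, and h1 -> h2 traffic dies. An unrelated benign flow
    install is recorded as well so the backtrack has something to exclude."""
    log = CausalLog()
    log.record(Activity("pkt-7", "data", "PACKET", "s1:port3 frame dst=h2"))
    log.record(Activity("pin-7", "control", "PACKET_IN", "OFPT_PACKET_IN from s1 carrying pkt-7", ("pkt-7",)))
    log.record(Activity("hdl-7a", "control", "MODULE_HANDLER", "devicemanager.receive", ("pin-7",)))
    log.record(Activity("hdl-7b", "control", "MODULE_HANDLER", "rogue_app.receive", ("pin-7",)))
    log.record(Activity("fm-7", "control", "FLOW_MOD", "OFPT_FLOW_MOD to s1: match dst=h2 actions=DROP", ("hdl-7b",)))
    log.record(Activity("ft-7", "data", "FLOW_TABLE", "s1 table0 add: dst=h2 -> DROP", ("fm-7",)))
    # Unrelated benign activity that must not show up in the backtrack.
    log.record(Activity("pkt-8", "data", "PACKET", "s2:port1 frame dst=h3"))
    log.record(Activity("pin-8", "control", "PACKET_IN", "OFPT_PACKET_IN from s2 carrying pkt-8", ("pkt-8",)))
    log.record(Activity("hdl-8", "control", "MODULE_HANDLER", "forwarding.receive", ("pin-8",)))
    log.record(Activity("fm-8", "control", "FLOW_MOD", "OFPT_FLOW_MOD to s2: match dst=h3 actions=output:2", ("hdl-8",)))
    # The detection point an operator would specify.
    log.record(Activity("sym-1", "data", "SYMPTOM", "h1 -> h2 ping fails; packets dropped at s1", ("ft-7",)))
    return log


def diagnose(symptom_id: str = "sym-1") -> List[str]:
    """Return the causal chain behind `symptom_id` as activity ids, nearest first."""
    return [a.aid for a in build_sample_log().backtrack(symptom_id)]


if __name__ == "__main__":
    sample = build_sample_log()
    for act in sample.backtrack("sym-1"):
        print(f"{act.aid:8} {act.plane:8} {act.kind:15} {act.detail}")
    print("root causes:", [a.aid for a in sample.root_causes("sym-1")])
    print("suspicious handlers:", [a.detail for a in sample.suspicious_handlers(
        "sym-1", {"devicemanager.receive", "forwarding.receive"})])
```

The walk from the symptom returns only the chain that actually produced the drop rule (flow table entry, FlowMod, the handler that emitted it, the PacketIn, the packet); the sibling handler that saw the same PacketIn and the unrelated flow install on s2 are excluded, which is the narrowing effect the abstract describes. In a real controller the causal edges would have to be captured by instrumenting message dispatch and state writes rather than declared by hand as they are here.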




Published In

CCS '18: Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, October 2018, 2359 pages
ISBN: 9781450356930
DOI: 10.1145/3243734
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from permissions@acm.org.

Publisher: Association for Computing Machinery, New York, NY, United States

      Author Tags

      1. diagnosis
      2. forensics
      3. software defined networking


      Acceptance Rates

CCS '18 paper acceptance rate: 134 of 809 submissions (17%)
Overall acceptance rate: 1,261 of 6,999 submissions (18%)


Article Metrics

Downloads: 35 in the last 12 months, 2 in the last 6 weeks (reflects downloads up to 19 Nov 2024)

Cited By

• (2024) A Filtering Model for Evidence Gathering in an SDN-Oriented Digital Forensic and Incident Response Context. IEEE Access 12, 75792-75808. DOI: 10.1109/ACCESS.2024.3405588. Published 2024.
• (2023) The LOFT Attack: Overflowing SDN Flow Tables at a Low Rate. IEEE/ACM Transactions on Networking 31(3), 1416-1431. DOI: 10.1109/TNET.2022.3225211. Published Jun 2023.
• (2023) Towards adding digital forensics capabilities in software defined networking based moving target defense. Cluster Computing 27(1), 893-912. DOI: 10.1007/s10586-023-03990-3. Published 24 Mar 2023.
• (2023) VinciDecoder: Automatically Interpreting Provenance Graphs into Textual Forensic Reports with Application to OpenStack. Secure IT Systems, 346-367. DOI: 10.1007/978-3-031-22295-5_19. Published 1 Jan 2023.
• (2022) A lightweight DDoS detection scheme under SDN context. Cybersecurity 5(1). DOI: 10.1186/s42400-022-00128-7. Published 3 Oct 2022.
• (2022) A Framework for SDN Forensic Readiness and Cybersecurity Incident Response. 2022 IEEE Conference on Network Function Virtualization and Software Defined Networks (NFV-SDN), 112-116. DOI: 10.1109/NFV-SDN56302.2022.9974648. Published 14 Nov 2022.
• (2022) Performance and Features: Mitigating the Low-Rate TCP-Targeted DoS Attack via SDN. IEEE Journal on Selected Areas in Communications 40(1), 428-444. DOI: 10.1109/JSAC.2021.3126053. Published Jan 2022.
• (2022) Software-Defined Networks and Its Applications. Software Defined Networks, 63-96. DOI: 10.1002/9781119857921.ch3. Published 11 Aug 2022.
• (2021) TRACE: Enterprise-Wide Provenance Tracking for Real-Time APT Detection. IEEE Transactions on Information Forensics and Security 16, 4363-4376. DOI: 10.1109/TIFS.2021.3098977. Published 2021.
• (2021) Inferring and Querying the Past State of a Software-Defined Data Center Network. 2021 Eighth International Conference on Software Defined Systems (SDS), 1-8. DOI: 10.1109/SDS54264.2021.9731853. Published 6 Dec 2021.
