DOI: 10.1145/3564625.3564642 (ACSAC conference proceedings, research article)

Heimdallr: Fingerprinting SD-WAN Control-Plane Architecture via Encrypted Control Traffic

Published: 05 December 2022

Abstract

Software-defined wide area networks (SD-WAN) have emerged as a new paradigm for flexibly steering a large-scale network by adopting distributed software-defined network (SDN) controllers. The key to building a logically centralized but physically distributed control plane is running diverse cluster management protocols that achieve consistency through an exchange of control traffic. We observe that, even though this traffic is encrypted, it exposes unique time-series patterns and directional relationships that stem from the operational structure, and these patterns can disclose confidential information such as control-plane topology and protocol dependencies, which can be exploited for severe attacks. With this insight, we propose a new SD-WAN fingerprinting system called Heimdallr. It analyzes the periodic and operational patterns of SD-WAN cluster management protocols, together with the context of flow directions, in collected control traffic using a deep learning-based approach, so that it can automatically classify the cluster management protocols from miscellaneous control traffic datasets. Our evaluation, performed in a realistic SD-WAN environment consisting of three geographically distant campus networks and one enterprise network, shows that Heimdallr can classify SD-WAN control traffic with ≥ 93%, identify individual protocols with ≥ 80% macro F-1 scores, and infer control-plane topology with ≥ 70% similarity.




Published In

ACSAC '22: Proceedings of the 38th Annual Computer Security Applications Conference, December 2022, 1021 pages
ISBN: 9781450397599
DOI: 10.1145/3564625

Publisher

Association for Computing Machinery, New York, NY, United States


Author Tags

1. Fingerprinting
2. Network Security
3. Software-defined Networking

Qualifiers

• Research-article
• Research
• Refereed limited

Conference

ACSAC

Acceptance Rates

Overall acceptance rate: 104 of 497 submissions, 21%

Article Metrics

• Downloads (last 12 months): 88
• Downloads (last 6 weeks): 7
Reflects downloads up to 21 Nov 2024

Cited By

• (2024) Ambusher: Exploring the Security of Distributed SDN Controllers Through Protocol State Fuzzing. IEEE Transactions on Information Forensics and Security 19, 6264–6279. https://doi.org/10.1109/TIFS.2024.3402967. Online publication date: 2024.
• (2024) PassREfinder: Credential Stuffing Risk Prediction by Representing Password Reuse between Websites on a Graph. 2024 IEEE Symposium on Security and Privacy (SP), 1385–1404. https://doi.org/10.1109/SP54263.2024.00020. Online publication date: 19 May 2024.
• (2024) gShock: A GNN-Based Fingerprinting System for Permissioned Blockchain Networks Over Encrypted Channels. IEEE Access 12, 146328–146342. https://doi.org/10.1109/ACCESS.2024.3469583. Online publication date: 2024.
• (2024) Enhancing security in SDN. Computer Networks: The International Journal of Computer and Telecommunications Networking 241:C. https://doi.org/10.1016/j.comnet.2024.110203. Online publication date: 25 Jun 2024.
• (2023) Software Defined Wide Area Networks: Current Challenges and Future Perspectives. 2023 IEEE 9th International Conference on Network Softwarization (NetSoft), 350–353. https://doi.org/10.1109/NetSoft57336.2023.10175458. Online publication date: 19 Jun 2023.
