ABSTRACT
Diagnosing network security issues in traditional networks is difficult, and it is even more frustrating in emerging Software-Defined Networks (SDN). The decoupling of the data and control planes in the SDN framework makes traditional network troubleshooting tools unsuitable for pinpointing root causes that lie in the control plane. In this paper, we propose ForenGuard, which provides flow-level forensics and diagnosis functions for SDN. Unlike traditional forensics tools that cover only the network level or only the host level, ForenGuard monitors and records runtime activities, and the causal dependencies among them, in both the SDN control plane and the data plane. Starting from a forwarding problem (e.g., a disconnection) that could be caused by a security issue, ForenGuard backtracks through the causal relationships to earlier activities in both planes and pinpoints the root cause of the problem. ForenGuard also provides a user-friendly interface that lets users specify the detection point and diagnose complicated network problems. We implement a prototype of ForenGuard on top of the Floodlight controller and use it to diagnose several real control plane attacks. We show that ForenGuard can quickly display the causal relationships among activities and help narrow down the range of suspicious activities that could be the root cause. Our performance evaluation shows that ForenGuard adds minor runtime overhead to the SDN control plane and scales well under various network workloads.
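The backward walk over recorded causal dependencies that the abstract describes, shown as an added illustration written for this page. It is not ForenGuard's code (the prototype is a Floodlight extension in Java; Python is used here so the example runs stand-alone). The activity model (`Activity`, its `plane`/`kind`/`detail` fields and `caused_by` edges), the function names and the trace itself are assumptions constructed for the example: a host's recorded location is overwritten after a packet carrying its address arrives on a different switch port, a later FlowMod is derived from the poisoned binding, and the resulting data-plane rule becomes the detection point the analyst starts from.

```python
"""Backward causal tracing over a recorded SDN activity log.

Illustrative code written for this page; it is not ForenGuard's implementation.
Assumed data model: each recorded activity has an id, a plane ("control" or
"data"), a kind, a free-form detail string, and the ids of the activities that
directly caused it. The trace below is constructed, not captured from a network.
"""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Activity:
    aid: str
    plane: str            # "control" or "data"
    kind: str             # packet_in, event_dispatch, state_read, state_write, flow_mod, flow_rule
    detail: str
    caused_by: tuple = ()  # ids of immediate causal predecessors; empty = external input


# Constructed trace. Host 10.0.0.1 is first seen on s1 port1 (a1-a7). Later a packet
# with the same source address arrives on s1 port3 (a11); the host tracker rewrites the
# location binding (a13); a forwarding decision reads the poisoned binding (a16) and the
# rule for dst=10.0.0.1 is re-installed toward port3 (a18). a8-a10 are unrelated noise.
TRACE = [
    Activity("a1", "data", "packet_in", "s1 port1 src=10.0.0.1 dst=10.0.0.2"),
    Activity("a2", "control", "event_dispatch", "PacketIn -> HostTracker.handle", ("a1",)),
    Activity("a3", "control", "state_write", "HostTracker.location[10.0.0.1]=(s1,port1)", ("a2",)),
    Activity("a4", "control", "event_dispatch", "PacketIn -> Forwarding.handle", ("a1",)),
    Activity("a5", "control", "state_read", "HostTracker.location[10.0.0.1]", ("a4", "a3")),
    Activity("a6", "control", "flow_mod", "s1: dst=10.0.0.1 -> output:port1", ("a5",)),
    Activity("a7", "data", "flow_rule", "s1 rule#17 dst=10.0.0.1 output:port1", ("a6",)),
    Activity("a8", "data", "packet_in", "s2 port2 src=10.0.0.5 dst=10.0.0.6"),
    Activity("a9", "control", "event_dispatch", "PacketIn -> Forwarding.handle", ("a8",)),
    Activity("a10", "control", "flow_mod", "s2: dst=10.0.0.6 -> output:port4", ("a9",)),
    Activity("a11", "data", "packet_in", "s1 port3 src=10.0.0.1 dst=10.0.0.2"),
    Activity("a12", "control", "event_dispatch", "PacketIn -> HostTracker.handle", ("a11",)),
    Activity("a13", "control", "state_write", "HostTracker.location[10.0.0.1]=(s1,port3)", ("a12",)),
    Activity("a14", "data", "packet_in", "s1 port1 src=10.0.0.2 dst=10.0.0.1"),
    Activity("a15", "control", "event_dispatch", "PacketIn -> Forwarding.handle", ("a14",)),
    Activity("a16", "control", "state_read", "HostTracker.location[10.0.0.1]", ("a15", "a13")),
    Activity("a17", "control", "flow_mod", "s1: dst=10.0.0.1 -> output:port3", ("a16",)),
    Activity("a18", "data", "flow_rule", "s1 rule#17 dst=10.0.0.1 output:port3", ("a17",)),
]


def find_detection_points(trace, plane, kind, needle):
    """Locate the activities matching the analyst's detection point, e.g. every
    data-plane flow rule that carries the destination that lost connectivity."""
    return [a for a in trace if a.plane == plane and a.kind == kind and needle in a.detail]


def backtrack(trace, start_id):
    """Breadth-first walk over caused_by edges from the detection point.
    Returns the causal closure in trace order (oldest first)."""
    by_id = {a.aid: a for a in trace}
    seen = {start_id}
    queue = deque([start_id])
    while queue:
        cur = queue.popleft()
        for parent in by_id[cur].caused_by:
            if parent not in seen:
                seen.add(parent)
                queue.append(parent)
    order = {a.aid: i for i, a in enumerate(trace)}
    return sorted((by_id[i] for i in seen), key=lambda a: order[a.aid])


def root_causes(trace, start_id):
    """Activities in the closure with no recorded cause: the external inputs
    (here, data-plane packets) that ultimately produced the symptom."""
    return [a for a in backtrack(trace, start_id) if not a.caused_by]


def state_transitions(trace, start_id, variable):
    """Controller state writes on the causal path for one variable; the write that
    changed a binding points straight at the packet that triggered it."""
    return [a for a in backtrack(trace, start_id)
            if a.kind == "state_write" and variable in a.detail]


if __name__ == "__main__":
    symptom = find_detection_points(TRACE, "data", "flow_rule", "dst=10.0.0.1")[-1]
    for act in backtrack(TRACE, symptom.aid):
        print(f"{act.aid:>4} {act.plane:<7} {act.kind:<15} {act.detail}")
    print("roots:", [a.aid for a in root_causes(TRACE, symptom.aid)])
    print("binding writes:", [a.detail for a in state_transitions(TRACE, symptom.aid, "location[10.0.0.1]")])
```

Starting from the current rule for dst=10.0.0.1 (a18), the walk reaches only eight of the eighteen recorded activities and stops at two external inputs, the packet that rewrote the host binding (a11) and the legitimate packet whose forwarding decision consumed it (a14); the single `state_write` on the path shows which port the binding moved to and when. The earlier, correct binding (a1-a7) and the unrelated switch s2 activity (a8-a10) are never pulled in, which is the narrowing effect the abstract refers to.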
TITLE
Towards Fine-grained Network Security Forensics and Diagnosis in the SDN Era