Cyber Attacks Detection and Mitigation in SDN Environments

January 2018

abstract: Cyber-systems and networks are the target of different types of cyber-threats and attacks, which are becoming more common, sophisticated, and damaging. Those attacks can vary in the way they are performed. However, there are similar strategies and tactics often used because they are time-proven to be effective. The motivations behind cyber-attacks play an important role in designating how attackers plan and proceed to achieve their goals. Generally, there are three categories of motivation are: political, economical, and socio-cultural motivations. These indicate that to defend against possible attacks in an enterprise environment, it is necessary to consider what makes such an enterprise environment a target. That said, we can understand what threats to consider and how to deploy the right defense system. In other words, detecting an attack depends on the defenders having a clear understanding of why they become targets and what possible attacks they should expect. For instance, attackers may preform Denial of Service (DoS), or even worse Distributed Denial of Service (DDoS), with intention to cause damage to targeted organizations and prevent legitimate users from accessing their services. However, in some cases, attackers are very skilled and try to hide in a system undetected for a long period of time with the incentive to steal and collect data rather than causing damages. Nowadays, not only the variety of attack types and the way they are launched are important. However, advancement in technology is another factor to consider. Over the last decades, we have experienced various new technologies. Obviously, in the beginning, new technologies will have their own limitations before they stand out. There are a number of related technical areas whose understanding is still less than satisfactory, and in which long-term research is needed. On the other hand, these new technologies can boost the advancement of deploying security solutions and countermeasures when they are carefully adapted. That said, Software Defined Networking i(SDN), its related security threats and solutions, and its adaption in enterprise environments bring us new chances to enhance our security solutions. To reach the optimal level of deploying SDN technology in enterprise environments, it is important to consider re-evaluating current deployed security solutions in traditional networks before deploying them to SDN-based infrastructures. Although DDoS attacks are a bit sinister, there are other types of cyber-threats that are very harmful, sophisticated, and intelligent. Thus, current security defense solutions to detect DDoS cannot detect them. These kinds of attacks are complex, persistent, and stealthy, also referred to Advanced Persistent Threats (APTs) which often leverage the bot control and remotely access valuable information. APT uses multiple stages to break into a network. APT is a sort of unseen, continuous and long-term penetrative network and attackers can bypass the existing security detection systems. It can modify and steal the sensitive data as well as specifically cause physical damage the target system. In this dissertation, two cyber-attack motivations are considered: sabotage, where the motive is the destruction; and information theft, where attackers aim to acquire invaluable information (customer info, business information, etc). I deal with two types of attacks (DDoS attacks and APT attacks) where DDoS attacks are classified under sabotage motivation category, and the APT attacks are classified under information theft motivation category. To detect and mitigate each of these attacks, I utilize the ease of programmability in SDN and its great platform for implementation, dynamic topology changes, decentralized network management, and ease of deploying security countermeasures. / Dissertation/Thesis / Doctoral Dissertation Computer Science 2018

Computer science

Advanced Persistent Threats

Anomaly Detection

Cyber Attacks

Machine Learning

Software Defined Networking

Threats Detection

MARS: uma arquitetura para análise de malwares utilizando SDN. / MARS: an SDN-based malware analysis solution.

Ceron, João Marcelo

08 December 2017

Detectar e analisar malwares é um processo essencial para aprimorar os sistemas de segurança. As soluções atuais apresentam limitações no processo de investigação e detecção de códigos maliciosos sofisticados. Mais do que utilizar técnicas para evadir sistemas de análise, malwares sofisticados requerem condições específicas no ambiente em que são executados para revelar seu comportamento malicioso. Com o surgimento das Redes Definidas por Software (SDN), notou-se uma oportunidade para aprimorar o processo de investigação de malware propondo uma arquitetura flexível apta a detectar variações comportamentais de maneira automática. Esta tese apresenta uma arquitetura especializada para analisar códigos maliciosos que permite controlar de maneira unificada o ambiente de análise, incluindo o sandbox e os elementos que o circundam. Dessa maneira, é possível gerenciar regras de contenção, configuração dinâmica de recursos, e manipular o tráfego de rede gerado pelos malwares. Para avaliar a arquitetura foi analisado um conjunto de malwares em dois cenários de avaliação. No primeiro cenário de avaliação, as funcionalidades descritas pela solução proposta revelaram novos eventos comportamentais em 100% dos malwares analisados. Já, no segundo cenários de avaliação, foi analisado um conjunto de malwares projetados para dispositivos IoT. Em consequência, foi possível bloquear ataques, monitorar a comunicação do malware com seu controlador de botnet, e manipular comandos de ataques. / Mechanisms to detect and analyze malicious software are essential to improve security systems. Current security mechanisms have limited success in detecting sophisticated malicious software. More than to evade analysis system, many malware require specific conditions to activate their actions in the target system. The flexibility of Software-Defined Networking (SDN) provides an opportunity to develop a malware analysis architecture that can detect behavioral deviations in an automated way. This thesis presents a specialized architecture to analyze malware by managing the analysis environment in a centralized way, including to control the sandbox and the elements that surrounds it. The proposed architecture enables to determine the network access policy, to handle the analysis environment resource configuration, and to manipulate the network connections performed by the malware. To evaluate our solution we have analyzed a set of malware in two evaluation scenarios. In the first evaluation scenario, we showed that the mechanisms proposed have increased the number of behavioral events in 100% of the malware analyzed. In the second evaluation scenario, we have analyzed malware designed for IoT devices. As a result, by using the MARS features, it was possible to block attacks, to manipulate attack commands, and to enable the malware communication with the respective botnet controller. The experimental results showed that our solution can improve the dynamic malware analysis process by providing this configuration flexibility to the analysis environment.

Análise de Malware

Arquitetura de software

Dynamic analysis

Malware analysis

Software-defined networking

Migração de redes tradicionais para SDN / Migration of traditional networks to SDN

Barbosa, Renan Rodrigo

12 December 2018

Redes Definidas por Software são baseadas em características como separação entre plano de dados e plano de controle, programabilidade e monitoramento dos dispositivos, além de capacidade para teste e experimentação de novos protocolos. Embora boa parte dos conceitos dessas redes tenham sido propostos há mais de vinte e cinco anos, apenas recentemente houve um aumento no interesse pelo tópico. Esse aumento se deve principalmente ao maior poder computacional dos dispositivos e pelo surgimento do protocolo OpenFlow, proposto por um time de pesquisadores de Stanford em 2008 e considerado hoje em dia um padrão para a tecnologia. Embora o tema tenha nascido na academia, a indústria tem abraçado os conceitos e diversos fabricantes têm desenvolvido seus equipamentos com suporte ao OpenFlow. As vantagens trazidas com o OpenFlow como a pa- dronização do protocolo de comunicação entre os planos, capacidade de programação e coleta de métricas e suporte a criação de regras pró-ativas e reativas, por exemplo, fazem com que a migração de uma rede tradicional para esse novo paradigma se torne atraente. Entretanto, tal migração não é trivial. É necessário um planejamento prévio com análise dos riscos e benefícios, precisa haver acompanhamento de cada etapa da execução e validação posterior dos resultados apresentados pela rede migrada. Esta dissertação de mestrado apresenta um estudo sobre migração de tecnologias e protocolos de redes com foco na migração específica de redes tradicionais para SDN, utilizando o OpenFlow como protocolo. É apresentado um mecanismo que é capaz de analisar as configurações dos dispositivos da rede legada e convertê-las para regras de um controlador OpenFlow, possibi- litando a simulação de serviços e funcionalidades e facilitando as primeiras etapas da migração. Experimentos em ambiente de simulação mostram que uma SDN gerenciada pelo controlador confi- gurado com as regras dadas pelo mecanismo tem funcionamento equivalente àquele da rede original, não-SDN, de onde essa configuração foi extraída. / Software Defined Networks are based in characteristics such as detachment between the network data and control planes, network programmability and monitoring of the devices, as well as the ability to test and experiment new protocols. Although much of the concepts of these networks have been proposed more than twenty-five years ago, only recently has there been an interest increase for the topic. This increase is mainly due to the greater computing power of the devices and the emergence of the OpenFlow protocol, proposed by a team of Stanford researchers in 2008 and considered a standard for technology today. Although the theme was born in academia, the industry has embraced the concepts and several manufacturers have developed their equipment with OpenFlow support. The advantages of OpenFlow, such as the standardization of the communication protocol between planes, the ability to program and collect metrics, and the support for the creation of proactive and reactive rules, for example, mean that migration from a traditional network to new paradigm becomes attractive. However, such migration is not trivial. Prior planning is required with risk and benefit analysis, there must be monitoring of each stage of the execution and subsequent validation of the results presented by the migrated network. This dissertation presents a study on the migration of network technologies and protocols with focus on the specific migration of traditional networks to SDN, using OpenFlow as protocol. A mechanism is presented that is able to analyze the legacy network device settings and convert them to OpenFlow controller rules, enabling the simulation of services and features and facilitating the first steps of the migration. Experiments in the simulation environment show that a controller-managed SDN configured with the rules given by the mechanism has equivalent functionality to that of the original, non-SDN network from which this configuration was extracted from.

Migração de protocolos de rede

Network protocol migration

OpenFlow

OpenFlow

Redes definidas por software

Software defined networks

ASSESSMENT OF DISAGGREGATING THE SDN CONTROL PLANE

Adib Rastegarnia (7879706)

20 November 2019

Current SDN controllers have been designed based on a monolithic approach that integrates all of services and applications into one single, huge program. The monolithic design of SDN controllers restricts programmers who build management applications to specific programming interfaces and services that a given SDN controller provides, making application development dependent on the controller, and thereby restricting portability of management applications across controllers. Furthermore, the monolithic approach means an SDN controller must be recompiled whenever a change is made, and does not provide an easy way to add new functionality or scale to handle large networks. To overcome the weaknesses inherent in the monolithic approach, the next generation of SDN controllers must use a distributed, microservice architecture that disaggregates the control plane by dividing the monolithic controller into a set of cooperative microservices. Disaggregation allows a programmer to choose a programming language that is appropriate for each microservice. In this dissertation, we describe steps taken towards disaggregating the SDN control plane, consider potential ways to achieve the goal, and discuss the advantages and disadvantages of each. We propose a distributed architecture that disaggregates controller software into a small controller core and a set of cooperative microservices. In addition, we present a software defined network programming framework called Umbrella that provides a set of abstractions that programmers can use for writing of SDN management applications independent of NB APIs that SDN controllers provide. Finally, we present an intent-based network programming framework called OSDF to provide a high-level policy based API for programming of network devices using SDN. <br>

Networking and Communications

Software Defined Networking

OpenFlow

SDN Control Plane Disaggregation

Intent-based Networking

Programmable Networks

Development of a Software-Defined Integrated Circuit Test System Using a System Engineering Approach on a PXI Platform

Flores, Alfonso S

24 October 2008

There are various types of test performed on Integrated Circuits, (IC), for detecting and locating defects and faults during failure analysis. Functional, logic, parametric and IDDQ tests are among the most common. Functional IC tests are designed to verify whether the IC performs its intended function. Logic tests verify the logic operation of gates and registers. AC and DC parametric tests are used to measure time, voltage and current-varying parameters associated with the operational limits of the IC. Test parameters in parametric testing include, among others, propagation delay, operating current and signals rise and fall time. Currently, almost all ICs are manufactured or refurbished in Asia. A greater portion of the ICs are processed in China and Malaysia. Presently issues with component reliability are compromised since the ICs are not tested before they leave the factory, are sometimes only remarked with different part numbers and date codes or resold even though they do not work properly. These activities lead to a high level of uncertainty among consumers all over the world. The purpose of this research was the design of a software-defined semiconductor validation test system using the PCI eXtension for Instrumentation, (PXI), platform. The test system was to be capable of performing Open and Short Circuit Tests for CMOS components. Open and Short Circuit Tests verify for faults at the protection diode circuitry of CMOS chips level. The test system reduces the overall test timing compared to the tests performed by a functional instrument such as a curve tracer. PXI is a modular instrumentation platform originally introduced in 1997 by National Instruments, (NI). PXI is an open, PC-based platform for test, measurement and control. PXI possesses the highest bandwidth and lowest latency with modular inputs and outputs for high-resolution from DC to RF frequencies. PXI was designed for measurement and automation applications that require high-performance. Concepts associated with the Systems of Systems Engineering, (SoSE), approach were applied to this research in order to facilitate the design process for the test system. The objective was to apply Systems Engineering methodologies to the design of this particular test system.

Software-Defined Instrumentation

National Instruments

Semiconductor

Failure Analysis

Diode

Cost-of-the-Shelf

American Studies

Arts and Humanities

SDN-BASED MECHANISMS FOR PROVISIONING QUALITY OF SERVICE TO SELECTED NETWORK FLOWS

Alharbi, Faisal

01 January 2018

Despite the huge success and adoption of computer networks in the recent decades, traditional network architecture falls short of some requirements by many applications. One particular shortcoming is the lack of convenient methods for providing quality of service (QoS) guarantee to various network applications. In this dissertation, we explore new Software-Defined Networking (SDN) mechanisms to provision QoS to targeted network flows. Our study contributes to providing QoS support to applications in three aspects. First, we explore using alternative routing paths for selected flows that have QoS requirements. Instead of using the default shortest path used by the current network routing protocols, we investigate using the SDN controller to install forwarding rules in switches that can achieve higher bandwidth. Second, we develop new mechanisms for guaranteeing the latency requirement by those applications depending on timely delivery of sensor data and control signals. The new mechanism pre-allocates higher priority queues in routers/switches and reserves these queues for control/sensor traffic. Third, we explore how to make the applications take advantage of the opportunity provided by SDN. In particular, we study new transmission mechanisms for big data transfer in the cloud computing environment. Instead of using a single TCP path to transfer data, we investigate how to let the application set up multiple TCP paths for the same application to achieve higher throughput. We evaluate these new mechanisms with experiments and compare them with existing approaches.

Software Defined Networking

Quality of Service

Network Architecture

Multipath TCP

Computer Sciences

AUTOMATED NETWORK SECURITY WITH EXCEPTIONS USING SDN

Rivera Polanco, Sergio A.

01 January 2019

Campus networks have recently experienced a proliferation of devices ranging from personal use devices (e.g. smartphones, laptops, tablets), to special-purpose network equipment (e.g. firewalls, network address translation boxes, network caches, load balancers, virtual private network servers, and authentication servers), as well as special-purpose systems (badge readers, IP phones, cameras, location trackers, etc.). To establish directives and regulations regarding the ways in which these heterogeneous systems are allowed to interact with each other and the network infrastructure, organizations typically appoint policy writing committees (PWCs) to create acceptable use policy (AUP) documents describing the rules and behavioral guidelines that all campus network interactions must abide by. While users are the audience for AUP documents produced by an organization's PWC, network administrators are the responsible party enforcing the contents of such policies using low-level CLI instructions and configuration files that are typically difficult to understand and are almost impossible to show that they do, in fact, enforce the AUPs. In other words, mapping the contents of imprecise unstructured sentences into technical configurations is a challenging task that relies on the interpretation and expertise of the network operator carrying out the policy enforcement. Moreover, there are multiple places where policy enforcement can take place. For example, policies governing servers (e.g., web, mail, and file servers) are often encoded into the server's configuration files. However, from a security perspective, conflating policy enforcement with server configuration is a dangerous practice because minor server misconfigurations could open up avenues for security exploits. On the other hand, policies that are enforced in the network tend to rarely change over time and are often based on one-size-fits-all policies that can severely limit the fast-paced dynamics of emerging research workflows found in campus networks. This dissertation addresses the above problems by leveraging recent advances in Software-Defined Networking (SDN) to support systems that enable novel in-network approaches developed to support an organization's network security policies. Namely, we introduce PoLanCO, a human-readable yet technically-precise policy language that serves as a middle-ground between the imprecise statements found in AUPs and the technical low-level mechanisms used to implement them. Real-world examples show that PoLanCO is capable of implementing a wide range of policies found in campus networks. In addition, we also present the concept of Network Security Caps, an enforcement layer that separates server/device functionality from policy enforcement. A Network Security Cap intercepts packets coming from, and going to, servers and ensures policy compliance before allowing network devices to process packets using the traditional forwarding mechanisms. Lastly, we propose the on-demand security exceptions model to cope with the dynamics of emerging research workflows that are not suited for a one-size-fits-all security approach. In the proposed model, network users and providers establish trust relationships that can be used to temporarily bypass the policy compliance checks applied to general-purpose traffic -- typically by network appliances that perform Deep Packet Inspection, thereby creating network bottlenecks. We describe the components of a prototype exception system as well as experiments showing that through short-lived exceptions researchers can realize significant improvements for their special-purpose traffic.

Software-Defined Networking

Network Security

Policy Enforcement

Security Exceptions

Digital Communications and Networking

Systems and Communications

Neprekidnost sesije IP servisa kod heterogenih mobilnih mreža primenom softverski definisanih mreža / IP Session continuity in heterogeneous mobile networks using Software DefinedNetworking

Bojović Petar

28 January 2019

<p>Ova disertacija se bavi istraživanjem problema kontinuiteta IP<br />mrežnih sesija u oblasti komunikscija u mobilnim računarskim mrežama.<br />Cilj istraživanja u okviru ove doktorske disertacije je da se definiše<br />rešenje problema mobilnosti primenjivo na heterogene bežične mreže<br />primenom metode softverski definisanog umrežavanja. U okviru<br />istraživanja prikazana je i praktična implementacija predloženog<br />rešenja. Tokom istraživanja su dobijeni rezultati koji ukazuju na potrebu<br />integracije postojećih tradicionalnih bežičnih mreža sa softverski<br />definisanim mrežama. Osnovu predloženog rešenja predstavlja<br />inkrementslan pristup u pogledu uvođenja novih SDN funkcionslnosti u<br />bežične IP mreže. Kroz implementaciju minimalnog seta SDN<br />funkcionalnosti gradi se tzv. hibridni model SDN mreže. Glavni<br />doprinos ovog istraživanja se ogleda u definisanju postupka koji će<br />omogućiti da se prevaziđe problem mobilnosti u aktuelnom konceptu<br />heterogenih bežičnih računarskih mreža. Ovakav model rešenja, pruža<br />značajan doprinos i sa aspekta ulaganja u promenu infrastrukture u<br />bežičnim mrežama. Implementacijom hibridnog modela, redukuje se<br />potreba za potpunim, ali i značajnim, uvođenjem virtuelne<br />infrastrukture bazirane na fleksibilnim softverski definisanim<br />mrežama.</p> / <p>This dissertation investigates the problem of IP networking communication<br />sessions continuity in mobile computer networks. The aim of the research within<br />this doctoral dissertation is to define a solution to the mobility problem<br />applicable to heterogeneous wireless networks using the software-defined<br />networking method. The research also demonstrates the practical<br />implementation of the proposed solution. During the research were obtained<br />results that indicate the need for integration of software-defined networks into<br />existing traditional wireless networks. The basis of the proposed solution is an<br />incremental approach in terms of introducing new SDN functionality into<br />wireless IP networks. Through the implementation of the minimal set of SDN<br />functionality, the so-called hybrid model of the SDN network is being built. The<br />main contribution of this research is reflected in the definition of a process that<br />will allow to overcome the problem of mobility in the current concept of<br />heterogeneous wireless computing networks. This solution model, also provides<br />a significant contribution from the aspect of investing in the change of<br />infrastructure in wireless networks. Implementation of the hybrid model reduces<br />the need for a complete replacement with a virtual infrastructure based on<br />flexible software-defined networks.</p>

Leveraging Software-Defined Radio for a Scalable Wide-band Wireless Channel Measurement System

Jamison, James

01 January 2018

Wireless channel characterization is important for determining both the requirements for a wireless system and its resulting reliability. Wireless systems are becoming ever more pervasive and thus are expected to operate in increasingly more cluttered environments. While these devices may be fixed in location, the channel is still far from ideal due to multipath. Under such conditions, it is desirable to have a means of taking wireless channel measurements in a low-cost and distributed manner, which is not always possible using typical channel measurement equipment. This thesis leverages a software-defined radio (SDR) platform to perform wideband wireless channel measurements. Specifically, the system can measure the scalar frequency response of a wireless channel in a distributed manner and provides measurements with an average mean-squared error of 0.018 % σ and a median error not exceeding 0.631 dB when compared to measurements taken with a vector network analyzer. This accuracy holds true in a highly multipath environment, with a measurement range of ~40 dB. The system is also capable of scaling to multiple wireless links which will be measured simultaneously (up to three links are demonstrated). After validating the measurement system, a measurement campaign is undertook using the system in a highly multipath environment to demonstrate a possible application of the system.

Channel Measurement

Measurement System

Multipath

SDR

Software Defined Radio

Wireless Channel Measurement

Electrical and Electronics

Utilizing a Game Theoretical Approach to Prevent Collusion and Incentivize Cooperation in Cybersecurity Contexts

Unknown Date

In this research, a new reputation-based model is utilized to disincentivize collusion of defenders and attackers in Software Defined Networks (SDN), and also, to disincentivize dishonest mining strategies in Blockchain. In the context of SDN, the model uses the reputation values assigned to each entity to disincentivize collusion with an attacker. Our analysis shows that not-colluding actions become Nash Equilibrium using the reputationbased model within a repeated game setting. In the context of Blockchain and mining, we illustrate that by using the same socio-rational model, miners not only are incentivized to conduct honest mining but also disincentivized to commit to any malicious activities against other mining pools. We therefore show that honest mining strategies become Nash Equilibrium in our setting. This thesis is laid out in the following manner. In chapter 2 an introduction to game theory is provided followed by a survey of previous works in game theoretic network security, in chapter 3 a new reputation-based model is introduced to be used within the context of a Software Defined Network (SDN), in chapter 4 a reputation-based solution concept is introduced to force cooperation by each mining entity in Blockchain, and finally, in chapter 5, the concluding remarks and future works are presented. / Includes bibliography. / Thesis (M.S.)--Florida Atlantic University, 2017. / FAU Electronic Theses and Dissertations Collection

Blockchain

Cybersecurity