Software-defined networks (SDNs) have fundamentally altered the way in which networks and the systems built upon them are created and maintained. The ability to rapidly deploy and reconfigure SDNs and their supported services allow organizations to be agile in addressing changing needs and threats. Moreover, when deployed together with Network Function Virtualization (NFV), SDN enables network services such as firewalls, network intrusion detection systems (NIDS), and load balancers to be abstracted from the physical infrastructure that they are deployed on, thereby greatly simplifying service composition and scaling. However, as SDNs become widely adopted, the issue of security emerges. On the one hand, the logically centralized view of SDN eases defenses against traditional IP-network attacks such as port scanning and firewall probing. On the other hand, SDN introduces new opportunities for adversarial reconnaissance, which is a family of techniques that allow insider and outsider attackers to use the network behavior and control-plane messaging to infer the structure, configuration, and vulnerabilities of the target SDN. To secure future networks against such attackers, this project proposes to develop a systematic understanding of the techniques, capabilities, fundamental limits, and countermeasures of adversarial reconnaissance in SDNs.
The project plans to develop systematic modeling and analysis of reconnaissance techniques and enabled attacks in SDNs. The objectives of such reconnaissance include the covert extraction of the policies (e.g., rule replacement policy) and the states (e.g., network congestion state, link loads) at both the network level and the service level. The project plans to achieve these objectives by developing and evaluating explicit inference algorithms that can learn the internal parameters of the target SDN from easily obtainable measurements, with concrete efforts focused on host-based reconnaissance of the internal parameters of switches, as well as switch-based reconnaissance of the internal logic and state of important control applications. To understand the consequence of adversarial reconnaissance, the project also plans to develop and evaluate intelligent attacks that make use of the network parameters learned during reconnaissance. The general objective of such attacks is to minimize the risk of detection while causing measurable damage, with concrete efforts focused on intelligent host-based attacks that design attack flows to achieve the optimal tradeoff between attack performance and cost, as well as intelligent switch-based attacks that exploit the learned logic and state of the target control application (e.g., load balancer) to manipulate its decisions. This work will develop new theories, algorithms, methodologies, evaluation harnesses, and online tools by combining network science with security analysis in concert with simulated and real-world experiments. Its outcome will advance the science and practice of SDN security and vulnerability analysis and enhance the security of future SDNs by motivating attack-resilient designs. The work will also support education at the participating institution and develop workforce expertise in SDN and security analysis, as well as fostering the PIs' already active efforts in Broadening Participation in Computing.
This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.
|Effective start/end date||3/15/20 → 2/28/23|
- National Science Foundation: $500,000.00