Forensic investigation of link fabrication attack in software defined networks / Suleman Khan

Bibliographic Details
Main Author: Suleman , Khan
Format: Thesis
Published: 2017
Subjects: QA75 Electronic computers. Computer science; QA76 Computer software
Online Access:http://studentsrepo.um.edu.my/11729/2/Suleman.pdf
http://studentsrepo.um.edu.my/11729/1/Suleman_Khan.pdf
http://studentsrepo.um.edu.my/11729/
Institution: Universiti Malaya
Description: Software Defined Networking (SDN) is an emergent network architecture with the distinctive feature of decoupling the infrastructure plane from the control plane. SDN gives the applications running on top of the controller network-wide visibility by executing a topology discovery module. However, adversaries try to exploit the controller's visibility because it centrally manages the entire network. SDN suffers from topology vulnerabilities because security was not a concern in the initial development of the architecture. Thus, the existing vulnerabilities in the controller attract adversaries to exploit SDN for various illegitimate purposes. For instance, the controller lacks an authentication mechanism to differentiate between legitimate and spoofed Link Layer Discovery Protocol (LLDP) packets. The topology discovery module uses LLDP packets to determine links between switches, which in turn lets the controller build the network topology. A legitimate network topology is of utmost importance in SDN because adversaries can inject fake links between switches to fabricate the network topology. The fabrication of fake links in the network topology is called a Link Fabrication Attack (LFA). An LFA is carried out by malicious switches and hosts that spoof LLDP packets to generate fake links between switches. The fake links are used for numerous illegitimate purposes, including eavesdropping, diverting legitimate traffic, and dropping packets. Techniques exist to detect fake links, but they fail to identify the real source of the attack. Thus, SDN needs a forensic method that not only detects fake links but also determines their real source.

Therefore, we propose a forensic-based investigation method (FoR-Guard) to detect fake links and determine the real source of the LFA. FoR-Guard is composed of three main phases: trigger; Detection and Source Identification (DeSI); and validation. The trigger phase raises an alarm message to the DeSI phase when it observes a fake link generated between switches; it uses the Malicious Index Record (MIR) of the switches to decide when to trigger. The DeSI phase detects fake links between switches by checking the Link Communication Direction (LCD) of the respective link and the MIR information of the respective switch. Afterwards, a traceback mechanism identifies the cause of the attack by determining the malicious host connected to the switch. The validation phase verifies the true source of the attack using probability and entropy measurements. Furthermore, FoR-Guard is compared with state-of-the-art LFA detection mechanisms in terms of controller processing time, and the comparison shows that the forensic-based investigation method reduces the controller's processing time significantly. Results show that FoR-Guard reduces the controller processing time to 30.03 microseconds, compared with 89.94 and 68.49 microseconds for TopoGuard and Sphinx respectively, for 10 switches with 20 fake links out of 50 links in total. Different experiments show that FoR-Guard uses at most 35 microseconds to detect up to 20 fake links in any network topology, which is significant compared with the controller processing time of TopoGuard and Sphinx. Hence, FoR-Guard provides an efficient, comprehensive forensic-based solution for SDN.
Date: 2017-01 (thesis, non-peer-reviewed)
Citation: Suleman, Khan (2017) Forensic investigation of link fabrication attack in software defined networks / Suleman Khan. PhD thesis, University of Malaya. http://studentsrepo.um.edu.my/11729/
Collection: UM Student Repository (Institutional Repository), UM Library, Universiti Malaya, Malaysia
Repository URL: http://studentsrepo.um.edu.my/