TY - GEN
T1 - Mitigating New-Flow Attack with SDNSnapshot in P4-based SDN
AU - Cai, Yun Zhan
AU - Lin, Ting Yu
AU - Wang, Yu Ting
AU - Tuan, Ya Pei
AU - Tsai, Meng Hsun
N1 - Funding Information:
This work was supported by the Center for Open Intelligent Connectivity through the Featured Areas Research Center Program within the Framework of the Higher Education Sprout Project by the Ministry of Education in Taiwan. The work of M.-H. Tsai was supported in part by NCKU-Accton joint research center, and in part by the MOST under Grant 110-2221-E-006-016- and 111-2221-E-006-160-.
Publisher Copyright:
© 2022 IEICE.
PY - 2022
Y1 - 2022
N2 - In software-defined networking (SDN), emerging new-flow attacks aim at exhausting the resources of switches and controllers through massive packet-in messages. To detect new-flow attacks, SDNGuardian was proposed as a protocol-independent defense method, which uses entropy to detect anomalies and mitigate attacks with rate limits. In this paper, we introduce a crafty new-flow attack named timeout-aware attack that SDNGuardian cannot detect. We, therefore, propose a novel defense method: SDNSnapshot. Through simulations, we show that SDNSnapshot can successfully detect the timeout-aware attack. The number of dropped benign packet-in messages in SDNSnapshot is around one third of that in SDNGuardian. Besides, a snapshot only consumes 0.9Mb static random access memory (SRAM) for each anomalous sensitive field. The results indicate that SDNSnapshot is a feasible solution to mitigate new-flow attacks in practice.
AB - In software-defined networking (SDN), emerging new-flow attacks aim at exhausting the resources of switches and controllers through massive packet-in messages. To detect new-flow attacks, SDNGuardian was proposed as a protocol-independent defense method, which uses entropy to detect anomalies and mitigate attacks with rate limits. In this paper, we introduce a crafty new-flow attack named timeout-aware attack that SDNGuardian cannot detect. We, therefore, propose a novel defense method: SDNSnapshot. Through simulations, we show that SDNSnapshot can successfully detect the timeout-aware attack. The number of dropped benign packet-in messages in SDNSnapshot is around one third of that in SDNGuardian. Besides, a snapshot only consumes 0.9Mb static random access memory (SRAM) for each anomalous sensitive field. The results indicate that SDNSnapshot is a feasible solution to mitigate new-flow attacks in practice.
UR - http://www.scopus.com/inward/record.url?scp=85142072342&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85142072342&partnerID=8YFLogxK
U2 - 10.23919/APNOMS56106.2022.9919925
DO - 10.23919/APNOMS56106.2022.9919925
M3 - Conference contribution
AN - SCOPUS:85142072342
T3 - APNOMS 2022 - 23rd Asia-Pacific Network Operations and Management Symposium: Data-Driven Intelligent Management in the Era of beyond 5G
BT - APNOMS 2022 - 23rd Asia-Pacific Network Operations and Management Symposium
PB - Institute of Electrical and Electronics Engineers Inc.
T2 - 23rd Asia-Pacific Network Operations and Management Symposium, APNOMS 2022
Y2 - 28 September 2022 through 30 September 2022
ER -