Mitigating New-Flow Attack with SDNSnapshot in P4-based SDN

Yun Zhan Cai; Ting Yu Lin; Yu Ting Wang; Ya Pei Tuan; Meng Hsun Tsai

doi:10.23919/APNOMS56106.2022.9919925

Mitigating New-Flow Attack with SDNSnapshot in P4-based SDN

Yun Zhan Cai, Ting Yu Lin, Yu Ting Wang, Ya Pei Tuan, Meng Hsun Tsai

Department of Computer Science and Information Engineering

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

In software-defined networking (SDN), emerging new-flow attacks aim at exhausting the resources of switches and controllers through massive packet-in messages. To detect new-flow attacks, SDNGuardian was proposed as a protocol-independent defense method, which uses entropy to detect anomalies and mitigate attacks with rate limits. In this paper, we introduce a crafty new-flow attack named timeout-aware attack that SDNGuardian cannot detect. We, therefore, propose a novel defense method: SDNSnapshot. Through simulations, we show that SDNSnapshot can successfully detect the timeout-aware attack. The number of dropped benign packet-in messages in SDNSnapshot is around one third of that in SDNGuardian. Besides, a snapshot only consumes 0.9Mb static random access memory (SRAM) for each anomalous sensitive field. The results indicate that SDNSnapshot is a feasible solution to mitigate new-flow attacks in practice.

Original language	English
Title of host publication	APNOMS 2022 - 23rd Asia-Pacific Network Operations and Management Symposium
Subtitle of host publication	Data-Driven Intelligent Management in the Era of beyond 5G
Publisher	Institute of Electrical and Electronics Engineers Inc.
ISBN (Electronic)	9784885523397
DOIs	https://doi.org/10.23919/APNOMS56106.2022.9919925
Publication status	Published - 2022
Event	23rd Asia-Pacific Network Operations and Management Symposium, APNOMS 2022 - Takamatsu, Japan Duration: 2022 Sept 28 → 2022 Sept 30

Publication series

Name	APNOMS 2022 - 23rd Asia-Pacific Network Operations and Management Symposium: Data-Driven Intelligent Management in the Era of beyond 5G

Conference

Conference	23rd Asia-Pacific Network Operations and Management Symposium, APNOMS 2022
Country/Territory	Japan
City	Takamatsu
Period	22-09-28 → 22-09-30

All Science Journal Classification (ASJC) codes

Computer Networks and Communications
Hardware and Architecture
Information Systems and Management

Access to Document

10.23919/APNOMS56106.2022.9919925

Cite this

Cai, Y. Z., Lin, T. Y., Wang, Y. T., Tuan, Y. P., & Tsai, M. H. (2022). Mitigating New-Flow Attack with SDNSnapshot in P4-based SDN. In APNOMS 2022 - 23rd Asia-Pacific Network Operations and Management Symposium: Data-Driven Intelligent Management in the Era of beyond 5G (APNOMS 2022 - 23rd Asia-Pacific Network Operations and Management Symposium: Data-Driven Intelligent Management in the Era of beyond 5G). Institute of Electrical and Electronics Engineers Inc.. https://doi.org/10.23919/APNOMS56106.2022.9919925

Cai, Yun Zhan ; Lin, Ting Yu ; Wang, Yu Ting et al. / Mitigating New-Flow Attack with SDNSnapshot in P4-based SDN. APNOMS 2022 - 23rd Asia-Pacific Network Operations and Management Symposium: Data-Driven Intelligent Management in the Era of beyond 5G. Institute of Electrical and Electronics Engineers Inc., 2022. (APNOMS 2022 - 23rd Asia-Pacific Network Operations and Management Symposium: Data-Driven Intelligent Management in the Era of beyond 5G).

@inproceedings{cad3835c691246ce9c60e38529c6b215,

title = "Mitigating New-Flow Attack with SDNSnapshot in P4-based SDN",

abstract = "In software-defined networking (SDN), emerging new-flow attacks aim at exhausting the resources of switches and controllers through massive packet-in messages. To detect new-flow attacks, SDNGuardian was proposed as a protocol-independent defense method, which uses entropy to detect anomalies and mitigate attacks with rate limits. In this paper, we introduce a crafty new-flow attack named timeout-aware attack that SDNGuardian cannot detect. We, therefore, propose a novel defense method: SDNSnapshot. Through simulations, we show that SDNSnapshot can successfully detect the timeout-aware attack. The number of dropped benign packet-in messages in SDNSnapshot is around one third of that in SDNGuardian. Besides, a snapshot only consumes 0.9Mb static random access memory (SRAM) for each anomalous sensitive field. The results indicate that SDNSnapshot is a feasible solution to mitigate new-flow attacks in practice.",

author = "Cai, {Yun Zhan} and Lin, {Ting Yu} and Wang, {Yu Ting} and Tuan, {Ya Pei} and Tsai, {Meng Hsun}",

note = "Publisher Copyright: {\textcopyright} 2022 IEICE.; 23rd Asia-Pacific Network Operations and Management Symposium, APNOMS 2022 ; Conference date: 28-09-2022 Through 30-09-2022",

year = "2022",

doi = "10.23919/APNOMS56106.2022.9919925",

language = "English",

series = "APNOMS 2022 - 23rd Asia-Pacific Network Operations and Management Symposium: Data-Driven Intelligent Management in the Era of beyond 5G",

publisher = "Institute of Electrical and Electronics Engineers Inc.",

booktitle = "APNOMS 2022 - 23rd Asia-Pacific Network Operations and Management Symposium",

address = "United States",

}

Cai, YZ, Lin, TY, Wang, YT, Tuan, YP & Tsai, MH 2022, Mitigating New-Flow Attack with SDNSnapshot in P4-based SDN. in APNOMS 2022 - 23rd Asia-Pacific Network Operations and Management Symposium: Data-Driven Intelligent Management in the Era of beyond 5G. APNOMS 2022 - 23rd Asia-Pacific Network Operations and Management Symposium: Data-Driven Intelligent Management in the Era of beyond 5G, Institute of Electrical and Electronics Engineers Inc., 23rd Asia-Pacific Network Operations and Management Symposium, APNOMS 2022, Takamatsu, Japan, 22-09-28. https://doi.org/10.23919/APNOMS56106.2022.9919925

Mitigating New-Flow Attack with SDNSnapshot in P4-based SDN. / Cai, Yun Zhan; Lin, Ting Yu; Wang, Yu Ting et al.
APNOMS 2022 - 23rd Asia-Pacific Network Operations and Management Symposium: Data-Driven Intelligent Management in the Era of beyond 5G. Institute of Electrical and Electronics Engineers Inc., 2022. (APNOMS 2022 - 23rd Asia-Pacific Network Operations and Management Symposium: Data-Driven Intelligent Management in the Era of beyond 5G).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

TY - GEN

T1 - Mitigating New-Flow Attack with SDNSnapshot in P4-based SDN

AU - Cai, Yun Zhan

AU - Lin, Ting Yu

AU - Wang, Yu Ting

AU - Tuan, Ya Pei

AU - Tsai, Meng Hsun

PY - 2022

Y1 - 2022

N2 - In software-defined networking (SDN), emerging new-flow attacks aim at exhausting the resources of switches and controllers through massive packet-in messages. To detect new-flow attacks, SDNGuardian was proposed as a protocol-independent defense method, which uses entropy to detect anomalies and mitigate attacks with rate limits. In this paper, we introduce a crafty new-flow attack named timeout-aware attack that SDNGuardian cannot detect. We, therefore, propose a novel defense method: SDNSnapshot. Through simulations, we show that SDNSnapshot can successfully detect the timeout-aware attack. The number of dropped benign packet-in messages in SDNSnapshot is around one third of that in SDNGuardian. Besides, a snapshot only consumes 0.9Mb static random access memory (SRAM) for each anomalous sensitive field. The results indicate that SDNSnapshot is a feasible solution to mitigate new-flow attacks in practice.

AB - In software-defined networking (SDN), emerging new-flow attacks aim at exhausting the resources of switches and controllers through massive packet-in messages. To detect new-flow attacks, SDNGuardian was proposed as a protocol-independent defense method, which uses entropy to detect anomalies and mitigate attacks with rate limits. In this paper, we introduce a crafty new-flow attack named timeout-aware attack that SDNGuardian cannot detect. We, therefore, propose a novel defense method: SDNSnapshot. Through simulations, we show that SDNSnapshot can successfully detect the timeout-aware attack. The number of dropped benign packet-in messages in SDNSnapshot is around one third of that in SDNGuardian. Besides, a snapshot only consumes 0.9Mb static random access memory (SRAM) for each anomalous sensitive field. The results indicate that SDNSnapshot is a feasible solution to mitigate new-flow attacks in practice.

UR - http://www.scopus.com/inward/record.url?scp=85142072342&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85142072342&partnerID=8YFLogxK

U2 - 10.23919/APNOMS56106.2022.9919925

DO - 10.23919/APNOMS56106.2022.9919925

M3 - Conference contribution

AN - SCOPUS:85142072342

T3 - APNOMS 2022 - 23rd Asia-Pacific Network Operations and Management Symposium: Data-Driven Intelligent Management in the Era of beyond 5G

BT - APNOMS 2022 - 23rd Asia-Pacific Network Operations and Management Symposium

PB - Institute of Electrical and Electronics Engineers Inc.

T2 - 23rd Asia-Pacific Network Operations and Management Symposium, APNOMS 2022

Y2 - 28 September 2022 through 30 September 2022

ER -

Cai YZ, Lin TY, Wang YT, Tuan YP, Tsai MH. Mitigating New-Flow Attack with SDNSnapshot in P4-based SDN. In APNOMS 2022 - 23rd Asia-Pacific Network Operations and Management Symposium: Data-Driven Intelligent Management in the Era of beyond 5G. Institute of Electrical and Electronics Engineers Inc. 2022. (APNOMS 2022 - 23rd Asia-Pacific Network Operations and Management Symposium: Data-Driven Intelligent Management in the Era of beyond 5G). doi: 10.23919/APNOMS56106.2022.9919925

Mitigating New-Flow Attack with SDNSnapshot in P4-based SDN

Abstract

Publication series

Conference

All Science Journal Classification (ASJC) codes

Access to Document

Other files and links

Fingerprint

Cite this