
SDN Malicious Switch Detection Technology

Posted on: 2018-07-25
Degree: Master
Type: Thesis
Country: China
Candidate: W H Q Yu
Full Text: PDF
GTID: 2348330563451187
Subject: Computer Science and Technology
Abstract/Summary:
SDN malicious switch detection is a new research direction in SDN network security and an essential part of SDN security defense. It aims to detect malicious behavior of switches in an SDN. Existing techniques for detecting abnormal behavior of malicious SDN switches are statistical counting based on OpenFlow counters and active probing for flow tracing. The former monitors aggregate statistics on the forwarding plane in order to find malicious forwarding behavior in those statistics, but the monitored information is too coarse to cover the variety of malicious behaviors. The latter tracks a single forwarded flow and analyzes how it changes as it passes through the SDN network, but it is difficult to cover the whole SDN data plane this way. In addition, on the problem of locating multiple malicious SDN switches, only a few studies propose excluding suspicious or non-suspicious switches to shrink the set of monitored objects. That approach assumes that the malicious switch's behavior is sustained and stable and attempts to pinpoint the exact location of the malicious switch, which has little value in practical deployments and cannot handle multiple malicious switches that collude. As SDN is deployed and applied more widely, its security problems become more serious, and effective technology for detecting malicious forwarding behavior and locating the malicious switch in an SDN is urgently needed. This thesis therefore studies new techniques for detecting malicious forwarding behavior and locating malicious switches in the SDN environment. The main contributions are:

1. A uniform-hash-sampling data plane extraction technique, sFlow-UHS, is proposed. At present, the data plane forwarding information extraction techniques used for SDN malicious forwarding behavior detection are statistical information extraction based on OpenFlow flow table counters and active flow detection. Although these techniques have been improved in time complexity and accuracy, they have difficulty detecting more kinds of malicious behavior and covering the whole network. Based on an analysis of what data plane forwarding information is needed to characterize malicious switch behavior, an sFlow-based uniform hash sampling technique (sFlow-UHS) suited to detecting malicious switch behavior in SDN networks is proposed. The information extracted by sFlow-UHS captures the statistical features of switch behavior, the integrity of individual packets and the integrity of the packet sequence. Experimental results show that sFlow-UHS can effectively detect packet loss, traffic modification and traffic disorder.

2. A covert-flow-label and random-sampling flow forwarding tracking technique, CR-FTT, is proposed. Because the data plane extraction techniques above are concerned with the forwarding behavior of a flow along its own path, they have difficulty monitoring forwarding behavior in which the flow leaves its original path. For effective detection of traffic replication, traffic misrouting and traffic fabrication appearing at the wrong switch, CR-FTT is proposed. Inspired by covert channel techniques that hide information in protocol header fields, a covert flow label is embedded into the flow, and traffic replication, misrouting and fabrication are detected by randomly sampling packets at every port of all switches. Experimental results show that CR-FTT can effectively detect traffic replication, misrouting and fabrication at a given sampling rate with a low false negative rate.

3. An off-line detection model for multiple malicious switches supporting multiple accuracies is proposed. The problem of detecting malicious switches is transformed into that of detecting suspicious sub-paths at some accuracy, and the concept of accuracy is introduced. Two accuracy-based detection models for multiple malicious switches are designed: the 2-accurate anomaly detection model (2-AADM) and the k+2-accurate anomaly detection model (k+2-AADM). Both models are independent of the specific information extraction technique. To handle multiple malicious switches that collude and fabricate data plane information, 2-AADM locates a malicious switch with accuracy 2, i.e. within a suspicious sub-path of length 2, and k+2-AADM locates it with accuracy k+2, i.e. within a suspicious sub-path of length k+2. Experimental results show that 2-AADM and k+2-AADM can effectively hit multiple malicious SDN switches within the stated accuracy.

4. A prototype system, SDN-MSD, for detecting malicious switches in SDN is designed and implemented. A simulated SDN environment is built, and the ability of SDN-MSD to detect malicious forwarding behavior and malicious switches is verified. Experimental results show that SDN-MSD effectively detects packet loss, traffic modification, traffic disorder and other malicious forwarding behaviors, and that the detection system combining sFlow-UHS with 2-AADM and k+2-AADM can hit multiple colluding malicious switches with a given accuracy and a low false negative rate.
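The abstract's core idea in contributions 1 and 3, consistent hash sampling at every hop so that per-switch reports can be compared packet by packet, and narrowing a disagreement between adjacent reports to a 2-switch sub-path, is illustrated below. This is an added example, not the thesis's sFlow-UHS or 2-AADM implementation: the packet fields hashed, the sampling rule (keep a packet when a SHA-256 prefix mod 16 is below 8), the report layout and the three-switch scenario are all assumptions made for the example.

```python
# Added illustration of consistent (uniform) hash sampling across the hops of an
# SDN path and of 2-switch sub-path localization. Not the thesis's code; packet
# format, sampling rule, report layout and scenario are assumptions.
import hashlib

SAMPLE_MODULUS = 16   # assumed rule: keep a packet when hash % 16 < SAMPLE_KEEP
SAMPLE_KEEP = 8       # i.e. a 50% sampling rate for the constructed traffic


def packet_key(pkt):
    """Hash input: only header fields that no honest hop rewrites (no TTL, no
    checksum, no MACs), so every switch makes the same keep/drop decision."""
    return "|".join(str(pkt[f]) for f in ("src", "dst", "sport", "dport", "ipid")).encode()


def sampled(pkt):
    digest = hashlib.sha256(packet_key(pkt)).digest()
    return int.from_bytes(digest[:4], "big") % SAMPLE_MODULUS < SAMPLE_KEEP


def observe(packets):
    """A switch's report: (key, payload digest) of the forwarded packets that
    fall in the sample, in forwarding order."""
    return [(packet_key(p), hashlib.sha256(p["payload"]).hexdigest())
            for p in packets if sampled(p)]


def compare_hops(up, down):
    """Compare an upstream switch's report with the next hop's report."""
    up_map, down_map = dict(up), dict(down)
    lost = [k for k, _ in up if k not in down_map]            # sampled upstream, gone downstream
    injected = [k for k, _ in down if k not in up_map]        # appears downstream only
    modified = [k for k, d in up if k in down_map and down_map[k] != d]  # same key, payload changed
    # Sequence integrity: packets seen by both hops must appear in the same order.
    order_up = [k for k, _ in up if k in down_map]
    order_down = [k for k, _ in down if k in up_map]
    return {"lost": lost, "injected": injected, "modified": modified,
            "disordered": order_up != order_down}


def locate(path_reports):
    """path_reports: [(switch_id, report), ...] in path order. Returns the
    2-switch sub-paths whose reports disagree. Either switch of a pair may be
    the liar (a malicious switch can fabricate its own report), so comparing
    adjacent reports only narrows the culprit to a pair: accuracy 2."""
    suspicious = []
    for (a, ra), (b, rb) in zip(path_reports, path_reports[1:]):
        res = compare_hops(ra, rb)
        if res["lost"] or res["injected"] or res["modified"] or res["disordered"]:
            suspicious.append((a, b))
    return suspicious


def make_packets(n):
    """Constructed flow: n packets of one TCP connection with distinct IP-IDs."""
    return [{"src": "10.0.0.1", "dst": "10.0.0.2", "sport": 40000, "dport": 443,
             "ipid": i, "payload": b"payload-%d" % i} for i in range(1, n + 1)]


def build_scenario():
    """Constructed path s1 -> s2 -> s3: s2 drops one sampled packet and rewrites
    another's payload; s3 swaps two sampled packets. Returns the per-switch
    reports and the keys of the tampered packets."""
    flow = make_packets(32)
    victims = [p for p in flow if sampled(p)][:4]   # tamper with sampled packets so it is visible
    dropped, modified, swap_a, swap_b = victims

    out_s1 = list(flow)                                             # honest ingress switch
    out_s2 = [dict(p, payload=b"tampered") if p is modified else p  # malicious: modify one
              for p in out_s1 if p is not dropped]                  # malicious: drop one
    out_s3 = list(out_s2)                                           # malicious: reorder two
    i, j = out_s3.index(swap_a), out_s3.index(swap_b)
    out_s3[i], out_s3[j] = out_s3[j], out_s3[i]

    reports = [("s1", observe(out_s1)), ("s2", observe(out_s2)), ("s3", observe(out_s3))]
    keys = {"dropped": packet_key(dropped), "modified": packet_key(modified),
            "swapped": (packet_key(swap_a), packet_key(swap_b))}
    return reports, keys


if __name__ == "__main__":
    reports, keys = build_scenario()
    for (a, ra), (b, rb) in zip(reports, reports[1:]):
        print(a, "->", b, compare_hops(ra, rb))
    print("suspicious sub-paths:", locate(reports))
```

Because the sampling decision depends only on header fields that an honest switch never rewrites, a packet that is sampled at one hop is sampled at every hop it reaches, which is what makes per-packet comparison of loss, modification and ordering possible at a fraction of the traffic. Tampering with the hashed header fields shows up as a loss plus an injection at the same hop, and a switch that lies in its own report simply moves the disagreement to the neighbouring pair, which is why the localization above stops at a sub-path of two switches.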
Keywords/Search Tags: Software Defined Network, Malicious Switch, Malicious Behavior Detection, Counter Statistics, Active Flow Detection, Malicious Switch Location