vSwitchGuard: Defending OpenFlow Switches Against Saturation Attacks

While the decoupling of control and data planes in software-defined networking (SDN) facilitates orchestrating network traffic, it suffers from security threats. For example, saturation attacks can make SDN out of service by exhausting the controller' and switch's computational resources. The existing research has focused on defense against limited types of saturation attacks. In this paper, we propose vSwitchGuard, a framework for detection and countermeasure of known and unknown saturation attacks in SDN. vSwitchGuard aims to identify the victim switches targeted by known or unknown types of saturation attacks with machine learning classifiers and restore the victim switches to their safe state through deep packet inspection. We have evaluated three supervised classifiers and four semi-supervised classifiers for five types of saturation attacks (TCP-SYN, UDP, ICMP, IP-Spoofing, and TCP-SARFU) and their combinations. The results suggest that supervised and semi-supervised classifiers can be combined to deal with known and unknown attacks for better performance. We have also implemented the countermeasure and evaluated it with all combinations of the five types of attacks. The results demonstrate that vSwitchGuard can effectively defend against the attacks without significant performance overhead.