VSwitchGuard: Defending OpenFlow Switches against Saturation Attacks

Samer Khamaiseh; Edoardo Serra; Dianxiang Xu

doi:10.1109/COMPSAC48688.2020.0-157

VSwitchGuard: Defending OpenFlow Switches against Saturation Attacks

Samer Khamaiseh, Edoardo Serra, Dianxiang Xu

Computer Science Department

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

21 Scopus citations

Abstract

While the decoupling of control and data planes in software-defined networking (SDN) facilitates orchestrating network traffic, it suffers from security threats. For example, saturation attacks can make SDN out of service by exhausting the controller' and switch's computational resources. The existing research has focused on defense against limited types of saturation attacks. In this paper, we propose vSwitchGuard, a framework for detection and countermeasure of known and unknown saturation attacks in SDN. vSwitchGuard aims to identify the victim switches targeted by known or unknown types of saturation attacks with machine learning classifiers and restore the victim switches to their safe state through deep packet inspection. We have evaluated three supervised classifiers and four semi-supervised classifiers for five types of saturation attacks (TCP-SYN, UDP, ICMP, IP-Spoofing, and TCP-SARFU) and their combinations. The results suggest that supervised and semi-supervised classifiers can be combined to deal with known and unknown attacks for better performance. We have also implemented the countermeasure and evaluated it with all combinations of the five types of attacks. The results demonstrate that vSwitchGuard can effectively defend against the attacks without significant performance overhead.

Original language	English
Title of host publication	Proceedings - 2020 IEEE 44th Annual Computers, Software, and Applications Conference, COMPSAC 2020
Editors	W. K. Chan, Bill Claycomb, Hiroki Takakura, Ji-Jiang Yang, Yuuichi Teranishi, Dave Towey, Sergio Segura, Hossain Shahriar, Sorel Reisman, Sheikh Iqbal Ahamed
Publisher	Institute of Electrical and Electronics Engineers Inc.
Pages	851-860
Number of pages	10
ISBN (Electronic)	9781728173030
DOIs	https://doi.org/10.1109/COMPSAC48688.2020.0-157
State	Published - Jul 2020
Event	44th IEEE Annual Computers, Software, and Applications Conference, COMPSAC 2020 - Virtual, Madrid, Spain Duration: 13 Jul 2020 → 17 Jul 2020

Publication series

Name	Proceedings - 2020 IEEE 44th Annual Computers, Software, and Applications Conference, COMPSAC 2020

Conference

Conference	44th IEEE Annual Computers, Software, and Applications Conference, COMPSAC 2020
Country/Territory	Spain
City	Virtual, Madrid
Period	13/07/20 → 17/07/20

Keywords

DoS attacks
machine learning
OpenFlow
saturation attack
Software-defined networking

Access to Document

10.1109/COMPSAC48688.2020.0-157

Cite this

Khamaiseh, S., Serra, E., & Xu, D. (2020). VSwitchGuard: Defending OpenFlow Switches against Saturation Attacks. In W. K. Chan, B. Claycomb, H. Takakura, J.-J. Yang, Y. Teranishi, D. Towey, S. Segura, H. Shahriar, S. Reisman, & S. I. Ahamed (Eds.), Proceedings - 2020 IEEE 44th Annual Computers, Software, and Applications Conference, COMPSAC 2020 (pp. 851-860). Article 9202486 (Proceedings - 2020 IEEE 44th Annual Computers, Software, and Applications Conference, COMPSAC 2020). Institute of Electrical and Electronics Engineers Inc.. https://doi.org/10.1109/COMPSAC48688.2020.0-157

Khamaiseh, Samer ; Serra, Edoardo ; Xu, Dianxiang. / VSwitchGuard : Defending OpenFlow Switches against Saturation Attacks. Proceedings - 2020 IEEE 44th Annual Computers, Software, and Applications Conference, COMPSAC 2020. editor / W. K. Chan ; Bill Claycomb ; Hiroki Takakura ; Ji-Jiang Yang ; Yuuichi Teranishi ; Dave Towey ; Sergio Segura ; Hossain Shahriar ; Sorel Reisman ; Sheikh Iqbal Ahamed. Institute of Electrical and Electronics Engineers Inc., 2020. pp. 851-860 (Proceedings - 2020 IEEE 44th Annual Computers, Software, and Applications Conference, COMPSAC 2020).

@inproceedings{fca3f15a2f1e464e9900b497122b3edb,

title = "VSwitchGuard: Defending OpenFlow Switches against Saturation Attacks",

abstract = "While the decoupling of control and data planes in software-defined networking (SDN) facilitates orchestrating network traffic, it suffers from security threats. For example, saturation attacks can make SDN out of service by exhausting the controller' and switch's computational resources. The existing research has focused on defense against limited types of saturation attacks. In this paper, we propose vSwitchGuard, a framework for detection and countermeasure of known and unknown saturation attacks in SDN. vSwitchGuard aims to identify the victim switches targeted by known or unknown types of saturation attacks with machine learning classifiers and restore the victim switches to their safe state through deep packet inspection. We have evaluated three supervised classifiers and four semi-supervised classifiers for five types of saturation attacks (TCP-SYN, UDP, ICMP, IP-Spoofing, and TCP-SARFU) and their combinations. The results suggest that supervised and semi-supervised classifiers can be combined to deal with known and unknown attacks for better performance. We have also implemented the countermeasure and evaluated it with all combinations of the five types of attacks. The results demonstrate that vSwitchGuard can effectively defend against the attacks without significant performance overhead.",

keywords = "DoS attacks, machine learning, OpenFlow, saturation attack, Software-defined networking",

author = "Samer Khamaiseh and Edoardo Serra and Dianxiang Xu",

note = "Publisher Copyright: {\textcopyright} 2020 IEEE.; 44th IEEE Annual Computers, Software, and Applications Conference, COMPSAC 2020 ; Conference date: 13-07-2020 Through 17-07-2020",

year = "2020",

month = jul,

doi = "10.1109/COMPSAC48688.2020.0-157",

language = "English",

series = "Proceedings - 2020 IEEE 44th Annual Computers, Software, and Applications Conference, COMPSAC 2020",

publisher = "Institute of Electrical and Electronics Engineers Inc.",

pages = "851--860",

editor = "Chan, {W. K.} and Bill Claycomb and Hiroki Takakura and Ji-Jiang Yang and Yuuichi Teranishi and Dave Towey and Sergio Segura and Hossain Shahriar and Sorel Reisman and Ahamed, {Sheikh Iqbal}",

booktitle = "Proceedings - 2020 IEEE 44th Annual Computers, Software, and Applications Conference, COMPSAC 2020",

}

Khamaiseh, S, Serra, E & Xu, D 2020, VSwitchGuard: Defending OpenFlow Switches against Saturation Attacks. in WK Chan, B Claycomb, H Takakura, J-J Yang, Y Teranishi, D Towey, S Segura, H Shahriar, S Reisman & SI Ahamed (eds), Proceedings - 2020 IEEE 44th Annual Computers, Software, and Applications Conference, COMPSAC 2020., 9202486, Proceedings - 2020 IEEE 44th Annual Computers, Software, and Applications Conference, COMPSAC 2020, Institute of Electrical and Electronics Engineers Inc., pp. 851-860, 44th IEEE Annual Computers, Software, and Applications Conference, COMPSAC 2020, Virtual, Madrid, Spain, 13/07/20. https://doi.org/10.1109/COMPSAC48688.2020.0-157

VSwitchGuard: Defending OpenFlow Switches against Saturation Attacks. / Khamaiseh, Samer; Serra, Edoardo; Xu, Dianxiang.
Proceedings - 2020 IEEE 44th Annual Computers, Software, and Applications Conference, COMPSAC 2020. ed. / W. K. Chan; Bill Claycomb; Hiroki Takakura; Ji-Jiang Yang; Yuuichi Teranishi; Dave Towey; Sergio Segura; Hossain Shahriar; Sorel Reisman; Sheikh Iqbal Ahamed. Institute of Electrical and Electronics Engineers Inc., 2020. p. 851-860 9202486 (Proceedings - 2020 IEEE 44th Annual Computers, Software, and Applications Conference, COMPSAC 2020).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - VSwitchGuard

T2 - 44th IEEE Annual Computers, Software, and Applications Conference, COMPSAC 2020

AU - Khamaiseh, Samer

AU - Serra, Edoardo

AU - Xu, Dianxiang

PY - 2020/7

Y1 - 2020/7

N2 - While the decoupling of control and data planes in software-defined networking (SDN) facilitates orchestrating network traffic, it suffers from security threats. For example, saturation attacks can make SDN out of service by exhausting the controller' and switch's computational resources. The existing research has focused on defense against limited types of saturation attacks. In this paper, we propose vSwitchGuard, a framework for detection and countermeasure of known and unknown saturation attacks in SDN. vSwitchGuard aims to identify the victim switches targeted by known or unknown types of saturation attacks with machine learning classifiers and restore the victim switches to their safe state through deep packet inspection. We have evaluated three supervised classifiers and four semi-supervised classifiers for five types of saturation attacks (TCP-SYN, UDP, ICMP, IP-Spoofing, and TCP-SARFU) and their combinations. The results suggest that supervised and semi-supervised classifiers can be combined to deal with known and unknown attacks for better performance. We have also implemented the countermeasure and evaluated it with all combinations of the five types of attacks. The results demonstrate that vSwitchGuard can effectively defend against the attacks without significant performance overhead.

AB - While the decoupling of control and data planes in software-defined networking (SDN) facilitates orchestrating network traffic, it suffers from security threats. For example, saturation attacks can make SDN out of service by exhausting the controller' and switch's computational resources. The existing research has focused on defense against limited types of saturation attacks. In this paper, we propose vSwitchGuard, a framework for detection and countermeasure of known and unknown saturation attacks in SDN. vSwitchGuard aims to identify the victim switches targeted by known or unknown types of saturation attacks with machine learning classifiers and restore the victim switches to their safe state through deep packet inspection. We have evaluated three supervised classifiers and four semi-supervised classifiers for five types of saturation attacks (TCP-SYN, UDP, ICMP, IP-Spoofing, and TCP-SARFU) and their combinations. The results suggest that supervised and semi-supervised classifiers can be combined to deal with known and unknown attacks for better performance. We have also implemented the countermeasure and evaluated it with all combinations of the five types of attacks. The results demonstrate that vSwitchGuard can effectively defend against the attacks without significant performance overhead.

KW - DoS attacks

KW - machine learning

KW - OpenFlow

KW - saturation attack

KW - Software-defined networking

UR - http://www.scopus.com/inward/record.url?scp=85094099340&partnerID=8YFLogxK

U2 - 10.1109/COMPSAC48688.2020.0-157

DO - 10.1109/COMPSAC48688.2020.0-157

M3 - Conference contribution

AN - SCOPUS:85094099340

T3 - Proceedings - 2020 IEEE 44th Annual Computers, Software, and Applications Conference, COMPSAC 2020

SP - 851

EP - 860

BT - Proceedings - 2020 IEEE 44th Annual Computers, Software, and Applications Conference, COMPSAC 2020

A2 - Chan, W. K.

A2 - Claycomb, Bill

A2 - Takakura, Hiroki

A2 - Yang, Ji-Jiang

A2 - Teranishi, Yuuichi

A2 - Towey, Dave

A2 - Segura, Sergio

A2 - Shahriar, Hossain

A2 - Reisman, Sorel

A2 - Ahamed, Sheikh Iqbal

PB - Institute of Electrical and Electronics Engineers Inc.

Y2 - 13 July 2020 through 17 July 2020

ER -

Khamaiseh S, Serra E, Xu D. VSwitchGuard: Defending OpenFlow Switches against Saturation Attacks. In Chan WK, Claycomb B, Takakura H, Yang JJ, Teranishi Y, Towey D, Segura S, Shahriar H, Reisman S, Ahamed SI, editors, Proceedings - 2020 IEEE 44th Annual Computers, Software, and Applications Conference, COMPSAC 2020. Institute of Electrical and Electronics Engineers Inc. 2020. p. 851-860. 9202486. (Proceedings - 2020 IEEE 44th Annual Computers, Software, and Applications Conference, COMPSAC 2020). doi: 10.1109/COMPSAC48688.2020.0-157

VSwitchGuard: Defending OpenFlow Switches against Saturation Attacks

Abstract

Publication series

Conference

Keywords

Access to Document

Other files and links

Fingerprint

Cite this