Research Article
A Framework for Real-Time Intrusion Response in Software Defined Networking Using Precomputed Graphical Security Models

Taehoon Eom,1 Jin B. Hong,2 SeongMo An,1 Jong Sou Park,1 and Dong Seong Kim3

1 Department of Computer Engineering, Korea Aerospace University, Goyang, Republic of Korea
2 Department of Computer Science and Software Engineering, University of Western Australia, Perth, Australia
3 School of Information Technology and Electrical Engineering, The University of Queensland, Brisbane, Australia

Correspondence should be addressed to Taehoon Eom; eomth86@gmail.com

Received 17 August 2019; Revised 28 December 2019; Accepted 14 January 2020; Published 18 February 2020

Academic Editor: Stelvio Cimato

Copyright © 2020 Taehoon Eom et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

Software defined networking (SDN) has been adopted in many application domains because it allows the network flow to be controlled dynamically, more robustly and more economically than in traditional networks. To strengthen the security of the SDN against cyber attacks, many security solutions have been proposed; these solutions need to be compared in order to optimize the security of the SDN. To assess and evaluate the security of the SDN systematically, one can use graphical security models (e.g., attack graphs and attack trees). However, their high computational complexity makes it difficult to provide a defense against an attack in real time. In this paper, we propose a real-time intrusion response for SDN that uses precomputation to estimate the likelihood of future attack paths from an ongoing attack. We also take SDN-specific components into account in the security assessment; these are not captured when only the components of a conventional network are modeled. Our experimental analysis shows that we can estimate the possible attack paths of an ongoing attack and mitigate it in real time, and it shows the security metrics that depend on the flow table, including the SDN components. Hence, the proposed approach can be used to provide effective real-time mitigation for securing SDN.

Hindawi, Security and Communication Networks, Volume 2020, Article ID 7235043, 15 pages, https://doi.org/10.1155/2020/7235043

1. Introduction

One of the key functionalities of an SDN (software defined networking) is to allow network administrators to dynamically change the logical network topology in real time [1, 2]. This is achieved by separating control from data forwarding onto the control plane and the data plane, respectively. Moreover, network disruptions have a minimal impact on performance when the SDN dynamically reconfigures the network topology [3], which allows administrators to balance load more efficiently in real time. These SDN functionalities also allow new security mechanisms to be designed and deployed, such as moving target defense (MTD) systems, which require continuous changes to the network [4, 5]. However, the SDN also introduces new networking components (e.g., SDN controllers and forwarding devices), which open new attack vectors for attackers to exploit [6].

There are various techniques developed to protect the SDN from attacks, such as DELTA [7], a security evaluation framework; Athena [8], an anomaly detection development framework; and research on predicting attack patterns using machine learning [9]. However, one must assess their effectiveness in order to optimize the security of the SDN. One approach is to use graphical security models (such as attack graphs (AG) and attack trees (AT)) to evaluate the security of the SDN [10–13]; they provide an in-depth analysis of the security (e.g., various attack scenarios and multihop attack paths) as well as a means to compute optimal countermeasures [14]. Applying this approach to an SDN environment also requires incorporating the new SDN components into the security assessment, which were not previously captured and analyzed. In addition, intrusion detection systems may not always detect ongoing attacks in real time, causing a delay between the initiation of an attack and the response. Hence, the attacker could already be within reach of the target, so countermeasure efforts should focus on deterring the attacker from reaching the target rather than on hardening the point of detection. To do this, we must generate and analyze all possible attack paths, which can be used to understand the targets the attacker is trying to compromise. However, computing all possible attack paths suffers from scalability and adaptability problems [15, 16]. Therefore, we need a technique that can evaluate all possible attack paths more efficiently while taking the new SDN components into account in the security assessment.

To address these problems, we propose a precomputation approach in which the SDN components are incorporated into a graphical security model, namely the hierarchical attack representation model (HARM) [17], to assess the security of the SDN in real time. The precomputed HARM allows us to evaluate all possible attack paths before an attack is detected; at the point of detection, this is used to estimate the attacker's possible paths and to formulate effective countermeasures. In particular, we use a full AG [18–20] to generate the precomputed attack scenarios for the evaluation, and we use an attack scenario in which an attacker from outside tries to break in to steal data. Once these attack paths are identified, we take into account the case where the delay of the intrusion detection mechanism is longer than the attack time. The precomputed full AG is used to identify the relevant attack paths, which are then evaluated to deploy the relevant countermeasures. We further conduct an experimental analysis to demonstrate that the proposed approach can trace an attack with delayed detection and mitigate an ongoing attack in real time. The contributions of this paper are summarized as follows:

(i) To conduct a security assessment for the SDN that takes into account the new SDN components and their associated attack vectors.

(ii) To generate precomputed attack scenarios using a full AG for real-time security assessment and countermeasures in the SDN.

(iii) To propose response and prevention for ongoing intrusions that take into account the delays observed in attack detection mechanisms.

(iv) To conduct an experimental analysis that demonstrates the feasibility of the proposed approach for mitigating an ongoing attack with delayed detection in the SDN.

The rest of the paper is organized as follows. Section 2 presents the overall framework and flowchart, and Section 3 details how each module works. Section 4 presents the precomputation of attack scenarios and the prediction of future attack scenarios. The experimental analysis is presented in Section 5. The discussion and limitations are presented in Section 6, and Section 7 presents the related work. Finally, Section 8 concludes the paper.

2. A Framework for Real-Time Intrusion Response in SDN

To overcome the limitations of IDSes, we propose a precomputed graphical security model (GSM) for real-time intrusion response in SDN. The general steps are as follows: (1) collect configuration information of the SDN, including security vulnerabilities and node connections/dependencies; (2) input the gathered information to generate the GSM for security assessment; (3) collect intrusion detection data from the SDN; and (4) compute an effective attack response by selecting the optimal countermeasure. The relationships between these steps are shown in Figure 1, and the workflow of the framework is presented in Figure 2.

2.1. SDN Configuration. To evaluate the security posture of the SDN, we first need to collect the required security information. The two main inputs are the vulnerabilities associated with each SDN component and their connectivity/dependency. The vulnerability information can be gathered using vulnerability scanning tools such as Nessus [21] and OpenVAS [22]. The component dependencies can be gathered from the flow table and the SDN controller settings. This information is then sent to the security modeling and analysis module.

The SDN also contains IDSes. Any detected intrusions are forwarded directly to the intrusion detection module. Note that IDSes are typically not placed on all SDN components (e.g., because of cost), so the attack scenario can be even more complex and unpredictable in SDNs with very sparse IDS coverage.

2.2. Security Modeling and Analysis. Using the inputs from the SDN configuration module, we generate a GSM [10, 11]. For example, the hierarchical attack representation model (HARM) is a scalable and adaptable GSM [17], which we use in this paper (we have selected the HARM for demonstration, but other GSMs can be used as well; selecting an appropriate GSM is out of scope here). GSMs can take into account various security vulnerabilities and compute the attack scenarios associated with different dependencies. However, they still suffer from a scalability problem as the network grows, hence the need for a precomputation technique to achieve real-time attack response. The precomputed security assessment information is sent to the attack response module, where it is used when an intrusion is detected.

2.3. Intrusion Detection. The IDSes in the SDN collect intrusion logs, which this module processes: it analyzes the raw intrusion detection data, the attack information (e.g., type of attack), and its associated metadata (e.g., location, time), and forwards the result to the attack response module. Although this module tries to detect attacks accurately and quickly, we cannot rely on it being real time and fully accurate.

2.4. Attack Response. The attack response module is one of our main contributions: the impact of an attack is evaluated taking into account the intrusions detected and the location of the attack. For instance, if an attack is detected in a subnet that contains many vulnerable computers, the impact may be that one or more of those computers are compromised soon after. Consequently, the goal of the attack response module is to reduce the impact of the attack by quickly locating it, estimating the damage, and isolating the attack from progressing further.

3. Real-Time Intrusion Response in SDN

3.1. SDN Configuration. To demonstrate the usability of the proposed solution, we use the running example shown in Figure 3. The toy example includes nine nodes in the data plane (i.e., six virtual machines (VMs) and three switches). Table 1 shows the flow table defined in the SDN.

We assume that only the VMs on the web server are connected to the Internet and that the attacker is located outside the SDN (i.e., no attackers inside the SDN). The proposed solution is also applicable to inside attackers, as it takes into account both security models and IDSes; however, we initially focus on attackers outside the SDN. The role of the VMs is to provide services within and to external users (e.g., an enterprise network built on the SDN). For example, a user requesting a service will access VM1, VM2, or VM3, located on the web server.

If there is no problem with the system, it operates as follows. A user sends a request to the system that requires data stored in a database (e.g., VM6). To serve it, a VM on the web server (e.g., VM1) requests the data through a VM on the app server (e.g., VM4) for all valid requests. The request is then passed to VM6 for processing. Finally, the requested data are returned to the user through the VMs that processed the request (in this instance, VM6, VM4, and VM1).

There are two redundancy connections, between VM1 and SW2 and between VM5 and SW1, to continue providing functionality in an emergency (e.g., a burst of requests or a DDoS attack). However, if the attacker compromises the SDN controller, these redundant connections can be used to form additional attack paths. Based on the SDN configuration and settings, the operating system and vulnerabilities of each node can be found, as shown in Table 2. For simplicity, we chose only a few vulnerabilities per node (OS vulnerabilities for the VMs and an OpenFlow vulnerability for each SDN switch), but all vulnerabilities can be modeled as in [23].

[Figure 1: Framework for real-time intrusion response in SDN. Control plane: SDN controller. Modules: SDN configuration (network vulnerability information collection; system/network event collection) feeds Security modeling and analysis (which forwards reachability and model calculation time) and Intrusion detection (which forwards attack information and detection time) to Attack response (defense policy enforcement; change of the flow table). Data plane: Server1 (VM1, VM2, VM3), Server2 (VM4, VM5), Server3 (VM6), switches SW1 to SW3, and the Internet.]

[Figure 2: Overall system flowchart. Attacker: the attacker attempts to attack; attack time (t_A) calculation. IDS: the defender detects the attack; if detection is not perfect, check whether there is a false alarm, apply the false alarm rate and compute the attack detection rate; attack detection time (t_D) calculation. Security modeling: if a precomputed security model exists, search it, otherwise calculate it; security model configuration time (t_S) calculation. Attack reactor: countermeasure application time (t_C) calculation; compare t_A with t_D + t_S + t_C; if reconfiguration is possible on all nodes, select a node with t_A > t_D + t_S + t_C among all nodes, otherwise among the reconfigurable nodes; apply the reconfiguration (flow table).]

3.2. Security Modeling and Analysis

3.2.1. Common Vulnerability Scoring System (CVSS). To measure the severity of vulnerabilities, we use the CVSS base score (BS) [24]. First, we mention a few key updates in CVSS v3 relative to v2: the base vector takes "User Interaction" and "Privileges Required" into consideration, "Physical" has been added to the attack vector, the confidentiality, integrity, and availability measures have changed from None/Partial/Complete to None/Low/High, and "Access Complexity" has been renamed "Attack Complexity". The following equations, which are those of the CVSS v2 base score (the scores in Table 2 follow them), compute the base score, denoted "BS" (equation (1)); "IM" denotes the Impact Metric (equation (2)) and "E" the Exploitability Metric (equation (3)):

$$BS = (0.6 \times IM + 0.4 \times E - 1.5) \times f(IM) \tag{1}$$

$$IM = 10.41 \times \bigl(1 - (1 - C) \times (1 - I) \times (1 - A)\bigr) \tag{2}$$

$$E = 20 \times AC \times AU \times AV \tag{3}$$

Here $C$, $I$, and $A$ are the confidentiality, integrity, and availability impact weights; $AC$, $AU$, and $AV$ are the access complexity, authentication, and access vector weights; and $f(IM)$ is 0 when $IM = 0$ and 1.176 otherwise.

Following the risk computation in [5], we use the CVSS BS to compute the system risk as in equation (4) (i.e., the system risk is a product of the impact and the probability of an attack). To compute the system security risk, we need the probability of attack success and the impact. Here we take the probability of attack success from the base score of each vulnerability (Table 2), as in equation (5), and use the impact metric directly from the CVSS.

[Figure 3: Example SDN configuration. Control plane: SDN controller. Data plane: web server (VM1, VM2, VM3), application server (VM4, VM5), database (VM6), switches SW1, SW2, SW3, and the Internet. Legend: SDN control protocol (e.g., OpenFlow); physical/logical connection on the data plane; redundancy connection.]

Table 1: The flow table. Match fields are the ingress port, source, and destination; * matches any value.

SW ID | In port | Src | Dst  | Action          | Priority
SW1   | 1       | *   | *    | Forward port 2  | 1
SW1   | 2       | *   | VM4  | Forward port 3  | 1
SW1   | 2       | *   | VM5  | Forward port 3  | 1
SW1   | 4       | *   | VM5  | Forward port 5  | 3
SW1   | *       | *   | VM6  | Drop            | 9
SW2   | 1       | *   | *    | Forward port 2  | 1
SW2   | 2       | *   | VM6  | Forward port 3  | 3
SW2   | 4       | VM1 | VM4  | Forward port 2  | 3
SW2   | 4       | VM1 | VM5  | Forward port 2  | 3
SW2   | *       | *   | VM6  | Drop            | 2
SW3   | 1       | *   | VM6  | Forward port 2  | 1

Table 2: Operating system and vulnerabilities of each node.

Node | OS           | CVE ID         | CVSS BS | Impact
VM1  | Windows 7    | CVE-2013-0013  | 5.8     | 4.9
VM1  | Windows 7    | CVE-2012-0001  | 9.3     | 10.0
VM2  | Windows 7    | CVE-2015-0006  | 6.1     | 4.7
VM2  | Windows 7    | CVE-2015-1675  | 9.3     | 10.0
VM3  | Linux        | CVE-2012-4546  | 4.3     | 2.9
VM3  | Linux        | CVE-2014-0100  | 9.3     | 8.2
VM4  | Windows 7    | CVE-2017-8495  | 6.0     | 4.8
VM4  | Windows 7    | CVE-2017-8717  | 9.3     | 10.0
VM5  | Linux        | CVE-2015-7312  | 4.4     | 2.9
VM5  | Linux        | CVE-2015-4002  | 9.0     | 8.5
VM6  | Linux        | CVE-2017-0626  | 4.3     | 2.9
VM6  | Linux        | CVE-2017-6264  | 9.3     | 8.2
SW1  | OpenFlow 2.5 | CVE-2014-5035  | 6.8     | 6.4
SW2  | OpenFlow 2.7 | CVE-2017-9263  | 6.5     | 6.5
SW3  | OpenFlow 2.8 | CVE-2017-14970 | 5.9     | 6.8

$$Risk_{Vul} = IM \times P_{attack} \tag{4}$$

$$P_{attack} = \frac{BS}{10} \tag{5}$$

3.2.2. Attack Graph for SDN. Here we describe the AG used to model the SDN, which captures the sequence of vulnerabilities to be exploited to achieve the attack goal. We assume that the attack goal is to execute arbitrary code on VM6. First, we define an AG as follows.

Definition 1. An AG is a directed graph $AG = (V, E)$, where $V$ is a finite set of vulnerabilities in the networked system and $E \subseteq V \times V$ is a set of edges; a pair of vulnerabilities $(v_i, v_j)$ with $v_i, v_j \in V$ and $v_i \ne v_j$ is an edge $v_i \to v_j$ iff $post(v_i) \models pre(v_j)$, i.e., the postcondition of $v_i$ satisfies the precondition of $v_j$.

Given the definition above, we can generate an AG that maps the attack scenarios of the example SDN, as shown in Figure 4. Given the model and the risk calculation steps above, we can compute the system risk associated with the example SDN. For instance, the attacker can exploit the vulnerabilities WV1 and WV2 specified in Table 2 for the Windows 7-based VMs (for VM1, WV1 is CVE-2013-0013 and WV2 is CVE-2012-0001). If the attacker exploits WV1, then $Risk_{WV1} = 4.9 \times 0.58 = 2.842$ (the impact 4.9 multiplied by the attack probability 0.58). Similarly, $Risk_{WV2} = 10.0 \times 0.93 = 9.3$, $Risk_{LV1} = 2.9 \times 0.43 = 1.247$ and $Risk_{LV2} = 8.5 \times 0.90 = 7.65$ for the Linux vulnerabilities, and $Risk_{OFV1} = 6.4 \times 0.68 = 4.352$ for the OpenFlow vulnerability of SW1.
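As an added worked example, not code from the paper, the following Python recomputes the CVSS v2 base score of equations (1) to (3) from a vector string and then the risk of equations (4) and (5), reproducing the Table 2 values for VM1's two CVEs and the Risk_WV1 and Risk_WV2 figures above. The CVSS v2 vectors attached to CVE-2013-0013 and CVE-2012-0001 are assumed here as illustrative input (the paper gives only the resulting scores); the zero-impact case of f(IM) and the vector parser's rejection of malformed input are the edge cases a practitioner would want covered before feeding scanner output into a risk model.

```python
"""CVSS v2 base score (equations (1)-(3)) and vulnerability risk (equations (4)-(5))
for the entries of Table 2. Added example; the CVE vectors below are assumed input."""

# CVSS v2 metric weights. The constants 10.41, 20, 1.5 and f(IM) in the paper's
# equations are exactly the v2 base-score equation, so these are the v2 weights.
AV = {"L": 0.395, "A": 0.646, "N": 1.0}       # access vector
AC = {"H": 0.35, "M": 0.61, "L": 0.71}        # access complexity
AU = {"M": 0.45, "S": 0.56, "N": 0.704}       # authentication
CIA = {"N": 0.0, "P": 0.275, "C": 0.660}      # confidentiality / integrity / availability impact

REQUIRED = {"AV", "AC", "Au", "C", "I", "A"}


def parse_vector(vector):
    """'AV:N/AC:M/Au:N/C:P/I:P/A:N' -> dict. Rejects malformed or incomplete
    vectors instead of failing with a KeyError inside the arithmetic."""
    metrics = {}
    for part in vector.split("/"):
        name, _, value = part.partition(":")
        if not name or not value:
            raise ValueError(f"malformed metric {part!r}")
        metrics[name] = value
    missing = REQUIRED - metrics.keys()
    if missing:
        raise ValueError(f"vector lacks {sorted(missing)}")
    return metrics


def impact_metric(c, i, a):
    """Equation (2)."""
    return 10.41 * (1 - (1 - CIA[c]) * (1 - CIA[i]) * (1 - CIA[a]))


def exploitability_metric(av, ac, au):
    """Equation (3)."""
    return 20 * AC[ac] * AU[au] * AV[av]


def f_impact(im):
    """f(IM) of equation (1): 0 when there is no impact at all, 1.176 otherwise."""
    return 0.0 if im == 0 else 1.176


def base_score(vector):
    """Equation (1). Returns (BS, IM, E), each rounded to one decimal as NVD publishes them."""
    m = parse_vector(vector)
    im = impact_metric(m["C"], m["I"], m["A"])
    e = exploitability_metric(m["AV"], m["AC"], m["Au"])
    bs = (0.6 * im + 0.4 * e - 1.5) * f_impact(im)
    return round(bs, 1), round(im, 1), round(e, 1)


def attack_probability(bs):
    """Equation (5): P_attack = BS / 10."""
    return bs / 10


def vulnerability_risk(im, bs):
    """Equation (4): Risk_Vul = IM x P_attack, rounded as the paper's worked values are."""
    return round(im * attack_probability(bs), 3)


# Table 2 rows for VM1 (CVE id, assumed CVSS v2 vector, BS, Impact). The vectors are
# illustrative input chosen so that the recomputed scores match the table.
TABLE2_VM1 = [
    ("CVE-2013-0013", "AV:N/AC:M/Au:N/C:P/I:P/A:N", 5.8, 4.9),
    ("CVE-2012-0001", "AV:N/AC:M/Au:N/C:C/I:C/A:C", 9.3, 10.0),
]


def risk_table(rows=TABLE2_VM1):
    """Recompute BS and IM from each vector and return {cve: (BS, IM, Risk_Vul)}."""
    out = {}
    for cve, vector, _bs_table, _im_table in rows:
        bs, im, _e = base_score(vector)
        out[cve] = (bs, im, vulnerability_risk(im, bs))
    return out


if __name__ == "__main__":
    for cve, (bs, im, risk) in risk_table().items():
        print(f"{cve}: BS={bs} IM={im} Risk={risk}")
```

Running it prints BS 5.8 / IM 4.9 / Risk 2.842 for CVE-2013-0013 and BS 9.3 / IM 10.0 / Risk 9.3 for CVE-2012-0001, matching Table 2 and the worked values above; the rounding happens before the risk product, which is why the table values rather than the unrounded metrics reproduce the paper's figures.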

3.3. Intrusion Detection. In this section, we take into account the time factor when an attack has been detected. An ongoing attack may have progressed further by the time it is detected; therefore, it is important to consider which attack scenarios matter in order to mitigate the attack. In general, attack detection should be treated probabilistically (Bayesian reasoning over detector output), but here we assume that the detection mechanisms in the SDN are correct (e.g., detection mechanisms such as those in [25–28]). Under a probabilistic treatment, attack detection is comparable to applying the Threshold Random Walk with Credit-Based connection rate limiting (TRW-CB) algorithm of [28], which reports a detection rate of 92.54% and a false alarm rate of 7.48%.

Figure 5 shows the detection of a successful attack at VM2. Given that the attacker has not yet progressed further, the SDN administrator can deploy countermeasures. For example, we change the flow table rules to drop all outgoing packets of VM2, disabling any further attacks from it. Figure 5(b) shows the result of the countermeasure.

However, if the detection of the attack has been delayed (i.e., the attack is detected after a time t has passed since the actual attack event), the attacker will have progressed beyond compromising VM2 in our example. This is depicted in Figure 6(a): the attacker has successfully compromised SW1 after compromising VM2, but the attack detection only alerted the SDN administrator to the attacker's progress at VM2. To predict the current attack scenario, we use the full AG and focus on all possible attack paths from the detection point, as shown in Figure 6(c). Using the flow table rule change as the countermeasure, our approach is to cut the attack paths up to h hops away, where h is the number of hops from the node where the attack was first detected. For example, disabling paths up to 2 hops gives the result in Figure 6(b). As a result, we disable the attacker's further attack paths, at the cost of some loss of SDN functionality. This shows that we can still maintain some functionality of the SDN while disabling potential ongoing attacks. We investigate how security is affected further in Section 5.

3.4. Attack Response. The SDN can manipulate the data-plane flow using the flow table. Therefore, when an attack occurs in the SDN environment, it is possible to block the attack path by modifying the flow table, in addition to the response methods (e.g., patching a vulnerability) used in conventional networks. However, if the response is delayed, the attacker may succeed in exploiting the next target before the defense is in place. We consider the system loss and the cost of action based on the relationship between the attacker's attack time and the defender's response time, under the following assumptions. First, attack detection (IDS) is complete and all nodes can be monitored at the same time. Second, all network flows can be changed using the flow table. Third, the devices and software that make up the SDN do not change. The attack time and response time we use are defined as follows.

Definition 2. The attack time $t_A$ is the time taken for an attacker to succeed in attacking the next host connected to the current location.

Definition 3. The response time is $t_R = t_D + t_S + t_C$. Here, $t_D$ is the time taken to detect an attacker's attack attempt on a host (attack detection time), $t_S$ is the time taken to calculate the security model in real time or to retrieve it from the precomputed security models (security model calculation time), and $t_C$ is the time required to apply a countermeasure to one host (countermeasure time).

Given the definitions above, comparisons between the attack time and the response time can be illustrated as follows.

Example 1. Figure 5(b) shows the case $t_R = t_A$. The loss node is VM2 and the action node is SW1. Assuming that both the cost of damage from the attack and the cost of the action are 100, the total cost is 200.

[Figure 4: An AG of the SDN. The attacker A reaches VM1, VM2, and VM3; each VM node carries its vulnerabilities (e.g., VM1.V1, VM1.V2, VM1.V2′), the switches carry SW1.V1, SW2.V1, and SW3.V1, and the target is VM6. Legend: vulnerability, VM, reachability.]

[Figure 5 (a): attack detected at VM2, with the attacker A at VM2 and SW1, SW2, SW3 and VM1 to VM6 shown. Figure 5 (b): the flow table blocks VM2. The caption and panel (c) follow below.]

Example 2. Figure 6(b) shows the case $t_R = 2 \times t_A$. The loss nodes are VM2 and SW1, and the action nodes are SW2 and SW3. Assuming that both the cost of damage from the attack and the cost of the action are 100, the total cost is 400.

If $t_R$ is less than $t_A$, the defender can take immediate action on the detected node. In reality this is not always the case, so the attacker has extra time to continue compromising nodes in the SDN. We use $k$ to represent the attacker's progress: it is the number of SDN nodes the attacker may have compromised beyond the detection point (i.e., a predictive estimate of the attacker's progress). Hence, the defender must take action on the nodes up to $k$ hops away when the condition of equation (6) is satisfied. For example, if $t_R$ and $t_A$ are the same, then $k$ is 1, and the defender takes action on the nodes 1 hop away. Using Algorithm 1, the defender selects the nodes to act on.

[Figure 5 (c): the full AG after the countermeasure is applied, with the remaining paths from A through VM1 and VM3 over SW1, SW2, SW3 and VM4, VM5 to VM6.]
Figure 5: Attack detection and countermeasure without detection delay. (a) Attack detection at VM2. (b) Applying the flow table to block VM2. (c) Full AG after the countermeasure is applied.

[Figure 6 (a): attack detected at VM2 while the attacker's expected location is SW1. (b) The flow table blocks VM2 and SW1. (c) The full AG after the countermeasure is applied, with the remaining paths from A through VM1 over SW2 and SW3 to VM4, VM5, and VM6.]
Figure 6: Attack detection and countermeasure with detection delay. (a) Attack detection at VM2. (b) Applying the flow table to block VM2 and SW1. (c) Full AG after the countermeasure is applied.

$$k \times t_A \le t_R < (k + 1) \times t_A \tag{6}$$

Countermeasures should be applied as soon as possible to minimize the loss to the entire system. If $t_D$ and $t_C$ in $t_R$ cannot be reduced, $t_S$ should be reduced. Rather than calculating the security model in real time when an attack occurs, $t_S$ can be reduced by searching for and applying the model that matches the current situation among the precomputed security models.

4. Precomputation and Attack Prediction for Security Assessment

This section introduces the precomputation of attack scenarios and the prediction of attack scenarios that takes into account delays in attack detection. We precompute the attack scenarios in order to reduce the time taken to evaluate them, and we propose an attack scenario prediction method that accounts for the delays observed in attack detection mechanisms, to enhance the SDN's defense capabilities. The generation of both the full graph and the HARM can be found in [17].

4.1. Full Graph. Assessing the security of the SDN in real time with existing graphical security models faces a scalability problem, as discussed in Section 7. To address this, we precompute all possible attack scenarios using a full AG. By precomputing all possible attack scenarios offline, we can reuse this information in real time when necessary. The full AG represents all possible attack paths, and Algorithm 2 generates it. The inputs are the AG, the attacker's location, and the target node; the algorithm then searches for all possible attack paths of the given attack scenario. With the attacker outside the SDN and VM6 as the target, the full AG of the example SDN is shown in Figure 7. For simplicity, only the attack paths over the VMs are drawn, as the size of the full AG grows exponentially relative to the AG above.

4.2. HARM. The full AG above is used for fast real-time security assessment of particular attack scenarios. However, enumerating all possible attack scenarios for a security overview of the SDN is not scalable. Instead, we use the HARM [17] to assess the security of the SDN in a more scalable manner. The HARM models the network nodes and their vulnerabilities on separate layers and uses the hierarchy to reduce the complexity. We generate a 2-HARM (a two-layered HARM) of the example SDN, as shown in Figure 8. The formalism of the 2-HARM is as follows.

Definition 4. The two-layered HARM is defined as a 3-tuple $H = (U, L, M)$. Here $U$ is the AG of the upper layer, $L$ is the set of ATs of the lower layer, and $M$ is the mapping between the upper-layer components and the lower-layer components, described by $M: U \to L$. Each host in the upper layer may have a corresponding AT in the lower layer.

The upper layer of the HARM uses the AG to represent the reachability between the nodes in the SDN (i.e., the VMs and the switches). Hence, we define $U$ as follows.

Definition 5. An AG in the upper layer of the HARM is defined as a 2-tuple $U = (N, E)$, where $N$ is a finite set of nodes in the SDN and $E \subseteq N \times N$ is a set of edges, where a pair of nodes $(n_i, n_j) \in E$ denotes that $n_j$ is reachable from $n_i$.

The lower layer of the HARM is a set of attack trees (ATs) [29], where each AT represents the vulnerability information of one upper-layer node of the HARM (i.e., an SDN node). We define each $L$ in the lower layer of the HARM as follows.

Definition 6. An AT in the lower layer of the HARM is defined as a 5-tuple $L = (A, B, c, g, root)$, where $A$ is a finite set of vulnerabilities and $B$ is the set of gates, which are the inner nodes of $L$. We require $A \cap B = \emptyset$ and $root \in A \cup B$. The function $c: B \to \mathcal{P}(A \cup B)$ gives the children of each inner node of the AT (we assume there are no cycles), and the function $g: B \to \{AND, OR\}$ gives the type of each gate.

procedure RNS(AG_SDN, N_D, t_A, t_R)
    if t_A > t_R then
        Send N_D to Reconfiguration Module
    else
        for all E from N_D to N_i do
            RNS(AG_SDN, N_i, t_A, t_R − t_A)
        end for
    end if
end procedure

ALGORITHM 1: Response node selection algorithm.

procedure fullAG(AG, N_cr, N_tg)
    Mark N_cr visited
    Stack.push(N_cr)
    if N_cr = N_tg then
        Return Stack
    else if Sizeof(E_Ncr) ≠ 0 then
        for i ⟵ 0 to Sizeof(E_Ncr) in AG do
            N_next ⟵ destination of E_Ncr,i
            if N_next is uniquely aligned then
                fullAG(AG, N_next, N_tg)
            end if
        end for
    else
        Stack.clear
    end if
end procedure

ALGORITHM 2: Algorithm to generate a full AG.
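The two algorithms above, implemented in Python over the upper-layer attack graph listed in Example 4. This is an added example, not code from the paper: the tuple representation of edges, the function names, the treatment of t_A (attack time per hop) and t_R (response time) as plain numbers in one time unit, and the handling of a node with no outgoing edges are this example's own conventions.

```python
"""Full attack graph generation (Algorithm 2) and response node selection
(Algorithm 1) over the example SDN's upper-layer AG.

Added example, not the paper's code. Edge list is AG_SDN from Example 4.
"""
from collections import defaultdict

# Upper-layer AG from Example 4: attacker A outside the SDN, target VM6.
AG_EDGES = [
    ("A", "VM1"), ("A", "VM2"), ("A", "VM3"),
    ("VM1", "SW1"), ("VM2", "SW1"), ("VM3", "SW1"), ("VM1", "SW2"),
    ("SW1", "SW2"), ("SW1", "VM5"), ("SW2", "VM4"), ("SW2", "VM5"),
    ("SW2", "SW3"), ("VM4", "SW3"), ("VM5", "SW3"), ("SW3", "VM6"),
]


def successors(edges):
    """Adjacency map: node -> nodes reachable over one edge."""
    succ = defaultdict(list)
    for src, dst in edges:
        succ[src].append(dst)
    return succ


def full_ag(edges, attacker, target):
    """Algorithm 2: every simple attack path from `attacker` to `target`.

    The DFS stack holds the path under exploration. A successor is followed
    only when it is not already on the stack (the 'uniquely aligned' test),
    so no path revisits a node; reaching the target records a copy of the
    stack. Popping on the way back keeps the siblings of a dead end alive.
    """
    succ = successors(edges)
    paths = []
    stack = [attacker]

    def visit(node):
        if node == target:
            paths.append(list(stack))
            return
        for nxt in succ.get(node, []):
            if nxt not in stack:
                stack.append(nxt)
                visit(nxt)
                stack.pop()

    visit(attacker)
    return paths


def response_nodes(edges, detected, t_attack, t_response):
    """Algorithm 1: the nodes handed to the reconfiguration module.

    From the node where the intrusion was detected, every hop the attacker
    could have taken during the response delay costs t_attack out of
    t_response. A node is selected once the remaining budget no longer
    covers one more hop. A node without outgoing edges is selected too
    (this example's addition; the paper's pseudocode leaves that case
    open), so a budget longer than the path still yields the target.
    """
    succ = successors(edges)
    selected = set()

    def rns(node, t_left):
        next_nodes = succ.get(node, [])
        if t_attack > t_left or not next_nodes:
            selected.add(node)
            return
        for nxt in next_nodes:
            rns(nxt, t_left - t_attack)

    rns(detected, t_response)
    return selected


if __name__ == "__main__":
    print(len(full_ag(AG_EDGES, "A", "VM6")), "attack paths A -> VM6")
    for t_r in (0.5, 1.5, 2.5):
        print("t_R =", t_r, "->", sorted(response_nodes(AG_EDGES, "VM1", 1.0, t_r)))
```

With the Example 4 graph the enumeration yields 15 paths, one per VM6 leaf in Figure 7. For an intrusion detected at VM1 with t_A = 1, a response time below one hop selects VM1 itself, 1.5 hops selects SW1 and SW2, and 2.5 hops selects the nodes two hops out (SW2, VM4, VM5, SW3), which is the behaviour Section 5.1 exercises with 1-, 2- and 3-hop blocking.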


The representation of the attack tree L_n associated to the host n ∈ N is as follows:

L_n: A ⊆ n.vuls (7)

This means that the vulnerabilities of a node are combined using logical AND and OR gates.

Given the definitions above, the example SDN in the form of the HARM can be represented as follows.

Example 3 (The Upper and Lower Layer Mapping). Figure 8 shows the HARM of the SDN. The HARM for the given SDN model is H = (U, L, M), where U and L are the AG and the set of

Figure 7: A full AG of the SDN. The tree unfolds every attack path from the attacker A through VM1–VM5 and SW1–SW3 to the target VM6, with one VM6 leaf per path (15 leaves).

Figure 8: A HARM of the SDN in Figure 4. Upper layer: the AG from the attacker A to the target VM6 over VM1–VM6 and SW1–SW3, each node annotated with its compromise probability (values legible in the figure include 0.971, 0.943, 0.539, and 0.387). Lower layer: one attack tree per node, rooted at root, whose leaves are vulnerabilities labelled with a CVE year–number pair and a probability (legible leaves: 2013–0013 (0.58), 2012–0001 (0.93), 2012–4546 (0.43), 2012–4002 (0.90), 2012–2131 (0.75), and OpenFlow control (0.75)).


ATs in the upper and the lower layer, and M: U ⟶ L is a one-to-one mapping of the upper layer U to the corresponding lower layer L.

Example 4 (The Upper Layer). The AG shown in Figure 8 is a directed graph AG_SDN = (N_SDN, E_SDN), where N_SDN = {A, VM1, VM2, VM3, VM4, VM5, VM6, SW1, SW2, SW3} and E_SDN = {(A, VM1), (A, VM2), (A, VM3), (VM1, SW1), (VM2, SW1), (VM3, SW1), (VM1, SW2), (SW1, SW2), (SW1, VM5), (SW2, VM4), (SW2, VM5), (SW2, SW3), (VM4, SW3), (VM5, SW3), (SW3, VM6)}.

Example 5 (The Lower Layer). The ATs in the lower layer are shown in Figure 8. The set of conditions required to compromise VM1 is given by L_VM1 = (A_VM1, B_VM1, c_VM1, g_VM1, root_VM1), where A_VM1 = {WV1, WV2, WV2′} is the set of components which are the leaves (vulnerabilities), B_VM1 = {AND1, OR1}, c(AND1) = {WV1, WV2′}, c(OR1) = {AND1, WV2}, g_VM1(root_VM1) = OR1, and root_VM1 = root, root ∈ A_VM1 ∪ B_VM1.

5. Result and Analysis

In this section, we investigate the effectiveness of using a full AG for precomputation, taking into account various security metrics. Regardless of which model we use, the security metric computed will be the same. Since both the full AG and the HARM compute the same metric values, we do not explicitly present those results in this paper.

First, we look at changes in security metrics with and without deploying countermeasures, where we change the flow table rules to block attack paths up to three steps, in Section 5.1. Then, we conduct simulations to investigate the performance difference between computing an AG used in the HARM and a full AG for precomputation in Section 5.3.

5.1. Change in Security Metrics. For this experiment, we use the example SDN shown in Figure 3 as our experimental testbed. In this system, the service is not available unless a packet is sent to the database. So we assume that the network administrator cannot change the flow table rules of SW3 and VM6 due to system constraints (i.e., they need to be functional to continuously provide the SDN service). To ensure operability, we extend this assumption such that at least one connection path exists through which users' requests can be handled. Although modifying flows can affect the performance of the SDN, we only consider the minimal cost to enhance the security of the SDN in this paper (i.e., the minimum number of flow changes for maximized security). For example, an alternative flow path can be used to continue delivering the service, but it may create a bottleneck effect if the traffic is not managed carefully. We will investigate the trade-off between enhancing security and degrading the network performance in our future work.

First, we investigate the change in security when predicting a potential attack in 1-hop, and then we measure the change in the probability of attack success and the system risk. The result is shown in Figure 9, which shows that blocking the 1-hop flows at SW1 or SW2 minimizes the probability and the risk more than blocking at the other nodes.

On the other hand, if the detection of an attack was delayed, we need to consider further steps in order to mitigate the attack. So we also look at 2-hop flow blocking of nodes, where the combinations are shown in Table 3. The result is shown in Figure 10, which shows a similar result to the 1-hop blocking (i.e., the best practice is to block flow through SW1 or SW2). However, we observe that the importance of nodes for defense has changed (i.e., the priorities to secure SDN components can vary when the number of hops changes). For instance, blocking the flow through VM2 and SW2 can also achieve a similar effect, whereas VM2 in the 1-hop analysis was significantly worse.

Lastly, we look at the 3-hop flow blocking. Table 4 shows the combinations of three nodes whose flows are to be blocked. With the given attack scenario, we have 21 possible combinations of nodes out of the maximum number of 35. Figure 11 shows the result, where three conditions that include SW2 minimized the probability of attack success and the system risk, but only one condition that includes SW1. This indicates that we look into various attack paths as well as the importance of nodes. In conclusion, we observe that our proposed solution has identified SW2 as the most important SDN component to secure. In general, the most vulnerable node or the node with many connections to other nodes in the network can be the most important node. Another method of analyzing the importance of nodes is the network centrality measure [30]. For the running example, it is easy to pick it out by inspection, but when the SDN becomes larger and more complex, this can still be done easily using the proposed solution, whereas it would be near impossible and impractical by human effort.
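One way to put the 2-HARM of Definitions 4 to 6 (with the AG of Example 4 and the VM1 attack tree of Example 5) to work for the flow-blocking experiment of this section, as an added example rather than the paper's own code. The excerpt does not define the gate semantics or the PAS and risk metrics, so the block assumes the usual ones: an AND gate is the product of its children's probabilities, an OR gate is 1 minus the product of their failure probabilities, PAS is the highest path probability from attacker to target, and risk is the sum over attack paths of path probability times the target's impact. All leaf probabilities, the impact value, and the probabilities of every node except VM1 are constructed values; the operability constraint (SW3 and VM6 stay functional, at least one path remains) is the one stated above.

```python
"""Two-layered HARM evaluation (Definitions 4-6, Examples 4 and 5) and the
flow-blocking search of Section 5.1. Added example, not the paper's code.
Assumed semantics (the excerpt does not define them): AND gate = product of
child probabilities; OR gate = 1 - product of child failure probabilities;
PAS = highest path probability from attacker to target; risk = sum over
attack paths of path probability times the target's impact. Leaf
probabilities, the impact and all node probabilities except VM1's are
constructed values."""
from itertools import combinations
from math import prod


# ---- Lower layer: attack trees (Definition 6) ----------------------------
def at_probability(node, children, gates, leaf_prob):
    """Probability that the subtree rooted at `node` is satisfied."""
    if node in leaf_prob:                       # a vulnerability leaf in A
        return leaf_prob[node]
    child_p = [at_probability(c, children, gates, leaf_prob) for c in children[node]]
    if gates[node] == "AND":                    # every child must succeed
        return prod(child_p)
    if gates[node] == "OR":                     # any one child suffices
        return 1.0 - prod(1.0 - x for x in child_p)
    raise ValueError(f"unknown gate type for {node}: {gates[node]}")


# L_VM1 from Example 5: c(OR1) = {AND1, WV2}, c(AND1) = {WV1, WV2'}, root = OR1.
VM1_CHILDREN = {"OR1": ["AND1", "WV2"], "AND1": ["WV1", "WV2'"]}
VM1_GATES = {"OR1": "OR", "AND1": "AND"}
VM1_LEAF_PROB = {"WV1": 0.9, "WV2": 0.6, "WV2'": 0.5}     # constructed


def vm1_probability():
    """Compromise probability of VM1 derived from its attack tree."""
    return at_probability("OR1", VM1_CHILDREN, VM1_GATES, VM1_LEAF_PROB)


# ---- Upper layer: AG_SDN from Example 4; M: U -> L reduced to one
# probability per node (VM1 from its AT, the rest constructed) ------------
AG_EDGES = [
    ("A", "VM1"), ("A", "VM2"), ("A", "VM3"),
    ("VM1", "SW1"), ("VM2", "SW1"), ("VM3", "SW1"), ("VM1", "SW2"),
    ("SW1", "SW2"), ("SW1", "VM5"), ("SW2", "VM4"), ("SW2", "VM5"),
    ("SW2", "SW3"), ("VM4", "SW3"), ("VM5", "SW3"), ("SW3", "VM6"),
]
NODE_PROB = {"A": 1.0, "VM1": vm1_probability(), "VM2": 0.9, "VM3": 0.7,
             "VM4": 0.6, "VM5": 0.8, "VM6": 0.9, "SW1": 0.75, "SW2": 0.75,
             "SW3": 0.75}
TARGET_IMPACT = 100.0                           # constructed


def metrics(edges, node_prob, source, target, blocked=frozenset()):
    """Return (PAS, number of attack paths, risk) from source to target.

    Nodes in `blocked` count as removed, as when their flows are dropped from
    the flow table. No path list is built: a memoised walk over the acyclic
    AG carries the best and the summed probability of every suffix.
    """
    succ = {}
    for src, dst in edges:
        succ.setdefault(src, []).append(dst)
    memo, on_stack = {}, set()

    def suffix(node):           # (best prob, #paths, summed prob) node..target
        if node in blocked:
            return 0.0, 0, 0.0
        if node == target:
            return node_prob[node], 1, node_prob[node]
        if node in memo:
            return memo[node]
        if node in on_stack:
            raise ValueError("the upper-layer AG must be acyclic")
        on_stack.add(node)
        best, count, total = 0.0, 0, 0.0
        for nxt in succ.get(node, []):
            b, c, t = suffix(nxt)
            best, count, total = max(best, b), count + c, total + t
        on_stack.discard(node)
        memo[node] = (node_prob[node] * best, count, node_prob[node] * total)
        return memo[node]

    pas, count, total = suffix(source)
    return pas, count, total * TARGET_IMPACT


# ---- Section 5.1: flow blocking; SW3 and VM6 must stay functional --------
BLOCKABLE = ["VM1", "VM2", "VM3", "VM4", "VM5", "SW1", "SW2"]


def block_conditions(k):
    """k-node combinations that leave at least one attack path open (the
    operability constraint); yields Tables 3 and 4 for k = 2 and k = 3."""
    return [combo for combo in combinations(BLOCKABLE, k)
            if metrics(AG_EDGES, NODE_PROB, "A", "VM6", frozenset(combo))[1] > 0]


def best_block(k):
    """Block condition of size k with the lowest PAS, ties broken by risk."""
    scored = []
    for combo in block_conditions(k):
        pas, _, risk = metrics(AG_EDGES, NODE_PROB, "A", "VM6", frozenset(combo))
        scored.append(((pas, risk), combo))
    (pas, risk), combo = min(scored)
    return combo, pas, risk
```

Running `block_conditions(2)` and `block_conditions(3)` on the Example 4 graph returns 18 and 21 combinations, the same counts as Tables 3 and 4 (the three pairs missing from Table 3, VM1+SW1, VM5+SW2 and SW1+SW2, are exactly the ones that cut every path to VM6). `best_block(k)` ranks the surviving conditions by PAS and then risk, which is the comparison Figures 9 to 11 plot; with other node probabilities the ranking changes, which is the point the text makes about node importance depending on the hop count.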

5.2. Numerical Sensitivity Analysis. The slower the response to an attack, the more attackers can attack the node. This results in more loss to the system. We conducted an experiment to compare the losses incurred in the system with the costs required to take action in response time. Since loss cost and cost of action cannot be defined objectively, the sensitivity analysis methodology was applied. In this experiment, we calculated loss and response costs based on detection time and attack time when an attacker successfully attacked VM2.

In the first experiment, we applied a sensitivity analysis to the loss cost. The corresponding response cost was fixed at 100, and the loss cost increased from 0 to 500. In each case, the total cost of ownership was calculated. Figure 12(a) shows the experimental result. As the response time becomes slower than the attack time, the total cost is higher.

Second, we applied a sensitivity analysis to the response costs. The loss cost was fixed at 100, and the corresponding response cost was increased from 0 to 500. As in the previous experiment, we calculated the total cost for each case. The experimental results show that the total cost of ownership varies depending on the situation, as in Figure 12(b). If a defender defends a node that is far from the compromised node, loss cost may occur at a node with a relatively short distance. However, if the cost of response is greater than the cost of loss, taking action on multiple nodes significantly increases the total cost of ownership. In this case, taking action on one node that is farther away, even if the loss is considered, may be a way to save on the total cost of ownership.

5.3. Simulation. To investigate the performance of precomputing the full AG in comparison to the AG, we simulate the generation and evaluation time. The precomputation of the full AG is important, as it reduces the security evaluation time for real-time mitigation while it is also used for attack prediction. As increasing the number of nodes puts both the AG and the full AG in an exponential time complexity [16], we focus on generation and evaluation when certain node flows are blocked, as shown in Table 5.

The comparison results are shown in Figure 13; it shows that the full AG outperforms the AG in terms of evaluation time for all the conditions. This indicates that real-time security assessment for a large-sized SDN (or any other general network) using the AG may not be feasible [17], and that precomputing all possible attack paths using the full AG is more efficient. It is also more efficient to utilize more scalable security models such as the HARM.

6. Discussion and Limitations

6.1. Scalability. The framework provides an approach to assessing the security of SDN and applying countermeasures to the system using a security model for real-time

Figure 9: Block one node vs. security metrics. x-axis: the initial SDN and the node blocked using the flow table (VM1, VM2, VM3, VM4, VM5, SW1, or SW2); PAS plotted on a 0–1 axis and risk on a 0–1000 axis.

Table 3: A set of two-node block conditions.

ID    Nodes
C1    VM1, VM2
C2    VM1, VM3
C3    VM1, VM4
C4    VM1, VM5
C5    VM1, SW2
C6    VM2, VM3
C7    VM2, VM4
C8    VM2, VM5
C9    VM2, SW1
C10   VM2, SW2
C11   VM3, VM4
C12   VM3, VM5
C13   VM3, SW1
C14   VM3, SW2
C15   VM4, VM5
C16   VM4, SW1
C17   VM4, SW2
C18   VM5, SW1

Figure 10: Block two nodes vs. security metrics. x-axis: the initial SDN and the block conditions C1–C18 of Table 3 applied using the flow table; PAS plotted on a 0–1 axis and risk on a 0–1000 axis.

Table 4: A set of three-node block conditions.

ID    Nodes
C1    VM1, VM2, VM4
C2    VM1, VM2, VM5
C3    VM1, VM2, SW2
C4    VM1, VM3, VM4
C5    VM1, VM3, VM5
C6    VM1, VM3, SW2
C7    VM1, VM4, VM5
C8    VM1, VM4, SW2
C9    VM2, VM3, VM4
C10   VM2, VM3, VM5
C11   VM2, VM3, SW1
C12   VM2, VM3, SW2
C13   VM2, VM4, VM5
C14   VM2, VM4, SW1
C15   VM2, VM4, SW2
C16   VM2, VM5, SW1
C17   VM3, VM4, VM5
C18   VM3, VM4, SW1
C19   VM3, VM4, SW2
C20   VM3, VM5, SW1
C21   VM4, VM5, SW1


intrusion responses. However, the security model has scalability issues. In our future work, we will consider improving the performance of security modeling and analysis for the SDN, as we face an exponential time complexity when the number of nodes in the SDN increases.

6.2. SDN Attack Surface. Furthermore, we use the network devices that exist in the data plane for security modeling. However, SDN has a variety of components and threat vectors in addition to the data plane. Accordingly, we will incorporate the control plane and the SDN controller in the model in order to assess the security posture of the whole life-cycle of the SDN. In addition, the network may normally have an internal attacker, but we only used scenarios in which the attacker would always break in from the outside. We can deal with internal attackers in our future work.

Figure 11: Block three nodes vs. security metrics. x-axis: the initial SDN and the block conditions C1–C21 of Table 4 applied using the flow table; PAS plotted on a 0–1 axis and risk on a 0–1000 axis.

Figure 12: Cost sensitivity analysis. (a) Loss cost vs. total cost (loss cost 0–500 on the x-axis, total cost 0–3500 on the y-axis). (b) Response cost vs. total cost (response cost 0–500 on the x-axis, total cost 0–1400 on the y-axis). Each panel plots five curves: t_R < t_A, t_R = t_A, t_R = 2t_A, t_R = 3t_A, and t_R = 4t_A.

Table 5: A set of conditions that include specific node(s).

ID    Nodes
C1    VM1
C2    SW2
C3    VM1, SW2
C4    VM4, SW1
C5    VM2, VM4, SW2
C6    VM3, VM5, SW1


6.3. Evaluation Correctness of Different Vulnerabilities. In this paper, we removed the assumption that an IDS may not work in real time and also that the detection rate may not be 100%. This is more realistic, as an attack which was detected at the entry point but progressed to install a backdoor on a user's computer may not be mitigated effectively by only enhancing the entry point vulnerability. As such, we go beyond securing the point of detection and evaluate the possible extensions of the damage. However, we did not explicitly evaluate the effects of the different vulnerabilities present, where some system settings may be mitigated well by securing the detection point (e.g., security by design). As we only focused on the usefulness of precomputation, we will investigate the impact of secure design in the context of our work in the future.

6.4. Multiple Attackers. In this paper, we focused only on a single-attacker version, but in reality there can be multiple attackers trying to exploit the SDN via various entry routes. However, because we already precomputed all possible attack paths and the IDSes are working in real time, our attack response module only has to make sure that different attackers are differentiated when formulating countermeasures. In this way, our proposed solution can mitigate multiple attackers even when they exploit different attack surfaces. On the other hand, we only handled targeted attacks. Therefore, volume-based attacks such as DDoS are not appropriately addressed by our solution. We will investigate mitigation schemes for volume-based attacks in the SDN in our future work.

6.5. Network Topology Changes. In this paper, we changed the network flow to respond to the attack when it occurred. However, the network topology of an SDN can be dynamic. Therefore, when the model changes, it is necessary to redo the precomputation of the changed model. This could be a solution similar to the MTD in response to an attack [5]. In our future work, we will investigate the application of precomputation to changing models.

7. Related Work

7.1. General SDN Security. Various security issues related to the SDN have been studied previously [1, 31–34]. Kreutz et al. [6] presented new threat vectors of the SDN that were not present in traditional networks. They also provided some potential solutions to mitigate the threats they identified. However, they do not specify the means to evaluate those threats. We aim to provide solutions to some of these problems in this paper. Shin et al. [35] presented a framework named FRESCO, which enhances the security of the OpenFlow protocol for the SDN, allowing them to detect and mitigate attacks. This work shows that SDN components such as SDN switches are prone to cyber attacks. Porras et al. [36] presented SE-Floodlight, an extension to the widely used OpenFlow Floodlight Controller, to provide additional security features to protect the control plane of the SDN. Our paper aims to leverage these technologies and provide a comprehensive security analysis of the SDN.

7.2. Intrusion Detection in SDN. An intrusion is defined as a successfully carried out attack, including any malicious behavior in the system. Intrusion detection is an activity to detect such intrusions. It is ideal to detect all intrusions with 100% accuracy, but in practice this is infeasible. Because intrusion detection is not perfect, there are always false alarms, characterized by true-positive and false-positive rates. Several types of research have been conducted on attack detection in the SDN environment. Dhawan et al. [25] proposed SPHINX, a framework to detect attacks on network topology and data plane forwarding. Braga et al. [26] proposed a lightweight method for detecting DDoS attacks based on traffic flow capabilities. Giotis et al. [27] presented how to apply SDN for distributed denial of service (DDoS) mitigation by using the OpenFlow protocol as a means to enhance the legacy Remote Triggered Black-Hole (RTBH). And in [28], they performed anomaly detection and mitigation in the SDN architecture through an efficient and scalable mechanism. Although not perfect, we can leverage these techniques to detect intrusions in the SDN, which can be used to formulate optimal countermeasures using the HARM.

7.3. Security Modeling for SDN. For security modeling and analysis, Chung et al. [37] presented NICE, a network intrusion detection and countermeasure selection framework. The core of this framework is using an AG to evaluate the security. However, there are limitations to using an AG due to its scalability issues. Similarly, many of the existing graphical security models, as described in [10, 11], suffer from scalability and adaptability problems [5]. Typically, the scalability problem arises when these models have real-time constraints. In order to address this issue, our approach is to precompute attack scenarios in advance and use them

Figure 13: Specific node(s) vs. security evaluation time. x-axis: the initial SDN and the conditions C1–C6 of Table 5; y-axis: security evaluation time in ms (0–50); two series, attack graph and full attack graph.


where necessary. Hence, we propose to use a full AG, as presented in [18], to generate all possible attack paths in the precomputation. Moreover, we also use the HARM [17], which supports scalable and adaptable security modeling and analysis. By precomputing all possible attack paths, we can quickly evaluate the security posture of the SDN when an intrusion is detected and formulate effective countermeasures in real time.

8. Conclusion

SDN provides functionalities that can dynamically control the network flow, enabling a more robust and economical way of managing network communications. However, it also introduced new vulnerabilities and attack vectors that were not present previously. As a result, many have proposed security solutions to strengthen the SDN against cyber attacks. Nevertheless, there is still a lack of security modeling and analysis for SDN that enables a system administrator to have a systematic security overview of the SDN.

In this paper, we proposed a security modeling and analysis framework with precomputation for the SDN to formulate countermeasures in real time. The precomputation method was used for the AG, the full AG, and the HARM to generate attack scenarios of the current SDN, which can then be used in conjunction with the IDS and correlated with the precomputed attack scenarios. Further, the precomputed models can be used for predicting potential attacks in case the detection mechanisms are delayed. To verify, we carried out experimental analysis on the SDN testbed and simulations, which showed that our proposed approaches would be practical and effective in the SDN to defend against an ongoing attack in real time.

Data Availability

The vulnerability data used to support the findings of this study are included within the article.

Conflicts of Interest

The authors declare that they have no conflicts of interest.

References

[1] G. Stabler, A. Rosen, S. Goasguen, and K.-C. Wang, "Elastic IP and security groups implementation using OpenFlow," in Proceedings of the 6th International Workshop on Virtualization Technologies in Distributed Computing Date, ser. VTDC '12, pp. 53–60, ACM, New York, NY, USA, 2012.

[2] D. Kreutz, F. M. V. Ramos, P. Veríssimo, C. E. Rothenberg, S. Azodolmolky, and S. Uhlig, "Software-defined networking: a comprehensive survey," Proceedings of the IEEE, vol. 103, no. 1, p. 63, 2015.

[3] M. Tariq, B. Koldehofe, S. Bhowmik, and K. Rothermel, "PLEROMA: A SDN-based high performance publish/subscribe middleware," in Proceedings of the 15th International Middleware Conference (Middleware 2014), pp. 217–228, ACM, New York, NY, USA, 2014.

[4] J. Jafarian, E. Al-Shaer, and Q. Duan, "OpenFlow random host mutation: transparent moving target defense using software defined networking," in Proc. of the 1st Workshop on Hot Topics in Software Defined Networks (HotSDN 2012), pp. 127–132, ACM, New York, NY, USA, 2012.

[5] J. B. Hong and D. S. Kim, "Assessing the effectiveness of moving target defenses using security models," IEEE Transactions on Dependable and Secure Computing, vol. 13, no. 2, pp. 163–177, 2016.

[6] D. Kreutz, F. M. Ramos, and P. Verissimo, "Towards secure and dependable software-defined networks," in Proceedings of the Second ACM SIGCOMM Workshop on Hot Topics in Software Defined Networking, ser. HotSDN '13, pp. 55–60, ACM, New York, NY, USA, 2013.

[7] S. Lee, C. Yoon, C. Lee, S. Shin, V. Yegneswaran, and P. A. Porras, "Delta: a security assessment framework for software-defined networks," in Proceedings of the 2017 Network and Distributed System Security Symposium, San Diego, CA, USA, March 2017.

[8] S. Lee, J. Kim, S. Shin, P. Porras, and V. Yegneswaran, "Athena: A framework for scalable anomaly detection in software-defined networks," in Proceedings of the 2017 47th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN), pp. 249–260, Denver, CO, USA, June 2017.

[9] S. Nanda, F. Zafari, C. DeCusatis, E. Wedaa, and B. Yang, "Predicting network attack patterns in SDN using machine learning approach," in Proceedings of the 2016 IEEE Conference on Network Function Virtualization and Software Defined Networks (NFV-SDN), pp. 167–172, Palo Alto, CA, USA, November 2016.

[10] B. Kordy, L. Piètre-Cambacédès, and P. Schweitzer, "DAG-based attack and defense modeling: don't miss the forest for the attack trees," Computer Science Review, vol. 13-14, pp. 1–38, 2014.

[11] J. B. Hong, D. S. Kim, C.-J. Chung, and D. Huang, "A survey on the usability and practical applications of graphical security models," Computer Science Review, vol. 26, pp. 1–16, 2017.

[12] H. Xu, J. Su, X. Zong, and L. Yan, "Attack identification for software-defined networking based on attack trees and extension innovation methods," in Proceedings of the 2017 9th IEEE International Conference on Intelligent Data Acquisition and Advanced Computing Systems: Technology and Applications (IDAACS), vol. 1, pp. 485–489, Bucharest, Romania, September 2017.

[13] L. Yao, P. Dong, T. Zheng, H. Zhang, X. Du, and M. Guizani, "Network security analyzing and modeling based on Petri net and attack tree for SDN," in Proceedings of the 2016 International Conference on Computing, Networking and Communications (ICNC), pp. 1–5, Kauai, HI, USA, February 2016.

[14] A. Roy, D. Kim, and K. Trivedi, "Scalable optimal countermeasure selection using implicit enumeration on attack countermeasure trees," in Proceedings of the 42nd Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN 2012), pp. 1–12, IEEE Computer Society, Los Alamitos, CA, USA, June 2012.

[15] J. Hong and D. Kim, "Performance analysis of scalable attack representation models," in Security and Privacy Protection in Information Processing Systems (SEC 2013), L. Janczewski, H. Wolfe, and S. Shenoi, Eds., vol. 405, pp. 330–343, Springer, Berlin, Germany, 2013.


[16] R. Lippmann and K. Ingols, "An Annotated Review of Past Papers on Attack Graphs," Technical report ESC-TR-2005-054, MIT Lincoln Laboratory, Lexington, MA, USA, 2005.

[17] J. B. Hong and D. S. Kim, "Towards scalable security analysis using multi-layered security models," Journal of Network and Computer Applications, vol. 75, pp. 156–168, 2016.

[18] K. Ingols, R. Lippmann, and K. Piwowarski, "Practical attack graph generation for network defense," in Proceedings of the 22nd Annual Computer Security Applications Conference (ACSAC 2006), pp. 121–130, Miami Beach, FL, USA, December 2006.

[19] Z. Shu, J. Wan, D. Li, J. Lin, A. V. Vasilakos, and M. Imran, "Security in software-defined networking: threats and countermeasures," Mobile Networks and Applications, vol. 21, no. 5, pp. 764–776, 2016.

[20] M. Albanese, S. Jajodia, and S. Noel, "Time-efficient and cost-effective network hardening using attack graphs," in Proceedings of the 42nd Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN 2012), IEEE Computer Society, Los Alamitos, CA, USA, June 2012.

[21] J. Beale, R. Deraison, H. Meer, R. Temmingh, and C. Walt, NESSUS Project, Syngress Publishing, Burlington, MA, USA, 2002, http://www.nessus.org.

[22] O. Developers, "The open vulnerability assessment system (OpenVAS)," 2012.

[23] J. Hong and D. Kim, "Scalable security model generation and analysis using k-importance measures," in Security and Privacy in Communication Networks (SecureComm 2013), T. Zia, A. Zomaya, V. Varadharajan, and M. Mao, Eds., vol. 127, pp. 270–287, Springer, Berlin, Germany, 2013.

[24] M. Schiffman, G. Eschelbeck, D. Ahmad, A. Wright, and S. Romanosky, CVSS: A Common Vulnerability Scoring System, National Infrastructure Advisory Council (NIAC), 2004.

[25] M. Dhawan, R. Poddar, K. Mahajan, and V. Mann, "SPHINX: detecting security attacks in software-defined networks," in Proceedings of the 2015 Network and Distributed System Security Symposium, vol. 15, pp. 8–11, San Diego, CA, USA, February 2015.

[26] R. Braga, E. M. M. Braga, and A. Passito, "Lightweight DDoS flooding attack detection using NOX/OpenFlow," in Proceedings of the 2010 IEEE 35th Conference on Local Computer Networks, ser. LCN '10, pp. 408–415, IEEE Computer Society, Washington, DC, USA, October 2010.

[27] K. Giotis, G. Androulidakis, and V. Maglaris, "Leveraging SDN for efficient anomaly detection and mitigation on legacy networks," in Proceedings of the 2014 Third European Workshop on Software Defined Networks, ser. EWSDN '14, pp. 85–90, IEEE Computer Society, Washington, DC, USA, September 2014.

[28] K. Giotis, C. Argyropoulos, G. Androulidakis, D. Kalogeras, and V. Maglaris, "Combining OpenFlow and sFlow for an effective and scalable anomaly detection and mitigation mechanism on SDN environments," Computer Networks, vol. 62, pp. 122–136, 2014.

[29] B. Schneier, Secrets and Lies: Digital Security in a Networked World, John Wiley & Sons, Hoboken, NJ, USA, 2000.

[30] J. Hong and D. Kim, "Scalable security analysis in hierarchical attack representation model using centrality measures," in Proceedings of the 43rd Annual IEEE/IFIP International Conference on Dependable Systems and Networks Workshop (DSN-W 2013), pp. 1–8, Budapest, Hungary, June 2013.

[31] N. Gude, T. Koponen, J. Pettit et al., "NOX: towards an operating system for networks," ACM SIGCOMM Computer Communication Review, vol. 38, no. 3, pp. 105–110, 2008.

[32] M. Casado, T. Garfinkel, A. Akella et al., "A protection architecture for enterprise networks," in Proceedings of the 15th Conference on USENIX Security Symposium, Volume 15, ser. USENIX-SS '06, USENIX Association, Berkeley, CA, USA, July 2006.

[33] J. Matias, J. Garay, A. Mendiola, N. Toledo, and E. Jacob, "FlowNAC: flow-based network access control," in Proceedings of the 2014 Third European Workshop on Software Defined Networks, ser. EWSDN '14, pp. 79–84, IEEE Computer Society, Washington, DC, USA, September 2014.

[34] J. B. Guang Yao and P. Xiao, "Source address validation solution with OpenFlow/NOX architecture," in Proceedings of the 2011 19th IEEE International Conference on Network Protocols, pp. 7–12, Vancouver, Canada, October 2011.

[35] S. Shin, P. A. Porras, V. Yegneswaran et al., "Modular composable security services for software-defined networks," in Proceedings of the 20th Annual Network & Distributed System Security Symposium, The Internet Society, San Diego, CA, USA, 2013.

[36] P. Porras, S. Cheung, M. Fong, K. Skinner, and V. Yegneswaran, "Securing the software-defined network control layer," in Proceedings of the 2015 Network and Distributed System Security Symposium (NDSS), San Diego, CA, USA, February 2015.

[37] C.-J. Chung, P. Khatkar, T. Xing, J. Lee, and D. Huang, "NICE: network intrusion detection and countermeasure selection in virtual network systems," IEEE Transactions on Dependable and Secure Computing, vol. 10, no. 4, pp. 198–211, 2013.



environment also requires considering the new SDN components in the security assessment, which were not previously captured and analyzed. In addition, intrusion detection systems may not always detect ongoing attacks in real time, causing a delay between the initiation of an attack and the response. Hence, the attacker could already be within reach of the target, so countermeasure efforts should be focused more on deterring the attacker from reaching the target than on hardening the point of detection. To do this, we must generate and analyze all possible attack paths, which can be used to understand the possible targets the attacker is trying to compromise. However, computing all possible attack paths suffers from scalability and adaptability problems [15, 16]. Therefore, we need a more efficient technique that can evaluate all possible attack paths while taking into account the new SDN components in the security assessment.

To address the aforementioned problems, we propose a precomputation approach with the SDN components incorporated into a graphical security model, namely the hierarchical attack representation model (HARM) [17], to assess the security of the SDN in real time. The precomputed HARM allows us to evaluate all possible attack paths prior to an attack being detected, which can be used to estimate possible attack paths from the point of detection to formulate effective countermeasures. In particular, we use a full AG [18–20] to generate the precomputed attack scenarios for the evaluation. We used an attack scenario in which an attacker tries to break in from the outside to steal data. Once we identified these attack paths, we then take into account the case where the delay of the intrusion detection mechanism is longer than the attack time. The precomputed full AG is used to identify relevant attack paths, which are then evaluated to deploy relevant countermeasures. We further conduct experimental analysis to demonstrate that our proposed approach can effectively trace an attack with delayed detection and mitigate an ongoing attack in real time. The contributions of our paper are summarized as follows:

(i) To conduct security assessment for the SDN that takes into account new SDN components and their associated attack vectors.

(ii) To generate precomputed attack scenarios using a full AG for real-time security assessment and countermeasures in the SDN.

(iii) To propose response and prevention for ongoing intrusions that take into account delays observed in attack detection mechanisms.

(iv) To conduct experimental analysis to demonstrate the feasibility of the proposed approach for mitigating an ongoing attack with delayed detection in the SDN.

The rest of the paper is organized as follows. Section 2 presents the overall framework and flowchart, and the details of how each module works are shown in Section 3. In Section 4, precomputation of attack scenarios and future attack scenario predictions are presented. The experimental analysis is presented in Section 5. The discussion and limitations of this paper are presented in Section 6, and Section 7 presents the related work. Finally, we conclude our paper in Section 8.

2. A Framework for Real-Time Intrusion Response in SDN

To overcome the limitations of IDSes, we propose a precomputed graphical security model (GSM) for real-time intrusion response in SDN. The general steps are described as follows: (1) collect configuration information of the SDN, including security vulnerabilities and node connections/dependencies; (2) input the gathered information to generate the GSM for security assessments; (3) collect intrusion detection data from the SDN; and lastly (4) compute an effective attack response by selecting the optimal countermeasure. The relationships between these steps are shown in Figure 1, with the workflow of our framework presented in Figure 2.

2.1. SDN Configuration. To evaluate the security posture associated with the SDN, we first need to collect the required security information. The two main pieces of information are the vulnerabilities associated with each SDN component and their connectivity/dependency. The vulnerability information can be gathered using various vulnerability scanning tools such as NESSUS [21] and OpenVAS [22]. The component dependencies can be gathered from the flow table and SDN controller settings. This information is then sent to the security modeling and analysis module.

In the SDN, there are also IDSes. Any detected intrusions are forwarded to the intrusion detection module directly. Note that IDSes are typically not placed on all SDN components (e.g., too costly), and therefore the attack scenario can be even more complex and unpredictable in SDNs with very sparse IDSes.

2.2. Security Modeling and Analysis. Using the inputs from the SDN configuration module, we then generate a GSM [10, 11]. For example, the hierarchical attack representation model (HARM) is a scalable and adaptable GSM [17], which we will use in our paper (we have selected to use the HARM for demonstrations, but other GSMs can be used as well; however, the selection of an appropriate GSM to use is out of scope in this paper). GSMs can take into account various security vulnerabilities and compute various attack scenarios associated with different dependencies. However, they still suffer from the scalability problem when the size of the network gets larger. Hence the need for a precomputation technique to achieve the real-time attack response. The precomputed security assessment information is then sent to the attack response module, which will be used when an intrusion is detected.

2.3. Intrusion Detection. The IDSes in the SDN collect the intrusion logs, which are sent to the attack response module. This module processes the raw intrusion detection data and analyzes the attack information (e.g., type of attack) and its associated metadata (e.g., location, time, etc.). Although this module will try its best to detect attacks accurately and fast, we cannot rely on its performance being real time and fully accurate.

2 Security and Communication Networks

2.4. Attack Response. The attack response module is one of our main contributions, where the impact of an attack is evaluated taking into account the intrusions detected and the location of the attack. For instance, if an attack is detected where the subnet contains many vulnerable computers, then the impact may be that one or more of those computers may also be compromised soon after. Consequently, the goal of the attack response module is to reduce the impact of the attack by quickly locating it, estimating the damage, and isolating the attack from its progression.

3. Real-Time Intrusion Response in SDN

3.1. SDN Configuration. To demonstrate the usability of our proposed solution, we take into account a running example as shown in Figure 3. The toy example includes nine nodes in the data plane (i.e., six virtual machines (VMs) and three switches). Table 1 shows the defined flow table in the SDN.

We assume that only the VMs on the web server are connected to the Internet and the attacker is located outside the SDN (i.e., no attackers inside the SDN) (our proposed solution is also applicable for inside attackers as it takes into account both security models and IDSes; however, we initially focus on attackers outside the SDN first). The role of the VMs is to provide services within and to the external users (e.g., an enterprise network setup using the SDN). For example, a user requesting a service will access VM1, VM2, or VM3 located in the web server.

If there is no problem with the system, the system operates as follows. A user sends a request to the system, which requires the data stored in a database (e.g., VM6). To establish this service, a VM in the web server (e.g., VM1) requests the data through a VM in the app server (e.g., VM4) for all valid requests. Then this request gets passed to VM6 for processing. Finally, the requested data get returned to the user through the VMs the request was processed from (e.g., in this instance, through VM1, VM4, and VM6).

There are two redundancy connections, between VM1 and SW2 and between VM5 and SW1, to continue to provide functionalities in the event of an emergency (e.g., a burst in requests or a DDoS attack). However, if the attacker compromises the SDN controller, these redundant connections can be used to form various attack paths. Based on the SDN configurations and settings, the operating system of each node and its vulnerabilities can be found as shown in Table 2. For simplicity, we chose only a few vulnerabilities in the SDN for each node (OS vulnerabilities for VMs and an OpenFlow vulnerability for SDN switches), but all vulnerabilities can be modeled as in [23].

[Figure 1: Framework for real-time intrusion response in SDN. The SDN controller (control plane) hosts four modules: SDN configuration (network/vulnerability information collection, system/network event collection); security modeling and analysis (forwards reachability and model calculation time); intrusion detection (forwards attack information and detection time); and attack response (defense policy enforcement, changing the flow table of the data plane switches that connect VM1 to VM6 on three servers and the Internet).]

[Figure 2: Overall system flowchart. IDS: the attacker attempts to attack and the defender detects the attack; if detection is not perfect, the false alarm rate and the attack detection rate are applied, then the attack detection time (tD) is calculated. Security modeling: if a precomputed security model exists it is searched, otherwise the security model is calculated; the security model configuration time (tS), the countermeasure application time (tC), and the attack time (tA) are calculated. Attack reactor: compare tA with tD + tS + tC; if reconfiguration is possible on all nodes, select a node with tA > tD + tS + tC among all nodes, otherwise among the reconfigurable nodes; then apply the reconfiguration (flow table).]

3.2. Security Modeling and Analysis

3.2.1. Common Vulnerability Scoring System (CVSS). In order to measure the severity of vulnerabilities, we use the CVSS base score (BS) [24]. First, we mention a few key updates to the CVSS BS system. The base vector takes into consideration "User Interaction" and "Privileges Required", a "Physical" metric has been added to the attack vector, confidentiality, integrity, and availability measures are changed from None/Partial/Complete to None/Low/High, and "Access Complexity" has been changed to "Attack Complexity". The following equations are used to compute the CVSS BS metric, which we simply denote as "BS" (as shown in equation (1)); "IM" represents the Impact Metric (as shown in equation (2)) and "E" represents the Exploitability Metric (as shown in equation (3)):

$$BS = (0.6 \times IM + 0.4 \times E - 1.5) \times f(IM) \qquad (1)$$

$$IM = 10.41 \times (1 - (1 - C) \times (1 - I) \times (1 - A)) \qquad (2)$$

$$E = 20 \times AC \times AU \times AV \qquad (3)$$

[Figure 3: Example SDN configuration. Control plane: SDN controller. Data plane: web server (VM1, VM2, VM3), application server (VM4, VM5), database (VM6), and switches SW1, SW2, SW3, with the Internet attached. Legend: SDN control protocol (e.g., OpenFlow), physical/logical connection on the data plane, redundancy connection.]

Table 1: The flow table (Port, Src, and Dst are the match fields)

SW ID | Port | Src | Dst | Action         | Priority
SW1   | 1    | *   | *   | Forward port 2 | 1
SW1   | 2    | *   | VM4 | Forward port 3 | 1
SW1   | 2    | *   | VM5 | Forward port 3 | 1
SW1   | 4    | *   | VM5 | Forward port 5 | 3
SW1   | *    | *   | VM6 | Drop           | 9
SW2   | 1    | *   | *   | Forward port 2 | 1
SW2   | 2    | *   | VM6 | Forward port 3 | 3
SW2   | 4    | VM1 | VM4 | Forward port 2 | 3
SW2   | 4    | VM1 | VM5 | Forward port 2 | 3
SW2   | *    | *   | VM6 | Drop           | 2
SW3   | 1    | *   | VM6 | Forward port 2 | 1

Table 2: Operating system and vulnerabilities in each node

Node | OS           | CVE ID         | CVSS BS | Impact
VM1  | Win 7        | CVE-2013-0013  | 5.8     | 4.9
VM1  | Win 7        | CVE-2012-0001  | 9.3     | 10
VM2  | Win 7        | CVE-2015-0006  | 6.1     | 4.7
VM2  | Win 7        | CVE-2015-1675  | 9.3     | 10
VM3  | Linux        | CVE-2012-4546  | 4.3     | 2.9
VM3  | Linux        | CVE-2014-0100  | 9.3     | 8.2
VM4  | Win 7        | CVE-2017-8495  | 6.0     | 4.8
VM4  | Win 7        | CVE-2017-8717  | 9.3     | 10
VM5  | Linux        | CVE-2015-7312  | 4.4     | 2.9
VM5  | Linux        | CVE-2015-4002  | 9.0     | 8.5
VM6  | Linux        | CVE-2017-0626  | 4.3     | 2.9
VM6  | Linux        | CVE-2017-6264  | 9.3     | 8.2
SW1  | Openflow 2.5 | CVE-2014-5035  | 6.8     | 6.4
SW2  | Openflow 2.7 | CVE-2017-9263  | 6.5     | 6.5
SW3  | Openflow 2.8 | CVE-2017-14970 | 5.9     | 6.8

Based on the risk computation in [5], we utilize the CVSS BS in order to compute the system risk, which is calculated as shown in equation (4) (i.e., the system risk is a factor of the impact and the probability of an attack). In order to compute the system security risk, we need to know the probability of an attack success and the impact. Here, we use the exploitability metric associated with each vulnerability (as shown in Table 2) to represent the probability of an attack success, as in equation (5), and use the impact metric directly from the CVSS:

$$Risk_{Vul} = IM \times P_{attack} \qquad (4)$$

$$P_{attack} = \frac{BS}{10} \qquad (5)$$

3.2.2. Attack Graph for SDN. Here, we describe the AG used to model the SDN, which captures the sequence of vulnerabilities to be exploited to achieve the attack goal. We assume the attack goal is to execute arbitrary code on VM6. First, we define an AG as follows.

Definition 1. An AG is a directed graph $AG = (V, E)$, where $V$ is a finite set of vulnerabilities in the networked system and $E \subseteq V \times V$ is a set of edges, where a pair of vulnerabilities $(v_i, v_j) \mid v_i \in V, v_i \ne v_j$ is a mapping of nodes $v_i \rightarrow v_j$, $\forall\, post(v_i) = pre(v_j)$, such that the postcondition of $v_i$ satisfies the precondition of $v_j$.

Given the definition above, we can generate an AG to map attack scenarios of our example SDN, as shown in Figure 4. Given the model and the system risk calculation steps above, we can compute the system risk associated with our example SDN. For instance, the attacker can exploit vulnerabilities WV1 and WV2, as specified in Table 2, for Windows 7-based VMs. If the attacker exploits the WV1 vulnerability, then $Risk_{WV1}$ is 28.42 (i.e., the impact of 4.9 multiplied by the probability of 5.8). Similarly, $Risk_{WV2} = 93$, $Risk_{LV1} = 12.47$, $Risk_{LV2} = 76.5$, and $Risk_{OFV1} = 43.52$.

3.3. Intrusion Detection. In this section, we take into account the time factor when an attack has been detected. It is possible that an ongoing attack may have progressed further at the time of detection. Therefore, it is important to take into consideration which attack scenarios are important in order to mitigate the attack. Generally, attack detection should consider Bayesian theory, but we assume the attack detection mechanisms in the SDN are correct (e.g., we can use detection mechanisms such as in [25–28]). If we consider Bayesian theory, attack detection is similar to applying the Threshold Random Walk with Credit-Based connection rate limiting (TRW-CB) algorithm in [28]. The detection rate is 92.54%, and the false alarm rate is 7.48%.

Figure 5 shows the detection of an attack success at VM2. Given that the attacker has not yet progressed any further, the SDN administrator can deploy countermeasures. For example, we change the flow table rules to drop all outgoing packets of VM2, disabling any further attacks. Figure 5(b) shows the result of the countermeasure.

However, if we assume that the detection of the attack has been delayed (i.e., the attack is detected after an amount of time t has passed since the actual event of the attack), the attacker would consequently have progressed further from compromising VM2 in our example. This is depicted in Figure 6(a). The attacker has successfully compromised SW1 after compromising VM2, but the attack detection only alerted the SDN administrator to the progress of the attack at VM2. In order to predict its current attack scenario, we use the full AG and focus on all possible attack paths from the given detection point, as shown in Figure 6(c). Using the flow table rule change as the countermeasure, our approach is to limit the attack path up to h hops, where h is the number of hops from the node with the initial attack detection. For example, if we use 2-hop path disabling, then the result is shown as in Figure 6(b). As a result, we are able to disable further attack paths of the attacker, in a trade-off against some loss of SDN functionalities. In conclusion, this shows that we can still maintain some functionalities of the SDN while disabling any potential ongoing attacks. We investigate how security is affected further in Section 5.

3.4. Attack Response. The SDN can manipulate the flow of the data plane using the flow table. Therefore, when an attack occurs in the SDN environment, it is possible to block the attack path by modifying the flow table, in addition to the response methods (e.g., patching a vulnerability) used in the existing network. However, if the response is delayed, the attacker may succeed in exploiting the next target before the defense is implemented. We considered the system loss and the cost of action based on the relationship between the attacker's attack time and the defender's response time. For that, we assume the following. First, the attack detection (IDS) is complete and all nodes can be monitored at the same time. Second, all network flows can be changed using the flow table. Third, the devices or software that make up the SDN are not changed. The attack time and response time that we use follow the definitions below.

Definition 2. Attack time $t_A$ is defined as the time taken for an attacker to succeed in attacking the next host connected to the current location.

Definition 3. Response time is defined as $t_R = t_D + t_S + t_C$. Here, $t_D$ is defined as the time taken to detect an attacker's attack attempt on the host (attack detection time), $t_S$ is defined as the time taken to calculate the security model in real time or to retrieve it from the precomputed security model (security model calculation time), and $t_C$ is defined as the time required to apply a countermeasure to one host (countermeasure time).

Given the above definitions, an example of comparisons between attack time and response time can be expressed as follows.

Example 1. Figure 5(b) shows $t_R = t_A$. The loss node is VM2 and the action node is SW1. Assuming that both the cost of damage from the attack and the cost of the action are 100, the total cost is 200.

[Figure 4: An AG of the SDN. Nodes: an attacker A, the VMs VM1 to VM6 (VM6 is the target), and the vulnerabilities of each node (VM1-V1, VM1-V2, VM1-V2′, ..., VM6-V1, VM6-V2, VM6-V2′, SW1-V1, SW2-V1, SW3-V1); edges show reachability.]


Example 2. Figure 6(b) shows $t_R = 2 \times t_A$. The loss nodes are VM2 and SW1, and the action nodes are SW2 and SW3. Assuming that both the cost of damage from the attack and the cost of the action are 100, the total cost is 400.

[Figure 5: Attack detection and countermeasure without detection delay. (a) Attack detection at VM2. (b) Applying the flow table to block VM2. (c) Full AG after the countermeasure is applied.]

[Figure 6: Attack detection and countermeasure with detection delay. (a) Attack detection at VM2, with the attacker's expected location at SW1. (b) Applying the flow table to block VM2 and SW1. (c) Full AG after the countermeasure is applied.]

If $t_R$ is less than $t_A$, the defender can take immediate action on the detected node. But in reality, this is not always true, and therefore the attacker has extra time to continue compromising nodes in the SDN. $k$ is used to determine the attacker's attack progress. It also indicates the number of possible SDN nodes that the attacker may have compromised (i.e., a predictive value to estimate the attacker's progress). Hence, the defender must take action on the nodes that are up to $k$ hops in distance when the condition of equation (6) is satisfied. For example, if $t_R$ and $t_A$ are the same, then $k$ is 1. The defender can then take action on a node that is 1 hop away. Using Algorithm 1, the defender can select the node to take action on:

$$k \times t_A \le t_R < (k + 1) \times t_A \qquad (6)$$

The countermeasures should be applied as soon as possible to minimize the loss of the entire system. If $t_D$ and $t_C$ in $t_R$ cannot be reduced, $t_S$ should be reduced. Rather than calculating the security model in real time when an attack occurs, it is possible to reduce $t_S$ by searching for and applying a model that matches the current situation among the precomputed security models.

4. Precomputation and Attack Prediction for Security Assessment

This section introduces the precomputation of attack scenarios and attack scenario prediction by taking into account the delays in attack detection. We can precompute the attack scenarios in order to reduce the time taken to evaluate them. We also take into account the delays observed in attack detection mechanisms and propose an attack scenario prediction method to enhance the capabilities of SDN defense mechanisms. The generation of both the full graph and the HARM can be found in [17].

4.1. Full Graph. Assessing the security of the SDN in real time faces a scalability problem using existing graphical security models, as presented in Section 7. To address this problem, we precompute all possible attack scenarios using a full AG. By precomputing all possible attack scenarios offline, we can reuse this information in real time when necessary. For the precomputation of attack scenarios, we use a full AG, which represents all possible attack paths. Algorithm 2 is used to generate a full AG. The inputs required are the AG, the attacker location, and the target node. Then the algorithm searches for all possible attack paths of the given attack scenario. Given the attacker outside the SDN and the target node VM6, the full AG of the example SDN is shown in Figure 7. For simplicity, we only represented attack paths of VMs, as the size of the full AG grows exponentially relative to the AG above.

4.2. HARM. The full AG above is used for fast real-time security assessment for particular attack scenarios. However, it is not scalable to enumerate all possible attack scenarios for a security overview of the SDN. Instead, we use the HARM [17] to assess the security of the SDN in a more scalable manner. The HARM models network nodes and their vulnerabilities onto multiple layers and utilizes the benefits of hierarchy to reduce the scalability complexity. We generate a 2-HARM (a two-layered HARM) of the example SDN, as shown in Figure 8. The formalism of the 2-HARM is as follows.

Definition 4. The two-layered HARM is defined as a 3-tuple $H = (U, L, M)$. Here, $U$ is the AG, $L$ is the set of ATs for $H$, and $M$ is the mapping between the upper layer components and lower layer components. This mapping is described by $M: U \rightarrow L$. Each host in the upper layer may have a corresponding AT in the lower layer.

The upper layer of the HARM uses the AG to represent the reachability between the nodes in the SDN (i.e., the VMs and the switches). Hence, we define $U$ as follows.

Definition 5. An AG in the upper layer of the HARM is defined as a 2-tuple $U = (N, E)$, where $N$ is a finite set of nodes in the SDN and $E \subseteq N \times N$ is a set of edges, where a pair of nodes

The lower layer of the HARM is a set of attack trees (ATs) [29], where each AT represents the vulnerability information of each upper layer node of the HARM (i.e., SDN nodes). We define each $L$ in the lower layer of the HARM as follows.

Algorithm 1: Response node selection algorithm

  procedure RNS(AG_SDN, N_D, t_A, t_R)
      if t_A > t_R then
          Send N_D to Reconfiguration Module
      else
          for all E from N_D to N_i do
              t_R ← t_R − t_A
              RNS(AG_SDN, N_i, t_A, t_R)
          end for
      end if
  end procedure

Algorithm 2: Algorithm to generate a full AG

  procedure fullAG(AG, N_cr, N_tg)
      Mark N_cr visited
      Stack.push(N_cr)
      if N_cr = N_tg then
          Return Stack
      else if Sizeof(E_{N_cr}) ≠ 0 then
          for i ← 0 to Sizeof(E_{N_cr}) in AG do
              N_next ← destination of E_{N_cr, i}
              if N_next is uniquely aligned then
                  fullAG(AG, N_next, N_tg)
              end if
          end for
      else
          Stack.clear
      end if
  end procedure

Definition 6. An AT in the lower layer of the HARM is defined as a 5-tuple $L = (A, B, c, g, root)$, where $A$ is a finite set of vulnerabilities and $B$ is a set of gates, which are the inner nodes of $L$. We require $A \cap B = \emptyset$ and $root \in A \cup B$. Function $c: B \rightarrow \mathcal{P}(A \cup B)$ describes the children of each inner node in the AT (we assume there are no cycles). Function $g: B \rightarrow \{AND, OR\}$ describes the type of each gate. The representation of the attack tree $L_n$ associated to the host $n \in N$ is as follows:

$$L_n = A \subseteq n_{vuls} \qquad (7)$$

This means that the vulnerabilities of a node are combined using logical AND and OR gates.
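As an added worked example (not the authors' code), the following Python implements equation (6) and Algorithm 1 on the AG_SDN edge list of Example 4, with the constructed per-node costs of 100 from Examples 1 and 2. It assumes that each successor of a node is explored with the remaining response window reduced by t_A once, and that a node the attacker can reach within the window on any path is a loss node rather than an action node.

```python
"""Equation (6) and Algorithm 1 (RNS) on the example SDN (added example).

Constructed from the edge list of Example 4; node costs are the constructed
values of Examples 1 and 2 (100 per loss node, 100 per action node).
"""
import math
from collections import defaultdict

# Example 4: reachability between SDN nodes; A is the attacker outside the SDN.
EDGES = [
    ("A", "VM1"), ("A", "VM2"), ("A", "VM3"), ("VM1", "SW1"), ("VM2", "SW1"),
    ("VM3", "SW1"), ("VM1", "SW2"), ("SW1", "SW2"), ("SW1", "VM5"),
    ("SW2", "VM4"), ("SW2", "VM5"), ("SW2", "SW3"), ("VM4", "SW3"),
    ("VM5", "SW3"), ("SW3", "VM6"),
]


def build_graph(edges):
    """Adjacency list: node -> next hops reachable under the current flow table."""
    graph = defaultdict(list)
    for src, dst in edges:
        graph[src].append(dst)
    return graph


def k_hops(t_a, t_r):
    """Return k with k*tA <= tR < (k+1)*tA (equation (6)); k = 0 when tR < tA."""
    if t_a <= 0:
        raise ValueError("attack time t_A must be positive")
    return max(0, math.floor(t_r / t_a))


def _walk(graph, node, t_a, t_r, loss, action, on_path):
    """Recursive body of Algorithm 1 (RNS)."""
    if t_a > t_r:
        # The countermeasure arrives before the attacker: reconfigure here.
        action.add(node)
        return
    # The attacker is assumed to reach this node before we can respond.
    loss.add(node)
    for nxt in graph.get(node, []):
        if nxt not in on_path:  # guard against cycles in the AG
            # Assumption: every successor gets the remaining window tR - tA.
            _walk(graph, nxt, t_a, t_r - t_a, loss, action, on_path | {node})


def rns(graph, detected, t_a, t_r):
    """Response node selection starting from the detected node N_D.

    Returns (loss_nodes, action_nodes). A node reachable within the response
    window on any path counts as a loss node and is removed from the action set.
    """
    loss, action = set(), set()
    _walk(graph, detected, t_a, t_r, loss, action, frozenset())
    return loss, action - loss


def total_cost(graph, detected, t_a, t_r, loss_cost=100, response_cost=100):
    """Total cost of ownership as used in Examples 1 and 2 and Section 5.2."""
    loss, action = rns(graph, detected, t_a, t_r)
    return len(loss) * loss_cost + len(action) * response_cost


if __name__ == "__main__":
    g = build_graph(EDGES)
    for t_r in (0.5, 1.0, 2.0, 3.0):
        loss, action = rns(g, "VM2", 1.0, t_r)
        print(f"tR = {t_r:.1f} tA  k = {k_hops(1.0, t_r)}  loss = {sorted(loss)}  "
              f"action = {sorted(action)}  cost = {total_cost(g, 'VM2', 1.0, t_r)}")
```

With t_R = t_A the walk reproduces Example 1 (loss VM2, action SW1, cost 200); with t_R = 2 t_A it yields the successors of SW1 in the Example 4 graph (SW2 and VM5) as action nodes at a cost of 400.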

Given the definitions above, the example SDN in the form of the HARM can be represented as follows.

Example 3. The Upper and Lower Layer Mapping. Figure 8 shows the HARM of the SDN. The HARM for the given SDN model is $H = (U, L, M)$, where $U$ and $L$ are the AG and the set of ATs in the upper and the lower layer, and $M: U \rightarrow L$ is a one-to-one mapping of the upper layer $U$ to the corresponding lower layer $L$.

[Figure 7: A full AG of the SDN. Every attack path from the attacker A through VM1, VM2, or VM3 and the switches SW1, SW2, and SW3 (via VM4 or VM5) to the target VM6 is drawn as a separate branch ending in a VM6 leaf.]

[Figure 8: A HARM of the SDN in Figure 4. Upper layer: the AG over A, VM1 to VM6, and SW1 to SW3, with VM6 as the target. Lower layer: one AT per node, rooted at an OR gate over its CVEs, with leaf probabilities taken from the base scores (e.g., 2013-0013: 0.58, 2012-0001: 0.93, 2012-4546: 0.43, 2012-4002: 0.90, OpenFlow control: 0.75) and resulting node probabilities such as 0.971 and 0.943 for the VMs and 0.75 for the switches.]

Example 4. The Upper Layer. The AG shown in Figure 8 is a directed graph $AG_{SDN} = (N_{SDN}, E_{SDN})$, where $N_{SDN} = \{A, VM1, VM2, VM3, VM4, VM5, VM6, SW1, SW2, SW3\}$ and $E_{SDN} = \{(A, VM1), (A, VM2), (A, VM3), (VM1, SW1), (VM2, SW1), (VM3, SW1), (VM1, SW2), (SW1, SW2), (SW1, VM5), (SW2, VM4), (SW2, VM5), (SW2, SW3), (VM4, SW3), (VM5, SW3), (SW3, VM6)\}$.

Example 5. The Lower Layer. The ATs in the lower layer are shown in Figure 8. The set of conditions required to compromise VM1 is given by $L_{VM1} = (A_{VM1}, B_{VM1}, c_{VM1}, g_{VM1}, root_{VM1})$, where $A_{VM1} = \{WV1, WV2, WV2'\}$ is a set of components which are the leaves (vulnerabilities), $B_{VM1} = \{AND1, OR1\}$, $c_{AND1} = \{WV1, WV2'\}$, $c_{OR1} = \{AND1, WV2\}$, $g_{VM1}(root_{VM1}) = OR1$, and $root_{VM1} = root$, $root \in A_{VM1} \cup B_{VM1}$.

5. Result and Analysis

In this section, we investigate the effectiveness of using the full AG for precomputation, taking into account various security metrics. Regardless of which model we use, the security metric computed will be the same. Since both the full AG and the HARM compute the same metric values, we do not explicitly present those results in this paper.

First, we look at changes in security metrics with and without deploying a countermeasure, where we change the flow table rules to block attack paths up to three steps, in Section 5.1. Then, we conduct simulations to investigate the performance difference of computing an AG used in the HARM versus a full AG for precomputation in Section 5.3.

5.1. Change in Security Metrics. For this experiment, we use the example SDN shown in Figure 3 as our experimental testbed. In this system, the service is not available unless a packet is sent to the database. So, we assume that the network administrator cannot change the flow table rules of SW3 and VM6 due to system constraints (i.e., they need to be functional to continuously provide the SDN service). To ensure operability, we extend this assumption such that at least one connection path exists so that users' requests can be handled. Although modifying flows can affect the performance of the SDN, we only consider the minimal cost to enhance the security of the SDN in this paper (i.e., the minimum number of flow changes for maximized security). For example, an alternative flow path can be used to continue delivering the service, but it may create a bottleneck effect if the traffic is not managed carefully. We will investigate the trade-off between enhancing security and degrading the network performance in our future work.

First, we investigate the change in security when predicting a potential attack in 1 hop, and then we measure the change in the probability of attack success and the system risk. The result is shown in Figure 9, which shows that blocking 1-hop flows at SW1 or SW2 minimizes the probability and the risk more than blocking other nodes.

On the other hand, if the detection of an attack was delayed, we need to consider further steps in order to mitigate the attack. So, we also look at 2-hop flow blocking of nodes, where the combinations are shown in Table 3. The result is shown in Figure 10, which shows a similar result to the 1-hop blocking (i.e., the best practice is to block flow through SW1 or SW2). However, we observe that the importance of nodes for defense has changed (i.e., the priorities to secure SDN components can vary when the number of hops changes). For instance, blocking the flow through VM2 and SW2 can also achieve a similar effect, whereas VM2 in the 1-hop analysis was significantly worse.

Lastly, we look at the 3-hop flow blocking. Table 4 shows the combinations of three nodes and their flows to be blocked. With the given attack scenario, we have 21 possible combinations of nodes out of the maximum number of 35. Figure 11 shows the result, where three conditions that include SW2 minimized the probability of attack success and the system risk, but only one condition that includes SW1 did. This indicates that we need to look into the various attack paths as well as the importance of nodes. In conclusion, we observe that our proposed solution has identified SW2 as the most important SDN component to secure. In general, the most vulnerable node or the node with many connections to other nodes in the network can be the most important node. Another method of analyzing the importance of nodes is the network centrality measure [30]. For the running example, it is easy to pick this out by inspection, but when the SDN becomes larger and more complex, this can be done easily using the proposed solution, whereas it would be near impossible and impractical by human effort.
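As an added worked example (not the authors' code), the following Python ties together equations (4) and (5), the OR-gated lower-layer ATs of Section 4.2, the full AG generation of Algorithm 2, and the single-node flow blocking experiment of this section. It is built from the AG_SDN edge list of Example 4 and the base scores and impacts of Table 2; the path-probability and system-level aggregation rules (product along a path, "at least one path succeeds" across paths, largest summed node risk) are assumptions marked in the code, not the paper's stated metric definitions.

```python
"""Full AG generation (Algorithm 2) and flow-table blocking metrics (added example).

Inputs are constructed from the paper: the AG_SDN edge list of Example 4 and
the CVSS base scores / impacts of Table 2. Aggregation rules are assumptions.
"""
from collections import defaultdict

EDGES = [
    ("A", "VM1"), ("A", "VM2"), ("A", "VM3"), ("VM1", "SW1"), ("VM2", "SW1"),
    ("VM3", "SW1"), ("VM1", "SW2"), ("SW1", "SW2"), ("SW1", "VM5"),
    ("SW2", "VM4"), ("SW2", "VM5"), ("SW2", "SW3"), ("VM4", "SW3"),
    ("VM5", "SW3"), ("SW3", "VM6"),
]

# Table 2: (CVSS BS, Impact) for each vulnerability of each node.
VULNS = {
    "VM1": [(5.8, 4.9), (9.3, 10.0)], "VM2": [(6.1, 4.7), (9.3, 10.0)],
    "VM3": [(4.3, 2.9), (9.3, 8.2)], "VM4": [(6.0, 4.8), (9.3, 10.0)],
    "VM5": [(4.4, 2.9), (9.0, 8.5)], "VM6": [(4.3, 2.9), (9.3, 8.2)],
    "SW1": [(6.8, 6.4)], "SW2": [(6.5, 6.5)], "SW3": [(5.9, 6.8)],
}
FIXED = {"SW3", "VM6"}  # Section 5.1: the flows of these nodes cannot be changed


def p_attack(bs):
    """Equation (5): probability of attack success from the CVSS base score."""
    return bs / 10.0


def risk_vul(bs, impact):
    """Equation (4): risk of a single vulnerability."""
    return impact * p_attack(bs)


def node_probability(node):
    """Lower-layer AT with an OR gate: any one vulnerability compromises the node."""
    not_compromised = 1.0
    for bs, _ in VULNS.get(node, []):
        not_compromised *= 1.0 - p_attack(bs)
    return 1.0 - not_compromised


def node_risk(node):
    """Risk of a node: equation (4) summed over its vulnerabilities (assumption)."""
    return sum(risk_vul(bs, im) for bs, im in VULNS.get(node, []))


def full_ag(edges, attacker, target, blocked=frozenset()):
    """Algorithm 2: depth-first enumeration of every simple path attacker -> target.

    Nodes in `blocked` are removed from the graph, which is how a flow-table
    rule that drops their traffic is modelled here.
    """
    graph = defaultdict(list)
    for src, dst in edges:
        if src not in blocked and dst not in blocked:
            graph[src].append(dst)
    paths = []

    def visit(stack):
        node = stack[-1]
        if node == target:
            paths.append(list(stack))
            return
        for nxt in graph.get(node, []):
            if nxt not in stack:  # "uniquely aligned": no node twice on a path
                stack.append(nxt)
                visit(stack)
                stack.pop()

    visit([attacker])
    return paths


def security_metrics(paths):
    """System-level PAS and risk over a set of attack paths.

    Assumptions: a path succeeds when every node on it is compromised (product);
    PAS is the probability that at least one path succeeds, treating paths as
    independent; risk is the largest summed node risk over a single path.
    """
    all_fail, risk = 1.0, 0.0
    for path in paths:
        nodes = path[1:]  # skip the attacker's own node
        p_path = 1.0
        for n in nodes:
            p_path *= node_probability(n)
        all_fail *= 1.0 - p_path
        risk = max(risk, sum(node_risk(n) for n in nodes))
    return {"paths": len(paths), "pas": 1.0 - all_fail, "risk": risk}


def rank_single_blocks(edges, attacker="A", target="VM6"):
    """Figure 9 style comparison: block one node at a time, lowest PAS first."""
    candidates = {s for s, _ in edges} | {d for _, d in edges}
    candidates -= FIXED | {attacker, target}
    ranked = []
    for node in sorted(candidates):
        m = security_metrics(full_ag(edges, attacker, target, blocked={node}))
        ranked.append((node, m["pas"], m["risk"], m["paths"]))
    return sorted(ranked, key=lambda r: r[1])


if __name__ == "__main__":
    print("initial:", security_metrics(full_ag(EDGES, "A", "VM6")))
    for node, pas, risk, n in rank_single_blocks(EDGES):
        print(f"block {node}: paths={n} PAS={pas:.3f} risk={risk:.1f}")
```

On the Example 4 graph the enumeration yields 15 paths from A to VM6, and blocking either SW1 or SW2 leaves only 3, which is why those two switches rank lowest under the PAS assumption above.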

5.2. Numerical Sensitivity Analysis. The slower the response to an attack, the more nodes the attacker can attack. This results in more loss to the system. We conducted an experiment to compare the losses incurred in the system with the costs required to take action within the response time. Since the loss cost and the cost of action cannot be defined objectively, the sensitivity analysis methodology was applied. In this experiment, we calculated the loss and response costs based on the detection time and the attack time when an attacker successfully attacked VM2.

In the first experiment, we applied a sensitivity analysis to the loss cost. The response cost was fixed at 100, and the loss cost was increased from 0 to 500. In each case, the total cost of ownership was calculated. Figure 12(a) shows the experimental result. As the response time becomes slower than the attack time, the total cost is higher.

Second, we applied a sensitivity analysis to the response cost. The loss cost was fixed at 100, and the response cost was increased from 0 to 500. As in the previous experiment, we calculated the total cost for each case. The experimental results show that the total cost of ownership varies depending on the situation, as in Figure 12(b). If a defender defends a node that is far from the compromised node, the loss cost may occur at a node with a relatively short distance. However, if the cost of response is greater than the cost of loss, taking action on multiple nodes significantly increases the total cost of ownership. In this case, taking action on one node that is farther away, even if the loss is considered, may be a way to save the total cost of ownership.

5.3. Simulation. To investigate the performance of precomputing the full AG in comparison to the AG, we simulate the generation and evaluation time. The precomputation of the full AG is important as it reduces the security evaluation time for real-time mitigation, while it is also used for attack prediction. As increasing the number of nodes puts both the AG and the full AG in exponential time complexity [16], we focus on generation and evaluation when certain node flows are blocked, as shown in Table 5.

The comparison results are shown in Figure 13; it shows that the full AG outperforms the AG in terms of evaluation time for all the conditions. This indicates that real-time security assessment for a large-sized SDN (or any other general network) using the AG may not be feasible [17], and that there is an efficiency gain from precomputing all possible attack paths using the full AG. It is also more efficient to utilize more scalable security models such as the HARM.

[Figure 9: Block one node vs. security metrics. x-axis: node blocked using the flow table (Initial, VM1, VM2, VM3, VM4, VM5, SW1, SW2); left y-axis: PAS (0 to 1); right y-axis: Risk (0 to 1000).]

Table 3: A set of two-node block conditions

ID  | Nodes
C1  | VM1, VM2
C2  | VM1, VM3
C3  | VM1, VM4
C4  | VM1, VM5
C5  | VM1, SW2
C6  | VM2, VM3
C7  | VM2, VM4
C8  | VM2, VM5
C9  | VM2, SW1
C10 | VM2, SW2
C11 | VM3, VM4
C12 | VM3, VM5
C13 | VM3, SW1
C14 | VM3, SW2
C15 | VM4, VM5
C16 | VM4, SW1
C17 | VM4, SW2
C18 | VM5, SW1

[Figure 10: Block two nodes vs. security metrics. x-axis: block conditions (Initial, C1 to C18 of Table 3); left y-axis: PAS (0 to 1); right y-axis: Risk (0 to 1000).]

Table 4: A set of three-node block conditions

ID  | Nodes
C1  | VM1, VM2, VM4
C2  | VM1, VM2, VM5
C3  | VM1, VM2, SW2
C4  | VM1, VM3, VM4
C5  | VM1, VM3, VM5
C6  | VM1, VM3, SW2
C7  | VM1, VM4, VM5
C8  | VM1, VM4, SW2
C9  | VM2, VM3, VM4
C10 | VM2, VM3, VM5
C11 | VM2, VM3, SW1
C12 | VM2, VM3, SW2
C13 | VM2, VM4, VM5
C14 | VM2, VM4, SW1
C15 | VM2, VM4, SW2
C16 | VM2, VM5, SW1
C17 | VM3, VM4, VM5
C18 | VM3, VM4, SW1
C19 | VM3, VM4, SW2
C20 | VM3, VM5, SW1
C21 | VM4, VM5, SW1

6. Discussion and Limitations

6.1. Scalability. The framework provides an approach to assessing the security of the SDN and applying countermeasures to the system using a security model for real-time intrusion responses. However, the security model has scalability issues. In our future work, we will consider improving the performance of security modeling and analysis for the SDN, as we face exponential time complexity when the number of nodes in the SDN increases.

6.2. SDN Attack Surface. Furthermore, we use network devices that exist in the data plane for security modeling. However, the SDN has a variety of components and threat vectors in addition to the data plane. Accordingly, we will incorporate the control plane and the SDN controller in the model in order to assess the security posture of the whole life cycle of the SDN. In addition, the network may normally have an internal attacker. But we only used scenarios in which the attacker would always break in from the outside. We can deal with internal attackers in our future work.

[Figure 11: Block three nodes vs. security metrics. x-axis: block conditions (Initial, C1 to C21 of Table 4); left y-axis: PAS (0 to 1); right y-axis: Risk (0 to 1000).]

[Figure 12: Cost sensitivity analysis. (a) Loss cost (0 to 500) vs. total cost (0 to 3500). (b) Response cost (0 to 500) vs. total cost (0 to 1400). Series in both panels: tR < tA, tR = tA, tR = 2tA, tR = 3tA, tR = 4tA.]

Table 5: A set of conditions that include specific node(s)

ID | Nodes
C1 | VM1
C2 | SW2
C3 | VM1, SW2
C4 | VM4, SW1
C5 | VM2, VM4, SW2
C6 | VM3, VM5, SW1

6.3. Evalu
ation Correctness of Different Vulnerabilities. In this paper, we removed the assumption that an IDS may not work in real time and also that the detection rate may not be 100%. This is more realistic, as an attack which was detected at the entry point but progressed to install a backdoor on a user's computer may not be mitigated effectively by only enhancing the entry point vulnerability. As such, we go beyond securing the point of detection and evaluate the possible extensions of the damage. However, we did not explicitly evaluate the effects of different vulnerabilities present, where some system settings may be mitigated well by securing the detection point (e.g., security by design). As we only focused on the usefulness of precomputation, we will investigate the impact of secure design in the context of our work in the future.

6.4. Multiple Attackers. In this paper, we focused only on a single attacker version, but in reality there can be multiple attackers trying to exploit the SDN via various entry routes. However, because we already precomputed all possible attack paths and the IDSes are working in real time, our attack response module only has to make sure that different attackers are differentiated when formulating countermeasures. In this way, our proposed solution can mitigate multiple attackers even when they exploit different attack surfaces. On the other hand, we only handled targeted attacks. Therefore, volume-based attacks such as DDoS are not appropriately addressed by our solution. We will investigate the mitigation schemes for volume-based attacks in the SDN in our future work.

6.5. Network Topology Changes. In this paper, we changed the network flow to respond to the attack when it occurred. However, the network topology of an SDN can be dynamic. Therefore, when the model changes, it is necessary to redo the precomputation for the changed model. This could be a similar solution to the MTD in response to an attack [5]. In our future work, we will investigate the application of precomputation to changing models.

7. Related Work

7.1. General SDN Security. Various security issues related to the SDN have been studied previously [1, 31–34]. Kreutz et al. [6] presented new threat vectors of the SDN that were not present in traditional networks. They also provided some potential solutions to mitigate their identified threats. However, they do not specify the means to evaluate those threats. We aim to provide solutions to some of these problems in this paper. Shin et al. [35] presented a framework named FRESCO, which enhances the security of the OpenFlow protocol for the SDN, allowing it to detect and mitigate attacks. This work shows that SDN components such as SDN switches are prone to cyber attacks. Porras et al. [36] presented SE-Floodlight, an extension to the widely used OpenFlow Floodlight Controller, to provide additional security features to protect the control plane of the SDN. Our paper aims to leverage these technologies and provide a comprehensive security analysis of the SDN.

7.2. Intrusion Detection in SDN. An intrusion is defined as a successfully carried out attack, including any malicious behavior in the system. Intrusion detection is an activity to detect such intrusions. It is ideal to detect all the intrusions with 100% accuracy, but in practice this is infeasible. Because intrusion detection is not perfect, there are always false alarms, characterized by true-positive and false-positive rates. Several types of research have been conducted on attack detection in the SDN environment. Dhawan et al. [25] proposed SPHINX, a framework to detect attacks on network topology and data plane forwarding. Braga et al. [26] proposed a lightweight method for detecting DDoS attacks based on traffic flow capabilities. Giotis et al. [27] presented how to apply SDN for distributed denial of service (DDoS) mitigation by using the OpenFlow protocol as a means to enhance the legacy Remote Triggered Black-Hole (RTBH). And in [28], they performed anomaly detection and mitigation in the SDN architecture through an efficient and scalable mechanism. Although not perfect, we can leverage these techniques to detect intrusions in the SDN, which can be used to formulate optimal countermeasures using the HARM.

7.3. Security Modeling for SDN. For security modeling and analysis, Chung et al. [37] presented NICE, a network intrusion detection and countermeasure selection framework. The core of this framework is using an AG to evaluate the security. However, there are limitations of using an AG due to its scalability issues. Similarly, many of the existing graphical security models, as described in [10, 11], suffer from the scalability and adaptability problems [5]. Typically, the scalability problem arises when these models have real-time constraints. In order to address this issue, our approach is to precompute attack scenarios in advance and use them

[Figure 13: Specific node(s) vs. security evaluation time. x-axis: specific nodes (Initial, C1, C2, C3, C4, C5, C6); y-axis: security evaluation time (ms), 0 to 50; series: attack graph, full attack graph.]


where necessary. Hence, we propose to use a full AG as presented in [18] to generate all possible attack paths in the precomputation. Moreover, we also use the HARM [17] that supports scalable and adaptable security modeling and analysis. By precomputing all possible attack paths, we can quickly evaluate the security posture of the SDN when an intrusion is detected and formulate effective countermeasures in real time.

8. Conclusion

SDN provides functionalities that can dynamically control the network flow, enabling a more robust and economical way of managing network communications. However, it also introduced new vulnerabilities and attack vectors that were not present previously. As a result, many have proposed security solutions to strengthen the SDN against cyber attacks. Nevertheless, there is still a lack of security modeling and analysis for SDN which enables a system administrator to have a systematic security overview of the SDN.

In this paper, we proposed a security modeling and analysis framework with precomputation for the SDN to formulate countermeasures in real time. The precomputation method was used for the AG, the full AG, and the HARM to generate attack scenarios of the current SDN, which can then be used in conjunction with the IDS and correlated with the precomputed attack scenarios. Further, the precomputed models can be used for predicting potential attacks in case the detection mechanisms are delayed. To verify, we carried out experimental analysis on the SDN testbed and simulations, which showed that our proposed approaches would be practical and effective in the SDN to defend against an ongoing attack in real time.

Data Availability

The vulnerability data used to support the findings of this study are included within the article.

Conflicts of Interest

The authors declare that they have no conflicts of interest.

References

[1] G. Stabler, A. Rosen, S. Goasguen, and K.-C. Wang, "Elastic IP and security groups implementation using OpenFlow," in Proceedings of the 6th International Workshop on Virtualization Technologies in Distributed Computing Date, ser. VTDC '12, pp. 53–60, ACM, New York, NY, USA, 2012.

[2] D. Kreutz, F. M. V. Ramos, P. Veríssimo, C. E. Rothenberg, S. Azodolmolky, and S. Uhlig, "Software-defined networking: a comprehensive survey," Proceedings of the IEEE, vol. 103, no. 1, p. 63, 2015.

[3] M. Tariq, B. Koldehofe, S. Bhowmik, and K. Rothermel, "PLEROMA: A SDN-based high performance publish/subscribe middleware," in Proceedings of the 15th International Middleware Conference (Middleware 2014), pp. 217–228, ACM, New York, NY, USA, 2014.

[4] J. Jafarian, E. Al-Shaer, and Q. Duan, "OpenFlow random host mutation: transparent moving target defense using software defined networking," in Proc. of the 1st Workshop on Hot Topics in Software Defined Networks (HotSDN 2012), pp. 127–132, ACM, New York, NY, USA, 2012.

[5] J. B. Hong and D. S. Kim, "Assessing the effectiveness of moving target defenses using security models," IEEE Transactions on Dependable and Secure Computing, vol. 13, no. 2, pp. 163–177, 2016.

[6] D. Kreutz, F. M. Ramos, and P. Verissimo, "Towards secure and dependable software-defined networks," in Proceedings of the Second ACM SIGCOMM Workshop on Hot Topics in Software Defined Networking, ser. HotSDN '13, pp. 55–60, ACM, New York, NY, USA, 2013.

[7] S. Lee, C. Yoon, C. Lee, S. Shin, V. Yegneswaran, and P. A. Porras, "Delta: a security assessment framework for software-defined networks," in Proceedings of the 2017 Network and Distributed System Security Symposium, San Diego, CA, USA, March 2017.

[8] S. Lee, J. Kim, S. Shin, P. Porras, and V. Yegneswaran, "Athena: A framework for scalable anomaly detection in software-defined networks," in Proceedings of the 2017 47th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN), pp. 249–260, Denver, CO, USA, June 2017.

[9] S. Nanda, F. Zafari, C. DeCusatis, E. Wedaa, and B. Yang, "Predicting network attack patterns in SDN using machine learning approach," in Proceedings of the 2016 IEEE Conference on Network Function Virtualization and Software Defined Networks (NFV-SDN), pp. 167–172, Palo Alto, CA, USA, November 2016.

[10] B. Kordy, L. Piètre-Cambacédès, and P. Schweitzer, "DAG-based attack and defense modeling: don't miss the forest for the attack trees," Computer Science Review, vol. 13-14, pp. 1–38, 2014.

[11] J. B. Hong, D. S. Kim, C.-J. Chung, and D. Huang, "A survey on the usability and practical applications of graphical security models," Computer Science Review, vol. 26, pp. 1–16, 2017.

[12] H. Xu, J. Su, X. Zong, and L. Yan, "Attack identification for software-defined networking based on attack trees and extension innovation methods," in Proceedings of the 2017 9th IEEE International Conference on Intelligent Data Acquisition and Advanced Computing Systems: Technology and Applications (IDAACS), vol. 1, pp. 485–489, Bucharest, Romania, September 2017.

[13] L. Yao, P. Dong, T. Zheng, H. Zhang, X. Du, and M. Guizani, "Network security analyzing and modeling based on Petri net and attack tree for SDN," in Proceedings of the 2016 International Conference on Computing, Networking and Communications (ICNC), pp. 1–5, Kauai, HI, USA, February 2016.

[14] A. Roy, D. Kim, and K. Trivedi, "Scalable optimal countermeasure selection using implicit enumeration on attack countermeasure trees," in Proceedings of the 42nd Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN 2012), pp. 1–12, IEEE Computer Society, Los Alamitos, CA, USA, June 2012.

[15] J. Hong and D. Kim, "Performance analysis of scalable attack representation models," in Security and Privacy Protection in Information Processing Systems (SEC 2013), L. Janczewski, H. Wolfe, and S. Shenoi, Eds., vol. 405, pp. 330–343, Springer, Berlin, Germany, 2013.


[16] R. Lippmann and K. Ingols, "An Annotated Review of Past Papers on Attack Graphs," Technical report ESC-TR-2005-054, MIT Lincoln Laboratory, Lexington, MA, USA, 2005.

[17] J. B. Hong and D. S. Kim, "Towards scalable security analysis using multi-layered security models," Journal of Network and Computer Applications, vol. 75, pp. 156–168, 2016.

[18] K. Ingols, R. Lippmann, and K. Piwowarski, "Practical attack graph generation for network defense," in Proceedings of the 22nd Annual Computer Security Applications Conference (ACSAC 2006), pp. 121–130, Miami Beach, FL, USA, December 2006.

[19] Z. Shu, J. Wan, D. Li, J. Lin, A. V. Vasilakos, and M. Imran, "Security in software-defined networking: threats and countermeasures," Mobile Networks and Applications, vol. 21, no. 5, pp. 764–776, 2016.

[20] M. Albanese, S. Jajodia, and S. Noel, "Time-efficient and cost-effective network hardening using attack graphs," in Proceedings of the 42nd Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN 2012), IEEE Computer Society, Los Alamitos, CA, USA, June 2012.

[21] J. Beale, R. Deraison, H. Meer, R. Temmingh, and C. Walt, NESSUS Project, Syngress Publishing, Burlington, MA, USA, 2002, http://www.nessus.org.

[22] O. Developers, "The open vulnerability assessment system (OpenVAS)," 2012.

[23] J. Hong and D. Kim, "Scalable security model generation and analysis using k-importance measures," in Security and Privacy in Communication Networks (SecureComm 2013), T. Zia, A. Zomaya, V. Varadharajan, and M. Mao, Eds., vol. 127, pp. 270–287, Springer, Berlin, Germany, 2013.

[24] M. Schiffman, G. Eschelbeck, D. Ahmad, A. Wright, and S. Romanosky, CVSS: A Common Vulnerability Scoring System, National Infrastructure Advisory Council (NIAC), 2004.

[25] M. Dhawan, R. Poddar, K. Mahajan, and V. Mann, "Sphinx: detecting security attacks in software-defined networks," in Proceedings of the 2015 Network and Distributed System Security Symposium, vol. 15, pp. 8–11, San Diego, CA, USA, February 2015.

[26] R. Braga, E. M. M. Braga, and A. Passito, "Lightweight DDoS flooding attack detection using NOX/OpenFlow," in Proceedings of the 2010 IEEE 35th Conference on Local Computer Networks, ser. LCN '10, pp. 408–415, IEEE Computer Society, Washington, DC, USA, October 2010.

[27] K. Giotis, G. Androulidakis, and V. Maglaris, "Leveraging SDN for efficient anomaly detection and mitigation on legacy networks," in Proceedings of the 2014 Third European Workshop on Software Defined Networks, ser. EWSDN '14, pp. 85–90, IEEE Computer Society, Washington, DC, USA, September 2014.

[28] K. Giotis, C. Argyropoulos, G. Androulidakis, D. Kalogeras, and V. Maglaris, "Combining OpenFlow and sFlow for an effective and scalable anomaly detection and mitigation mechanism on SDN environments," Computer Networks, vol. 62, pp. 122–136, 2014.

[29] B. Schneier, Secrets and Lies: Digital Security in a Networked World, John Wiley & Sons, Hoboken, NJ, USA, 2000.

[30] J. Hong and D. Kim, "Scalable security analysis in hierarchical attack representation model using centrality measures," in Proceedings of the 43rd Annual IEEE/IFIP International Conference on Dependable Systems and Networks Workshop (DSN-W 2013), pp. 1–8, Budapest, Hungary, June 2013.

[31] N. Gude, T. Koponen, J. Pettit et al., "NOX: towards an operating system for networks," ACM SIGCOMM Computer Communication Review, vol. 38, no. 3, pp. 105–110, 2008.

[32] M. Casado, T. Garfinkel, A. Akella et al., "A protection architecture for enterprise networks," in Proceedings of the 15th Conference on USENIX Security Symposium, Volume 15, ser. USENIX-SS '06, USENIX Association, Berkeley, CA, USA, July 2006.

[33] J. Matias, J. Garay, A. Mendiola, N. Toledo, and E. Jacob, "FlowNAC: flow-based network access control," in Proceedings of the 2014 Third European Workshop on Software Defined Networks, ser. EWSDN '14, pp. 79–84, IEEE Computer Society, Washington, DC, USA, September 2014.

[34] J. B. Guang Yao and P. Xiao, "Source address validation solution with OpenFlow/NOX architecture," in Proceedings of the 2011 19th IEEE International Conference on Network Protocols, pp. 7–12, Vancouver, Canada, October 2011.

[35] S. Shin, P. A. Porras, V. Yegneswaran et al., "Modular composable security services for software-defined networks," in Proceedings of the 20th Annual Network & Distributed System Security Symposium, The Internet Society, San Diego, CA, USA, 2013.

[36] P. Porras, S. Cheung, M. Fong, K. Skinner, and V. Yegneswaran, "Securing the software-defined network control layer," in Proceedings of the 2015 Network and Distributed System Security Symposium (NDSS), San Diego, CA, USA, February 2015.

[37] C.-J. Chung, P. Khatkar, T. Xing, J. Lee, and D. Huang, "NICE: network intrusion detection and countermeasure selection in virtual network systems," IEEE Transactions on Dependable and Secure Computing, vol. 10, no. 4, pp. 198–211, 2013.



analyzes the attack information (e.g., type of attack) and its associated metadata (e.g., location, time, etc.). Although this module will try its best to detect attacks accurately and fast, we cannot rely on its performance being in real time and fully accurate.

2.4. Attack Response. The attack response module is one of our main contributions, where the impact of an attack is evaluated taking into account the intrusions detected and the location of the attack. For instance, if an attack is detected where the subnet contains many vulnerable computers, then the impact may be that one or more of the computers may also be compromised soon after. Consequently, the goal of the attack response module is to reduce the impact of the attack by quickly locating it, estimating the damage, and isolating the attack from its progression.

3. Real-Time Intrusion Response in SDN

3.1. SDN Configuration. To demonstrate the usability of our proposed solution, we take into account a running example as shown in Figure 3. The toy example includes nine nodes in the data plane (i.e., six virtual machines (VMs) and three switches). Table 1 shows the defined flow table in the SDN.

We assume that only the VMs on the web server are connected to the Internet and the attacker is located outside the SDN (i.e., no attackers inside the SDN) (our proposed solution is also applicable for inside attackers as it takes into account both security models and IDSes; however, we initially focus on attackers outside the SDN first). The role of the VMs is to provide services within and to the external users (e.g., an enterprise network setup using the SDN). For example, a user requesting a service will access VM1, VM2, or VM3 located in the web server.

If there is no problem with the system, the system operates as follows. A user sends a request to the system which requires the data stored in a database (e.g., VM6). To establish this service, a VM in the web server (e.g., VM1) requests the data through a VM in the app server (e.g., VM4) for all valid requests. Then, this request gets passed to VM6 for processing. Finally, the requested data get returned to the user through the VMs the request was processed from (e.g., in this instance, through VM1, VM4, and VM6).

There are two redundancy connections, between VM1 and SW2 and between VM5 and SW1, to continue to provide functionalities in the event of an emergency (e.g., a burst in requests or a DDoS attack). However, if the attacker compromises the SDN controller, these redundant connections can be used to form various attack paths. Based on

[Figure 1: Framework for real-time intrusion response in SDN. Control plane: SDN controller; network/vulnerability information collection; system/network event collection; security modeling and analysis; SDN configuration; intrusion detection (forwards attack information and detection time); attack response (defense policy enforcement, change flow table); forwarded results also include reachability and model calculation time. Data plane: Server1, Server2, and Server3 hosting VM1 to VM6, switches, and the Internet.]

[Figure 2: Overall system flowchart. The attacker attempts to attack; the IDS (the defender) detects the attack. Is attack detection perfect? Yes: attack detection rate calculation. No: is there a false alarm? If so, apply the false alarm rate. Attack detection time (tD) calculation and attack time (tA) calculation. Is there a precomputed security model? Yes: security model search. No: security model calculation. Security model configuration time (tS) calculation; countermeasure application time (tC) calculation. Attack reactor: compare tA vs. tD + tS + tC. Is reconfiguration possible on all nodes? Yes: select a node with tA > tD + tS + tC among all nodes. No: select a node with tA > tD + tS + tC among reconfigurable nodes. Apply reconfiguration (flow table).]


the SDN configurations and settings, the operating system of each node and its vulnerabilities can be found as shown in Table 2. For simplicity, we chose only a few vulnerabilities in the SDN for each node (OS vulnerabilities for VMs and an OpenFlow vulnerability for SDN switches), but all vulnerabilities can be modeled as in [23].

3.2. Security Modeling and Analysis

3.2.1. Common Vulnerability Scoring System (CVSS). In order to measure the severity of vulnerabilities, we use the CVSS base score (BS) [24]. First, we mention a few key updates to the CVSS BS system. The base vector takes into consideration "User Interaction" and "Privileges Required," and "Physical" has been added to the attack vector metric. Confidentiality, integrity, and availability measures are changed from None/Partial/Complete to None/Low/High, and "Access Complexity" has been changed to "Attack Complexity." The following equations are used to compute the CVSS BS metric, which we simply denote as "BS" (as shown in equation (1)); "IM" represents the Impact Metric (as shown in equation (2)), and "E" represents the Exploitability Metric (as shown in equation (3)).

$$BS = (0.6 \times IM + 0.4 \times E - 1.5) \times f(IM) \quad (1)$$

$$IM = 10.41 \times (1 - (1 - C) \times (1 - I) \times (1 - A)) \quad (2)$$

$$E = 20 \times AC \times AU \times AV \quad (3)$$

Based on the risk computation in [5], we utilize the CVSS BS in order to compute the system risk, which is calculated as shown in equation (4) (i.e., the system risk is a factor of

[Figure 3: Example SDN configuration. Control plane: SDN controller. Data plane: web server (VM1, VM2, VM3), application server (VM4, VM5), database (VM6), switches SW1, SW2, SW3, and the Internet. Legend: SDN control protocol (e.g., OpenFlow); physical/logical connection on data plane; redundancy connection.]

Table 1: The flow table.

SW ID | Match fields (Port, Src, Dst) | Action         | Priority
SW1   | 1, *, *                       | Forward port 2 | 1
SW1   | 2, *, VM4                     | Forward port 3 | 1
SW1   | 2, *, VM5                     | Forward port 3 | 1
SW1   | 4, *, VM5                     | Forward port 5 | 3
SW1   | *, *, VM6                     | Drop           | 9
SW2   | 1, *, *                       | Forward port 2 | 1
SW2   | 2, *, VM6                     | Forward port 3 | 3
SW2   | 4, VM1, VM4                   | Forward port 2 | 3
SW2   | 4, VM1, VM5                   | Forward port 2 | 3
SW2   | *, *, VM6                     | Drop           | 2
SW3   | 1, *, VM6                     | Forward port 2 | 1

Table 2: Operating system and vulnerabilities in each node.

Node | OS           | CVE ID         | CVSS BS | Impact
VM1  | Win 7        | CVE-2013-0013  | 5.8     | 4.9
VM1  | Win 7        | CVE-2012-0001  | 9.3     | 10
VM2  | Win 7        | CVE-2015-0006  | 6.1     | 4.7
VM2  | Win 7        | CVE-2015-1675  | 9.3     | 10
VM3  | Linux        | CVE-2012-4546  | 4.3     | 2.9
VM3  | Linux        | CVE-2014-0100  | 9.3     | 8.2
VM4  | Win 7        | CVE-2017-8495  | 6.0     | 4.8
VM4  | Win 7        | CVE-2017-8717  | 9.3     | 10
VM5  | Linux        | CVE-2015-7312  | 4.4     | 2.9
VM5  | Linux        | CVE-2015-4002  | 9.0     | 8.5
VM6  | Linux        | CVE-2017-0626  | 4.3     | 2.9
VM6  | Linux        | CVE-2017-6264  | 9.3     | 8.2
SW1  | Openflow 2.5 | CVE-2014-5035  | 6.8     | 6.4
SW2  | Openflow 2.7 | CVE-2017-9263  | 6.5     | 6.5
SW3  | Openflow 2.8 | CVE-2017-14970 | 5.9     | 6.8


impact and probability of an attack). In order to compute the system security risk, we need to know the probability of an attack success and the impact. Here, we use the exploitability metric associated with each vulnerability (as shown in Table 2) to represent the probability of an attack success, as in equation (5), and use the impact metric directly from the CVSS.

$$Risk_{Vul} = IM \times P_{attack} \quad (4)$$

$$P_{attack} = \frac{BS}{10} \quad (5)$$

3.2.2. Attack Graph for SDN. Here, we describe the AG used to model the SDN, which captures the sequence of vulnerabilities to be exploited to achieve the attack goal. We assume the attack goal is to execute arbitrary code on VM6. First, we define an AG as follows.

Definition 1. An AG is a directed graph $AG = (V, E)$, where $V$ is a finite set of vulnerabilities in the networked system and $E \subseteq V \times V$ is a set of edges, where a pair of vulnerabilities $(v_i, v_j) \mid v_i \in V, v_i \neq v_j$ is a mapping of nodes $v_i \rightarrow v_j$, $\forall\, post(v_i) = pre(v_j)$, such that the postcondition of $v_i$ satisfies the precondition of $v_j$.

Given the definition above, we can generate an AG to map attack scenarios of our example SDN, as shown in Figure 4. Given the model and the system risk calculation steps above, we can compute the system risk associated with our example SDN. For instance, the attacker can exploit vulnerabilities WV1 and WV2, as specified in Table 2 for Windows 7-based VMs. If the attacker exploits the WV1 vulnerability, then $Risk_{WV1}$ is 2.842 (i.e., the impact of 4.9 multiplied by the probability of 0.58). Similarly, $Risk_{WV2} = 9.3$, $Risk_{LV1} = 1.247$, $Risk_{LV2} = 7.65$, and $Risk_{OFV1} = 4.352$.
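As an added example (not code from the paper), the following Python computes equations (1) to (5) from a CVSS v2 base vector and then the per-vulnerability risk. The three vectors are constructed so that they reproduce the BS/Impact pairs listed in Table 2 for VM1 and SW1; the metric weight tables and f(IM) = 1.176 (0 when IM = 0) are taken from the CVSS v2 specification, which the page does not spell out.

```python
from decimal import Decimal, ROUND_HALF_UP

# CVSS v2 base-metric weights (from the CVSS v2 specification; equations (1)-(3) of the
# page are the v2 formulas applied to these values).
ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}
CIA_IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}

# Constructed vectors that yield the BS / Impact pairs of Table 2 (VM1 and SW1 rows).
# They are illustrative inputs, not the vectors NVD assigned to those CVE IDs.
CONSTRUCTED_VECTORS = {
    "WV1 (VM1, BS 5.8 / impact 4.9)": "AV:N/AC:M/Au:N/C:P/I:P/A:N",
    "WV2 (VM1, BS 9.3 / impact 10)": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
    "OFV1 (SW1, BS 6.8 / impact 6.4)": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
}


def round1(x: float) -> float:
    """CVSS rounds to one decimal, half up (Python's round() is half-even)."""
    return float(Decimal(repr(x)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def parse_vector(vector: str) -> dict:
    """Parse a CVSS v2 base vector such as 'AV:N/AC:M/Au:N/C:P/I:P/A:P' into weights."""
    fields = dict(part.split(":") for part in vector.split("/"))
    return {
        "AV": ACCESS_VECTOR[fields["AV"]],
        "AC": ACCESS_COMPLEXITY[fields["AC"]],
        "AU": AUTHENTICATION[fields["Au"]],
        "C": CIA_IMPACT[fields["C"]],
        "I": CIA_IMPACT[fields["I"]],
        "A": CIA_IMPACT[fields["A"]],
    }


def impact_metric(m: dict) -> float:
    """Equation (2): IM = 10.41 * (1 - (1 - C)(1 - I)(1 - A))."""
    return 10.41 * (1 - (1 - m["C"]) * (1 - m["I"]) * (1 - m["A"]))


def exploitability_metric(m: dict) -> float:
    """Equation (3): E = 20 * AC * AU * AV."""
    return 20 * m["AC"] * m["AU"] * m["AV"]


def base_score(vector: str) -> tuple:
    """Equation (1): BS = (0.6 IM + 0.4 E - 1.5) * f(IM). Returns (BS, IM, E), each rounded."""
    m = parse_vector(vector)
    im = impact_metric(m)
    e = exploitability_metric(m)
    f_im = 0.0 if im == 0 else 1.176   # f(IM) as defined by CVSS v2
    bs = (0.6 * im + 0.4 * e - 1.5) * f_im
    return round1(bs), round1(im), round1(e)


def vulnerability_risk(bs: float, im: float) -> float:
    """Equations (4) and (5): Risk_Vul = IM * P_attack with P_attack = BS / 10,
    using the rounded BS and Impact values as the paper does (4.9 * 0.58 = 2.842)."""
    return im * (bs / 10)


def risk_table(vectors: dict) -> dict:
    """Score every constructed vector and attach its Risk_Vul."""
    out = {}
    for label, vec in vectors.items():
        bs, im, e = base_score(vec)
        out[label] = {"BS": bs, "IM": im, "E": e, "Risk": vulnerability_risk(bs, im)}
    return out


if __name__ == "__main__":
    for label, row in risk_table(CONSTRUCTED_VECTORS).items():
        print(f"{label}: BS={row['BS']} IM={row['IM']} E={row['E']} Risk={row['Risk']:.3f}")
```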

3.3. Intrusion Detection. In this section, we take into account the time factor when an attack has been detected. It is possible that an ongoing attack may have progressed further at the time of detection. Therefore, it is important to take into consideration which attack scenarios are important in order to mitigate the attack. Generally, attack detection should consider Bayesian theory, but we assume the attack detection mechanisms in the SDN are correct (e.g., we can use detection mechanisms such as in [25–28]). If we consider Bayesian theory, attack detection is similar to applying the Threshold Random Walk with Credit-Based connection rate limiting (TRW-CB) algorithm in [28]. The detection rate is 92.54% and the false alarm rate is 7.48%.

Figure 5 shows the detection of an attack success at VM2. Given that the attacker has not yet progressed any further, the SDN administrator can deploy countermeasures. For example, we change the flow table rules to drop all outgoing packets of VM2, disabling any further attacks. Figure 5(b) shows the result of the countermeasure.

However, if we assume that the detection of the attack has been delayed (i.e., the attack is detected after an amount of time t has passed since the actual event of an attack), the attacker would consequently have progressed further from compromising VM2 in our example. This is depicted in Figure 6(a). The attacker has successfully compromised SW1 after compromising VM2, but the attack detection only alerted the SDN administrator to the progress of the attack at VM2. In order to predict its current attack scenario, we use the full AG and focus on all possible attack paths from the given detection point, as shown in Figure 6(c). Using the flow table rule change as the countermeasure, our approach is to limit the attack path up to h hops, where h is the number of hops from the node with the initial attack detection. For example, if we use 2-hop path disable, then the result is as shown in Figure 6(b). As a result, we are able to disable further attack paths of the attacker in a trade-off with some loss of SDN functionalities. In conclusion, this shows that we can still maintain some functionalities of the SDN while disabling any potential ongoing attacks. We investigate how security is affected further in Section 5.

3.4. Attack Response. SDN can manipulate the flow of the data plane using the flow table. Therefore, when an attack occurs in the SDN environment, it is possible to block the attack path by modifying the flow table, in addition to the response methods (e.g., patching a vulnerability) used in the existing network. However, if the response is delayed, the attacker may succeed in exploiting the next target before the defense is implemented. We considered system loss and the cost of action based on the relationship between the attacker's attack time and the defender's response time. For that, we assume the following. First, the attack detection (IDS) is complete and all nodes can be monitored at the same time. Second, all network flows can be changed using the flow table. Third, the devices or software that make up the SDN are not changed. The attack time and response time that we use follow the definitions below.

Definition 2. Attack time $t_A$ is defined as the time taken for an attacker to succeed in attacking the next host connected to the current location.

Definition 3. Response time is defined as $t_R = t_D + t_S + t_C$. Here, $t_D$ is defined as the time taken to detect an attacker's attack attempt on the host (attack detection time), $t_S$ is defined as the time taken to calculate the security model in real time or to retrieve it from the precomputed security model (security model calculation time), and $t_C$ is defined as the time required to apply a countermeasure to one host (countermeasure time).

Given the above definitions, an example of comparisons between attack time and response time can be expressed as follows.

Example 1. Figure 5(b) shows $t_R = t_A$. The loss node is VM2 and the action node is SW1. Assuming that both the cost of damage from the attack and the cost of the action are 100, the total cost is 200.


[Figure 4: An AG of the SDN. Nodes: the attacker A, VM1 to VM6 (VM6 is the target), the VM vulnerabilities VMxV1, VMxV2, and VMxV2', and the switch vulnerabilities SW1V1, SW2V1, SW3V1. Legend: vulnerability, VM, reachability.]

[Figure 5 (a) and (b): attack detected at VM2; flow table applied to block VM2; nodes A, VM1 to VM6, SW1 to SW3. Figure continued below.]


Example 2. Figure 6(b) shows $t_R = 2 \times t_A$. The loss nodes are VM2 and SW1, and the action nodes are SW2 and SW3. Assuming that both the cost of damage from the attack and the cost of the action are 100, the total cost is 400.

If $t_R$ is less than $t_A$, the defender can take immediate action on the detected node. But in reality this is not always true, and therefore the attacker has extra time to continue compromising nodes in the SDN. $k$ is used to determine the attacker's attack progress. It also indicates the number of possible SDN nodes that the attacker may have compromised (i.e., a predictive value to estimate the attacker's progress). Hence, the defender must take action on the nodes that are up to $k$ hops in distance when the condition of equation (6) is satisfied. For example, if $t_R$ and $t_A$ are the

[Figure 5: Attack detection and countermeasure without detection delay. (a) Attack detection at VM2; (b) Applying flow table to block VM2; (c) Full AG after countermeasure applied.]

[Figure 6: Attack detection and countermeasure with detection delay. (a) Attack detection at VM2, with the attacker's expected location at SW1; (b) Applying flow table to block VM2 and SW1; (c) Full AG after countermeasure applied.]


same, then $k$ is 1. The defender can then take action on a node that is 1 hop away. Using Algorithm 1, the defender can select the node to take action on.

$$k \times t_A \le t_R < (k + 1) \times t_A \quad (6)$$

The countermeasures should be applied as soon as possible to minimize the loss of the entire system. If you cannot reduce $t_D$ and $t_C$ in $t_R$, you should reduce $t_S$. Rather than calculating the security model in real time when an attack occurs, it is possible to reduce $t_S$ by searching for and applying a model that matches the current situation among the precomputed security models.

4. Precomputation and Attack Prediction for Security Assessment

This section introduces the precomputation of attack scenarios and attack scenario prediction by taking into account the delays in attack detections. We can precompute the attack scenarios in order to reduce the time taken to evaluate them. We also take into account the delays observed in attack detection mechanisms and propose an attack scenario prediction method to enhance the capabilities of SDN defense mechanisms. The generation of both the full graph and the HARM can be found in [17].

4.1. Full Graph. Assessing the security of SDN in real time faces a scalability problem when using existing graphical security models, as presented in Section 7. To address this problem, we precompute all possible attack scenarios using a full AG. By precomputing all possible attack scenarios offline, we can reuse this information in real time when necessary. For precomputation of attack scenarios, we use a full AG which represents all possible attack paths. Algorithm 2 is used to generate a full AG. The inputs required are the AG, the attacker location, and the target node. Then, the algorithm searches for all possible attack paths of the given attack scenario. Given the attacker outside the SDN and the target node VM6, the full AG of the example SDN is shown in Figure 7. For simplicity, we only represented attack paths of VMs, as the size of the full AG grows exponentially relative to the AG above.

4.2. HARM. The full AG above is used for fast real-time security assessment for particular attack scenarios. However, it is not scalable to enumerate all possible attack scenarios for a security overview of the SDN. Instead, we use the HARM [17] to assess the security of the SDN in a more scalable manner. The HARM models network nodes and their vulnerabilities onto multiple layers and utilizes the benefits of hierarchy to reduce the scalability complexity. We generate a 2-HARM (a two-layered HARM) of the example SDN as shown in Figure 8. The formalism of the 2-HARM is as follows.

Definition 4. The two-layered HARM is defined as a 3-tuple $H = (U, L, M)$. Here, $U$ is the AG and $L$ is the ATs for $H$ and $V$, where $M$ is the mapping between the upper layer components and lower layer components. This mapping is described by $M: U \rightarrow L$. Each host in the upper layer may have a corresponding AT in the lower layer.

The upper layer of the HARM uses the AG to represent the reachability between the nodes in the SDN (i.e., the VMs and the switches). Hence, we define $U$ as follows.

Definition 5. An AG in the upper layer of the HARM is defined as a 2-tuple $U = (N, E)$, where $N$ is a finite set of nodes in the SDN and $E \subseteq N \times N$ is a set of edges, where a pair of nodes

The lower layer of the HARM is a set of attack trees (ATs) [29], where each AT represents the vulnerability information of each upper layer node of the HARM (i.e., SDN nodes). We define each $L$ in the lower layer of the HARM as follows.

Definition 6. An AT in the lower layer of the HARM is defined as a 5-tuple $L = (A, B, c, g, \mathit{root})$, where $A$ is a finite set of vulnerabilities and $B$ is a set of gates, which are the inner nodes of $L$. We require $A \cap B = \emptyset$ and $\mathit{root} \in A \cup B$. Function $c: B \to \mathcal{P}(A \cup B)$ describes the children of each inner node in the AT (we assume there are no cycles). Function $g: B \to \{\mathrm{AND}, \mathrm{OR}\}$ describes the type of each gate. The representation of the attack tree $L_n$ associated to the host $n \in N$ is as follows:

$L_n : A \subseteq n.\mathit{vuls}$ (7)

This means that the vulnerabilities of a node are combined using logical AND and OR gates.

procedure RNS(AG_SDN, N_D, t_A, t_R)
    if t_A > t_R then
        send N_D to the Reconfiguration Module
    else
        for all E from N_D to N_i do
            t_R ← t_R − t_A
            RNS(AG_SDN, N_i, t_A, t_R)
        end for
    end if
end procedure

ALGORITHM 1: Response node selection algorithm.

procedure fullAG(AG, N_cr, N_tg)
    mark N_cr visited; Stack.push(N_cr)
    if N_cr = N_tg then
        return Stack
    else if sizeof(E_Ncr) ≠ 0 then
        for i ← 0 to sizeof(E_Ncr) in AG do
            N_next ← destination of E_Ncr,i
            if N_next is uniquely aligned then
                fullAG(AG, N_next, N_tg)
            end if
        end for
    else
        Stack.clear
    end if
end procedure

ALGORITHM 2: Algorithm to generate a full AG.

8 Security and Communication Networks

Given the definitions above, the example SDN in the form of the HARM can be represented as follows.

[Figure 7: A full AG of the SDN (all attack paths from the attacker A over VM1–VM5 and SW1–SW3 to the target VM6).]

[Figure 8: A HARM of the SDN in Figure 4. Upper layer: the AG from the attacker (A) to the target (VM6) over VM1–VM6 and SW1–SW3. Lower layer: one AT per node, with CVE leaves and their base scores (e.g., CVE-2013-0013 with 5.8, CVE-2012-0001 with 9.3) for the VMs, "OpenFlow control" leaves (0.75) for the switches, and a root gate per AT carrying the computed value (e.g., 0.971, 0.943, 0.539, 0.387).]

Example 3 (The Upper and Lower Layer Mapping). Figure 8 shows the HARM of the SDN. The HARM for the given SDN model is $H = (U, L, M)$, where $U$ and $L$ are the AG and the set of ATs in the upper and the lower layer, respectively, and $M: U \to L$ is a one-to-one mapping of the upper layer $U$ to the corresponding lower layer $L$.

Example 4 (The Upper Layer). The AG shown in Figure 8 is a directed graph $AG_{SDN} = (N_{SDN}, E_{SDN})$, where $N_{SDN} = \{A, VM1, VM2, VM3, VM4, VM5, VM6, SW1, SW2, SW3\}$ and $E_{SDN} = \{(A, VM1), (A, VM2), (A, VM3), (VM1, SW1), (VM2, SW1), (VM3, SW1), (VM1, SW2), (SW1, SW2), (SW1, VM5), (SW2, VM4), (SW2, VM5), (SW2, SW3), (VM4, SW3), (VM5, SW3), (SW3, VM6)\}$.

Example 5 (The Lower Layer). The ATs in the lower layer are shown in Figure 8. The set of conditions required to compromise VM1 is given by $L_{VM1} = (A_{VM1}, B_{VM1}, c_{VM1}, g_{VM1}, \mathit{root}_{VM1})$, where $A_{VM1} = \{WV1, WV2, WV2'\}$ is the set of components which are the leaves (vulnerabilities), $B_{VM1} = \{\mathrm{AND}_1, \mathrm{OR}_1\}$, $c(\mathrm{AND}_1) = \{WV1, WV2'\}$, $c(\mathrm{OR}_1) = \{\mathrm{AND}_1, WV2\}$, $g_{VM1}(\mathit{root}_{VM1}) = \mathrm{OR}_1$, and $\mathit{root}_{VM1} = \mathit{root}$, $\mathit{root} \in A_{VM1} \cup B_{VM1}$.

5. Result and Analysis

In this section, we investigate the effectiveness of using the full AG for precomputation, taking into account various security metrics. Regardless of which model we use, the security metric computed will be the same. Since both the full AG and the HARM compute the same metric values, we do not explicitly present those results in this paper.

First, we look at changes in security metrics with and without deploying a countermeasure, where we change the flow table rules to block attack paths up to three steps, in Section 5.1. Then, we conduct simulations to investigate the performance difference between computing an AG used in the HARM and a full AG for precomputation in Section 5.3.

5.1. Change in Security Metrics. For this experiment, we use the example SDN shown in Figure 3 as our experimental testbed. In this system, the service is not available unless a packet is sent to the database. So we assume that the network administrator cannot change the flow table rules of SW3 and VM6 due to system constraints (i.e., they need to be functional to continuously provide the SDN service). To ensure operability, we extend this assumption such that at least one connection path exists over which users' requests can be handled. Although modifying flows can affect the performance of the SDN, we only consider the minimal cost to enhance the security of the SDN in this paper (i.e., the minimum number of flow changes for maximized security). For example, an alternative flow path can be used to continue delivering the service, but it may create a bottleneck effect if the traffic is not managed carefully. We will investigate the trade-off between enhancing security and degrading the network performance in our future work.

First, we investigate the change in security when predicting a potential attack in 1-hop, and then we measure the change in the probability of attack success and the system risk. The result is shown in Figure 9, which shows that blocking 1-hop flows at SW1 or SW2 minimizes the probability and the risk more than blocking at the other nodes.

On the other hand, if the detection of an attack was delayed, we need to consider further steps in order to mitigate the attack. So we also look at 2-hop flow blocking of nodes, where the combinations are shown in Table 3. The result is shown in Figure 10, which shows a similar result to the 1-hop blocking (i.e., the best practice is to block flows through SW1 or SW2). However, we observe that the importance of nodes for defense has changed (i.e., the priorities to secure SDN components can vary when the number of hops changes). For instance, blocking the flow through VM2 and SW2 can also achieve a similar effect, whereas VM2 in the 1-hop analysis was significantly worse.

Lastly, we look at the 3-hop flow blocking. Table 4 shows the combinations of three nodes and their flows to be blocked. With the given attack scenario, we have 21 possible combinations of nodes out of the maximum number of 35. Figure 11 shows the result, where three conditions that include SW2 minimized the probability of attack success and the system risk, but only one condition that includes SW1. This indicates that we look into various attack paths as well as the importance of nodes. In conclusion, we observe that our proposed solution has identified SW2 as the most important SDN component to secure. In general, the most vulnerable node or the node with many connections to other nodes in the network can be the most important node. Another method of analyzing the importance of nodes is the network centrality measure [30]. For the running example it is easy to pick this out by inspection, but when the SDN becomes larger and more complex this can still be done easily using the proposed solution, whereas it would be near impossible and impractical by human effort.

5.2. Numerical Sensitivity Analysis. The slower the response to an attack, the more nodes the attacker can attack. This results in more loss to the system. We conducted an experiment to compare the losses incurred in the system with the costs required to take action within the response time. Since the loss cost and the cost of action cannot be defined objectively, the sensitivity analysis methodology was applied. In this experiment, we calculated loss and response costs based on the detection time and the attack time when an attacker successfully attacked VM2.

In the first experiment, we applied a sensitivity analysis to the loss cost. The response cost was fixed at 100 and the loss cost was increased from 0 to 500. In each case the total cost of ownership was calculated. Figure 12(a) shows the experimental result. As the response time becomes slower than the attack time, the total cost becomes higher.

Second, we applied a sensitivity analysis to the response cost. The loss cost was fixed at 100 and the response cost was increased from 0 to 500. As in the previous experiment, we calculated the total cost for each case. The experimental results show that the total cost of ownership varies depending on the situation, as in Figure 12(b). If a defender defends a node that is far from the compromised node, loss cost may occur at a node with a relatively short distance. However, if the cost of response is greater than the cost of loss, taking action on multiple nodes significantly increases the total cost of ownership. In this case, taking action on one node that is farther away, even if the loss is considered, may be a way to save on the total cost of ownership.

5.3. Simulation. To investigate the performance of precomputing the full AG in comparison to the AG, we simulate the generation and evaluation time. The precomputation of the full AG is important, as it reduces the security evaluation time for real-time mitigation while it is also used for attack prediction. As increasing the number of nodes puts both the AG and the full AG in an exponential time complexity [16], we focus on generation and evaluation when certain node flows are blocked, as shown in Table 5.

The comparison results are shown in Figure 13; they show that the full AG outperforms the AG in terms of evaluation time for all the conditions. This indicates that real-time security assessment for a large-sized SDN (or any other general network) using the AG may not be feasible [17], that there is an efficiency gain from precomputing all possible attack paths using the full AG, and that it is more efficient to utilize more scalable security models such as the HARM.

[Figure 9: Block one node vs. security metrics. x-axis: node blocked using the flow table (Initial, VM1, VM2, VM3, VM4, VM5, SW1, SW2); y-axes: PAS (0–1) and Risk (0–1000).]

Table 3: A set of two-node block conditions.

ID    Nodes
C1    VM1, VM2
C2    VM1, VM3
C3    VM1, VM4
C4    VM1, VM5
C5    VM1, SW2
C6    VM2, VM3
C7    VM2, VM4
C8    VM2, VM5
C9    VM2, SW1
C10   VM2, SW2
C11   VM3, VM4
C12   VM3, VM5
C13   VM3, SW1
C14   VM3, SW2
C15   VM4, VM5
C16   VM4, SW1
C17   VM4, SW2
C18   VM5, SW1

[Figure 10: Block two nodes vs. security metrics. x-axis: Initial and the conditions C1–C18 of Table 3 blocked using the flow table; y-axes: PAS (0–1) and Risk (0–1000).]

Table 4: A set of three-node block conditions.

ID    Nodes
C1    VM1, VM2, VM4
C2    VM1, VM2, VM5
C3    VM1, VM2, SW2
C4    VM1, VM3, VM4
C5    VM1, VM3, VM5
C6    VM1, VM3, SW2
C7    VM1, VM4, VM5
C8    VM1, VM4, SW2
C9    VM2, VM3, VM4
C10   VM2, VM3, VM5
C11   VM2, VM3, SW1
C12   VM2, VM3, SW2
C13   VM2, VM4, VM5
C14   VM2, VM4, SW1
C15   VM2, VM4, SW2
C16   VM2, VM5, SW1
C17   VM3, VM4, VM5
C18   VM3, VM4, SW1
C19   VM3, VM4, SW2
C20   VM3, VM5, SW1
C21   VM4, VM5, SW1

6. Discussion and Limitations

6.1. Scalability. The framework provides an approach to assessing the security of the SDN and applying countermeasures to the system using a security model for real-time intrusion responses. However, the security model has scalability issues. In our future work, we will consider improving the performance of security modeling and analysis for the SDN, as we face an exponential time complexity when the number of nodes in the SDN increases.

6.2. SDN Attack Surface. Furthermore, we use the network devices that exist in the data plane for security modeling. However, the SDN has a variety of components and threat vectors in addition to the data plane. Accordingly, we will incorporate the control plane and the SDN controller in the model in order to assess the security posture of the whole life-cycle of the SDN. In addition, the network may normally have an internal attacker. But we only used scenarios in which the attacker would always break in from the outside. We can deal with internal attackers in our future work.

[Figure 11: Block three nodes vs. security metrics. x-axis: Initial and the conditions C1–C21 of Table 4 blocked using the flow table; y-axes: PAS (0–1) and Risk (0–1000).]

[Figure 12: Cost sensitivity analysis. (a) Loss cost (0–500) vs. total cost (0–3500). (b) Response cost (0–500) vs. total cost (0–1400). Series in both panels: tR < tA, tR = tA, tR = 2tA, tR = 3tA, tR = 4tA.]

Table 5: A set of conditions that include specific node(s).

ID    Nodes
C1    VM1
C2    SW2
C3    VM1, SW2
C4    VM4, SW1
C5    VM2, VM4, SW2
C6    VM3, VM5, SW1


6.3. Evaluation Correctness of Different Vulnerabilities. In this paper, we removed the assumption that an IDS may not work in real time and also that the detection rate may not be 100%. This is more realistic, as an attack which was detected at the entry point but progressed to install a backdoor on a user's computer may not be mitigated effectively by only enhancing the entry point vulnerability. As such, we go beyond securing the point of detection and evaluate the possible extensions of the damage. However, we did not explicitly evaluate the effects of the different vulnerabilities present, where some system settings may be mitigated well by securing the detection point (e.g., security by design). As we only focused on the usefulness of precomputation, we will investigate the impact of secure design in the context of our work in the future.

6.4. Multiple Attackers. In this paper, we focused only on the single attacker version, but in reality there can be multiple attackers trying to exploit the SDN via various entry routes. However, because we already precomputed all possible attack paths and the IDSes are working in real time, our attack response module only has to make sure that different attackers are differentiated when formulating countermeasures. In this way, our proposed solution can mitigate multiple attackers even when they exploit different attack surfaces. On the other hand, we only handled targeted attacks. Therefore, volume-based attacks such as DDoS are not appropriately addressed by our solution. We will investigate mitigation schemes for volume-based attacks in the SDN in our future work.

6.5. Network Topology Changes. In this paper, we changed the network flow to respond to the attack when it occurred. However, the network topology of an SDN can be dynamic. Therefore, when the model changes, it is necessary to redo the precomputation for the changed model. This could be a similar solution to the MTD in response to an attack [5]. In our future work, we will investigate the application of precomputation to changing models.

7. Related Work

7.1. General SDN Security. Various security issues related to the SDN have been studied previously [1, 31–34]. Kreutz et al. [6] presented new threat vectors of the SDN that were not present in traditional networks. They also provided some potential solutions to mitigate their identified threats. However, they do not specify the means to evaluate those threats. We aim to provide solutions to some of these problems in this paper. Shin et al. [35] presented a framework named FRESCO, which enhances the security of the OpenFlow protocol for the SDN, allowing them to detect and mitigate attacks. This work shows that SDN components such as SDN switches are prone to cyber attacks. Porras et al. [36] presented SE-Floodlight, an extension to the widely used OpenFlow Floodlight Controller that provides additional security features to protect the control plane of the SDN. Our paper aims to leverage these technologies and provide a comprehensive security analysis of the SDN.

7.2. Intrusion Detection in SDN. An intrusion is defined as a successfully carried out attack, including any malicious behavior in the system. Intrusion detection is an activity to detect such intrusions. It is ideal to detect all intrusions with 100% accuracy, but in practice this is infeasible. Because intrusion detection is not perfect, there are always false alarms, characterized by the true-positive and false-positive rates. Several types of research have been conducted on attack detection in the SDN environment. Dhawan et al. [25] proposed SPHINX, a framework to detect attacks on network topology and data plane forwarding. Braga et al. [26] proposed a lightweight method for detecting DDoS attacks based on traffic flow capabilities. Giotis et al. [27] presented how to apply SDN for distributed denial of service (DDoS) mitigation by using the OpenFlow protocol as a means to enhance the legacy Remote Triggered Black-Hole (RTBH). And in [28] they performed anomaly detection and mitigation in the SDN architecture through an efficient and scalable mechanism. Although not perfect, we can leverage these techniques to detect intrusions in the SDN, which can then be used to formulate optimal countermeasures using the HARM.

[Figure 13: Specific node(s) vs. security evaluation time. x-axis: Initial and the conditions C1–C6 of Table 5; y-axis: security evaluation time (ms), 0–50; series: attack graph, full attack graph.]

7.3. Security Modeling for SDN. For security modeling and analysis, Chung et al. [37] presented NICE, a network intrusion detection and countermeasure selection framework. The core of this framework is using an AG to evaluate the security. However, there are limitations of using an AG due to its scalability issues. Similarly, many of the existing graphical security models, as described in [10, 11], suffer from scalability and adaptability problems [5]. Typically, the scalability problem arises when these models have real-time constraints. In order to address this issue, our approach is to precompute attack scenarios in advance and use them where necessary. Hence, we propose to use a full AG, as presented in [18], to generate all possible attack paths in the precomputation. Moreover, we also use the HARM [17], which supports scalable and adaptable security modeling and analysis. By precomputing all possible attack paths, we can quickly evaluate the security posture of the SDN when an intrusion is detected and formulate effective countermeasures in real time.

8. Conclusion

SDN provides functionalities that can dynamically control the network flow, enabling a more robust and economical way of managing network communications. However, it also introduced new vulnerabilities and attack vectors that were not present previously. As a result, many have proposed security solutions to strengthen the SDN against cyber attacks. Nevertheless, there is still a lack of security modeling and analysis for the SDN that enables a system administrator to have a systematic security overview of the SDN.

In this paper, we proposed a security modeling and analysis framework with precomputation for the SDN to formulate countermeasures in real time. The precomputation method was used for the AG, the full AG, and the HARM to generate attack scenarios of the current SDN, which can then be used in conjunction with the IDS and correlated with the precomputed attack scenarios. Further, the precomputed models can be used for predicting potential attacks in case the detection mechanisms are delayed. To verify this, we carried out experimental analysis on the SDN testbed and simulations, which showed that our proposed approaches would be practical and effective in the SDN to defend against an ongoing attack in real time.

Data Availability

The vulnerability data used to support the findings of this study are included within the article.

Conflicts of Interest

The authors declare that they have no conflicts of interest.

References

[1] G. Stabler, A. Rosen, S. Goasguen, and K.-C. Wang, "Elastic IP and security groups implementation using OpenFlow," in Proceedings of the 6th International Workshop on Virtualization Technologies in Distributed Computing (VTDC '12), pp. 53–60, ACM, New York, NY, USA, 2012.

[2] D. Kreutz, F. M. V. Ramos, P. Veríssimo, C. E. Rothenberg, S. Azodolmolky, and S. Uhlig, "Software-defined networking: a comprehensive survey," Proceedings of the IEEE, vol. 103, no. 1, p. 63, 2015.

[3] M. Tariq, B. Koldehofe, S. Bhowmik, and K. Rothermel, "PLEROMA: a SDN-based high performance publish/subscribe middleware," in Proceedings of the 15th International Middleware Conference (Middleware 2014), pp. 217–228, ACM, New York, NY, USA, 2014.

[4] J. Jafarian, E. Al-Shaer, and Q. Duan, "OpenFlow random host mutation: transparent moving target defense using software defined networking," in Proceedings of the 1st Workshop on Hot Topics in Software Defined Networks (HotSDN 2012), pp. 127–132, ACM, New York, NY, USA, 2012.

[5] J. B. Hong and D. S. Kim, "Assessing the effectiveness of moving target defenses using security models," IEEE Transactions on Dependable and Secure Computing, vol. 13, no. 2, pp. 163–177, 2016.

[6] D. Kreutz, F. M. Ramos, and P. Veríssimo, "Towards secure and dependable software-defined networks," in Proceedings of the Second ACM SIGCOMM Workshop on Hot Topics in Software Defined Networking (HotSDN '13), pp. 55–60, ACM, New York, NY, USA, 2013.

[7] S. Lee, C. Yoon, C. Lee, S. Shin, V. Yegneswaran, and P. A. Porras, "Delta: a security assessment framework for software-defined networks," in Proceedings of the 2017 Network and Distributed System Security Symposium, San Diego, CA, USA, March 2017.

[8] S. Lee, J. Kim, S. Shin, P. Porras, and V. Yegneswaran, "Athena: a framework for scalable anomaly detection in software-defined networks," in Proceedings of the 2017 47th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN), pp. 249–260, Denver, CO, USA, June 2017.

[9] S. Nanda, F. Zafari, C. DeCusatis, E. Wedaa, and B. Yang, "Predicting network attack patterns in SDN using machine learning approach," in Proceedings of the 2016 IEEE Conference on Network Function Virtualization and Software Defined Networks (NFV-SDN), pp. 167–172, Palo Alto, CA, USA, November 2016.

[10] B. Kordy, L. Piètre-Cambacédès, and P. Schweitzer, "DAG-based attack and defense modeling: don't miss the forest for the attack trees," Computer Science Review, vol. 13-14, pp. 1–38, 2014.

[11] J. B. Hong, D. S. Kim, C.-J. Chung, and D. Huang, "A survey on the usability and practical applications of graphical security models," Computer Science Review, vol. 26, pp. 1–16, 2017.

[12] H. Xu, J. Su, X. Zong, and L. Yan, "Attack identification for software-defined networking based on attack trees and extension innovation methods," in Proceedings of the 2017 9th IEEE International Conference on Intelligent Data Acquisition and Advanced Computing Systems: Technology and Applications (IDAACS), vol. 1, pp. 485–489, Bucharest, Romania, September 2017.

[13] L. Yao, P. Dong, T. Zheng, H. Zhang, X. Du, and M. Guizani, "Network security analyzing and modeling based on Petri net and attack tree for SDN," in Proceedings of the 2016 International Conference on Computing, Networking and Communications (ICNC), pp. 1–5, Kauai, HI, USA, February 2016.

[14] A. Roy, D. Kim, and K. Trivedi, "Scalable optimal countermeasure selection using implicit enumeration on attack countermeasure trees," in Proceedings of the 42nd Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN 2012), pp. 1–12, IEEE Computer Society, Los Alamitos, CA, USA, June 2012.

[15] J. Hong and D. Kim, "Performance analysis of scalable attack representation models," in Security and Privacy Protection in Information Processing Systems (SEC 2013), L. Janczewski, H. Wolfe, and S. Shenoi, Eds., vol. 405, pp. 330–343, Springer, Berlin, Germany, 2013.

[16] R. Lippmann and K. Ingols, "An Annotated Review of Past Papers on Attack Graphs," Technical Report ESC-TR-2005-054, MIT Lincoln Laboratory, Lexington, MA, USA, 2005.

[17] J. B. Hong and D. S. Kim, "Towards scalable security analysis using multi-layered security models," Journal of Network and Computer Applications, vol. 75, pp. 156–168, 2016.

[18] K. Ingols, R. Lippmann, and K. Piwowarski, "Practical attack graph generation for network defense," in Proceedings of the 22nd Annual Computer Security Applications Conference (ACSAC 2006), pp. 121–130, Miami Beach, FL, USA, December 2006.

[19] Z. Shu, J. Wan, D. Li, J. Lin, A. V. Vasilakos, and M. Imran, "Security in software-defined networking: threats and countermeasures," Mobile Networks and Applications, vol. 21, no. 5, pp. 764–776, 2016.

[20] M. Albanese, S. Jajodia, and S. Noel, "Time-efficient and cost-effective network hardening using attack graphs," in Proceedings of the 42nd Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN 2012), IEEE Computer Society, Los Alamitos, CA, USA, June 2012.

[21] J. Beale, R. Deraison, H. Meer, R. Temmingh, and C. Walte, NESSUS Project, Syngress Publishing, Burlington, MA, USA, 2002, http://www.nessus.org.

[22] O. Developers, "The open vulnerability assessment system (OpenVAS)," 2012.

[23] J. Hong and D. Kim, "Scalable security model generation and analysis using k-importance measures," in Security and Privacy in Communication Networks (SecureComm 2013), T. Zia, A. Zomaya, V. Varadharajan, and M. Mao, Eds., vol. 127, pp. 270–287, Springer, Berlin, Germany, 2013.

[24] M. Schiffman, G. Eschelbeck, D. Ahmad, A. Wright, and S. Romanosky, CVSS: A Common Vulnerability Scoring System, National Infrastructure Advisory Council (NIAC), 2004.

[25] M. Dhawan, R. Poddar, K. Mahajan, and V. Mann, "SPHINX: detecting security attacks in software-defined networks," in Proceedings of the 2015 Network and Distributed System Security Symposium, vol. 15, pp. 8–11, San Diego, CA, USA, February 2015.

[26] R. Braga, E. M. M. Braga, and A. Passito, "Lightweight DDoS flooding attack detection using NOX/OpenFlow," in Proceedings of the 2010 IEEE 35th Conference on Local Computer Networks (LCN '10), pp. 408–415, IEEE Computer Society, Washington, DC, USA, October 2010.

[27] K. Giotis, G. Androulidakis, and V. Maglaris, "Leveraging SDN for efficient anomaly detection and mitigation on legacy networks," in Proceedings of the 2014 Third European Workshop on Software Defined Networks (EWSDN '14), pp. 85–90, IEEE Computer Society, Washington, DC, USA, September 2014.

[28] K. Giotis, C. Argyropoulos, G. Androulidakis, D. Kalogeras, and V. Maglaris, "Combining OpenFlow and sFlow for an effective and scalable anomaly detection and mitigation mechanism on SDN environments," Computer Networks, vol. 62, pp. 122–136, 2014.

[29] B. Schneier, Secrets and Lies: Digital Security in a Networked World, John Wiley & Sons, Hoboken, NJ, USA, 2000.

[30] J. Hong and D. Kim, "Scalable security analysis in hierarchical attack representation model using centrality measures," in Proceedings of the 43rd Annual IEEE/IFIP International Conference on Dependable Systems and Networks Workshop (DSN-W 2013), pp. 1–8, Budapest, Hungary, June 2013.

[31] N. Gude, T. Koponen, J. Pettit et al., "NOX: towards an operating system for networks," ACM SIGCOMM Computer Communication Review, vol. 38, no. 3, pp. 105–110, 2008.

[32] M. Casado, T. Garfinkel, A. Akella et al., "A protection architecture for enterprise networks," in Proceedings of the 15th Conference on USENIX Security Symposium, Volume 15 (USENIX-SS '06), USENIX Association, Berkeley, CA, USA, July 2006.

[33] J. Matias, J. Garay, A. Mendiola, N. Toledo, and E. Jacob, "FlowNAC: flow-based network access control," in Proceedings of the 2014 Third European Workshop on Software Defined Networks (EWSDN '14), pp. 79–84, IEEE Computer Society, Washington, DC, USA, September 2014.

[34] G. Yao, J. Bi, and P. Xiao, "Source address validation solution with OpenFlow/NOX architecture," in Proceedings of the 2011 19th IEEE International Conference on Network Protocols, pp. 7–12, Vancouver, Canada, October 2011.

[35] S. Shin, P. A. Porras, V. Yegneswaran et al., "Modular composable security services for software-defined networks," in Proceedings of the 20th Annual Network & Distributed System Security Symposium, The Internet Society, San Diego, CA, USA, 2013.

[36] P. Porras, S. Cheung, M. Fong, K. Skinner, and V. Yegneswaran, "Securing the software-defined network control layer," in Proceedings of the 2015 Network and Distributed System Security Symposium (NDSS), San Diego, CA, USA, February 2015.

[37] C.-J. Chung, P. Khatkar, T. Xing, J. Lee, and D. Huang, "NICE: network intrusion detection and countermeasure selection in virtual network systems," IEEE Transactions on Dependable and Secure Computing, vol. 10, no. 4, pp. 198–211, 2013.

the SDN configurations and settings, the operating system of each node and its vulnerabilities can be found as shown in Table 2. For simplicity, we chose only a few vulnerabilities in the SDN for each node (OS vulnerabilities for VMs and an OpenFlow vulnerability for SDN switches), but all vulnerabilities can be modeled as in [23].

3.2. Security Modeling and Analysis

3.2.1. Common Vulnerability Scoring System (CVSS). In order to measure the severity of vulnerabilities, we use the CVSS base score (BS) [24]. First, we mention a few key updates to the CVSS BS system. The base vector takes into consideration "User Interaction" and "Privileges Required", and "Physical" has been added to the attack vector metric. Confidentiality, integrity, and availability measures are changed from None/Partial/Complete to None/Low/High, and "Access Complexity" has been changed to "Attack Complexity". The following equations are used to compute the CVSS BS metric, which we simply denote as "BS" (as shown in equation (1)); "IM" represents the Impact Metric (as shown in equation (2)) and "E" represents the Exploitability Metric (as shown in equation (3)).

$BS = (0.6 \times IM + 0.4 \times E - 1.5) \times f(IM)$ (1)

$IM = 10.41 \times (1 - (1 - C) \times (1 - I) \times (1 - A))$ (2)

$E = 20 \times AC \times AU \times AV$ (3)

[Figure 3: Example SDN configuration. Control plane: SDN controller. Data plane: switches SW1, SW2, SW3 and hosts VM1–VM6 (labelled web server, application server, and database), connected to the Internet. Legend: SDN control protocol (e.g., OpenFlow); physical/logical connection on the data plane; redundancy connection.]

Table 1: The flow table (match fields: ingress port, source, destination).

SW ID   Port   Src    Dst    Action           Priority
SW1     1      *      *      Forward port 2   1
SW1     2      *      VM4    Forward port 3   1
SW1     2      *      VM5    Forward port 3   1
SW1     4      *      VM5    Forward port 5   3
SW1     *      *      VM6    Drop             9
SW2     1      *      *      Forward port 2   1
SW2     2      *      VM6    Forward port 3   3
SW2     4      VM1    VM4    Forward port 2   3
SW2     4      VM1    VM5    Forward port 2   3
SW2     *      *      VM6    Drop             2
SW3     1      *      VM6    Forward port 2   1

Table 2: Operating system and vulnerabilities in each node.

Node   OS             CVE ID           CVSS BS   Impact
VM1    Win 7          CVE-2013-0013    5.8       4.9
VM1    Win 7          CVE-2012-0001    9.3       10
VM2    Win 7          CVE-2015-0006    6.1       4.7
VM2    Win 7          CVE-2015-1675    9.3       10
VM3    Linux          CVE-2012-4546    4.3       2.9
VM3    Linux          CVE-2014-0100    9.3       8.2
VM4    Win 7          CVE-2017-8495    6.0       4.8
VM4    Win 7          CVE-2017-8717    9.3       10
VM5    Linux          CVE-2015-7312    4.4       2.9
VM5    Linux          CVE-2015-4002    9.0       8.5
VM6    Linux          CVE-2017-0626    4.3       2.9
VM6    Linux          CVE-2017-6264    9.3       8.2
SW1    Openflow 2.5   CVE-2014-5035    6.8       6.4
SW2    Openflow 2.7   CVE-2017-9263    6.5       6.5
SW3    Openflow 2.8   CVE-2017-14970   5.9       6.8

Based on the risk computation in [5], we utilize the CVSS BS in order to compute the system risk, which is calculated as shown in equation (4) (i.e., the system risk is a factor of the impact and the probability of an attack). In order to compute the system security risk, we need to know the probability of attack success and the impact. Here, we use the exploitability metric associated with each vulnerability (as shown in Table 2) to represent the probability of attack success, as in equation (5), and use the impact metric directly from the CVSS.

$Risk_{Vul} = IM \times P_{attack}$ (4)

$P_{attack} = \dfrac{BS}{10}$ (5)

3.2.2. Attack Graph for SDN. Here, we describe the AG used to model the SDN, which captures the sequence of vulnerabilities to be exploited to achieve the attack goal. We assume the attack goal is to execute arbitrary code on VM6. First, we define an AG as follows.

Definition 1. An AG is a directed graph $AG = (V, E)$, where $V$ is a finite set of vulnerabilities in the networked system and $E \subseteq V \times V$ is a set of edges, where a pair of vulnerabilities $(v_i, v_j) \mid v_i \in V, v_i \neq v_j$ is a mapping of nodes $v_i \to v_j$, $\forall\, post(v_i) = pre(v_j)$, such that the postcondition of $v_i$ satisfies the precondition of $v_j$.

Given the definition above, we can generate an AG to map attack scenarios of our example SDN, as shown in Figure 4. Given the model and the system risk calculation steps above, we can compute the system risk associated with our example SDN. For instance, the attacker can exploit vulnerabilities WV1 and WV2, as specified in Table 2 for the Windows 7-based VMs. If the attacker exploits the WV1 vulnerability, then $Risk_{WV1}$ is 28.42 (i.e., the impact of 4.9 multiplied by the probability of 5.8). Similarly, $Risk_{WV2} = 93$, $Risk_{LV1} = 12.47$, $Risk_{LV2} = 76.5$, and $Risk_{OFV1} = 43.52$.

3.3. Intrusion Detection. In this section, we take into account the time factor when an attack has been detected. It is possible that an ongoing attack may have progressed further at the time of detection. Therefore, it is important to take into consideration which attack scenarios are important in order to mitigate the attack. Generally, attack detection should consider Bayesian theory, but we assume the attack detection mechanisms in the SDN are correct (e.g., we can use detection mechanisms such as in [25–28]). If we consider Bayesian theory, attack detection is similar to applying the Threshold Random Walk with Credit-Based connection rate limiting (TRW-CB) algorithm in [28]. The detection rate is 92.54% and the false alarm rate is 7.48%.

Figure 5 shows the detection of an attack success at VM2. Given that the attacker has not yet progressed any further, the SDN administrator can deploy countermeasures. For example, we change the flow table rules to drop all outgoing packets of VM2, disabling any further attacks. Figure 5(b) shows the result of the countermeasure.

However, if we assume that the detection of the attack has been delayed (i.e., the attack is detected after an amount of time t has passed since the actual event of an attack), the attacker would consequently have progressed further from compromising VM2 in our example. This is depicted in Figure 6(a). The attacker has successfully compromised SW1 after compromising VM2, but the attack detection only alerted the SDN administrator of the progress of the attack at VM2. In order to predict its current attack scenario, we use the full AG and focus on all possible attack paths from the given detection point, as shown in Figure 6(c). Using the flow table rule change as the countermeasure, our approach is to limit the attack path up to h hops, where h is the number of hops from the node with the initial attack detection. For example, if we use 2-hop path disabling, then the result is as shown in Figure 6(b). As a result, we are able to disable further attack paths of the attacker, in a trade-off with some loss of SDN functionalities. In conclusion, this shows that we can still maintain some functionalities of the SDN while disabling any potential ongoing attacks. We investigate how security is affected further in Section 5.
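The flow table of Table 1 and the VM2 countermeasure described above, as an added example that is not part of the original paper: a priority-ordered lookup over the transcribed rules, followed by the drop rule that blocks all outgoing packets of VM2. The switch on which the drop rule is installed (SW1), its priority, and the table-miss action are this example's assumptions.

```python
"""Priority-ordered flow table lookup for the switches of Table 1, plus the
countermeasure of Section 3.3 (drop all outgoing packets of VM2).

Constructed example, not the paper's code. Rule fields follow Table 1
(in-port, source, destination, action, priority); "*" is a wildcard."""
from dataclasses import dataclass

ANY = "*"
TABLE_MISS = "Drop"   # assumed table-miss behaviour; the paper does not state one


@dataclass(frozen=True)
class FlowRule:
    in_port: str      # ingress port number as a string, or ANY
    src: str          # source host, e.g. "VM1", or ANY
    dst: str          # destination host, or ANY
    action: str       # "Forward port N" or "Drop"
    priority: int

    def matches(self, in_port, src, dst):
        """A rule matches when every field is either a wildcard or equal."""
        pairs = ((self.in_port, in_port), (self.src, src), (self.dst, dst))
        return all(want in (ANY, got) for want, got in pairs)


# Table 1 transcribed; rows keep the table's order.
FLOW_TABLES = {
    "SW1": [
        FlowRule("1", ANY, ANY, "Forward port 2", 1),
        FlowRule("2", ANY, "VM4", "Forward port 3", 1),
        FlowRule("2", ANY, "VM5", "Forward port 3", 1),
        FlowRule("4", ANY, "VM5", "Forward port 5", 3),
        FlowRule(ANY, ANY, "VM6", "Drop", 9),
    ],
    "SW2": [
        FlowRule("1", ANY, ANY, "Forward port 2", 1),
        FlowRule("2", ANY, "VM6", "Forward port 3", 3),
        FlowRule("4", "VM1", "VM4", "Forward port 2", 3),
        FlowRule("4", "VM1", "VM5", "Forward port 2", 3),
        FlowRule(ANY, ANY, "VM6", "Drop", 2),
    ],
    "SW3": [
        FlowRule("1", ANY, "VM6", "Forward port 2", 1),
    ],
}


def lookup(table, in_port, src, dst):
    """Action of the highest-priority matching rule (OpenFlow semantics:
    every matching rule is a candidate, the largest priority wins, and a
    tie goes to the earliest rule); TABLE_MISS when nothing matches."""
    best = None
    for rule in table:
        if rule.matches(in_port, src, dst) and (best is None or rule.priority > best.priority):
            best = rule
    return best.action if best is not None else TABLE_MISS


def block_outgoing(table, host, priority=None):
    """Countermeasure of Section 3.3: a new table with a drop rule for every
    packet sourced by `host`, ranked above all existing rules so that no
    forwarding rule can shadow it."""
    if priority is None:
        priority = max((r.priority for r in table), default=0) + 1
    return [FlowRule(ANY, host, ANY, "Drop", priority)] + list(table)


if __name__ == "__main__":
    sw1 = FLOW_TABLES["SW1"]
    print(lookup(sw1, "2", "VM2", "VM4"))          # Forward port 3 (attack traffic still flows)
    hardened = block_outgoing(sw1, "VM2")           # assumed: VM2 is blocked at SW1
    print(lookup(hardened, "2", "VM2", "VM4"))      # Drop
    print(lookup(hardened, "2", "VM1", "VM4"))      # Forward port 3 (VM1 keeps its service)
```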

3.4. Attack Response. SDN can manipulate the flow of the data plane using the flow table. Therefore, when an attack occurs in the SDN environment, it is possible to block the attack path by modifying the flow table, in addition to the response methods (e.g., patching a vulnerability) used in the existing network. However, if the response is delayed, the attacker may succeed in exploiting the next target before the defense is implemented. We considered system loss and cost of action based on the relationship between the attacker's attack time and the defender's response time. For that, we assume the following. First, the attack detection (IDS) is complete and all nodes can be monitored at the same time. Second, all network flows can be changed using the flow table. Third, the devices or software that make up the SDN are not changed. The attack time and response time that we use follow the definitions below.

Definition 2. Attack time $t_A$ is defined as the time taken for an attacker to succeed in attacking the next host connected at the current location.

Definition 3. Response time is defined as $t_R = t_D + t_S + t_C$. Here, $t_D$ is defined as the time taken to detect an attacker's attack attempt on the host (attack detection time), $t_S$ is defined as the time taken to calculate the security model in real time or to retrieve it from the precomputed security model (security model calculation time), and $t_C$ is defined as the time required to apply a countermeasure to one host (countermeasure time).

Given the above definitions, an example of comparisons between attack time and response time can be expressed as follows.

Example 1. Figure 5(b) shows $t_R = t_A$. The loss node is VM2 and the action node is SW1. Assuming that both the cost of damage from the attack and the cost of the action are 100, the total cost is 200.

Figure 4: An AG of the SDN. [Figure: vulnerability-level attack graph from the attacker A to the target VM6 over VM1–VM6 and SW1–SW3 (vulnerability nodes such as VM1V1, VM1V2, VM1V2′, SW1V1); legend: vulnerability, VM, reachability.]


Example 2. Figure 6(b) shows $t_R = 2 \times t_A$. The loss nodes are VM2 and SW1, and the action nodes are SW2 and SW3. Assuming that both the cost of damage from the attack and the cost of the action are 100, the total cost is 400.

If $t_R$ is less than $t_A$, immediate action can be taken on the detected node. But in reality this is not always true, and therefore the attacker has extra time to continue compromising nodes in the SDN. k is used to determine the attacker's attack progress. It also indicates the number of possible SDN nodes that the attacker may have compromised (i.e., a predictive value to estimate the attacker's progress). Hence, the defender must take action on the nodes that are up to k hops in distance when the condition of equation (6) is satisfied. For example, if $t_R$ and $t_A$ are the same, then k is 1. The defender can then take action on a node that is 1 hop away. Using Algorithm 1, the defender can select the node to take action on.

$k \times t_A \le t_R < (k + 1) \times t_A$ (6)

Figure 5: Attack detection and countermeasure without detection delay. (a) Attack detection at VM2. (b) Applying the flow table to block VM2. (c) Full AG after the countermeasure is applied. [Figure: panels (a) and (b) show the attacker A, VM1–VM6 and SW1–SW3; panel (c) is the full AG rooted at A.]

Figure 6: Attack detection and countermeasure with detection delay. (a) Attack detection at VM2, with the attacker's expected location marked. (b) Applying the flow table to block VM2 and SW1. (c) Full AG after the countermeasure is applied.

The countermeasures should be applied as soon as possible to minimize the loss of the entire system. If $t_D$ and $t_C$ in $t_R$ cannot be reduced, $t_S$ should be reduced. Rather than calculating the security model in real time when an attack occurs, it is possible to reduce $t_S$ by searching for and applying a model that matches the current situation among the precomputed security models.
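Algorithm 1 and equation (6), as an added example that is not the authors' code: response node selection over the reachability edges of Example 4 (Section 4), with the loss/action cost bookkeeping of Examples 1 and 2. Two readings of the pseudocode are assumed: every neighbour of a node the attacker may already hold is explored with the remaining budget $t_R - t_A$, and a node presumed lost is not also sent for reconfiguration.

```python
"""Response node selection (Algorithm 1) with the k-hop rule of equation (6)
and the loss/action cost bookkeeping of Examples 1 and 2.

Constructed example, not the paper's code. Reachability follows Example 4
(Section 4). Assumed interpretations: each neighbour is explored with the
remaining budget t_R - t_A, and a node presumed lost is not an action node."""
import math

# Upper-layer reachability of Example 4 (A = the attacker outside the SDN).
ADJ = {
    "A": ["VM1", "VM2", "VM3"],
    "VM1": ["SW1", "SW2"], "VM2": ["SW1"], "VM3": ["SW1"],
    "SW1": ["SW2", "VM5"],
    "SW2": ["VM4", "VM5", "SW3"],
    "VM4": ["SW3"], "VM5": ["SW3"],
    "SW3": ["VM6"],
}


def hops_k(t_a, t_r):
    """Equation (6): the k with k*t_A <= t_R < (k+1)*t_A, i.e. how many
    further hops the attacker may have taken since the detected event."""
    if t_a <= 0:
        raise ValueError("attack time t_A must be positive")
    return max(0, math.floor(t_r / t_a))


def rns(detected, t_a, t_r, adj=ADJ):
    """Algorithm 1 (RNS). Returns (loss_nodes, action_nodes).

    When the attack time exceeds the remaining response budget, the response
    lands before the attacker can complete the next hop, so this node is sent
    to the reconfiguration module (action). Otherwise the node is counted as
    lost and the search continues one hop further with budget t_R - t_A.
    Recursion terminates because the budget shrinks by t_A > 0 per hop.
    """
    loss, action = set(), set()

    def visit(node, remaining):
        if t_a > remaining:
            action.add(node)
            return
        loss.add(node)
        for nxt in adj.get(node, []):
            visit(nxt, remaining - t_a)

    visit(detected, t_r)
    return loss, action - loss


def total_cost(loss, action, loss_cost=100, action_cost=100):
    """Cost model of Examples 1 and 2 and Section 5.2: damage on every lost
    node plus the cost of acting on every response node."""
    return len(loss) * loss_cost + len(action) * action_cost


if __name__ == "__main__":
    t_a = 1.0
    for mult in (0.5, 1, 2, 3):            # t_R < t_A, = t_A, = 2 t_A, = 3 t_A
        t_r = mult * t_a
        loss, action = rns("VM2", t_a, t_r)
        print(f"t_R = {mult} t_A: k={hops_k(t_a, t_r)} loss={sorted(loss)} "
              f"action={sorted(action)} cost={total_cost(loss, action)}")
```

With detection at VM2 and $t_R = t_A$ the run reproduces Example 1 (loss VM2, action SW1, cost 200); with $t_R = 2 t_A$ it yields two loss nodes and two action nodes (cost 400) as in Example 2, the action nodes being the 2-hop successors SW2 and VM5 of the Example 4 edges.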

4. Precomputation and Attack Prediction for Security Assessment

This section introduces the precomputation of attack scenarios and attack scenario prediction by taking into account the delays in attack detection. We can precompute the attack scenarios in order to reduce the time taken to evaluate them. We also take into account the delays observed in attack detection mechanisms and propose an attack scenario prediction method to enhance the capabilities of SDN defense mechanisms. The generation of both the full graph and the HARM can be found in [17].

4.1. Full Graph. Assessing the security of SDN in real time faces a scalability problem using existing graphical security models, as presented in Section 7. To address this problem, we precompute all possible attack scenarios using a full AG. By precomputing all possible attack scenarios offline, we can reuse this information in real time when necessary. For the precomputation of attack scenarios, we use a full AG, which represents all possible attack paths. Algorithm 2 is used to generate a full AG. The inputs required are the AG, the attacker location, and the target node. Then, the algorithm searches for all possible attack paths of the given attack scenario. Given the attacker outside the SDN and the target node VM6, the full AG of the example SDN is shown in Figure 7. For simplicity, we only represented attack paths of VMs, as the size of the full AG grows exponentially relative to the AG above.
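The risk computation of equations (4) and (5) in Section 3.2 and the full AG precomputation of Algorithm 2, as an added example that is not the authors' code: a depth-first enumeration of all simple attack paths from A to VM6 over the Example 4 edges, scored with the Table 2 values, with node blocking to mimic the flow-table countermeasure of Section 5.1. Scoring each node by its highest-BS vulnerability, aggregating per path (product for probability, sum for risk) and taking the worst path as the system metric are this example's assumptions.

```python
"""Full attack graph precomputation (Algorithm 2) over the upper-layer AG of
the example SDN, with path metrics from equations (4) and (5).

Constructed example, not the paper's code. Edges follow Example 4 (Section 4)
and vulnerability scores follow Table 2. Assumptions: a node is scored by its
highest-BS vulnerability, path probability is the product and path risk the
sum over the nodes exploited, and system metrics are the worst path."""

# Upper-layer AG of Example 4: reachability between SDN nodes (A = attacker).
EDGES = [
    ("A", "VM1"), ("A", "VM2"), ("A", "VM3"),
    ("VM1", "SW1"), ("VM2", "SW1"), ("VM3", "SW1"), ("VM1", "SW2"),
    ("SW1", "SW2"), ("SW1", "VM5"),
    ("SW2", "VM4"), ("SW2", "VM5"), ("SW2", "SW3"),
    ("VM4", "SW3"), ("VM5", "SW3"), ("SW3", "VM6"),
]

# Table 2: node -> [(CVE id, CVSS base score, impact)].
VULNS = {
    "VM1": [("CVE-2013-0013", 5.8, 4.9), ("CVE-2012-0001", 9.3, 10.0)],
    "VM2": [("CVE-2015-0006", 6.1, 4.7), ("CVE-2015-1675", 9.3, 10.0)],
    "VM3": [("CVE-2012-4546", 4.3, 2.9), ("CVE-2014-0100", 9.3, 8.2)],
    "VM4": [("CVE-2017-8495", 6.0, 4.8), ("CVE-2017-8717", 9.3, 10.0)],
    "VM5": [("CVE-2015-7312", 4.4, 2.9), ("CVE-2015-4002", 9.0, 8.5)],
    "VM6": [("CVE-2017-0626", 4.3, 2.9), ("CVE-2017-6264", 9.3, 8.2)],
    "SW1": [("CVE-2014-5035", 6.8, 6.4)],
    "SW2": [("CVE-2017-9263", 6.5, 6.5)],
    "SW3": [("CVE-2017-14970", 5.9, 6.8)],
}

# Section 5.1 constraint: SW3 and VM6 must stay functional, so they cannot be blocked.
PROTECTED = {"SW3", "VM6"}


def p_attack(bs):
    """Equation (5): probability of attack success from the CVSS base score."""
    return bs / 10.0


def risk(impact, bs):
    """Equation (4): Risk_Vul = IM x P_attack."""
    return impact * p_attack(bs)


def node_scores(node):
    """(probability, risk) of the node's easiest vulnerability, i.e. highest BS."""
    _cve, bs, im = max(VULNS[node], key=lambda v: v[1])
    return p_attack(bs), risk(im, bs)


def full_ag(source="A", target="VM6", blocked=frozenset()):
    """Algorithm 2 as a depth-first search returning every simple path
    source -> target. `blocked` mimics the flow-table countermeasure: a node
    whose flows are dropped disappears from the reachability graph."""
    blocked = set(blocked)
    if blocked & PROTECTED:
        raise ValueError(f"cannot block {sorted(blocked & PROTECTED)}: needed for service")
    adj = {}
    for u, v in EDGES:
        if u not in blocked and v not in blocked:
            adj.setdefault(u, []).append(v)
    paths, stack = [], [source]

    def dfs(node):
        if node == target:            # N_cr = N_tg: record the current stack
            paths.append(list(stack))
            return
        for nxt in adj.get(node, []):
            if nxt not in stack:      # "uniquely aligned": no repeated node on a path
                stack.append(nxt)
                dfs(nxt)
                stack.pop()

    dfs(source)
    return paths


def path_metrics(path):
    """Probability of success (product) and risk (sum) over the exploited nodes."""
    prob, total = 1.0, 0.0
    for node in path[1:]:             # the attacker node itself carries no vulnerability
        p, r = node_scores(node)
        prob *= p
        total += r
    return prob, total


def system_metrics(blocked=frozenset()):
    """Worst case over the precomputed paths: highest probability, highest risk."""
    metrics = [path_metrics(p) for p in full_ag(blocked=blocked)]
    if not metrics:
        return 0.0, 0.0
    return max(m[0] for m in metrics), max(m[1] for m in metrics)


if __name__ == "__main__":
    print(len(full_ag()), "attack paths from A to VM6")   # 15, the leaves of Figure 7
    print("initial:", system_metrics())
    for node in ("VM1", "VM2", "SW1", "SW2"):             # one-node blocking as in Figure 9
        print(node, len(full_ag(blocked={node})), system_metrics(blocked={node}))
```

Blocking SW1 or SW2 alone leaves three paths, blocking both leaves none, which is the picture Section 5.1 draws from Figure 9.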

4.2. HARM. The full AG above is used for fast real-time security assessment for particular attack scenarios. However, it is not scalable to enumerate all possible attack scenarios for a security overview of the SDN. Instead, we use the HARM [17] to assess the security of the SDN in a more scalable manner. The HARM models network nodes and their vulnerabilities onto multiple layers and utilizes the benefits of hierarchy to reduce the scalability complexity. We generate a 2-HARM (a two-layered HARM) of the example SDN, as shown in Figure 8. The formalism of the 2-HARM is as follows.

Definition 4. The two-layered HARM is defined as a 3-tuple $H = (U, L, M)$. Here, U is the AG and L is the ATs for H, and M is the mapping between the upper layer components and the lower layer components. This mapping is described by $M: U \to L$. Each host in the upper layer may have a corresponding AT in the lower layer.

The upper layer of the HARM uses the AG to represent the reachability between the nodes in the SDN (i.e., the VMs and the switches). Hence, we define U as follows.

Definition 5. An AG in the upper layer of the HARM is defined as a 2-tuple $U = (N, E)$, where N is a finite set of nodes in the SDN and $E \subseteq N \times N$ is a set of edges, where a pair of nodes

The lower layer of the HARM is a set of attack trees (ATs) [29], where each AT represents the vulnerability information of each upper layer node of the HARM (i.e., SDN nodes). We define each L in the lower layer of the HARM as follows.

Definition 6. An AT in the lower layer of the HARM is defined as a 5-tuple $L = (A, B, c, g, root)$, where A is a finite set of vulnerabilities and B is a set of gates, which are the inner nodes of L. We require $A \cap B = \emptyset$ and $root \in A \cup B$. Function $c: B \to \mathcal{P}(A \cup B)$ describes the children of each inner node in the AT (we assume there are no cycles). Function $g: B \to \{AND, OR\}$ describes the type of each gate. The representation of the attack tree $L_n$ associated to the host $n \in N$ is as follows:

$L_n = A \subseteq n.vuls$ (7)

This means that the vulnerabilities of a node are combined using logical AND and OR gates.

    procedure RNS(AG_SDN, N_D, t_A, t_R)
        if t_A > t_R then
            Send N_D to Reconfiguration Module
        else
            for all E from N_D to N_i do
                t_R ← t_R − t_A
                RNS(AG_SDN, N_i, t_A, t_R)
            end for
        end if
    end procedure

Algorithm 1: Response node selection algorithm.

    procedure fullAG(AG, N_cr, N_tg)
        Mark N_cr visited
        Stack.push(N_cr)
        if N_cr = N_tg then
            Return Stack
        else if Sizeof(E_Ncr) ≠ 0 then
            for i ← 0 to Sizeof(E_Ncr) in AG do
                N_next ← destination of E_Ncr[i]
                if N_next is uniquely aligned then
                    fullAG(AG, N_next, N_tg)
                end if
            end for
        else
            Stack.clear
        end if
    end procedure

Algorithm 2: Algorithm to generate a full AG.

Given the definitions above, the example SDN in the form of the HARM can be represented as follows.

Example 3. The Upper and Lower Layer Mapping. Figure 8 shows the HARM of the SDN. The HARM for the given SDN model is $H = (U, L, M)$, where U and L are the AG and the set of ATs in the upper and the lower layer, and $M: U \to L$ is a one-to-one mapping of the upper layer U to the corresponding lower layer L.

Figure 7: A full AG of the SDN. [Figure: tree enumerating every attack path from the attacker A to VM6 through VM1–VM5 and SW1–SW3.]

Figure 8: A HARM of the SDN in Figure 4. [Figure: the upper layer shows the attacker A, VM1–VM6 and SW1–SW3 annotated with host compromise probabilities; the lower layer shows each host's AT with its CVE identifiers and leaf/gate probabilities.]

Example 4. The Upper Layer. The AG shown in Figure 8 is a directed graph $AG_{SDN} = (N_{SDN}, E_{SDN})$, where $N_{SDN} = \{A, VM1, VM2, VM3, VM4, VM5, VM6, SW1, SW2, SW3\}$ and $E_{SDN} = \{(A, VM1), (A, VM2), (A, VM3), (VM1, SW1), (VM2, SW1), (VM3, SW1), (VM1, SW2), (SW1, SW2), (SW1, VM5), (SW2, VM4), (SW2, VM5), (SW2, SW3), (VM4, SW3), (VM5, SW3), (SW3, VM6)\}$.

Example 5. The Lower Layer. The ATs in the lower layer are shown in Figure 8. The set of conditions required to compromise VM1 is given by $L_{VM1} = (A_{VM1}, B_{VM1}, c_{VM1}, g_{VM1}, root_{VM1})$, where $A_{VM1} = \{WV1, WV2, WV2'\}$ is a set of components which are the leaves (vulnerabilities), $B_{VM1} = \{AND_1, OR_1\}$, $c(AND_1) = \{WV1, WV2'\}$, $c(OR_1) = \{AND_1, WV2\}$, $g_{VM1}(root_{VM1}) = OR_1$, and $root_{VM1} = root$, $root \in A_{VM1} \cup B_{VM1}$.
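The lower-layer AT of Definition 6 and Example 5, as an added example that is not the authors' code: an evaluator for AND/OR attack trees that yields the per-host compromise probability which annotates the upper layer of the HARM. Leaf probabilities follow equation (5) on the Table 2 base scores; treating WV2′ as a second instance of WV2 and the independent-exploit gate semantics (AND = product, OR = noisy-OR) are this example's assumptions.

```python
"""Lower-layer attack tree (Definition 6) evaluation for the 2-HARM, using the
AT of VM1 from Example 5 and a single-vulnerability AT for a switch.

Constructed example, not the paper's code. Leaf probabilities follow equation
(5) on the Table 2 base scores (WV2' taken as a second instance of WV2).
Assumed gate semantics: AND = product of the children, OR = 1 - prod(1 - child),
i.e. independently exploitable vulnerabilities."""
from dataclasses import dataclass
from math import prod


@dataclass
class AttackTree:
    """L = (A, B, c, g, root): leaves A with probabilities, gates B typed by g,
    children c, and a root that is either a leaf or a gate."""
    leaves: dict            # A: vulnerability -> P_attack
    gates: dict             # B -> g(B): "AND" or "OR"
    children: dict          # c: gate -> list of leaves/gates
    root: str

    def __post_init__(self):
        if set(self.leaves) & set(self.gates):
            raise ValueError("A and B must be disjoint")
        if self.root not in self.leaves and self.root not in self.gates:
            raise ValueError("root must be in A or B")

    def probability(self, node=None, _seen=()):
        """Probability that the host is compromised, evaluated bottom-up."""
        node = self.root if node is None else node
        if node in self.leaves:
            return self.leaves[node]
        if node in _seen:
            raise ValueError(f"cycle through gate {node}")   # Definition 6 forbids cycles
        vals = [self.probability(ch, _seen + (node,)) for ch in self.children[node]]
        if self.gates[node] == "AND":
            return prod(vals)
        return 1.0 - prod(1.0 - v for v in vals)


def bs_to_p(bs):
    """Equation (5): P_attack = BS / 10."""
    return bs / 10.0


# Example 5: L_VM1 with A = {WV1, WV2, WV2'}, B = {AND1, OR1}, root = OR1.
VM1_TREE = AttackTree(
    leaves={"WV1": bs_to_p(5.8), "WV2": bs_to_p(9.3), "WV2'": bs_to_p(9.3)},
    gates={"AND1": "AND", "OR1": "OR"},
    children={"AND1": ["WV1", "WV2'"], "OR1": ["AND1", "WV2"]},
    root="OR1",
)

# A switch has a single vulnerability in Table 2, so its AT is just that leaf.
SW1_TREE = AttackTree(leaves={"OFV1": bs_to_p(6.8)}, gates={}, children={}, root="OFV1")

# M: U -> L, the one-to-one mapping of upper-layer hosts to their ATs (Definition 4).
HARM_LOWER = {"VM1": VM1_TREE, "SW1": SW1_TREE}


def host_probabilities(mapping=HARM_LOWER):
    """Evaluate every AT of the lower layer; the results annotate the upper layer."""
    return {host: tree.probability() for host, tree in mapping.items()}


if __name__ == "__main__":
    print("AND1:", VM1_TREE.probability("AND1"))     # 0.58 * 0.93 = 0.5394
    print(host_probabilities())
```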

5. Result and Analysis

In this section, we investigate the effectiveness of using a full AG for precomputation, taking into account various security metrics. Regardless of which model we use, the security metric computed will be the same. Since both the full AG and the HARM compute the same metric values, we do not explicitly present those results in this paper.

First, we look at changes in security metrics with and without deploying a countermeasure, where we change the flow table rules to block attack paths up to three steps, in Section 5.1. Then, we conduct simulations to investigate the performance difference of computing an AG used in the HARM compared to a full AG for precomputation in Section 5.3.

5.1. Change in Security Metrics. For this experiment, we use the example SDN as shown in Figure 3 as our experimental testbed. In this system, service is not available unless a packet is sent to the database. So, we assume that the network administrator cannot change the flow table rules of SW3 and VM6 due to system constraints (i.e., they need to be functional to continuously provide the SDN service). To ensure operability, we extend this assumption such that at least one connection path exists through which users' requests can be handled. Although modifying flows can affect the performance of the SDN, we only consider the minimal cost to enhance the security of the SDN in this paper (i.e., the minimum number of flow changes for maximized security). For example, an alternative flow path can be used to continue delivering the service, but it may create a bottleneck effect if the traffic is not managed carefully. We will investigate the trade-off between enhancing security and degrading the network performance in our future work.

First, we investigate the change in security when predicting a potential attack in 1 hop, and then we measure the change in the probability of attack success and the system risk. The result is shown in Figure 9, which shows that blocking 1-hop flows at SW1 or SW2 reduces the probability and the risk more than blocking at other nodes.

On the other hand, if the detection of an attack was delayed, we need to consider further steps in order to mitigate the attack. So, we also look at 2-hop flow blocking of nodes, where the combinations are shown in Table 3. The result is shown in Figure 10, which shows a similar result to the 1-hop blocking (i.e., the best practice is to block flow through SW1 or SW2). However, we observe that the importance of nodes for defense has changed (i.e., the priorities to secure SDN components can vary when the number of hops changes). For instance, blocking the flow through VM2 and SW2 can also achieve a similar effect, where VM2 in the 1-hop analysis was significantly worse.

Lastly, we look at the 3-hop flow blocking. Table 4 shows the combinations of three nodes and their flows to be blocked. With the given attack scenario, we have 21 possible combinations of nodes out of the maximum number of 35. Figure 11 shows the result, where three conditions that include SW2 minimized the probability of attack success and the system risk, but only one condition that includes SW1. This indicates that we need to look into various attack paths as well as the importance of nodes. In conclusion, we observe that our proposed solution has identified SW2 as the most important SDN component to secure. In general, the most vulnerable node or the node with many connections to other nodes in the network can be the most important node. Another method of analyzing the importance of nodes is the network centrality measure [30]. For the running example, it is obvious to pick it up easily by inspection, but when the SDN becomes larger and more complex, this can be done easily using the proposed solution, whereas it would be near impossible and impractical by human effort.

5.2. Numerical Sensitivity Analysis. The slower the response to an attack, the more nodes the attacker can attack. This results in more loss to the system. We conducted an experiment to compare the losses incurred in the system with the costs required to take action within the response time. Since loss cost and cost of action cannot be defined objectively, the sensitivity analysis methodology was applied. In this experiment, we calculated loss and response costs based on detection time and attack time when an attacker successfully attacked VM2.

In the first experiment, we applied a sensitivity analysis to the loss cost. The corresponding response cost was fixed at 100 and the loss cost was increased from 0 to 500. In each case, the total cost of ownership was calculated. Figure 12(a) shows the experimental result. As the response time becomes slower than the attack time, the total cost is higher.

Second, we applied a sensitivity analysis to the response costs. The loss cost was fixed at 100 and the corresponding response cost was increased from 0 to 500. As in the previous experiment, we calculated the total cost for each case. The experimental results show that the total cost of ownership varies depending on the situation, as in Figure 12(b). If a defender defends a node that is far from the compromised node, loss cost may occur at a node with a relatively short distance. However, if the cost of response is greater than the cost of loss, taking action on multiple nodes significantly increases the total cost of ownership. In this case, taking action on one node that is farther away, even if the loss is considered, may be a way to save the total cost of ownership.

5.3. Simulation. To investigate the performance of precomputing the full AG in comparison to the AG, we simulate the generation and evaluation time. The precomputation of the full AG is important as it reduces the security evaluation time for real-time mitigation, while it is also used for attack prediction. As increasing the number of nodes puts both the AG and the full AG in an exponential time complexity [16], we focus on generation and evaluation when certain node flows are blocked, as shown in Table 5.

The comparison results are shown in Figure 13; it shows that the full AG outperforms the AG in terms of evaluation time for all the conditions. This indicates that real-time security assessment for a large-sized SDN (or any other general network) using an AG may not be feasible [17], and that there is an efficiency gain in precomputing all possible attack paths using the full AG. Moreover, it is more efficient to utilize more scalable security models such as the HARM.

6. Discussion and Limitations

6.1. Scalability. The framework provides an approach to assessing the security of SDN and applying countermeasures to the system using a security model for real-time intrusion responses. However, the security model has scalability issues. In our future work, we will consider improving the performance of security modeling and analysis for the SDN, as we face an exponential time complexity when the number of nodes in the SDN increases.

Figure 9: Block one node vs. security metrics. [Figure: PAS (0–1) and Risk (0–1000) for the initial configuration and for blocking each of VM1, VM2, VM3, VM4, VM5, SW1 and SW2 using the flow table.]

Table 3: A set of two-node block conditions.

ID  | Nodes
C1  | VM1, VM2
C2  | VM1, VM3
C3  | VM1, VM4
C4  | VM1, VM5
C5  | VM1, SW2
C6  | VM2, VM3
C7  | VM2, VM4
C8  | VM2, VM5
C9  | VM2, SW1
C10 | VM2, SW2
C11 | VM3, VM4
C12 | VM3, VM5
C13 | VM3, SW1
C14 | VM3, SW2
C15 | VM4, VM5
C16 | VM4, SW1
C17 | VM4, SW2
C18 | VM5, SW1

Figure 10: Block two nodes vs. security metrics. [Figure: PAS (0–1) and Risk (0–1000) for the initial configuration and for conditions C1–C18 of Table 3.]

Table 4: A set of three-node block conditions.

ID  | Nodes
C1  | VM1, VM2, VM4
C2  | VM1, VM2, VM5
C3  | VM1, VM2, SW2
C4  | VM1, VM3, VM4
C5  | VM1, VM3, VM5
C6  | VM1, VM3, SW2
C7  | VM1, VM4, VM5
C8  | VM1, VM4, SW2
C9  | VM2, VM3, VM4
C10 | VM2, VM3, VM5
C11 | VM2, VM3, SW1
C12 | VM2, VM3, SW2
C13 | VM2, VM4, VM5
C14 | VM2, VM4, SW1
C15 | VM2, VM4, SW2
C16 | VM2, VM5, SW1
C17 | VM3, VM4, VM5
C18 | VM3, VM4, SW1
C19 | VM3, VM4, SW2
C20 | VM3, VM5, SW1
C21 | VM4, VM5, SW1

6.2. SDN Attack Surface. Furthermore, we use network devices that exist in the data plane for security modeling. However, SDN has a variety of components and threat vectors in addition to the data plane. Accordingly, we will incorporate the control plane and the SDN controller in the model in order to assess the security posture of the whole life-cycle of the SDN. In addition, the network may normally have an internal attacker. But we only used scenarios in which the attacker would always break in from the outside. We can deal with internal attackers in our future work.

Figure 11: Block three nodes vs. security metrics. [Figure: PAS (0–1) and Risk (0–1000) for the initial configuration and for conditions C1–C21 of Table 4.]

Figure 12: Cost sensitivity analysis. (a) Loss cost vs. total cost. (b) Response cost vs. total cost. [Figure: total cost plotted against a cost varied from 0 to 500, one series each for $t_R < t_A$, $t_R = t_A$, $t_R = 2t_A$, $t_R = 3t_A$ and $t_R = 4t_A$.]

Table 5: A set of conditions that include specific node(s).

ID | Nodes
C1 | VM1
C2 | SW2
C3 | VM1, SW2
C4 | VM4, SW1
C5 | VM2, VM4, SW2
C6 | VM3, VM5, SW1


6.3. Evaluation Correctness of Different Vulnerabilities. In this paper, we removed the assumption that an IDS may not work in real time and also that the detection rate may not be 100%. This is more realistic, as an attack which was detected at the entry point but progressed to install a backdoor on a user's computer may not be mitigated effectively by only enhancing the entry point vulnerability. As such, we go beyond securing the point of detection and evaluate the possible extensions of the damage. However, we did not explicitly evaluate the effects of the different vulnerabilities present, where some system settings may be mitigated well by securing the detection point (e.g., security by design). As we only focused on the usefulness of precomputation, we will investigate the impact of secure design in the context of our work in the future.

6.4. Multiple Attackers. In this paper, we focused only on a single-attacker version, but in reality there can be multiple attackers trying to exploit the SDN via various entry routes. However, because we already precomputed all possible attack paths and the IDSes are working in real time, our attack response module only has to make sure that different attackers are differentiated when formulating countermeasures. In this way, our proposed solution can mitigate multiple attackers even when they exploit different attack surfaces. On the other hand, we only handled targeted attacks. Therefore, volume-based attacks such as DDoS are not appropriately addressed by our solution. We will investigate the mitigation schemes for volume-based attacks in the SDN in our future work.

6.5. Network Topology Changes. In this paper, we changed the network flow to respond to the attack when it occurred. However, the network topology of an SDN can be dynamic. Therefore, when the model changes, it is necessary to redo the precomputation for the changed model. This could be a similar solution to the MTD in response to an attack [5]. In our future work, we will investigate the application of precomputation to changing models.

7. Related Work

7.1. General SDN Security. Various security issues related to the SDN have been studied previously [1, 31–34]. Kreutz et al. [6] presented new threat vectors of the SDN that were not present in traditional networks. They also provided some potential solutions to mitigate their identified threats. However, they do not specify the means to evaluate those threats. We aim to provide solutions to some of these problems in this paper. Shin et al. [35] presented a framework named FRESCO, which enhances the security of the OpenFlow protocol for the SDN, allowing them to detect and mitigate attacks. This work shows that SDN components such as SDN switches are prone to cyber attacks. Porras et al. [36] presented SE-Floodlight, an extension to the widely used OpenFlow Floodlight Controller, to provide additional security features to protect the control plane of the SDN. Our paper aims to leverage these technologies and provide a comprehensive security analysis of the SDN.

7.2. Intrusion Detection in SDN. An intrusion is defined as a successfully carried out attack, including any malicious behavior in the system. Intrusion detection is an activity to detect such intrusions. It is ideal to detect all the intrusions with 100% accuracy, but in practice this is infeasible. Because intrusion detection is not perfect, there are always false alarms, measured by true-positive and false-positive rates. Several types of research have been conducted on attack detection in the SDN environment. Dhawan et al. [25] proposed SPHINX, a framework to detect attacks on network topology and data plane forwarding. Braga et al. [26] proposed a lightweight method for detecting DDoS attacks based on traffic flow capabilities. Giotis et al. [27] presented how to apply SDN for distributed denial of service (DDoS) mitigation by using the OpenFlow protocol as a means to enhance the legacy Remote Triggered Black-Hole (RTBH). And in [28], they performed anomaly detection and mitigation in the SDN architecture through an efficient and scalable mechanism. Although not perfect, we can leverage these techniques to detect intrusions in the SDN, which can be used to formulate optimal countermeasures using the HARM.

7.3. Security Modeling for SDN. For security modeling and analysis, Chung et al. [37] presented NICE, a network intrusion detection and countermeasure selection framework. The core of this framework is using an AG to evaluate the security. However, there are limitations of using an AG due to its scalability issues. Similarly, many of the existing graphical security models as described in [10, 11] suffer from the scalability and adaptability problems [5]. Typically, the scalability problem arises when these models have real-time constraints. In order to address this issue, our approach is to precompute attack scenarios in advance and use them where necessary. Hence, we propose to use a full AG as presented in [18] to generate all possible attack paths in the precomputation. Moreover, we also use the HARM [17], which supports scalable and adaptable security modeling and analysis. By precomputing all possible attack paths, we can quickly evaluate the security posture of the SDN when an intrusion is detected and formulate effective countermeasures in real time.

Figure 13: Specific node(s) vs. security evaluation time. [Figure: security evaluation time in ms (0–50) for the initial configuration and for conditions C1–C6 of Table 5, comparing the attack graph with the full attack graph.]

8. Conclusion

SDN provides functionalities that can dynamically control the network flow, enabling a more robust and economical way of managing network communications. However, it also introduced new vulnerabilities and attack vectors that were not present previously. As a result, many have proposed security solutions to strengthen the SDN against cyber attacks. Nevertheless, there is still a lack of security modeling and analysis for SDN which enables a system administrator to have a systematic security overview of the SDN.

In this paper, we proposed a security modeling and analysis framework with precomputation for the SDN to formulate countermeasures in real time. The precomputation method was used for the AG, the full AG, and the HARM to generate attack scenarios of the current SDN, which can then be used in conjunction with the IDS and correlated with the precomputed attack scenarios. Further, the precomputed models can be used for predicting potential attacks in case the detection mechanisms are delayed. To verify this, we carried out experimental analysis on the SDN testbed and simulations, which showed that our proposed approaches would be practical and effective in the SDN to defend against an ongoing attack in real time.

Data Availability

The vulnerability data used to support the findings of this study are included within the article.

Conflicts of Interest

The authors declare that they have no conflicts of interest.

References

[1] G Stabler A Rosen S Goasguen and K-C Wang ldquoElastic ipand security groups implementation using openflowrdquo inProceedings of the 6th International Workshop on Virtuali-zation Technologies in Distributed Computing Date ser VTDCrsquo12 pp 53ndash60 ACM New York NY USA 2012

[2] D Kreutz F M V Ramos P Verıssimo C E RothenbergS Azodolmolky and S Uhlig ldquoSoftware-defined networkinga comprehensive surveyrdquo Proceedings of the IEEE vol 103no 1 p 63 2015

[3] M Tariq B Koldehofe S Bhowmik and K RothermelldquoPLEROMA A SDN-based high performance publishsub-scribe middlewarerdquo in Proceedings of the 15th InternationalMiddleware Conference (Middleware 2014) pp 217ndash228ACM New York NY USA 2014

[4] J Jafarian E Al-Shaer and Q Duan ldquoOpenflow random hostmutation transparent moving target defense using softwaredefined networkingrdquo in Proc of the 1st Workshop on HotTopics in Software Defined Networks (HotSDN 2012)pp 127ndash132 ACM New York NY USA 2012

[5] J. B. Hong and D. S. Kim, "Assessing the effectiveness of moving target defenses using security models," IEEE Transactions on Dependable and Secure Computing, vol. 13, no. 2, pp. 163–177, 2016.

[6] D. Kreutz, F. M. Ramos, and P. Verissimo, "Towards secure and dependable software-defined networks," in Proceedings of the Second ACM SIGCOMM Workshop on Hot Topics in Software Defined Networking (HotSDN '13), pp. 55–60, ACM, New York, NY, USA, 2013.

[7] S. Lee, C. Yoon, C. Lee, S. Shin, V. Yegneswaran, and P. A. Porras, "Delta: a security assessment framework for software-defined networks," in Proceedings of the 2017 Network and Distributed System Security Symposium, San Diego, CA, USA, March 2017.

[8] S. Lee, J. Kim, S. Shin, P. Porras, and V. Yegneswaran, "Athena: a framework for scalable anomaly detection in software-defined networks," in Proceedings of the 2017 47th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN), pp. 249–260, Denver, CO, USA, June 2017.

[9] S. Nanda, F. Zafari, C. DeCusatis, E. Wedaa, and B. Yang, "Predicting network attack patterns in SDN using machine learning approach," in Proceedings of the 2016 IEEE Conference on Network Function Virtualization and Software Defined Networks (NFV-SDN), pp. 167–172, Palo Alto, CA, USA, November 2016.

[10] B. Kordy, L. Piètre-Cambacédès, and P. Schweitzer, "DAG-based attack and defense modeling: don't miss the forest for the attack trees," Computer Science Review, vol. 13-14, pp. 1–38, 2014.

[11] J. B. Hong, D. S. Kim, C.-J. Chung, and D. Huang, "A survey on the usability and practical applications of graphical security models," Computer Science Review, vol. 26, pp. 1–16, 2017.

[12] H. Xu, J. Su, X. Zong, and L. Yan, "Attack identification for software-defined networking based on attack trees and extension innovation methods," in Proceedings of the 2017 9th IEEE International Conference on Intelligent Data Acquisition and Advanced Computing Systems: Technology and Applications (IDAACS), vol. 1, pp. 485–489, Bucharest, Romania, September 2017.

[13] L. Yao, P. Dong, T. Zheng, H. Zhang, X. Du, and M. Guizani, "Network security analyzing and modeling based on Petri net and attack tree for SDN," in Proceedings of the 2016 International Conference on Computing, Networking and Communications (ICNC), pp. 1–5, Kauai, HI, USA, February 2016.

[14] A. Roy, D. Kim, and K. Trivedi, "Scalable optimal countermeasure selection using implicit enumeration on attack countermeasure trees," in Proceedings of the 42nd Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN 2012), pp. 1–12, IEEE Computer Society, Los Alamitos, CA, USA, June 2012.

[15] J. Hong and D. Kim, "Performance analysis of scalable attack representation models," in Security and Privacy Protection in Information Processing Systems (SEC 2013), L. Janczewski, H. Wolfe, and S. Shenoi, Eds., vol. 405, pp. 330–343, Springer, Berlin, Germany, 2013.


[16] R. Lippmann and K. Ingols, "An annotated review of past papers on attack graphs," Technical Report ESC-TR-2005-054, MIT Lincoln Laboratory, Lexington, MA, USA, 2005.

[17] J. B. Hong and D. S. Kim, "Towards scalable security analysis using multi-layered security models," Journal of Network and Computer Applications, vol. 75, pp. 156–168, 2016.

[18] K. Ingols, R. Lippmann, and K. Piwowarski, "Practical attack graph generation for network defense," in Proceedings of the 22nd Annual Computer Security Applications Conference (ACSAC 2006), pp. 121–130, Miami Beach, FL, USA, December 2006.

[19] Z. Shu, J. Wan, D. Li, J. Lin, A. V. Vasilakos, and M. Imran, "Security in software-defined networking: threats and countermeasures," Mobile Networks and Applications, vol. 21, no. 5, pp. 764–776, 2016.

[20] M. Albanese, S. Jajodia, and S. Noel, "Time-efficient and cost-effective network hardening using attack graphs," in Proceedings of the 42nd Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN 2012), IEEE Computer Society, Los Alamitos, CA, USA, June 2012.

[21] J. Beale, R. Deraison, H. Meer, R. Temmingh, and C. Walte, NESSUS Project, Syngress Publishing, Burlington, MA, USA, 2002, http://www.nessus.org.

[22] O. Developers, "The open vulnerability assessment system (OpenVAS)," 2012.

[23] J. Hong and D. Kim, "Scalable security model generation and analysis using k-importance measures," in Security and Privacy in Communication Networks (SecureComm 2013), T. Zia, A. Zomaya, V. Varadharajan, and M. Mao, Eds., vol. 127, pp. 270–287, Springer, Berlin, Germany, 2013.

[24] M. Schiffman, G. Eschelbeck, D. Ahmad, A. Wright, and S. Romanosky, CVSS: A Common Vulnerability Scoring System, National Infrastructure Advisory Council (NIAC), 2004.

[25] M. Dhawan, R. Poddar, K. Mahajan, and V. Mann, "SPHINX: detecting security attacks in software-defined networks," in Proceedings of the 2015 Network and Distributed System Security Symposium, vol. 15, pp. 8–11, San Diego, CA, USA, February 2015.

[26] R. Braga, E. M. M. Braga, and A. Passito, "Lightweight DDoS flooding attack detection using NOX/OpenFlow," in Proceedings of the 2010 IEEE 35th Conference on Local Computer Networks (LCN '10), pp. 408–415, IEEE Computer Society, Washington, DC, USA, October 2010.

[27] K. Giotis, G. Androulidakis, and V. Maglaris, "Leveraging SDN for efficient anomaly detection and mitigation on legacy networks," in Proceedings of the 2014 Third European Workshop on Software Defined Networks (EWSDN '14), pp. 85–90, IEEE Computer Society, Washington, DC, USA, September 2014.

[28] K. Giotis, C. Argyropoulos, G. Androulidakis, D. Kalogeras, and V. Maglaris, "Combining OpenFlow and sFlow for an effective and scalable anomaly detection and mitigation mechanism on SDN environments," Computer Networks, vol. 62, pp. 122–136, 2014.

[29] B. Schneier, Secrets and Lies: Digital Security in a Networked World, John Wiley & Sons, Hoboken, NJ, USA, 2000.

[30] J. Hong and D. Kim, "Scalable security analysis in hierarchical attack representation model using centrality measures," in Proceedings of the 43rd Annual IEEE/IFIP International Conference on Dependable Systems and Networks Workshop (DSN-W 2013), pp. 1–8, Budapest, Hungary, June 2013.

[31] N. Gude, T. Koponen, J. Pettit et al., "NOX: towards an operating system for networks," ACM SIGCOMM Computer Communication Review, vol. 38, no. 3, pp. 105–110, 2008.

[32] M. Casado, T. Garfinkel, A. Akella et al., "A protection architecture for enterprise networks," in Proceedings of the 15th Conference on USENIX Security Symposium, Volume 15 (USENIX-SS '06), USENIX Association, Berkeley, CA, USA, July 2006.

[33] J. Matias, J. Garay, A. Mendiola, N. Toledo, and E. Jacob, "FlowNAC: flow-based network access control," in Proceedings of the 2014 Third European Workshop on Software Defined Networks (EWSDN '14), pp. 79–84, IEEE Computer Society, Washington, DC, USA, September 2014.

[34] J. B. Guang Yao and P. Xiao, "Source address validation solution with OpenFlow/NOX architecture," in Proceedings of the 2011 19th IEEE International Conference on Network Protocols, pp. 7–12, Vancouver, Canada, October 2011.

[35] S. Shin, P. A. Porras, V. Yegneswaran et al., "Modular composable security services for software-defined networks," in Proceedings of the 20th Annual Network & Distributed System Security Symposium, The Internet Society, San Diego, CA, USA, 2013.

[36] P. Porras, S. Cheung, M. Fong, K. Skinner, and V. Yegneswaran, "Securing the software-defined network control layer," in Proceedings of the 2015 Network and Distributed System Security Symposium (NDSS), San Diego, CA, USA, February 2015.

[37] C.-J. Chung, P. Khatkar, T. Xing, J. Lee, and D. Huang, "NICE: network intrusion detection and countermeasure selection in virtual network systems," IEEE Transactions on Dependable and Secure Computing, vol. 10, no. 4, pp. 198–211, 2013.


impact and probability of an attack). In order to compute the system security risk, we need to know the probability of an attack success and the impact. Here, we use the exploitability metric associated with each vulnerability (as shown in Table 2) to represent the probability of an attack success, as in equation (5), and use the impact metric directly from the CVSS.

$Risk_{Vul} = IM \times P_{attack}$ (4)

$P_{attack} = \frac{BS}{10}$ (5)

3.2.2. Attack Graph for SDN. Here, we describe the AG used to model the SDN, which captures the sequence of vulnerabilities to be exploited to achieve the attack goal. We assume the attack goal is to execute arbitrary code on VM6. First, we define an AG as follows.

Definition 1. An AG is a directed graph $AG = (V, E)$, where $V$ is a finite set of vulnerabilities in the networked system and $E \subseteq V \times V$ is a set of edges, where a pair of vulnerabilities $(v_i, v_j) \mid v_i \in V, v_i \neq v_j$ is a mapping of nodes $v_i \rightarrow v_j$, $\forall\, post(v_i) = pre(v_j)$, such that the postcondition of $v_i$ satisfies the precondition of $v_j$.

Given the definition above, we can generate an AG to map attack scenarios of our example SDN, as shown in Figure 4. Given the model and the system risk calculation steps above, we can compute the system risk associated with our example SDN. For instance, the attacker can exploit vulnerabilities WV1 and WV2, as specified in Table 2, for Windows 7-based VMs. If the attacker exploits the WV1 vulnerability, then $Risk_{WV1}$ is 28.42 (i.e., the impact of 4.9 multiplied by the probability of 5.8). Similarly, $Risk_{WV2} = 9.3$, $Risk_{LV1} = 12.47$, $Risk_{LV2} = 7.65$, and $Risk_{OFV1} = 43.52$.

3.3. Intrusion Detection. In this section, we take into account the time factor when an attack has been detected. It is possible that an ongoing attack may have progressed further at the time of detection. Therefore, it is important to take into consideration which attack scenarios are important in order to mitigate the attack. Generally, attack detection should consider Bayesian theory, but we assume the attack detection mechanisms in the SDN are correct (e.g., we can use detection mechanisms such as in [25–28]). If we consider Bayesian theory, attack detection is similar to applying the Threshold Random Walk with Credit-Based connection rate limiting (TRW-CB) algorithm in [28]. The detection rate is 92.54% and the false alarm rate is 7.48%.

Figure 5 shows the detection of an attack success at VM2. Given that the attacker has not yet progressed any further, the SDN administrator can deploy countermeasures. For example, we change the flow table rules to drop all outgoing packets of VM2, disabling any further attacks. Figure 5(b) shows the result of the countermeasure.

However, if we assume that the detection of the attack has been delayed (i.e., the attack is detected after an amount of time $t$ has passed since the actual event of an attack), the attacker would consequently have progressed further from compromising VM2 in our example. This is depicted in Figure 6(a). The attacker has successfully compromised SW1 after compromising VM2, but the attack detection only alerted the SDN administrator to the progress of the attack at VM2. In order to predict its current attack scenario, we use the full AG and focus on all possible attack paths from the given detection point, as shown in Figure 6(c). Using the flow table rule change as the countermeasure, our approach is to limit the attack path up to $h$ hops, where $h$ is the number of hops from the node with initial attack detection. For example, if we use 2-hop path disable, then the result is shown as in Figure 6(b). As a result, we are able to disable further attack paths of the attacker in a trade-off to some loss of SDN functionalities. In conclusion, this is to show that we can still maintain some functionalities of the SDN while disabling any potential ongoing attacks. We investigate how security is affected further in Section 5.

3.4. Attack Response. SDN can manipulate the flow of the data plane using the flow table. Therefore, when an attack occurs in the SDN environment, it is possible to block the attack path by modifying the flow table, in addition to the response method (e.g., patching a vulnerability) used in the existing network. However, if the response is delayed, the attacker may succeed in exploiting the next target before the defense is implemented. We considered system loss and cost of action based on the relationship between the attacker's attack time and the defender's response time. For that, we assume the following. First, the attack detection (IDS) is complete and all nodes can be monitored at the same time. Second, all network flows can be changed using the flow table. Third, the devices or software that make up the SDN are not changed. The attack time and response time that we use follow the definitions below.

Definition 2. Attack time $t_A$ is defined as the time taken for an attacker to succeed in attacking the next host connected at the current location.

Definition 3. Response time is defined as $t_R = t_D + t_S + t_C$. Here, $t_D$ is defined as the time taken to detect an attacker's attack attempt on the host (attack detection time), $t_S$ is defined as the time taken to calculate the security model in real time or to retrieve it from the precomputed security model (security model calculation time), and $t_C$ is defined as the time required to apply a countermeasure to one host (countermeasure time).

Given the above definitions, an example of comparisons between attack time and response time can be expressed as follows.

Example 1. Figure 5(b) shows $t_R = t_A$. The loss node is VM2 and the action node is SW1. Assuming that both the cost of damage from the attack and the cost of the action are 100, the total cost is 200.

Figure 4: An AG of the SDN. Nodes are the attacker A, the target VM6, and the vulnerabilities of each VM and switch (e.g., VM1.V1, VM1.V2, VM1.V2', SW1.V1); edges denote reachability.


Example 2. Figure 6(b) shows $t_R = 2 \times t_A$. The loss nodes are VM2 and SW1, and the action nodes are SW2 and SW3. Assuming that both the cost of damage from the attack and the cost of the action are 100, the total cost is 400.

Figure 5: Attack detection and countermeasure without detection delay. (a) Attack detection at VM2. (b) Applying flow table to block VM2. (c) Full AG after countermeasure applied.

Figure 6: Attack detection and countermeasure with detection delay. (a) Attack detection at VM2, with the attacker's expected location marked. (b) Applying flow table to block VM2 and SW1. (c) Full AG after countermeasure applied.

If $t_R$ is less than $t_A$, the attack response can take immediate action on the detected node. But in reality this is not always true, and therefore the attacker has extra time to continue compromising nodes in the SDN. $k$ is used to determine the attacker's attack progress. It also indicates the number of possible SDN nodes that the attacker may have compromised (i.e., a predictive value to estimate the attacker's progress). Hence, the defender must take action on the nodes that are up to $k$ hops in distance when the condition of equation (6) is satisfied. For example, if $t_R$ and $t_A$ are the same, then $k$ is 1. The defender can then take action on a node that is 1 hop away. Using Algorithm 1, the defender can select the node to take action on.

$k \times t_A \leq t_R < (k + 1) \times t_A$ (6)

The countermeasures should be applied as soon as possible to minimize the loss of the entire system. If you cannot reduce $t_D$ and $t_C$ in $t_R$, you should reduce $t_S$. Rather than calculating the security model in real time when an attack occurs, it is possible to reduce $t_S$ by searching for and applying a model that matches the current situation among the precomputed security models.

4. Precomputation and Attack Prediction for Security Assessment

This section introduces the precomputation of attack scenarios and attack scenario prediction by taking into account the delays in attack detections. We can precompute the attack scenarios in order to reduce the time taken to evaluate them. We also take into account the delays observed in attack detection mechanisms and propose an attack scenario prediction method to enhance the capabilities of SDN defense mechanisms. The generation of both the full graph and the HARM can be found in [17].

4.1. Full Graph. Assessing the security of SDN in real time faces a scalability problem using existing graphical security models, as presented in Section 7. To address this problem, we precompute all possible attack scenarios using a full AG. By precomputing all possible attack scenarios offline, we can reuse this information in real time when necessary. For precomputation of attack scenarios, we use a full AG, which represents all possible attack paths. Algorithm 2 is used to generate a full AG. The inputs required are the AG, the attacker location, and the target node. Then, the algorithm searches for all possible attack paths of the given attack scenario. Given the attacker outside the SDN and the target node of VM6, the full AG of the example SDN is shown in Figure 7. For simplicity, we only represented attack paths of VMs, as the size of the full AG grows exponentially relative to the AG above.

4.2. HARM. The full AG above is used for fast real-time security assessment for particular attack scenarios. However, it is not scalable to enumerate all possible attack scenarios for a security overview of the SDN. Instead, we use the HARM [17] to assess the security of the SDN in a more scalable manner. The HARM models network nodes and their vulnerabilities onto multiple layers and utilizes the benefits of hierarchy to reduce the scalability complexity. We generate a 2-HARM (a two-layered HARM) of the example SDN, as shown in Figure 8. The formalism of the 2-HARM is as follows.

Definition 4. The two-layered HARM is defined as a 3-tuple $H = (U, L, M)$. Here, $U$ is the AG and $L$ is the ATs for $H$ and $V$, where $M$ is the mapping between the upper layer components and lower layer components. This mapping is described by $M: U \rightarrow L$. Each host in the upper layer may have a corresponding AT in the lower layer.

The upper layer of the HARM uses the AG to represent the reachability between the nodes in the SDN (i.e., the VMs and the switches). Hence, we define $U$ as follows.

Definition 5. An AG in the upper layer of the HARM is defined as a 2-tuple $U = (N, E)$, where $N$ is a finite set of nodes in the SDN and $E \subseteq N \times N$ is a set of edges, where a pair of nodes

The lower layer of the HARM is a set of attack trees (ATs) [29], where each AT represents the vulnerability information of each upper layer node of the HARM (i.e., SDN nodes). We define each $L$ in the lower layer of the HARM as follows.

Definition 6. An AT in the lower layer of the HARM is defined as a 5-tuple $L = (A, B, c, g, root)$, where $A$ is a finite set of vulnerabilities and $B$ is a set of gates, which are the inner nodes of $L$. We require $A \cap B = \emptyset$ and $root \in A \cup B$. Function $c: B \rightarrow \mathcal{P}(A \cup B)$ describes the children of each inner node in the AT (we assume there are no cycles). Function $g: B \rightarrow \{AND, OR\}$ describes the type of each gate. The representation of the attack tree $L_n$ associated to the host $n \in N$ is as follows:

$L_n = A \subseteq n.vuls$ (7)

This means that the vulnerabilities of a node are combined using logical AND and OR gates.

    procedure RNS(AG_SDN, N_D, t_A, t_R)
        if t_A > t_R then
            Send N_D to Reconfiguration Module
        else
            t_R ← t_R − t_A                      (one hop of attack time is consumed per level)
            for all E from N_D to N_i do
                RNS(AG_SDN, N_i, t_A, t_R)
            end for
        end if
    end procedure

ALGORITHM 1: Response node selection algorithm.

    procedure fullAG(AG, N_cr, N_tg)
        Mark N_cr visited
        Stack.push(N_cr)
        if N_cr = N_tg then
            Return Stack
        else if Sizeof(E_{N_cr}) ≠ 0 then
            for i ← 0 to Sizeof(E_{N_cr}) in AG do
                N_next ← destination of E_{N_cr, i}
                if N_next is uniquely aligned then
                    fullAG(AG, N_next, N_tg)
                end if
            end for
        else
            Stack.clear
        end if
    end procedure

ALGORITHM 2: Algorithm to generate a full AG.
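Algorithms 1 and 2 worked through in code, as an added example that is not the paper's own: it enumerates the full AG of Algorithm 2 as all simple attack paths from the attacker to the target, selects response nodes with Algorithm 1 and the $k$ of equation (6), applies the per-node cost model of Examples 1 and 2, and counts the attack paths that survive the node-blocking countermeasure of Section 5.1. It assumes the upper-layer edge list of Example 4, constructed $t_A$/$t_R$ values and 100 as both the loss and the action cost; the loss and action sets it derives follow from that edge list rather than from Figures 5 and 6.

```python
"""Precomputed full AG and k-hop response selection for the example SDN.

Added example, not code from the paper. The upper-layer AG (attacker A,
target VM6) is the edge list of Example 4; t_A / t_R values and the
100-per-node costs are the constructed figures of Examples 1 and 2.
"""
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

# Edge list of the upper-layer AG from Example 4 (A is the attacker outside the SDN).
EDGES: List[Tuple[str, str]] = [
    ("A", "VM1"), ("A", "VM2"), ("A", "VM3"),
    ("VM1", "SW1"), ("VM2", "SW1"), ("VM3", "SW1"), ("VM1", "SW2"),
    ("SW1", "SW2"), ("SW1", "VM5"),
    ("SW2", "VM4"), ("SW2", "VM5"), ("SW2", "SW3"),
    ("VM4", "SW3"), ("VM5", "SW3"), ("SW3", "VM6"),
]


def build_ag(edges: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Adjacency list: node -> reachable next hops (the E_N of Algorithm 2)."""
    ag: Dict[str, List[str]] = defaultdict(list)
    for src, dst in edges:
        ag[src].append(dst)
        ag.setdefault(dst, [])          # make sure sinks such as VM6 are present
    return dict(ag)


def full_ag(ag: Dict[str, List[str]], n_cr: str, n_tg: str,
            stack: Optional[List[str]] = None,
            paths: Optional[List[List[str]]] = None) -> List[List[str]]:
    """Algorithm 2: enumerate every attack path from n_cr to n_tg (the full AG).

    The stack is the path under construction; a next hop is 'uniquely aligned'
    when it is not already on that path, which keeps every path simple.
    """
    if stack is None:
        stack = []
    if paths is None:
        paths = []
    stack.append(n_cr)
    if n_cr == n_tg:
        paths.append(list(stack))               # one complete attack path
    else:
        for n_next in ag.get(n_cr, []):
            if n_next not in stack:
                full_ag(ag, n_next, n_tg, stack, paths)
    stack.pop()                                 # backtrack before returning
    return paths


def hops_k(t_a: float, t_r: float) -> int:
    """The k of eq. (6): k * t_A <= t_R < (k + 1) * t_A."""
    return int(t_r // t_a)


def response_nodes(ag: Dict[str, List[str]], n_d: str, t_a: float,
                   t_r: float) -> Tuple[Set[str], Set[str]]:
    """Algorithm 1 (RNS) from the detection point n_d.

    Returns (loss, action): 'loss' nodes are those the attacker is assumed to
    have reached before the response lands (k hops of eq. (6)); 'action' nodes
    are the ones handed to the reconfiguration module for a flow-table change.
    A node reachable both within k hops and beyond counts as lost (assumption).
    """
    loss: Set[str] = set()
    action: Set[str] = set()

    def rns(node: str, t_left: float, path: List[str]) -> None:
        if t_a > t_left:                        # response lands before the next hop
            action.add(node)
            return
        loss.add(node)                          # attacker may already hold this node
        for n_next in ag.get(node, []):
            if n_next not in path:              # guard against cycles
                rns(n_next, t_left - t_a, path + [n_next])

    rns(n_d, t_r, [n_d])
    return loss, action - loss


def total_cost(loss: Set[str], action: Set[str],
               loss_cost: float = 100, action_cost: float = 100) -> float:
    """Cost model of Examples 1 and 2: one loss cost per lost node, one action cost per action node."""
    return len(loss) * loss_cost + len(action) * action_cost


def remaining_paths(ag: Dict[str, List[str]], src: str, tgt: str,
                    blocked: Set[str]) -> List[List[str]]:
    """Attack paths that survive dropping all flows through the blocked nodes (Section 5.1)."""
    return [p for p in full_ag(ag, src, tgt) if not blocked & set(p)]


if __name__ == "__main__":
    ag = build_ag(EDGES)
    print(len(full_ag(ag, "A", "VM6")), "attack paths from A to VM6")
    for t_r in (5, 10, 20):                     # t_A = 10 time units, constructed values
        loss, action = response_nodes(ag, "VM2", 10, t_r)
        print(f"t_R={t_r}: k={hops_k(10, t_r)} loss={sorted(loss)} "
              f"action={sorted(action)} cost={total_cost(loss, action)}")
    for node in ("VM1", "VM2", "SW1", "SW2"):   # SW3 and VM6 cannot be blocked (Section 5.1)
        print(node, "blocked:", len(remaining_paths(ag, "A", "VM6", {node})), "paths remain")
```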

Given the definitions above, the example SDN in the form of the HARM can be represented as follows.

Example 3 (The Upper and Lower Layer Mapping). Figure 8 shows the HARM of the SDN. The HARM for the given SDN model is $H = (U, L, M)$, where $U$ and $L$ are the AG and the set of ATs in the upper and the lower layer, and $M: U \rightarrow L$ is a one-to-one mapping of the upper layer $U$ to the corresponding lower layer $L$.

Figure 7: A full AG of the SDN (all attack paths from the attacker A to the target VM6).

Figure 8: A HARM of the SDN in Figure 4. The upper layer is the AG over the attacker A, VM1 to VM6, and SW1 to SW3; the lower layer holds one AT per node, with its vulnerabilities (including the OpenFlow control vulnerability of the switches) as leaves under a root gate.

Example 4 (The Upper Layer). The AG shown in Figure 8 is a directed graph $AG_{SDN} = (N_{SDN}, E_{SDN})$, where $N_{SDN} = \{A, VM1, VM2, VM3, VM4, VM5, VM6, SW1, SW2, SW3\}$ and $E_{SDN} = \{(A, VM1), (A, VM2), (A, VM3), (VM1, SW1), (VM2, SW1), (VM3, SW1), (VM1, SW2), (SW1, SW2), (SW1, VM5), (SW2, VM4), (SW2, VM5), (SW2, SW3), (VM4, SW3), (VM5, SW3), (SW3, VM6)\}$.

Example 5 (The Lower Layer). The ATs in the lower layer are shown in Figure 8. The set of conditions required to compromise VM1 is given by $L_{VM1} = (A_{VM1}, B_{VM1}, c_{VM1}, g_{VM1}, root_{VM1})$, where $A_{VM1} = \{WV1, WV2, WV2'\}$ is a set of components which are the leaves (vulnerabilities), $B_{VM1} = \{AND1, OR1\}$, $c(AND1) = \{WV1, WV2'\}$, $c(OR1) = \{AND1, WV2\}$, $g_{VM1}(root_{VM1}) = OR1$, and $root_{VM1} = root$, $root \in A_{VM1} \cup B_{VM1}$.
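The lower-layer AT of Definition 6 and Example 5 evaluated in code, as an added example that is not the paper's own: it checks the structural constraints ($A \cap B = \emptyset$, $root \in A \cup B$, no cycles), computes the attack success probability of VM1 through its AND1/OR1 gates, and combines per-host results along one upper-layer path through the mapping $M$ of Definition 4. The leaf probabilities, the single-vulnerability ATs assigned to the switches and VM6 (named OFV1 and LV1 here), and the product/noisy-OR gate semantics are assumptions made for this example.

```python
"""Lower-layer attack tree (AT) evaluation for the HARM of Definitions 4 to 6.

Added example, not code from the paper. The AT of VM1 is the one of Example 5
(leaves WV1, WV2, WV2'; gates AND1, OR1). The leaf success probabilities, the
single-vulnerability ATs of the other nodes and their vulnerability names are
constructed. Gate semantics (assumption): product at AND, 1 - prod(1 - p) at OR.
"""
from dataclasses import dataclass
from math import prod
from typing import Dict, List, Set

AND, OR = "AND", "OR"


@dataclass
class AttackTree:
    """L = (A, B, c, g, root) of Definition 6."""
    leaves: Set[str]                       # A: vulnerabilities of the node
    gates: Set[str]                        # B: inner nodes
    children: Dict[str, List[str]]         # c: B -> P(A ∪ B)
    gate_type: Dict[str, str]              # g: B -> {AND, OR}
    root: str

    def validate(self) -> None:
        """Enforce A ∩ B = ∅, root ∈ A ∪ B, typed gates, and an acyclic gate structure."""
        if self.leaves & self.gates:
            raise ValueError("a name is used both as a vulnerability and as a gate")
        if self.root not in self.leaves | self.gates:
            raise ValueError("root must be a vulnerability or a gate")
        for gate in self.gates:
            if self.gate_type.get(gate) not in (AND, OR):
                raise ValueError(f"gate {gate} has no AND/OR type")

        def walk(node: str, on_path: Set[str]) -> None:
            if node in on_path:
                raise ValueError(f"cycle through {node}")
            if node in self.gates:
                for child in self.children.get(node, []):
                    walk(child, on_path | {node})

        walk(self.root, set())

    def attack_probability(self, leaf_prob: Dict[str, float]) -> float:
        """Probability of compromising the host, evaluated bottom-up from the root."""
        self.validate()

        def ev(node: str) -> float:
            if node in self.leaves:
                return leaf_prob[node]
            vals = [ev(child) for child in self.children[node]]
            if self.gate_type[node] == AND:
                return prod(vals)                       # every child is needed
            return 1.0 - prod(1.0 - v for v in vals)    # any one child suffices

        return ev(self.root)


def example_vm1_tree() -> AttackTree:
    """L_VM1 of Example 5: root OR1 over AND1(WV1, WV2') and WV2."""
    return AttackTree(
        leaves={"WV1", "WV2", "WV2'"},
        gates={"AND1", "OR1"},
        children={"AND1": ["WV1", "WV2'"], "OR1": ["AND1", "WV2"]},
        gate_type={"AND1": AND, "OR1": OR},
        root="OR1",
    )


def single_vuln_tree(vuln: str) -> AttackTree:
    """AT of a node with one vulnerability: the root is the leaf itself."""
    return AttackTree(leaves={vuln}, gates=set(), children={}, gate_type={}, root=vuln)


# Constructed leaf probabilities (not the paper's Table 2 values).
LEAF_PROB: Dict[str, float] = {"WV1": 0.5, "WV2": 0.9, "WV2'": 0.8, "OFV1": 0.75, "LV1": 0.6}

# The mapping M: U -> L of Definition 4 for part of the example SDN (constructed).
HARM_MAPPING: Dict[str, AttackTree] = {
    "VM1": example_vm1_tree(),
    "SW1": single_vuln_tree("OFV1"),
    "SW2": single_vuln_tree("OFV1"),
    "SW3": single_vuln_tree("OFV1"),
    "VM6": single_vuln_tree("LV1"),
}


def path_probability(mapping: Dict[str, AttackTree], path: List[str],
                     leaf_prob: Dict[str, float] = LEAF_PROB) -> float:
    """Attack success probability of one upper-layer path: product of the per-host
    AT results; the attacker node A has no AT and contributes nothing (assumption)."""
    return prod(mapping[n].attack_probability(leaf_prob) for n in path if n in mapping)


if __name__ == "__main__":
    print("P(VM1) =", example_vm1_tree().attack_probability(LEAF_PROB))
    print("P(A->VM1->SW1->SW2->SW3->VM6) =",
          path_probability(HARM_MAPPING, ["A", "VM1", "SW1", "SW2", "SW3", "VM6"]))
```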

5. Result and Analysis

In this section, we investigate the effectiveness of using the full AG for precomputation, taking into account various security metrics. Regardless of which model we use, the security metric computed will be the same. Since both the full AG and the HARM compute the same metric values, we do not explicitly present those results in this paper.

First, we look at changes in security metrics with and without deploying countermeasures, where we change the flow table rules to block attack paths up to three steps, in Section 5.1. Then, we conduct simulations to investigate the performance difference of computing an AG used in the HARM to a full AG for precomputation in Section 5.3.

5.1. Change in Security Metrics. For this experiment, we use the example SDN as shown in Figure 3 as our experimental testbed. In this system, service is not available unless a packet is sent to the database. So, we assume that the network administrator cannot change the flow table rules of SW3 and VM6 due to system constraints (i.e., they need to be functional to continuously provide SDN service). To ensure the operability, we extend this assumption such that at least one connection path exists such that users' requests can be handled. Although modifying flows can affect the performance of the SDN, we only consider the minimal cost to enhance the security of the SDN in this paper (i.e., the minimum number of flow changes for maximized security). For example, an alternative flow path can be used to continue delivering the service, but it may create a bottleneck effect if the traffic is not managed carefully. We will investigate the trade-off between enhancing security and degrading the network performance in our future work.

First, we investigate the change in security when predicting a potential attack in 1-hop, and then we measure the change in the probability of attack success and the system risk. The result is shown in Figure 9, which shows that blocking 1-hop at SW1 or SW2 flows minimizes the probability and the risk more than other nodes.

On the other hand, if the detection of an attack was delayed, we need to consider further steps in order to mitigate the attack. So, we also look at 2-hop flow blocking of nodes, where the combinations are shown in Table 3. The result is shown in Figure 10, which shows a similar result to the 1-hop blocking (i.e., the best practice is to block flow through SW1 or SW2). However, we observe that the importance of nodes for defense has changed (i.e., the priorities to secure SDN components can vary when the number of hops changes). For instance, blocking the flow through VM2 and SW2 can also achieve a similar effect, where VM2 in the 1-hop analysis was significantly worse.

Lastly, we look at the 3-hop flow blocking. Table 4 shows the combinations of three nodes and their flows to be blocked. With the given attack scenario, we have 21 possible combinations of nodes out of the maximum number of 35. Figure 11 shows the result, where three conditions that include SW2 minimized the probability of attack success and the system risk, but only one condition that includes SW1. This indicates that we look into various attack paths as well as the importance of nodes. In conclusion, we observe that our proposed solution has identified SW2 as the most important SDN component to secure. In general, the most vulnerable node or the node with many connections to other nodes in the network can be the most important node. Another method of analyzing the importance of nodes is the network centrality measure [30]. For the running example, it is obvious to pick it up easily by inspection, but when the SDN becomes larger and more complex, this can be done easily using the proposed solution, whereas it would be near impossible and impractical by human efforts.

5.2. Numerical Sensitivity Analysis. The slower the response to an attack, the more the attacker can attack the nodes. This results in more loss to the system. We conducted an experiment to compare the losses incurred in the system with the costs required to take action in response time. Since loss cost and cost of action cannot be defined objectively, the sensitivity analysis methodology was applied. In this experiment, we calculated loss and response costs based on detection time and attack time when an attacker successfully attacked VM2.

In the first experiment, we applied a sensitivity analysis to the loss cost. The corresponding cost was fixed at 100 and the loss cost increased from 0 to 500. In each case, the total cost of ownership was calculated. Figure 12(a) shows the experimental result. As the response time is slower than the attack time, the total cost is higher.

Second, we applied a sensitivity analysis to the response costs. The loss cost was fixed at 100 and the corresponding cost was increased from 0 to 500. And as in the previous experiment, we calculated the total cost for each case. Experimental results show that the total cost of ownership varies depending on the situation, as in Figure 12(b). If a defender defends a node that is far from the compromised node, loss cost may occur at a node with a relatively short distance. However, if the cost of response is greater than the cost of loss, taking action on multiple nodes significantly increases the total cost of ownership. In this case, taking action on one node that is farther away, even if the loss is considered, may be a way to save the total cost of ownership.

5.3. Simulation. To investigate the performance of precomputing the full AG in comparison to the AG, we simulate the generation and evaluation time via simulations. The precomputation of the full AG is important as it reduces the security evaluation time for real-time mitigation, while it is also used for attack prediction. As increasing the number of nodes puts both the AG and the full AG in an exponential time complexity [16], we focus on generation and evaluation when certain node flows are blocked, as shown in Table 5.

The comparison results are shown in Figure 13; it shows that the full AG outperforms the AG in terms of evaluation time for all the conditions. This indicates that real-time security assessment for a large-sized SDN (or any other general network) using an AG may not be feasible [17], and there is an efficiency gain in precomputing all possible attack paths using the full AG. And it is more efficient to utilize more scalable security models such as the HARM.

Figure 9: Block one node vs. security metrics. Blocked node (using the flow table): Initial, VM1, VM2, VM3, VM4, VM5, SW1, SW2; y-axes: PAS from 0 to 1 and Risk from 0 to 1000.

Table 3: A set of two-node block conditions.

    ID    Nodes
    C1    VM1, VM2
    C2    VM1, VM3
    C3    VM1, VM4
    C4    VM1, VM5
    C5    VM1, SW2
    C6    VM2, VM3
    C7    VM2, VM4
    C8    VM2, VM5
    C9    VM2, SW1
    C10   VM2, SW2
    C11   VM3, VM4
    C12   VM3, VM5
    C13   VM3, SW1
    C14   VM3, SW2
    C15   VM4, VM5
    C16   VM4, SW1
    C17   VM4, SW2
    C18   VM5, SW1

Figure 10: Block two nodes vs. security metrics. Conditions: Initial and C1 to C18 of Table 3 (blocked using the flow table); y-axes: PAS from 0 to 1 and Risk from 0 to 1000.

Table 4: A set of three-node block conditions.

    ID    Nodes
    C1    VM1, VM2, VM4
    C2    VM1, VM2, VM5
    C3    VM1, VM2, SW2
    C4    VM1, VM3, VM4
    C5    VM1, VM3, VM5
    C6    VM1, VM3, SW2
    C7    VM1, VM4, VM5
    C8    VM1, VM4, SW2
    C9    VM2, VM3, VM4
    C10   VM2, VM3, VM5
    C11   VM2, VM3, SW1
    C12   VM2, VM3, SW2
    C13   VM2, VM4, VM5
    C14   VM2, VM4, SW1
    C15   VM2, VM4, SW2
    C16   VM2, VM5, SW1
    C17   VM3, VM4, VM5
    C18   VM3, VM4, SW1
    C19   VM3, VM4, SW2
    C20   VM3, VM5, SW1
    C21   VM4, VM5, SW1

6. Discussion and Limitations

6.1. Scalability. The framework provides an approach to assessing the security of the SDN and applying countermeasures to the system using a security model for real-time intrusion responses. However, the security model has scalability issues. In our future work, we will consider improving the performance of security modeling and analysis for the SDN, as we face an exponential time complexity when the number of nodes in the SDN increases.

6.2. SDN Attack Surface. Furthermore, we use network devices that exist in the data plane for security modeling. However, the SDN has a variety of components and threat vectors in addition to the data plane. Accordingly, we will incorporate the control plane and the SDN controller in the model in order to assess the security posture of the whole life-cycle of the SDN. In addition, the network may normally have an internal attacker. But we only used scenarios in which the attacker would always break in from the outside. We can deal with internal attackers in our future work.

Figure 11: Block three nodes vs. security metrics. Conditions: Initial and C1 to C21 of Table 4 (blocked using the flow table); y-axes: PAS from 0 to 1 and Risk from 0 to 1000.

Figure 12: Cost sensitivity analysis. (a) Loss cost (0 to 500) vs. total cost (0 to 3500). (b) Response cost (0 to 500) vs. total cost (0 to 1400). Series in both panels: $t_R < t_A$, $t_R = t_A$, $t_R = 2t_A$, $t_R = 3t_A$, $t_R = 4t_A$.

Table 5: A set of conditions that include specific node(s).

    ID    Nodes
    C1    VM1
    C2    SW2
    C3    VM1, SW2
    C4    VM4, SW1
    C5    VM2, VM4, SW2
    C6    VM3, VM5, SW1

6.3. Evaluation Correctness of Different Vulnerabilities. In this paper, we removed the assumption that an IDS may not work in real time and also that the detection rate may not be 100%. This is more realistic, as an attack which was detected at the entry point but progressed to install a backdoor on a user's computer may not be mitigated effectively by only enhancing the entry point vulnerability. As such, we go beyond securing the point of detection and evaluate the possible extensions of the damage. However, we did not explicitly evaluate the effects of different vulnerabilities present, where some system settings may be mitigated well by securing the detection point (e.g., security by design). As we only focused on the usefulness of precomputation, we will investigate the impact of secure design in the context of our work in the future.

6.4. Multiple Attackers. In this paper, we focused only on a single attacker version, but in reality there can be multiple attackers trying to exploit the SDN via various entry routes. However, because we already precomputed all possible attack paths and the IDSes are working in real time, our attack response module only has to make sure that different attackers are differentiated when formulating countermeasures. In this way, our proposed solution can mitigate multiple attackers even exploiting different attack surfaces. On the other hand, we only handled targeted attacks. Therefore, volume-based attacks such as DDoS are not appropriately addressed by our solution. We will investigate the mitigation schemes for volume-based attacks in the SDN in our future work.

6.5. Network Topology Changes. In this paper, we changed the network flow to respond to the attack when it occurred. However, the network topology of an SDN can be dynamic. Therefore, when the model changes, it is necessary to redo the precomputation of the changing model. This could be a similar solution to the MTD in response to an attack [5]. In our future work, we will investigate the application of precomputation to changing models.

7. Related Work

7.1. General SDN Security. Various security issues related to the SDN have been studied previously [1, 31–34]. Kreutz et al. [6] presented new threat vectors of the SDN that were not present in traditional networks. They also provided some potential solutions to mitigate their identified threats. However, they do not specify the means to evaluate those threats. We aim to provide solutions to some of these problems in this paper. Shin et al. [35] presented a framework named FRESCO, which is to enhance the security of the OpenFlow protocol for the SDN, allowing them to detect and mitigate attacks. This work shows that SDN components such as SDN switches are prone to cyber attacks. Porras et al. [36] presented SE-Floodlight, an extension to the widely used OpenFlow Floodlight Controller, to provide additional security features to protect the control plane of the SDN. Our paper aims to leverage these technologies and provide a comprehensive security analysis of the SDN.

7.2. Intrusion Detection in SDN. An intrusion is a successfully carried out attack, including any malicious behavior in the system, and intrusion detection is the activity of detecting such intrusions. Ideally, all intrusions would be detected with 100% accuracy, but in practice this is infeasible. Because intrusion detection is not perfect, every detector has a false-positive rate (benign activity flagged as an attack) and a false-negative rate (attacks that go undetected). Several lines of research have addressed attack detection in the SDN environment. Dhawan et al. [25] proposed SPHINX, a framework to detect attacks on the network topology and on data-plane forwarding. Braga et al. [26] proposed a lightweight method for detecting DDoS flooding attacks based on traffic-flow features. Giotis et al. [27] showed how to apply SDN to distributed denial of service (DDoS) mitigation by using the OpenFlow protocol to enhance legacy Remote Triggered Black-Hole (RTBH) filtering, and in [28] they performed anomaly detection and mitigation in the SDN architecture through an efficient and scalable mechanism combining OpenFlow and sFlow. Although not perfect, we can leverage these techniques to detect intrusions in the SDN, and the detections can then be used to formulate optimal countermeasures using the HARM.

7.3. Security Modeling for SDN. For security modeling and analysis, Chung et al. [37] presented NICE, a network intrusion detection and countermeasure selection framework. The core of this framework uses an AG to evaluate security. However, there are limitations to using an AG due to its scalability issues. Similarly, many of the existing graphical security models described in [10, 11] suffer from scalability and adaptability problems [5]. Typically, the scalability problem arises when these models have real-time constraints. In order to address this issue, our approach is to precompute attack scenarios in advance and use them where necessary. Hence, we propose to use a full AG, as presented in [18], to generate all possible attack paths in the precomputation. Moreover, we also use the HARM [17], which supports scalable and adaptable security modeling and analysis. By precomputing all possible attack paths, we can quickly evaluate the security posture of the SDN when an intrusion is detected and formulate effective countermeasures in real time.

Figure 13: Specific node(s) vs. security evaluation time. x-axis: blocking condition (Initial, C1 to C6 of Table 5); y-axis: security evaluation time in ms (0 to 50); series: attack graph, full attack graph.

Security and Communication Networks 13

8. Conclusion

SDN provides functionalities that dynamically control the network flow, enabling a more robust and economical way of managing network communications. However, it also introduces new vulnerabilities and attack vectors that were not present previously. As a result, many security solutions have been proposed to strengthen the SDN against cyber attacks. Nevertheless, there is still a lack of security modeling and analysis for the SDN that would give a system administrator a systematic security overview.

In this paper, we proposed a security modeling and analysis framework with precomputation for the SDN to formulate countermeasures in real time. The precomputation method was applied to the AG, the full AG, and the HARM to generate the attack scenarios of the current SDN; these are used in conjunction with the IDS, whose detections are correlated with the precomputed attack scenarios. Further, the precomputed models can be used to predict potential attacks in case the detection mechanisms are delayed. To verify this, we carried out an experimental analysis on the SDN testbed together with simulations, which showed that the proposed approaches are practical and effective for defending an SDN against an ongoing attack in real time.

Data Availability

The vulnerability data used to support the findings of this study are included within the article.

Conflicts of Interest

The authors declare that they have no conflicts of interest.

References

[1] G. Stabler, A. Rosen, S. Goasguen, and K.-C. Wang, "Elastic IP and security groups implementation using OpenFlow," in Proceedings of the 6th International Workshop on Virtualization Technologies in Distributed Computing Date (VTDC '12), pp. 53–60, ACM, New York, NY, USA, 2012.

[2] D. Kreutz, F. M. V. Ramos, P. Veríssimo, C. E. Rothenberg, S. Azodolmolky, and S. Uhlig, "Software-defined networking: a comprehensive survey," Proceedings of the IEEE, vol. 103, no. 1, p. 63, 2015.

[3] M. Tariq, B. Koldehofe, S. Bhowmik, and K. Rothermel, "PLEROMA: a SDN-based high performance publish/subscribe middleware," in Proceedings of the 15th International Middleware Conference (Middleware 2014), pp. 217–228, ACM, New York, NY, USA, 2014.

[4] J. Jafarian, E. Al-Shaer, and Q. Duan, "OpenFlow random host mutation: transparent moving target defense using software defined networking," in Proceedings of the 1st Workshop on Hot Topics in Software Defined Networks (HotSDN 2012), pp. 127–132, ACM, New York, NY, USA, 2012.

[5] J. B. Hong and D. S. Kim, "Assessing the effectiveness of moving target defenses using security models," IEEE Transactions on Dependable and Secure Computing, vol. 13, no. 2, pp. 163–177, 2016.

[6] D. Kreutz, F. M. Ramos, and P. Veríssimo, "Towards secure and dependable software-defined networks," in Proceedings of the Second ACM SIGCOMM Workshop on Hot Topics in Software Defined Networking (HotSDN '13), pp. 55–60, ACM, New York, NY, USA, 2013.

[7] S. Lee, C. Yoon, C. Lee, S. Shin, V. Yegneswaran, and P. A. Porras, "DELTA: a security assessment framework for software-defined networks," in Proceedings of the 2017 Network and Distributed System Security Symposium (NDSS), San Diego, CA, USA, March 2017.

[8] S. Lee, J. Kim, S. Shin, P. Porras, and V. Yegneswaran, "Athena: a framework for scalable anomaly detection in software-defined networks," in Proceedings of the 2017 47th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN), pp. 249–260, Denver, CO, USA, June 2017.

[9] S. Nanda, F. Zafari, C. DeCusatis, E. Wedaa, and B. Yang, "Predicting network attack patterns in SDN using machine learning approach," in Proceedings of the 2016 IEEE Conference on Network Function Virtualization and Software Defined Networks (NFV-SDN), pp. 167–172, Palo Alto, CA, USA, November 2016.

[10] B. Kordy, L. Piètre-Cambacédès, and P. Schweitzer, "DAG-based attack and defense modeling: don't miss the forest for the attack trees," Computer Science Review, vol. 13-14, pp. 1–38, 2014.

[11] J. B. Hong, D. S. Kim, C.-J. Chung, and D. Huang, "A survey on the usability and practical applications of graphical security models," Computer Science Review, vol. 26, pp. 1–16, 2017.

[12] H. Xu, J. Su, X. Zong, and L. Yan, "Attack identification for software-defined networking based on attack trees and extension innovation methods," in Proceedings of the 2017 9th IEEE International Conference on Intelligent Data Acquisition and Advanced Computing Systems: Technology and Applications (IDAACS), vol. 1, pp. 485–489, Bucharest, Romania, September 2017.

[13] L. Yao, P. Dong, T. Zheng, H. Zhang, X. Du, and M. Guizani, "Network security analyzing and modeling based on Petri net and attack tree for SDN," in Proceedings of the 2016 International Conference on Computing, Networking and Communications (ICNC), pp. 1–5, Kauai, HI, USA, February 2016.

[14] A. Roy, D. Kim, and K. Trivedi, "Scalable optimal countermeasure selection using implicit enumeration on attack countermeasure trees," in Proceedings of the 42nd Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN 2012), pp. 1–12, IEEE Computer Society, Los Alamitos, CA, USA, June 2012.

[15] J. Hong and D. Kim, "Performance analysis of scalable attack representation models," in Security and Privacy Protection in Information Processing Systems (SEC 2013), L. Janczewski, H. Wolfe, and S. Shenoi, Eds., vol. 405, pp. 330–343, Springer, Berlin, Germany, 2013.

[16] R. Lippmann and K. Ingols, "An Annotated Review of Past Papers on Attack Graphs," Technical Report ESC-TR-2005-054, MIT Lincoln Laboratory, Lexington, MA, USA, 2005.

[17] J. B. Hong and D. S. Kim, "Towards scalable security analysis using multi-layered security models," Journal of Network and Computer Applications, vol. 75, pp. 156–168, 2016.

[18] K. Ingols, R. Lippmann, and K. Piwowarski, "Practical attack graph generation for network defense," in Proceedings of the 22nd Annual Computer Security Applications Conference (ACSAC 2006), pp. 121–130, Miami Beach, FL, USA, December 2006.

[19] Z. Shu, J. Wan, D. Li, J. Lin, A. V. Vasilakos, and M. Imran, "Security in software-defined networking: threats and countermeasures," Mobile Networks and Applications, vol. 21, no. 5, pp. 764–776, 2016.

[20] M. Albanese, S. Jajodia, and S. Noel, "Time-efficient and cost-effective network hardening using attack graphs," in Proceedings of the 42nd Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN 2012), IEEE Computer Society, Los Alamitos, CA, USA, June 2012.

[21] J. Beale, R. Deraison, H. Meer, R. Temmingh, and C. Walt, NESSUS Project, Syngress Publishing, Burlington, MA, USA, 2002, http://www.nessus.org.

[22] O. Developers, "The Open Vulnerability Assessment System (OpenVAS)," 2012.

[23] J. Hong and D. Kim, "Scalable security model generation and analysis using k-importance measures," in Security and Privacy in Communication Networks (SecureComm 2013), T. Zia, A. Zomaya, V. Varadharajan, and M. Mao, Eds., vol. 127, pp. 270–287, Springer, Berlin, Germany, 2013.

[24] M. Schiffman, G. Eschelbeck, D. Ahmad, A. Wright, and S. Romanosky, CVSS: A Common Vulnerability Scoring System, National Infrastructure Advisory Council (NIAC), 2004.

[25] M. Dhawan, R. Poddar, K. Mahajan, and V. Mann, "SPHINX: detecting security attacks in software-defined networks," in Proceedings of the 2015 Network and Distributed System Security Symposium (NDSS), vol. 15, pp. 8–11, San Diego, CA, USA, February 2015.

[26] R. Braga, E. Mota, and A. Passito, "Lightweight DDoS flooding attack detection using NOX/OpenFlow," in Proceedings of the 2010 IEEE 35th Conference on Local Computer Networks (LCN '10), pp. 408–415, IEEE Computer Society, Washington, DC, USA, October 2010.

[27] K. Giotis, G. Androulidakis, and V. Maglaris, "Leveraging SDN for efficient anomaly detection and mitigation on legacy networks," in Proceedings of the 2014 Third European Workshop on Software Defined Networks (EWSDN '14), pp. 85–90, IEEE Computer Society, Washington, DC, USA, September 2014.

[28] K. Giotis, C. Argyropoulos, G. Androulidakis, D. Kalogeras, and V. Maglaris, "Combining OpenFlow and sFlow for an effective and scalable anomaly detection and mitigation mechanism on SDN environments," Computer Networks, vol. 62, pp. 122–136, 2014.

[29] B. Schneier, Secrets and Lies: Digital Security in a Networked World, John Wiley & Sons, Hoboken, NJ, USA, 2000.

[30] J. Hong and D. Kim, "Scalable security analysis in hierarchical attack representation model using centrality measures," in Proceedings of the 43rd Annual IEEE/IFIP International Conference on Dependable Systems and Networks Workshop (DSN-W 2013), pp. 1–8, Budapest, Hungary, June 2013.

[31] N. Gude, T. Koponen, J. Pettit et al., "NOX: towards an operating system for networks," ACM SIGCOMM Computer Communication Review, vol. 38, no. 3, pp. 105–110, 2008.

[32] M. Casado, T. Garfinkel, A. Akella et al., "A protection architecture for enterprise networks," in Proceedings of the 15th Conference on USENIX Security Symposium, Volume 15 (USENIX-SS '06), USENIX Association, Berkeley, CA, USA, July 2006.

[33] J. Matias, J. Garay, A. Mendiola, N. Toledo, and E. Jacob, "FlowNAC: flow-based network access control," in Proceedings of the 2014 Third European Workshop on Software Defined Networks (EWSDN '14), pp. 79–84, IEEE Computer Society, Washington, DC, USA, September 2014.

[34] G. Yao, J. Bi, and P. Xiao, "Source address validation solution with OpenFlow/NOX architecture," in Proceedings of the 2011 19th IEEE International Conference on Network Protocols (ICNP), pp. 7–12, Vancouver, Canada, October 2011.

[35] S. Shin, P. A. Porras, V. Yegneswaran et al., "Modular composable security services for software-defined networks," in Proceedings of the 20th Annual Network & Distributed System Security Symposium (NDSS), The Internet Society, San Diego, CA, USA, 2013.

[36] P. Porras, S. Cheung, M. Fong, K. Skinner, and V. Yegneswaran, "Securing the software-defined network control layer," in Proceedings of the 2015 Network and Distributed System Security Symposium (NDSS), San Diego, CA, USA, February 2015.

[37] C.-J. Chung, P. Khatkar, T. Xing, J. Lee, and D. Huang, "NICE: network intrusion detection and countermeasure selection in virtual network systems," IEEE Transactions on Dependable and Secure Computing, vol. 10, no. 4, pp. 198–211, 2013.

Source PDF: downloads.hindawi.com/journals/scn/2020/7235043.pdf (published 2020-02-18).

Figure 4: An AG of the SDN. Nodes: the attacker A, VM1 to VM6 (VM6 is the target), and SW1 to SW3; each node is annotated with its vulnerabilities (e.g., VM1V1, VM1V2, VM1V2′ for VM1 and SW1V1, SW2V1, SW3V1 for the switches). Legend: vulnerability, VM, reachability.

Figure 5 (a): Attack detection at VM2 (nodes: attacker A, SW1 to SW3, VM1 to VM6; the detected attack is marked at VM2). Figure 5 (b): Applying the flow table to block VM2.

Example 2. Figure 6(b) shows t_R = 2 × t_A. The loss nodes are VM2 and SW1, and the action nodes are SW2 and SW3. Assuming that both the cost of damage from the attack and the cost of the action are 100 per node, the total cost is 400.

If t_R is less than t_A, the defender can take immediate action on the detected node. In reality this is not always the case, and the attacker therefore has extra time to continue compromising nodes in the SDN. k is used to determine the attacker's progress: it is the number of further SDN nodes the attacker may have compromised (i.e., a predictive value that estimates how far the attacker has advanced). Hence the defender must take action on the nodes up to k hops away when the condition of equation (6) is satisfied. For example, if t_R and t_A are equal, then k is 1, and the defender takes action on the nodes one hop away. Using Algorithm 1, the defender can select the nodes to act on.

Figure 5: Attack detection and countermeasure without detection delay. (a) Attack detection at VM2. (b) Applying the flow table to block VM2. (c) Full AG after the countermeasure is applied (remaining nodes: A, VM1, VM3, SW1 to SW3, VM4 to VM6).

Figure 6: Attack detection and countermeasure with detection delay. (a) Attack detection at VM2, with the attacker's expected location marked. (b) Applying the flow table to block VM2 and SW1. (c) Full AG after the countermeasure is applied (remaining nodes: A, VM1, SW2, SW3, VM4 to VM6).

$k \cdot t_A \le t_R < (k + 1) \cdot t_A$ (6)

The countermeasures should be applied as soon as possible to minimize the loss to the entire system. If t_D and t_C, the other components of t_R, cannot be reduced, then t_S should be reduced. Rather than computing the security model in real time when an attack occurs, t_S can be reduced by searching for and applying the model that matches the current situation among the precomputed security models.

4. Precomputation and Attack Prediction for Security Assessment

This section introduces the precomputation of attack scenarios and the prediction of attack scenarios that takes delays in attack detection into account. We precompute the attack scenarios in order to reduce the time taken to evaluate them. We also take into account the delays observed in attack detection mechanisms and propose an attack scenario prediction method to enhance the capabilities of SDN defense mechanisms. The generation of both the full graph and the HARM can be found in [17].

4.1. Full Graph. Assessing the security of an SDN in real time faces a scalability problem with existing graphical security models, as discussed in Section 7. To address this problem, we precompute all possible attack scenarios using a full AG. By precomputing all possible attack scenarios offline, we can reuse this information in real time when necessary. For the precomputation of attack scenarios we use a full AG, which represents all possible attack paths. Algorithm 2 is used to generate a full AG. The inputs required are the AG, the attacker location, and the target node; the algorithm then searches for all possible attack paths of the given attack scenario. Given an attacker outside the SDN and VM6 as the target node, the full AG of the example SDN is shown in Figure 7. For simplicity, we only represent the attack paths of the VMs, as the size of the full AG grows exponentially relative to the AG above.

4.2. HARM. The full AG above is used for fast real-time security assessment of particular attack scenarios. However, it is not scalable to enumerate all possible attack scenarios for a security overview of the SDN. Instead, we use the HARM [17] to assess the security of the SDN in a more scalable manner. The HARM models network nodes and their vulnerabilities in separate layers and uses this hierarchy to reduce the complexity of the analysis. We generate a 2-HARM (a two-layered HARM) of the example SDN, as shown in Figure 8. The formalism of the 2-HARM is as follows.

Definition 4. The two-layered HARM is defined as a 3-tuple H = (U, L, M), where U is the AG in the upper layer, L is the set of ATs in the lower layer, and M is the mapping between upper-layer components and lower-layer components, described by M: U ⟶ L. Each host in the upper layer may have a corresponding AT in the lower layer.

The upper layer of the HARM uses the AG to represent the reachability between the nodes in the SDN (i.e., the VMs and the switches). Hence, we define U as follows.

Definition 5. An AG in the upper layer of the HARM is defined as a 2-tuple U = (N, E), where N is a finite set of nodes in the SDN and E ⊆ N × N is a set of edges, each edge being a pair of nodes (n_i, n_j) such that n_j is reachable from n_i.

The lower layer of the HARM is a set of attack trees (ATs) [29], where each AT represents the vulnerability information of one upper-layer node of the HARM (i.e., one SDN node). We define each L in the lower layer of the HARM as follows.

Definition 6. An AT in the lower layer of the HARM is defined as a 5-tuple L = (A, B, c, g, root), where A is a finite set of vulnerabilities and B is a set of gates, which are the inner nodes of L. We require A ∩ B = ∅ and root ∈ A ∪ B. The function c: B ⟶ P(A ∪ B) describes the children of each inner node of the AT (we assume there are no cycles). The function g: B ⟶ {AND, OR} describes the type of each gate. The representation of the attack tree L_n associated with the host n ∈ N is as follows:

$L_n : A \subseteq n_{\mathrm{vuls}}$ (7)

This means that the vulnerabilities of a node are combined using logical AND and OR gates.

Algorithm 1: Response node selection algorithm.

    procedure RNS(AG_SDN, N_D, t_A, t_R)
        if t_A > t_R then
            Send N_D to Reconfiguration Module
        else
            t_R' ← t_R − t_A                        (one attack step is spent per hop)
            for all edges E from N_D to N_i in AG_SDN do
                RNS(AG_SDN, N_i, t_A, t_R')
            end for
        end if
    end procedure

Algorithm 2: Algorithm to generate a full AG.

    procedure fullAG(AG, N_cr, N_tg)
        Mark N_cr visited; Stack.push(N_cr)
        if N_cr = N_tg then
            Return Stack                              (one complete attack path)
        else if Sizeof(E_{N_cr}) ≠ 0 then
            for i ← 0 to Sizeof(E_{N_cr}) in AG do
                N_next ← destination of E_{N_cr, i}
                if N_next is not already on Stack then (uniquely aligned: a node appears once per path)
                    fullAG(AG, N_next, N_tg)
                end if
            end for
        else
            Stack.clear
        end if
    end procedure
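The two algorithms above, implemented as an added example; this is editor-supplied code, not the authors' implementation. The AG is the upper-layer edge set listed in Example 4, the full AG of Algorithm 2 is enumerated as the set of simple paths from the attacker A to the target, and the response node selection of Algorithm 1 is driven by k from equation (6), with the cost model of Example 2 (one loss cost per node fewer than k hops from the detected node, one response cost per node exactly k hops away). Two choices here are not stated on the page and are assumptions: a node reachable by paths of different lengths is classified by its shortest hop distance, and the precomputed lookup table is keyed by (detected node, k). On the Example 4 edge set the nodes two hops from VM2 are SW2 and VM5, so the node identities differ from those named in Example 2 while the total cost of 400 is the same.

```python
"""Full-AG enumeration (Algorithm 2), response node selection (Algorithm 1,
eq. (6)) and the Example 2 cost model. Added example; not the paper's code."""
from typing import Dict, List, Set, Tuple

# Upper-layer AG of the example SDN, transcribed from E_SDN in Example 4.
EDGES = [("A", "VM1"), ("A", "VM2"), ("A", "VM3"), ("VM1", "SW1"), ("VM2", "SW1"),
         ("VM3", "SW1"), ("VM1", "SW2"), ("SW1", "SW2"), ("SW1", "VM5"), ("SW2", "VM4"),
         ("SW2", "VM5"), ("SW2", "SW3"), ("VM4", "SW3"), ("VM5", "SW3"), ("SW3", "VM6")]


def adjacency(edges: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Directed adjacency list; reachability edges point from the attacker towards the target."""
    adj: Dict[str, List[str]] = {}
    for src, dst in edges:
        adj.setdefault(src, []).append(dst)
        adj.setdefault(dst, [])
    return adj


def full_ag(adj: Dict[str, List[str]], n_cr: str, n_tg: str) -> List[List[str]]:
    """Algorithm 2: every simple path from n_cr to n_tg. Each path is one branch
    of the full AG (Figure 7), which is why its size grows exponentially."""
    paths: List[List[str]] = []
    stack: List[str] = []

    def visit(node: str) -> None:
        stack.append(node)
        if node == n_tg:
            paths.append(list(stack))
        else:
            for nxt in adj.get(node, []):
                if nxt not in stack:          # keep paths simple: no node twice
                    visit(nxt)
        stack.pop()

    visit(n_cr)
    return paths


def hops_allowed(t_a: float, t_r: float) -> int:
    """k of eq. (6): k*tA <= tR < (k+1)*tA, the number of further nodes the
    attacker can compromise before the response takes effect."""
    if t_a <= 0:
        raise ValueError("attack time must be positive")
    return int(t_r // t_a)


def response_nodes(adj: Dict[str, List[str]], n_d: str, t_a: float,
                   t_r: float) -> Tuple[Set[str], Set[str]]:
    """Algorithm 1 (RNS) by shortest hop distance from the detected node n_d.
    Nodes fewer than k hops away are treated as already lost; nodes exactly k
    hops away are where the flow-table countermeasure is applied. Breadth-first,
    so a node reachable by paths of different lengths takes its shortest distance."""
    k = hops_allowed(t_a, t_r)
    dist = {n_d: 0}
    frontier = [n_d]
    while frontier:
        nxt_frontier = []
        for node in frontier:
            if dist[node] >= k:               # nothing beyond k hops is selected
                continue
            for nxt in adj.get(node, []):
                if nxt not in dist:
                    dist[nxt] = dist[node] + 1
                    nxt_frontier.append(nxt)
        frontier = nxt_frontier
    loss = {n for n, d in dist.items() if d < k}
    action = {n for n, d in dist.items() if d == k}
    return loss, action


def total_cost(adj, n_d: str, t_a: float, t_r: float,
               loss_cost: float, response_cost: float) -> float:
    """Example 2 cost model: one loss cost per lost node, one response cost per action node."""
    loss, action = response_nodes(adj, n_d, t_a, t_r)
    return len(loss) * loss_cost + len(action) *response_cost


def precompute_responses(adj, max_k: int) -> Dict[Tuple[str, int], Tuple[Set[str], Set[str]]]:
    """Offline table keyed by (detected node, k). At run time the IDS alert and the
    measured tR/tA select an entry instead of evaluating the model (Section 4)."""
    table = {}
    for node in adj:
        for k in range(max_k + 1):
            table[(node, k)] = response_nodes(adj, node, 1.0, float(k))
    return table


if __name__ == "__main__":
    ag = adjacency(EDGES)
    print(len(full_ag(ag, "A", "VM6")), "attack paths from A to VM6")
    for t_r in (0.5, 1.0, 2.0):                # tR < tA, tR = tA, tR = 2 tA
        loss, action = response_nodes(ag, "VM2", 1.0, t_r)
        print(f"tR={t_r}: loss={sorted(loss)} action={sorted(action)}",
              "cost", total_cost(ag, "VM2", 1.0, t_r, 100, 100))
    print(len(precompute_responses(ag, 3)), "precomputed (node, k) entries")
```

The run-time path is the dictionary lookup in the last function: the expensive enumeration is paid once offline, which is the point the paper makes about t_S.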

Given the definitions above, the example SDN in the form of the HARM can be represented as follows.

Example 3 (The Upper and Lower Layer Mapping). Figure 8 shows the HARM of the SDN. The HARM for the given SDN model is H = (U, L, M), where U and L are the AG in the upper layer and the set of ATs in the lower layer, and M: U ⟶ L is a one-to-one mapping of the upper layer U to the corresponding lower layer L.

Figure 7: A full AG of the SDN (attacker A to target VM6). Every attack path is drawn as its own branch, so intermediate nodes such as SW3 appear once per path and the tree has 15 leaves labeled VM6, one per path.

Figure 8: A HARM of the SDN in Figure 4. Upper layer: the AG over the attacker A, VM1 to VM6 (target VM6), and SW1 to SW3. Lower layer: one AT per node. The leaf labels shown are vulnerability IDs with their probability values (2013-0013: 0.58; 2012-0001: 0.93; 2012-4546: 0.43; 2012-4002: 0.90; 2012-2131: 0.75) and, for SW1 to SW3, "OpenFlow control" with 0.75; gate and root values shown include 0.971, 0.943, 0.539, 0.387, and 0.75, and the per-node values shown in the upper layer are 0.749, 0.744, 0.723, 0.882, and 0.701.

Example 4 (The Upper Layer). The AG shown in Figure 8 is a directed graph AG_SDN = (N_SDN, E_SDN), where N_SDN = {A, VM1, VM2, VM3, VM4, VM5, VM6, SW1, SW2, SW3} and E_SDN = {(A, VM1), (A, VM2), (A, VM3), (VM1, SW1), (VM2, SW1), (VM3, SW1), (VM1, SW2), (SW1, SW2), (SW1, VM5), (SW2, VM4), (SW2, VM5), (SW2, SW3), (VM4, SW3), (VM5, SW3), (SW3, VM6)}.

Example 5 (The Lower Layer). The ATs in the lower layer are shown in Figure 8. The set of conditions required to compromise VM1 is given by L_VM1 = (A_VM1, B_VM1, c_VM1, g_VM1, root_VM1), where A_VM1 = {WV1, WV2, WV2′} is the set of leaves (vulnerabilities), B_VM1 = {AND1, OR1}, c_VM1(AND1) = {WV1, WV2′}, c_VM1(OR1) = {AND1, WV2}, g_VM1(OR1) = OR and g_VM1(AND1) = AND, and root_VM1 = OR1 ∈ A_VM1 ∪ B_VM1.
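An added example of the lower-layer evaluation behind Definition 6 and Example 5; it is editor-supplied code, not the authors' implementation. An AT is stored as the 5-tuple (A, B, c, g, root), and the probability that its root is satisfied is computed bottom-up, an AND gate multiplying its children's probabilities and an OR gate combining them as 1 − Π(1 − p_i). These gate semantics and the independence of leaves are the usual attack-tree convention rather than something stated on this page, and the three probabilities passed to VM1's tree are assumed for illustration. The helper figure8_gate_values combines the two leaf values 0.58 and 0.93 that appear in Figure 8 and yields 0.971 (OR) and 0.539 (AND), both of which also appear in that figure. path_probability shows how the per-node root probabilities feed the upper layer: a path succeeds only if every node on it is compromised.

```python
"""Lower-layer AT of the HARM (Definition 6) evaluated bottom-up.
Added example; not code from the paper."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class AttackTree:
    """L = (A, B, c, g, root): leaves A with probabilities, gates B with their
    children c and type g, and the root. Leaves are assumed independent."""
    leaves: Dict[str, float]         # A: vulnerability -> probability of exploit
    children: Dict[str, List[str]]   # c: gate -> children (leaves or gates)
    gate_type: Dict[str, str]        # g: gate -> "AND" | "OR"
    root: str

    def __post_init__(self) -> None:
        gates = set(self.children)
        if gates != set(self.gate_type):
            raise ValueError("every gate in B needs a type in g")
        if gates & set(self.leaves):
            raise ValueError("A and B must be disjoint")
        if self.root not in gates and self.root not in self.leaves:
            raise ValueError("root must be in A or B")
        for p in self.leaves.values():
            if not 0.0 <= p <= 1.0:
                raise ValueError("leaf probabilities must lie in [0, 1]")

    def probability(self, node: Optional[str] = None,
                    _trail: Tuple[str, ...] = ()) -> float:
        """Probability that the subtree rooted at `node` (default: root) is satisfied."""
        node = self.root if node is None else node
        if node in self.leaves:
            return self.leaves[node]
        if node in _trail:
            raise ValueError(f"cycle through gate {node}")   # Definition 6 forbids cycles
        kids = [self.probability(ch, _trail + (node,)) for ch in self.children[node]]
        if self.gate_type[node] == "AND":
            return and_gate(kids)
        if self.gate_type[node] == "OR":
            return or_gate(kids)
        raise ValueError(f"unknown gate type for {node}")


def and_gate(ps: List[float]) -> float:
    """All children must be exploited: product of independent probabilities."""
    out = 1.0
    for p in ps:
        out *= p
    return out


def or_gate(ps: List[float]) -> float:
    """At least one child suffices: 1 minus the probability that every child fails."""
    fail = 1.0
    for p in ps:
        fail *= 1.0 - p
    return 1.0 - fail


def vm1_tree(p_v1: float, p_v2: float, p_v2_prime: float) -> AttackTree:
    """L_VM1 from Example 5: root OR1 over AND1(WV1, WV2') and WV2.
    The three probabilities are assumed inputs, not values taken from the paper."""
    return AttackTree(
        leaves={"WV1": p_v1, "WV2": p_v2, "WV2'": p_v2_prime},
        children={"AND1": ["WV1", "WV2'"], "OR1": ["AND1", "WV2"]},
        gate_type={"AND1": "AND", "OR1": "OR"},
        root="OR1",
    )


def figure8_gate_values() -> Tuple[float, float]:
    """OR and AND of the two leaf values 0.58 and 0.93 read from Figure 8."""
    return or_gate([0.58, 0.93]), and_gate([0.58, 0.93])


def path_probability(node_probs: Dict[str, float], path: List[str]) -> float:
    """Upper-layer use of the lower-layer results: a path succeeds only if every
    node on it is compromised, so its probability is the product of the per-node
    root probabilities (nodes without an AT, such as the attacker, contribute 1)."""
    return and_gate([node_probs.get(n, 1.0) for n in path])


if __name__ == "__main__":
    print("VM1 root:", round(vm1_tree(0.58, 0.93, 0.90).probability(), 4))
    print("Figure 8 gates (OR, AND):", tuple(round(v, 3) for v in figure8_gate_values()))
    # Assumed per-node values for one upper-layer path; switches use 0.75 as in Figure 8.
    node_probs = {"VM1": 0.971, "SW1": 0.75, "SW2": 0.75, "SW3": 0.75, "VM6": 0.75}
    print("path A-VM1-SW1-SW2-SW3-VM6:",
          round(path_probability(node_probs, ["A", "VM1", "SW1", "SW2", "SW3", "VM6"]), 3))
```

If the same vulnerability appears under two gates, the leaves are no longer independent and the OR formula over-counts; Definition 6 keeps the leaves of one tree distinct, which is what makes the bottom-up product valid.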

5. Results and Analysis

In this section, we investigate the effectiveness of using the full AG for precomputation, taking into account various security metrics. Regardless of which model is used, the security metrics computed are the same. Since both the full AG and the HARM compute the same metric values, we do not present both sets of results separately in this paper.

First, in Section 5.1, we look at changes in the security metrics with and without deploying countermeasures, where we change the flow-table rules to block attack paths up to three steps ahead. Then, in Section 5.3, we conduct simulations to investigate the performance difference between computing the AG used in the HARM and the full AG used for precomputation.

5.1. Change in Security Metrics. For this experiment we use the example SDN shown in Figure 3 as our experimental testbed. In this system, the service is not available unless packets reach the database, so we assume that the network administrator cannot change the flow-table rules of SW3 and VM6 due to system constraints (i.e., they need to remain functional to continuously provide the SDN service). To ensure operability, we extend this assumption so that at least one connection path always remains over which users' requests can be handled. Although modifying flows can affect the performance of the SDN, we only consider the minimal cost of enhancing the security of the SDN in this paper (i.e., the minimum number of flow changes for maximal security). For example, an alternative flow path can be used to continue delivering the service, but it may create a bottleneck if the traffic is not managed carefully. We will investigate the trade-off between enhancing security and degrading network performance in our future work.

First, we investigate the change in security when predicting a potential attack one hop ahead, measuring the change in the probability of attack success and in the system risk. The result is shown in Figure 9: blocking the flows at SW1 or SW2 reduces the probability and the risk more than blocking any other node.

On the other hand, if the detection of an attack is delayed, we need to consider further steps in order to mitigate the attack. So we also look at 2-hop flow blocking, with the node combinations listed in Table 3. The result is shown in Figure 10 and is similar to the 1-hop case (i.e., the best practice is to block the flow through SW1 or SW2). However, we observe that the importance of nodes for defense has changed (i.e., the priorities for securing SDN components can vary with the number of hops). For instance, blocking the flows through VM2 and SW2 achieves a similar effect, whereas VM2 alone was significantly worse in the 1-hop analysis.

Lastly, we look at 3-hop flow blocking. Table 4 shows the combinations of three nodes whose flows are to be blocked. With the given attack scenario we have 21 valid combinations of nodes out of the maximum of 35, since a combination must leave the service path intact. Figure 11 shows the result: three conditions that include SW2 minimized the probability of attack success and the system risk, but only one condition that includes SW1 did. This indicates that we must look at the various attack paths as well as the importance of individual nodes. In conclusion, our proposed solution identified SW2 as the most important SDN component to secure. In general, the most vulnerable node, or the node with the most connections to other nodes in the network, can be the most important node; another way of analyzing node importance is the network centrality measure [30]. For the running example this is easy to pick out by inspection, but when the SDN becomes larger and more complex it can still be done easily with the proposed solution, whereas it would be near impossible and impractical by human effort.
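The enumeration behind Tables 3 and 4, as an added example; this is editor-supplied code, not the authors'. The candidate nodes are VM1 to VM5, SW1, and SW2 (SW3 and VM6 are excluded by the system constraint above), and a set of nodes to block is kept only if the target VM6 is still reachable from the attacker's entry point A over the Example 4 edge set, which is the check used here for the requirement that at least one connection path remains. This reproduces the 18 two-node and 21 three-node conditions of Tables 3 and 4 in the order the tables list them, and also identifies the 3 two-node and 14 three-node sets that would cut the service off. Translating a blocked node into concrete flow-table entries is not described on this page and is not attempted here.

```python
"""Enumerate flow-blocking conditions that keep the service path alive
(Section 5.1, Tables 3 and 4). Added example; not code from the paper."""
from itertools import combinations
from typing import Dict, Iterable, List, Tuple

# Upper-layer AG of the example SDN, transcribed from E_SDN in Example 4.
EDGES = [("A", "VM1"), ("A", "VM2"), ("A", "VM3"), ("VM1", "SW1"), ("VM2", "SW1"),
         ("VM3", "SW1"), ("VM1", "SW2"), ("SW1", "SW2"), ("SW1", "VM5"), ("SW2", "VM4"),
         ("SW2", "VM5"), ("SW2", "SW3"), ("VM4", "SW3"), ("VM5", "SW3"), ("SW3", "VM6")]
ATTACKER, TARGET = "A", "VM6"
# SW3 and VM6 must keep forwarding (system constraint in Section 5.1), so they are
# never candidates for a flow-table block; the rest are listed in the tables' order.
BLOCKABLE = ["VM1", "VM2", "VM3", "VM4", "VM5", "SW1", "SW2"]


def reachable(edges: List[Tuple[str, str]], src: str, dst: str,
              blocked: Iterable[str]) -> bool:
    """True if dst is still reachable from src once every flow through a blocked
    node is removed (blocking a node drops both its ingress and egress flows)."""
    blocked = set(blocked)
    if src in blocked or dst in blocked:
        return False
    adj: Dict[str, List[str]] = {}
    for a, b in edges:
        if a not in blocked and b not in blocked:
            adj.setdefault(a, []).append(b)
    seen, stack = {src}, [src]
    while stack:
        node = stack.pop()
        if node == dst:
            return True
        for nxt in adj.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return False


def block_conditions(n: int, edges=EDGES, candidates=BLOCKABLE) -> List[Tuple[str, ...]]:
    """All n-node block sets that leave the attacker-to-target path open; sets
    that cut the service off entirely are not valid countermeasures."""
    return [combo for combo in combinations(candidates, n)
            if reachable(edges, ATTACKER, TARGET, combo)]


def cut_sets(n: int, edges=EDGES, candidates=BLOCKABLE) -> List[Tuple[str, ...]]:
    """The complement: n-node sets that would disconnect the service."""
    return [combo for combo in combinations(candidates, n)
            if not reachable(edges, ATTACKER, TARGET, combo)]


def labelled(conds: List[Tuple[str, ...]]) -> Dict[str, Tuple[str, ...]]:
    """Number the conditions C1, C2, ... as the paper's tables do."""
    return {f"C{i}": combo for i, combo in enumerate(conds, start=1)}


if __name__ == "__main__":
    for n in (1, 2, 3):
        print(f"{n}-node conditions: {len(block_conditions(n))} valid,"
              f" {len(cut_sets(n))} would cut the service")
    for cid, combo in labelled(block_conditions(2)).items():
        print(cid, "/".join(combo))
```

The three two-node cuts it finds ({VM1, SW1}, {VM5, SW2}, {SW1, SW2}) are exactly the pairs missing from Table 3, which is a quick consistency check on the table.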

5.2. Numerical Sensitivity Analysis. The slower the response to an attack, the more nodes the attacker can compromise, which results in more loss to the system. We conducted an experiment to compare the losses incurred in the system with the costs required to take action within the response time. Since the loss cost and the cost of action cannot be defined objectively, a sensitivity analysis was applied. In this experiment, we calculated the loss and response costs based on the detection time and the attack time when an attacker has successfully attacked VM2.

In the first experiment, we applied a sensitivity analysis to the loss cost. The response cost was fixed at 100 and the loss cost was increased from 0 to 500; in each case the total cost was calculated. Figure 12(a) shows the result: the slower the response time relative to the attack time, the higher the total cost.

Second, we applied a sensitivity analysis to the response cost. The loss cost was fixed at 100 and the response cost was increased from 0 to 500, and as in the previous experiment we calculated the total cost for each case. The results in Figure 12(b) show that the total cost varies with the situation. If a defender defends a node that is far from the compromised node, loss costs are incurred at the nodes at a shorter distance. However, if the cost of response is greater than the cost of loss, taking action on multiple nodes significantly increases the total cost. In that case, taking action on one node that is farther away, even when the extra loss is taken into account, may be the way to reduce the total cost.

5.3. Simulation. To investigate the performance of precomputing the full AG in comparison to the AG, we simulate the generation and evaluation time. The precomputation of the full AG is important as it reduces the security evaluation time for real-time mitigation, while it is also used for attack prediction. As increasing the number of nodes puts both the AG and the full AG in exponential time complexity [16], we focus on generation and evaluation when the flows of certain nodes are blocked, as listed in Table 5.

The comparison results are shown in Figure 13: the full AG outperforms the AG in terms of evaluation time for all conditions. This indicates that real-time security assessment of a large SDN (or any other general network) using an AG may not be feasible [17], and that there is an efficiency gain from precomputing all possible attack paths using the full AG; the precomputation itself remains exponential in the number of nodes, but it is paid once, offline. It is also more efficient to use more scalable security models such as the HARM.

6. Discussion and Limitations

6.1. Scalability. The framework provides an approach to assessing the security of an SDN and applying countermeasures to the system using a security model for real-time intrusion response. However, the security model has scalability issues. In our future work, we will consider improving the performance of security modeling and analysis for the SDN, as we face exponential time complexity when the number of nodes in the SDN increases.

Figure 9: Block one node vs. security metrics. x-axis: node blocked using the flow table (Initial, VM1, VM2, VM3, VM4, VM5, SW1, SW2); PAS (probability of attack success) on a 0 to 1 scale and Risk on a 0 to 1000 scale.

Table 3: A set of two-node block conditions.
ID   Nodes
C1   VM1, VM2
C2   VM1, VM3
C3   VM1, VM4
C4   VM1, VM5
C5   VM1, SW2
C6   VM2, VM3
C7   VM2, VM4
C8   VM2, VM5
C9   VM2, SW1
C10  VM2, SW2
C11  VM3, VM4
C12  VM3, VM5
C13  VM3, SW1
C14  VM3, SW2
C15  VM4, VM5
C16  VM4, SW1
C17  VM4, SW2
C18  VM5, SW1

Figure 10: Block two nodes vs. security metrics. x-axis: block conditions of Table 3 (Initial, C1 to C18); PAS on a 0 to 1 scale and Risk on a 0 to 1000 scale.

Table 4: A set of three-node block conditions.
ID   Nodes
C1   VM1, VM2, VM4
C2   VM1, VM2, VM5
C3   VM1, VM2, SW2
C4   VM1, VM3, VM4
C5   VM1, VM3, VM5
C6   VM1, VM3, SW2
C7   VM1, VM4, VM5
C8   VM1, VM4, SW2
C9   VM2, VM3, VM4
C10  VM2, VM3, VM5
C11  VM2, VM3, SW1
C12  VM2, VM3, SW2
C13  VM2, VM4, VM5
C14  VM2, VM4, SW1
C15  VM2, VM4, SW2
C16  VM2, VM5, SW1
C17  VM3, VM4, VM5
C18  VM3, VM4, SW1
C19  VM3, VM4, SW2
C20  VM3, VM5, SW1
C21  VM4, VM5, SW1

6.2. SDN Attack Surface. Furthermore, we only use the network devices that exist in the data plane for security modeling. However, an SDN has a variety of components and threat vectors in addition to the data plane. Accordingly, we will incorporate the control plane and the SDN controller into the model in order to assess the security posture over the whole life cycle of the SDN. In addition, a network may well have an internal attacker, but we only used scenarios in which the attacker always breaks in from the outside. We can deal with internal attackers in our future work.

Figure 11: Block three nodes vs. security metrics. x-axis: block conditions of Table 4 (Initial, C1 to C21); PAS on a 0 to 1 scale and Risk on a 0 to 1000 scale.

Figure 12: Cost sensitivity analysis. (a) Loss cost (0 to 500) vs. total cost (0 to 3500). (b) Response cost (0 to 500) vs. total cost (0 to 1400). Series in both panels: tR < tA, tR = tA, tR = 2tA, tR = 3tA, tR = 4tA.

Table 5: A set of conditions that include specific node(s).
ID   Nodes
C1   VM1
C2   SW2
C3   VM1, SW2
C4   VM4, SW1
C5   VM2, VM4, SW2
C6   VM3, VM5, SW1

6.3. Evaluation Correctness of Different Vulnerabilities. In this paper, we removed the assumption that an IDS works in real time and that its detection rate is 100%. This is more realistic: an attack that was detected at the entry point but has already progressed to install a backdoor on a user's computer may not be mitigated effectively by only fixing the entry-point vulnerability. As such, we go beyond securing the point of detection and evaluate the possible extent of the damage. However, we did not explicitly evaluate the effects of the different vulnerabilities present, where some system configurations may be mitigated well by securing the detection point alone (e.g., security by design). As we only focused on the usefulness of precomputation, we will investigate the impact of secure design in the context of our work in the future.

64 Multiple Attackers In this paper we focused only on asingle attacker version but in reality there can be multipleattackers trying to exploit the SDN in various entry routesHowever because we already precomputed all possible at-tack paths and the IDSes are working in real time our attackresponse module only has to make sure that different at-tackers are differentiated when formulating countermea-sures In this way our proposed solution can mitigatemultiple attackers even exploiting different attack surfacesOn the other hand we only handled targeted attacks)erefore volume-based attacks such as DDoS are notappropriately addressed by our solution We will investigatethe mitigation schemes for volume-based attacks in the SDNin our future work

6.5 Network Topology Changes. In this paper we changed the network flows to respond to an attack when it occurred. However, the topology of an SDN can be dynamic; when the model changes, the precomputation must be redone for the changed model. This could be addressed in a way similar to the MTD in response to an attack [5]. In our future work we will investigate the application of precomputation to changing models.

7 Related Work

7.1 General SDN Security. Various security issues related to the SDN have been studied previously [1, 31-34]. Kreutz et al. [6] presented new threat vectors of the SDN that were not present in traditional networks. They also provided some potential solutions to mitigate the identified threats, but did not specify the means to evaluate those threats; we aim to provide solutions to some of these problems in this paper. Shin et al. [35] presented FRESCO, a framework that enhances the security of the OpenFlow protocol for the SDN and allows attacks to be detected and mitigated. This work shows that SDN components such as SDN switches are prone to cyber attacks. Porras et al. [36] presented SE-Floodlight, an extension to the widely used OpenFlow Floodlight controller that provides additional security features to protect the control plane of the SDN. Our paper aims to leverage these technologies and provide a comprehensive security analysis of the SDN.

7.2 Intrusion Detection in SDN. An intrusion is a successfully carried out attack, including any malicious behaviour in the system, and intrusion detection is the activity of detecting such intrusions. Ideally every intrusion would be detected with 100% accuracy, but in practice this is infeasible: a detector is characterised by its true-positive and false-positive rates, so false alarms and missed intrusions are unavoidable. Several lines of research have addressed attack detection in the SDN environment. Dhawan et al. [25] proposed SPHINX, a framework to detect attacks on the network topology and on data plane forwarding. Braga et al. [26] proposed a lightweight method for detecting DDoS flooding attacks based on traffic flow features. Giotis et al. [27] showed how to apply SDN to distributed denial of service (DDoS) mitigation by using the OpenFlow protocol to enhance legacy Remote Triggered Black-Hole (RTBH) filtering, and in [28] they performed anomaly detection and mitigation in the SDN architecture through an efficient and scalable mechanism. Although not perfect, these techniques can be leveraged to detect intrusions in the SDN, and the detections can then be used to formulate optimal countermeasures using the HARM.

7.3 Security Modeling for SDN. For security modeling and analysis, Chung et al. [37] presented NICE, a network intrusion detection and countermeasure selection framework whose core uses an AG to evaluate security. However, the AG has scalability limitations. Similarly, many of the existing graphical security models described in [10, 11] suffer from scalability and adaptability problems [5]. Typically the scalability problem arises when these models are used under real-time constraints. To address this issue, our approach is to precompute attack scenarios in advance and use them where necessary. Hence we propose to use a full AG as presented in [18] to generate all possible attack paths in the precomputation. Moreover, we also use the HARM [17], which supports scalable and adaptable security modeling and analysis. By precomputing all possible attack paths, we can quickly evaluate the security posture of the SDN when an intrusion is detected and formulate effective countermeasures in real time.

Figure 13: Specific node(s) vs security evaluation time. x-axis: blocked-node condition (Initial, C1 to C6 of Table 5); y-axis: security evaluation time (ms), 0 to 50; series: Attack graph, Full attack graph.

8 Conclusion

SDN provides functionality to dynamically control network flows, enabling a more robust and economical way of managing network communications. However, it also introduces new vulnerabilities and attack vectors that were not present previously. As a result, many security solutions have been proposed to strengthen the SDN against cyber attacks. Nevertheless, there is still a lack of security modeling and analysis for the SDN that would give a system administrator a systematic security overview of it.

In this paper we proposed a security modeling and analysis framework with precomputation for the SDN to formulate countermeasures in real time. The precomputation method was applied to the AG, the full AG and the HARM to generate the attack scenarios of the current SDN; these are then used in conjunction with the IDS, whose alerts are correlated with the precomputed attack scenarios. Further, the precomputed models can be used to predict potential attacks when the detection mechanisms are delayed. To verify the approach we carried out experimental analysis on the SDN testbed and simulations, which showed that the proposed approaches would be practical and effective for defending the SDN against an ongoing attack in real time.

Data Availability

The vulnerability data used to support the findings of this study are included within the article.

Conflicts of Interest

The authors declare that they have no conflicts of interest.

References

[1] G. Stabler, A. Rosen, S. Goasguen, and K.-C. Wang, "Elastic IP and security groups implementation using OpenFlow," in Proceedings of the 6th International Workshop on Virtualization Technologies in Distributed Computing (VTDC '12), pp. 53-60, ACM, New York, NY, USA, 2012.

[2] D. Kreutz, F. M. V. Ramos, P. Veríssimo, C. E. Rothenberg, S. Azodolmolky, and S. Uhlig, "Software-defined networking: a comprehensive survey," Proceedings of the IEEE, vol. 103, no. 1, p. 63, 2015.

[3] M. Tariq, B. Koldehofe, S. Bhowmik, and K. Rothermel, "PLEROMA: a SDN-based high performance publish/subscribe middleware," in Proceedings of the 15th International Middleware Conference (Middleware 2014), pp. 217-228, ACM, New York, NY, USA, 2014.

[4] J. Jafarian, E. Al-Shaer, and Q. Duan, "OpenFlow random host mutation: transparent moving target defense using software defined networking," in Proceedings of the 1st Workshop on Hot Topics in Software Defined Networks (HotSDN 2012), pp. 127-132, ACM, New York, NY, USA, 2012.

[5] J. B. Hong and D. S. Kim, "Assessing the effectiveness of moving target defenses using security models," IEEE Transactions on Dependable and Secure Computing, vol. 13, no. 2, pp. 163-177, 2016.

[6] D. Kreutz, F. M. Ramos, and P. Verissimo, "Towards secure and dependable software-defined networks," in Proceedings of the Second ACM SIGCOMM Workshop on Hot Topics in Software Defined Networking (HotSDN '13), pp. 55-60, ACM, New York, NY, USA, 2013.

[7] S. Lee, C. Yoon, C. Lee, S. Shin, V. Yegneswaran, and P. A. Porras, "DELTA: a security assessment framework for software-defined networks," in Proceedings of the 2017 Network and Distributed System Security Symposium, San Diego, CA, USA, March 2017.

[8] S. Lee, J. Kim, S. Shin, P. Porras, and V. Yegneswaran, "Athena: a framework for scalable anomaly detection in software-defined networks," in Proceedings of the 2017 47th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN), pp. 249-260, Denver, CO, USA, June 2017.

[9] S. Nanda, F. Zafari, C. DeCusatis, E. Wedaa, and B. Yang, "Predicting network attack patterns in SDN using machine learning approach," in Proceedings of the 2016 IEEE Conference on Network Function Virtualization and Software Defined Networks (NFV-SDN), pp. 167-172, Palo Alto, CA, USA, November 2016.

[10] B. Kordy, L. Piètre-Cambacédès, and P. Schweitzer, "DAG-based attack and defense modeling: don't miss the forest for the attack trees," Computer Science Review, vol. 13-14, pp. 1-38, 2014.

[11] J. B. Hong, D. S. Kim, C.-J. Chung, and D. Huang, "A survey on the usability and practical applications of graphical security models," Computer Science Review, vol. 26, pp. 1-16, 2017.

[12] H. Xu, J. Su, X. Zong, and L. Yan, "Attack identification for software-defined networking based on attack trees and extension innovation methods," in Proceedings of the 2017 9th IEEE International Conference on Intelligent Data Acquisition and Advanced Computing Systems: Technology and Applications (IDAACS), vol. 1, pp. 485-489, Bucharest, Romania, September 2017.

[13] L. Yao, P. Dong, T. Zheng, H. Zhang, X. Du, and M. Guizani, "Network security analyzing and modeling based on Petri net and attack tree for SDN," in Proceedings of the 2016 International Conference on Computing, Networking and Communications (ICNC), pp. 1-5, Kauai, HI, USA, February 2016.

[14] A. Roy, D. Kim, and K. Trivedi, "Scalable optimal countermeasure selection using implicit enumeration on attack countermeasure trees," in Proceedings of the 42nd Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN 2012), pp. 1-12, IEEE Computer Society, Los Alamitos, CA, USA, June 2012.

[15] J. Hong and D. Kim, "Performance analysis of scalable attack representation models," in Security and Privacy Protection in Information Processing Systems (SEC 2013), L. Janczewski, H. Wolfe, and S. Shenoi, Eds., vol. 405, pp. 330-343, Springer, Berlin, Germany, 2013.


[16] R. Lippmann and K. Ingols, "An annotated review of past papers on attack graphs," Technical Report ESC-TR-2005-054, MIT Lincoln Laboratory, Lexington, MA, USA, 2005.

[17] J. B. Hong and D. S. Kim, "Towards scalable security analysis using multi-layered security models," Journal of Network and Computer Applications, vol. 75, pp. 156-168, 2016.

[18] K. Ingols, R. Lippmann, and K. Piwowarski, "Practical attack graph generation for network defense," in Proceedings of the 22nd Annual Computer Security Applications Conference (ACSAC 2006), pp. 121-130, Miami Beach, FL, USA, December 2006.

[19] Z. Shu, J. Wan, D. Li, J. Lin, A. V. Vasilakos, and M. Imran, "Security in software-defined networking: threats and countermeasures," Mobile Networks and Applications, vol. 21, no. 5, pp. 764-776, 2016.

[20] M. Albanese, S. Jajodia, and S. Noel, "Time-efficient and cost-effective network hardening using attack graphs," in Proceedings of the 42nd Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN 2012), IEEE Computer Society, Los Alamitos, CA, USA, June 2012.

[21] J. Beale, R. Deraison, H. Meer, R. Temmingh, and C. Walt, NESSUS Project, Syngress Publishing, Burlington, MA, USA, 2002, http://www.nessus.org.

[22] OpenVAS Developers, "The open vulnerability assessment system (OpenVAS)," 2012.

[23] J. Hong and D. Kim, "Scalable security model generation and analysis using k-importance measures," in Security and Privacy in Communication Networks (SecureComm 2013), T. Zia, A. Zomaya, V. Varadharajan, and M. Mao, Eds., vol. 127, pp. 270-287, Springer, Berlin, Germany, 2013.

[24] M. Schiffman, G. Eschelbeck, D. Ahmad, A. Wright, and S. Romanosky, CVSS: A Common Vulnerability Scoring System, National Infrastructure Advisory Council (NIAC), 2004.

[25] M. Dhawan, R. Poddar, K. Mahajan, and V. Mann, "SPHINX: detecting security attacks in software-defined networks," in Proceedings of the 2015 Network and Distributed System Security Symposium, vol. 15, pp. 8-11, San Diego, CA, USA, February 2015.

[26] R. Braga, E. M. M. Braga, and A. Passito, "Lightweight DDoS flooding attack detection using NOX/OpenFlow," in Proceedings of the 2010 IEEE 35th Conference on Local Computer Networks (LCN '10), pp. 408-415, IEEE Computer Society, Washington, DC, USA, October 2010.

[27] K. Giotis, G. Androulidakis, and V. Maglaris, "Leveraging SDN for efficient anomaly detection and mitigation on legacy networks," in Proceedings of the 2014 Third European Workshop on Software Defined Networks (EWSDN '14), pp. 85-90, IEEE Computer Society, Washington, DC, USA, September 2014.

[28] K. Giotis, C. Argyropoulos, G. Androulidakis, D. Kalogeras, and V. Maglaris, "Combining OpenFlow and sFlow for an effective and scalable anomaly detection and mitigation mechanism on SDN environments," Computer Networks, vol. 62, pp. 122-136, 2014.

[29] B. Schneier, Secrets and Lies: Digital Security in a Networked World, John Wiley & Sons, Hoboken, NJ, USA, 2000.

[30] J. Hong and D. Kim, "Scalable security analysis in hierarchical attack representation model using centrality measures," in Proceedings of the 43rd Annual IEEE/IFIP International Conference on Dependable Systems and Networks Workshop (DSN-W 2013), pp. 1-8, Budapest, Hungary, June 2013.

[31] N. Gude, T. Koponen, J. Pettit, et al., "NOX: towards an operating system for networks," ACM SIGCOMM Computer Communication Review, vol. 38, no. 3, pp. 105-110, 2008.

[32] M. Casado, T. Garfinkel, A. Akella, et al., "A protection architecture for enterprise networks," in Proceedings of the 15th Conference on USENIX Security Symposium, Volume 15 (USENIX-SS '06), USENIX Association, Berkeley, CA, USA, July 2006.

[33] J. Matias, J. Garay, A. Mendiola, N. Toledo, and E. Jacob, "FlowNAC: flow-based network access control," in Proceedings of the 2014 Third European Workshop on Software Defined Networks (EWSDN '14), pp. 79-84, IEEE Computer Society, Washington, DC, USA, September 2014.

[34] G. Yao, J. Bi, and P. Xiao, "Source address validation solution with OpenFlow/NOX architecture," in Proceedings of the 2011 19th IEEE International Conference on Network Protocols, pp. 7-12, Vancouver, Canada, October 2011.

[35] S. Shin, P. A. Porras, V. Yegneswaran, et al., "Modular composable security services for software-defined networks," in Proceedings of the 20th Annual Network & Distributed System Security Symposium, The Internet Society, San Diego, CA, USA, 2013.

[36] P. Porras, S. Cheung, M. Fong, K. Skinner, and V. Yegneswaran, "Securing the software-defined network control layer," in Proceedings of the 2015 Network and Distributed System Security Symposium (NDSS), San Diego, CA, USA, February 2015.

[37] C.-J. Chung, P. Khatkar, T. Xing, J. Lee, and D. Huang, "NICE: network intrusion detection and countermeasure selection in virtual network systems," IEEE Transactions on Dependable and Secure Computing, vol. 10, no. 4, pp. 198-211, 2013.



Example 2. Figure 6(b) shows the case tR = 2 tA. The loss nodes are VM2 and SW1 and the action nodes are SW2 and SW3. Assuming that both the cost of the damage caused by the attack and the cost of the action are 100 per node, the total cost is 400.

If tR is less than tA, the defender can take immediate action on the detected node. In reality this is not always the case, and the attacker then has extra time to continue compromising nodes in the SDN. The value k is used to estimate the attacker's progress: it is the number of SDN nodes the attacker may have compromised beyond the detected one (i.e., a predictive value of the attacker's progress). Hence the defender must take action on the nodes up to k hops away when the condition of equation (6) is satisfied. For example, if tR and tA are the same, then k is 1, and the defender takes action on the nodes that are 1 hop away. Using Algorithm 1, the defender selects the nodes on which to take action.

Figure 5: Attack detection and countermeasure without detection delay. (a) Attack detection at VM2; (b) applying the flow table to block VM2; (c) full AG after the countermeasure is applied.

Figure 6: Attack detection and countermeasure with detection delay. (a) Attack detection at VM2, with the attacker's expected location marked; (b) applying the flow table to block VM2 and SW1; (c) full AG after the countermeasure is applied.

$k \, t_A \le t_R < (k+1) \, t_A$    (6)

The countermeasures should be applied as soon as possible to minimize the loss to the entire system. If the components tD and tC of tR cannot be reduced, tS, the time spent computing the security model, should be reduced. Rather than computing the security model in real time when an attack occurs, tS can be reduced by searching for and applying the model that matches the current situation among the precomputed security models.

4 Precomputation and Attack Prediction for Security Assessment

This section introduces the precomputation of attack scenarios and the prediction of attack scenarios that takes into account delays in attack detection. Attack scenarios are precomputed in order to reduce the time taken to evaluate them. We also take into account the delays observed in attack detection mechanisms and propose an attack scenario prediction method to enhance the capabilities of the SDN defense mechanisms. The generation of both the full graph and the HARM can be found in [17].

4.1 Full Graph. Assessing the security of the SDN in real time with existing graphical security models faces a scalability problem, as discussed in Section 7. To address this problem we precompute all possible attack scenarios using a full AG. By precomputing all possible attack scenarios offline, this information can be reused in real time whenever necessary. For the precomputation of attack scenarios we use a full AG, which represents all possible attack paths. Algorithm 2 generates a full AG: its inputs are the AG, the attacker location and the target node, and it searches for all possible attack paths of the given attack scenario. Given an attacker outside the SDN and VM6 as the target node, the full AG of the example SDN is shown in Figure 7. For simplicity we only show the attack paths through VMs, as the size of the full AG grows exponentially relative to the AG above.

4.2 HARM. The full AG above is used for fast real-time security assessment of particular attack scenarios. However, enumerating all possible attack scenarios to obtain a security overview of the SDN does not scale. Instead we use the HARM [17] to assess the security of the SDN in a more scalable manner. The HARM models the network nodes and their vulnerabilities on separate layers and uses the hierarchy to reduce the complexity of the analysis. We generate a 2-HARM (a two-layered HARM) of the example SDN as shown in Figure 8. The formalism of the 2-HARM is as follows.

Definition 4. The two-layered HARM is defined as a 3-tuple H = (U, L, M), where U is the AG of the upper layer, L is the set of ATs of the lower layer, and M is the mapping between upper layer components and lower layer components, described by M: U → L. Each host in the upper layer may have a corresponding AT in the lower layer.

The upper layer of the HARM uses the AG to represent the reachability between the nodes in the SDN (i.e., the VMs and the switches). Hence we define U as follows.

Definition 5. The AG in the upper layer of the HARM is defined as a 2-tuple U = (N, E), where N is a finite set of nodes in the SDN and E ⊆ N × N is a set of edges; each edge is a pair of nodes (n_i, n_j) such that n_j is reachable from n_i.

The lower layer of the HARM is a set of attack trees (ATs) [29], where each AT represents the vulnerability information of one upper layer node of the HARM (i.e., an SDN node). We define each L in the lower layer of the HARM as follows.

Definition 6. An AT in the lower layer of the HARM is defined as a 5-tuple L = (A, B, c, g, root), where A is a finite set of vulnerabilities and B is a set of gates, which are the inner nodes of L. We require A ∩ B = ∅ and root ∈ A ∪ B. The function c: B → P(A ∪ B) describes the children of each inner node of the AT (we assume there are no cycles). The function g: B → {AND, OR} describes the type of each gate.

    procedure RNS(AG_SDN, N_D, t_A, t_R)
        if t_A > t_R then
            send N_D to the Reconfiguration Module
        else
            for all edges E from N_D to N_i do
                t_R <- t_R - t_A
                RNS(AG_SDN, N_i, t_A, t_R)
            end for
        end if
    end procedure

ALGORITHM 1: Response node selection algorithm

    procedure fullAG(AG, N_cr, N_tg)
        mark N_cr visited
        Stack.push(N_cr)
        if N_cr = N_tg then
            return Stack
        else if sizeof(E_Ncr) != 0 then
            for i <- 0 to sizeof(E_Ncr) in AG do
                N_next <- destination of E_Ncr[i]
                if N_next is uniquely aligned (not already on the current path) then
                    fullAG(AG, N_next, N_tg)
                end if
            end for
        else
            Stack.clear()
        end if
    end procedure

ALGORITHM 2: Algorithm to generate a full AG
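The two procedures above and the cost bookkeeping of Example 2, as an added Python example that is not the paper's code: it builds the upper-layer AG the paper lists in Example 4 (Section 4.2), enumerates every simple attack path from the attacker A to VM6 (Algorithm 2), derives k from equation (6), walks the response-node selection of Algorithm 1 from a detection at VM2, and prices the result with the 100-per-node costs of Example 2. The time unit, the way the remaining t_R is carried per branch, and the cost model are assumptions, marked in the comments.

```python
"""Precomputed full attack graph and response-node selection (Algorithms 1 and 2).

Added example, not the paper's code. The attack graph is the upper-layer AG
listed in the paper's Example 4 (attacker A, hosts VM1..VM6, switches
SW1..SW3, target VM6). Time units, the per-node cost of 100 and the
handling of the t_R bookkeeping are assumptions noted inline.
"""
from typing import Dict, List, Set, Tuple

# Upper-layer AG from Example 4, as an adjacency list (node -> reachable nodes).
AG_SDN: Dict[str, List[str]] = {
    "A": ["VM1", "VM2", "VM3"],
    "VM1": ["SW1", "SW2"],
    "VM2": ["SW1"],
    "VM3": ["SW1"],
    "SW1": ["SW2", "VM5"],
    "SW2": ["VM4", "VM5", "SW3"],
    "VM4": ["SW3"],
    "VM5": ["SW3"],
    "SW3": ["VM6"],
    "VM6": [],
}


def full_ag(ag: Dict[str, List[str]], n_cr: str, n_tg: str) -> List[List[str]]:
    """Algorithm 2: enumerate every simple attack path from n_cr to n_tg.

    The paper's 'Stack' is the current path; a successor is followed only if
    it is not already on the path (the 'uniquely aligned' check), so cycles
    cannot produce infinite recursion. The list of complete paths is what the
    precomputation stores for later real-time lookup.
    """
    paths: List[List[str]] = []

    def visit(node: str, stack: List[str]) -> None:
        stack.append(node)
        if node == n_tg:
            paths.append(list(stack))
        else:
            for n_next in ag.get(node, []):
                if n_next not in stack:
                    visit(n_next, stack)
        stack.pop()

    visit(n_cr, [])
    return paths


def k_from_times(t_a: float, t_r: float) -> int:
    """Equation (6): the k with k*t_A <= t_R < (k+1)*t_A, i.e. how many hops
    the attacker may have advanced beyond the detected node before the
    response takes effect."""
    if t_a <= 0:
        raise ValueError("t_A must be positive")
    return max(0, int(t_r // t_a))


def rns(ag: Dict[str, List[str]], n_d: str, t_a: float, t_r: float) -> Tuple[Set[str], Set[str]]:
    """Algorithm 1 (RNS): returns (loss_nodes, action_nodes).

    Walks forward from the detected node N_D; each hop consumes one attack
    time t_A from the remaining response time t_R. When t_A > t_R the node is
    the one sent to the Reconfiguration Module (an action node); the nodes
    passed on the way are treated as already lost. Assumption: the paper's
    pseudocode subtracts t_A inside the loop over siblings; here every child
    starts from its parent's remaining time, which is what the k-hop reading
    in the text implies.
    """
    loss: Set[str] = set()
    action: Set[str] = set()

    def walk(node: str, remaining: float, path: Tuple[str, ...]) -> None:
        # A dead end (no further reachable node) is also acted on directly.
        if t_a > remaining or not ag.get(node):
            action.add(node)
            return
        loss.add(node)
        for n_i in ag[node]:
            if n_i not in path:
                walk(n_i, remaining - t_a, path + (n_i,))

    walk(n_d, t_r, (n_d,))
    return loss, action


def total_cost(loss: Set[str], action: Set[str], loss_cost: float = 100, response_cost: float = 100) -> float:
    """Cost model implied by Example 2 (100 per node for both):
    loss_cost * |loss nodes| + response_cost * |action nodes|."""
    return loss_cost * len(loss) + response_cost * len(action)


if __name__ == "__main__":
    paths = full_ag(AG_SDN, "A", "VM6")
    print(len(paths), "precomputed attack paths, e.g.", " -> ".join(paths[0]))
    for t_r in (0.5, 1.0, 2.0):
        loss, action = rns(AG_SDN, "VM2", 1.0, t_r)
        print(f"t_R={t_r}: k={k_from_times(1.0, t_r)} loss={sorted(loss)} "
              f"action={sorted(action)} cost={total_cost(loss, action)}")
```

On this edge set a detection at VM2 with tR = 2 tA yields loss nodes {VM2, SW1} and action nodes {SW2, VM5} (total cost 400, as in Example 2); the action set differs from Figure 6(b)'s SW2 and SW3 because Example 4's AG contains the edge (SW1, VM5). The 15 precomputed paths are what the response module looks up at detection time instead of regenerating the graph.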


The representation of the attack tree L_n associated with the host n ∈ N is as follows:

$L_n : A \subseteq n.vuls$    (7)

This means that the vulnerabilities of a node are combined using logical AND and OR gates.

Given the definitions above, the example SDN can be represented in the form of the HARM as follows.

Example 3. The Upper and Lower Layer Mapping. Figure 8 shows the HARM of the SDN. The HARM for the given SDN model is H = (U, L, M), where U and L are the AG of the upper layer and the set of ATs of the lower layer, and M: U → L is a one-to-one mapping of the upper layer U to the corresponding lower layer L.

Figure 7: A full AG of the SDN. The attacker node A is the root; the paths branch through VM1, VM2, VM3, SW1, SW2, VM4, VM5 and SW3 and terminate at the target VM6.

Figure 8: A HARM of the SDN in Figure 4. Upper layer: the AG from the attacker A over VM1, VM2, VM3, SW1, SW2, VM4, VM5 and SW3 to the target VM6. Lower layer: one AT per node (VM1 to VM6, SW1 to SW3), with leaves labelled by the vulnerability identifiers and probabilities as printed, 2013-0013 (0.58), 2012-0001 (0.93), 2012-4546 (0.43), 2012-4002 (0.90), 2012-2131 (0.75), and "OpenFlow control" (0.75) for the switches. Root and node annotations printed in the figure include 0.971, 0.943, 0.539, 0.387, 0.749, 0.744, 0.723, 0.882 and 0.701.

Example 4. The Upper Layer. The AG shown in Figure 8 is a directed graph AG_SDN = (N_SDN, E_SDN), where N_SDN = {A, VM1, VM2, VM3, VM4, VM5, VM6, SW1, SW2, SW3} and E_SDN = {(A, VM1), (A, VM2), (A, VM3), (VM1, SW1), (VM2, SW1), (VM3, SW1), (VM1, SW2), (SW1, SW2), (SW1, VM5), (SW2, VM4), (SW2, VM5), (SW2, SW3), (VM4, SW3), (VM5, SW3), (SW3, VM6)}.

Example 5. The Lower Layer. The ATs in the lower layer are shown in Figure 8. The set of conditions required to compromise VM1 is given by L_VM1 = (A_VM1, B_VM1, c_VM1, g_VM1, root_VM1), where A_VM1 = {WV1, WV2, WV2'} is the set of leaf components (vulnerabilities), B_VM1 = {AND1, OR1}, c(AND1) = {WV1, WV2'}, c(OR1) = {AND1, WV2}, g_VM1(root_VM1) = OR, and root_VM1 = OR1, with root_VM1 ∈ A_VM1 ∪ B_VM1.

5 Results and Analysis

In this section we investigate the effectiveness of using the full AG for precomputation, taking into account various security metrics. Regardless of which model is used, the computed security metric values are the same; since both the full AG and the HARM compute the same metric values, we do not present them separately.

First, in Section 5.1, we look at the changes in the security metrics with and without a deployed countermeasure, where the countermeasure changes the flow table rules to block attack paths of up to three steps. Then, in Section 5.3, we conduct simulations to compare the performance of computing the AG used in the HARM with that of the precomputed full AG.

5.1 Change in Security Metrics. For this experiment we use the example SDN shown in Figure 3 as our experimental testbed. In this system the service is not available unless packets reach the database, so we assume that the network administrator cannot change the flow table rules of SW3 and VM6 due to system constraints (i.e., they must stay functional for the SDN to keep providing its service). To ensure operability we extend this assumption so that at least one connection path always exists over which users' requests can be handled. Although modifying flows can affect the performance of the SDN, we only consider the minimal cost of enhancing the security of the SDN in this paper (i.e., the minimum number of flow changes for maximum security). For example, an alternative flow path can be used to continue delivering the service, but it may create a bottleneck if the traffic is not managed carefully. We will investigate the trade-off between enhancing security and degrading network performance in our future work.

First we investigate the change in security when predicting a potential attack 1 hop ahead, measuring the change in the probability of attack success and in the system risk. The result, shown in Figure 9, indicates that blocking the flows 1 hop away at SW1 or SW2 minimizes the probability and the risk more than blocking at any other node.

On the other hand, if the detection of an attack was delayed, further steps need to be considered in order to mitigate the attack. So we also look at 2-hop flow blocking, for the node combinations listed in Table 3. The result, shown in Figure 10, is similar to the 1-hop case (i.e., the best practice is to block the flow through SW1 or SW2). However, we observe that the importance of nodes for defense has changed (i.e., the priorities for securing SDN components can vary with the number of hops). For instance, blocking the flow through VM2 and SW2 achieves a similar effect, whereas VM2 on its own was significantly worse in the 1-hop analysis.

Lastly we look at 3-hop flow blocking. Table 4 lists the combinations of three nodes whose flows are blocked. With the given attack scenario there are 21 feasible combinations out of the maximum of 35. Figure 11 shows the result: three conditions that include SW2 minimize the probability of attack success and the system risk, but only one condition that includes SW1 does. This indicates that the various attack paths must be examined as well as the importance of individual nodes. In conclusion, the proposed solution identifies SW2 as the most important SDN component to secure. In general, the most vulnerable node or the node with the most connections to other nodes is the most important one; network centrality measures [30] are another way of analyzing node importance. For the running example the answer is obvious by inspection, but when the SDN becomes larger and more complex the proposed solution finds it easily, whereas doing so by hand would be near impossible and impractical.
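A worked HARM evaluation, added here as Python that is not the paper's code: the lower layer is the AT of Example 5 evaluated with AND/OR gate semantics, the upper layer is the AG of Example 4, and the one-node blocking experiment of this section is reproduced by removing a node's flows and recomputing the metrics. The leaf probabilities, the per-node probabilities of the other hosts, the impact value of 100, and the metric definitions (PAS as the probability of the most probable attack path, risk as the sum over attack paths of path probability times impact) are assumptions; the paper's exact metric definitions are not in the sections shown here. The metrics are computed by dynamic programming over the acyclic upper layer rather than by enumerating paths, which is the scalability point the HARM is meant to make.

```python
"""HARM evaluation of the example SDN and the one-node flow-blocking experiment.

Added example, not the paper's code. The upper layer is the AG of Example 4,
the lower layer for VM1 is the AT of Example 5 (AND1 = {WV1, WV2'},
OR1 = {AND1, WV2}, root = OR1). Leaf probabilities, the per-node
probabilities of the other hosts, the impact value, and the metric
definitions (PAS = most probable attack path, risk = sum over attack paths of
path probability times impact) are assumptions for this example.
"""
from functools import lru_cache
from typing import Dict, List, Tuple

# Lower layer: an AT as gate -> (type, children); leaves are keyed in the leaf table.
# Structure of L_VM1 from Example 5.
AT_VM1 = {
    "AND1": ("AND", ["WV1", "WV2'"]),
    "OR1": ("OR", ["AND1", "WV2"]),
}
ROOT_VM1 = "OR1"
# Constructed leaf probabilities (Figure 8 prints values such as 0.58, 0.93 and
# 0.90 next to its vulnerability IDs; which leaf gets which is an assumption).
LEAF_PROBS_VM1 = {"WV1": 0.58, "WV2": 0.93, "WV2'": 0.90}


def eval_at(gates: Dict[str, Tuple[str, List[str]]], leaf_probs: Dict[str, float], node: str) -> float:
    """Probability that the subtree rooted at `node` is compromised.
    AND gate: every child must be exploited (product);
    OR gate: any child suffices (1 - product of the failure probabilities)."""
    if node in leaf_probs:
        return leaf_probs[node]
    gate, children = gates[node]
    probs = [eval_at(gates, leaf_probs, c) for c in children]
    if gate == "AND":
        p = 1.0
        for x in probs:
            p *= x
        return p
    if gate == "OR":
        q = 1.0
        for x in probs:
            q *= (1.0 - x)
        return 1.0 - q
    raise ValueError(f"unknown gate type {gate!r}")


# Upper layer: Example 4's AG as an adjacency list.
AG_SDN: Dict[str, List[str]] = {
    "A": ["VM1", "VM2", "VM3"], "VM1": ["SW1", "SW2"], "VM2": ["SW1"], "VM3": ["SW1"],
    "SW1": ["SW2", "VM5"], "SW2": ["VM4", "VM5", "SW3"], "VM4": ["SW3"], "VM5": ["SW3"],
    "SW3": ["VM6"], "VM6": [],
}

# Mapping M: U -> L, reduced to the root probability of each node's AT. VM1 is
# evaluated from its AT; the remaining values are constructed (0.971 and 0.943
# are OR-gate roots printed in Figure 8, 0.75 the "OpenFlow control" leaf).
NODE_PROB: Dict[str, float] = {
    "A": 1.0,
    "VM1": eval_at(AT_VM1, LEAF_PROBS_VM1, ROOT_VM1),
    "VM2": 0.971, "VM3": 0.943, "VM4": 0.943, "VM5": 0.971, "VM6": 0.971,
    "SW1": 0.75, "SW2": 0.75, "SW3": 0.75,
}


def harm_metrics(ag: Dict[str, List[str]], node_prob: Dict[str, float], src: str = "A",
                 tgt: str = "VM6", impact: float = 100.0, blocked=()) -> Tuple[float, float]:
    """Returns (PAS, risk) for the HARM with the flows of `blocked` nodes removed.

    Instead of enumerating every path (the full AG), both metrics are computed
    by dynamic programming over the acyclic upper layer, so each node is
    visited once. A node whose flows are blocked is simply unreachable.
    """
    blocked = set(blocked)

    @lru_cache(maxsize=None)
    def best_and_sum(node: str) -> Tuple[float, float]:
        # (max path probability, sum of path probabilities) from `node` to tgt,
        # including the probability of compromising `node` itself.
        if node in blocked:
            return 0.0, 0.0
        if node == tgt:
            return node_prob[node], node_prob[node]
        best = 0.0
        total = 0.0
        for succ in ag.get(node, []):
            b, s = best_and_sum(succ)
            best = max(best, b)
            total += s
        return node_prob[node] * best, node_prob[node] * total

    pas, path_sum = best_and_sum(src)
    return pas, path_sum * impact


def rank_single_blocks(ag: Dict[str, List[str]], node_prob: Dict[str, float],
                       candidates=("VM1", "VM2", "VM3", "VM4", "VM5", "SW1", "SW2")):
    """Section 5.1's one-node experiment: block each candidate's flows in turn
    (SW3 and VM6 are excluded because the service depends on them) and rank
    by the resulting PAS, then risk; the first entry is the best block."""
    results = {n: harm_metrics(ag, node_prob, blocked=(n,)) for n in candidates}
    return sorted(results.items(), key=lambda kv: (kv[1][0], kv[1][1]))


if __name__ == "__main__":
    print("VM1 root probability:", round(NODE_PROB["VM1"], 5))
    print("initial (PAS, risk):", harm_metrics(AG_SDN, NODE_PROB))
    for node, (pas, risk) in rank_single_blocks(AG_SDN, NODE_PROB):
        print(f"block {node}: PAS={pas:.4f} risk={risk:.1f}")
```

With these constructed numbers the ranking puts SW2 first, in line with the text's conclusion, although the absolute values are not those of Figure 9. Blocking SW1 leaves PAS unchanged here because the most probable path (A, VM1, SW2, SW3, VM6) bypasses it, while its risk drops sharply; this is the kind of divergence between the two metrics that the multi-hop experiments above expose.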

5.2 Numerical Sensitivity Analysis. The slower the response to an attack, the more nodes the attacker can attack, resulting in more loss to the system. We conducted an experiment comparing the losses incurred by the system with the cost required to take action within the response time. Since the loss cost and the cost of an action cannot be defined objectively, a sensitivity analysis was applied. In this experiment we calculated the loss and response costs from the detection time and the attack time for the case in which an attacker has successfully attacked VM2.

In the first experiment we applied the sensitivity analysis to the loss cost. The response cost was fixed at 100 and the loss cost was increased from 0 to 500; in each case the total cost was calculated. Figure 12(a) shows the result: the slower the response time relative to the attack time, the higher the total cost.

Second, we applied the sensitivity analysis to the response cost. The loss cost was fixed at 100 and the response cost was increased from 0 to 500, and as before the total cost was calculated for each case. The results in Figure 12(b) show that the total cost varies with the situation. If the defender defends a node that is far from the compromised node, loss may still occur at nodes a relatively short distance away. However, if the cost of a response is greater than the cost of a loss, taking action on multiple nodes significantly increases the total cost. In that case, taking action on a single node farther away, even when the resulting loss is taken into account, may be the way to reduce the total cost.

5.3 Simulation. To investigate the performance of precomputing the full AG in comparison with the AG, we simulate the generation and evaluation time. The precomputation of the full AG matters because it reduces the security evaluation time for real-time mitigation, and the full AG is also used for attack prediction. Since increasing the number of nodes puts both the AG and the full AG in exponential time complexity [16], we focus on generation and evaluation when the flows of certain nodes are blocked, as listed in Table 5.

The comparison results are shown in Figure 13: the full AG outperforms the AG in evaluation time for all the conditions. This indicates that real-time security assessment of a large SDN (or any other general network) using the AG may not be feasible [17], that precomputing all possible attack paths using the full AG is efficient, and that it is more efficient still to use more scalable security models such as the HARM.

6 Discussion and Limitations

6.1 Scalability. The framework provides an approach to assessing the security of the SDN and applying countermeasures to the system using a security model for real-time intrusion response. However, the security model has scalability issues. In our future work we will consider improving the performance of security modeling and analysis for the SDN, as we face exponential time complexity when the number of nodes in the SDN increases.

Figure 9: Block one node vs security metrics. x-axis: node blocked using the flow table (Initial, VM1, VM2, VM3, VM4, VM5, SW1, SW2); left y-axis: PAS (0 to 1); right y-axis: Risk (0 to 1000).

Table 3: A set of two-node block conditions

ID    Nodes
C1    VM1, VM2
C2    VM1, VM3
C3    VM1, VM4
C4    VM1, VM5
C5    VM1, SW2
C6    VM2, VM3
C7    VM2, VM4
C8    VM2, VM5
C9    VM2, SW1
C10   VM2, SW2
C11   VM3, VM4
C12   VM3, VM5
C13   VM3, SW1
C14   VM3, SW2
C15   VM4, VM5
C16   VM4, SW1
C17   VM4, SW2
C18   VM5, SW1

Figure 10: Block two nodes vs security metrics. x-axis: block condition from Table 3 (Initial, C1 to C18); left y-axis: PAS (0 to 1); right y-axis: Risk (0 to 1000).

Table 4: A set of three-node block conditions

ID    Nodes
C1    VM1, VM2, VM4
C2    VM1, VM2, VM5
C3    VM1, VM2, SW2
C4    VM1, VM3, VM4
C5    VM1, VM3, VM5
C6    VM1, VM3, SW2
C7    VM1, VM4, VM5
C8    VM1, VM4, SW2
C9    VM2, VM3, VM4
C10   VM2, VM3, VM5
C11   VM2, VM3, SW1
C12   VM2, VM3, SW2
C13   VM2, VM4, VM5
C14   VM2, VM4, SW1
C15   VM2, VM4, SW2
C16   VM2, VM5, SW1
C17   VM3, VM4, VM5
C18   VM3, VM4, SW1
C19   VM3, VM4, SW2
C20   VM3, VM5, SW1
C21   VM4, VM5, SW1

6.2 SDN Attack Surface. Furthermore, we used only the network devices that exist in the data plane for security modeling. However, the SDN has a variety of components and threat vectors in addition to the data plane. Accordingly, we will incorporate the control plane and the SDN controller into the model in order to assess the security posture over the whole life cycle of the SDN. In addition, a network may well have an internal attacker, but we only used scenarios in which the attacker always breaks in from the outside. We will deal with internal attackers in our future work.

Figure 11: Block three nodes vs security metrics. x-axis: block condition from Table 4 (Initial, C1 to C21); left y-axis: PAS (0 to 1); right y-axis: Risk (0 to 1000).

Loss cost

0

500

1000

1500

2000

2500

3000

3500

Tota

l cos

t

tR lt tAtR = tAtR = 2tA

tR = 3tAtR = 4tA

0 100 200 300 400 500

(a)

0 100 200 300 400 500Response cost

Tota

l cos

t

0

200

400

600

800

1000

1200

1400

tR lt tAtR = tAtR = 2tA

tR = 3tAtR = 4tA

(b)

Figure 12 Cost sensitivity analysis (a) Loss cost vs total cost (b) Response cost vs total cost

Table 5 A set of conditions that include specific node(s)

ID NodesC1 VM1C2 SW2C3 VM1SW2C4 VM4SW1C5 VM2VM4SW2C6 VM3VM5SW1

12 Security and Communication Networks

63 Evaluation Correctness of Different Vulnerabilities Inthis paper we removed the assumption that an IDS may notwork in real time and also the detection rate may not be100 )is is more realistic as an attack which was detectedat the entry point but progressed to install a backdoor on anuserrsquos computer may not be mitigated effectively by onlyenhancing the entry point vulnerability As such we gobeyond securing the point of detection and evaluate thepossible extensions of the damage However we did notexplicitly evaluated the effects of different vulnerabilitiespresent where some system settings may be mitigated wellby securing the detection point (eg security by design) Aswe only focused on the usefulness of precomputation wewill investigate the impact of secure design in the context ofour work in the future

6.4 Multiple Attackers. In this paper, we focused only on a single-attacker version, but in reality there can be multiple attackers trying to exploit the SDN via various entry routes. However, because we already precomputed all possible attack paths and the IDSes are working in real time, our attack response module only has to make sure that different attackers are differentiated when formulating countermeasures. In this way, our proposed solution can mitigate multiple attackers, even ones exploiting different attack surfaces. On the other hand, we only handled targeted attacks. Therefore, volume-based attacks such as DDoS are not appropriately addressed by our solution. We will investigate mitigation schemes for volume-based attacks in the SDN in our future work.

6.5 Network Topology Changes. In this paper, we changed the network flow to respond to the attack when it occurred. However, the network topology of an SDN can be dynamic. Therefore, when the model changes, it is necessary to redo the precomputation for the changed model. This could be a similar solution to the MTD in response to an attack [5]. In our future work, we will investigate the application of precomputation to changing models.

7 Related Work

7.1 General SDN Security. Various security issues related to the SDN have been studied previously [1, 31–34]. Kreutz et al. [6] presented new threat vectors of the SDN that were not present in traditional networks. They also provided some potential solutions to mitigate their identified threats. However, they do not specify the means to evaluate those threats. We aim to provide solutions to some of these problems in this paper. Shin et al. [35] presented a framework named FRESCO, which enhances the security of the OpenFlow protocol for the SDN, allowing them to detect and mitigate attacks. This work shows that SDN components such as SDN switches are prone to cyber attacks. Porras et al. [36] presented SE-Floodlight, an extension to the widely used OpenFlow Floodlight Controller, to provide additional security features that protect the control plane of the SDN. Our paper aims to leverage these technologies and provide a comprehensive security analysis of the SDN.

7.2 Intrusion Detection in SDN. An intrusion is defined as a successfully carried out attack, including any malicious behavior in the system. Intrusion detection is an activity to detect such intrusions. It is ideal to detect all intrusions with 100% accuracy, but in practice this is infeasible. Because intrusion detection is not perfect, there are always false alarms, characterized by true-positive and false-positive rates. Several types of research have been conducted on attack detection in the SDN environment. Dhawan et al. [25] proposed SPHINX, a framework to detect attacks on network topology and data plane forwarding. Braga et al. [26] proposed a lightweight method for detecting DDoS attacks based on traffic flow capabilities. Giotis et al. [27] presented how to apply SDN for distributed denial of service (DDoS) mitigation by using the OpenFlow protocol as a means to enhance the legacy Remote Triggered Black-Hole (RTBH). And in [28], they performed anomaly detection and mitigation in the SDN architecture through an efficient and scalable mechanism. Although not perfect, we can leverage these techniques to detect intrusions in the SDN, which can then be used to formulate optimal countermeasures using the HARM.

7.3 Security Modeling for SDN. For security modeling and analysis, Chung et al. [37] presented NICE, a network intrusion detection and countermeasure selection framework. The core of this framework is using an AG to evaluate the security. However, there are limitations to using an AG due to its scalability issues. Similarly, many of the existing graphical security models, as described in [10, 11], suffer from scalability and adaptability problems [5]. Typically, the scalability problem arises when these models have real-time constraints. In order to address this issue, our approach is to precompute attack scenarios in advance and use them where necessary. Hence, we propose to use a full AG, as presented in [18], to generate all possible attack paths in the precomputation. Moreover, we also use the HARM [17], which supports scalable and adaptable security modeling and analysis. By precomputing all possible attack paths, we can quickly evaluate the security posture of the SDN when an intrusion is detected and formulate effective countermeasures in real time.

Figure 13: Specific node(s) vs. security evaluation time. [Plot: x-axis, Initial and conditions C1 to C6 of Table 5; y-axis, security evaluation time in ms, from 0 to 50; two series, attack graph and full attack graph.]

8 Conclusion

SDN provides functionalities that can dynamically control the network flow, enabling a more robust and economical way of managing network communications. However, it also introduced new vulnerabilities and attack vectors that were not present previously. As a result, many have proposed security solutions to strengthen the SDN against cyber attacks. Nevertheless, there is still a lack of security modeling and analysis for SDN that enables a system administrator to have a systematic security overview of the SDN.

In this paper, we proposed a security modeling and analysis framework with precomputation for the SDN to formulate countermeasures in real time. The precomputation method was used for the AG, the full AG, and the HARM to generate attack scenarios of the current SDN, which can then be used in conjunction with the IDS and correlated with the precomputed attack scenarios. Further, the precomputed models can be used for predicting potential attacks in case the detection mechanisms are delayed. To verify this, we carried out experimental analysis on the SDN testbed and simulations, which showed that our proposed approaches would be practical and effective in the SDN to defend against an ongoing attack in real time.

Data Availability

The vulnerability data used to support the findings of this study are included within the article.

Conflicts of Interest

The authors declare that they have no conflicts of interest.

References

[1] G. Stabler, A. Rosen, S. Goasguen, and K.-C. Wang, "Elastic IP and security groups implementation using OpenFlow," in Proceedings of the 6th International Workshop on Virtualization Technologies in Distributed Computing Date, ser. VTDC '12, pp. 53–60, ACM, New York, NY, USA, 2012.

[2] D. Kreutz, F. M. V. Ramos, P. Veríssimo, C. E. Rothenberg, S. Azodolmolky, and S. Uhlig, "Software-defined networking: a comprehensive survey," Proceedings of the IEEE, vol. 103, no. 1, p. 63, 2015.

[3] M. Tariq, B. Koldehofe, S. Bhowmik, and K. Rothermel, "PLEROMA: a SDN-based high performance publish/subscribe middleware," in Proceedings of the 15th International Middleware Conference (Middleware 2014), pp. 217–228, ACM, New York, NY, USA, 2014.

[4] J. Jafarian, E. Al-Shaer, and Q. Duan, "OpenFlow random host mutation: transparent moving target defense using software defined networking," in Proc. of the 1st Workshop on Hot Topics in Software Defined Networks (HotSDN 2012), pp. 127–132, ACM, New York, NY, USA, 2012.

[5] J. B. Hong and D. S. Kim, "Assessing the effectiveness of moving target defenses using security models," IEEE Transactions on Dependable and Secure Computing, vol. 13, no. 2, pp. 163–177, 2016.

[6] D. Kreutz, F. M. Ramos, and P. Verissimo, "Towards secure and dependable software-defined networks," in Proceedings of the Second ACM SIGCOMM Workshop on Hot Topics in Software Defined Networking, ser. HotSDN '13, pp. 55–60, ACM, New York, NY, USA, 2013.

[7] S. Lee, C. Yoon, C. Lee, S. Shin, V. Yegneswaran, and P. A. Porras, "Delta: a security assessment framework for software-defined networks," in Proceedings of the 2017 Network and Distributed System Security Symposium, San Diego, CA, USA, March 2017.

[8] S. Lee, J. Kim, S. Shin, P. Porras, and V. Yegneswaran, "Athena: a framework for scalable anomaly detection in software-defined networks," in Proceedings of the 2017 47th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN), pp. 249–260, Denver, CO, USA, June 2017.

[9] S. Nanda, F. Zafari, C. DeCusatis, E. Wedaa, and B. Yang, "Predicting network attack patterns in SDN using machine learning approach," in Proceedings of the 2016 IEEE Conference on Network Function Virtualization and Software Defined Networks (NFV-SDN), pp. 167–172, Palo Alto, CA, USA, November 2016.

[10] B. Kordy, L. Piètre-Cambacédès, and P. Schweitzer, "DAG-based attack and defense modeling: don't miss the forest for the attack trees," Computer Science Review, vol. 13-14, pp. 1–38, 2014.

[11] J. B. Hong, D. S. Kim, C.-J. Chung, and D. Huang, "A survey on the usability and practical applications of graphical security models," Computer Science Review, vol. 26, pp. 1–16, 2017.

[12] H. Xu, J. Su, X. Zong, and L. Yan, "Attack identification for software-defined networking based on attack trees and extension innovation methods," in Proceedings of the 2017 9th IEEE International Conference on Intelligent Data Acquisition and Advanced Computing Systems: Technology and Applications (IDAACS), vol. 1, pp. 485–489, Bucharest, Romania, September 2017.

[13] L. Yao, P. Dong, T. Zheng, H. Zhang, X. Du, and M. Guizani, "Network security analyzing and modeling based on Petri net and attack tree for SDN," in Proceedings of the 2016 International Conference on Computing, Networking and Communications (ICNC), pp. 1–5, Kauai, HI, USA, February 2016.

[14] A. Roy, D. Kim, and K. Trivedi, "Scalable optimal countermeasure selection using implicit enumeration on attack countermeasure trees," in Proceedings of the 42nd Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN 2012), pp. 1–12, IEEE Computer Society, Los Alamitos, CA, USA, June 2012.

[15] J. Hong and D. Kim, "Performance analysis of scalable attack representation models," in Security and Privacy Protection in Information Processing Systems (SEC 2013), L. Janczewski, H. Wolfe, and S. Shenoi, Eds., vol. 405, pp. 330–343, Springer, Berlin, Germany, 2013.

[16] R. Lippmann and K. Ingols, "An Annotated Review of Past Papers on Attack Graphs," Technical report ESC-TR-2005-054, MIT Lincoln Laboratory, Lexington, MA, USA, 2005.

[17] J. B. Hong and D. S. Kim, "Towards scalable security analysis using multi-layered security models," Journal of Network and Computer Applications, vol. 75, pp. 156–168, 2016.

[18] K. Ingols, R. Lippmann, and K. Piwowarski, "Practical attack graph generation for network defense," in Proceedings of the 22nd Annual Computer Security Applications Conference (ACSAC 2006), pp. 121–130, Miami Beach, FL, USA, December 2006.

[19] Z. Shu, J. Wan, D. Li, J. Lin, A. V. Vasilakos, and M. Imran, "Security in software-defined networking: threats and countermeasures," Mobile Networks and Applications, vol. 21, no. 5, pp. 764–776, 2016.

[20] M. Albanese, S. Jajodia, and S. Noel, "Time-efficient and cost-effective network hardening using attack graphs," in Proceedings of the 42nd Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN 2012), IEEE Computer Society, Los Alamitos, CA, USA, June 2012.

[21] J. Beale, R. Deraison, H. Meer, R. Temmingh, and C. Walte, NESSUS Project, Syngress Publishing, Burlington, MA, USA, 2002, http://www.nessus.org.

[22] O. Developers, "The open vulnerability assessment system (OpenVAS)," 2012.

[23] J. Hong and D. Kim, "Scalable security model generation and analysis using k-importance measures," in Security and Privacy in Communication Networks (SecureComm 2013), T. Zia, A. Zomaya, V. Varadharajan, and M. Mao, Eds., vol. 127, pp. 270–287, Springer, Berlin, Germany, 2013.

[24] M. Schiffman, G. Eschelbeck, D. Ahmad, A. Wright, and S. Romanosky, CVSS: A Common Vulnerability Scoring System, National Infrastructure Advisory Council (NIAC), 2004.

[25] M. Dhawan, R. Poddar, K. Mahajan, and V. Mann, "SPHINX: detecting security attacks in software-defined networks," in Proceedings of the 2015 Network and Distributed System Security Symposium, vol. 15, pp. 8–11, San Diego, CA, USA, February 2015.

[26] R. Braga, E. M. M. Braga, and A. Passito, "Lightweight DDoS flooding attack detection using NOX/OpenFlow," in Proceedings of the 2010 IEEE 35th Conference on Local Computer Networks, ser. LCN '10, pp. 408–415, IEEE Computer Society, Washington, DC, USA, October 2010.

[27] K. Giotis, G. Androulidakis, and V. Maglaris, "Leveraging SDN for efficient anomaly detection and mitigation on legacy networks," in Proceedings of the 2014 Third European Workshop on Software Defined Networks, ser. EWSDN '14, pp. 85–90, IEEE Computer Society, Washington, DC, USA, September 2014.

[28] K. Giotis, C. Argyropoulos, G. Androulidakis, D. Kalogeras, and V. Maglaris, "Combining OpenFlow and sFlow for an effective and scalable anomaly detection and mitigation mechanism on SDN environments," Computer Networks, vol. 62, pp. 122–136, 2014.

[29] B. Schneier, Secrets and Lies: Digital Security in a Networked World, John Wiley & Sons, Hoboken, NJ, USA, 2000.

[30] J. Hong and D. Kim, "Scalable security analysis in hierarchical attack representation model using centrality measures," in Proceedings of the 43rd Annual IEEE/IFIP International Conference on Dependable Systems and Networks Workshop (DSN-W 2013), pp. 1–8, Budapest, Hungary, June 2013.

[31] N. Gude, T. Koponen, J. Pettit et al., "NOX: towards an operating system for networks," ACM SIGCOMM Computer Communication Review, vol. 38, no. 3, pp. 105–110, 2008.

[32] M. Casado, T. Garfinkel, A. Akella et al., "A protection architecture for enterprise networks," in Proceedings of the 15th Conference on USENIX Security Symposium, Volume 15, ser. USENIX-SS '06, USENIX Association, Berkeley, CA, USA, July 2006.

[33] J. Matias, J. Garay, A. Mendiola, N. Toledo, and E. Jacob, "FlowNAC: flow-based network access control," in Proceedings of the 2014 Third European Workshop on Software Defined Networks, ser. EWSDN '14, pp. 79–84, IEEE Computer Society, Washington, DC, USA, September 2014.

[34] J. B. Guang Yao and P. Xiao, "Source address validation solution with OpenFlow/NOX architecture," in Proceedings of the 2011 19th IEEE International Conference on Network Protocols, pp. 7–12, Vancouver, Canada, October 2011.

[35] S. Shin, P. A. Porras, V. Yegneswaran et al., "Modular composable security services for software-defined networks," in Proceedings of the 20th Annual Network & Distributed System Security Symposium, The Internet Society, San Diego, CA, USA, 2013.

[36] P. Porras, S. Cheung, M. Fong, K. Skinner, and V. Yegneswaran, "Securing the software-defined network control layer," in Proceedings of the 2015 Network and Distributed System Security Symposium (NDSS), San Diego, CA, USA, February 2015.

[37] C.-J. Chung, P. Khatkar, T. Xing, J. Lee, and D. Huang, "NICE: network intrusion detection and countermeasure selection in virtual network systems," IEEE Transactions on Dependable and Secure Computing, vol. 10, no. 4, pp. 198–211, 2013.


same, then k is 1. The defender can then take action on a node that is 1 hop away. Using Algorithm 1, the defender can select the node on which to take action.

$k \times t_A \le t_R < (k + 1) \times t_A$ (6)

The countermeasures should be applied as soon as possible to minimize the loss to the entire system. If t_D and t_C cannot be reduced within t_R, then t_S should be reduced. Rather than calculating the security model in real time when an attack occurs, t_S can be reduced by searching for and applying a model that matches the current situation among the precomputed security models.

4 Precomputation and Attack Prediction for Security Assessment

This section introduces the precomputation of attack scenarios and attack scenario prediction, taking into account the delays in attack detection. We can precompute the attack scenarios in order to reduce the time taken to evaluate them. We also take into account the delays observed in attack detection mechanisms and propose an attack scenario prediction method to enhance the capabilities of SDN defense mechanisms. The generation of both the full graph and the HARM can be found in [17].

4.1 Full Graph. Assessing the security of SDN in real time faces a scalability problem when using existing graphical security models, as presented in Section 7. To address this problem, we precompute all possible attack scenarios using a full AG. By precomputing all possible attack scenarios offline, we can reuse this information in real time when necessary. For the precomputation of attack scenarios, we use a full AG, which represents all possible attack paths. Algorithm 2 is used to generate a full AG. The inputs required are the AG, the attacker location, and the target node. Then the algorithm searches for all possible attack paths of the given attack scenario. Given the attacker outside the SDN and the target node VM6, the full AG of the example SDN is shown in Figure 7. For simplicity, we only represented the attack paths of VMs, as the size of the full AG grows exponentially relative to the AG above.

4.2 HARM. The full AG above is used for fast real-time security assessment of particular attack scenarios. However, it is not scalable to enumerate all possible attack scenarios for a security overview of the SDN. Instead, we use the HARM [17] to assess the security of the SDN in a more scalable manner. The HARM models network nodes and their vulnerabilities onto multiple layers and utilizes the benefits of hierarchy to reduce the scalability complexity. We generate a 2-HARM (a two-layered HARM) of the example SDN as shown in Figure 8. The formalism of the 2-HARM is as follows.

Definition 4. The two-layered HARM is defined as a 3-tuple H = (U, L, M). Here, U is the AG, L is the set of ATs for H, and M is the mapping between the upper layer components and the lower layer components. This mapping is described by M: U ⟶ L. Each host in the upper layer may have a corresponding AT in the lower layer.

The upper layer of the HARM uses the AG to represent the reachability between the nodes in the SDN (i.e., the VMs and the switches). Hence, we define U as follows.

Definition 5. An AG in the upper layer of the HARM is defined as a 2-tuple U = (N, E), where N is a finite set of nodes in the SDN and E ⊆ N × N is a set of edges, each of which is a pair of nodes.

The lower layer of the HARM is a set of attack trees (ATs) [29], where each AT represents the vulnerability information of one upper layer node of the HARM (i.e., an SDN node). We define each L in the lower layer of the HARM as follows.

Definition 6. An AT in the lower layer of the HARM is defined as a 5-tuple L = (A, B, c, g, root), where A is a finite set of vulnerabilities and B is a set of gates, which are the inner nodes of L. We require A ∩ B = ∅ and root ∈ A ∪ B. Function c: B ⟶ P(A ∪ B) describes the children of each inner node in the AT (we assume there are no cycles). Function g: B ⟶ {AND, OR} describes the type of each gate. The representation of the attack tree L_n associated with the host n ∈ N is as follows:

$L_n = A \subseteq n_{\mathrm{vuls}}$ (7)

This means that the vulnerabilities of a node are combined using logical AND and OR gates.

Algorithm 1 Response node selection algorithm

    procedure RNS(AG_SDN, N_D, t_A, t_R)
        if t_A > t_R then
            Send N_D to Reconfiguration Module
        else
            t_R ⟵ t_R − t_A            (the attacker consumes one hop of the budget)
            for all E from N_D to N_i do
                RNS(AG_SDN, N_i, t_A, t_R)
            end for
        end if
    end procedure

Algorithm 2 Algorithm to generate a full AG

    procedure fullAG(AG, N_cr, N_tg)
        Mark N_cr visited
        Stack.push(N_cr)
        if N_cr = N_tg then
            Return Stack               (one complete attack path)
        else if Sizeof(E_Ncr) ≠ 0 then
            for i ⟵ 0 to Sizeof(E_Ncr) in AG do
                N_next ⟵ destination of E_Ncr[i]
                if N_next is not visited then
                    fullAG(AG, N_next, N_tg)
                end if
            end for
        else
            Stack.clear                (dead end: discard the partial path)
        end if
    end procedure

Given the definitions above, the example SDN in the form of the HARM can be represented as follows.

Example 3. The Upper and Lower Layer Mapping. Figure 8 shows the HARM of the SDN. The HARM for the given SDN model is H = (U, L, M), where U and L are the AG and the set of ATs in the upper and the lower layer, and M: U ⟶ L is a one-to-one mapping of the upper layer U to the corresponding lower layer L.

Figure 7: A full AG of the SDN. [Figure: the tree of all attack paths from the attacker A through VM1, VM2, VM3, SW1, SW2, VM4, VM5, and SW3, each ending at the target VM6.]

Figure 8: A HARM of the SDN in Figure 4. [Figure: upper layer, the AG from an attacker A over VM1, VM2, VM3, SW1, SW2, VM4, VM5, and SW3 to the target VM6; lower layer, one AT per node whose leaves are vulnerabilities (CVE identifiers with their probability values) and OpenFlow control, combined by AND/OR gates beneath a root.]

Example 4. The Upper Layer. The AG shown in Figure 8 is a directed graph AG_SDN = (N_SDN, E_SDN), where N_SDN = {A, VM1, VM2, VM3, VM4, VM5, VM6, SW1, SW2, SW3} and E_SDN = {(A, VM1), (A, VM2), (A, VM3), (VM1, SW1), (VM2, SW1), (VM3, SW1), (VM1, SW2), (SW1, SW2), (SW1, VM5), (SW2, VM4), (SW2, VM5), (SW2, SW3), (VM4, SW3), (VM5, SW3), (SW3, VM6)}.

Example 5. The Lower Layer. The ATs in the lower layer are shown in Figure 8. The set of conditions required to compromise VM1 is given by L_VM1 = (A_VM1, B_VM1, c_VM1, g_VM1, root_VM1), where A_VM1 = {WV1, WV2, WV2′} is a set of components which are the leaves (vulnerabilities), B_VM1 = {AND1, OR1}, c(AND1) = {WV1, WV2′}, c(OR1) = {AND1, WV2}, g_VM1(root_VM1) = OR1, and root_VM1 = root, root ∈ A_VM1 ∪ B_VM1.
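As an added example (not the paper's own code), the following Python builds the upper-layer AG of Example 4, enumerates its full AG as in Algorithm 2, applies the response node selection of Algorithm 1 under the hop budget of Eq. (6), and uses a plain attack-path count (an assumption made here; the paper's PAS and risk metrics also need the lower-layer AT data of Figure 8) to reproduce the 1-hop ranking of Section 5.1, where SW1 and SW2 come out as the most effective flows to block. The t_A and t_R values are constructed for illustration.

```python
# Added example, not from the paper: the example SDN attack graph of
# Example 4, the full-AG enumeration of Algorithm 2, and the response node
# selection of Algorithm 1 / Eq. (6), with a path-count metric (an
# assumption; the paper uses PAS and risk) to rank single-node flow blocks.
from collections import defaultdict

# Upper-layer AG of the example SDN: exactly E_SDN from Example 4.
E_SDN = [
    ("A", "VM1"), ("A", "VM2"), ("A", "VM3"),
    ("VM1", "SW1"), ("VM2", "SW1"), ("VM3", "SW1"), ("VM1", "SW2"),
    ("SW1", "SW2"), ("SW1", "VM5"),
    ("SW2", "VM4"), ("SW2", "VM5"), ("SW2", "SW3"),
    ("VM4", "SW3"), ("VM5", "SW3"), ("SW3", "VM6"),
]


def build_ag(edges, blocked=()):
    """Adjacency map of the AG. `blocked` are nodes whose flows the
    controller has removed from the flow tables (no edge in or out)."""
    ag = defaultdict(list)
    for src, dst in edges:
        if src not in blocked and dst not in blocked:
            ag[src].append(dst)
    return ag


def full_ag(ag, n_cr, n_tg, stack=None, paths=None):
    """Algorithm 2: depth-first search recording every attack path from
    the current node n_cr to the target n_tg (the full AG)."""
    if stack is None:                   # first call: empty stack, no paths
        stack, paths = [], []
    stack.append(n_cr)                  # Mark N_cr visited / Stack.push(N_cr)
    if n_cr == n_tg:
        paths.append(tuple(stack))      # Return Stack: one complete path
    else:
        for n_next in ag.get(n_cr, []):         # every edge E_Ncr in AG
            if n_next not in stack:             # never revisit a node
                full_ag(ag, n_next, n_tg, stack, paths)
    stack.pop()                         # backtrack before trying siblings
    return paths


def rns(ag, n_d, t_a, t_r):
    """Algorithm 1: response node selection. From the detected node n_d
    the attacker gains one hop per t_a, and the defender needs t_r until a
    reconfiguration takes effect, so the response lands k hops ahead with
    k*t_a <= t_r < (k+1)*t_a (Eq. 6). Returns the nodes to reconfigure.
    A dead end (no outgoing edges) is handled by responding at that node."""
    if t_a > t_r or not ag.get(n_d):
        return {n_d}                    # Send N_D to Reconfiguration Module
    targets = set()
    for n_i in ag[n_d]:
        targets |= rns(ag, n_i, t_a, t_r - t_a)
    return targets


def attack_path_count(blocked=()):
    """Attack paths from the attacker A to the target VM6 that survive once
    the flows of `blocked` nodes are removed (path count, not the PAS)."""
    return len(full_ag(build_ag(E_SDN, blocked), "A", "VM6"))


def rank_single_blocks(
        candidates=("VM1", "VM2", "VM3", "VM4", "VM5", "SW1", "SW2")):
    """1-hop analysis of Section 5.1: block each candidate alone (SW3 and
    VM6 are excluded because the service must keep running) and order the
    candidates by how many attack paths remain, fewest first."""
    return sorted(candidates, key=lambda n: attack_path_count((n,)))


if __name__ == "__main__":
    ag = build_ag(E_SDN)
    print(f"full AG: {len(full_ag(ag, 'A', 'VM6'))} attack paths A -> VM6")
    for node in rank_single_blocks():
        print(f"block {node:>3}: {attack_path_count((node,))} paths remain")
    # Constructed timings: the attacker needs 10 per hop, the response 25,
    # so k = 2 and the defender reconfigures two hops ahead of VM2.
    print("respond at:", sorted(rns(ag, "VM2", 10, 25)))
```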

5 Result and Analysis

In this section, we investigate the effectiveness of using the full AG for precomputation, taking into account various security metrics. Regardless of which model we use, the security metric computed will be the same. Since both the full AG and the HARM compute the same metric values, we do not explicitly present those results in this paper.

First, we look at changes in security metrics with and without deploying countermeasures, where we change the flow table rules to block attack paths up to three steps, in Section 5.1. Then we conduct simulations to investigate the performance difference between computing an AG used in the HARM and a full AG for precomputation, in Section 5.3.

5.1 Change in Security Metrics. For this experiment, we use the example SDN shown in Figure 3 as our experimental testbed. In this system, the service is not available unless a packet is sent to the database. So we assume that the network administrator cannot change the flow table rules of SW3 and VM6 due to system constraints (i.e., they need to be functional to continuously provide the SDN service). To ensure operability, we extend this assumption such that at least one connection path exists over which users' requests can be handled. Although modifying flows can affect the performance of the SDN, we only consider the minimal cost to enhance the security of the SDN in this paper (i.e., the minimum number of flow changes for maximized security). For example, an alternative flow path can be used to continue delivering the service, but it may create a bottleneck effect if the traffic is not managed carefully. We will investigate the trade-off between enhancing security and degrading network performance in our future work.

First, we investigate the change in security when predicting a potential attack at 1 hop, and then we measure the change in the probability of attack success and the system risk. The result is shown in Figure 9, which shows that blocking the 1-hop flows at SW1 or SW2 minimizes the probability and the risk more than blocking at other nodes.

On the other hand, if the detection of an attack was delayed, we need to consider further steps in order to mitigate the attack. So we also look at 2-hop flow blocking of nodes, where the combinations are shown in Table 3. The result is shown in Figure 10, which shows a similar result to the 1-hop blocking (i.e., the best practice is to block flow through SW1 or SW2). However, we observe that the importance of nodes for defense has changed (i.e., the priorities to secure SDN components can vary when the number of hops changes). For instance, blocking the flow through VM2 and SW2 can also achieve a similar effect, whereas VM2 in the 1-hop analysis was significantly worse.

Lastly, we look at the 3-hop flow blocking. Table 4 shows the combinations of three nodes and their flows to be blocked. With the given attack scenario, we have 21 possible combinations of nodes out of the maximum number of 35. Figure 11 shows the result, where three conditions that include SW2 minimized the probability of attack success and the system risk, but only one condition that includes SW1 did. This indicates that we must look into the various attack paths as well as the importance of nodes. In conclusion, we observe that our proposed solution has identified SW2 as the most important SDN component to secure. In general, the most vulnerable node or the node with many connections to other nodes in the network can be the most important node. Another method of analyzing the importance of nodes is the network centrality measure [30]. For the running example, it is obvious enough to pick this up by inspection, but when the SDN becomes larger and more complex, this can be done easily using the proposed solution, whereas it would be near impossible and impractical by human effort.

5.2 Numerical Sensitivity Analysis. The slower the response to an attack, the more attackers can attack the node. This results in more loss to the system. We conducted an experiment to compare the losses incurred in the system with the costs required to take action within the response time. Since loss cost and cost of action cannot be defined objectively, a sensitivity analysis methodology was applied. In this experiment, we calculated loss and response costs based on the detection time and the attack time when an attacker successfully attacked VM2.

In the first experiment, we applied a sensitivity analysis to the loss cost. The response cost was fixed at 100, and the loss cost was increased from 0 to 500. In each case, the total cost of ownership was calculated. Figure 12(a) shows the experimental result. As the response time becomes slower than the attack time, the total cost becomes higher.

Second, we applied a sensitivity analysis to the response cost. The loss cost was fixed at 100, and the response cost was increased from 0 to 500. As in the previous experiment, we calculated the total cost for each case. The experimental results show that the total cost of ownership varies depending on the situation, as in Figure 12(b). If a defender defends a node that is far from the compromised node, loss cost may occur at a node with a relatively short distance. However, if the cost of response is greater than the cost of loss, taking action on multiple nodes significantly increases the total cost of ownership. In this case, taking action on one node that is farther away, even if the loss is considered, may be a way to save on the total cost of ownership.

5.3 Simulation. To investigate the performance of precomputing the full AG in comparison to the AG, we measure the generation and evaluation time via simulations. The precomputation of the full AG is important as it reduces the security evaluation time for real-time mitigation, while it is also used for attack prediction. As increasing the number of nodes puts both the AG and the full AG in an exponential time complexity [16], we focus on generation and evaluation when certain node flows are blocked, as shown in Table 5.

The comparison results are shown in Figure 13; it shows that the full AG outperforms the AG in terms of evaluation time for all the conditions. This indicates that real-time security assessment for a large-sized SDN (or any other general network) using the AG may not be feasible [17], and that there is an efficiency gain in precomputing all possible attack paths using the full AG. It is also more efficient to utilize more scalable security models such as the HARM.

6 Discussion and Limitations

6.1 Scalability. The framework provides an approach to assessing the security of the SDN and applying countermeasures to the system using a security model for real-time intrusion responses. However, the security model has scalability issues. In our future work, we will consider improving the performance of security modeling and analysis for the SDN, as we face an exponential time complexity when the number of nodes in the SDN increases.

Figure 9: Block one node vs. security metrics. [Plot: x-axis, blocked node using flow table (Initial, VM1, VM2, VM3, VM4, VM5, SW1, SW2); left y-axis, PAS from 0 to 1; right y-axis, Risk from 0 to 1000.]

Table 3: A set of two-node block conditions

    ID    Nodes
    C1    VM1, VM2
    C2    VM1, VM3
    C3    VM1, VM4
    C4    VM1, VM5
    C5    VM1, SW2
    C6    VM2, VM3
    C7    VM2, VM4
    C8    VM2, VM5
    C9    VM2, SW1
    C10   VM2, SW2
    C11   VM3, VM4
    C12   VM3, VM5
    C13   VM3, SW1
    C14   VM3, SW2
    C15   VM4, VM5
    C16   VM4, SW1
    C17   VM4, SW2
    C18   VM5, SW1

Figure 10: Block two nodes vs. security metrics. [Plot: x-axis, blocked node condition (Initial, C3, C6, ..., C18 from Table 3); left y-axis, PAS from 0 to 1; right y-axis, Risk from 0 to 1000.]

Table 4: A set of three-node block conditions

    ID    Nodes
    C1    VM1, VM2, VM4
    C2    VM1, VM2, VM5
    C3    VM1, VM2, SW2
    C4    VM1, VM3, VM4
    C5    VM1, VM3, VM5
    C6    VM1, VM3, SW2
    C7    VM1, VM4, VM5
    C8    VM1, VM4, SW2
    C9    VM2, VM3, VM4
    C10   VM2, VM3, VM5
    C11   VM2, VM3, SW1
    C12   VM2, VM3, SW2
    C13   VM2, VM4, VM5
    C14   VM2, VM4, SW1
    C15   VM2, VM4, SW2
    C16   VM2, VM5, SW1
    C17   VM3, VM4, VM5
    C18   VM3, VM4, SW1
    C19   VM3, VM4, SW2
    C20   VM3, VM5, SW1
    C21   VM4, VM5, SW1

62 SDN Attack Surface Furthermore we use networkdevices that exist in the data plane for security modelingHowever SDN has a variety of components and threatvectors in addition to the data plane Accordingly we willincorporate the control plane and the SDN controller in themodel in order to assess the security posture of the whole

life-cycle of the SDN In addition the network may normallyhave an internal attacker But we only used scenarios inwhich attacker would always break in from the outside Wecan deal with internal attacker in our future work

PASRisk

Initial C3 C6 C9 C12 C15 C18 C21

Block nodes using flow table

0

02

04

06

08

1

PAS

0

200

400

600

800

1000

Risk

Figure 11 Block three nodes vs security metrics

Loss cost

0

500

1000

1500

2000

2500

3000

3500

Tota

l cos

t

tR lt tAtR = tAtR = 2tA

tR = 3tAtR = 4tA

0 100 200 300 400 500

(a)

0 100 200 300 400 500Response cost

Tota

l cos

t

0

200

400

600

800

1000

1200

1400

tR lt tAtR = tAtR = 2tA

tR = 3tAtR = 4tA

(b)

Figure 12 Cost sensitivity analysis (a) Loss cost vs total cost (b) Response cost vs total cost

Table 5 A set of conditions that include specific node(s)

ID NodesC1 VM1C2 SW2C3 VM1SW2C4 VM4SW1C5 VM2VM4SW2C6 VM3VM5SW1

12 Security and Communication Networks

63 Evaluation Correctness of Different Vulnerabilities Inthis paper we removed the assumption that an IDS may notwork in real time and also the detection rate may not be100 )is is more realistic as an attack which was detectedat the entry point but progressed to install a backdoor on anuserrsquos computer may not be mitigated effectively by onlyenhancing the entry point vulnerability As such we gobeyond securing the point of detection and evaluate thepossible extensions of the damage However we did notexplicitly evaluated the effects of different vulnerabilitiespresent where some system settings may be mitigated wellby securing the detection point (eg security by design) Aswe only focused on the usefulness of precomputation wewill investigate the impact of secure design in the context ofour work in the future

64 Multiple Attackers In this paper we focused only on asingle attacker version but in reality there can be multipleattackers trying to exploit the SDN in various entry routesHowever because we already precomputed all possible at-tack paths and the IDSes are working in real time our attackresponse module only has to make sure that different at-tackers are differentiated when formulating countermea-sures In this way our proposed solution can mitigatemultiple attackers even exploiting different attack surfacesOn the other hand we only handled targeted attacks)erefore volume-based attacks such as DDoS are notappropriately addressed by our solution We will investigatethe mitigation schemes for volume-based attacks in the SDNin our future work

6.5. Network Topology Changes. In this paper, we changed the network flow to respond to the attack when it occurred. However, the network topology of an SDN can be dynamic. Therefore, when the model changes, it is necessary to redo the precomputation for the changed model. This could be a similar solution to the MTD in response to an attack [5]. In our future work, we will investigate the application of precomputation to changing models.

7. Related Work

7.1. General SDN Security. Various security issues related to the SDN have been studied previously [1, 31–34]. Kreutz et al. [6] presented new threat vectors of the SDN that were not present in traditional networks. They also provided some potential solutions to mitigate their identified threats; however, they do not specify the means to evaluate those threats. We aim to provide solutions to some of these problems in this paper. Shin et al. [35] presented a framework named FRESCO, which enhances the security of the OpenFlow protocol for the SDN, allowing them to detect and mitigate attacks. This work shows that SDN components such as SDN switches are prone to cyber attacks. Porras et al. [36] presented SE-Floodlight, an extension to the widely used OpenFlow Floodlight Controller, to provide additional security features to protect the control plane of the SDN. Our paper aims to leverage these technologies and provide a comprehensive security analysis of the SDN.

7.2. Intrusion Detection in SDN. An intrusion is defined as a successfully carried out attack, including any malicious behavior in the system. Intrusion detection is an activity to detect such intrusions. It is ideal to detect all intrusions with 100% accuracy, but in practice this is infeasible. Because intrusion detection is not perfect, there are always false alarms, which are characterised by the true-positive and false-positive rates. Several types of research have been conducted on attack detection in the SDN environment. Dhawan et al. [25] proposed SPHINX, a framework to detect attacks on network topology and data plane forwarding. Braga et al. [26] proposed a lightweight method for detecting DDoS attacks based on traffic flow capabilities. Giotis et al. [27] presented how to apply SDN for distributed denial of service (DDoS) mitigation by using the OpenFlow protocol as a means to enhance the legacy Remote Triggered Black-Hole (RTBH). In [28], they performed anomaly detection and mitigation in the SDN architecture through an efficient and scalable mechanism. Although not perfect, we can leverage these techniques to detect intrusions in the SDN, which can then be used to formulate optimal countermeasures using the HARM.

7.3. Security Modeling for SDN. For security modeling and analysis, Chung et al. [37] presented NICE, a network intrusion detection and countermeasure selection framework. The core of this framework is using an AG to evaluate the security. However, there are limitations of using an AG due to its scalability issues. Similarly, many of the existing graphical security models, as described in [10, 11], suffer from scalability and adaptability problems [5]. Typically, the scalability problem arises when these models have real-time constraints. In order to address this issue, our approach is to precompute attack scenarios in advance and use them where necessary. Hence, we propose to use a full AG, as presented in [18], to generate all possible attack paths in the precomputation. Moreover, we also use the HARM [17], which supports scalable and adaptable security modeling and analysis. By precomputing all possible attack paths, we can quickly evaluate the security posture of the SDN when an intrusion is detected and formulate effective countermeasures in real time.

Figure 13: Specific node(s) vs. security evaluation time. X-axis: specific nodes (Initial, C1–C6 of Table 5); Y-axis: security evaluation time (ms), 0–50; series: attack graph, full attack graph.

8. Conclusion

SDN provides functionalities that can dynamically control the network flow, enabling a more robust and economical way of managing network communications. However, it also introduced new vulnerabilities and attack vectors that were not present previously. As a result, many have proposed security solutions to strengthen the SDN against cyber attacks. Nevertheless, there is still a lack of security modeling and analysis for the SDN that enables a system administrator to have a systematic security overview of the SDN.

In this paper, we proposed a security modeling and analysis framework with precomputation for the SDN to formulate countermeasures in real time. The precomputation method was used for the AG, the full AG, and the HARM to generate attack scenarios of the current SDN, which can then be used in conjunction with the IDS and correlated with the precomputed attack scenarios. Further, the precomputed models can be used for predicting potential attacks in case the detection mechanisms are delayed. To verify this, we carried out experimental analysis on the SDN testbed and simulations, which showed that our proposed approaches would be practical and effective in the SDN to defend against an ongoing attack in real time.

Data Availability

The vulnerability data used to support the findings of this study are included within the article.

Conflicts of Interest

The authors declare that they have no conflicts of interest.

References

[1] G. Stabler, A. Rosen, S. Goasguen, and K.-C. Wang, "Elastic IP and security groups implementation using OpenFlow," in Proceedings of the 6th International Workshop on Virtualization Technologies in Distributed Computing Date (VTDC '12), pp. 53–60, ACM, New York, NY, USA, 2012.

[2] D. Kreutz, F. M. V. Ramos, P. Veríssimo, C. E. Rothenberg, S. Azodolmolky, and S. Uhlig, "Software-defined networking: a comprehensive survey," Proceedings of the IEEE, vol. 103, no. 1, p. 63, 2015.

[3] M. Tariq, B. Koldehofe, S. Bhowmik, and K. Rothermel, "PLEROMA: a SDN-based high performance publish/subscribe middleware," in Proceedings of the 15th International Middleware Conference (Middleware 2014), pp. 217–228, ACM, New York, NY, USA, 2014.

[4] J. Jafarian, E. Al-Shaer, and Q. Duan, "OpenFlow random host mutation: transparent moving target defense using software defined networking," in Proceedings of the 1st Workshop on Hot Topics in Software Defined Networks (HotSDN 2012), pp. 127–132, ACM, New York, NY, USA, 2012.

[5] J. B. Hong and D. S. Kim, "Assessing the effectiveness of moving target defenses using security models," IEEE Transactions on Dependable and Secure Computing, vol. 13, no. 2, pp. 163–177, 2016.

[6] D. Kreutz, F. M. Ramos, and P. Verissimo, "Towards secure and dependable software-defined networks," in Proceedings of the Second ACM SIGCOMM Workshop on Hot Topics in Software Defined Networking (HotSDN '13), pp. 55–60, ACM, New York, NY, USA, 2013.

[7] S. Lee, C. Yoon, C. Lee, S. Shin, V. Yegneswaran, and P. A. Porras, "Delta: a security assessment framework for software-defined networks," in Proceedings of the 2017 Network and Distributed System Security Symposium, San Diego, CA, USA, March 2017.

[8] S. Lee, J. Kim, S. Shin, P. Porras, and V. Yegneswaran, "Athena: a framework for scalable anomaly detection in software-defined networks," in Proceedings of the 2017 47th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN), pp. 249–260, Denver, CO, USA, June 2017.

[9] S. Nanda, F. Zafari, C. DeCusatis, E. Wedaa, and B. Yang, "Predicting network attack patterns in SDN using machine learning approach," in Proceedings of the 2016 IEEE Conference on Network Function Virtualization and Software Defined Networks (NFV-SDN), pp. 167–172, Palo Alto, CA, USA, November 2016.

[10] B. Kordy, L. Piètre-Cambacédès, and P. Schweitzer, "DAG-based attack and defense modeling: don't miss the forest for the attack trees," Computer Science Review, vol. 13-14, pp. 1–38, 2014.

[11] J. B. Hong, D. S. Kim, C.-J. Chung, and D. Huang, "A survey on the usability and practical applications of graphical security models," Computer Science Review, vol. 26, pp. 1–16, 2017.

[12] H. Xu, J. Su, X. Zong, and L. Yan, "Attack identification for software-defined networking based on attack trees and extension innovation methods," in Proceedings of the 2017 9th IEEE International Conference on Intelligent Data Acquisition and Advanced Computing Systems: Technology and Applications (IDAACS), vol. 1, pp. 485–489, Bucharest, Romania, September 2017.

[13] L. Yao, P. Dong, T. Zheng, H. Zhang, X. Du, and M. Guizani, "Network security analyzing and modeling based on Petri net and attack tree for SDN," in Proceedings of the 2016 International Conference on Computing, Networking and Communications (ICNC), pp. 1–5, Kauai, HI, USA, February 2016.

[14] A. Roy, D. Kim, and K. Trivedi, "Scalable optimal countermeasure selection using implicit enumeration on attack countermeasure trees," in Proceedings of the 42nd Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN 2012), pp. 1–12, IEEE Computer Society, Los Alamitos, CA, USA, June 2012.

[15] J. Hong and D. Kim, "Performance analysis of scalable attack representation models," in Security and Privacy Protection in Information Processing Systems (SEC 2013), L. Janczewski, H. Wolfe, and S. Shenoi, Eds., vol. 405, pp. 330–343, Springer, Berlin, Germany, 2013.

[16] R. Lippmann and K. Ingols, "An annotated review of past papers on attack graphs," Technical Report ESC-TR-2005-054, MIT Lincoln Laboratory, Lexington, MA, USA, 2005.

[17] J. B. Hong and D. S. Kim, "Towards scalable security analysis using multi-layered security models," Journal of Network and Computer Applications, vol. 75, pp. 156–168, 2016.

[18] K. Ingols, R. Lippmann, and K. Piwowarski, "Practical attack graph generation for network defense," in Proceedings of the 22nd Annual Computer Security Applications Conference (ACSAC 2006), pp. 121–130, Miami Beach, FL, USA, December 2006.

[19] Z. Shu, J. Wan, D. Li, J. Lin, A. V. Vasilakos, and M. Imran, "Security in software-defined networking: threats and countermeasures," Mobile Networks and Applications, vol. 21, no. 5, pp. 764–776, 2016.

[20] M. Albanese, S. Jajodia, and S. Noel, "Time-efficient and cost-effective network hardening using attack graphs," in Proceedings of the 42nd Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN 2012), IEEE Computer Society, Los Alamitos, CA, USA, June 2012.

[21] J. Beale, R. Deraison, H. Meer, R. Temmingh, and C. Walte, NESSUS Project, Syngress Publishing, Burlington, MA, USA, 2002, http://www.nessus.org.

[22] OpenVAS Developers, "The Open Vulnerability Assessment System (OpenVAS)," 2012.

[23] J. Hong and D. Kim, "Scalable security model generation and analysis using k-importance measures," in Security and Privacy in Communication Networks (SecureComm 2013), T. Zia, A. Zomaya, V. Varadharajan, and M. Mao, Eds., vol. 127, pp. 270–287, Springer, Berlin, Germany, 2013.

[24] M. Schiffman, G. Eschelbeck, D. Ahmad, A. Wright, and S. Romanosky, CVSS: A Common Vulnerability Scoring System, National Infrastructure Advisory Council (NIAC), 2004.

[25] M. Dhawan, R. Poddar, K. Mahajan, and V. Mann, "SPHINX: detecting security attacks in software-defined networks," in Proceedings of the 2015 Network and Distributed System Security Symposium, vol. 15, pp. 8–11, San Diego, CA, USA, February 2015.

[26] R. Braga, E. M. M. Braga, and A. Passito, "Lightweight DDoS flooding attack detection using NOX/OpenFlow," in Proceedings of the 2010 IEEE 35th Conference on Local Computer Networks (LCN '10), pp. 408–415, IEEE Computer Society, Washington, DC, USA, October 2010.

[27] K. Giotis, G. Androulidakis, and V. Maglaris, "Leveraging SDN for efficient anomaly detection and mitigation on legacy networks," in Proceedings of the 2014 Third European Workshop on Software Defined Networks (EWSDN '14), pp. 85–90, IEEE Computer Society, Washington, DC, USA, September 2014.

[28] K. Giotis, C. Argyropoulos, G. Androulidakis, D. Kalogeras, and V. Maglaris, "Combining OpenFlow and sFlow for an effective and scalable anomaly detection and mitigation mechanism on SDN environments," Computer Networks, vol. 62, pp. 122–136, 2014.

[29] B. Schneier, Secrets and Lies: Digital Security in a Networked World, John Wiley & Sons, Hoboken, NJ, USA, 2000.

[30] J. Hong and D. Kim, "Scalable security analysis in hierarchical attack representation model using centrality measures," in Proceedings of the 43rd Annual IEEE/IFIP International Conference on Dependable Systems and Networks Workshop (DSN-W 2013), pp. 1–8, Budapest, Hungary, June 2013.

[31] N. Gude, T. Koponen, J. Pettit et al., "NOX: towards an operating system for networks," ACM SIGCOMM Computer Communication Review, vol. 38, no. 3, pp. 105–110, 2008.

[32] M. Casado, T. Garfinkel, A. Akella et al., "A protection architecture for enterprise networks," in Proceedings of the 15th Conference on USENIX Security Symposium, Volume 15 (USENIX-SS '06), USENIX Association, Berkeley, CA, USA, July 2006.

[33] J. Matias, J. Garay, A. Mendiola, N. Toledo, and E. Jacob, "FlowNAC: flow-based network access control," in Proceedings of the 2014 Third European Workshop on Software Defined Networks (EWSDN '14), pp. 79–84, IEEE Computer Society, Washington, DC, USA, September 2014.

[34] J. B. Guang Yao and P. Xiao, "Source address validation solution with OpenFlow/NOX architecture," in Proceedings of the 2011 19th IEEE International Conference on Network Protocols, pp. 7–12, Vancouver, Canada, October 2011.

[35] S. Shin, P. A. Porras, V. Yegneswaran et al., "Modular composable security services for software-defined networks," in Proceedings of the 20th Annual Network & Distributed System Security Symposium, The Internet Society, San Diego, CA, USA, 2013.

[36] P. Porras, S. Cheung, M. Fong, K. Skinner, and V. Yegneswaran, "Securing the software-defined network control layer," in Proceedings of the 2015 Network and Distributed System Security Symposium (NDSS), San Diego, CA, USA, February 2015.

[37] C.-J. Chung, P. Khatkar, T. Xing, J. Lee, and D. Huang, "NICE: network intrusion detection and countermeasure selection in virtual network systems," IEEE Transactions on Dependable and Secure Computing, vol. 10, no. 4, pp. 198–211, 2013.


representation of the attack tree $L_n$ associated with the host $n \in N$ is as follows:

$L_n : A \subseteq n.\mathrm{vuls}$ (7)

This means that the vulnerabilities of a node are combined using logical AND and OR gates.

Given the definitions above, the example SDN in the form of the HARM can be represented as follows.

Example 3 (The Upper and Lower Layer Mapping). Figure 8 shows the HARM of the SDN. The HARM for the given SDN model is $H = (U, L, M)$, where $U$ and $L$ are the AG and the set of ATs in the upper and the lower layer, respectively, and $M: U \to L$ is a one-to-one mapping of the upper layer $U$ to the corresponding lower layer $L$.

Figure 7: A full AG of the SDN (nodes: the attacker A, VM1–VM6, and SW1–SW3).

Figure 8: A HARM of the SDN in Figure 4. Upper layer: the AG from the attacker A to the target VM6 over VM1–VM6 and SW1–SW3, annotated with attack success probabilities. Lower layer: one AT per node whose leaves are its vulnerabilities (CVE IDs with their probabilities) and, for the switches, OpenFlow control.

Example 4 (The Upper Layer). The AG shown in Figure 8 is a directed graph $AG_{SDN} = (N_{SDN}, E_{SDN})$, where $N_{SDN} = \{A, VM1, VM2, VM3, VM4, VM5, VM6, SW1, SW2, SW3\}$ and $E_{SDN} = \{(A, VM1), (A, VM2), (A, VM3), (VM1, SW1), (VM2, SW1), (VM3, SW1), (VM1, SW2), (SW1, SW2), (SW1, VM5), (SW2, VM4), (SW2, VM5), (SW2, SW3), (VM4, SW3), (VM5, SW3), (SW3, VM6)\}$.

Example 5 (The Lower Layer). The ATs in the lower layer are shown in Figure 8. The set of conditions required to compromise VM1 is given by $L_{VM1} = (A_{VM1}, B_{VM1}, c_{VM1}, g_{VM1}, root_{VM1})$, where $A_{VM1} = \{WV1, WV2, WV2'\}$ is the set of components which are the leaves (vulnerabilities), $B_{VM1} = \{AND1, OR1\}$, $c_{AND1} = \{WV1, WV2'\}$, $c_{OR1} = \{AND1, WV2\}$, $g_{VM1}(root_{VM1}) = OR1$, and $root_{VM1} = root$ with $root \in A_{VM1} \cup B_{VM1}$.

5. Result and Analysis

In this section, we investigate the effectiveness of using the full AG for precomputation, taking into account various security metrics. Regardless of which model we use, the security metric computed will be the same. Since both the full AG and the HARM compute the same metric values, we do not explicitly present those results in this paper.

First, we look at changes in security metrics with and without deploying countermeasures, where we change the flow table rules to block attack paths up to three steps, in Section 5.1. Then, we conduct simulations to investigate the performance difference between computing an AG used in the HARM and a full AG for precomputation in Section 5.3.

5.1. Change in Security Metrics. For this experiment, we use the example SDN shown in Figure 3 as our experimental testbed. In this system, the service is not available unless a packet is sent to the database. So, we assume that the network administrator cannot change the flow table rules of SW3 and VM6 due to system constraints (i.e., they need to be functional to continuously provide the SDN service). To ensure operability, we extend this assumption such that at least one connection path exists through which users' requests can be handled. Although modifying flows can affect the performance of the SDN, we only consider the minimal cost to enhance the security of the SDN in this paper (i.e., the minimum number of flow changes for maximized security). For example, an alternative flow path can be used to continue delivering the service, but it may create a bottleneck effect if the traffic is not managed carefully. We will investigate the trade-off between enhancing security and degrading the network performance in our future work.

First, we investigate the change in security when predicting a potential attack in 1-hop, and then we measure the change in the probability of attack success and the system risk. The result is shown in Figure 9, which shows that blocking 1-hop flows at SW1 or SW2 minimizes the probability and the risk more than blocking the other nodes.

On the other hand, if the detection of an attack was delayed, we need to consider further steps in order to mitigate the attack. So, we also look at 2-hop flow blocking of nodes, where the combinations are shown in Table 3. The result is shown in Figure 10, which shows a similar result to the 1-hop blocking (i.e., the best practice is to block flow through SW1 or SW2). However, we observe that the importance of nodes for defense has changed (i.e., the priorities to secure SDN components can vary when the number of hops changes). For instance, blocking the flow through VM2 and SW2 can also achieve a similar effect, whereas VM2 in the 1-hop analysis was significantly worse.

Lastly, we look at the 3-hop flow blocking. Table 4 shows the combinations of three nodes and their flows to be blocked. With the given attack scenario, we have 21 possible combinations of nodes out of the maximum number of 35. Figure 11 shows the result, where three conditions that include SW2 minimized the probability of attack success and the system risk, but only one condition that includes SW1 did so. This indicates that we need to look into various attack paths as well as the importance of nodes. In conclusion, we observe that our proposed solution has identified SW2 as the most important SDN component to secure. In general, the most vulnerable node or the node with many connections to other nodes in the network can be the most important node. Another method of analyzing the importance of nodes is the network centrality measure [30]. For the running example, it is obvious enough to pick out by inspection, but when the SDN becomes larger and more complex, this can be done easily using the proposed solution, whereas it would be near impossible and impractical by human effort.
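As an added worked example that is not the authors' code, the following Python script builds the HARM of Examples 4 and 5 (the AG edge set and VM1's AT are taken from the text) and reproduces the k-hop block analysis of this section: it enumerates the attack paths to VM6, computes the probability of attack success and the system risk for each block condition that keeps SW3, VM6 and at least one path intact, and ranks the conditions. The vulnerability probabilities, impacts, the other nodes' ATs and the exact metric formulas (PAS as the maximum path probability, risk as path probability times summed impact) are constructed assumptions, so the ranking it prints need not match Figures 9–11.

```python
"""Minimal HARM evaluator for the SDN of Examples 4 and 5 (added example, not
the paper's code).  Upper layer = the AG (N_SDN, E_SDN) of Example 4; lower
layer = one attack tree (AT) per node, VM1's tree as in Example 5.  All
probabilities and impacts below are constructed placeholders."""
import math
from itertools import combinations
from typing import Dict, FrozenSet, List, Tuple, Union

# ---- upper layer: AG_SDN = (N_SDN, E_SDN), copied from Example 4 ----
N_SDN = ["A", "VM1", "VM2", "VM3", "VM4", "VM5", "VM6", "SW1", "SW2", "SW3"]
E_SDN = [("A", "VM1"), ("A", "VM2"), ("A", "VM3"), ("VM1", "SW1"),
         ("VM2", "SW1"), ("VM3", "SW1"), ("VM1", "SW2"), ("SW1", "SW2"),
         ("SW1", "VM5"), ("SW2", "VM4"), ("SW2", "VM5"), ("SW2", "SW3"),
         ("VM4", "SW3"), ("VM5", "SW3"), ("SW3", "VM6")]
ATTACKER, TARGET = "A", "VM6"
# SW3 and VM6 must keep serving (Section 5.1), so they can never be blocked.
UNBLOCKABLE = {"SW3", "VM6"}

# ---- lower layer: ATs.  A tree is a leaf name or ("AND"|"OR", child, ...) ----
AT = Union[str, Tuple]
VULN_PROB: Dict[str, float] = {   # constructed placeholder probabilities
    "WV1": 0.6, "WV2": 0.5, "WV2'": 0.7, "SV1": 0.9, "SV2": 0.8, "DBV": 0.4}
ATS: Dict[str, AT] = {
    # Example 5: root = OR1, c_OR1 = {AND1, WV2}, c_AND1 = {WV1, WV2'}
    "VM1": ("OR", ("AND", "WV1", "WV2'"), "WV2"),
    # single-leaf trees for the other nodes (constructed, not from the paper)
    "VM2": "WV1", "VM3": "WV2", "VM4": "WV1", "VM5": "WV2'", "VM6": "DBV",
    "SW1": "SV1", "SW2": "SV1", "SW3": "SV2",
}
IMPACT: Dict[str, float] = {n: 10.0 for n in N_SDN if n != ATTACKER}
IMPACT["VM6"] = 100.0   # constructed: the database VM carries the service


def at_prob(tree: AT) -> float:
    """Probability that the AT root is reached: AND = product of children,
    OR = 1 - prod(1 - p_child); children are treated as independent."""
    if isinstance(tree, str):
        return VULN_PROB[tree]
    gate, *children = tree
    probs = [at_prob(c) for c in children]
    if gate == "AND":
        return math.prod(probs)
    return 1.0 - math.prod(1.0 - p for p in probs)


def attack_paths(blocked: FrozenSet[str] = frozenset()) -> List[List[str]]:
    """All simple attacker->target paths in the AG with `blocked` nodes removed
    (a blocked node models a flow-table rule that drops its traffic)."""
    adj: Dict[str, List[str]] = {n: [] for n in N_SDN}
    for u, v in E_SDN:
        if u not in blocked and v not in blocked:
            adj[u].append(v)
    paths, stack = [], [[ATTACKER]]
    while stack:
        path = stack.pop()
        for nxt in adj[path[-1]]:
            if nxt in path:
                continue
            if nxt == TARGET:
                paths.append(path + [nxt])
            else:
                stack.append(path + [nxt])
    return paths


def metrics(blocked: FrozenSet[str] = frozenset()) -> Tuple[float, float]:
    """(PAS, risk): PAS = max path probability over all remaining paths; risk
    = sum over paths of path probability x summed impact of its hosts."""
    node_p = {n: at_prob(t) for n, t in ATS.items()}
    pas, risk = 0.0, 0.0
    for path in attack_paths(blocked):
        hosts = path[1:]                          # skip the attacker node
        p = math.prod(node_p[h] for h in hosts)
        pas = max(pas, p)
        risk += p * sum(IMPACT[h] for h in hosts)
    return pas, risk


def feasible_conditions(k: int) -> List[FrozenSet[str]]:
    """Every k-node block condition that still leaves at least one path to the
    target (the operability constraint of Section 5.1)."""
    candidates = [n for n in N_SDN if n != ATTACKER and n not in UNBLOCKABLE]
    return [frozenset(c) for c in combinations(candidates, k)
            if attack_paths(frozenset(c))]


def rank_conditions(k: int) -> List[Tuple[FrozenSet[str], float, float]]:
    """Feasible k-hop block conditions ordered by (PAS, risk), best first."""
    ranked = [(c, *metrics(c)) for c in feasible_conditions(k)]
    return sorted(ranked, key=lambda r: (r[1], r[2]))


if __name__ == "__main__":
    print("initial PAS/risk:", metrics())
    for k in (1, 2, 3):
        best, pas, risk = rank_conditions(k)[0]
        print(f"{k}-hop: {len(feasible_conditions(k))} feasible, best block ="
              f" {sorted(best)} -> PAS {pas:.4f}, risk {risk:.1f}")
```

With the edge set of Example 4, the feasible 2-node and 3-node conditions it enumerates are exactly the 18 and 21 sets listed in Tables 3 and 4.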

5.2. Numerical Sensitivity Analysis. The slower the response to an attack, the more attackers can attack the node. This results in more loss to the system. We conducted an experiment to compare the losses incurred in the system with the costs required to take action within the response time. Since loss cost and cost of action cannot be defined objectively, a sensitivity analysis methodology was applied. In this experiment, we calculated loss and response costs based on the detection time and the attack time when an attacker successfully attacked VM2.

In the first experiment, we applied a sensitivity analysis to the loss cost. The corresponding response cost was fixed at 100, and the loss cost was increased from 0 to 500. In each case, the total cost of ownership was calculated. Figure 12(a) shows the experimental result. As the response time becomes slower than the attack time, the total cost is higher.

Second, we applied a sensitivity analysis to the response costs. The loss cost was fixed at 100, and the corresponding response cost was increased from 0 to 500. As in the previous experiment, we calculated the total cost for each case. The experimental results, shown in Figure 12(b), show that the total cost of ownership varies depending on the situation. If a defender defends a node that is far from the compromised node, loss cost may occur at a node with a relatively short distance. However, if the cost of response is greater than the cost of loss, taking action on multiple nodes significantly increases the total cost of ownership. In this case, taking action on one node that is farther away, even if the loss is considered, may be a way to save the total cost of ownership.

5.3. Simulation. To investigate the performance of precomputing the full AG in comparison to the AG, we simulate the generation and evaluation time. The precomputation of the full AG is important, as it reduces the security evaluation time for real-time mitigation while it is also used for attack prediction. As increasing the number of nodes puts both the AG and the full AG in an exponential time complexity [16], we focus on generation and evaluation when certain node flows are blocked, as shown in Table 5.

The comparison results are shown in Figure 13; it shows that the full AG outperforms the AG in terms of evaluation time for all the conditions. This indicates that real-time security assessment for a large-sized SDN (or any other general network) using the AG may not be feasible [17], and that there is an efficiency gain from precomputing all possible attack paths using the full AG. It is also more efficient to utilize more scalable security models such as the HARM.

6. Discussion and Limitations

6.1. Scalability. The framework provides an approach to assessing the security of the SDN and applying countermeasures to the system using a security model for real-time intrusion responses. However, the security model has scalability issues. In our future work, we will consider improving the performance of security modeling and analysis for the SDN, as we face an exponential time complexity when the number of nodes in the SDN increases.

Figure 9: Block one node vs. security metrics. X-axis: node blocked using the flow table (Initial, VM1–VM5, SW1, SW2); left Y-axis: PAS, 0–1; right Y-axis: risk, 0–1000.

Table 3: A set of two-node block conditions

ID     Nodes
C1     VM1, VM2
C2     VM1, VM3
C3     VM1, VM4
C4     VM1, VM5
C5     VM1, SW2
C6     VM2, VM3
C7     VM2, VM4
C8     VM2, VM5
C9     VM2, SW1
C10    VM2, SW2
C11    VM3, VM4
C12    VM3, VM5
C13    VM3, SW1
C14    VM3, SW2
C15    VM4, VM5
C16    VM4, SW1
C17    VM4, SW2
C18    VM5, SW1

Figure 10: Block two nodes vs. security metrics. X-axis: block condition (Initial, C1–C18 of Table 3); left Y-axis: PAS, 0–1; right Y-axis: risk, 0–1000.

Table 4: A set of three-node block conditions

ID     Nodes
C1     VM1, VM2, VM4
C2     VM1, VM2, VM5
C3     VM1, VM2, SW2
C4     VM1, VM3, VM4
C5     VM1, VM3, VM5
C6     VM1, VM3, SW2
C7     VM1, VM4, VM5
C8     VM1, VM4, SW2
C9     VM2, VM3, VM4
C10    VM2, VM3, VM5
C11    VM2, VM3, SW1
C12    VM2, VM3, SW2
C13    VM2, VM4, VM5
C14    VM2, VM4, SW1
C15    VM2, VM4, SW2
C16    VM2, VM5, SW1
C17    VM3, VM4, VM5
C18    VM3, VM4, SW1
C19    VM3, VM4, SW2
C20    VM3, VM5, SW1
C21    VM4, VM5, SW1

6.2. SDN Attack Surface. Furthermore, we use network devices that exist in the data plane for security modeling. However, the SDN has a variety of components and threat vectors in addition to the data plane. Accordingly, we will incorporate the control plane and the SDN controller into the model in order to assess the security posture of the whole life-cycle of the SDN. In addition, the network may normally have an internal attacker, but we only used scenarios in which the attacker would always break in from the outside. We can deal with internal attackers in our future work.

Figure 11: Block three nodes vs. security metrics. X-axis: block condition (Initial, C1–C21 of Table 4); left Y-axis: PAS, 0–1; right Y-axis: risk, 0–1000.


Table 5 A set of conditions that include specific node(s)

ID NodesC1 VM1C2 SW2C3 VM1SW2C4 VM4SW1C5 VM2VM4SW2C6 VM3VM5SW1

12 Security and Communication Networks

63 Evaluation Correctness of Different Vulnerabilities Inthis paper we removed the assumption that an IDS may notwork in real time and also the detection rate may not be100 )is is more realistic as an attack which was detectedat the entry point but progressed to install a backdoor on anuserrsquos computer may not be mitigated effectively by onlyenhancing the entry point vulnerability As such we gobeyond securing the point of detection and evaluate thepossible extensions of the damage However we did notexplicitly evaluated the effects of different vulnerabilitiespresent where some system settings may be mitigated wellby securing the detection point (eg security by design) Aswe only focused on the usefulness of precomputation wewill investigate the impact of secure design in the context ofour work in the future

64 Multiple Attackers In this paper we focused only on asingle attacker version but in reality there can be multipleattackers trying to exploit the SDN in various entry routesHowever because we already precomputed all possible at-tack paths and the IDSes are working in real time our attackresponse module only has to make sure that different at-tackers are differentiated when formulating countermea-sures In this way our proposed solution can mitigatemultiple attackers even exploiting different attack surfacesOn the other hand we only handled targeted attacks)erefore volume-based attacks such as DDoS are notappropriately addressed by our solution We will investigatethe mitigation schemes for volume-based attacks in the SDNin our future work

65 Network Topology Changes In this paper we changedthe network flow to respond to the attack when it occurredHowever the network topology of an SDN can be dynamic)erefore when the model changes it is necessary to redothe precomputation of the changing model )is could be a

similar solution to the MTD in response to an attack [5] Inour future work we will investigate the application ofprecomputation to changing models

7 Related Work

71 General SDN Security Various security issues related tothe SDN have been studied previously [1 31ndash34] Kreutzet al [6] presented new threat vectors of the SDN that werenot present in traditional networks)ey also provided somepotential solutions to mitigate their identified threatsHowever they do not specify the means to evaluate thosethreats We aim to provide solutions to some of theseproblems in this paper Shin et al [35] presented a frame-work named FRESCO which is to enhance the security of theOpenFlow protocol for the SDN allowing them to detectandmitigate attacks)is work shows that SDN componentssuch as SDN switches are prone to cyber attacks Porras et al[36] presented SE-Floodlight an extension to a widely usedOpenFlow Floodlight Controller to provide additional se-curity features to protect the control plane of the SDN Ourpaper aims to leverage these technologies and provide acomprehensive security analysis of the SDN

72 Intrusion Detection in SDN An intrusion is defined as asuccessfully carried out attack including any maliciousbehavior in the system Intrusion detection is an activity todetect such intrusions It is ideal to detect all the intrusionwith 100 accuracy but in practice this is infeasible Be-cause intrusion detection is not perfect there is always falsealarm such as true-positive and false-positive rates Severaltypes of research have been conducted on attack detection inthe SDN environment Dhawan et al [25] proposedSPHINX a framework to detect attacks on network topologyand data plane forwarding Braga et al [26] proposed alightweight method for detecting DDoS attacks based ontraffic flow capabilities Giotis et al [27] presented how toapply SDN for distributed denial of service (DDoS) miti-gation by using OpenFlow protocol as a means to enhancethe legacy Remote Triggered Black-Hole (RTBH) And in[28] they performed anomaly detection and mitigation inthe SDN architecture through an efficient and scalablemechanism Although not perfect we can leverage thesetechniques to detect intrusions in the SDN which can beused to formulate optimal countermeasures using theHARM

73 Security Modeling for SDN For security modeling andanalysis Chung et al [37] presented NICE a network in-trusion detection and countermeasure selection framework)e core of this framework is using an AG to evaluate thesecurity However there are limitations of using an AG dueto its scalability issues Similarly many of the existinggraphical security models as described in [10 11] sufferfrom the scalability and adaptability problems [5] Typicallythe scalability problem arises when these models have real-time constraints In order to address this issue our approachis to precompute attack scenarios in advance and use them

Initial C1 C2 C3 C4 C5 C6

Specific nodes

0

5

10

15

20

25

30

35

40

45

50Se

curit

y ev

alua

tion

time (

ms)

Attack graphFull attack graph

Figure 13 Specific node(s) vs security evaluation time

Security and Communication Networks 13

where necessary Hence we propose to use a full AG aspresented in [18] to generate all possible attack paths in theprecomputation Moreover we also use the HARM [17] thatsupports scalable and adaptable security modeling andanalysis By precomputing all possible attack paths we canquickly evaluate the security posture of the SDN when anintrusion is detected and formulate effective countermea-sures in real time

8 Conclusion

SDN provides functionalities that can dynamically controlthe network flow enabling a more robust and economicalway of managing network communications However it alsointroduced new vulnerabilities and attack vectors that werenot present previously As a result many have proposedsecurity solutions to strengthen the SDN against cyber at-tacks Nevertheless there is still a lack of security modelingand analysis for SDN which enables a system administratorto have a systematic security overview of the SDN

In this paper we proposed a security modeling andanalysis framework with precomputation for the SDN toformulate countermeasures in real time )e pre-computation method was used for the AG full AG andthe HARM to generate attack scenarios of the currentSDN which can then be used in conjunction with the IDSand correlate with the precomputed attack scenariosFurther the precomputed models can be used for pre-dicting potential attacks in case the detection mechanismsare delayed To verify we carried out experimentalanalysis on the SDN testbed and simulations whichshowed that our proposed approaches would be practicaland effective in the SDN to defend against an ongoingattack in real time

Data Availability

The vulnerability data used to support the findings of this study are included within the article.

Conflicts of Interest

The authors declare that they have no conflicts of interest.

References

[1] G. Stabler, A. Rosen, S. Goasguen, and K.-C. Wang, "Elastic IP and security groups implementation using OpenFlow," in Proceedings of the 6th International Workshop on Virtualization Technologies in Distributed Computing Date, ser. VTDC '12, pp. 53–60, ACM, New York, NY, USA, 2012.

[2] D. Kreutz, F. M. V. Ramos, P. Veríssimo, C. E. Rothenberg, S. Azodolmolky, and S. Uhlig, "Software-defined networking: a comprehensive survey," Proceedings of the IEEE, vol. 103, no. 1, p. 63, 2015.

[3] M. Tariq, B. Koldehofe, S. Bhowmik, and K. Rothermel, "PLEROMA: a SDN-based high performance publish/subscribe middleware," in Proceedings of the 15th International Middleware Conference (Middleware 2014), pp. 217–228, ACM, New York, NY, USA, 2014.

[4] J. Jafarian, E. Al-Shaer, and Q. Duan, "OpenFlow random host mutation: transparent moving target defense using software defined networking," in Proc. of the 1st Workshop on Hot Topics in Software Defined Networks (HotSDN 2012), pp. 127–132, ACM, New York, NY, USA, 2012.

[5] J. B. Hong and D. S. Kim, "Assessing the effectiveness of moving target defenses using security models," IEEE Transactions on Dependable and Secure Computing, vol. 13, no. 2, pp. 163–177, 2016.

[6] D. Kreutz, F. M. Ramos, and P. Verissimo, "Towards secure and dependable software-defined networks," in Proceedings of the Second ACM SIGCOMM Workshop on Hot Topics in Software Defined Networking, ser. HotSDN '13, pp. 55–60, ACM, New York, NY, USA, 2013.

[7] S. Lee, C. Yoon, C. Lee, S. Shin, V. Yegneswaran, and P. A. Porras, "Delta: a security assessment framework for software-defined networks," in Proceedings of the 2017 Network and Distributed System Security Symposium, San Diego, CA, USA, March 2017.

[8] S. Lee, J. Kim, S. Shin, P. Porras, and V. Yegneswaran, "Athena: a framework for scalable anomaly detection in software-defined networks," in Proceedings of the 2017 47th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN), pp. 249–260, Denver, CO, USA, June 2017.

[9] S. Nanda, F. Zafari, C. DeCusatis, E. Wedaa, and B. Yang, "Predicting network attack patterns in SDN using machine learning approach," in Proceedings of the 2016 IEEE Conference on Network Function Virtualization and Software Defined Networks (NFV-SDN), pp. 167–172, Palo Alto, CA, USA, November 2016.

[10] B. Kordy, L. Piètre-Cambacédès, and P. Schweitzer, "DAG-based attack and defense modeling: don't miss the forest for the attack trees," Computer Science Review, vol. 13-14, pp. 1–38, 2014.

[11] J. B. Hong, D. S. Kim, C.-J. Chung, and D. Huang, "A survey on the usability and practical applications of graphical security models," Computer Science Review, vol. 26, pp. 1–16, 2017.

[12] H. Xu, J. Su, X. Zong, and L. Yan, "Attack identification for software-defined networking based on attack trees and extension innovation methods," in Proceedings of the 2017 9th IEEE International Conference on Intelligent Data Acquisition and Advanced Computing Systems: Technology and Applications (IDAACS), vol. 1, pp. 485–489, Bucharest, Romania, September 2017.

[13] L. Yao, P. Dong, T. Zheng, H. Zhang, X. Du, and M. Guizani, "Network security analyzing and modeling based on Petri net and attack tree for SDN," in Proceedings of the 2016 International Conference on Computing, Networking and Communications (ICNC), pp. 1–5, Kauai, HI, USA, February 2016.

[14] A. Roy, D. Kim, and K. Trivedi, "Scalable optimal countermeasure selection using implicit enumeration on attack countermeasure trees," in Proceedings of the 42nd Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN 2012), pp. 1–12, IEEE Computer Society, Los Alamitos, CA, USA, June 2012.

[15] J. Hong and D. Kim, "Performance analysis of scalable attack representation models," in Security and Privacy Protection in Information Processing Systems (SEC 2013), L. Janczewski, H. Wolfe, and S. Shenoi, Eds., vol. 405, pp. 330–343, Springer, Berlin, Germany, 2013.

[16] R. Lippmann and K. Ingols, "An Annotated Review of Past Papers on Attack Graphs," Technical report ESC-TR-2005-054, MIT Lincoln Laboratory, Lexington, MA, USA, 2005.

[17] J. B. Hong and D. S. Kim, "Towards scalable security analysis using multi-layered security models," Journal of Network and Computer Applications, vol. 75, pp. 156–168, 2016.

[18] K. Ingols, R. Lippmann, and K. Piwowarski, "Practical attack graph generation for network defense," in Proceedings of the 22nd Annual Computer Security Applications Conference (ACSAC 2006), pp. 121–130, Miami Beach, FL, USA, December 2006.

[19] Z. Shu, J. Wan, D. Li, J. Lin, A. V. Vasilakos, and M. Imran, "Security in software-defined networking: threats and countermeasures," Mobile Networks and Applications, vol. 21, no. 5, pp. 764–776, 2016.

[20] M. Albanese, S. Jajodia, and S. Noel, "Time-efficient and cost-effective network hardening using attack graphs," in Proceedings of the 42nd Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN 2012), IEEE Computer Society, Los Alamitos, CA, USA, June 2012.

[21] J. Beale, R. Deraison, H. Meer, R. Temmingh, and C. Walt, The NESSUS Project, Syngress Publishing, Burlington, MA, USA, 2002, http://www.nessus.org.

[22] O. Developers, "The open vulnerability assessment system (OpenVAS)," 2012.

[23] J. Hong and D. Kim, "Scalable security model generation and analysis using k-importance measures," in Security and Privacy in Communication Networks (SecureComm 2013), T. Zia, A. Zomaya, V. Varadharajan, and M. Mao, Eds., vol. 127, pp. 270–287, Springer, Berlin, Germany, 2013.

[24] M. Schiffman, G. Eschelbeck, D. Ahmad, A. Wright, and S. Romanosky, CVSS: A Common Vulnerability Scoring System, National Infrastructure Advisory Council (NIAC), 2004.

[25] M. Dhawan, R. Poddar, K. Mahajan, and V. Mann, "SPHINX: detecting security attacks in software-defined networks," in Proceedings of the 2015 Network and Distributed System Security Symposium, vol. 15, pp. 8–11, San Diego, CA, USA, February 2015.

[26] R. Braga, E. M. M. Braga, and A. Passito, "Lightweight DDoS flooding attack detection using NOX/OpenFlow," in Proceedings of the 2010 IEEE 35th Conference on Local Computer Networks, ser. LCN '10, pp. 408–415, IEEE Computer Society, Washington, DC, USA, October 2010.

[27] K. Giotis, G. Androulidakis, and V. Maglaris, "Leveraging SDN for efficient anomaly detection and mitigation on legacy networks," in Proceedings of the 2014 Third European Workshop on Software Defined Networks, ser. EWSDN '14, pp. 85–90, IEEE Computer Society, Washington, DC, USA, September 2014.

[28] K. Giotis, C. Argyropoulos, G. Androulidakis, D. Kalogeras, and V. Maglaris, "Combining OpenFlow and sFlow for an effective and scalable anomaly detection and mitigation mechanism on SDN environments," Computer Networks, vol. 62, pp. 122–136, 2014.

[29] B. Schneier, Secrets and Lies: Digital Security in a Networked World, John Wiley & Sons, Hoboken, NJ, USA, 2000.

[30] J. Hong and D. Kim, "Scalable security analysis in hierarchical attack representation model using centrality measures," in Proceedings of the 43rd Annual IEEE/IFIP International Conference on Dependable Systems and Networks Workshop (DSN-W 2013), pp. 1–8, Budapest, Hungary, June 2013.

[31] N. Gude, T. Koponen, J. Pettit et al., "NOX: towards an operating system for networks," ACM SIGCOMM Computer Communication Review, vol. 38, no. 3, pp. 105–110, 2008.

[32] M. Casado, T. Garfinkel, A. Akella et al., "A protection architecture for enterprise networks," in Proceedings of the 15th Conference on USENIX Security Symposium - Volume 15, ser. USENIX-SS '06, USENIX Association, Berkeley, CA, USA, July 2006.

[33] J. Matias, J. Garay, A. Mendiola, N. Toledo, and E. Jacob, "FlowNAC: flow-based network access control," in Proceedings of the 2014 Third European Workshop on Software Defined Networks, ser. EWSDN '14, pp. 79–84, IEEE Computer Society, Washington, DC, USA, September 2014.

[34] J. B. Guang Yao and P. Xiao, "Source address validation solution with OpenFlow/NOX architecture," in Proceedings of the 2011 19th IEEE International Conference on Network Protocols, pp. 7–12, Vancouver, Canada, October 2011.

[35] S. Shin, P. A. Porras, V. Yegneswaran et al., "Modular composable security services for software-defined networks," in Proceedings of the 20th Annual Network & Distributed System Security Symposium, The Internet Society, San Diego, CA, USA, 2013.

[36] P. Porras, S. Cheung, M. Fong, K. Skinner, and V. Yegneswaran, "Securing the software-defined network control layer," in Proceedings of the 2015 Network and Distributed System Security Symposium (NDSS), San Diego, CA, USA, February 2015.

[37] C.-J. Chung, P. Khatkar, T. Xing, J. Lee, and D. Huang, "NICE: network intrusion detection and countermeasure selection in virtual network systems," IEEE Transactions on Dependable and Secure Computing, vol. 10, no. 4, pp. 198–211, 2013.


Page 10: A Framework for Real-Time Intrusion Response in Software ... (downloads.hindawi.com/journals/scn/2020/7235043.pdf, 2020-02-18)

ATs in the upper and the lower layer, and $M: U \to L$ is a one-to-one mapping of the upper layer $U$ to the corresponding lower layer $L$.

Example 4 (The Upper Layer). The AG shown in Figure 8 is a directed graph $AG_{SDN} = (N_{SDN}, E_{SDN})$, where $N_{SDN} = \{A, VM1, VM2, VM3, VM4, VM5, VM6, SW1, SW2, SW3\}$ and $E_{SDN} = \{(A, VM1), (A, VM2), (A, VM3), (VM1, SW1), (VM2, SW1), (VM3, SW1), (VM1, SW2), (SW1, SW2), (SW1, VM5), (SW2, VM4), (SW2, VM5), (SW2, SW3), (VM4, SW3), (VM5, SW3), (SW3, VM6)\}$.

Example 5 (The Lower Layer). The ATs in the lower layer are shown in Figure 8. The set of conditions required to compromise VM1 is given by $L_{VM1} = (A_{VM1}, B_{VM1}, c_{VM1}, g_{VM1}, root_{VM1})$, where $A_{VM1} = \{WV1, WV2, WV2'\}$ is the set of components which are the leaves (vulnerabilities), $B_{VM1} = \{AND1, OR1\}$, $c(AND1) = \{WV1, WV2'\}$, $c(OR1) = \{AND1, WV2\}$, $g_{VM1}(root_{VM1}) = OR1$, and $root_{VM1} = root$ with $root \in A_{VM1} \cup B_{VM1}$.

5 Result and Analysis

In this section, we investigate the effectiveness of using the full AG for precomputation, taking into account various security metrics. Regardless of which model we use, the security metric computed will be the same. Since both the full AG and the HARM compute the same metric values, we do not explicitly present those results in this paper.

First, we look at changes in security metrics with and without deploying countermeasures, where we change the flow table rules to block attack paths up to three steps, in Section 5.1. Then, we conduct simulations to investigate the performance difference between computing an AG used in the HARM and a full AG for precomputation in Section 5.3.

5.1 Change in Security Metrics. For this experiment, we use the example SDN shown in Figure 3 as our experimental testbed. In this system, the service is not available unless a packet is sent to the database. So we assume that the network administrator cannot change the flow table rules of SW3 and VM6 due to system constraints (i.e., they need to be functional to continuously provide the SDN service). To ensure operability, we extend this assumption such that at least one connection path exists through which users' requests can be handled. Although modifying flows can affect the performance of the SDN, we only consider the minimal cost to enhance the security of the SDN in this paper (i.e., the minimum number of flow changes for maximized security). For example, an alternative flow path can be used to continue delivering the service, but it may create a bottleneck effect if the traffic is not managed carefully. We will investigate the trade-off between enhancing security and degrading network performance in our future work.

First, we investigate the change in security when predicting a potential attack in 1-hop, and then we measure the change in the probability of attack success and the system risk. The result is shown in Figure 9, which shows that blocking 1-hop flows at SW1 or SW2 minimizes the probability and the risk more than blocking at the other nodes.

On the other hand, if the detection of an attack is delayed, we need to consider further steps in order to mitigate the attack. So we also look at 2-hop flow blocking of nodes, where the combinations are shown in Table 3. The result is shown in Figure 10, which shows a similar result to the 1-hop blocking (i.e., the best practice is to block flow through SW1 or SW2). However, we observe that the importance of nodes for defense has changed (i.e., the priorities to secure SDN components can vary when the number of hops changes). For instance, blocking the flow through VM2 and SW2 can also achieve a similar effect, whereas VM2 in the 1-hop analysis was significantly worse.

Lastly, we look at the 3-hop flow blocking. Table 4 shows the combinations of three nodes and their flows to be blocked. With the given attack scenario, we have 21 possible combinations of nodes out of the maximum number of 35. Figure 11 shows the result, where three conditions that include SW2 minimized the probability of attack success and the system risk, but only one condition that includes SW1 did. This indicates that we look into various attack paths as well as the importance of nodes. In conclusion, we observe that our proposed solution has identified SW2 as the most important SDN component to secure. In general, the most vulnerable node or the node with many connections to other nodes in the network can be the most important node. Another method of analyzing the importance of nodes is the network centrality measure [30]. For the running example, it is obvious to pick it out easily by inspection, but when the SDN becomes larger and more complex, this can be done easily using the proposed solution, whereas it would be near impossible and impractical by human effort.

5.2 Numerical Sensitivity Analysis. The slower the response to an attack, the more nodes the attacker can attack. This results in more loss to the system. We conducted an experiment to compare the losses incurred in the system with the costs required to take action within the response time. Since loss cost and cost of action cannot be defined objectively, the sensitivity analysis methodology was applied. In this experiment, we calculated loss and response costs based on the detection time and attack time when an attacker successfully attacked VM2.

In the first experiment, we applied a sensitivity analysis to the loss cost. The response cost was fixed at 100, and the loss cost was increased from 0 to 500. In each case, the total cost of ownership was calculated. Figure 12(a) shows the experimental result. As the response time becomes slower than the attack time, the total cost is higher.

Second, we applied a sensitivity analysis to the response cost. The loss cost was fixed at 100, and the response cost was increased from 0 to 500. As in the previous experiment, we calculated the total cost for each case. The experimental results show that the total cost of ownership varies depending on the situation, as in Figure 12(b). If a defender defends a node that is far from the compromised node, loss cost may occur at a node with a relatively short distance. However, if the cost of response is greater than the cost of loss, taking action on multiple nodes significantly increases the total cost of ownership. In this case, taking action on one node that is farther away, even if the loss is considered, may be a way to save the total cost of ownership.

5.3 Simulation. To investigate the performance of precomputing the full AG in comparison to the AG, we simulate the generation and evaluation time. The precomputation of the full AG is important as it reduces the security evaluation time for real-time mitigation, while it is also used for attack prediction. As increasing the number of nodes puts both the AG and the full AG in an exponential time complexity [16], we focus on generation and evaluation when certain node flows are blocked, as shown in Table 5.

The comparison results are shown in Figure 13: the full AG outperforms the AG in terms of evaluation time for all the conditions. This indicates that real-time security assessment for a large-sized SDN (or any other general network) using an AG may not be feasible [17], and that there is an efficiency gain in precomputing all possible attack paths using the full AG. It is also more efficient to utilize more scalable security models such as the HARM.
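The two-layer model of Examples 4 and 5, the block-condition enumeration of Section 5.1, and the precomputed full-AG lookup of Section 5.3, worked through in Python as an added example (this is not the paper's or the authors' code). The graph, the VM1 attack tree, and the rule that SW3 and VM6 cannot be blocked come from the text above; the leaf and node probabilities, the impact values, and the PAS/risk formulas (most likely surviving path, times summed impact) are constructed assumptions, so the metric values differ from Figures 9 to 11. The feasible two- and three-node conditions it enumerates, however, are exactly the rows of Tables 3 and 4 (18 of the 21 pairs and 21 of the 35 triples over VM1 to VM5, SW1, SW2).

```python
"""Added example (not the paper's code): the two-layer HARM of Examples 4 and 5, the
k-node flow-blocking conditions behind Tables 3 and 4 of Section 5.1 (SW3 and VM6 are
never blocked and at least one A->VM6 path must survive), PAS/risk per condition, and
the precomputed full-AG lookup of Section 5.3. Every probability, impact value and the
PAS/risk formulas are constructed assumptions, not values from the paper."""
from itertools import combinations
from math import prod

# Upper layer AG_SDN = (N_SDN, E_SDN) from Example 4 (Figure 8).
EDGES = [("A", "VM1"), ("A", "VM2"), ("A", "VM3"), ("VM1", "SW1"), ("VM2", "SW1"),
         ("VM3", "SW1"), ("VM1", "SW2"), ("SW1", "SW2"), ("SW1", "VM5"), ("SW2", "VM4"),
         ("SW2", "VM5"), ("SW2", "SW3"), ("VM4", "SW3"), ("VM5", "SW3"), ("SW3", "VM6")]

# Lower layer AT for VM1 from Example 5: c(AND1) = {WV1, WV2'}, c(OR1) = {AND1, WV2}, root = OR1.
AT_VM1_GATES = {"OR1": ("OR", ["AND1", "WV2"]), "AND1": ("AND", ["WV1", "WV2'"])}
AT_VM1_ROOT = "OR1"
LEAF_P = {"WV1": 0.6, "WV2": 0.3, "WV2'": 0.5}  # constructed exploit probabilities per leaf


def at_probability(node, gates, leaf_p):
    """Evaluate an attack tree bottom-up: AND gate = product, OR gate = 1 - prod(1 - p)."""
    if node in leaf_p:
        return leaf_p[node]
    kind, children = gates[node]
    ps = [at_probability(c, gates, leaf_p) for c in children]
    return prod(ps) if kind == "AND" else 1 - prod(1 - p for p in ps)


# M: U -> L maps VM1 to its AT; the other hosts/switches get constructed flat probabilities.
NODE_P = {"VM1": at_probability(AT_VM1_ROOT, AT_VM1_GATES, LEAF_P), "VM2": 0.5, "VM3": 0.5,
          "VM4": 0.5, "VM5": 0.3, "SW1": 0.4, "SW2": 0.4, "SW3": 0.3, "VM6": 0.6}
IMPACT = {"VM1": 50, "VM2": 50, "VM3": 50, "VM4": 100, "VM5": 100,
          "SW1": 30, "SW2": 30, "SW3": 30, "VM6": 500}  # constructed asset values
BLOCKABLE = ["VM1", "VM2", "VM3", "VM4", "VM5", "SW1", "SW2"]  # SW3 and VM6 must stay reachable


def attack_paths(blocked, src="A", dst="VM6"):
    """All simple attack paths src -> dst in the upper-layer AG after removing `blocked` nodes."""
    adj = {}
    for u, v in EDGES:
        adj.setdefault(u, []).append(v)
    paths = []

    def dfs(u, path):
        if u == dst:
            paths.append(tuple(path))
            return
        for v in adj.get(u, []):
            if v not in blocked and v not in path:
                path.append(v)
                dfs(v, path)
                path.pop()

    dfs(src, [src])
    return paths


def path_probability(path):
    return prod(NODE_P[n] for n in path[1:])  # the attacker node A is not itself a target


def pas(blocked):
    """Probability of attack success: the most likely surviving path (assumed metric)."""
    return max((path_probability(p) for p in attack_paths(blocked)), default=0.0)


def risk(blocked):
    """Risk: max over surviving paths of path probability x summed impact (assumed metric)."""
    return max((path_probability(p) * sum(IMPACT[n] for n in p[1:])
                for p in attack_paths(blocked)), default=0.0)


def feasible_conditions(k):
    """k-node block conditions that keep at least one A->VM6 path; k=2 and k=3 give Tables 3 and 4."""
    return [c for c in combinations(BLOCKABLE, k) if attack_paths(set(c))]


def evaluate_conditions(k):
    """(condition id, nodes, PAS, risk) for every feasible k-node block condition."""
    return [(f"C{i}", c, pas(set(c)), risk(set(c)))
            for i, c in enumerate(feasible_conditions(k), start=1)]


def best_condition(k):
    """Condition with the lowest PAS, ties broken by lower risk."""
    return min(evaluate_conditions(k), key=lambda r: (r[2], r[3]))


# Section 5.3: precompute the full AG once, then answer each blocking query by filtering.
FULL_AG = attack_paths(set())


def pas_precomputed(blocked, full_ag=FULL_AG):
    """Real-time PAS from the precomputed path set: no graph traversal per query."""
    survivors = [p for p in full_ag if not blocked.intersection(p)]
    return max((path_probability(p) for p in survivors), default=0.0)


if __name__ == "__main__":
    print(f"initial: {len(FULL_AG)} paths, PAS={pas(set()):.5f}, risk={risk(set()):.2f}")
    for k in (1, 2, 3):
        print(f"{k}-node conditions: {len(feasible_conditions(k))} feasible, best {best_condition(k)}")
```

Running the module prints the initial path count (15 simple paths from A to VM6) and the best k-node condition for k = 1, 2, 3; with the constructed probabilities the single best block is SW2, in line with the observation above. `pas_precomputed` answers the same query as `pas` by filtering the path set computed once, which is the evaluation-time saving that Section 5.3 measures: removing nodes from the graph can only delete paths, never create them, so the precomputed full AG stays exact for every blocking condition.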

6 Discussion and Limitations

6.1 Scalability. The framework provides an approach to assessing the security of the SDN and applying countermeasures to the system using a security model for real-time intrusion responses. However, the security model has scalability issues. In our future work, we will consider improving the performance of security modeling and analysis for the SDN, as we face an exponential time complexity when the number of nodes in the SDN increases.

Figure 9: Block one node vs. security metrics. [Plot not reproduced: x-axis "Block node using flow table" with conditions Initial, VM1, VM2, VM3, VM4, VM5, SW1, SW2; left y-axis PAS from 0 to 1; right y-axis Risk from 0 to 1000; series PAS and Risk.]

Table 3: A set of two-node block conditions

ID    Nodes
C1    VM1, VM2
C2    VM1, VM3
C3    VM1, VM4
C4    VM1, VM5
C5    VM1, SW2
C6    VM2, VM3
C7    VM2, VM4
C8    VM2, VM5
C9    VM2, SW1
C10   VM2, SW2
C11   VM3, VM4
C12   VM3, VM5
C13   VM3, SW1
C14   VM3, SW2
C15   VM4, VM5
C16   VM4, SW1
C17   VM4, SW2
C18   VM5, SW1

Figure 10: Block two nodes vs. security metrics. [Plot not reproduced: x-axis "Block nodes using flow table" with conditions Initial and C1 to C18 (ticks at C3, C6, C9, C12, C15, C18); left y-axis PAS from 0 to 1; right y-axis Risk from 0 to 1000; series PAS and Risk.]

Table 4: A set of three-node block conditions

ID    Nodes
C1    VM1, VM2, VM4
C2    VM1, VM2, VM5
C3    VM1, VM2, SW2
C4    VM1, VM3, VM4
C5    VM1, VM3, VM5
C6    VM1, VM3, SW2
C7    VM1, VM4, VM5
C8    VM1, VM4, SW2
C9    VM2, VM3, VM4
C10   VM2, VM3, VM5
C11   VM2, VM3, SW1
C12   VM2, VM3, SW2
C13   VM2, VM4, VM5
C14   VM2, VM4, SW1
C15   VM2, VM4, SW2
C16   VM2, VM5, SW1
C17   VM3, VM4, VM5
C18   VM3, VM4, SW1
C19   VM3, VM4, SW2
C20   VM3, VM5, SW1
C21   VM4, VM5, SW1

6.2 SDN Attack Surface. Furthermore, we use network devices that exist in the data plane for security modeling. However, SDN has a variety of components and threat vectors in addition to the data plane. Accordingly, we will incorporate the control plane and the SDN controller in the model in order to assess the security posture of the whole life-cycle of the SDN. In addition, a network may have an internal attacker, but we only used scenarios in which the attacker always breaks in from the outside. We can deal with internal attackers in our future work.

Figure 11: Block three nodes vs. security metrics. [Plot not reproduced: x-axis "Block nodes using flow table" with conditions Initial and C1 to C21 (ticks at C3, C6, C9, C12, C15, C18, C21); left y-axis PAS from 0 to 1; right y-axis Risk from 0 to 1000; series PAS and Risk.]

Figure 12: Cost sensitivity analysis. (a) Loss cost vs. total cost. (b) Response cost vs. total cost. [Plots not reproduced: (a) x-axis loss cost from 0 to 500, y-axis total cost from 0 to 3500; (b) x-axis response cost from 0 to 500, y-axis total cost from 0 to 1400; series in both: $t_R < t_A$, $t_R = t_A$, $t_R = 2t_A$, $t_R = 3t_A$, $t_R = 4t_A$.]

Table 5: A set of conditions that include specific node(s)

ID    Nodes
C1    VM1
C2    SW2
C3    VM1, SW2
C4    VM4, SW1
C5    VM2, VM4, SW2
C6    VM3, VM5, SW1


6.3 Evaluation Correctness of Different Vulnerabilities. In this paper, we removed the assumption that an IDS may not work in real time and also that the detection rate may not be 100%. This is more realistic, as an attack which was detected at the entry point but progressed to install a backdoor on a user's computer may not be mitigated effectively by only enhancing the entry point vulnerability. As such, we go beyond securing the point of detection and evaluate the possible extensions of the damage. However, we did not explicitly evaluate the effects of the different vulnerabilities present, where some system settings may be mitigated well by securing the detection point (e.g., security by design). As we only focused on the usefulness of precomputation, we will investigate the impact of secure design in the context of our work in the future.

6.4 Multiple Attackers. In this paper, we focused only on the single-attacker version, but in reality there can be multiple attackers trying to exploit the SDN via various entry routes. However, because we already precomputed all possible attack paths and the IDSes are working in real time, our attack response module only has to make sure that different attackers are differentiated when formulating countermeasures. In this way, our proposed solution can mitigate multiple attackers even when they exploit different attack surfaces. On the other hand, we only handled targeted attacks. Therefore, volume-based attacks such as DDoS are not appropriately addressed by our solution. We will investigate mitigation schemes for volume-based attacks in the SDN in our future work.

6.5 Network Topology Changes. In this paper, we changed the network flow to respond to the attack when it occurred. However, the network topology of an SDN can be dynamic. Therefore, when the model changes, it is necessary to redo the precomputation for the changed model. This could be a similar solution to the MTD in response to an attack [5]. In our future work, we will investigate the application of precomputation to changing models.

7 Related Work

7.1 General SDN Security. Various security issues related to the SDN have been studied previously [1, 31–34]. Kreutz et al. [6] presented new threat vectors of the SDN that were not present in traditional networks. They also provided some potential solutions to mitigate their identified threats. However, they do not specify the means to evaluate those threats. We aim to provide solutions to some of these problems in this paper. Shin et al. [35] presented a framework named FRESCO, which enhances the security of the OpenFlow protocol for the SDN, allowing them to detect and mitigate attacks. This work shows that SDN components such as SDN switches are prone to cyber attacks. Porras et al. [36] presented SE-Floodlight, an extension to the widely used OpenFlow Floodlight Controller to provide additional security features to protect the control plane of the SDN. Our paper aims to leverage these technologies and provide a comprehensive security analysis of the SDN.

7.2 Intrusion Detection in SDN. An intrusion is defined as a successfully carried out attack, including any malicious behavior in the system. Intrusion detection is an activity to detect such intrusions. It is ideal to detect all intrusions with 100% accuracy, but in practice this is infeasible. Because intrusion detection is not perfect, there are always false alarms, as reflected in the true-positive and false-positive rates. Several types of research have been conducted on attack detection in the SDN environment. Dhawan et al. [25] proposed SPHINX, a framework to detect attacks on network topology and data plane forwarding. Braga et al. [26] proposed a lightweight method for detecting DDoS attacks based on traffic flow capabilities. Giotis et al. [27] presented how to apply SDN for distributed denial of service (DDoS) mitigation by using the OpenFlow protocol as a means to enhance the legacy Remote Triggered Black-Hole (RTBH). And in [28], they performed anomaly detection and mitigation in the SDN architecture through an efficient and scalable mechanism. Although not perfect, we can leverage these techniques to detect intrusions in the SDN, which can be used to formulate optimal countermeasures using the HARM.


[37] C-J Chung P Khatkar T Xing J Lee and D Huang ldquoNICEnetwork intrusion detection and countermeasure selection invirtual network systemsrdquo IEEE Transactions on Dependableand Secure Computing vol 10 no 4 pp 198ndash211 2013

Security and Communication Networks 15


node loss cost may occur at a node with a relatively short distance. However, if the cost of response is greater than the cost of loss, taking action on multiple nodes significantly increases the total cost of ownership. In this case, taking action on one node that is farther away, even if the loss is considered, may be a way to save the total cost of ownership.

5.3 Simulation. To investigate the performance of precomputing the full AG in comparison to the AG, we simulate the generation and evaluation time. The precomputation of the full AG is important, as it reduces the security evaluation time for real-time mitigation, while it is also used for attack prediction. As increasing the number of nodes puts both the AG and the full AG in an exponential time complexity [16], we focus on generation and evaluation when certain node flows are blocked, as shown in Table 5.

The comparison results are shown in Figure 13: the full AG outperforms the AG in terms of evaluation time for all the conditions. This indicates that real-time security assessment for a large-sized SDN (or any other general network) using the AG may not be feasible [17], and that precomputing all possible attack paths using the full AG is more efficient. It is also more efficient to utilize more scalable security models such as the HARM.
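As an added illustration of the precomputation idea in this section (and of the approach restated in Section 7.3), the following Python example, which is not code from the paper, precomputes the full set of attack paths once, evaluates each Table 5 block condition by filtering those paths instead of regenerating the attack graph, and reuses the same precomputed paths to rank an attacker's likely next hop per attacker. The node names and conditions are taken from Table 5; the reachability edges, the attacker entry point and the target are constructed for this example.

```python
"""Added example (not the paper's code): precomputed full attack graph (AG)
used for real-time evaluation of flow-table block conditions.

Node names VM1..VM5, SW1, SW2 and conditions C1..C6 follow Table 5 of the
paper; the reachability edges, attacker entry point and target are
constructed for this example.
"""

# Constructed data-plane reachability: who can reach whom.
TOPOLOGY = {
    "Attacker": ["SW1"],
    "SW1": ["VM1", "VM2", "VM3"],
    "VM1": ["SW2"],
    "VM2": ["SW2", "VM4"],
    "VM3": ["VM5"],
    "SW2": ["VM4", "VM5"],
    "VM4": ["Target"],
    "VM5": ["Target"],
    "Target": [],
}

# Table 5 of the paper: conditions that include specific node(s).
TABLE5 = {
    "C1": {"VM1"},
    "C2": {"SW2"},
    "C3": {"VM1", "SW2"},
    "C4": {"VM4", "SW1"},
    "C5": {"VM2", "VM4", "SW2"},
    "C6": {"VM3", "VM5", "SW1"},
}


def enumerate_paths(graph, source, target, blocked=frozenset()):
    """Generate the AG for one condition: every simple path from source to
    target that avoids the blocked nodes. This is the per-query work the
    paper measures as the AG's evaluation time."""
    paths, stack = [], [(source, [source])]
    while stack:
        node, path = stack.pop()
        if node == target:
            paths.append(tuple(path))
            continue
        for nxt in graph[node]:
            if nxt not in blocked and nxt not in path:
                stack.append((nxt, path + [nxt]))
    return paths


def precompute_full_ag(graph, source, target):
    """Precompute the full AG once, offline, with nothing blocked."""
    return enumerate_paths(graph, source, target)


def evaluate_block(full_ag, blocked):
    """Real-time evaluation: filter the precomputed paths instead of
    re-running path enumeration; returns the attack paths that survive."""
    return [p for p in full_ag if not blocked.intersection(p)]


def predict_next_hops(full_ag, compromised):
    """Attack prediction for one attacker: keep the precomputed paths that
    contain every node the IDS reported for that attacker and rank the
    candidate next hops by the share of consistent paths that use them.
    Tracking each attacker's own set keeps multiple attackers apart."""
    consistent = [p for p in full_ag if compromised.issubset(p)]
    if not consistent:
        return {}
    counts = {}
    for path in consistent:
        last = max(path.index(n) for n in compromised)
        if last + 1 < len(path):
            counts[path[last + 1]] = counts.get(path[last + 1], 0) + 1
    return {n: c / len(consistent) for n, c in counts.items()}


def compare_conditions(graph, source, target, conditions):
    """For every condition, check that filtering the precomputed full AG
    gives the same path set as regenerating the AG for that condition, and
    return the number of surviving attack paths per condition."""
    full_ag = precompute_full_ag(graph, source, target)
    surviving = {}
    for cid, blocked in conditions.items():
        fast = set(evaluate_block(full_ag, blocked))
        slow = set(enumerate_paths(graph, source, target, blocked))
        assert fast == slow, f"precomputed result differs for {cid}"
        surviving[cid] = len(fast)
    return surviving


if __name__ == "__main__":
    full = precompute_full_ag(TOPOLOGY, "Attacker", "Target")
    print(len(full), "precomputed attack paths")
    print(compare_conditions(TOPOLOGY, "Attacker", "Target", TABLE5))
    # Two concurrent attackers reported at different nodes are handled
    # independently, each against its own compromised-node set.
    print(predict_next_hops(full, {"SW1", "VM1"}))
    print(predict_next_hops(full, {"SW1", "VM2"}))
```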

6 Discussion and Limitations

6.1 Scalability. The framework provides an approach to assessing the security of SDN and applying countermeasures to the system using a security model for real-time intrusion responses. However, the security model has scalability issues. In our future work, we will consider improving the performance of security modeling and analysis for the SDN, as we face an exponential time complexity when the number of nodes in the SDN increases.

[Figure 9: Block one node vs. security metrics. x-axis: block node using flow table (Initial, VM1, VM2, VM3, VM4, VM5, SW1, SW2); left y-axis: PAS (0–1000); right y-axis: Risk (0–1).]

Table 3: A set of two-node block conditions.

ID    Nodes
C1    VM1, VM2
C2    VM1, VM3
C3    VM1, VM4
C4    VM1, VM5
C5    VM1, SW2
C6    VM2, VM3
C7    VM2, VM4
C8    VM2, VM5
C9    VM2, SW1
C10   VM2, SW2
C11   VM3, VM4
C12   VM3, VM5
C13   VM3, SW1
C14   VM3, SW2
C15   VM4, VM5
C16   VM4, SW1
C17   VM4, SW2
C18   VM5, SW1

[Figure 10: Block two nodes vs. security metrics. x-axis: block nodes using flow table (Initial, C3, C6, C9, C12, C15, C18); left y-axis: PAS (0–1000); right y-axis: Risk (0–1).]

Table 4: A set of three-node block conditions.

ID    Nodes
C1    VM1, VM2, VM4
C2    VM1, VM2, VM5
C3    VM1, VM2, SW2
C4    VM1, VM3, VM4
C5    VM1, VM3, VM5
C6    VM1, VM3, SW2
C7    VM1, VM4, VM5
C8    VM1, VM4, SW2
C9    VM2, VM3, VM4
C10   VM2, VM3, VM5
C11   VM2, VM3, SW1
C12   VM2, VM3, SW2
C13   VM2, VM4, VM5
C14   VM2, VM4, SW1
C15   VM2, VM4, SW2
C16   VM2, VM5, SW1
C17   VM3, VM4, VM5
C18   VM3, VM4, SW1
C19   VM3, VM4, SW2
C20   VM3, VM5, SW1
C21   VM4, VM5, SW1

6.2 SDN Attack Surface. Furthermore, we use network devices that exist in the data plane for security modeling. However, SDN has a variety of components and threat vectors in addition to the data plane. Accordingly, we will incorporate the control plane and the SDN controller in the model in order to assess the security posture of the whole life-cycle of the SDN. In addition, the network may normally have an internal attacker, but we only used scenarios in which the attacker would always break in from the outside. We can deal with internal attackers in our future work.

[Figure 11: Block three nodes vs. security metrics. x-axis: block nodes using flow table (Initial, C3, C6, C9, C12, C15, C18, C21); left y-axis: PAS (0–1000); right y-axis: Risk (0–1).]

[Figure 12: Cost sensitivity analysis. (a) Loss cost (0–500) vs. total cost (0–3500); (b) Response cost (0–500) vs. total cost (0–1400). Series in both panels: tR < tA, tR = tA, tR = 2tA, tR = 3tA, tR = 4tA.]

Table 5: A set of conditions that include specific node(s).

ID    Nodes
C1    VM1
C2    SW2
C3    VM1, SW2
C4    VM4, SW1
C5    VM2, VM4, SW2
C6    VM3, VM5, SW1

6.3 Evaluation Correctness of Different Vulnerabilities. In this paper, we removed the assumption that an IDS may not work in real time and also that the detection rate may not be 100%. This is more realistic, as an attack which was detected at the entry point but progressed to install a backdoor on a user's computer may not be mitigated effectively by only enhancing the entry point vulnerability. As such, we go beyond securing the point of detection and evaluate the possible extensions of the damage. However, we did not explicitly evaluate the effects of the different vulnerabilities present, where some system settings may be mitigated well by securing the detection point (e.g., security by design). As we only focused on the usefulness of precomputation, we will investigate the impact of secure design in the context of our work in the future.

6.4 Multiple Attackers. In this paper, we focused only on a single-attacker version, but in reality there can be multiple attackers trying to exploit the SDN via various entry routes. However, because we already precomputed all possible attack paths and the IDSes are working in real time, our attack response module only has to make sure that different attackers are differentiated when formulating countermeasures. In this way, our proposed solution can mitigate multiple attackers, even ones exploiting different attack surfaces. On the other hand, we only handled targeted attacks. Therefore, volume-based attacks such as DDoS are not appropriately addressed by our solution. We will investigate mitigation schemes for volume-based attacks in the SDN in our future work.

6.5 Network Topology Changes. In this paper, we changed the network flow to respond to the attack when it occurred. However, the network topology of an SDN can be dynamic. Therefore, when the model changes, it is necessary to redo the precomputation for the changed model. This could be a similar solution to the MTD in response to an attack [5]. In our future work, we will investigate the application of precomputation to changing models.

7 Related Work

7.1 General SDN Security. Various security issues related to the SDN have been studied previously [1, 31–34]. Kreutz et al. [6] presented new threat vectors of the SDN that were not present in traditional networks. They also provided some potential solutions to mitigate their identified threats. However, they do not specify the means to evaluate those threats. We aim to provide solutions to some of these problems in this paper. Shin et al. [35] presented a framework named FRESCO, which enhances the security of the OpenFlow protocol for the SDN, allowing them to detect and mitigate attacks. This work shows that SDN components such as SDN switches are prone to cyber attacks. Porras et al. [36] presented SE-Floodlight, an extension to the widely used OpenFlow Floodlight Controller, to provide additional security features to protect the control plane of the SDN. Our paper aims to leverage these technologies and provide a comprehensive security analysis of the SDN.

7.2 Intrusion Detection in SDN. An intrusion is defined as a successfully carried out attack, including any malicious behavior in the system. Intrusion detection is an activity to detect such intrusions. It is ideal to detect all the intrusions with 100% accuracy, but in practice this is infeasible. Because intrusion detection is not perfect, there are always false alarms, reflected in the true-positive and false-positive rates. Several types of research have been conducted on attack detection in the SDN environment. Dhawan et al. [25] proposed SPHINX, a framework to detect attacks on network topology and data plane forwarding. Braga et al. [26] proposed a lightweight method for detecting DDoS attacks based on traffic flow capabilities. Giotis et al. [27] presented how to apply SDN for distributed denial of service (DDoS) mitigation by using the OpenFlow protocol as a means to enhance the legacy Remote Triggered Black-Hole (RTBH). In [28], they performed anomaly detection and mitigation in the SDN architecture through an efficient and scalable mechanism. Although not perfect, we can leverage these techniques to detect intrusions in the SDN, which can be used to formulate optimal countermeasures using the HARM.

7.3 Security Modeling for SDN. For security modeling and analysis, Chung et al. [37] presented NICE, a network intrusion detection and countermeasure selection framework. The core of this framework is using an AG to evaluate the security. However, there are limitations to using an AG due to its scalability issues. Similarly, many of the existing graphical security models, as described in [10, 11], suffer from scalability and adaptability problems [5]. Typically, the scalability problem arises when these models have real-time constraints. In order to address this issue, our approach is to precompute attack scenarios in advance and use them where necessary. Hence, we propose to use a full AG, as presented in [18], to generate all possible attack paths in the precomputation. Moreover, we also use the HARM [17], which supports scalable and adaptable security modeling and analysis. By precomputing all possible attack paths, we can quickly evaluate the security posture of the SDN when an intrusion is detected and formulate effective countermeasures in real time.

[Figure 13: Specific node(s) vs. security evaluation time. x-axis: specific nodes (Initial, C1, C2, C3, C4, C5, C6); y-axis: security evaluation time (ms), 0–50; series: Attack graph, Full attack graph.]

8 Conclusion

SDN provides functionalities that can dynamically control the network flow, enabling a more robust and economical way of managing network communications. However, it also introduced new vulnerabilities and attack vectors that were not present previously. As a result, many have proposed security solutions to strengthen the SDN against cyber attacks. Nevertheless, there is still a lack of security modeling and analysis for SDN that enables a system administrator to have a systematic security overview of the SDN.

In this paper, we proposed a security modeling and analysis framework with precomputation for the SDN to formulate countermeasures in real time. The precomputation method was used for the AG, the full AG, and the HARM to generate attack scenarios of the current SDN, which can then be used in conjunction with the IDS to correlate detections with the precomputed attack scenarios. Further, the precomputed models can be used for predicting potential attacks in case the detection mechanisms are delayed. To verify, we carried out experimental analysis on the SDN testbed and simulations, which showed that our proposed approaches would be practical and effective in the SDN to defend against an ongoing attack in real time.

Data Availability

The vulnerability data used to support the findings of this study are included within the article.

Conflicts of Interest

The authors declare that they have no conflicts of interest.

References

[1] G. Stabler, A. Rosen, S. Goasguen, and K.-C. Wang, "Elastic IP and security groups implementation using OpenFlow," in Proceedings of the 6th International Workshop on Virtualization Technologies in Distributed Computing Date, ser. VTDC '12, pp. 53–60, ACM, New York, NY, USA, 2012.

[2] D. Kreutz, F. M. V. Ramos, P. Veríssimo, C. E. Rothenberg, S. Azodolmolky, and S. Uhlig, "Software-defined networking: a comprehensive survey," Proceedings of the IEEE, vol. 103, no. 1, p. 63, 2015.

[3] M. Tariq, B. Koldehofe, S. Bhowmik, and K. Rothermel, "PLEROMA: a SDN-based high performance publish/subscribe middleware," in Proceedings of the 15th International Middleware Conference (Middleware 2014), pp. 217–228, ACM, New York, NY, USA, 2014.

[4] J. Jafarian, E. Al-Shaer, and Q. Duan, "OpenFlow random host mutation: transparent moving target defense using software defined networking," in Proc. of the 1st Workshop on Hot Topics in Software Defined Networks (HotSDN 2012), pp. 127–132, ACM, New York, NY, USA, 2012.

[5] J. B. Hong and D. S. Kim, "Assessing the effectiveness of moving target defenses using security models," IEEE Transactions on Dependable and Secure Computing, vol. 13, no. 2, pp. 163–177, 2016.

[6] D. Kreutz, F. M. Ramos, and P. Verissimo, "Towards secure and dependable software-defined networks," in Proceedings of the Second ACM SIGCOMM Workshop on Hot Topics in Software Defined Networking, ser. HotSDN '13, pp. 55–60, ACM, New York, NY, USA, 2013.

[7] S. Lee, C. Yoon, C. Lee, S. Shin, V. Yegneswaran, and P. A. Porras, "Delta: a security assessment framework for software-defined networks," in Proceedings of the 2017 Network and Distributed System Security Symposium, San Diego, CA, USA, March 2017.

[8] S. Lee, J. Kim, S. Shin, P. Porras, and V. Yegneswaran, "Athena: a framework for scalable anomaly detection in software-defined networks," in Proceedings of the 2017 47th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN), pp. 249–260, Denver, CO, USA, June 2017.

[9] S. Nanda, F. Zafari, C. DeCusatis, E. Wedaa, and B. Yang, "Predicting network attack patterns in SDN using machine learning approach," in Proceedings of the 2016 IEEE Conference on Network Function Virtualization and Software Defined Networks (NFV-SDN), pp. 167–172, Palo Alto, CA, USA, November 2016.

[10] B. Kordy, L. Pietre-Cambacedes, and P. Schweitzer, "DAG-based attack and defense modeling: don't miss the forest for the attack trees," Computer Science Review, vol. 13-14, pp. 1–38, 2014.

[11] J. B. Hong, D. S. Kim, C.-J. Chung, and D. Huang, "A survey on the usability and practical applications of graphical security models," Computer Science Review, vol. 26, pp. 1–16, 2017.

[12] H. Xu, J. Su, X. Zong, and L. Yan, "Attack identification for software-defined networking based on attack trees and extension innovation methods," in Proceedings of the 2017 9th IEEE International Conference on Intelligent Data Acquisition and Advanced Computing Systems: Technology and Applications (IDAACS), vol. 1, pp. 485–489, Bucharest, Romania, September 2017.

[13] L. Yao, P. Dong, T. Zheng, H. Zhang, X. Du, and M. Guizani, "Network security analyzing and modeling based on Petri net and attack tree for SDN," in Proceedings of the 2016 International Conference on Computing, Networking and Communications (ICNC), pp. 1–5, Kauai, HI, USA, February 2016.

[14] A. Roy, D. Kim, and K. Trivedi, "Scalable optimal countermeasure selection using implicit enumeration on attack countermeasure trees," in Proceedings of the 42nd Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN 2012), pp. 1–12, IEEE Computer Society, Los Alamitos, CA, USA, June 2012.

[15] J. Hong and D. Kim, "Performance analysis of scalable attack representation models," in Security and Privacy Protection in Information Processing Systems (SEC 2013), L. Janczewski, H. Wolfe, and S. Shenoi, Eds., vol. 405, pp. 330–343, Springer, Berlin, Germany, 2013.

[16] R. Lippmann and K. Ingols, "An Annotated Review of Past Papers on Attack Graphs," Technical report ESC-TR-2005-054, MIT Lincoln Laboratory, Lexington, MA, USA, 2005.

[17] J. B. Hong and D. S. Kim, "Towards scalable security analysis using multi-layered security models," Journal of Network and Computer Applications, vol. 75, pp. 156–168, 2016.

[18] K. Ingols, R. Lippmann, and K. Piwowarski, "Practical attack graph generation for network defense," in Proceedings of the 22nd Annual Computer Security Applications Conference (ACSAC 2006), pp. 121–130, Miami Beach, FL, USA, December 2006.

[19] Z. Shu, J. Wan, D. Li, J. Lin, A. V. Vasilakos, and M. Imran, "Security in software-defined networking: threats and countermeasures," Mobile Networks and Applications, vol. 21, no. 5, pp. 764–776, 2016.

[20] M. Albanese, S. Jajodia, and S. Noel, "Time-efficient and cost-effective network hardening using attack graphs," in Proceedings of the 42nd Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN 2012), IEEE Computer Society, Los Alamitos, CA, USA, June 2012.

[21] J. Beale, R. Deraison, H. Meer, R. Temmingh, and C. Walte, NESSUS Project, Syngress Publishing, Burlington, MA, USA, 2002, http://www.nessus.org.

[22] O. Developers, "The open vulnerability assessment system (OpenVAS)," 2012.

[23] J. Hong and D. Kim, "Scalable security model generation and analysis using k-importance measures," in Security and Privacy in Communication Networks (SecureComm 2013), T. Zia, A. Zomaya, V. Varadharajan, and M. Mao, Eds., vol. 127, pp. 270–287, Springer, Berlin, Germany, 2013.

[24] M. Schiffman, G. Eschelbeck, D. Ahmad, A. Wright, and S. Romanosky, CVSS: A Common Vulnerability Scoring System, National Infrastructure Advisory Council (NIAC), 2004.

[25] M. Dhawan, R. Poddar, K. Mahajan, and V. Mann, "SPHINX: detecting security attacks in software-defined networks," in Proceedings of the 2015 Network and Distributed System Security Symposium, vol. 15, pp. 8–11, San Diego, CA, USA, February 2015.

[26] R. Braga, E. M. M. Braga, and A. Passito, "Lightweight DDoS flooding attack detection using NOX/OpenFlow," in Proceedings of the 2010 IEEE 35th Conference on Local Computer Networks, ser. LCN '10, pp. 408–415, IEEE Computer Society, Washington, DC, USA, October 2010.

[27] K. Giotis, G. Androulidakis, and V. Maglaris, "Leveraging SDN for efficient anomaly detection and mitigation on legacy networks," in Proceedings of the 2014 Third European Workshop on Software Defined Networks, ser. EWSDN '14, pp. 85–90, IEEE Computer Society, Washington, DC, USA, September 2014.

[28] K. Giotis, C. Argyropoulos, G. Androulidakis, D. Kalogeras, and V. Maglaris, "Combining OpenFlow and sFlow for an effective and scalable anomaly detection and mitigation mechanism on SDN environments," Computer Networks, vol. 62, pp. 122–136, 2014.

[29] B. Schneier, Secrets and Lies: Digital Security in a Networked World, John Wiley & Sons, Hoboken, NJ, USA, 2000.

[30] J. Hong and D. Kim, "Scalable security analysis in hierarchical attack representation model using centrality measures," in Proceedings of the 43rd Annual IEEE/IFIP International Conference on Dependable Systems and Networks Workshop (DSNW 2013), pp. 1–8, Budapest, Hungary, June 2013.

[31] N. Gude, T. Koponen, J. Pettit et al., "NOX: towards an operating system for networks," ACM SIGCOMM Computer Communication Review, vol. 38, no. 3, pp. 105–110, 2008.

[32] M. Casado, T. Garfinkel, A. Akella et al., "A protection architecture for enterprise networks," in Proceedings of the 15th Conference on USENIX Security Symposium, Volume 15, ser. USENIX-SS '06, USENIX Association, Berkeley, CA, USA, July 2006.

[33] J. Matias, J. Garay, A. Mendiola, N. Toledo, and E. Jacob, "FlowNAC: flow-based network access control," in Proceedings of the 2014 Third European Workshop on Software Defined Networks, ser. EWSDN '14, pp. 79–84, IEEE Computer Society, Washington, DC, USA, September 2014.

[34] J. B. Guang Yao and P. Xiao, "Source address validation solution with OpenFlow/NOX architecture," in Proceedings of the 2011 19th IEEE International Conference on Network Protocols, pp. 7–12, Vancouver, Canada, October 2011.

[35] S. Shin, P. A. Porras, V. Yegneswaran et al., "Modular composable security services for software-defined networks," in Proceedings of the 20th Annual Network & Distributed System Security Symposium, The Internet Society, San Diego, CA, USA, 2013.

[36] P. Porras, S. Cheung, M. Fong, K. Skinner, and V. Yegneswaran, "Securing the software-defined network control layer," in Proceedings of the 2015 Network and Distributed System Security Symposium (NDSS), San Diego, CA, USA, February 2015.

[37] C.-J. Chung, P. Khatkar, T. Xing, J. Lee, and D. Huang, "NICE: network intrusion detection and countermeasure selection in virtual network systems," IEEE Transactions on Dependable and Secure Computing, vol. 10, no. 4, pp. 198–211, 2013.


[15] J Hong and D Kim ldquoPerformance analysis of scalable attackrepresentation modelsrdquo in Security and Privacy Protection inInformation Processing Systems (SEC 2013) L JanczewskiH Wolfe and S Shenoi Eds vol 405 pp 330ndash343 SpringerBerlin Germany 2013

14 Security and Communication Networks

[16] R Lippmann and K Ingols ldquoAn Annotated Review of PastPapers on Attack Graphsrdquo Technical report ESC-TR-2005-054 MIT Lincoln Laboratory Lexington MA USA 2005

[17] J B Hong and D S Kim ldquoTowards scalable security analysisusing multi-layered security modelsrdquo Journal of Network andComputer Applications vol 75 pp 156ndash168 2016

[18] K Ingols R Lippmann and K Piwowarski ldquoPractical attackgraph generation for network defenserdquo in Proceedings of the22nd Annual Computer Security Applications Conference(ACSAC 2006) pp 121ndash130 Miami Beach FL USA De-cember 2006

[19] Z Shu J Wan D Li J Lin A V Vasilakos and M ImranldquoSecurity in software-defined networking threats andcountermeasuresrdquoMobile Networks and Applications vol 21no 5 pp 764ndash776 2016

[20] M Albanese S Jajodia and S Noel ldquoTime-efficient and cost-effective network hardening using attack graphsrdquo in Pro-ceedings of the 42nd Annual IEEEIFIP International Con-ference on Dependable Systems and Networks (DSN 2012)IEEE Computer Society Los Alamitos CA USA June 2012

[21] J Beale R Deraison H Meer R Temmingh and CWalteNESSUS project Syngress Publishing Burlington MA USA2002 httpwwwnessusorg

[22] O Developers ldquo)e open vulnerability assessment system(openvas)rdquo 2012

[23] J Hong and D Kim ldquoScalable security model generation andanalysis using k-importance measuresrdquo in Security and Pri-vacy in Communication Networks (SecureComm 2013) T ZiaA Zomaya V Varadharajan and M Mao Eds vol 127pp 270ndash287 Springer Berlin Germany 2013

[24] M Schiffman G Eschelbeck D Ahmad A Wright andS Romanosky CVSS A Common vulnerability scoring systemNational Infrastructure Advisory Council (NIAC) GoogleScholar 2004

[25] M Dhawan R Poddar K Mahajan and V Mann ldquoSphinxdetecting security attacks in software-defined networksrdquo inProceedings of the 2015 Network and Distributed System Se-curity Symposium vol 15 pp 8ndash11 San Diego CA USAFebruary 2015

[26] R Braga E M M Braga and A Passito ldquoPassito ldquoLight-weight ddos flooding attack detection using noxopenflowrdquo inProceedings of the 2010 IEEE 35th Conference on LocalComputer Networks ser LCN rsquo10 pp 408ndash415 IEEE Com-puter Society Washington DC USA October 2010

[27] K Giotis G Androulidakis and V Maglaris ldquoLeveraging sdnfor efficient anomaly detection and mitigation on legacynetworksrdquo in Proceedings of the 2014 ird EuropeanWorkshop on Software Defined Networks ser EWSDN rsquo14pp 85ndash90 IEEE Computer Society Washington DC USASeptember 2014

[28] K Giotis C Argyropoulos G Androulidakis D Kalogerasand V Maglaris ldquoCombining openflow and sflow for aneffective and scalable anomaly detection and mitigationmechanism on sdn environmentsrdquo Computer Networksvol 62 pp 122ndash136 2014

[29] B Schneier Secrets and Lies Digital Security in a NetworkedWorld John Wiley amp Sons Hoboken NJ USA 2000

[30] J Hong and D Kim ldquoScalable security analysis in hierarchicalattack representation model using centrality measuresrdquo inProceedings of the 43rd Annual IEEEIFIP InternationalConference on Dependable Systems and Networks Workshop(DSNW 2013) pp 1ndash8 Budapest Hungary June 2013

[31] N Gude T Koponen J Pettit et al ldquoNox towards an op-erating system for networksrdquo ACM SIGCOMM ComputerCommunication Review vol 38 no 3 pp 105ndash110 2008

[32] M Casado T Garfinkel A Akella et al ldquoA protection ar-chitecture for enterprise networksrdquo in Proceedings of the 15thConference on USENIX Security Symposium-Volume 15 serUSENIX-SSrsquo06 USENIX Association Berkeley CA USA July2006

[33] J Matias J Garay A Mendiola N Toledo and E JacobldquoFlownac flow-based network access controlrdquo in Proceedingsof the 2014 ird European Workshop on Software DefinedNetworks ser EWSDN rsquo14 pp 79ndash84 IEEE Computer So-ciety Washington DC USA September 2014

[34] J B Guang Yao and P Xiao ldquoSource address validationsolution with openflownox architecturerdquo in Proceedings ofthe 2011 19th IEEE International Conference on NetworkProtocols pp 7ndash12 Vancouver Canada October 2011

[35] S Shin P A Porras V Yegneswaran et al ldquoModularcomposable security services for software-defined networksrdquoin Proceedings of the 20th Annual Network amp DistributedSystem Security Symposium )e Internet Society San DiegoCA USA 2013

[36] P Porras S Cheung M Fong K Skinner andV Yegneswaran ldquoSecuring the software-defined networkcontrol layerrdquo in Proceedings of the 2015 Network and Dis-tributed System Security Symposium (NDSS) San Diego CAUSA February 2015

[37] C-J Chung P Khatkar T Xing J Lee and D Huang ldquoNICEnetwork intrusion detection and countermeasure selection invirtual network systemsrdquo IEEE Transactions on Dependableand Secure Computing vol 10 no 4 pp 198ndash211 2013

Security and Communication Networks 15

Source: downloads.hindawi.com/journals/scn/2020/7235043.pdf (Security and Communication Networks, Hindawi, 2020-02-18).

6.3. Evaluation of the Correctness of Different Vulnerabilities. In this paper we removed the assumption that an IDS works in real time and that its detection rate is 100%. This is more realistic: an attack that was detected at the entry point but has already progressed to install a backdoor on a user's computer cannot be mitigated effectively by hardening the entry-point vulnerability alone. We therefore go beyond securing the point of detection and evaluate the possible extent of the damage. However, we did not explicitly evaluate the effects of the different vulnerabilities present, where some system settings may be mitigated well by securing the detection point (e.g., security by design). As we focused only on the usefulness of precomputation, we will investigate the impact of secure design in the context of our work in the future.

6.4. Multiple Attackers. In this paper we considered only a single attacker, but in reality there can be multiple attackers trying to exploit the SDN through various entry routes. However, because all possible attack paths are already precomputed and the IDSes work in real time, our attack response module only has to make sure that different attackers are distinguished when formulating countermeasures. In this way, our proposed solution can mitigate multiple attackers, even ones exploiting different attack surfaces. On the other hand, we handled only targeted attacks; therefore, volume-based attacks such as DDoS are not appropriately addressed by our solution. We will investigate mitigation schemes for volume-based attacks in the SDN in our future work.

6.5. Network Topology Changes. In this paper we changed the network flow to respond to the attack when it occurred. However, the network topology of an SDN can be dynamic; therefore, when the model changes, the precomputation must be redone for the changed model. This could be a solution similar to the MTD in response to an attack [5]. In our future work we will investigate the application of precomputation to changing models.
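As an added illustration of the precompute-then-look-up idea that Sections 6.4 and 6.5 rely on (example code written for this page, not the authors' framework or testbed), the following Python sketch enumerates every attack path of a small, constructed host-reachability graph once, answers each IDS alert by a lookup into that index, keeps per-attacker state so that concurrent attackers are handled separately, and redoes the precomputation when the topology changes. The graph, the per-host exploit probabilities (the paper derives such values from CVSS scores [24]; the numbers here are made up), the alert format (attacker id, compromised host), the likelihood measure (product of the exploit probabilities of the hosts still to be compromised along a path) and the drop-rule representation of a countermeasure are all assumptions made for the example; nothing here talks to an OpenFlow controller.

```python
"""Added example for Sections 6.4 and 6.5 (written for this page; not the
authors' framework or testbed code).

Assumptions, all constructed for the example:
- the SDN is abstracted as a directed host-reachability graph (REACH),
- each host carries one exploit probability (P_EXPLOIT); the paper derives
  such values from CVSS scores, the numbers here are made up,
- an IDS alert is the pair (attacker_id, compromised_host),
- a countermeasure is a drop rule on a (src, dst) host pair; the real
  framework pushes OpenFlow rules, which this sketch does not model.
"""
from collections import defaultdict

# Constructed topology: the attacker's entry point, four hosts, one target.
REACH = {
    "attacker": ["h1", "h2"],
    "h1": ["h3"],
    "h2": ["h3", "h4"],
    "h3": ["T"],
    "h4": ["T"],
    "T": [],
}
# Constructed exploit probabilities per host (the entry point needs none).
P_EXPLOIT = {"h1": 0.8, "h2": 0.5, "h3": 0.6, "h4": 0.9, "T": 0.7}


def enumerate_attack_paths(reach, entry, target):
    """Precomputation step: every simple path entry -> target (the full AG)."""
    paths = []

    def dfs(node, path):
        if node == target:
            paths.append(tuple(path))
            return
        for nxt in reach.get(node, ()):
            if nxt not in path:  # simple paths only: never revisit a host
                path.append(nxt)
                dfs(nxt, path)
                path.pop()

    dfs(entry, [entry])
    return paths


def remaining_likelihood(path, host, p_exploit):
    """Probability that the rest of `path` succeeds once the attacker holds `host`."""
    prob = 1.0
    for h in path[path.index(host) + 1:]:
        prob *= p_exploit[h]
    return prob


class PrecomputedResponder:
    """Answers IDS alerts by lookup into paths computed ahead of time."""

    def __init__(self, reach, p_exploit, entry, target):
        self.p_exploit = dict(p_exploit)
        self.entry, self.target = entry, target
        self.progress = defaultdict(set)  # attacker_id -> hosts it holds (Sec. 6.4)
        self.update_topology(reach)

    def update_topology(self, reach):
        """The expensive step; rerun whenever the model changes (Sec. 6.5)."""
        self.reach = {k: list(v) for k, v in reach.items()}
        self.paths = enumerate_attack_paths(self.reach, self.entry, self.target)
        self.by_host = defaultdict(list)  # host -> indices of paths through it
        for i, path in enumerate(self.paths):
            for host in path[1:]:
                self.by_host[host].append(i)

    def predict(self, attacker_id, compromised_host):
        """Real-time step: rank this attacker's likely next hops, best first."""
        held = self.progress[attacker_id]
        held.add(compromised_host)
        if compromised_host == self.target:
            return []  # nothing left to predict; the target is already reached
        best = {}
        for i in self.by_host.get(compromised_host, []):
            path = self.paths[i]
            if not held.issubset(path):  # inconsistent with this attacker's history
                continue
            nxt = path[path.index(compromised_host) + 1]
            if nxt in held:
                continue
            lik = remaining_likelihood(path, compromised_host, self.p_exploit)
            best[nxt] = max(best.get(nxt, 0.0), lik)
        return sorted(best.items(), key=lambda kv: kv[1], reverse=True)

    def countermeasures(self, attacker_id, compromised_host):
        """Drop rules cutting the compromised host off from its likely next hops."""
        return [
            {"match": {"src": compromised_host, "dst": nxt}, "action": "drop"}
            for nxt, _ in self.predict(attacker_id, compromised_host)
        ]


if __name__ == "__main__":
    responder = PrecomputedResponder(REACH, P_EXPLOIT, "attacker", "T")
    print("precomputed paths:", responder.paths)
    print("atk1 at h2 ->", responder.predict("atk1", "h2"))
    print("atk2 at h1 ->", responder.predict("atk2", "h1"))  # tracked separately
    print("rules:", responder.countermeasures("atk1", "h2"))
    # The response changed the flows, so the model is rebuilt (Sec. 6.5).
    changed = {k: list(v) for k, v in REACH.items()}
    changed["h2"].remove("h4")
    responder.update_topology(changed)
    print("after rebuild:", responder.paths)
```

Everything expensive lives in `update_topology`: enumerating simple paths is exponential in the worst case, which is exactly the scalability problem the paper addresses with the HARM, so this sketch is meaningful only for small models or as the offline stage. `predict` touches only the paths indexed under the alerted host, which is what makes the online step cheap; the per-attacker progress sets keep concurrent attackers apart, and a path that does not contain every host an attacker is already known to hold is discarded as belonging to a different attacker or a different route.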

7. Related Work

7.1. General SDN Security. Various security issues related to the SDN have been studied previously [1, 31–34]. Kreutz et al. [6] presented new threat vectors of the SDN that were not present in traditional networks. They also provided some potential solutions to mitigate the identified threats; however, they did not specify the means to evaluate those threats. We aim to provide solutions to some of these problems in this paper. Shin et al. [35] presented a framework named FRESCO to enhance the security of the OpenFlow protocol for the SDN, so that attacks can be detected and mitigated. This work shows that SDN components such as SDN switches are prone to cyber attacks. Porras et al. [36] presented SE-Floodlight, an extension to the widely used OpenFlow Floodlight controller, to provide additional security features that protect the control plane of the SDN. Our paper aims to leverage these technologies and provide a comprehensive security analysis of the SDN.

7.2. Intrusion Detection in SDN. An intrusion is a successfully carried out attack, including any malicious behavior in the system, and intrusion detection is the activity of detecting such intrusions. Ideally every intrusion would be detected with 100% accuracy, but in practice this is infeasible: because intrusion detection is imperfect, a detector has a true-positive rate below 100% and a nonzero false-positive rate, so some intrusions are missed and some alarms are false. Several studies have addressed attack detection in the SDN environment. Dhawan et al. [25] proposed SPHINX, a framework to detect attacks on the network topology and on data plane forwarding. Braga et al. [26] proposed a lightweight method for detecting DDoS attacks based on traffic flow features. Giotis et al. [27] showed how to apply the SDN to distributed denial of service (DDoS) mitigation, using the OpenFlow protocol to enhance legacy Remote Triggered Black-Hole (RTBH) filtering, and in [28] they performed anomaly detection and mitigation in the SDN architecture through an efficient and scalable mechanism. Although these techniques are not perfect, we can leverage them to detect intrusions in the SDN, and the detections can then be used to formulate optimal countermeasures using the HARM.

7.3. Security Modeling for SDN. For security modeling and analysis, Chung et al. [37] presented NICE, a network intrusion detection and countermeasure selection framework. The core of this framework is an AG used to evaluate security. However, the AG has limitations due to its scalability issues. Similarly, many of the existing graphical security models described in [10, 11] suffer from scalability and adaptability problems [5]. Typically, the scalability problem arises when these models face real-time constraints. To address this issue, our approach is to precompute attack scenarios in advance and use them where necessary. Hence, we propose to use a full AG, as presented in [18], to generate all possible attack paths in the precomputation. Moreover, we also use the HARM [17], which supports scalable and adaptable security modeling and analysis. By precomputing all possible attack paths, we can quickly evaluate the security posture of the SDN when an intrusion is detected and formulate effective countermeasures in real time.

Figure 13: Specific node(s) vs. security evaluation time. (Plot not reproduced: the x-axis lists the specific nodes Initial, C1, C2, C3, C4, C5, C6; the y-axis is security evaluation time in ms from 0 to 50; the two series are the attack graph and the full attack graph.)

8. Conclusion

SDN provides functionalities that dynamically control the network flow, enabling a more robust and economical way of managing network communications. However, it also introduced new vulnerabilities and attack vectors that were not present previously. As a result, many security solutions have been proposed to strengthen the SDN against cyber attacks. Nevertheless, there is still a lack of security modeling and analysis for the SDN that would give a system administrator a systematic security overview of the SDN.

In this paper we proposed a security modeling and analysis framework with precomputation for the SDN to formulate countermeasures in real time. The precomputation method was applied to the AG, the full AG, and the HARM to generate attack scenarios of the current SDN, which can then be used in conjunction with the IDS by correlating its alerts with the precomputed attack scenarios. Further, the precomputed models can be used to predict potential attacks in case the detection mechanisms are delayed. To verify the approach, we carried out experimental analysis on the SDN testbed and simulations, which showed that our proposed approaches would be practical and effective in the SDN for defending against an ongoing attack in real time.

Data Availability

The vulnerability data used to support the findings of this study are included within the article.

Conflicts of Interest

The authors declare that they have no conflicts of interest.

References

[1] G. Stabler, A. Rosen, S. Goasguen, and K.-C. Wang, "Elastic IP and security groups implementation using OpenFlow," in Proceedings of the 6th International Workshop on Virtualization Technologies in Distributed Computing (VTDC '12), pp. 53–60, ACM, New York, NY, USA, 2012.

[2] D. Kreutz, F. M. V. Ramos, P. Veríssimo, C. E. Rothenberg, S. Azodolmolky, and S. Uhlig, "Software-defined networking: a comprehensive survey," Proceedings of the IEEE, vol. 103, no. 1, p. 63, 2015.

[3] M. Tariq, B. Koldehofe, S. Bhowmik, and K. Rothermel, "PLEROMA: a SDN-based high performance publish/subscribe middleware," in Proceedings of the 15th International Middleware Conference (Middleware 2014), pp. 217–228, ACM, New York, NY, USA, 2014.

[4] J. Jafarian, E. Al-Shaer, and Q. Duan, "OpenFlow random host mutation: transparent moving target defense using software defined networking," in Proceedings of the 1st Workshop on Hot Topics in Software Defined Networks (HotSDN 2012), pp. 127–132, ACM, New York, NY, USA, 2012.

[5] J. B. Hong and D. S. Kim, "Assessing the effectiveness of moving target defenses using security models," IEEE Transactions on Dependable and Secure Computing, vol. 13, no. 2, pp. 163–177, 2016.

[6] D. Kreutz, F. M. Ramos, and P. Veríssimo, "Towards secure and dependable software-defined networks," in Proceedings of the Second ACM SIGCOMM Workshop on Hot Topics in Software Defined Networking (HotSDN '13), pp. 55–60, ACM, New York, NY, USA, 2013.

[7] S. Lee, C. Yoon, C. Lee, S. Shin, V. Yegneswaran, and P. A. Porras, "DELTA: a security assessment framework for software-defined networks," in Proceedings of the 2017 Network and Distributed System Security Symposium, San Diego, CA, USA, March 2017.

[8] S. Lee, J. Kim, S. Shin, P. Porras, and V. Yegneswaran, "Athena: a framework for scalable anomaly detection in software-defined networks," in Proceedings of the 2017 47th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN), pp. 249–260, Denver, CO, USA, June 2017.

[9] S. Nanda, F. Zafari, C. DeCusatis, E. Wedaa, and B. Yang, "Predicting network attack patterns in SDN using machine learning approach," in Proceedings of the 2016 IEEE Conference on Network Function Virtualization and Software Defined Networks (NFV-SDN), pp. 167–172, Palo Alto, CA, USA, November 2016.

[10] B. Kordy, L. Piètre-Cambacédès, and P. Schweitzer, "DAG-based attack and defense modeling: don't miss the forest for the attack trees," Computer Science Review, vol. 13-14, pp. 1–38, 2014.

[11] J. B. Hong, D. S. Kim, C.-J. Chung, and D. Huang, "A survey on the usability and practical applications of graphical security models," Computer Science Review, vol. 26, pp. 1–16, 2017.

[12] H. Xu, J. Su, X. Zong, and L. Yan, "Attack identification for software-defined networking based on attack trees and extension innovation methods," in Proceedings of the 2017 9th IEEE International Conference on Intelligent Data Acquisition and Advanced Computing Systems: Technology and Applications (IDAACS), vol. 1, pp. 485–489, Bucharest, Romania, September 2017.

[13] L. Yao, P. Dong, T. Zheng, H. Zhang, X. Du, and M. Guizani, "Network security analyzing and modeling based on Petri net and attack tree for SDN," in Proceedings of the 2016 International Conference on Computing, Networking and Communications (ICNC), pp. 1–5, Kauai, HI, USA, February 2016.

[14] A. Roy, D. Kim, and K. Trivedi, "Scalable optimal countermeasure selection using implicit enumeration on attack countermeasure trees," in Proceedings of the 42nd Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN 2012), pp. 1–12, IEEE Computer Society, Los Alamitos, CA, USA, June 2012.

[15] J. Hong and D. Kim, "Performance analysis of scalable attack representation models," in Security and Privacy Protection in Information Processing Systems (SEC 2013), L. Janczewski, H. Wolfe, and S. Shenoi, Eds., vol. 405, pp. 330–343, Springer, Berlin, Germany, 2013.

[16] R. Lippmann and K. Ingols, "An annotated review of past papers on attack graphs," Technical Report ESC-TR-2005-054, MIT Lincoln Laboratory, Lexington, MA, USA, 2005.

[17] J. B. Hong and D. S. Kim, "Towards scalable security analysis using multi-layered security models," Journal of Network and Computer Applications, vol. 75, pp. 156–168, 2016.

[18] K. Ingols, R. Lippmann, and K. Piwowarski, "Practical attack graph generation for network defense," in Proceedings of the 22nd Annual Computer Security Applications Conference (ACSAC 2006), pp. 121–130, Miami Beach, FL, USA, December 2006.

[19] Z. Shu, J. Wan, D. Li, J. Lin, A. V. Vasilakos, and M. Imran, "Security in software-defined networking: threats and countermeasures," Mobile Networks and Applications, vol. 21, no. 5, pp. 764–776, 2016.

[20] M. Albanese, S. Jajodia, and S. Noel, "Time-efficient and cost-effective network hardening using attack graphs," in Proceedings of the 42nd Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN 2012), IEEE Computer Society, Los Alamitos, CA, USA, June 2012.

[21] J. Beale, R. Deraison, H. Meer, R. Temmingh, and C. van der Walt, Nessus Project, Syngress Publishing, Burlington, MA, USA, 2002, http://www.nessus.org.

[22] OpenVAS Developers, "The Open Vulnerability Assessment System (OpenVAS)," 2012.

[23] J. Hong and D. Kim, "Scalable security model generation and analysis using k-importance measures," in Security and Privacy in Communication Networks (SecureComm 2013), T. Zia, A. Zomaya, V. Varadharajan, and M. Mao, Eds., vol. 127, pp. 270–287, Springer, Berlin, Germany, 2013.

[24] M. Schiffman, G. Eschelbeck, D. Ahmad, A. Wright, and S. Romanosky, CVSS: A Common Vulnerability Scoring System, National Infrastructure Advisory Council (NIAC), 2004.

[25] M. Dhawan, R. Poddar, K. Mahajan, and V. Mann, "SPHINX: detecting security attacks in software-defined networks," in Proceedings of the 2015 Network and Distributed System Security Symposium, vol. 15, pp. 8–11, San Diego, CA, USA, February 2015.

[26] R. Braga, E. Mota, and A. Passito, "Lightweight DDoS flooding attack detection using NOX/OpenFlow," in Proceedings of the 2010 IEEE 35th Conference on Local Computer Networks (LCN '10), pp. 408–415, IEEE Computer Society, Washington, DC, USA, October 2010.

[27] K. Giotis, G. Androulidakis, and V. Maglaris, "Leveraging SDN for efficient anomaly detection and mitigation on legacy networks," in Proceedings of the 2014 Third European Workshop on Software Defined Networks (EWSDN '14), pp. 85–90, IEEE Computer Society, Washington, DC, USA, September 2014.

[28] K. Giotis, C. Argyropoulos, G. Androulidakis, D. Kalogeras, and V. Maglaris, "Combining OpenFlow and sFlow for an effective and scalable anomaly detection and mitigation mechanism on SDN environments," Computer Networks, vol. 62, pp. 122–136, 2014.

[29] B. Schneier, Secrets and Lies: Digital Security in a Networked World, John Wiley & Sons, Hoboken, NJ, USA, 2000.

[30] J. Hong and D. Kim, "Scalable security analysis in hierarchical attack representation model using centrality measures," in Proceedings of the 43rd Annual IEEE/IFIP International Conference on Dependable Systems and Networks Workshop (DSN-W 2013), pp. 1–8, Budapest, Hungary, June 2013.

[31] N. Gude, T. Koponen, J. Pettit et al., "NOX: towards an operating system for networks," ACM SIGCOMM Computer Communication Review, vol. 38, no. 3, pp. 105–110, 2008.

[32] M. Casado, T. Garfinkel, A. Akella et al., "A protection architecture for enterprise networks," in Proceedings of the 15th Conference on USENIX Security Symposium, Volume 15 (USENIX-SS '06), USENIX Association, Berkeley, CA, USA, July 2006.

[33] J. Matias, J. Garay, A. Mendiola, N. Toledo, and E. Jacob, "FlowNAC: flow-based network access control," in Proceedings of the 2014 Third European Workshop on Software Defined Networks (EWSDN '14), pp. 79–84, IEEE Computer Society, Washington, DC, USA, September 2014.

[34] G. Yao, J. Bi, and P. Xiao, "Source address validation solution with OpenFlow/NOX architecture," in Proceedings of the 2011 19th IEEE International Conference on Network Protocols, pp. 7–12, Vancouver, Canada, October 2011.

[35] S. Shin, P. A. Porras, V. Yegneswaran et al., "Modular composable security services for software-defined networks," in Proceedings of the 20th Annual Network & Distributed System Security Symposium, The Internet Society, San Diego, CA, USA, 2013.

[36] P. Porras, S. Cheung, M. Fong, K. Skinner, and V. Yegneswaran, "Securing the software-defined network control layer," in Proceedings of the 2015 Network and Distributed System Security Symposium (NDSS), San Diego, CA, USA, February 2015.

[37] C.-J. Chung, P. Khatkar, T. Xing, J. Lee, and D. Huang, "NICE: network intrusion detection and countermeasure selection in virtual network systems," IEEE Transactions on Dependable and Secure Computing, vol. 10, no. 4, pp. 198–211, 2013.

Security and Communication Networks 15

Page 14: AFrameworkforReal-TimeIntrusionResponseinSoftware ...downloads.hindawi.com/journals/scn/2020/7235043.pdf · 2020-02-18 · ResearchArticle AFrameworkforReal-TimeIntrusionResponseinSoftware

where necessary Hence we propose to use a full AG aspresented in [18] to generate all possible attack paths in theprecomputation Moreover we also use the HARM [17] thatsupports scalable and adaptable security modeling andanalysis By precomputing all possible attack paths we canquickly evaluate the security posture of the SDN when anintrusion is detected and formulate effective countermea-sures in real time

8 Conclusion

SDN provides functionalities that can dynamically controlthe network flow enabling a more robust and economicalway of managing network communications However it alsointroduced new vulnerabilities and attack vectors that werenot present previously As a result many have proposedsecurity solutions to strengthen the SDN against cyber at-tacks Nevertheless there is still a lack of security modelingand analysis for SDN which enables a system administratorto have a systematic security overview of the SDN

In this paper we proposed a security modeling andanalysis framework with precomputation for the SDN toformulate countermeasures in real time )e pre-computation method was used for the AG full AG andthe HARM to generate attack scenarios of the currentSDN which can then be used in conjunction with the IDSand correlate with the precomputed attack scenariosFurther the precomputed models can be used for pre-dicting potential attacks in case the detection mechanismsare delayed To verify we carried out experimentalanalysis on the SDN testbed and simulations whichshowed that our proposed approaches would be practicaland effective in the SDN to defend against an ongoingattack in real time

Data Availability

)e vulnerability data used to support the findings of thisstudy are included within the article

Conflicts of Interest

)e authors declare that they have no conflicts of interest

References

[1] G Stabler A Rosen S Goasguen and K-C Wang ldquoElastic ipand security groups implementation using openflowrdquo inProceedings of the 6th International Workshop on Virtuali-zation Technologies in Distributed Computing Date ser VTDCrsquo12 pp 53ndash60 ACM New York NY USA 2012

[2] D Kreutz F M V Ramos P Verıssimo C E RothenbergS Azodolmolky and S Uhlig ldquoSoftware-defined networkinga comprehensive surveyrdquo Proceedings of the IEEE vol 103no 1 p 63 2015

[3] M Tariq B Koldehofe S Bhowmik and K RothermelldquoPLEROMA A SDN-based high performance publishsub-scribe middlewarerdquo in Proceedings of the 15th InternationalMiddleware Conference (Middleware 2014) pp 217ndash228ACM New York NY USA 2014

[4] J Jafarian E Al-Shaer and Q Duan ldquoOpenflow random hostmutation transparent moving target defense using softwaredefined networkingrdquo in Proc of the 1st Workshop on HotTopics in Software Defined Networks (HotSDN 2012)pp 127ndash132 ACM New York NY USA 2012

[5] J B Hong and D S Kim ldquoAssessing the effectiveness ofmoving target defenses using security modelsrdquo IEEE Trans-actions on Dependable and Secure Computing vol 13 no 2pp 163ndash177 2016

[6] D Kreutz F M Ramos and P Verissimo ldquoTowards secureand dependable software-defined networksrdquo in Proceedings ofthe Second ACM SIGCOMM Workshop on Hot Topics inSoftware Defined Networking ser HotSDN rsquo13 pp 55ndash60ACM New York NY USA 2013

[7] S Lee C Yoon C Lee S Shin V Yegneswaran andP A Porras ldquoDelta a security assessment framework forsoftware-defined networksrdquo in Proceedings of the 2017 Net-work and Distributed System Security Symposium San DiegoCA USA March 2017

[8] S Lee J Kim S Shin P Porras and V YegneswaranldquoAthena A framework for scalable anomaly detection insoftware-defined networksrdquo in Proceedings of the 2017 47thAnnual IEEEIFIP International Conference on DependableSystems and Networks (DSN) pp 249ndash260 Denver CO USAJune 2017

[9] S Nanda F Zafari C DeCusatis E Wedaa and B YangldquoPredicting network attack patterns in sdn using machinelearning approachrdquo in Proceedings of the 2016 IEEE Confer-ence on Network Function Virtualization and Software DefinedNetworks (NFV-SDN) pp 167ndash172 Palo Alto CA USANovember 2016

[10] B Kordy L Pietre-Cambacedes and P Schweitzer ldquoDAG-based attack and defense modeling donrsquot miss the forest forthe attack treesrdquo Computer Science Review vol 13-14pp 1ndash38 2014

[11] J B Hong D S Kim C-J Chung and D Huang ldquoA surveyon the usability and practical applications of graphical se-curity modelsrdquo Computer Science Review vol 26 pp 1ndash162017

[12] H Xu J Su X Zong and L Yan ldquoAttack identification forsoftware-defined networking based on attack trees and ex-tension innovation methodsrdquo in Proceedings of the 2017 9thIEEE International Conference on Intelligent Data Acquisitionand Advanced Computing Systems Technology and Applica-tions (IDAACS) vol 1 pp 485ndash489 Bucharest RomaniaSeptember 2017

[13] L Yao P Dong T Zheng H Zhang X Du and M GuizanildquoNetwork security analyzing and modeling based on petri netand attack tree for sdnrdquo in Proceedings of the 2016 Interna-tional Conference on Computing Networking and Commu-nications (ICNC) pp 1ndash5 Kauai HI USA February 2016

[14] A Roy D Kim and K Trivedi ldquoScalable optimal counter-measure selection using implicit enumeration on attackcountermeasure treesrdquo in Proceedings of the 42nd AnnualIEEEIFIP International Conference on Dependable Systemsand Networks (DSN 2012) pp 1ndash12 IEEE Computer SocietyLos Alamitos CA USA June 2012

[15] J Hong and D Kim ldquoPerformance analysis of scalable attackrepresentation modelsrdquo in Security and Privacy Protection inInformation Processing Systems (SEC 2013) L JanczewskiH Wolfe and S Shenoi Eds vol 405 pp 330ndash343 SpringerBerlin Germany 2013

14 Security and Communication Networks

[16] R Lippmann and K Ingols ldquoAn Annotated Review of PastPapers on Attack Graphsrdquo Technical report ESC-TR-2005-054 MIT Lincoln Laboratory Lexington MA USA 2005

[17] J B Hong and D S Kim ldquoTowards scalable security analysisusing multi-layered security modelsrdquo Journal of Network andComputer Applications vol 75 pp 156ndash168 2016

[18] K Ingols R Lippmann and K Piwowarski ldquoPractical attackgraph generation for network defenserdquo in Proceedings of the22nd Annual Computer Security Applications Conference(ACSAC 2006) pp 121ndash130 Miami Beach FL USA De-cember 2006

[19] Z Shu J Wan D Li J Lin A V Vasilakos and M ImranldquoSecurity in software-defined networking threats andcountermeasuresrdquoMobile Networks and Applications vol 21no 5 pp 764ndash776 2016

[20] M Albanese S Jajodia and S Noel ldquoTime-efficient and cost-effective network hardening using attack graphsrdquo in Pro-ceedings of the 42nd Annual IEEEIFIP International Con-ference on Dependable Systems and Networks (DSN 2012)IEEE Computer Society Los Alamitos CA USA June 2012

Security and Communication Networks 15