Upload
others
View
1
Download
0
Embed Size (px)
Citation preview
c o m p u t e r s & s e c u r i t y 7 8 ( 2 0 1 8 ) 3 2 1 – 3 3 5
Available online at www.sciencedirect.com
j o u r n a l h o m e p a g e : w w w . e l s e v i e r . c o m / l o c a t e / c o s e
Risk based S ecurity E nforcement in Software
Defined Network
Bata Krishna Tripathy
a , ∗, Debi Prasad Das
b , Swagat Kumar Jena
a , Padmalochan Bera
a
a School of Electrical Sciences, Indian Institute of Technology Bhubaneswar, India b Department of Computer Science and Engineering, National Institute of Technology Rourkela, India
a r t i c l e i n f o
Article history:
Received 5 March 2018
Revised 1 July 2018
Accepted 24 July 2018
Available online 31 July 2018
Keywords:
Software Defined Network (SDN)
Network control functions (NF)
Common Vulnerability Scoring
System (CVSS)
Vulnerability
Exposure
Threat
Risk
a b s t r a c t
Software Defined Network (SDN) paradigm provides intelligent and efficient management
of different network control functions (NF) depending on changes in traffic behavior, service
providers’ requirements and application context. However, the logical centralization of con-
trollers’ functions opens up challenges towards enforcing security perimeter over the under-
lying network and the assets involved. In this paper, we propose a risk assessment model for
pro-active secure flow control and routing of traffic in SDN. The proposed model determines
threat value of different SDN entities by analyzing vulnerability and exposure with respect
to Common Vulnerability Scoring System (CVSS). The risk of a given traffic is calculated
as cumulative threat values of the SDN entities that guides the flow and routing control
functions in generating secure flow rules for the forwarding switches. The efficacy of the
proposed model is demonstrated through extensive case studies of an enterprise network.
© 2018 Elsevier Ltd. All rights reserved.
1. Introduction
Software Defined Networking (SDN) is an emerging network-ing paradigm that allows intelligent and efficient manage-ment of network control functions. It allows execution of dif-ferent network control functions as a logically centralizedcontroller by decoupling them from the underlying forward-ing network ( Nishtha and Sood, 2014 ) consisting of variousnetwork devices, e.g., switches, routers, access points, etc. Thecontroller provides better flexibility and configuration controlto the users with easy and on-demand dynamic configura-tion of the network and its resources ( Ghodsi, 2011 ). The SDNmodel shown in Fig. 1 provides several benefits over the tra-ditional network such as (i) simple and reliable network, (ii)
∗ Corresponding author. E-mail addresses: [email protected] (B.K. Tripathy), [email protected]
https://doi.org/10.1016/j.cose.2018.07.010 0167-4048/© 2018 Elsevier Ltd. All rights reserved.
programmability feature, (iii) flexible device configuration andtroubleshooting, and (iv) virtualization of the network. Dueto these extensive features, Software Defined Networking hasattained significant attention to research community start-ing from academics to industries and has several applicationsin ranging from data centers to wide area networking, cloudcomputing, Internet of Things, Mobile Ad hoc Networking, cel-lular networking, etc. ( Kumar et al., 2015 ).
Software Defined Networking (SDN) enables efficientservice provisioning to end users from various enterpriseapplications based on Service Level Agreements (SLAs) anddynamic requirements in terms of policies by maintainingthe global view of the network. Among various SDN enabledcommunication protocol, the majority of the SDN applica-tions implement OpenFlow protocol ( OpenFlow White Paper )
(D.P. Das), [email protected] (S.K. Jena), [email protected] (P. Bera).
322 c o m p u t e r s & s e c u r i t y 7 8 ( 2 0 1 8 ) 3 2 1 – 3 3 5
Fig. 1 – A model of Software Defined Networking.
ttan
msnmwl
tSu
2ta
Te
t
Tbbh
atcdatta
pwrtbc
r
1
Ttswd
tgcd
A
sttpttmvtt
tSufl
it
sbetcs
nsct
o support necessary interaction between the controllers and
he switches as OpenFlow is a vendor-independent standard
nd hence allows for interoperability between heterogeneous etworking devices.
Despite the advantages provided by SDN, various perfor- ance and security challenges have been major concerns
ince its evolution. The performance and security issues those eed to be addressed for efficient deployment of SDN are the anagement of complex policies in a simple interface, net- orking delay, lack of standardized interfaces between SDN
ayers, load balancing, packet scheduling, etc. In addition,here exist various open problems to utilize the benefits of DN ( Jammal, 2014 ). The most important problems lie in: (i) sable, reliable and efficient network service offerings ( Kreutz,015 ); (ii) extensible control function execution platform with
he change in network size and requirements ( Metzler, 2012 ); nd (iii) end-to-end security enforcement to network services.he thrust of this paper is to provide a seamless solution for enforcing nd-to-end security in SDN .
A number of security solutions have been contributed by he research communities to address these security issues.hese vary from access control mechanisms to encryption- ased authentication schemes. On the other hand, a num- er of security approaches have been proposed to en- ance the SDN framework using middlebox architectures. In
ddition, few researchers focus on developing Intrusion De- ection System and Intrusion Prevention System to ensure se- urity in SDN. Whereas other classes of researchers aim at ifferent aspects of security approaches such as developing secure flow specification language, inspecting packet level hreats, certificate authentication etc. to detect various at- acks such as Denial of Service, Spoofing, Man-in-the-middle ttacks, etc.
However, the state-of-art SDN security solutions do not rovide an end-to-end secure flow of packets across the net- ork segments by assessing the behavior of the traffic with
espect to different SDN components as the internal architec- ure of SDN as well as the heterogeneous policy rules enforced
y distributed policy enforcing servers impose several security hallenges.
In the next subsection, we discuss the challenges of secu- ity enforcement in SDN with a motivating example.
.1. Motivation
he open user-control, ubiquitous execution of network func- ions and centralized control management introduce various ecurity threats in different levels of Software-Defined Net- ork architecture. The major security challenges in SDN are emonstrated with an example here.
Fig. 2 shows an SDN environment for a segment of an en- erprise network. Here, the Network Application Server (AP) enerates network access control and flow configuration poli- ies based on requirements and those policies are realized
ynamically in the corresponding network control functions.t the Northbound interface (controller-application interface),ecurity challenges with respect to giving permission to al- er the network policies to an application may cause harm
o the whole network. In this scenario, there is a potential ossibility of AP being compromised as it is exposed to ex- ernal users. This might lead to altering the policy rules for he network functions. As a result, the network functions
ight be realized incorrectly that may allow propagation of arious attacks across the network. These attacks can ex- end to Denial of Service (DoS), code injection, and hidden
unnel. Now, consider the scenario, where the flow control func-
ion is driven by the rules generated from Network Application
erver (AP) and Network Management Server (NMS). In such
biquitous computing scenarios, there is a possibility of con- icts amongst the flow rules generated by these servers. This,
n turn, might cause compromising the NMS by the AP leading o security and performance violations in the network.
The controller generates appropriate flow entries from the et of network policy rules and pushes them into the flow ta- les. An SDN cannot distinguish the flow entry of a newly gen- rated application from an older one. So, there is a possibility hat a new network policy generated by an application server an bypass and override the security policy predefined by the ecurity administrator.
Furthermore, there may be vulnerable applications run- ing in end hosts, controllers, and switches leading to various tate-of-art attacks. In addition, the attack paths may be reated across the network segment as the switches along the raffic route may have various open ports. In some cases, the
c o m p u t e r s & s e c u r i t y 7 8 ( 2 0 1 8 ) 3 2 1 – 3 3 5 323
Fig. 2 – A security threat scenario.
network traffic containing malware, trojan or spams originat-ing from corrupted hosts (due to vulnerabilities) might resultin compromised network functions that can be manifestedas different end-point attacks in the networks.
However, the existing security solutions for SDN do notsupport analyzing the behavior of the traffic with respect todifferent SDN components that may lead to various vulnera-bilities and risks that may have a huge impact on the organiza-tional assets. Therefore, an appropriate security enforcementmechanism needs to be introduced to pro-actively analyze therisks of traffics and creating strong isolation between the net-work functions. The main objective of this paper is to providean end-to-end security mechanism for SDN. The major contri-bution of our work lies in developing a novel network securityenforcement function for SDN based on risk assessment.
The proposed security function determines threat value ofdifferent SDN entities by analyzing vulnerability and exposurewith respect to Common Vulnerability Scoring System (CVSS)( Mell et al., 2006 ). The risk of a given traffic is calculated ascumulative threat values of the SDN entities that guides theflow controller in generating secure flow rules for the forward-ing switches.
The remainder of the paper is organized as follows. InSection 2 , we discuss the relevant works related to the secu-rity enforcement mechanisms in SDN. In Section 3 , we presentan overview of our proposed security enforcement functionsfor SDN briefly. In Section 4 , we discuss the Risk_Analyze func-tion in detail, that assesses the risk of different SDN entities
with respect to a given traffic request. Then, we evaluate ourproposed security enforcement functions with a case study inSection 5 . Finally, we conclude the paper in Section 6 .
2. Related work
Software Defined Network simplifies network deploymentand operation along with providing a programmable platformfor managing enterprise and carrier networks. However, withthe introduction of open interfaces in SDN and knowledge ofprotocols in different application programming interfaces, thedoor is thrown open to the attackers. A number of researchworks have been contributed in the area of security enforce-ment in Software Defined Networking environment.
The research communities focus on exploiting SDN to im-prove network security with dynamic detection and mitiga-tion of suspicious activity in a network. Kreutz et al. (2013) re-ported that the centralized nature of controller and the net-work programmability scope introduce new threats in SDN.Mehdi et al. (2011) propose the implementation of SDN toprovide better security in terms of intrusion detection in asmall enterprise environment. OpenSAFE ( Ballard et al., 2010 )addresses security issues for an arbitrary direction of traf-fic with a novel flow specification language, namely ALARMS.FRESCO ( Shin, 2013 ) presents a security application devel-opment framework with different security enabled modu-lar functions that implement python based flow monitoring
324 c o m p u t e r s & s e c u r i t y 7 8 ( 2 0 1 8 ) 3 2 1 – 3 3 5
aGm
tOhpbpieeaia
tirsdMtg
tso
2acdEic
DvdtftSfrwttsfgEc
ts
tpat
ewOt
(F(
n(ntf
ipeiat
2aigetFtS
samne
s
3f
Tmmcicttflrs
3
Imcfp
nd threat detection functions. FleXam ( Shirali-Shahreza and
anjali, 2013 ) facilitates packet level inspection to detect and
itigate security threats like botnet and worm propagation. In addition, various security issues of SDN itself have at-
racted the research communities. NICE ( Canini, 2012 ) secures penFlow Applications using intrusion detection with the elp of attack graphs based analytical models. However, such
ath exploration approaches do not cope well with extensi- le applications. FlowChecker ( Al-Shaer and Al-Haj., 2010 ) ex- loits FlowVisor ( Sherwood, 2009 ) to detect inconsistencies
n policies from multiple applications or the multi-controller nvironment. FLOVER ( Son et al.) deals with conflicting flow
ntries with predefined network policies using assertion sets nd modulo theories. FortNOX ( Porras, 2012 ) resolves conflicts n flow entry installation with role-based and signature-based
uthentication. Another class of researchers aims at developing encryp-
ion approach based security solutions for SDN. The authors n Lam et al. (2015) proposed an Identity-Based Cryptog- aphy (IBC) protocol based mechanism for ensuring secure outhbound and east/west-bound communication in a multi- omain distributed SDN environment. The work ( Natanzi and
ajma, 2017b ) presented a security solution in which the con- roller provides network information only for authorized pro- rams through a safe REST API ( Sohan et al., 2017 ) based onhe NTRU algorithm ( Hoffstein et al., 1998 ) and the NSS digital ignature ( Hostein et al., 2000 ). By analyzing various threats riginating from different SDN layers, the literature ( Shi et al.,017 ) presented a different SDN security framework based on
ttribute-based encryption that enables an improved access ontrol method. Another work ( Natanzi and Majma, 2017a ) eveloped a different authentication scheme by using the lliptic Curve Cryptography on the basis of PKI certificate ver- fication for ensuring a secure communication in distributed
ontroller environment. Gabriel et al. (2014) proposed a technique for handling
istributed Denial of Service (DDoS) attack in an SDN en- ironment, by assessing risk through the means of a cyber- efense system. HiFIND ( Li et al., 2010 ) is a highly secured
echnique that prevents SDN platform from DDoS attacks or high-density data packets providing protection to cus- omers and service provider. SN-SECurity Architecture (SN- ECA) ( Bernardo and Chua, 2015 ) presents a formal security ramework that integrates and validates different security pa- ameters in the SDN/NFV design and implementation. The ork in Wang et al. (2017) presented a detect and defense con-
rol function called as SDN sEcure COntroller (SECO) to pro- ect against Denial of Service (DoS) attack originating from
witches or hosts. SECO uses the switch port statistics per- ormance and the attack source positioning feature from the lobal view of the network for this purpose. The authors in
taiwi et al. (2017) proposed a security scheme for SDN that onsists of different components, i.e., a mapping algorithm,ake-over process, synchronization messages, heartbeat mes- ages, and protective mode to prevent against DoS attack.
Avant guard in literature ( Shin et al., 2013 ) uses connec- ion migration and actuating triggers as security features to rovide security between the forwarding and control plane long with improving the response rate of the controller to he forwarding plane traffic requests. The authors in Kloti
t al. (2013) proposed a model to analyze the potential threats hen data plane communicates with the controller using the penFlow protocol using STRIDE ( Shawn et al., 2015 ) and at-
ack trees to detect various attacks. The authors in Yao et al.2016) proposed a different approach to analyze and model orwarding and Control planes Separation Network Structure FCSNS) in SDN based on STRIDE ( Shawn et al., 2015 ), Petriet, and Attack tree models. In another work, Controller DAC
Tseng et al., 2017 ) presented a controller-independent dy- amic access control scheme to ensure protection of SDN con-
rollers against malicious access by applications through dif- erent APIs (east/westbound and north/southbound).
On the other hand, few researchers focused on develop- ng security middle-boxes for SDN execution platform accom- lishing its programmability feature. Slick framework ( Anwer t al., 2013 ) presents a centralized controller for implement- ng and migrating functions onto customized middle-boxes llowing applications for routing security requirements based
raffic request. FlowTags architecture ( Fayazbakhsh et al.,013 ) is another minimally modified middle-box that inter- cts with an SDN controller through a FlowTags (traffic flow
nformation embedded in packet headers) Application Pro- ramming Interface (API). Another work, the SIMPLE policy nforcement layer ( Qazi et al., 2013 ) requires no modification
o middlebox or SDN in contrast to Anwer et al. (2013) and
ayazbakhsh et al. (2013) . However, middlebox security solu- ions incur significant overhead for security enforcement in
DN. However, the state-of-art security mechanisms do not en-
ure end-to-end security enforcement with the systematic nalysis of real-time and heterogeneous traffic, and assess- ent of the behavior of different SDN entities. Our proposed
etwork security enforcement functions will effectively and
fficiently address these problems. In the next section, we present an overview of our proposed
ecurity enforcement mechanism for SDN.
. Proposed security enforcement framework
or SDN
his section presents our proposed SDN security enforce- ent framework. We propose a novel security enforce- ent function called Risk_Analyze that along with the policy
ontrol functions: Trust_Verify, Policy_Conflict_Resolve and Pol- cy_Consistency_Check ( Tripathy, 2016 ) provides end-to-end se- urity in SDN. Here, the main emphasis of the paper is on
he Risk_Analyze function. Fig. 3 shows the overall architec- ure of the SDN control functions and the process of traffic ow through these functional modules. The proposed secu- ity enforcement functions are briefly discussed in following ubsections.
.1. Trust_Verify
n SDN, different network application servers and manage- ent servers generate policy rules for different network appli-
ations dynamically as per the requirements. The Trust_Verify unction ( Tripathy, 2016 ) checks the following properties of the olicy enforcing servers and certifies them.
c o m p u t e r s & s e c u r i t y 7 8 ( 2 0 1 8 ) 3 2 1 – 3 3 5 325
Fig. 3 – Proposed risk based security enforcement framework for SDN.
• The certificate has been issued by a valid certificate author-ity (CA).
• The certificate has not been expired (or been revoked). • The names listed in the certificate match the domain
names.
In addition, it performs verification of PKI (Public KeyInfrastructure) certificate and trust of the links (inter-faces/ports). Hence, the Trust_Verify function ensures defenseagainst security violations through any compromised applica-tion or management server. The detailed algorithm is demon-strated in our previous work ( Tripathy, 2016 ).
3.2. Policy_Conflict_Resolve
Policy_Conflict_Resolve function ( Tripathy, 2016 ) detects the po-tential conflicts between the heterogeneous policy rules re-ceived by SDN control plane using pattern matching and re-solves them by using the concept of rule override. The over-
ride function uses artificial intelligence based algorithms toresolve the conflicts between heterogeneous policies. ThePolicy_Conflict_Resolve function manages these heterogeneousconflicts by prioritizing the levels of administrators in corre-spondence to different Application and Management Serversbased on their roles. For example, a Network ManagementServer (NMS) usually has higher priority than an ApplicationServer (AP) to serve the traffic as per the requirements. Hence,policy rules set by NMS overrides the policy rules set by AP. Thedetailed algorithm is presented in our previous work ( Tripathy,2016 ).
3.3. Policy_Consistency_Check
SDN platform supports dynamic changes in the applicationlayer by different administrators in the form of requirementsor high-level Service Level Agreements (SLAs). The changesmay be due to altering existing policies, adding or remov-ing policies, installing or removing applications, etc. So, if any
326 c o m p u t e r s & s e c u r i t y 7 8 ( 2 0 1 8 ) 3 2 1 – 3 3 5
pitt
vtocct
3
Tieefi(mme
ivitte
fi
2Rgs
4f
TSRo
lttnv
wlnt
tpp
Fig. 4 – Parsing CVE values from NVD and storing as CVS
values in local vulnerability database for risk assessment.
tT
e
ntupsrpc
Tra
Xtsas
ttOoidt
dtcpicos
olicy is modified in the application layer, it must be reflected
n the flow tables of the data plane switches in order to adapt o the changes in requirements and to allow correct propaga- ion of traffic across the network.
The Policy_Consistency_Check function proposed in our pre- ious work ( Tripathy, 2016 ) detects the inconsistency between
he application layer and data layer. It checks the satisfiability f the existing flow rules in the SDN switches and the updated
onflict-free policy rule sets. This process is triggered by any hange in the Policy repository and at each packet arrival in
he SDN switches.
.4. Risk_Analyze
he three secure control functions, i.e., Trust_Verify, Pol- cy_Conflict_Resolve , and Policy_Consistency_Check compositely nable secure and efficient policy enforcement in SDN. How- ver, there is possibility of security breaches due to miscon- gurations, vulnerabilities, and backdoors in different entities
i.e., compromised end hosts, compromised switches, and compro- ised controller ). Our proposed Risk_Analyze first extracts threat odels for different entities for a given traffic request consid-
ring vulnerability and exposure of each of the entities. Then,t calculates the overall risk of the corresponding traffic in- olved using the weighted sum of the threat values and crit- cality of the traffic request. The calculated risk measures for he related traffic are fed to the routing and flow control func- ions for generating correct routing and flow rules. This will nsure secure flow and routing of traffic in SDN.
We have already discussed the three policy control unctions, i.e., Trust_Verify, Policy_Conflict_Resolve , and Pol- cy_Consistency_Check in details in our previous work ( Tripathy,016 ). The main thrust of this paper lies in developing isk_Analyze function that ensures end-to-end security for a iven traffic request in SDN environment. The next section de- cribes our proposed Risk_Analyze function in detail.
. Risk_Analyze : the risk assessment function
or SDN
his section explains our proposed risk assessment model for DN using the Risk_Analyze function in detail. Our proposed
isk_Analyze function considers the following parameters in
rder to assess the risk of various types of traffic. (a) Vulnerability : It is defined as a software and hardware
evel weakness in the network entities, which may allow an at- acker to reduce the information assurance of the entities and
he underlying network (Vulnerability) . We use Common Vul- erability Scoring System (CVSS) ( Mell et al., 2006 ) for defining ulnerability of the network entities.
(b) Exposure : It is defined as the state or condition of a net- ork being unprotected and open to the risk of suffering the
oss of information (Exposure) . We determine the threat of a etwork entity as the ratio of the potentially unprotected por- ion of the entity to the total entity size.
(c) Threat : Threats are potential events for vulnerabilities hat might lead to exposure of the network and adversely im- act the organizational assets (Threat) . Vulnerability and ex- osure of an entity are used to determine its threat value.
(d) Risk : It is a qualitative measure of potential security hreat and its impact on the network ( Cybersecurity Risk: A
horough Definition ). The Common Vulnerability Scoring System (CVSS) ( Mell
t al., 2006 ) plays an important role for risk assessment of theetwork entities in order to ensure secure flow of traffic across he network segment. The proposed risk assessment module ses a data structure called vulnerability database for this pur- ose. The vulnerability database is a local repository (offline) tored in the controller and is periodically updated with the ecent Common Vulnerability Score (CVS) values of the ap- lications or protocols or services running in different SDN
omponents or entities (controller, end hosts, and switches).he CVS values are computed by extracting necessary met- ics from online National Vulnerability Database (NVD) using script (python).
The recent vulnerability values available in NVD are in
ML format that contains two standard scores: V2 and V3 in
he form of Common Vulnerability and Exposure (CVE) mea- ures. The detailed process of parsing CVE values from NVD
nd storing in local vulnerability database as CVS values in- ide the controller is explained in Fig. 4 . It is to be notedhat in the vulnerability database, there exists exactly one en- ry of CVS value for an application with its version and the perating System platform as it is the updated CVSS value f the application parsed from NVD’s recent XML file us-
ng the script. The structure of an entry in the vulnerability atabase is 〈 Application / service / protocol, Version, Operating sys- em, CVS value 〉 .
Generally, the V3 standard is an improvement over V2 stan- ard as V3 considers the context of attacker’s access rights o read/write/execute to exploit the vulnerability and physi- al manipulation of the affected components. Hence, our pro- osed risk assessment module uses the V3 version of CVE as
ts CVS value for necessary risk assessment for secure pro- essing and flow a given traffic request. However, for some lder vulnerabilities there exist only V2 values in NVD. In
uch case, the CVS value for a vulnerability is calculated in
c o m p u t e r s & s e c u r i t y 7 8 ( 2 0 1 8 ) 3 2 1 – 3 3 5 327
Table 1 – Transformation of V2 metrics and their values for CVS computation.
V2 metric Value Transformed
metric Value
Base metrics Exploitability group Access vector Local: 0.395 Attack vector Local: 0.55
Adjacent network: 0.646 Adjacent: 0.62 Network: 1.0 Network: 0.85
Access complexity High: 0.35 Attack complexity High: 0.44 Medium: 0.61 Medium: 0.62 Low: 0.71 Low: 0.77
Authentication Multiple: 0.45 Privileges required High: 0.27 Single: 0.56 Low: 0.62 None: 0.704 None: 0.85
Impact group Confidentiality, integrity, and availability
None: 0.0 Confidentiality, integrity, and availability
None: 0.0
Partial: 0.275 Low: 0.22 Complete: 0.66 High: 0.56
Temporal metrics Exploitability Unproven: 0.85 Exploitability Unproven: 0.91
Proof-of-concept: 0.9 Proof-of-concept: 0.94 Functional: 0.95 Functional: 0.97 High: 1.0 High: 1.0
Remediation level Official fix: 0.87 Remediation level Official fix: 0.95 Temporary fix: 0.90 Temporary fix: 0.96 Workaround: 0.95 Workaround: 0.97 Unavailable: 1.0 Unavailable: 1.0
Report confidence Unconfirmed: 0.90 Report confidence Unknown: 0.92 Uncorroborated: 0.95 Reasonable: 0.96 Confirmed: 1.0 Confirmed: 1.0
Environmental metrics General Modifiers Collateral damage
potential None: 0 Attack vector None: 0
Low (light loss): 0.1 Physical: 0.2 Low-medium: 0.3 Local: 0.55 Medium-high: 0.4 Adjacent network: 0.62 High (catastrophic loss): 0.5 Network: 0.85
Target distribution None: 0 Attack complexity None: 0 Low: 0.25 Low: 0.77 Medium: 0.75 Medium: 0.62 High: 1.0 High: 0.44
Impact subscore modifier Confidentiality, integrity, and availability requirements
Low: 0.5 Confidentiality, integrity, and availability requirements
Low: 0.5
Medium: 1.0 Medium: 1.0 High: 1.51 High: 1.5
(
two steps from the available V2 metrics in NVD as discussedbelow.
(i) Step 1 – transformation of V2 metrics: In order to compute the overall vulnerability value, CVSSconsiders certain metrics that define the hardware, soft-ware and network level vulnerabilities. The V2 version dif-fers from the V3 version in terms of the metrics and theirvalues considered for overall vulnerability score computa-tion. However, for some older vulnerabilities, V3 value isnot available in the NVD. In this scenario, the CVS valuefor a vulnerability in our solution is estimated from theV2 metrics available in the XML file by appropriately trans-forming the metrics and their values as shown in Table 1 .
The transformation is performed as per the CVSS V2 andCVSS V3 standards. These metrics after the transformation process are thenused for the necessary CVS computation in the proposedmechanism. The estimation of CVS value for a vulnerabil-ity is performed as explained below in the subsequent step.
ii) Step 2 – calculation of CVS values: The CVS value for a vulnerability is determined from thedesired metrics obtained in the previous step, using thestandard equations for the overall V3 version of CVSS com-putation ( CVSS V3 ) with optimization in order to minimizethe overhead of the CVS computation process. The proce-dure of the overall CVS value calculation is illustrated inFig. 5 .
328 c o m p u t e r s & s e c u r i t y 7 8 ( 2 0 1 8 ) 3 2 1 – 3 3 5
Fig. 5 – CVS computation of vulnerabilities from the transformed metrics in case of nonavailability of V3 value in NVD.
Tmwt
dv
t
mt
tD
4
Tewi
he entities of the Software Defined Network architecture ight be the potential sources of vulnerabilities in the net- ork ( Prasad et al., 2015 ). In this paper, we have considered
he following SDN entities for risk assessment.
• compromised end hosts • compromised switches • compromised controller
In our Risk_Analyze function, we extract threat models for ifferent entities with respect to a given traffic request using ulnerability and exposure analysis of those entities. Then,he overall risk of a given traffic request is calculated as cu-
ulative threat values of the SDN entities and criticality of he traffic request.
The following subsections illustrate the threat model and
he risk assessment model for different entities of Software efined Network.
.1. Threat model for SDN entities
his subsection presents the threat model for different SDN
ntities for a specific traffic request. The threat associated
ith different SDN entities are modeled using the vulnerabil- ty and exposure of the entities as follows.
c o m p u t e r s & s e c u r i t y 7 8 ( 2 0 1 8 ) 3 2 1 – 3 3 5 329
V
V
V
4.1.1. Threat model for an end host The threat level of an end host is modeled using the vulner-ability and exposure of the host. The model is presented asfollows.
(i) Vulnerability of an end host : A number of vulnerable appli-cations such as FTP, RSH, nmap etc. may be running in an endhost for processing a specific traffic request. The vulnerabilityof an end host V h is calculated as the average of the CommonVulnerability Scores (CVS) of all the applications running onthe host extracted from the vulnerability database, i.e.,
h =
1 10
∗∑ k
i =1 CVS i k
(1)
where h ε{ x, y }. Here, x and y are the source and destinationhosts, respectively. CVS i is the Common Vulnerability Score ofthe i th application running in the host h , and k is the numberof applications running in the host. The average value of theCVS of all applications is divided by 10 in order to normalizethe value of V h to 1 as the CVS of the applications lie between0 to 10.
(ii) Exposure of an end host : The exposure of an end host E his determined considering the number of hosts that may beaffected because of the vulnerability in the target end host.Hence, it is computed as,
E h =
n N
(2)
where n is the number of hosts communicating with the targethost and N is the total number of hosts in the network.
(iii) Threat value of an end host : Threat value of an end-host τh
is calculated as a product of vulnerability and the exposure ofthe end host for a traffic request t . Mathematically it is definedas follows.
τh = V h ∗ E h (3)
τh lies between 0 and 1. τh = 1 indicates the entity has highrisk of being compromised.
Similarly, we can define threat model for switches and con-troller with respect to a given traffic request.
4.1.2. Threat model for a switch
The threat model for an SDN switch is assessed using its vul-nerability and exposure analysis as follows.
(i) Vulnerability of a switch : The vulnerability of a switch V s
is determined as the ratio sum of the Common VulnerabilityScores (CVS) of the protocols running on the switch. For exam-ple, protocols are Multiprotocol Label Switching (MPLS) proto-col, Label Distribution Protocol (LDP), etc. Our model can flex-ibly accommodate any new protocol used in switches. Mathe-matically, it is determined as,
s =
1 10
∗∑ q
i =1 CVS i q
(4)
where CVS i is the Common Vulnerability Score of the i th pro-tocol running on the switch s (0 ≤ CVS i ≤ 1), and q is the num-ber of protocols running on the switch s . Similar to determin-ing the value of V h , the ratio sum of the CVS of all protocols
running on the switch is divided by 10 so as to normalize thevalue of V s to 1.
(ii) Exposure of a switch : Exposure of a switch E s is definedusing the probability of malfunctioning involved with an ac-tive connection and total number of ports on that switch. E s iscalculated as,
E s =
x p ∗ (1 − x ) P−p
P (5)
where p is the number of active connections, P is the totalnumber of ports on the switch and x is the probability of anactive port getting malfunctioned. For standard ports, i.e., [0–1023], x is varied between 0 and 0.5. On the other hand, forvarious application specific non-standard ports, 0.5 < x ≤ 1. Forexample, for running FTP application on standard ports suchas 989 and 990, we use x = 0 . 3 whereas for running the sameFTP application on a non-standard port such as 4901, we con-sider x = 0 . 6 .
(iii) Threat value of a switch : Vulnerability and exposure of aswitch are used to determine its threat value. Threat value τ s
of a switch s is determined as,
τs = V s ∗ E s (6)
In addition, the proposed model determines the threatvalue of a traffic route. An access route r ( x, y ) is defined as asequence of switches < s 1 , s 2 , . . . , s m
> from source host x todestination host y in the network, where Inter face (s i , s i +1 ) = T and reachable (x, y ) = T . Threat value τ r of the route r associ-ated to a traffic t is calculated using the threat values of theswitches along that route as follows.
τr =
∑ m
i =1 τs i
m
(7)
where m is the number of switches in the access route r . Thethreat value of a route lies between 0 and 1.
4.1.3. Threat model for network controller The threat model for an SDN controller is evaluated using thevulnerability and exposure analysis of the control functions inthe SDN control plane as follows.
(i) Vulnerability of a controller : A controller may run variousnetwork control functions such as Load Balancing, AnalysisEngine, Control-Plane MainApp, etc. Hence, the vulnerabilityV c of a controller c is estimated using the mean of CommonVulnerability Score (CVS) of the control functions running onit. If CVS i is the Common Vulnerability Score of the i th controlfunction running on the controller c , and j is the number ofprotocols running on the controller c , then V c is calculated as,
c =
1 10
∗∑ j
i =1 CVS i j
(8)
Similar to Eqs. (1) and (4) , V c is normalized so that its valuelies between 0 and 1 as the CVS of the control functions run-ning the controller lie between 0 to 10. The proposed modelcan be extended to include any new control functions.
(ii) Exposure of a controller : Exposure of a controller E c is de-fined as the ratio between the number of dependent network
330 c o m p u t e r s & s e c u r i t y 7 8 ( 2 0 1 8 ) 3 2 1 – 3 3 5
ftn
E
fv
τ
ct
4
Omsi
a
A
1
1
1
1
1
1
1
1
1
1
2
pfi
hcSs
w
a
Table 2 – Risk assessment model of SDN.
Traffic criticality Total threat value
≤ 0.39 0.4–0.69 ≥ 0.7
H M H C
M L M H
L L L M
Note: C – Critical, H – High, M – Medium and L – Low.
i
w
b
i
i
capipphct
t
ssi
w
Rtfs
Tas
eb
5
Trssat
unctions ( l ) (as execution of the control functions depend on
he output of other control functions) and the total number of etwork functions ( L ). Mathematically, it is calculated as,
c =
l L
(9)
(iii) Threat value of a controller : Threat value of a controller τ c
or a given traffic request t is determined as the product of its ulnerability and exposure measures, i.e.,
c = V c ∗ E c (10)
The threat value of a controller lies between 0 and 1. The following subsection illustrates the Risk_Analyze that
alculates the risk for a given traffic request as the cumulative hreat values of the different SDN entities.
.2. Risk_Analyze
ur proposed risk assessment model first evaluates threat odel for different SDN entities as discussed in the previous
ubsection. Then, the overall risk measure τ t of a given traffic t s calculated as the cumulative threat values of the end hosts,ccess route and the control functions involved. Algorithm 1
lgorithm 1 Risk_Analyze algorithm.
1: procedure Risk_Analyze 2: for each traffic t do 3: analyze packet header 4: Entity set E= { x, y, r, c } and Route 5: r = { s 1 , s 2 , . . . , s m
} 6: for each entity i ∈ E− { r } do 7: find V i
8: find E i 9: calculate τi = V i * E i 0: end for 1: for each switch s ∈ r do 2: find V s
3: find E s 4: calculate τs = V s * E s 5: end for 6: calculate τr =
∑ m i =1 τs i m
7: calculate τt = w x * τx + w y * τy
8: + w r * τr + w c * τc
9: end for 0: end procedure
resents the risk assessment procedure associated with a traf- c.
Algorithm 1 uses weights: w x , w y , w r , and w c for sourceost x , destination host y , access route r , and the controller , respectively, in order to consider the criticality of each
DN entity. w r is the sum of weights of all the switches <
1 , s 2 , . . . , s m
> along the route r .
r = w s 1 + w s 2 + · · · + w s m (11)
These weights are selected based on criticality of the nodes nd should be chosen such that their sum must be equal to 1.
.e.,
x + w y + w r + w c = 1 (12)
Total threat value τ t associated with a traffic t always lies etween 0 and 1.
The threat value ( τ t ) associated to a traffic t and its critical-ty ( I t ) are used to define the risk ( R t ) of the traffic. The critical-ty of the traffic can be High (H), Medium (M) or Low (L). Theriticality of a traffic depends on the impact of the traffic in
specific application context. For example, in a Banking ap- lication, transactions have high impact and hence have High
mportance whereas the generation of logs has medium im- act leading to Medium importance. On the other hand, sim- le query processing has low impact in the context and hence ave low importance. So, we consider three different traffic riticality levels; i.e., High (H), Medium (M) and Low (L), respec- ively, for these three types of traffic.
The mapping function for assessing the risk of a specific raffic is expressed as:
f : τt × I t −→ R t (13)
Table 2 shows the Risk assessment model of SDN with re- pect to the criticality of the traffic and threat level with re- pect to the specific traffic. For example, if criticality of a traffic s High (H) and its threat value is 5.5, then the risk associatedith the traffic is High (H).
The calculated risk measures determined by the proposed
isk_Analyze function, are used in the flow and routing con- rol functions to extract an optimal route with minimal risk or the given traffic request. This process is executed recur- ively until an optimal route with minimal risk is found.hen, the flow rule with this route and other flow attributes re populated in the flow tables of corresponding forwarding witches.
In the next section, we demonstrate our proposed security nforcement function with an extensive case study of an SDN
ased enterprise network.
. Experimental results: case study
his section presents the performance of our proposed secu- ity enforcement functions with a case study. Fig. 6 shows a egment of an SDN based large enterprise network with four ubnets corresponding to different departments, i.e., Research
nd Development (R & D), Finance, Sale, and Customer Rela- ionship (CR). The underlying SDN platform executes a set of
c o m p u t e r s & s e c u r i t y 7 8 ( 2 0 1 8 ) 3 2 1 – 3 3 5 331
Fig. 6 – A segment of an enterprise network.
control functions such as Wireshark, mainApp, OpenSSL, etc.inside the controller. The end hosts run applications FTP, RSH,nmap etc. In addition, the switches run protocols, e.g., MPLS,LDP, etc.
The requirements on various network traffic are stated asfollows:
Req 1 : All outbound traffic from CR department should gothrough Proxy server (PS).
Req 2 : All traffic from employees of R & D working outsideshould be served through Virtual Private Network (VPN) withhigh bandwidth.
Req 3 : Any incoming traffic to R & D and Finance should beforwarded through policy check and security compliance.
Req 4 : Any outbound traffic from R & D and Finance shouldguarantee high bandwidth and availability.
Req 5 : Customers should be able to communicate to CRthrough a secure channel and remote shell service (RSH). Letthey connect through port number 8091.
Req 6 : The employees of Finance and Sale should performfile transfer or transaction with proper authentication.
Req 7 : All traffic related to financial transaction from Fi-nance to employees of R & D should be authenticated.
In order to process the traffic requests with respect to theserequirements, the SDN controller must ensure secure flowof traffic across the network segment. The next subsectionpresents the efficacy of our proposed risk assessment modelwith different test cases considering the above-mentioned re-quirements.
5.1. Efficacy of the security control functions
We have implemented our proposed security enforcementcontrol functions in mininet simulator ( Mininet Documenta-tion ) with OpenFlow controller ( OpenFlow White Paper, Open-Flow Specification ). We have generated different traffic withvarying traffic rates from 10 traffic per sec (TPS) to 100 traf-fic per sec (TPS). Our proposed functions Trust_Verify, Pol-
icy_Conflict_Resolve, Policy_Consistency_Check , and Risk_Analyzeare applied on these traffic to generate secure flow and routingcontrol rules.
In order to process the traffic requests as per the above-mentioned requirements, our proposed risk assessmentmodel first extracts the CVS scores or values of various relatedapplications, protocols, and services running in different lay-ers of the network from local vulnerability database. Table 3shows the CVS scores of some of the applications, protocols,and services running in different components of the SDN en-vironment under test with their vulnerability details. For ex-ample, OpenSSL v1.0.2b is a network control function runningin the controller and has CVS score 5.9 that leads to confiden-tiality violation. On the other hand, nmap service running onend host with Android 6.1 Operating system has CVS score 7.8and has impact like DoS attack, Arbitrary controller code ex-ecution. Similarly, LDP is a protocol running on an OpenFlowswitch has CVS value 7.5.
Based on the CVS Score of the related applications, proto-cols and services with respect to a given traffic request theRisk_Analyze function determines the threat model for differ-ent SDN entities. The overall threat value is calculated as thecumulative threat values of the SDN entities. Finally, the riskof the specific traffic request is determined with respect to thefinal threat value and the criticality of the traffic. These riskmeasures guide the flow and routing controller to decide theflow rules (routing path along with other flow attributes) to bepopulated in the flow tables of the switches.
Table 4 shows the results of Risk_Analyze function for fewsample traffic requests taken as test cases. For example, thetraffic request t 1 associated to Req 1 has medium risk withroute r 1 and low risk with route r 2 . Hence, the routing pathdecided by the flow and routing control function is r 2 . Simi-larly, the traffic request t 2 associated to Req 2 has high risk withroute r 1 and medium risk with route r 2 . Therefore, the route r 2is chosen for traffic t 2 . The abbreviations used in the Table 4 areas follows.
332 c o m p u t e r s & s e c u r i t y 7 8 ( 2 0 1 8 ) 3 2 1 – 3 3 5
Table 3 – Common Vulnerability Score (CVS) of applications/services/protocols.
Applications/ Services/ Protocols
version Operating System
Bug details CVE id (online NVD) ( National Vulnerability Database )
Vulnerabilities CVS (local Vulnerability database)
OpenSSL 1.0.2b Cisco NX-OS 6.0 Internal bug – “error state” mechanism
with direct call of SSL_read() or SSL_write() functions
CVE-2017-3737 Confidentiality violation
5.9
Wireshark 2.2.11 Cisco NX-OS 6.0 Internal bug –improper use of new line characters in File_read_line function
CVE-2017-17935 DoS attack 7.5
RSH NA Linux compatibility with fileio.c in Vim
8.0.10
CVE-2017-17087 Obtaining root/admin privileges
5.5
SSL NA Linux Lack of server’s host name verification with subjectAltName field in X.509 certificate
CVE-2017-1000209 Man-in-the-middle attack, spoofing
5.9
VPN NA Linux Bug in the web-based management interface of Cisco Adaptive Security Appliance (ASA) Software
CVE-2017-12265 Arbitrary web script injection
6.1
nmap NA Android 6.1 elevated privilege vulnerability in System Server in Android
CVE-2016-6707 DoS attack, arbitrary controller code execution
7.8
FTP Light FTP v1.1
Windows Buffer overflow in the “writelogentry”function
CVE-2017-1000218 DoS attack, arbitrary controller code execution, and obtaining root/admin privileges
9.8
MPLS NA Cisco NX-OS 6.0 Bug in Cisco Carrier Routing System
(CRS) 5.1 for processing IPv6-over-MPLS packets
CVE-2016-6401 DoS attack, arbitrary web script injection
5.3
LDP NA Cisco NX-OS 6.0 infinite loop due to a bug in print-lldp.c function of LLDP parser of tcpdump 4.9.1
CVE-2017-12997 DoS attack, malicious code execution
7.5
MainApp NA Cisco NX-OS 6.0 hardcoded credentials for TELNET and SSH
sessions
CVE-2016-1329 Obtaining root/admin privileges
9.8
s
• C – Critical, H – High, M – Medium, and L – Low. • CR – Customer Relationship, and R & D – Research and De-
velopment. • AS – Access Switch, DS – Distribution Switch, CS – Core
Switch, BR – Border Router, FW – Firewall, IDS – Intrusion
Detection System, PS – Proxy Server, and DNS – Domain
Name Server.
Table 5 shows the statistics of the output of the proposed
ecurity enforcement functions in SDN with respect to the
c o m p u t e r s & s e c u r i t y 7 8 ( 2 0 1 8 ) 3 2 1 – 3 3 5 333
Table 4 – Result of the Risk_Analyze function.
Traffic Criticality Route Risk Selected route
t 1 ⇔ Req 1 L r 1 : CR − AS 3 − DS 1 − CS 0 − F W − BR − Int ernet M r 2 r 2 : CR − AS 3 − DS 1 − IPSec − CS 1 − PS − BR − Int ernet L
t 2 ⇔ Req 2 M r 1 : Internet − BR − CS 1 − PS − DS 0 − AS 0 − R & D H r 2 r 2 : Internet − BR − F W − CS 0 − DNS − IDS − DS 0 − AS 0 − R & D M
t 3 ⇔ Req 3 H r 1 : Internet − BR − CS 1 − DS 0 − Finance H r 2 r 2 : Internet − BR − F W − CS 0 − DNS − IDS − DS 0 − Finance M
t 4 ⇔ Req 4 M r 1 : R & D − AS 0 − DS 0 − IDS − CS 0 − DNS − F W − BR − Int ernet H r 2 r 2 : R & D − AS 0 − DS 0 − CS 1 − PS − BR − Int ernet M
t 5 ⇔ Req 5 L r 1 : Internet − BR − CS 1 − PS − IPSec − DS 1 − AS 3 − CR M r 2 r 2 : Internet − BR − F W − CS 0 − DNS − DS 1 − AS 3 − CR L
t 6 ⇔ Req 6 H r 1 : Finance − AS 1 − DS 0 − IDS − CS 0 − DS 1 − AS 2 − Sales H r 2 r 2 : Finance − AS 1 − DS 0 − CS 1 − IPSec − DS 1 − AS 2 − Sales M
t 7 ⇔ Req 7 H r 1 : Finance − AS 1 − DS 0 − IDS − AS 0 − R & D M r 1 r 2 : Finance − AS 1 − DS 0 − AS 0 − R & D C
Table 5 – Output of proposed security enforcement func- tions.
TREQ CNF BLK CONS RISK
15 5 3 2 25 30 16 3 2 40 50 30 10 12 70 100 60 20 25 160
Fig. 7 – Execution time of the proposed network security
functions w.r.t. traffic rate.
total number of traffic requests. The abbreviations TREQ, CNF,BLK, CONS, RISK in the table indicate the number of trafficrequests, number of conflicts detected and resolved, num-ber of applications blocked, number of inconsistencies iden-tified between existing flow rules and updated policy rules,and number of risks mitigated respectively. Our previous work( Tripathy, 2016 ) already discusses the number of conflicts de-tected, potential compromised applications blocked, and thenumber of inconsistencies resolved for a specific traffic re-quest. In this paper, we determine the number of potentialrisks associated with a given traffic request. The number ofrisks in this context means the number of vulnerabilities de-termined to have either one of the risk values: Low, Medium,High or Critical associated with a specific traffic request. Therecan be more than one vulnerabilities related to a given trafficrequest in this case. While finding the overall vulnerability ofend hosts, switches and controllers respectively in Eqs. (1) , ( 4 )and ( 8 ) for a specific traffic request, we maintain a data struc-ture to keep track of the individual vulnerabilities associatedto the applications with their risk levels. The same is reportedwith their impact with respect a specific traffic request andthe risks of different levels are mitigated appropriately.
The efficacy of our proposed security functions is eval-uated in terms of execution time with varying traffic rate.Fig. 7 shows the execution time for different security enforce-ment functions. In our previous work ( Tripathy, 2016 ), we al-ready observed that, the execution time of Trust_Verify and Pol-icy_Consistency_Check functions almost remains constant withincrease in traffic rate. On the other hand, the execution timeof Policy_Conflict_Resolve function increases quadratically withthe increase in traffic rates as reported in Tripathy (2016) . This
is due to increase in the number of policy and flow controlrules with the increase in traffic rate. In this paper, we eval-uate the execution time of Risk_Analyze function and reportthat it increases almost linearly with the increase in trafficrate. This is due to the use of a fixed threat model with a spe-cific number of parameters used (vulnerability, exposure, andtraffic criticality).
It is observed that the overall execution time of our pro-posed security enforcement functions lies within 2 s for traf-fic rate of 100 TPS that imply that these functions incur lessoverhead and is considerably reasonable for any kind of net-work. Our proposed functions incorporated in the SDN con-trol plane ensures end-to-end secure transmission of pack-ets across the network control execution environment andthereby strengthens the security perimeter over the underly-ing network.
In future, we plan to extend our proposed security enforce-ment functions for heterogeneous network environmentswith varying requirements and application context. In addi-tion, sensitivity analysis will be incorporated in the proposed
334 c o m p u t e r s & s e c u r i t y 7 8 ( 2 0 1 8 ) 3 2 1 – 3 3 5
sv
2oet
6
Tftwpcoltrttrbassnw
R
A
A
A
B
B
C
C
C
E
E
F
G
G
H
H
J
K
K
K
K
L
L
M
M
M
M
N
ecurity solution as it helps in identifying the sources of the ulnerabilities in the system. Sensitivity ( Younis and Malaiya,015 ) is mathematically defined as the ratio of the number f correctly predicted vulnerabilities those may be potentially xploitable to the number of actually exploitable vulnerabili- ies.
. Conclusion
he Software Defined Network (SDN) paradigm might suffer rom various security threats due to its inherent characteris- ics such as open user-control, ubiquitous execution of net- ork functions and centralized control management. In this aper, a risk assessment model is proposed where the core omponent, i.e., the Risk_Analyze function analyzes the risk f a specific traffic request based on the threat models of re-
ated SDN entities. Then, these risk values are communicated
o flow and routing control function for generating secure flow
ules with no or minimal risk. The proposed security solu- ion enables a pro-active end-to-end security assessment of he traffic requests and accordingly ensures a secure flow and
outing process. The efficacy of our proposed functions has een evaluated through a case study of an enterprise network nd the results have been reported. In future, the proposed
ecurity mechanism will be enhanced with appropriate sen- itivity analysis to find out the potential sources of the vul- erabilities. In addition, the security functions will be verified
ith varying requirements and context.
E F E R E N C E S
Complete Guide to the Common Vulnerability Scoring System
Version 2.0. [online]. Available: https://www.first.org/cvss/v2/guide , (2007).
l-Shaer E , Al-Haj S . Flowchecker: configuration analysis and
verification of federated openflow infrastructures. Proceedings of the third ACM workshop on assurable and
usable security configuration, 2010 .nwer, B., Benson, T., Feamster, N., Levin, D., & Rexford, J. (2013). A
slick control plane for network middleboxes. Open
Networking Summit. [Online]. Available: http://nextstep-esolutions.com/Clients/ONS2.0/pdf/2013/ researchtrack/posterpapers/nal/ons2013-nal51.pdf, (2013).
allard JR , Rae I , Akella A . Extensible and scalable network monitoring using opensafe. Proceedings of the internet network management workshop/workshop on research on
enterprise networking (INM/WREN), 2010 .ernardo DV , Chua BB . Introduction and analysis of SDN and NFV
security architecture (SN-SECA). Proceedings of the twenty-ninth IEEE international conference on advanced
information networking and applications. Gwangiu; 2015. p. 796–801 .
anini M , et al . A NICE way to test openflow applications. Proceedings of the ninth USENIX conference on networked
systems design and implementation, 2012 .ommon Vulnerability Scoring System v3.0: Specification
Document. [online]. Available: https://www.first.org/cvss/specification-document , (2017).
ybersecurity Risk: A Thorough Definition. Bitsight. [online]. Available: https://www.bitsighttech.com/blog/ cybersecurity- risk- thorough- definition , (2017).
taiwi W , Biltawi M , Almajali S . Securing distributed SDN
controllers against dos attacks. Proceedings of the 2017 international conference on new trends in computing sciences (ICTCS). Amman; 2017. p. 203–6 .
xposure. [online]. Available: http://www.businessdictionary.com/definition/exposure.html , (2017).
ayazbakhsh S , Sekar V , Yu M , Mogul J . Flowtags: enforcing network-wide policies in the presence of dynamic middlebox actions. Proceedings of the second workshop on hot topics in
software defined networks. ACM, 2013 .abriel , et al . Achieving DDos resiliency in a software defined
network by intelligent risk assessment based on neural networks and danger theory. Proceedings of the fifteenth
international symposium on computational intelligence and
informatics. IEEE; 2014. p. 319–24 .hodsi , et al . Intelligent design enables architectural evolution.
Proceedings of the tenth ACM workshop hot topics in
networks; 2011. p. 1–6 .offstein J , Pipher J , Silverman JH . NTRU: a ring-based public key
cryptosystem. Algorithmic number theory, ANTS. Springer; 1998. p. 267–88 .
offstein J., Pipher J., Silverman J.H. (2001) NSS: An NTRU
Lattice-Based Signature Scheme. In: Pfitzmann B. (eds) Advances in Cryptology — EUROCRYPT 2001. EUROCRYPT
2001. Lecture Notes in Computer Science, vol 2045. Springer, Berlin, Heidelberg
ammal M , et al . Software defined networking: state of the art and research challenges. Comput Netw 2014;72:74–98 . Elsevier
loti R , Kotronis V , Smith P . Openflow: a security analysis. Proceedings of the twenty-first IEEE international conference on network protocols (ICNP). Gttingen, Germany; 2013. p. 1–6 .
reutz D , et al . Software-defined networking: a comprehensive survey. Proc IEEE 2015;103(1):14–76 . January
reutz D , Ramos F , Verissimo P . Towards secure and dependable software-defined networks. Proceedings of the second ACM
SIGCOMM workshop on hot topics in software defined networking; 2013. p. 55–60 .
umar A , Jain S , Naik U , et al . BWE: flexible, hierarchical bandwidth allocation for WAN distributed computing. Proceedings of the ACM conference on special interest group
on data communication (SIGCOMM’15). London, UK; 2015. p. 1–14 . August
am J-H , Lee S-G , Lee H-J , Oktian YE . Securing distributed SDN
with IBC. Proceedings of the 2015 seventh international conference on ubiquitous and future networks. Sapporo; 2015.p. 921–5 .
i Z , Gao Y , Chen Y . HiFIND: a high-speed flow-level intrusion
detection approach with dos resiliency. Comput Netw
2010;54(8):1282–99 .ehdi SA , Khalid J , Khayam SA . Revisiting traffic anomaly
detection using software defined networking. Recent advances in intrusion detection. Springer; 2011. p. 161–80 .
ell P , Scarfone K , Romanosky S . Common vulnerability scoring system. IEEE Secur Priv 2006;4(6):85–9 . December
etzler (2012). Research: understanding software-defined networks. Information week reports (pp. 1–25). October [Online] Available: http: //reports.informationweek.com/abstract/6/9044/Data-Center/ research- understanding- software- defined- networks.html , (2012).
ininet Documentation. Github. [Online]. Available: https://github.com/mininet/mininet/wiki/Documentation , (2016).
atanzi SBH , Majma MR . Secure distributed controllers in SDN
based on ECC public key infrastructure. Proceedings of the 2017 international conference on electrical and computing technologies and applications (ICECTA). Ras Al Khaimah; 2017a. p. 1–5 .
c o m p u t e r s & s e c u r i t y 7 8 ( 2 0 1 8 ) 3 2 1 – 3 3 5 335
Natanzi SBH , Majma MR . Secure northbound interface for SDN
applications with NTRU public key infrastructure. Proceedingsof the fourth IEEE international conference on
knowledge-based engineering and innovation (KBEI). Tehran; 2017b. p. 0452–8 .
Nishtha , Sood M . Software defined network-architectures. Proceedings of 2014 international conference on parallel, distributed and grid computing (PDGC); 2014. p. 451–6 .December
National Vulnerability Database (NVD). [online]. Available: https://nvd.nist.gov/ , (2018).
OpenFlow Switch Specification. [Online]. Available: https://www.opennetworking.org/images/stories/downloads/ sdn- resources/onf- specifications/openflow/ openflow- spec- v1.3.0.pdf, (2012).
Software-Defined Networking: The New Norm for Networks. [Online]. Available: https://www.opennetworking.org/images/stories/downloads/ sdn- resources/white- papers/wp- sdn- newnorm.pdf, (2012).
Porras P , et al . A security enforcement kernel for openflow
networks. Proceedings of the first workshop on hot topics in
software defined networks. ACM; 2012. p. 121–6 .Prasad AS , Koll D , Fu X . On the security of software-defined
networks. Proceedings of the fourth European workshop on
software defined networks. Bilbao; 2015. p. 105–6 .Qazi ZA , Tu CC , Chiang L , Miao R , Sekar V , Yu M . SIMPLE-fying
middlebox policy enforcement using SDN. Proceedings of the 2013 ACM SIGCOMM, 2013 . August
Shawn, H., Scott, L., Tomasz, O., & Adam, S. (2015). Uncover security design flaws using the STRIDE approach. Mar.[Online]. Available: http://msdn.microsoft.com/en-gb/magazine/cc163519.aspx , (2015).
Sherwood, R., et al. (2009). Flowvisor: a network virtualization
layer. Openflow switch consortium.Shi Y , Dai F , Ye Z . An enhanced security framework of software
defined network based on attribute-based encryption. Proceedings of the fourth 2017 international conference on
systems and informatics (ICSAI). Hangzhou; 2017. p. 965–969 .
Shin S , et al . FRESCO: modular composable security services for software-defined networks. Proceedings of the network and
distributed security symposium, 2013 .Shin S , Yegneswaran V , Porras P , Gu G . AVANT-GUARD: scalable
and vigilant switch flow management in software-defined networks. Proceedings of the ACM conference on computer and communications security. Berlin, Germany; 2013. p. 413–24 .
Shirali-Shahreza S , Ganjali Y . Efficient implementation of security applications in openflow controller with flexam. Proceedings of the twenty-first IEEE annual symposium on
high-performance interconnects. IEEE; 2013. p. 49–54 .Sohan SM , Maurer F , Anslow C , Robillard MP . A study of the
effectiveness of usage examples in REST API documentation. Proceedings of the 2017 IEEE symposium on visual languages and human-centric computing (VL/HCC). Raleigh, NC; 2017. p. 53–61 .
Son, S., et al. Model checking invariant security properties in
openflow. [Online]. Available: http://faculty.cse.tamu.edu/guofei/paper/Flover-ICC13.pdf, (2013).
Threat (Computer). Wikipedia. [online]. Available: https://en.wikipedia.org/wiki/Threat _ (computer) , (2018).
Tripathy BK , et al . A novel secure and efficient policy management framework for software defined network. Proceedings of the forty IEEE annual computer software and
applications conference. IEEE; 2016. p. 423–30 .
Tseng Y , Pattaranantakul M , He R , Zhang Z , Nat-Abdesselam F . Controller DAC: securing SDN controller with dynamic access control. Proceedings of the 2017 IEEE international conference on communications (ICC). Paris; 2017. p. 1–6 .
Vulnerability (Computing). Wikipedia. [online]. Available: https://en.wikipedia.org/wiki/Vulnerability _ (computing) , (2018).
Wang S , Chavez KG , Kandeepan S . SECO: SDN secure COntroller algorithm for detecting and defending denial of service attacks. Proceedings of the fifth international conference on
information and communication technology (ICoIC7). Melaka; 2017. p. 1–6 .
Yao L , Dong P , Zheng T , Zhang H , Du X , Guizani M . Network security analyzing and modeling based on petri net and
attack tree for SDN. Proceedings of the 2016 international conference on computing, networking and communications (ICNC). Kauai, HI; 2016. p. 1–5 .
Younis AA , Malaiya YK . Comparing and evaluating CVSS base metrics and microsoft rating system. Proceedings of the 2015 IEEE international conference on software quality, reliability and security. Vancouver, BC; 2015. p. 252–61 .
Bata Krishna Tripathy is a Ph.D. student inSchool of Electrical Sciences, Indian Instituteof Technology Bhubaneswar, India. He re-ceived his M.Tech. degree from Indian Insti-tute of Technology Kharagpur, India in 2014.He has completed his B.Tech. from Insti-tute of Technical Education and Research,Bhubaneswar, India in 2007. He has expertisein Mobile Ad hoc Networking, Software De-fined Networking, and Network Security.
Debi Prasad Das has received his B.Tech.degree from National Institute of Technol-ogy Rourkela, India in 2017. He was workingas an intern at Indian Institute of Technol-ogy Bhubaneswar, India in summer and win-ter vacations during B.Tech. He is currentlyplaced in Itron American Technology com-pany, Bangalore, India as a Software Engi-neer. He has expertise in Software DefinedNetworking and Network Security.
Swagat Kumar Jena is a Project in School ofElectrical Sciences, Indian Institute of Tech-nology Scholar Bhubaneswar, India. He re-ceived his M.Tech. degree from Indian Insti-tute of Technology Kharagpur, India in 2014.He has completed his B.Tech. from SeemantaEngineering College, Jharpokharia, India in2008. He has expertise in Internet of Things,Wireless Sensor Network, and Network Se-curity.
Padmalochan Bera received his Ph.D. fromIndian Institute of Technology Kharagpur,India in 2011. He completed his M.E. de-gree from West Bengal University of Tech-nology, Kolkata, India and his B.E. from Ja-davpur University, Kolkata, India in 2001. Heis currently working as an Assistant Pro-fessor in School of Electrical Sciences, IITBhubaneswar, India. He has expertise in Net-work and Cyber Physical Systems Security,Software Defined Networking, Cloud Com-puting, Formal Verification and optimiza-tion.