A Novel Stealthy Attack to Gather SDN Configuration-Information

Software Defined Networking (SDN) is a recent network architecture based on the separation of forwarding functions from network logic, and provides high flexibility in the management of the network. In this paper, we show how an attacker can exploit SDN programmability to obtain detailed knowledge a...

Detailed description

Saved in:
Bibliographic details
Published in: IEEE transactions on emerging topics in computing 2020-04, Vol.8 (2), p.328-340
Main authors: Conti, Mauro, De Gaspari, Fabio, Mancini, Luigi V.
Format: Article
Language: eng
Subjects:
Online access: Order full text
container_end_page 340
container_issue 2
container_start_page 328
container_title IEEE transactions on emerging topics in computing
container_volume 8
creator Conti, Mauro
De Gaspari, Fabio
Mancini, Luigi V.
description Software Defined Networking (SDN) is a recent network architecture based on the separation of forwarding functions from network logic, and provides high flexibility in the management of the network. In this paper, we show how an attacker can exploit SDN programmability to obtain detailed knowledge about the network behaviour. In particular, we introduce a novel attack, named Know Your Enemy (KYE), which allows an attacker to gather vital information about the configuration of the network. Through the KYE attack, an attacker can obtain information ranging from the configuration of security tools, such as attack detection thresholds for network scanning, to general network policies like QoS and network virtualization. Additionally, we show that the KYE attack can be performed in a stealthy fashion, allowing an attacker to learn configuration secrets without being detected. We underline that the vulnerability exploited by the KYE attack is proper of SDN and is not present in legacy networks. Finally, we address the KYE attack by proposing an active defense countermeasure based on network flows obfuscation, which considerably increases the complexity for a successful attack. Our solution offers provable security guarantees that can be tailored to the needs of the specific network under consideration.
doi_str_mv 10.1109/TETC.2018.2806977
format Article
fulltext fulltext_linktorsrc
identifier ISSN: 2168-6750
ispartof IEEE transactions on emerging topics in computing, 2020-04, Vol.8 (2), p.328-340
issn 2168-6750
2168-6750
language eng
recordid cdi_crossref_primary_10_1109_TETC_2018_2806977
source IEEE Electronic Library (IEL)
subjects Computer architecture
Configurations
Control systems
Cybersecurity
Decision making
Network architecture
Quality of service architectures
SDN
Security
side-channel
Software defined networking
stealth information-gathering
Virtualization
title A Novel Stealthy Attack to Gather SDN Configuration-Information
url https://sfx.bib-bvb.de/sfx_tum?ctx_ver=Z39.88-2004&ctx_enc=info:ofi/enc:UTF-8&ctx_tim=2025-02-09T22%3A06%3A56IST&url_ver=Z39.88-2004&url_ctx_fmt=infofi/fmt:kev:mtx:ctx&rfr_id=info:sid/primo.exlibrisgroup.com:primo3-Article-proquest_RIE&rft_val_fmt=info:ofi/fmt:kev:mtx:journal&rft.genre=article&rft.atitle=A%20Novel%20Stealthy%20Attack%20to%20Gather%20SDN%20Configuration-Information&rft.jtitle=IEEE%20transactions%20on%20emerging%20topics%20in%20computing&rft.au=Conti,%20Mauro&rft.date=2020-04-01&rft.volume=8&rft.issue=2&rft.spage=328&rft.epage=340&rft.pages=328-340&rft.issn=2168-6750&rft.eissn=2168-6750&rft.coden=ITETBT&rft_id=info:doi/10.1109/TETC.2018.2806977&rft_dat=%3Cproquest_RIE%3E2410517315%3C/proquest_RIE%3E%3Curl%3E%3C/url%3E&disable_directlink=true&sfx.directlink=off&sfx.report_link=0&rft_id=info:oai/&rft_pqid=2410517315&rft_id=info:pmid/&rft_ieee_id=8293865&rfr_iscdi=true