The electronic thesis has not yet been authorized for public release; for the paper copy, please check the library catalog.
(Note: if no record is found, or the holdings status shows "closed stacks, not open to the public", the thesis is not in the stacks and cannot be accessed.)
System ID U0026-2908201817030200
Title (Chinese) 軟體定義網路中拓樸攻擊偵測機制 (Topology attack detection mechanism in software-defined networking)
Title (English) On Topology Poisoning Detection in Software Defined Networking
Institution 成功大學 (National Cheng Kung University)
Department (Chinese) 電腦與通信工程研究所
Department (English) Institute of Computer & Communication
Academic year 106 (ROC calendar)
Semester 2
Year of publication 107 (ROC calendar)
Author (Chinese) 洪勤硯
Author (English) Chen-Yen Hung
Student ID Q36054308
Degree Master
Language English
Page count 56 pages
Committee Advisor: 林輝堂
Committee member: 楊竹星
Committee member: 李忠憲
Committee member: 王平
Committee member: 鄭伯炤
Chinese keywords 軟體定義網路 (software-defined networking), 拓樸攻擊 (topology attack)
English keywords Software Defined Network, Topology Poison
Subject classification
Abstract (Chinese) With the rapid growth of networks and the ever wider use of cloud applications, the number of network devices increases every year and managing them becomes harder. Software-defined networking (SDN) has therefore become the current networking trend. Unlike a traditional network, the SDN architecture separates the control plane of the network devices from the data plane. The data plane consists mainly of SDN switches, which process packets according to the instructions and settings received from the controller. The control plane is a centralized controller that pushes packet-handling rules and actions down to each switch through a specific interface. The advantage of SDN is that the state of the network can be grasped in real time, so that corresponding countermeasures can be decided and carried out immediately, and security policies can be enforced on the switches. To grasp the network state, building the network topology is indispensable. In SDN, topology discovery is usually performed with OFDP (OpenFlow Discovery Protocol), which relies on LLDP (Link Layer Discovery Protocol) to discover the links between switches. However, LLDP has no sound authentication mechanism, so an attacker can easily forge LLDP packets, or relay LLDP packets, to confuse the controller. This thesis therefore proposes a security mechanism that verifies both the integrity of a packet and the path it has taken. For the packet relay attack, the thesis uses the difference between packets that traverse a benign link and packets that traverse a forged link to decide whether an attack is under way, and offers two different decision methods that can be used in different situations. Finally, in both a simulated and a real environment, the proposed method effectively detects whether an attack has occurred.
Abstract (English) With the growth of networks and cloud applications, the number of network devices keeps increasing, and device management and configuration have become a problem. Software-defined networking (SDN) has therefore become the trend. The difference between an SDN network and a traditional network is that the control plane and the data plane are separated in SDN. The data plane consists primarily of SDN switches, which follow the rules received from the controller to process incoming packets. The control plane is a centralized controller that sends rules and actions to each switch via a southbound protocol such as OpenFlow. The advantage of this separated architecture is that the controller can collect network conditions immediately and send corresponding countermeasures to the switches. To obtain network information, a global view must first be built. Most SDN controllers use OFDP (OpenFlow Discovery Protocol) to discover the network topology; in OFDP, LLDP (Link Layer Discovery Protocol) is used to discover the links between two switches. However, LLDP lacks proper authentication, which lets an attacker poison the network topology by launching a fake LLDP injection attack or an LLDP relay attack. This thesis therefore proposes a mechanism to authenticate packet integrity and routing. For the LLDP relay attack, the thesis uses the differences between benign links and forged links to detect the attack. Finally, the results show that, in both a simulated environment and a real environment, the proposed method can effectively detect the attack.
Table of contents
Abstract (Chinese) ... I
Abstract ... II
Acknowledgements ... IV
Contents ... V
List of Figures ... VII
List of Tables ... IX
Chapter 1 ... 1
1.1 Overview ... 1
1.2 Software-Defined Networking ... 2
1.3 OpenFlow ... 3
1.4 SDN Topology Discovery ... 6
1.4.1 Host Discovery ... 7
1.4.2 Switch Discovery ... 7
1.4.3 Link Discovery ... 8
1.5 SDN Topology Poison ... 10
1.5.1 Fake LLDP Injection Attack ... 10
1.5.2 LLDP Relay Attack ... 11
1.6 Impact on Network ... 12
1.7 Current Solution on Topology Poison ... 14
1.8 Motivation ... 15
1.9 Objective ... 16
1.10 Thesis Outline ... 18
Chapter 2 ... 19
2.1 OFDPv2 ... 19
2.2 TopoGuard ... 21
2.3 Authentication of LLDP packet ... 24
2.4 SPHINX ... 25
Chapter 3 ... 27
3.1 Proposed Scheme ... 27
3.1.1 LLDP Authentication Scheme ... 28
3.1.2 LLDP Relay Attack Detection Scheme ... 32
3.1.2.1 Statistical Based Method ... 33
3.1.2.2 Machine Learning Based Method ... 34
Chapter 4 ... 39
4.1 Environment ... 39
4.2 Experiment Result ... 41
4.2.1 Packet Transfer Time ... 41
4.2.2 Effect of Different Topology on Statistical Based Method ... 43
4.2.3 Effect of Different Outlier Detection Method ... 45
4.2.4 Effect of Link Load on Packet Transfer Time ... 46
4.2.5 SVM ... 48
4.3 Compare with Current Solution ... 49
Chapter 5 ... 51
Bibliography ... 53
Full-text access permissions
  • Authorized for on-campus browsing/printing of the electronic full text, public from 2023-08-31.
  • Authorized for off-campus browsing/printing of the electronic full text, public from 2023-08-31.