SDN-RDCD: A Real-Time and Reliable Method for Detecting Compromised SDN Devices
Software-defined networks (SDNs) are increasingly deployed in practical settings, which brings new security risks such as SDN controller and switch hijacking. In this paper, we propose a real-time method that detects compromised SDN devices reliably. The method addresses the detection problem when neither the controller nor the switch can be trusted, and it is complementary to existing detection methods. Our core idea is to employ backup controllers to audit the handling information of network update events collected from the primary controller and its switches, and to detect compromised devices by recognizing inconsistent or unexpected handling behaviors among the primary controller, the backup controllers, and the switches. Following this idea, we first capture each network update request and its execution result in the primary controller, collect each received network update instruction and the information of any state update in the switches, and deliver these four kinds of information to the backup controllers, which act as auditors. An auditor controller creates an audit record for each network update request it receives and adds to that record its own execution result for the request as well as the four kinds of matching information it received. In particular, we propose heterogeneous auditor controllers so that the auditors do not share a vulnerability with the primary controller. We then present the audit algorithm and a theoretical proof of its effectiveness for security enhancement. Finally, experimental results from our prototype implementation further validate the proposed method and its low cost.
Software defined network (SDN), controller hijacking, switch hijacking, SDN forensics, anomaly detection.
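To make the auditing idea in the abstract concrete, the following Python sketch is an added example written for this page; it is not the paper's algorithm or its prototype code. It models one auditor controller that keeps an audit record per network update request, fills it with the four kinds of information the abstract names (request and execution result from the primary controller, received instruction and state update from the switch), recomputes the expected result itself, and reports which device behaved inconsistently. The `policy` function, the `(match, action)` rule encoding, the message order and the attribution rules are assumptions made here for illustration.

```python
"""Toy auditor-controller logic illustrating the audit idea in the abstract.
Added example: not taken from the paper or its prototype. The policy
function, message shapes and attribution rules are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Rule = Tuple[str, str]          # (match, action), e.g. ("nw_dst=10.0.0.2", "output:2")
Finding = Tuple[str, int, str]  # (suspected device, req_id or dpid, reason)


def policy(dpid: int, src: str, dst: str) -> Rule:
    """Hypothetical deterministic policy shared by primary and auditor controllers.
    Because the auditor recomputes the rule from the same request, an honest
    primary's reported execution result must be identical to this value."""
    return (f"nw_src={src},nw_dst={dst}", f"output:{(dpid % 4) + 1}")


@dataclass
class AuditRecord:
    req_id: int
    dpid: int
    auditor_result: Rule                    # recomputed by the auditor itself
    primary_result: Optional[Rule] = None   # execution result reported by the primary
    switch_received: Optional[Rule] = None  # instruction the switch says it received
    switch_state: Optional[Rule] = None     # state update the switch actually applied

    def complete(self) -> bool:
        return None not in (self.primary_result, self.switch_received, self.switch_state)


class Auditor:
    def __init__(self) -> None:
        self.records: Dict[int, AuditRecord] = {}
        self.findings: List[Finding] = []

    # --- the four kinds of collected information ---------------------------
    def on_request(self, req_id: int, dpid: int, src: str, dst: str) -> None:
        # One audit record per captured request, with the auditor's own result.
        self.records[req_id] = AuditRecord(req_id, dpid, policy(dpid, src, dst))

    def on_primary_result(self, req_id: int, rule: Rule) -> None:
        self._record(req_id).primary_result = rule
        self._audit(req_id)

    def on_switch_received(self, req_id: int, rule: Rule) -> None:
        self._record(req_id).switch_received = rule
        self._audit(req_id)

    def on_switch_state(self, req_id: int, dpid: int, rule: Rule) -> None:
        if req_id not in self.records:
            # A state change that matches no captured request is unexpected behaviour.
            self.findings.append(("switch", dpid, f"state update with no matching request: {rule}"))
            return
        self._record(req_id).switch_state = rule
        self._audit(req_id)

    def _record(self, req_id: int) -> AuditRecord:
        # Assumption for this toy: the request is captured before the other
        # three messages about it arrive (no reordering or timeout handling).
        return self.records[req_id]

    # --- consistency check once all four pieces are present ----------------
    def _audit(self, req_id: int) -> None:
        r = self.records[req_id]
        if not r.complete():
            return
        if r.primary_result != r.auditor_result:
            # The primary executed, or claims to have executed, something off-policy.
            self.findings.append(("primary_controller", req_id,
                                  "execution result differs from auditor's result"))
        elif r.switch_received != r.primary_result:
            # The report and the instruction actually sent cannot both be honest.
            self.findings.append(("primary_controller", req_id,
                                  "instruction received by switch differs from reported result"))
        if r.switch_state != r.switch_received:
            # The switch applied something other than what it was told to apply.
            self.findings.append(("switch", r.dpid,
                                  "installed state differs from received instruction"))


def report_round(aud: Auditor, req_id: int, dpid: int, src: str, dst: str,
                 primary_rule: Rule, received_rule: Rule, state_rule: Rule) -> None:
    """Feed one update event's four pieces of information in arrival order."""
    aud.on_request(req_id, dpid, src, dst)
    aud.on_primary_result(req_id, primary_rule)
    aud.on_switch_received(req_id, received_rule)
    aud.on_switch_state(req_id, dpid, state_rule)


def run_scenarios() -> List[Finding]:
    """Constructed events: one honest round followed by three misbehaviours."""
    aud = Auditor()
    ok = policy(1, "10.0.0.1", "10.0.0.2")
    report_round(aud, 1, 1, "10.0.0.1", "10.0.0.2", ok, ok, ok)                   # honest
    good = policy(2, "10.0.0.3", "10.0.0.4")
    bad = (good[0], "output:1")
    report_round(aud, 2, 2, "10.0.0.3", "10.0.0.4", good, bad, bad)                # primary misreports
    good = policy(3, "10.0.0.5", "10.0.0.6")
    report_round(aud, 3, 3, "10.0.0.5", "10.0.0.6", good, good, (good[0], "drop"))  # switch deviates
    aud.on_switch_state(99, 3, ("nw_dst=10.0.0.9", "output:1"))                    # rogue state change
    good = policy(4, "10.0.0.7", "10.0.0.8")
    wrong = (good[0], "output:2")
    report_round(aud, 4, 4, "10.0.0.7", "10.0.0.8", wrong, wrong, wrong)           # primary off-policy
    return aud.findings


if __name__ == "__main__":
    for device, ident, reason in run_scenarios():
        print(f"{device:18} {ident:>3}  {reason}")
```

The attribution rules encode the abstract's observation that inconsistency between the primary's reported result and the auditor's own result, or between that report and what the switch received, points at the controller, while a switch whose installed state departs from the instruction it acknowledged, or changes state with no request at all, points at the switch. A real auditor would additionally need message authentication on the collected information and handling for reordering and timeouts, which this sketch omits.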