Software-Defined Cyber Agility for Active Cyber Defense
Abstract
The scale and sophistication of stealthy and persistent cyber-attacks like distributed denial-of-service (DDoS) and man-in-the-middle (MitM) have been rapidly increasing in recent years. There are fundamental Internet properties, attributed to the ossification of the Internet, which make the defense against such threats a very challenging task. First, static network paths lead to low-cost reconnaissance of the critical network resources, which always represent a small number due to the power-law distribution of the traffic flows. Second, the lack of real-time information sharing and integration obstructs a coordinated defense. Third, the lack of network agility due to the rigid process of correct network reconfiguration makes timely mitigation of cyber-threats infeasible or highly costly. Recently, software-defined networking (SDN) has been introduced to lessen the Internet ossification; however, it has its own problems, e.g., flooding at the switches due to minor control traffic interruptions.

In this dissertation, we develop an agile defense capability called Active Cyber Defense (ACD) to defend against the cyber-attacks mentioned above. ACD is a cyber-resiliency capability that dynamically orchestrates security architectures while adapting security policies and configurations, proactively or reactively, based on an active investigation of threat observables. The objectives of ACD are to make SDN resilient against SDN-specific vulnerabilities and to employ SDN to defend against stealthy DDoS attacks. We have developed a security architecture called Software-Defined Cyber Agility (SDA), inspired and enabled by SDN, to offer ACD. This agile security architecture allows programmable and on-demand functionality, reconfigurability and manageability of security and resiliency countermeasures. It employs virtual networks (VNs) as they offer the ability to allocate resources in the network dynamically (VN migration).

ACD defends against three problems in this dissertation.
First, it protects against stealthy DDoS attacks either by proactively invalidating the attacker's knowledge of the critical network footprint or by employing early attack detection techniques to isolate attack traffic. In proactive defense, ACD offers a dynamic and threat-aware VN migration technique that mutates the physical footprint of the VN. It offers three novel agility primitives: (1) Move, which enables a VN to migrate from one physical footprint to another; (2) Split, which allows isolating specific flows into a different VN; and (3) Merge, which enables two or more VNs to share the same physical footprint.

Second, ACD builds resilience into the design of the SDN control plane to significantly increase the inherent resilience of SDN against DoS attacks and other network faults. It uses the same SDN network resources to offer this boost in resilience. Essentially, it minimizes the sharing of critical resources between data and control traffic and elastically increases the limited control traffic processing capacity of the SDN switches on demand by dynamically using the under-utilized resources in the network.

Third, ACD defends SDN against a DoS attack caused by introducing interruptions in the SDN control traffic. In this novel SDN attack, an adversary compromises a few SDN switches and uses them to severely degrade network throughput and cause data flooding by unsuspiciously dropping only a small fraction of control traffic. ACD offers a solution that intelligently and dynamically distributes the routes of control traffic through the network such that the analysis of packet loss over these control paths instantly reveals the MitM switches.

We formalize ACD as a constraint satisfaction problem using Satisfiability Modulo Theories. We develop this as a correct-by-construction framework to handle dynamic network conditions while satisfying fundamental network constraints like switch resources, traffic matrix, QoS requirements, etc.
We implement ACD on real virtualized infrastructures like PlanetLab and Mininet.
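The third problem above, locating control-traffic-dropping switches from per-path packet loss, can be illustrated with a small constraint-style search. The following is an added example written for this page; it is not the dissertation's own algorithm or code. It assumes a simplified model: each control path is a tuple of switch ids, a path counts as lossy when its observed loss ratio exceeds a threshold, a path shows loss if and only if it traverses at least one compromised switch, and, because the adversary controls only a few switches, the smallest consistent set is the preferred explanation. The topology and the per-path counters are constructed sample data. The example also shows why route diversity matters: a single static control path cannot tell the switches on it apart, whereas a spread of paths pins the culprit down.

```python
"""Locate switches that drop control traffic from per-path loss observations.

Model (an assumption of this example, not the dissertation's formal model):
  - a control path is a tuple of the switch ids it traverses;
  - a path is lossy when lost/sent exceeds a threshold;
  - a path is lossy iff it traverses at least one compromised switch;
  - the smallest switch set consistent with all observations is preferred.
"""
from itertools import combinations

# Constructed sample topology: six switches, identified by string ids.
SWITCHES = ["s1", "s2", "s3", "s4", "s5", "s6"]


def to_observations(path_stats, threshold=0.005):
    """Turn (path, sent, lost) counters into (path, lossy) observations.

    Paths with no sent packets carry no information and are skipped.
    The default threshold (0.5%) is a constructed value; a real deployment
    would calibrate it against the baseline loss of the control channel.
    """
    obs = []
    for path, sent, lost in path_stats:
        if sent > 0:
            obs.append((tuple(path), lost / sent > threshold))
    return obs


def consistent(candidate, observations):
    """True if compromising exactly `candidate` explains every observation."""
    cand = set(candidate)
    for path, lossy in observations:
        traversed = any(sw in cand for sw in path)
        if traversed != lossy:
            return False
    return True


def localize(observations, switches=SWITCHES):
    """Return every minimum-size switch set consistent with the observations.

    More than one returned set means the current control-path layout cannot
    disambiguate the culprits and more diverse paths should be scheduled.
    """
    for k in range(len(switches) + 1):
        found = [frozenset(c) for c in combinations(switches, k)
                 if consistent(c, observations)]
        if found:
            return found
    return []  # no single explanation: the all-or-nothing model was violated


def cleared(observations):
    """Switches that lie on at least one loss-free path cannot be dropping."""
    return {sw for path, lossy in observations if not lossy for sw in path}


# Constructed scenario: s2 silently drops ~1% of control packets.
# (a) A single static control path: loss is seen, but nothing can be localized.
STATIC_STATS = [(("s1", "s2", "s3"), 1000, 10)]
# (b) Control traffic spread over four diverse paths through the same switches.
DIVERSE_STATS = [
    (("s1", "s2", "s3"), 1000, 10),  # traverses s2 -> lossy
    (("s1", "s4", "s5"), 1000, 1),   # clean
    (("s6", "s2", "s5"), 1000, 9),   # traverses s2 -> lossy
    (("s6", "s3", "s4"), 1000, 0),   # clean
]


if __name__ == "__main__":
    print("static layout  :", localize(to_observations(STATIC_STATS)))
    obs = to_observations(DIVERSE_STATS)
    print("diverse layout :", localize(obs))
    print("cleared        :", sorted(cleared(obs)))
```

With the static layout every switch on the lone path is an equally good explanation; with the diverse layout only `s2` is consistent, and the clean paths clear the remaining five switches outright. The brute-force subset search is fine for a handful of switches; the dissertation's SMT formulation is the scalable way to pose the same consistency constraints.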