Robustness-as-evolvability: building a dynamic control plane with Software-Defined Networking
Lead Research Organisation:
University of Strathclyde
Department Name: Computer and Information Sciences
Abstract
Highly available information networks are an increasingly essential component of the modern society. Targeted attacks are a key threat to the availability of these networks. These attacks exploit weak components in network infrastructure and attack them, triggering side-effects that harm the ultimate victim. Targeted attacks are carried out using highly distributed attacker networks called botnets comprising between thousands and hundreds of thousands of compromised computers. A key feature is that botnets are programmable allowing the attacker to adapt to evolve and adapt to defences developed by infrastructure providers. However current network infrastructure is largely static and hence cannot adapt to a fast evolving attacker.
To design effective responses, a programmable network infrastructure enabling large-scale cooperation is necessary. Our research will create a new form of secure network infrastructure which detects targeted attacks on itself. It then automatically restructures the infrastructure to maximise attack resilience. Finally, it self-verifies whether global properties of safety and correctness can be assured even though each part of the infrastructure only has a local view of the world.
Our research will examine techniques to collect and merge inferences across distributed vantage points within a network whilst minimising risks to user privacy from data-aggregation using novel privacy techniques. We make a start on addressing the risks introduced by programmability itself, by developing smart assurance techniques that can verify evidence of good intention before the infrastructure is reprogrammed.
We set three fundamental design objectives for our design:
(1) Automated and seamless restructuring of network infrastructure to withstand attacks aimed at strategic targets on the infrastructure.
(2) A measurement system that allows dynamic allocation of resources and fine control over the manner, location, frequency, and intensity of data collected at each monitoring location on the infrastructure.
(3) Assurance of safety and compliance to sound principles of structural resilience when infrastructure is reprogrammed.
Our aim is to develop future network defences based on a smart and evolving network infrastructure.
To design effective responses, a programmable network infrastructure enabling large-scale cooperation is necessary. Our research will create a new form of secure network infrastructure which detects targeted attacks on itself. It then automatically restructures the infrastructure to maximise attack resilience. Finally, it self-verifies whether global properties of safety and correctness can be assured even though each part of the infrastructure only has a local view of the world.
Our research will examine techniques to collect and merge inferences across distributed vantage points within a network whilst minimising risks to user privacy from data-aggregation using novel privacy techniques. We make a start on addressing the risks introduced by programmability itself, by developing smart assurance techniques that can verify evidence of good intention before the infrastructure is reprogrammed.
We set three fundamental design objectives for our design:
(1) Automated and seamless restructuring of network infrastructure to withstand attacks aimed at strategic targets on the infrastructure.
(2) A measurement system that allows dynamic allocation of resources and fine control over the manner, location, frequency, and intensity of data collected at each monitoring location on the infrastructure.
(3) Assurance of safety and compliance to sound principles of structural resilience when infrastructure is reprogrammed.
Our aim is to develop future network defences based on a smart and evolving network infrastructure.
Planned Impact
Our joint research program (with industrial and academic partners) will provide new foundations for a resilient network infrastructure. The medium term beneficiaries of this research will be parties who have a stake in the development of future networking infrastructure, and, in the much longer and wider term, everyone who relies on resilience of the global digital infrastructure.
Our technologies will give private sector companies competitive advantage, by making their SDN-based networking tools provide additional functionality, aimed directly at tackling security issues. Our techniques will give greater confidence in network infrastructure; thus enabling utility companies and government to move more critical infrastructure onto standard backbones.
Software-Defined Networking (SDN) promises massive reduction in costs. The proposed work programme has the potential to demonstrate that not only could SDN switches provide fundamentally better security (by incorporating programmability and hence dynamic algorithms for measurement and response), they might achieve it cheaper than conventional hardware routers.
Our technologies will give private sector companies competitive advantage, by making their SDN-based networking tools provide additional functionality, aimed directly at tackling security issues. Our techniques will give greater confidence in network infrastructure; thus enabling utility companies and government to move more critical infrastructure onto standard backbones.
Software-Defined Networking (SDN) promises massive reduction in costs. The proposed work programme has the potential to demonstrate that not only could SDN switches provide fundamentally better security (by incorporating programmability and hence dynamic algorithms for measurement and response), they might achieve it cheaper than conventional hardware routers.
Publications
Gardiner J
(2021)
Controller-in-the-Middle
Nagaraja S
(2021)
VoIPLoc
Nagaraja S
(2019)
Clicktok
Shah R
(2019)
Do we have the time for IRM?
Shah R
(2019)
Poster
| Description | In the consolidation phase of the project where the many parts come together to form the whole. We have made significant progress towards solving the problem of a malicious controller, developed an access control model for sharing SDN monitoring data in a cross-federated environment, developed SDN-based defenses for various attacks on the Internet including: DoS attacks on IRM systems and Clickfraud attacks on advertising networks, and securing robotic cyberphysical systems. |
| Exploitation Route | We are closely working to disseminate the academic outputs into the industry via an active industry collaboration with Keysight Technologies. We are also closely working with academics and practitioners in CyberPhysical Systems area in the global south to enable others to build on your work and to en Beyond these achievements, in 2020 the team applied the defense techniques developed within the project to develop network-centric defences for teleoperated surgical robots. |
| Sectors | Aerospace, Defence and Marine,Digital/Communication/Information Technologies (including Software),Electronics,Financial Services, and Management Consultancy,Healthcare |
| Description | The SDN testbed we have created has been used by several organisations -- University of Bristol, University of Lancaster, Juniper, Brocade, VMWare, Samsung, and Fortinet to develop SDN security testing strategies, test SDN products and carry out research in SDN security. The RASE router-cache-security module produced in this project was considered for productisation by a hardware switch manufacturer. We have also worked hard to raise awareness of SDN security challenges within UK government. As a result of our actions, a specific funding pot to support testbed usage has been created which has been accessed by two universities thus far. |
| Description | Collaboration on advanced AI-enabled SDN controllers |
| Organisation | Indian Institute of Science Bangalore |
| Country | India |
| Sector | Academic/University |
| PI Contribution | Quorum based software-defined controllers applied to Cyber-Physical Systems |
| Collaborator Contribution | AI components for the SDN controller |
| Impact | Work in progress |
| Start Year | 2018 |
| Description | Software-Defined Network Measurement |
| Organisation | Keysight Technologies |
| Country | United States |
| Sector | Private |
| PI Contribution | Techniques for network measurement and traceability using software-defined networks |
| Collaborator Contribution | Knowledge, confidential IP, and hardware in the test and instrumentation space. |
| Impact | SDN security demonstrator for test and instrumentation |
| Start Year | 2018 |
| Title | Dynamic defenses for targeted attacks on SDN switches |
| Description | We have developed a dynamic router migration capability that enables a switch under attack to seamlessly transfer its load to other switches in the network. |
| Type Of Technology | Software |
| Year Produced | 2015 |
| Impact | A really interesting point about this security component is that it works as a load balancer during peacetime and automatically switches to a defensive stance when under attacks. In other words, it offers a benefit even during peacetime and causes little overheads. |
| Title | RASE Alpha stage prototype for defenses against cache attacks |
| Description | This alpha stage prototype for modified PICA-8 switch that can defend against attacks on the switch's FIFO caching algorithm. |
| Type Of Technology | Software |
| Year Produced | 2017 |
| Impact | This product has been nominated for the second short list by PICA switches, we are very confident that the code will enter production once it comes to beta stage. |
| Title | Tamper proof audit trail for SDN controllers |
| Description | Tamper proof audit trail for SDN controllers, leverages Ethereum-based smart contracts to enforce semantics of correct operation and tamper proof properties. |
| Type Of Technology | Software |
| Year Produced | 2019 |
| Impact | This software is being considered for product development by a major OEM. |
| Description | Dissemination talks |
| Form Of Engagement Activity | A talk or presentation |
| Part Of Official Scheme? | No |
| Geographic Reach | International |
| Primary Audience | Postgraduate students |
| Results and Impact | 9 talks (2 international and 7 national) were given to disseminate the project outputs |
| Year(s) Of Engagement Activity | 2018 |
| Description | SDN Workshop |
| Form Of Engagement Activity | Participation in an activity, workshop or similar |
| Part Of Official Scheme? | No |
| Geographic Reach | Regional |
| Primary Audience | Professional Practitioners |
| Results and Impact | University level workshop on the Secure Software-Defined Networks and their applications on IoT and CPS environments. |
| Year(s) Of Engagement Activity | 2018 |