WedgeTail: An Intrusion Prevention System for the Data Plane of Software Defined Networks
Arash Shaghaghi, Mohamed Ali Kaafar, Sanjay Jha

TL;DR
WedgeTail is an autonomous intrusion prevention system for SDN data planes that detects malicious forwarding devices by analyzing packet trajectories without relying on pre-defined rules.
Contribution
It introduces a novel trajectory-based, rule-free approach for detecting malicious SDN forwarding devices, enhancing security and adaptability.
Findings
Successfully detected all malicious forwarding devices in simulations.
Operates without pre-defined rules, enabling easy deployment across diverse SDN setups.
Efficiently identifies malicious actions like packet drop and generation.
Abstract
Networks are vulnerable to disruptions caused by malicious forwarding devices. The situation is likely to worsen in Software Defined Networks (SDNs) with the incompatibility of existing solutions, the use of programmable soft switches and the potential of bringing down an entire network through compromised forwarding devices. In this paper, we present WedgeTail, an Intrusion Prevention System (IPS) designed to secure the SDN data plane. WedgeTail regards forwarding devices as points within a geometric space and stores the path packets take when traversing the network as trajectories. To be efficient, it prioritizes forwarding devices before inspection using an unsupervised trajectory-based sampling mechanism. For each forwarding device, WedgeTail computes the expected and actual trajectories of packets and "hunts" for any forwarding device not processing packets as expected. Compared…
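The abstract describes the core idea: derive the trajectory a packet should follow from the forwarding state, record the trajectory it actually took, and attribute any divergence (drop, misrouting, packet generation) to the device at which the two paths part. The following is an added illustration of that comparison, written for this page; it is not WedgeTail's code and does not reproduce the paper's sampling mechanism. The topology, forwarding rules, hosts, packet observations and the simple trajectory-count prioritization are all constructed assumptions of the example.

```python
from collections import defaultdict

# Constructed example, not WedgeTail's code. Forwarding devices s1..s3 and
# hosts h2/h3. Rules map a destination prefix to the next hop at each device.
FORWARDING_RULES = {
    "s1": {"10.0.2.0/24": "s2", "10.0.3.0/24": "s2"},
    "s2": {"10.0.2.0/24": "h2", "10.0.3.0/24": "s3"},
    "s3": {"10.0.3.0/24": "h3"},
}
HOSTS = {"h2", "h3"}

# Constructed per-packet observations: where the packet entered the network
# (None if no ingress record exists), its destination prefix, and the ordered
# list of devices/hosts at which it was observed.
OBSERVATIONS = {
    "p1": {"ingress": "s1", "dst": "10.0.2.0/24", "seen": ["s1", "s2", "h2"]},
    "p2": {"ingress": "s1", "dst": "10.0.3.0/24", "seen": ["s1", "s2"]},
    "p3": {"ingress": "s1", "dst": "10.0.3.0/24", "seen": ["s1", "s2", "h2"]},
    "p4": {"ingress": None, "dst": "10.0.2.0/24", "seen": ["s3", "s2", "h2"]},
}


def expected_trajectory(ingress, dst, rules=FORWARDING_RULES, hosts=HOSTS, max_hops=16):
    """Walk the forwarding rules from the ingress device until a host is reached.
    Returns the partial path if a device has no matching rule or the walk loops."""
    path = [ingress]
    cur = ingress
    while cur not in hosts:
        nxt = rules.get(cur, {}).get(dst)
        if nxt is None or len(path) > max_hops:
            break
        path.append(nxt)
        cur = nxt
    return path


def prioritize(observations=OBSERVATIONS, hosts=HOSTS):
    """Rank devices by how many distinct observed trajectories cross them.
    A simple stand-in for a trajectory-based prioritization step; this is an
    assumption of the example, not the paper's sampling mechanism."""
    counts = defaultdict(int)
    for obs in observations.values():
        for dev in set(obs["seen"]) - hosts:
            counts[dev] += 1
    return sorted(counts, key=lambda d: (-counts[d], d))


def audit(observations=OBSERVATIONS, rules=FORWARDING_RULES, hosts=HOSTS):
    """Compare each packet's actual trajectory with its expected one and
    attribute deviations to the device where the two trajectories diverge."""
    verdicts = defaultdict(set)
    for obs in observations.values():
        seen = obs["seen"]
        if obs["ingress"] is None:
            # Packet appeared at a device without ever entering from a host.
            verdicts[seen[0]].add("generate")
            continue
        exp = expected_trajectory(obs["ingress"], obs["dst"], rules, hosts)
        diverged = False
        for i, dev in enumerate(seen):
            if i >= len(exp) or exp[i] != dev:
                diverged = True
                if i == 0:
                    verdicts[dev].add("generate")
                else:
                    # The previous hop forwarded the packet somewhere unexpected.
                    verdicts[seen[i - 1]].add("misroute")
                break
        if not diverged and len(seen) < len(exp):
            # Trajectory matched but ended early: the last device seen dropped it.
            verdicts[seen[-1]].add("drop")
    return {dev: sorted(v) for dev, v in verdicts.items()}


if __name__ == "__main__":
    print("inspection order:", prioritize())
    for dev, v in audit().items():
        print(dev, v)
```

On the constructed data, `s2` is flagged for both a drop (packet p2 never reaches s3) and a misroute (p3 is delivered to h2 instead of s3), while `s3` is flagged for generating p4, which has no ingress record. Attribution rests on the device that last handled the packet before the divergence, which is why a device that forwards correctly but whose downstream neighbour misbehaves is not blamed.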
