Gwardar: Towards Protecting a Software-Defined Network from Malicious Network Operating Systems
Arash Shaghaghi, Salil S. Kanhere, Mohamed Ali Kaafar, Sanjay Jha

TL;DR
Gwardar is a system designed to detect and protect against malicious or compromised SDN controllers by monitoring data plane trajectories and verifying controller instructions to ensure network integrity.
Contribution
It introduces a novel intrusion protection system that maintains a virtual replica of the data plane to detect anomalies caused by compromised controllers.
Findings
High detection accuracy achieved
Effective identification of malicious controller behavior
Practical deployment with reasonable response times
Abstract
A Software-Defined Network (SDN) controller (a.k.a. Network Operating System or NOS) is regarded as the brain of the network and is the single most critical element responsible for managing an SDN. Complementary to existing solutions that aim to protect a NOS, we propose an intrusion protection system designed to protect an SDN against a controller that has been successfully compromised. Gwardar maintains a virtual replica of the data plane by intercepting the OpenFlow messages exchanged between the control and data plane. By observing the long-term flow of the packets, Gwardar learns the normal set of trajectories in the data plane for distinct packet headers. Upon detecting an unexpected packet trajectory, it starts by verifying the data plane forwarding devices by comparing the actual packet trajectories with the expected ones computed over the virtual replica. If the anomalous…
Taxonomy
Topics: Software-Defined Networks and 5G · Network Security and Intrusion Detection · Advanced Malware Detection Techniques
