A Forensic Methodology for Software-Defined Network Switches

  • Tommy Chin
  • Kaiqi Xiong
Conference paper
Part of the IFIP Advances in Information and Communication Technology book series (IFIPAICT, volume 511)

Abstract

This chapter presents a forensic methodology for computing systems in a software-defined networking environment that consists of an application plane, control plane and data plane. The methodology involves a forensic examination of the software-defined networking infrastructure from the perspective of a switch. Memory images of a live switch and southbound communications are leveraged to enable forensic investigators to identify and locate potential evidence for triage in real time. The methodology is evaluated using a real-world testbed exposed to network attacks. The experimental results demonstrate the effectiveness of the methodology for forensic investigations of software-defined networking infrastructures.
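The abstract describes two sources of evidence at the switch: the southbound (controller to switch) channel and the memory of the live switch. The following is an added example, not code from the paper or its authors, showing what a first triage pass over such evidence can look like. It assumes the southbound protocol is OpenFlow 1.3 (wire version 0x04, ONF specification) and uses the public header and flow_mod layouts from that specification; the sample TCP stream and memory blob are constructed inline, and the triage rule that flags flow deletions is an assumption chosen for illustration, not a rule the paper states.

```python
"""Triage of OpenFlow southbound traffic carved from a capture or a memory image.

Added example (not the paper's code). Assumes OpenFlow 1.3: every message starts
with an 8-byte header version:u8, type:u8, length:u16, xid:u32 in network order.
"""
import struct
from collections import Counter

OFP_HEADER = struct.Struct("!BBHI")  # version, type, length, xid
OFP13 = 0x04
# OpenFlow 1.3 message type numbers (subset sufficient for triage)
OFPT = {0: "HELLO", 1: "ERROR", 2: "ECHO_REQUEST", 3: "ECHO_REPLY",
        5: "FEATURES_REQUEST", 6: "FEATURES_REPLY", 10: "PACKET_IN",
        11: "FLOW_REMOVED", 13: "PACKET_OUT", 14: "FLOW_MOD",
        18: "MULTIPART_REQUEST", 19: "MULTIPART_REPLY"}
OFPFC = {0: "ADD", 1: "MODIFY", 2: "MODIFY_STRICT", 3: "DELETE", 4: "DELETE_STRICT"}
# ofp_flow_mod body prefix (follows the header):
# cookie:u64 cookie_mask:u64 table_id:u8 command:u8 idle:u16 hard:u16 priority:u16
FLOW_MOD_PREFIX = struct.Struct("!QQBBHHH")


def parse_stream(data: bytes):
    """Split a reassembled controller<->switch TCP stream into messages.

    Stops at the first header that is not well formed (wrong version, length
    below 8, or length running past the data) and returns the leftover byte
    count so the examiner knows the stream was truncated or corrupted."""
    msgs, off = [], 0
    while off + OFP_HEADER.size <= len(data):
        version, mtype, length, xid = OFP_HEADER.unpack_from(data, off)
        if version != OFP13 or length < OFP_HEADER.size or off + length > len(data):
            break
        body = data[off + OFP_HEADER.size:off + length]
        msg = {"offset": off, "type": OFPT.get(mtype, f"TYPE_{mtype}"),
               "xid": xid, "len": length}
        if mtype == 14 and len(body) >= FLOW_MOD_PREFIX.size:
            cookie, _mask, table_id, cmd, _idle, _hard, prio = FLOW_MOD_PREFIX.unpack_from(body)
            msg.update(cookie=cookie, table_id=table_id,
                       command=OFPFC.get(cmd, str(cmd)), priority=prio)
        msgs.append(msg)
        off += length
    return msgs, len(data) - off


def carve(blob: bytes):
    """Heuristically locate OpenFlow 1.3 headers in an unstructured blob such as
    a memory image. A hit needs a known version and type and a length that fits
    inside the blob; false positives are possible, so hits are leads, not facts."""
    hits = []
    for off in range(len(blob) - OFP_HEADER.size + 1):
        version, mtype, length, _xid = OFP_HEADER.unpack_from(blob, off)
        if version == OFP13 and mtype in OFPT and length >= 8 and off + length <= len(blob):
            hits.append((off, OFPT[mtype], length))
    return hits


def triage(msgs):
    """Count messages per type and flag flow deletions (assumed rule: a DELETE
    on the southbound channel during an incident is worth a closer look)."""
    counts = Counter(m["type"] for m in msgs)
    flagged = [m for m in msgs
               if m["type"] == "FLOW_MOD" and m.get("command", "").startswith("DELETE")]
    return counts, flagged


# --- constructed sample data (not captured from a real network) -----------------
def ofp(mtype, xid, body=b""):
    return OFP_HEADER.pack(OFP13, mtype, OFP_HEADER.size + len(body), xid) + body


def flow_mod(cmd, priority, cookie=0, table_id=0):
    body = FLOW_MOD_PREFIX.pack(cookie, 0, table_id, cmd, 0, 0, priority)
    body += b"\x00" * 16                           # buffer_id, out_port, out_group, flags, pad
    body += b"\x00\x01\x00\x04\x00\x00\x00\x00"    # empty OXM match (type 1, len 4) + pad
    return ofp(14, 0x20, body)


# hello exchange, features request, a flow ADD, a flow DELETE, then a truncated header
SAMPLE_STREAM = (ofp(0, 1) + ofp(0, 1) + ofp(5, 2)
                 + flow_mod(0, 100, cookie=0xABC) + flow_mod(3, 0)
                 + b"\x04\x0e\x00\x40")
# a PACKET_IN buried in filler bytes, standing in for a page of switch memory
SAMPLE_BLOB = b"\x00" * 5 + ofp(10, 7, b"\x11" * 20) + b"\xff" * 3

if __name__ == "__main__":
    messages, leftover = parse_stream(SAMPLE_STREAM)
    for m in messages:
        print(m)
    print("unparsed trailing bytes:", leftover)
    print("triage:", triage(messages))
    print("carved from blob:", carve(SAMPLE_BLOB))
```

The stream parser is deliberately strict: it stops rather than resynchronizing when a header does not validate, because silently skipping bytes would hide exactly the corruption or injection an examiner needs to see. The carver is the opposite, a loose heuristic that is expected to produce leads for manual review, which is how it should be read against a memory image.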

Keywords

Software-defined networks, Incident response, Forensics, Switches

Copyright information

© IFIP International Federation for Information Processing 2017

Authors and Affiliations

  1. University of South Florida, Tampa, USA
