Towards comprehensive protection for OpenFlow controllers

Title: Towards comprehensive protection for OpenFlow controllers
Publication Type: Conference Paper
Year of Publication: 2017
Authors: Zhang, S., Jia, X., Zhang, W.
Conference Name: 2017 19th Asia-Pacific Network Operations and Management Symposium (APNOMS)
Date Published: Sept. 2017
ISBN Number: 978-1-5386-1101-2
Keywords: adaptive networks, agile networks, attack vectors, composability, Computer architecture, Computer bugs, computer network security, control logic, control plane-data plane decoupling, control systems, cross layer diversity, Cross Layer Security, dynamic networks, industrial control systems, malicious controller, OpenFlow controller, OpenFlow critical component, Operating systems, pubcrawl, Resiliency, security, telecommunication control, Virtual machine monitors

OpenFlow has recently emerged as a powerful paradigm to help build dynamic, adaptive and agile networks. By decoupling the control plane from the data plane, OpenFlow allows network operators to program a centralized intelligence, the OpenFlow controller, to manage network-wide traffic flows to meet changing needs. However, from a security point of view, a buggy or even malicious controller could compromise the control logic, and then the entire network. Even worse, the recent Stuxnet attack on industrial control systems also indicates a similar, severe threat to OpenFlow controllers from the commercial operating systems they are running on. In this paper, we comprehensively studied the attack vectors against the critical OpenFlow component, the controller, and proposed a cross layer diversity approach that enables OpenFlow controllers to detect attacks, corruptions, and failures, and then automatically continue correct execution. Case studies demonstrate that our approach can protect OpenFlow controllers from threats coming from compromised operating systems and themselves.

Citation Key: zhang_towards_2017