40 research outputs found

    Know Your Enemy: Stealth Configuration-Information Gathering in SDN

    Software Defined Networking (SDN) is a network architecture that aims at providing high flexibility through the separation of the network logic from the forwarding functions. The industry has already widely adopted SDN, and researchers have thoroughly analyzed its vulnerabilities, proposing solutions to improve its security. However, we believe important security aspects of SDN are still left uninvestigated. In this paper, we raise the concern that an attacker may be able to obtain knowledge about an SDN network. In particular, we introduce a novel attack, named Know Your Enemy (KYE), by means of which an attacker can gather vital information about the configuration of the network. This information ranges from the configuration of security tools, such as attack detection thresholds for network scanning, to general network policies like QoS and network virtualization. Additionally, we show that an attacker can perform a KYE attack in a stealthy fashion, i.e., without the risk of being detected. We underline that the vulnerability exploited by the KYE attack is specific to SDN and is not present in legacy networks. To address the KYE attack, we also propose an active defense countermeasure based on network flow obfuscation, which considerably increases the complexity of a successful attack. Our solution offers provable security guarantees that can be tailored to the needs of the specific network under consideration.

    LineSwitch: Efficiently Managing Switch Flow in Software-Defined Networking while Effectively Tackling DoS Attacks

    Software Defined Networking (SDN) is a new networking architecture which aims to provide better decoupling between network control (control plane) and data forwarding functionalities (data plane). This separation introduces several benefits, such as a directly programmable and (virtually) centralized network control. However, researchers have shown that the required communication channel between the control and data plane of SDN creates a potential bottleneck in the system, introducing new vulnerabilities. Indeed, this behavior could be exploited to mount powerful attacks, such as the control plane saturation attack, which can severely hinder the performance of the whole network. In this paper we present LineSwitch, an efficient and effective solution against the control plane saturation attack. LineSwitch combines SYN proxy techniques and probabilistic blacklisting of network traffic. We implemented LineSwitch as an extension of OpenFlow, the current reference implementation of SDN, and evaluated our solution considering different traffic scenarios (with and without attack). The results of our preliminary experiments confirm that, compared to the state of the art, LineSwitch reduces the time overhead by up to 30%, while ensuring the same level of protection.
    Comment: In Proceedings of the 10th ACM Symposium on Information, Computer and Communications Security (ASIACCS 2015). To appear.

    A Novel Stealthy Attack to Gather SDN Configuration-Information

    Software Defined Networking (SDN) is a recent network architecture based on the separation of forwarding functions from network logic, and it provides high flexibility in the management of the network. In this paper, we show how an attacker can exploit SDN programmability to obtain detailed knowledge about the network behaviour. In particular, we introduce a novel attack, named Know Your Enemy (KYE), which allows an attacker to gather vital information about the configuration of the network. Through the KYE attack, an attacker can obtain information ranging from the configuration of security tools, such as attack detection thresholds for network scanning, to general network policies like QoS and network virtualization. Additionally, we show that the KYE attack can be performed in a stealthy fashion, allowing an attacker to learn configuration secrets without being detected. We underline that the vulnerability exploited by the KYE attack is specific to SDN and is not present in legacy networks. Finally, we address the KYE attack by proposing an active defense countermeasure based on network flow obfuscation, which considerably increases the complexity of a successful attack. Our solution offers provable security guarantees that can be tailored to the needs of the specific network under consideration.

    Minerva: A File-Based Ransomware Detector

    Ransomware is a rapidly evolving type of malware designed to encrypt user files on a device, making them inaccessible in order to exact a ransom. Ransomware attacks resulted in billions of dollars in damages in recent years and are expected to cause hundreds of billions more in the next decade. With current state-of-the-art process-based detectors being heavily susceptible to evasion attacks, no comprehensive solution to this problem is available today. This paper presents Minerva, a new approach to ransomware detection. Unlike current methods, which identify ransomware through process-level behavioral modeling, Minerva detects ransomware by building behavioral profiles of files based on all the operations they receive in a time window. Minerva addresses some of the critical challenges associated with process-based approaches, specifically their vulnerability to complex evasion attacks. Our evaluation of Minerva demonstrates its effectiveness in detecting ransomware attacks, including those that are able to bypass existing defenses. Our results show that Minerva identifies ransomware activity with an average accuracy of 99.45% and an average recall of 99.66%, with 99.97% of ransomware detected within 1 second.
    Comment: 19 pages, 3 figures.

    Iron in X-COP: tracing enrichment in cluster outskirts with high accuracy abundance profiles

    We present the first metal abundance profiles for a representative sample of massive clusters. Our measurements extend to $R_{500}$ and are corrected for a systematic error plaguing previous outskirt estimates. Our profiles flatten out at large radii; this is admittedly not a new result, but the radial range and representative nature of our sample extend its import well beyond previous findings. We find no evidence of segregation between cool-core and non-cool-core systems beyond $\sim 0.3 R_{500}$, implying that, as was found for thermodynamic properties (Ghirardini et al., 2019), the physical state of the core does not affect global cluster properties. Our mean abundance within $R_{500}$ shows a very modest scatter, $< 15\%$, suggesting the enrichment process must be quite similar in all these massive systems. This is a new finding and has significant implications for feedback processes. Together with results from thermodynamic properties presented in a previous X-COP paper, it affords a coherent picture in which feedback effects do not vary significantly from one system to another. By combining ICM with stellar measurements we have found the amount of Fe diffused in the ICM to be about ten times higher than that locked in stars. Although our estimates suggest, with some strength, that the measured iron mass in clusters is well in excess of the predicted one, systematic errors prevent us from making a definitive statement. Further advancements will only be possible when systematic uncertainties, principally those associated with stellar masses, both within and beyond $R_{500}$, can be reduced.
    Comment: 23 pages, 23 figures; submitted to A&A.

    CHEX-MATE: CLUster Multi-Probes in Three Dimensions (CLUMP-3D), I. Gas Analysis Method using X-ray and Sunyaev-Zel'dovich Effect Data

    Galaxy clusters are the products of structure formation through myriad physical processes that affect their growth and evolution throughout cosmic history. As a result, the matter distribution within galaxy clusters, or their shape, is influenced by cosmology and astrophysical processes, in particular the accretion of new material due to gravity. We introduce an analysis method to investigate the 3D triaxial shapes of galaxy clusters from the Cluster HEritage project with XMM-Newton -- Mass Assembly and Thermodynamics at the Endpoint of structure formation (CHEX-MATE). In this work, the first paper of a CHEX-MATE triaxial analysis series, we focus on utilizing X-ray data from XMM and Sunyaev-Zel'dovich (SZ) effect maps from Planck and ACT to obtain a three-dimensional triaxial description of the intracluster medium (ICM) gas. We present the forward modeling formalism of our technique, which projects a triaxial ellipsoidal model for the gas density and pressure to compare directly with the observed two-dimensional distributions in X-rays and the SZ effect. A Markov chain Monte Carlo method is used to estimate the posterior distributions of the model parameters. Using mock X-ray and SZ observations of a smooth model, we demonstrate that the method can reliably recover the true parameter values. In addition, we apply the analysis to reconstruct the gas shape from the observed data of one CHEX-MATE galaxy cluster, Abell 1689, to illustrate the technique. The inferred parameters are in agreement with previous analyses of that cluster, and our results indicate that the geometrical properties, including the axial ratios of the ICM distribution, are constrained to within a few percent. With much better precision than previous studies, we thus further establish that Abell 1689 is significantly elongated along the line of sight, resulting in its exceptional gravitational lensing properties.
    Comment: submitted to A&A, comments welcome.

    LineSwitch: Tackling Control Plane Saturation Attacks in Software-Defined Networking.

    No full text
    Authors: Ambrosin, Moreno; Conti, Mauro; Gaspari, Fabio De; Poovendran, Radha

    Amplified Distributed Denial of Service Attack in Software Defined Networking

    No full text
    Authors: Ambrosin, Moreno; Conti, Mauro; Gaspari, Fabio De; Devarajan, Nishanth