Abstract:
This dissertation explores technological advances in network programmability and softwarization to implement automated services for network monitoring and security. Its main focus is software-defined schemes for data collection, anomaly detection and (collaborative) mitigation of large-scale cyber-attacks.
Initially, we introduce a monitoring architecture for the collection and processing of network monitoring data exported from dispersed vantage points, i.e. agents within devices. These measurements are used to create centralized and localized monitoring views that enhance visibility into anomalous events. Such processing techniques typically perform well, but they rely on traditional protocols for data extraction. In contrast, data plane programmability offers a promising alternative for rapid data processing and anomaly detection. To that end, the P4 domain-specific language is investigated to offload these workloads directly onto network hardware. Specifically, we propose an in-network DDoS anomaly detection scheme that combines metrics typically associated with malicious traffic, namely the number of flows and packet symmetry (the balance between inbound and outbound packets). These metrics are maintained per protected subnet and evaluated within time-based epochs to generate alarms for external mitigation systems.
In addition to anomaly detection, this dissertation also explores solutions for attack mitigation. As a first step, we propose a framework that distributes filtering rules for multi-vector anomalies to devices along an attack path, enhancing their mitigation potential. Specifically, this is modeled as a combinatorial optimization problem that assigns source-based mitigation actions to devices, taking into account operator policies for specific attacks and hardware constraints. An important aspect of this work is the automated distribution of rules in heterogeneous multi-vendor environments. To that end, popular network automation techniques are investigated to seamlessly translate generic directives into device-specific instructions and distribute them.
Subsequently, the proposed approach is extended to multi-domain scenarios by establishing trusted federations among network providers for collaborative DDoS mitigation. This approach aims to preserve on-premises resources and prevent the saturation of important links by mitigating malicious traffic earlier in the attack path. Our mitigation scheme incorporates blockchain-based smart contracts for signaling, coordination and orchestration purposes. Similarly to our earlier efforts, filtering rules for malicious sources are assigned to federated partners, factoring in the importance of each flow and the reliability of each potential mitigator.
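The two assignment problems above, in-path devices within one domain and federated partners across domains, share one shape: each malicious source receives at most one filtering rule, each mitigator has a bounded number of rule entries and a set of actions it can express, and a placement is scored by the importance of the flow, the reliability of the mitigator and how far upstream it sits. The following Python program is an added example and not the dissertation's code; the dissertation's exact optimization model is not given on this page, so a greedy heuristic with an assumed objective stands in for it. The operator policy, the upstream bonus, the capacities and reliability scores, and the vendor templates (Cisco IOS numbered ACL, Junos firewall filter, nftables) are all assumptions, chosen to show the same generic directive rendered in three device-specific syntaxes and a feature constraint: a platform with no rate-limit action is never chosen for a rule that needs one.

```python
"""Assign source-based filtering rules to heterogeneous mitigators and render them.

Added example, not the dissertation's code.  Objective, policy and templates are assumed.
"""
from dataclasses import dataclass


@dataclass
class Mitigator:
    name: str
    vendor: str          # "cisco_ios", "junos" or "nftables"
    capacity: int        # free filter entries (assumed hardware constraint)
    reliability: float   # 0..1, assumed trust / past performance of a device or partner
    hop: int             # hops upstream of the victim; higher = earlier in the attack path
    actions: frozenset   # actions this platform can express


@dataclass
class Source:
    ip: str
    vector: str          # attack vector this source contributes to
    pps: int             # measured packet rate from this source
    importance: float    # assumed weight of the victim flow this source targets


POLICY = {"syn_flood": "drop", "dns_amp": "rate_limit"}   # assumption: operator policy
UPSTREAM_BONUS = 0.25                                     # assumption: prefer upstream filtering

# One generic (ip, action) directive rendered as vendor-specific configuration lines.
TEMPLATES = {
    "cisco_ios": {"drop": ["access-list 150 deny ip host {ip} any"]},
    "junos": {"drop": [
        "set firewall family inet filter DDOS term t{idx} from source-address {ip}/32",
        "set firewall family inet filter DDOS term t{idx} then discard"]},
    "nftables": {
        "drop": ["nft add rule inet filter input ip saddr {ip} drop"],
        "rate_limit": ["nft add rule inet filter input ip saddr {ip} "
                       "limit rate over 100/second drop"]},
}


def benefit(src, mit):
    """Mitigated volume weighted by flow importance, mitigator reliability and position."""
    return src.pps * src.importance * mit.reliability * (1 + UPSTREAM_BONUS * mit.hop)


def assign(sources, mitigators, policy=POLICY):
    """Greedy: best (source, mitigator) pairs first, one rule per source, respecting
    each mitigator's capacity and the actions it can express."""
    candidates = []
    for s in sources:
        action = policy[s.vector]
        for m in mitigators:
            if action in m.actions:
                candidates.append((benefit(s, m), s, m, action))
    candidates.sort(key=lambda c: c[0], reverse=True)
    free = {m.name: m.capacity for m in mitigators}
    assigned = {}
    for _, s, m, action in candidates:
        if s.ip in assigned or free[m.name] == 0:
            continue
        free[m.name] -= 1
        assigned[s.ip] = (m.name, action)
    unassigned = [s.ip for s in sources if s.ip not in assigned]
    return assigned, unassigned


def render(assigned, mitigators):
    """Translate generic directives into per-device configuration lines."""
    vendor = {m.name: m.vendor for m in mitigators}
    config, rules = {m.name: [] for m in mitigators}, {m.name: 0 for m in mitigators}
    for ip, (name, action) in sorted(assigned.items()):
        rules[name] += 1
        config[name] += [line.format(ip=ip, idx=rules[name])
                         for line in TEMPLATES[vendor[name]][action]]
    return config


def run_demo():
    """Constructed scenario: local edge router, upstream ISP device, federated partner."""
    mitigators = [
        Mitigator("edge-router", "cisco_ios", 1, 1.0, 0, frozenset({"drop"})),
        Mitigator("isp-upstream", "junos", 2, 0.9, 1, frozenset({"drop"})),
        Mitigator("partner-scrubber", "nftables", 2, 0.6, 2, frozenset({"drop", "rate_limit"})),
    ]
    sources = [
        Source("198.51.100.1", "syn_flood", 50000, 1.0), Source("198.51.100.2", "syn_flood", 30000, 1.0),
        Source("198.51.100.3", "syn_flood", 20000, 0.5), Source("198.51.100.4", "syn_flood", 5000, 0.5),
        Source("198.51.100.5", "syn_flood", 1000, 0.2),  Source("203.0.113.1", "dns_amp", 40000, 1.0),
        Source("203.0.113.2", "dns_amp", 10000, 0.5),
    ]
    assigned, unassigned = assign(sources, mitigators)
    return assigned, unassigned, render(assigned, mitigators)


if __name__ == "__main__":
    assigned, unassigned, config = run_demo()
    for name, lines in config.items():
        print(name, *lines, sep="\n  ")
    print("unassigned:", unassigned)
```

With five rule slots for seven sources, the greedy pass places the two largest SYN sources on the upstream Junos device, the third on the local edge router, both DNS amplification sources on the only partner able to rate-limit, and leaves the two lowest-benefit sources unassigned rather than evicting anything; an exact solver would be needed to guarantee optimality, which is the point at which the dissertation's combinatorial formulation takes over from this heuristic.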
Source-based approaches may raise issues primarily in terms of scalability and effectiveness, not least because source IP addresses are frequently spoofed. As an alternative, recent technological advances can be used to create customized and agile solutions that employ IP-agnostic traffic characteristics for DDoS defense. To that end, this dissertation considers a two-level scheme for anomaly detection and mitigation. The first level incorporates our P4 approach as a coarse-grained DDoS detection mechanism; triggered alarms are used to identify the suspected attack vector (protocol, port). Accordingly, a second protection level is instantiated, tailored to the identified attack vector. Data related to the attack are collected at fine granularity via high-performance programmable XDP middleboxes. The collected data are fed to a supervised machine learning algorithm that classifies packets as malicious or benign. The features of packets classified as malicious are used to create unique signatures, which are then employed for filtering. This approach relies on distinctive packet characteristics of the malicious traffic rather than on source IP addresses, which are frequently spoofed.
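The second level of the scheme, from vector-specific collection through classification to a filtering signature, is shown end to end by the following Python program. It is an added example, not the dissertation's code: the page does not name the model or the feature set used, so a categorical Naive Bayes trained from scratch and the assumed features (protocol, destination port, TCP flags, packet length, window size and a coarse TTL bucket) stand in for them. The alarm is assumed to have identified TCP/443 as the vector; all packet records, including the training set, are constructed. Source addresses are carried in the records for accounting but deliberately never used as features, and the signature builder refuses to emit a signature that would also match known-benign packets, which is the false-positive check a practitioner would want before installing a filter.

```python
"""Vector-specific classification and signature extraction on IP-agnostic features.

Added example, not the dissertation's code.  Model, features and packets are assumed.
"""
import math
from collections import Counter, defaultdict

VECTOR = {"proto": 6, "dport": 443}   # assumption: vector identified by the first-level alarm


def features(pkt):
    """IP-agnostic feature vector; src/dst are intentionally excluded (spoofable)."""
    f = {k: pkt[k] for k in ("proto", "dport", "flags", "length", "window")}
    f["ttl_bucket"] = pkt["ttl"] // 32   # coarse bucket so path length does not split a class
    return f


class NaiveBayes:
    """Categorical Naive Bayes with Laplace smoothing."""

    def __init__(self):
        self.class_count = Counter()
        self.feat_count = defaultdict(Counter)   # (label, feature) -> Counter of values
        self.values = defaultdict(set)           # feature -> every value seen in training

    def fit(self, labelled):
        for pkt, label in labelled:
            self.class_count[label] += 1
            for k, v in features(pkt).items():
                self.feat_count[(label, k)][v] += 1
                self.values[k].add(v)
        return self

    def predict(self, pkt):
        f, total = features(pkt), sum(self.class_count.values())
        best, best_lp = None, -math.inf
        for label, n in self.class_count.items():
            lp = math.log(n / total)
            for k, v in f.items():
                lp += math.log((self.feat_count[(label, k)][v] + 1) / (n + len(self.values[k])))
            if lp > best_lp:
                best, best_lp = label, lp
        return best


def matches(sig, pkt):
    """True if every (feature, value) pair of the signature holds for the packet."""
    f = features(pkt)
    return all(f.get(k) == v for k, v in sig.items())


def build_signature(malicious, benign):
    """Conjunction of feature values shared by every malicious packet; features that vary
    (here the TTL) drop out.  Returns None if the result would also hit benign traffic."""
    feats = [features(p) for p in malicious]
    sig = {k: v for k, v in feats[0].items() if all(f[k] == v for f in feats)}
    if not sig or any(matches(sig, p) for p in benign):
        return None
    return sig


def syn(src, length, window, ttl):
    """Constructed record of one TCP SYN towards the protected server."""
    return {"src": src, "dst": "10.1.0.10", "sport": 40000, "flags": "S",
            "length": length, "window": window, "ttl": ttl, **VECTOR}


def run_pipeline():
    # Constructed training set: benign SYNs carry TCP options (60 bytes) and an OS-typical
    # window; flood packets are bare 40-byte SYNs with window 512 and a varying TTL.
    benign_train = [syn("192.0.2.1", 60, 64240, 52), syn("192.0.2.2", 60, 64240, 58),
                    syn("192.0.2.3", 60, 65535, 117), syn("192.0.2.4", 60, 64240, 64),
                    syn("192.0.2.5", 60, 65535, 90), syn("192.0.2.6", 60, 65535, 101)]
    attack_train = [syn("198.51.100.9", 40, 512, t) for t in (64, 128, 255, 33, 64, 200)]
    model = NaiveBayes().fit([(p, "benign") for p in benign_train] +
                             [(p, "malicious") for p in attack_train])

    # Constructed live batch: 200 flood packets from spoofed sources plus 20 benign SYNs.
    live_attack = [syn(f"198.51.100.{i % 250 + 1}", 40, 512, (64, 128, 255, 33)[i % 4])
                   for i in range(200)]
    live_benign = [syn(f"192.0.2.{i + 10}", 60, (64240, 65535)[i % 2], 40 + 4 * i)
                   for i in range(20)]
    flagged = [p for p in live_attack + live_benign if model.predict(p) == "malicious"]
    sig = build_signature(flagged, benign_train)
    return {
        "signature": sig,
        "flagged": len(flagged),
        "attack_filtered": sum(matches(sig, p) for p in live_attack),
        "benign_filtered": sum(matches(sig, p) for p in live_benign),
    }


if __name__ == "__main__":
    print(run_pipeline())
```

On the constructed batch every flood packet is classified malicious regardless of its spoofed source, the TTL falls out of the signature because the flood varies it, and the remaining conjunction (TCP, port 443, SYN, 40-byte packet, window 512) drops all 200 attack packets and none of the benign ones; installing such a signature in hardware or XDP then costs one rule instead of one rule per spoofed source.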
The proposed mechanisms are evaluated under realistic scenarios in modern experimental setups composed of P4/XDP-capable hardware, SDN switches, virtual machines and physical servers, using real network data and synthesized traffic traces.