VISKA Malicious Switch(es) Detection/Attack Categorization Algorithm
Let G be the graph representing the SDN network
Let n be the number of switches in G
Let e be the number of edges in G
Let V be the granular network view/partition to be checked for maliciousness. Initially V = G
Let m be the maximum malicious partition size (to reach single switch granularity)
Let , be the controller probing processes allocated for probing the bootstrapping network view V
VISKA(V, , )
    if (VPS(V, , ) = malicious)
        if ()
            return V (containing malicious switch)
        else
            (V1, V2, , ) = NVP(G, n, e)
            VISKA(V1, , )
            VISKA(V2, , )
    else return (correct or congested partition behavior)
VPS: View Probing and Sketching function
VPS(V, , )
    Randomly generate probing data D1() at
    and send to
    sketch: create sketch data vector , and = 0, counts = 0 at
        for each packet in D1
            compute
            insert at index in sketch vector:

            compute


    send: to VISKA service for analysis
    Compute: (steps sketch through send) on to generate and send ,
    At VISKA
        count = 0

        for from 1 to
            if



        if or
            return malicious, call MACM (
        else if
            return correct, congested
        else
            return correct
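The VISKA recursion and the VPS sketch comparison above, as an added Python example that is not part of the paper's pseudocode: a view is modelled as an ordered path of switches with constructed behaviours, the sketch vector length, the decision rules at the VISKA service and the simple bisection used in place of NVP/Karger are assumptions, and the random 32-byte probes stand in for the D1 traffic.

```python
import hashlib
import random

def sketch(packets):
    """VPS sketch step: hash each probe packet and count it at the hash index of the sketch vector."""
    vec = [0] * 64  # sketch vector length is an assumed value
    for pkt in packets:
        vec[int.from_bytes(hashlib.sha256(pkt).digest()[:4], "big") % 64] += 1
    return vec

def analyse(ingress_vec, egress_vec):
    """VISKA-side comparison of the ingress and egress sketches (decision rules are assumptions)."""
    if any(e > i for i, e in zip(ingress_vec, egress_vec)):
        return "malicious"  # egress holds counts never injected: payload tampering or injection
    if sum(egress_vec) < sum(ingress_vec):
        return "congested"  # only losses along the view: correct but congested partition
    return "correct"

def vps(view, forward, n_probes=200, seed=1):
    """Probe a view: random data D1 enters at ingress, traverses the switches, is sketched at egress."""
    rng = random.Random(seed)
    d1 = [rng.randbytes(32) for _ in range(n_probes)]
    egress = []
    for seq, pkt in enumerate(d1):
        for sw in view:
            pkt = forward(sw, pkt, seq) if pkt is not None else None  # None means dropped in the view
        if pkt is not None:
            egress.append(pkt)
    return analyse(sketch(d1), sketch(egress))

def viska(view, forward, m=1):
    """Recursive localisation; the paper splits views with Karger's min-cut, this bisects the path (assumption)."""
    if vps(view, forward) != "malicious":
        return []  # correct or congested partition behaviour, nothing to localise
    if len(view) <= m:
        return [list(view)]  # reached the target granularity m
    mid = len(view) // 2
    return viska(view[:mid], forward, m) + viska(view[mid:], forward, m)

def make_forwarder(behaviour):
    """Constructed switch model: 'honest' forwards, 'drop' loses every other probe, 'modify' tampers."""
    def forward(sw, pkt, seq):
        kind = behaviour.get(sw, "honest")
        if kind == "drop":
            return pkt if seq % 2 else None
        if kind == "modify":
            return bytes([pkt[0] ^ 0xFF]) + pkt[1:]
        return pkt
    return forward
```

On an eight-switch path `[f"s{i}" for i in range(1, 9)]`, `viska(view, make_forwarder({"s6": "modify"}))` localises `s6` after three rounds of halving, while a switch that only drops probes yields the congested verdict and no partition is returned.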
NVP: Network Views Partitioning Function
NVP(G, n, e)
    (G1, G2) = Karger(G, n, e)
    Insert forwarding rules for the probing packets on controller
    At the SDN network controller
        (i) Isolate network partitions V1, V2 corresponding to the Karger output (G1, G2)
    return (V1, V2, , )
MACM: Malfunction and Attack Categorization Module
MACM ()
    if
        if
            (attack to Category I where an active attack is being initiated in the network)
        else //
            (attack to Category II where a time delay introducing attack is introduced in the network)
    if
        malicious switch(es) ingress and egress traffic is collected and mined:
        if E_Sum( )/I_Sum( ) > Ed
            for each destIP in table E_Dest
                if (E_Sum(destIP) - I_Sum(destIP) > dos) AND (E_count(destIP) - I_count(destIP) > p)
                    alarm: DoS on destIP (Flooding)
                if (E_count_ACK(destIP) - E_count_SYN(destIP) < con) AND (E_Avg(destIP) < syn) AND (E_count(destIP) - I_count(destIP) > p)
                    alarm: DoS on destIP (SYN attack)
        else if E_Sum()/I_Sum() < Id
            for each destIP in table E_Dest
                if (E_count(destIP) - I_count(destIP)) <
                    alarm: interruption of traffic to destIP
        else // E_Sum()/I_Sum() within boundaries
            for each destIP in table I_Dest
                if (destIP is not in E_Dest) AND (I_count(destIP) - E_count(destIP) < bh)
                    alarm: blocking on destIP
            for each srcIP in table I_Src
                if (srcIP is not in E_Src) AND (I_count(srcIP) - E_count(srcIP) < bh)
                    alarm: blocking on srcIP
            for each destIP in E_Dest
                if destIP is not in I_Dest AND E_count(destIP) > mitm
                    alarm: MITM attack at destIP