| VISKA Malicious Switch(es) Detection/Attack Categorization Algorithm |
| Let G be the graph representing the SDN network |
| Let n be number of switches in G |
| Let e be the number of edges in G |
| Let V be the granular network view/partition to be checked for maliciousness. Initially V = G |
| Let m be the maximum malicious partition size ( to reach single switch granularity) |
| Let , be the controller probing processes allocated for probing the bootstrapping network view V |
| VISKA(V, , ) |
| If (VPS(V, , ) = malicious) |
| if () |
| return V (containing malicious switch) |
| else |
| (V1, V2,, ) = NVP (G, n, e) |
| VISKA(V1, , ) |
| VISKA(V2, , ) |
| else return (correct or congested partition behavior) |
| VPS: View Probing and Sketching function |
| VPS(V, , ) |
| Randomly Generate probing data D1() at |
| and send to |
| sketch: create sketch data vector , and = 0, counts=0 at |
| for each packet in D1 |
| compute |
| insert at index in sketch vector: |
|
| compute |
|
|
| send: to VISKA service for analysis |
| Compute: (steps sketch through send) on to generate and send , |
| At VISKA |
| count=0 |
|
| for from 1 to |
| if |
|
|
|
| if or |
| return malicious, call MACM ( |
| else if |
| return correct, congested |
| else |
| return correct |
| NVP: Network Views Partitioning Function |
| NVP (G, n, e) |
| (G1, G2) = Karger(G, n, e) |
| Insert forwarding rules for the probing packets |
| on controller |
| At the SDN network controller |
| (i) Isolate network partitions V1, V2 corresponding |
| to the Karger output (G1, G2) |
| return(V1, V2, , ) |
| MACM: Malfunction and Attack Categorization Module |
| MACM () |
| if |
| if |
| (attack to Category I where an active attack is being initiated in the network) |
| else // |
| (attack to Category II where a time delay introducing attack is introduced in the network) |
| if |
| malicious switch(es) ingress and egress traffic is collected and mined: |
| if E_Sum( )/I_Sum( ) > Ed |
| for each destIP in table E_Dest |
| if (E_Sum(destIP)-I_Sum(destIP)>dos) AND |
| (E_count(destIP) ā I_count(destIP)> p) |
| alarm: DoS on destIP (Flooding) |
| if (E_count_ACK(destIP)-E_count_SYN(destIP) <con) |
| AND (E_Avg(destIP)< syn) AND ((E_count(destIP) |
| ā I_count(destIP)>p) |
| alarm: DoS on destIP (SYN attack) |
| else if E_Sum()/I_Sum() <Id |
| for each destIP in table E_Dest |
| if (E_count(destIP) ā I_count(destIP))< |
| alarm: interruption of traffic to destIP |
| else // E_Sum()/I_Sum() within boundaries) |
| for each destIP in table I_Dest |
| if (dest-IP is not in E_Dest) AND |
| (I_count(destIP)- E_count(destIP) <bh) |
| alarm: blocking on dest IP |
| for each srcIP in table I_Src |
| if (srcIP is not in E_Src) AND (I_count(srcIP)- |
| E_count(srcIP) <bh) |
| alarm: blocking on srcIP |
| for each destIP in E_Dest |
| if destIP is not in I_Dest AND |
| E_count(destIP)>mitm |
| alarm: MITM attack at destIP |
