Democratic Supervision Makes Controls in Software-Defined Networks More Secure

摘要

The centralized control of Software-Defined Networking (SDN) brings innovation and convenience to the network, but many current SDN controllers also have some security bugs that are easily exploited by attackers. Once the master controller which has sufficient management rights is compromised, entire network can be damaged. For this, we propose a mechanism of democratic supervision in SDN, which adds a proxy between the control plane and the data plane to monitor whether the master controller is abnormal. The proxy sends OpenFlow requests from the switch to multiple diverse controllers and collects flow entries that they respond to. Then it compares these flow entries to judge whether the behavior of the master controller is different from that of other controllers. However, flow entries with the same function may be different in number or content, so we need to analyze their forwarding semantics to compare them, instead of simply comparing their contents. The advantage of this supervision mechanism is that it allows the controller to defend against many known or unknown attacks without debugging all its vulnerabilities. Experimental results show that it is effective in detecting malicious behavior, and it is also efficient under a certain scale of networks.