Inferring OpenFlow Rules by Active Probing in Software-Defined Networks


Bibliographic Details
Main Authors: LI, PING-CHUNG, 厲秉忠
Other Authors: LIN, PO-CHING
Format: Others
Language: en_US
Published: 2016
Online Access: http://ndltd.ncl.edu.tw/handle/52468283910817760988
Description
Summary: Master's === National Chung Cheng University === Institute of Computer Science and Information Engineering === 105 === Software-defined networking (SDN) separates the control plane from the underlying devices and allows network managers to control the data plane from a global view. While SDN brings many conveniences to management, it also introduces new security threats. Knowing the reactive rules, attackers can launch denial-of-service (DoS) attacks by sending numerous rule-matched packets that trigger packet-in messages and overburden the controller. In this work, we present a novel method, "INferring SDN by ProbIng and Rule Extraction" (INSPIRE), to discover the flow rules in an SDN from probing packets. We measure the delay of the probing packets, classify them into defined classes, and infer the rules. The method involves three steps: probing, clustering, and rule inference. First, it sends forged packets with various header fields to measure the processing and propagation time along the path. Then it uses k-means clustering to classify the packets into multiple classes based on their delay. Finally, the Apriori algorithm is used to find the header fields common to each class and infer the flow rules. We show through simulation that INSPIRE is able to infer flow rules, with an inference accuracy of up to 98.41% and very low false-positive rates.