Vulnerability Assessment

Project Coordinator (EU) :

Sapienza University of Rome

Country of the EU Coordinator :

Italy

Organisation Type :

Academia

Project participants :

Sapienza University of Rome

Prof Novella Bartolini is the Italian PI of the project. She is a professor at the Department of Computer Science of Sapienza University of Rome.  She carried out research related to the project in three main areas: SDN optimization, network recovery and robustness augmentation, and network monitoring.

Dr. Viviana Arrigoni, Ph.D., is co-PI of the Sapienza research unit and the key person supervising the experiments. She is a postdoctoral researcher and co-author of several joint papers on network tomography and monitoring. She also carries out research on self-recovering networking and adaptive routing in SDN networks.

Federico Trombetti, Ph.D. student, is co-author of several joint papers on network tomography.

Matteo Prata, Ph.D. student. He is co-author of several joint papers on self-recovering networking and adaptive routing in SDN networks.

 

Penn State University

Ting He (US partner) has worked extensively on network state identification and SDN. Her works on network tomography provide theory and algorithms with provable performances for host-based inference of the structure and state of a computer network that cannot be directly observed from the control plane, thus providing means to assess what a host-based adversary can learn from end-to-end measurements.

Tian Xie, Ph.D. student, carries out research on network management, monitoring, and SDN network security.

Sanchal Thakkar, Ph.D. student, carries out research on network management, monitoring, and SDN network security.

 

State of US partner :

Pennsylvania

Starting date :

Vulnerability Assessment and Robust Defenses for Optimized Attacks in Dynamic SDNs Experiment


Experiment description

The project focuses on renovating the internet by extending the applicability of the SDN paradigm to open networks. The flexible data plane and the logically centralized control plane of SDN make it a competitive architecture for offering a large number of heterogeneous data sources or services. The separation and centralization of networking functionalities in the control layer of the architecture offers the prospect of new opportunities for performance optimization, dependability, as well as green resource management.

However, the SDN paradigm was born mainly for optimizing network traffic management in enterprises, private data centers, and networks. For this reason, extending this paradigm to wide-area open networks poses a number of concerns, among which security is the foremost.


This project will advance the state of the art in flow management in an SDN-based distributed data/service system under performance-critical scenarios, which may be related to ongoing attacks or to network failures, perceived by the end hosts as performance losses or degradation. The project will then focus on network vulnerabilities and defense best practices. It will consider implementing techniques for increasing an SDN network’s robustness and its capability to promptly react to ongoing attacks and performance-critical events.


The project addresses the following topics of the fourth NGIAtlantic call:

  • b.1) Strengthening the trustworthiness and resilience of the internet,
  • b.4) Open Internet architecture renovation.

 

The experimental study conducted by this project will serve two purposes. The first is to highlight vulnerabilities of current SDN implementations, through a real experiment in which some switches of an SDN architecture will be targeted by a cache pollution attack, with the objective of slowing down the network and causing legitimate flows to request a controller intervention for setting up their flow rules at the switches.


Considering the vulnerabilities evidenced above, the second purpose is to implement and evaluate various defence techniques.


We will consider novel cache replacement policies, specifically tailored to ensure robustness against the aforementioned attacks. We will also consider dynamic resource provisioning policies, where vulnerable areas of the network will first be detected by means of either passive or active end-to-end measurements, then reinforced by means of the addition of new nodes and links, which creates alternative paths for load balancing and attack neutralization.

The results of the project will lead to dynamic and responsive control of the system performance and to the capability to determine flow routing policies whose potential extends beyond security and vulnerability issues. In fact, the results of the project offer novel opportunities for enabling energy-saving policies in large data centers. Therefore, the project activities will also extend the research on green internet design.

 

Impacts :

Impact 1: Enhanced EU – US cooperation in Next Generation Internet, including policy cooperation.
This project clearly sets out to target shared values of the EU and US, such as openness, dependability, and security.
It proposes a thorough study that aims at extending the use of the Software-Defined Networking paradigm beyond its current use mostly in private, enterprise networks. The project addresses the following topics of the fourth NGIAtlantic call:

  • b.1) Strengthening the trustworthiness and resilience of the internet,
  • b.4) Open Internet architecture renovation.

It does so by implementing techniques for increasing an SDN network’s robustness, and capability to promptly react to intentional attacks or to network failures possibly due to natural phenomena, or disasters.

Impact 2: Reinforced collaboration and increased synergies between the Next Generation Internet and the Tomorrow's Internet programmes.
The NGI and Tomorrow’s Internet initiatives aim at reshaping the internet to face important challenges and respond to the fundamental needs of trust, security, dependability, and energy efficiency. With the purpose of creating a trustworthy paradigm where a controller is in charge of optimizing the network reaction to external attacks or to upcoming performance issues, the project brings together researchers from both the EU and the US to share knowledge, build common goals and pave the path to new common research and experiments.

Impact 3: Developing interoperable solutions and joint demonstrators, contributions to standards.
The experimental study conducted by this project will serve two purposes. The first is to highlight vulnerabilities of current SDN implementations, through a real experiment in which some switches of an SDN architecture will be targeted by a cache pollution attack, with the objective of slowing down the network and causing legitimate flows to request a controller intervention for setting up their flow rules at the switches.
Considering the vulnerabilities evidenced above, the second purpose is to implement and evaluate various defense techniques. We will consider novel cache replacement policies, specifically tailored to ensure robustness against the aforementioned attacks. We will also consider dynamic resource provisioning policies, where vulnerable areas of the network will first be detected by means of either passive or active end-to-end measurements, then reinforced by means of the addition of new nodes and links, which creates alternative paths for load balancing and attack neutralization.

Impact 4: An EU - US ecosystem of top researchers, hi-tech start-ups / SMEs and Internet-related communities collaborating on the evolution of the Internet.
According to the NGIatlantic program, the project will foster the development of joint research and related experiments which build upon previous work performed both jointly and individually by the two partners of the project consortium.
The consortium will devote most of its efforts to the development of a common experimental testbed that will create opportunities for partners in the EU and US to carry out additional research grounded in the results of the project.

 

Results :

With the proposed experiments, we want to contribute to the improvement of the efficiency and the resilience of software-defined networks. Even though many researchers are now focusing their work on software-defined networking, the current state of the art lacks thorough experimental validation of results. Existing evaluations are either based on simulations or on a Mininet emulated platform modeling a single switch [3]. We plan to extend previous studies in a twofold manner, using both emulators of a large network and a hardware platform comprising several switches. While the first allows the study of large-scale networks with arbitrary topology, the second is considerably more restrictive but also more realistic in representing real-world performance.

The main goals of our experiment are:

  1. Implementation of an efficient and low-cost monitoring system for SDNs, able to spot vulnerabilities in a fast and reliable way.
  2. Highlighting the impact of cache pollution attacks on SDNs.
  3. Testing both reactive and proactive defense strategies.
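The three goals above, together with the cache pollution scenario and the robustness-oriented replacement policies described in the experiment description, can be illustrated with a small flow-table simulation. The following Python is an added example written for this page; it is not code from the NGIatlantic project or its partners. It assumes a switch flow table of fixed capacity in which every table miss costs one packet-in to the controller (the "controller intervention" the text refers to), synthetic integer flow ids, and a simple hit-count-aware eviction heuristic (`single_hit_first`) that stands in for the project's own, unpublished, replacement policies. It compares plain LRU with that heuristic under a constructed pollution pattern (one legitimate packet followed by a burst of never-repeating flows) and runs a windowed packet-in-rate monitor over the same trace.

```python
"""Toy SDN flow-table simulation: cache pollution, two replacement policies,
and a packet-in-rate monitor. Added illustration for this page, not project
code. All flow ids, capacities and the 'single_hit_first' heuristic are
assumptions chosen for the example."""
from collections import OrderedDict

POLLUTER_BASE_ID = 10_000  # constructed ids for one-off polluting flows


class FlowTable:
    """Switch flow cache: keys kept in recency order, values are hit counts."""

    def __init__(self, capacity, policy="lru"):
        self.capacity = capacity
        self.policy = policy
        self.entries = OrderedDict()
        self.packet_ins = 0  # misses that required a controller intervention

    def lookup(self, flow_id):
        """Return True on a table hit; on a miss, install the rule via packet-in."""
        if flow_id in self.entries:
            self.entries[flow_id] += 1
            self.entries.move_to_end(flow_id)
            return True
        self.packet_ins += 1
        if len(self.entries) >= self.capacity:
            self._evict()
        self.entries[flow_id] = 1
        return False

    def _evict(self):
        if self.policy == "single_hit_first":
            # Assumed robustness heuristic: evict the oldest entry that has
            # matched only one packet (typical of one-off polluting flows)
            # before any established flow; fall back to LRU otherwise.
            for fid, hits in self.entries.items():
                if hits == 1:
                    del self.entries[fid]
                    return
        self.entries.popitem(last=False)  # plain LRU eviction


def workload(n_legit, warmup_rounds, attack_rounds, pollute_per_packet):
    """Yield (flow_id, is_legit, phase). Warm-up: legitimate flows only,
    round-robin. Attack phase: each legitimate packet is followed by
    pollute_per_packet never-repeating flows (constructed pollution pattern)."""
    next_bogus = POLLUTER_BASE_ID
    for _ in range(warmup_rounds):
        for fid in range(n_legit):
            yield fid, True, "warmup"
    for _ in range(attack_rounds):
        for fid in range(n_legit):
            yield fid, True, "attack"
            for _ in range(pollute_per_packet):
                yield next_bogus, False, "attack"
                next_bogus += 1


def simulate(policy, capacity=32, n_legit=20, warmup_rounds=2,
             attack_rounds=5, pollute_per_packet=2,
             window=60, alarm_fraction=0.25):
    """Run one scenario; pollute_per_packet=0 gives the no-attack baseline.
    The monitor raises an alarm for every post-warm-up window in which the
    share of packets needing a packet-in exceeds alarm_fraction."""
    table = FlowTable(capacity, policy)
    legit_pkts = legit_miss = 0
    alarms = windows = win_pkts = win_pins = 0
    for fid, is_legit, phase in workload(n_legit, warmup_rounds,
                                         attack_rounds, pollute_per_packet):
        hit = table.lookup(fid)
        if phase == "warmup":
            continue  # cold-start misses are expected; monitor starts afterwards
        if is_legit:
            legit_pkts += 1
            legit_miss += not hit
        win_pkts += 1
        win_pins += not hit
        if win_pkts == window:
            windows += 1
            alarms += (win_pins / win_pkts) > alarm_fraction
            win_pkts = win_pins = 0
    return {
        "policy": policy,
        "legit_miss_rate": legit_miss / legit_pkts if legit_pkts else 0.0,
        "packet_ins": table.packet_ins,
        "alarm_windows": alarms,
        "windows": windows,
    }


if __name__ == "__main__":
    for policy in ("lru", "single_hit_first"):
        print("no attack:", simulate(policy, pollute_per_packet=0))
        print("attack:   ", simulate(policy))
```

With these parameters the 20 legitimate flows fit comfortably in a 32-entry table, so without pollution neither policy misses after warm-up and the monitor stays silent. Under pollution, LRU pushes every legitimate flow out before its next packet arrives, so most legitimate packets trigger a packet-in, while the hit-count heuristic keeps established flows resident and only the polluting entries churn. The monitor flags every attack window for both policies, which is the point of goal 1: detection by packet-in rate works independently of which replacement policy mitigates the damage. The heuristic only separates flows that have never repeated from those that have; it is a stand-in for the example, not a validated defense, which is why the page pairs replacement policies with end-to-end monitoring and dynamic provisioning rather than relying on one mechanism.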


Our experiments will have an impact with respect to the following factors:

  • Dissemination of self-configuring, self-adaptive and self-healing networks.
  • Incentivizing green networking/computing architectures thanks to our dynamic resource provisioning strategy.
  • Increasing the security of SDNs.

 

NGI related Topic :

Strengthening Trustworthiness and Resilience Of the Internet

Call Reference :

4

The 30-month project NGIatlantic.eu will push the Next Generation Internet a step further by providing cascade funding to EU-based researchers and innovators in carrying out Next Generation Internet related experiments in collaboration with US research teams.



