Diagnosing missing events in distributed systems with negative provenance

Wu, Yang Chang; Zhao, Mingchen; Haeberlen, Andreas; Zhou, Wenchao; Loo, Boon Thau

doi:10.1145/2740070.2626335

Cited by 33 publications

(30 citation statements)

References 25 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…PROVSDN [59] prevents cross-app poisoning attacks in real time using a provenance graph structure to enforce information flow control, and FORENGUARD [62] records previous causal relationships to identify root causes. Negative provenance [65], differential provenance [13], and meta provenance [64] have been proposed to explain why SDN routing events did not occur and to propose bug fixes, but such methods require either a history of traces or reference examples of "good" behavior; furthermore, analysis of SDN applications in those systems must be written in or translated into the Datalog language NDlog prior to analysis. The aforementioned systems record code paths that were taken rather than all potential code paths, which limits their effectiveness in identifying potential vulnerabilities ahead of time.…”

Section: Event-driven Architecturesmentioning

confidence: 99%

Automated Discovery of Cross-Plane Event-Based Vulnerabilities in Software-Defined Networking

Ujcich¹,

Jero²,

Skowyra³

et al. 2020

Proceedings 2020 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

Software-defined networking (SDN) achieves a programmable control plane through the use of logically centralized, event-driven controllers and through network applications (apps) that extend the controllers' functionality. As control plane decisions are often based on the data plane, it is possible for carefully crafted malicious data plane inputs to direct the control plane towards unwanted states that bypass network security restrictions (i.e., cross-plane attacks). Unfortunately, because of the complex interplay among controllers, apps, and data plane inputs, at present it is difficult to systematically identify and analyze these cross-plane vulnerabilities. We present EVENTSCOPE, a vulnerability detection tool that automatically analyzes SDN control plane event usage, discovers candidate vulnerabilities based on missing event-handling routines, and validates vulnerabilities based on data plane effects. To accurately detect missing event handlers without ground truth or developer aid, we cluster apps according to similar event usage and mark inconsistencies as candidates. We create an event flow graph to observe a global view of events and control flows within the control plane and use it to validate vulnerabilities that affect the data plane. We applied EVENTSCOPE to the ONOS SDN controller and uncovered 14 new vulnerabilities. 1 An SDN controller service or app often consists of multiple functional units, which we call components. A functional unit ends at an API boundary or event dispatch.

show abstract

Section: Event-driven Architecturesmentioning

confidence: 99%

Automated Discovery of Cross-Plane Event-Based Vulnerabilities in Software-Defined Networking

Ujcich¹,

Jero²,

Skowyra³

et al. 2020

Proceedings 2020 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

show abstract

“…However, they neglected the position information of the word since a specific word normally has its unique position in one template. Log correlation analysis: Log correlation techniques [17][18][19] are widely used in the attack diagnosis field. They make causality analysis of DNS logs, HTTP logs, WFP logs and system logs of the communication platform or device.…”

Section: Related Workmentioning

confidence: 99%

Anomalies Detection and Proactive Defence of Routers Based on Multiple Information Learning

Teng

Shen

et al. 2019

Entropy

View full text Add to dashboard Cite

Routers are of great importance in the network that forward the data among the communication devices. If an attack attempts to intercept the information or make the network paralyzed, it can launch an attack towards the router and realize the suspicious goal. Therefore, protecting router security has great importance. However, router systems are notoriously difficult to understand or diagnose for their inaccessibility and heterogeneity. A common way of gaining access to the router system and detecting the anomaly behaviors is to inspect the router syslogs or monitor the packets of information flowing to the routers. These approaches just diagnose the routers from one aspect but do not correlate multiple logs. In this paper, we propose an approach to detect the anomalies and faults of the routers with multiple information learning. First, we do the offline learning to transform the benign or corrupted user actions into the syslogs. Then, we construct the log correlation among different events. During the detection phase, we calculate the distance between the event and the cluster to decide if it is an anomalous event and we use the attack chain to predict the potential threat. We applied our approach in a university network which contains Huawei, Cisco and Dlink routers for three months. We aligned our experiment with former work as a baseline for comparison. Our approach obtained 89.6% accuracy in detecting the attacks, which is 5.1% higher than the former work. The results show that our approach performs in limited time as well as memory usages and has high detection and low false positives.

show abstract

“…Distributed system debugging [11,54] requires strong confidentiality. An entity that wishes to debug its own system may depend on provenance data from external authorities.…”

Section: Case Studies: a Need For Ppnpmentioning

confidence: 99%

“…For distributed system debugging [11,54] and IoT tracking [50] that require strong confidentiality, it is necessary to apply GE1 from Figure 1 with the fragmentation-aware SSEF scheme in Figure 2. For confidentiality, any querier who does not hold the authorized token for a color c would not be able to access the vertices and edges with that color, even if it holds the ciphertext the for entire graph.…”

Section: Term(c)mentioning

confidence: 99%

Privacy-preserving network provenance

et al. 2017

Self Cite

View full text Add to dashboard Cite

Network accountability, forensic analysis, and failure diagnosis are becoming increasingly important for network management and security. Network provenance significantly aids network administrators in these tasks by explaining system behavior and revealing the dependencies between system states. Although resourceful, network provenance can sometimes be too rich, revealing potentially sensitive information that was involved in system execution. In this paper, we propose a cryptographic approach to preserve the confidentiality of provenance (sub)graphs while allowing users to query and access the parts of the graph for which they are authorized. Our proposed solution is a novel application of searchable symmetric encryption (SSE) and more generally structured encryption (SE). Our SE-enabled provenance system allows a node to enforce access control policies over its provenance data even after the data has been shipped to remote nodes (e.g., for optimization purposes). We present a prototype of our design and demonstrate its practicality, scalability, and efficiency for both provenance maintenance and querying.

show abstract

Diagnosing missing events in distributed systems with negative provenance

Cited by 33 publications

References 25 publications

Automated Discovery of Cross-Plane Event-Based Vulnerabilities in Software-Defined Networking

Automated Discovery of Cross-Plane Event-Based Vulnerabilities in Software-Defined Networking

Anomalies Detection and Proactive Defence of Routers Based on Multiple Information Learning

Privacy-preserving network provenance

Contact Info

Product

Resources

About