FTMaster: A Detection and Mitigation System of Low-Rate Flow Table Overflow Attacks via SDN

Tang, Dan; Gao, Chenjun; Liang, Wei; Zhang, Jiliang; Li, Keqin

doi:10.1109/tnsm.2023.3270339

Cited by 9 publications

(6 citation statements)

References 47 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In the overflow phase, the attacker aims to overflow the flow table covertly. The research conducted in [23] and [24] indicates a certain correlation between stealthiness and the growth trends of packet-in messages and flow entries. Specifically, when there is a significant increase in the number of packet-in messages or a more pronounced growth trend in flow entries, the stealthiness of the attack becomes lower.…”

Section: B Alfo Modelmentioning

confidence: 94%

“…In this paper, the capacity of the flow table is set to 1500, with a default idle timeout of 10 seconds [24]. To generate background traffic, we use the Tcpreplay tool [40] on host h8 to replay the IMC-10 data center network trace [41] dataset.…”

Section: Figure 7 Experimental Topologymentioning

confidence: 99%

“…As shown in Tables 6 to 8, the flow entries classification model exhibits an accuracy and F1 score of around 99%, indicating its accurate identification of attack flow entries. In terms of false positive rates, it can be observed that the To evaluate the capability of ALFO-Guard in detecting ALFO, we compare its detection performance with LOFT-Guard [23] and FTMaster [24]. Specifically, this study trains the detection models using the same dataset under different flow entry eviction mechanisms, and the detection results are shown in Tables 6 to 8.…”

Section: Acc =mentioning

confidence: 99%

See 2 more Smart Citations

Research on Detection and Mitigation Methods of Adaptive Flow Table Overflow Attacks in Software-Defined Networks

Zeng,

Wang,

Liu

2024

IEEE Access

View full text Add to dashboard Cite

In Software-Defined Networks (SDN), the ternary content addressable memory (TCAM) capacity in switches is limited, making them vulnerable to low-rate flow table overflow attacks. Most existing research in this field has not focused on the influence of flow entry eviction mechanisms on the effectiveness of such attacks. This paper proposes an adaptive low-rate flow table overflow attack (ALFO), which can adopt corresponding attack modes under different flow entry eviction mechanisms, significantly degrading network service quality. Due to the different features of ALFO under different attack modes, the existing attack detection methods are ineffective in this attack. Therefore, this paper proposes a detection and mitigation framework, which is called adaptive low-rate flow table overflow attack guard framework (ALFO-Guard). It extracts flow features from flow entry information in the switch and aggregates them into a current-time graph model. Then, combining graph neural networks, it performs graph anomaly detection and flow entry classification to identify attack flow entries. Finally, the attack can be eliminated by deleting the identified attack flow entries and blocking the attack flows.The effectiveness of ALFO and ALFO-Guard is validated through extensive experiments, and the experimental results demonstrate that ALFO-Guard can effectively defend against ALFO.INDEX TERMS SDN, Flow table overflow, Low-rate attacks, Graph neural network.

show abstract

Section: B Alfo Modelmentioning

confidence: 94%

Section: Figure 7 Experimental Topologymentioning

confidence: 99%

Section: Acc =mentioning

confidence: 99%

See 1 more Smart Citation

Research on Detection and Mitigation Methods of Adaptive Flow Table Overflow Attacks in Software-Defined Networks

Zeng,

Wang,

Liu

2024

IEEE Access

View full text Add to dashboard Cite

show abstract

“…According to [21], the ML/DL for intrusion detection/prevention system still has several problems to solve. For instance, [22,23] showed either not enough performance or remarkable accuracy with a high false positive ratio. Since ML/DL-based techniques in the research area tend to take eviction mechanisms against the attack flow rules, a high false positive ratio is fatal.…”

Section: Bandwidthmentioning

confidence: 99%

HSDT: Table-Overflow Attack Defender with Historical Statistics Based Dynamic Timeout in Software Defined Networks

Noh,

Park

2023

Applied Sciences

View full text Add to dashboard Cite

A Software Defined Network (SDN) provides efficient network management by decoupling two planes: the control plane and the data plane. However, although SDN provides efficient network management, it also causes several critical vulnerabilities. In particular, the lack of memory for a flow table in the data plane can be exploited to conduct a flow table overflow attack. This paper proposes a history-based dynamic timeout scheme to mitigate the flow table overflow attack. The proposed scheme dynamically sets up both hard timeout and idle timeout based on statistical history for each flow, which can quickly remove attack flows from a flow table. Consequently, it can keep the occupancy of the flow table low and secure the robustness against the flow table overflow attack. The experiment results show that the proposed HSDT can mitigate the overflow attack with reasonable overhead by effectively evicting attack flow rules from the flow table while it has a minimal impact on the other normal flow rules and bandwidth.

show abstract

“…[120], [121], [122], [123], [124], [125], [126], [127], [128], [129], [130], [131], [132], [133], [134], [135], [136], [137], [138], [139], [140], [141], [142], [143], [144], [145], [146], [147], [148], [149], [150], [151], [152], [153], [154], [155], [156], [157], [158] Privacy and Security (42 papers ∼ 25.3%) CCS 13 7.8 %…”

Section: Publication Venuesmentioning

confidence: 99%

The Missing Link in Network Intrusion Detection: Taking AI/ML Research Efforts to Users

Dietz,

Mühlhauser,

Kögel

et al. 2024

IEEE Access

View full text Add to dashboard Cite

Intrusion Detection Systems (IDS) tackle the challenging task of detecting network attacks as fast as possible. As this is getting more complex in modern enterprise networks, Artificial Intelligence (AI) and Machine Learning (ML) have gained substantial popularity in research. However, their adoption into real-world IDS solutions remains poor. Academic research often overlooks the interconnection of users and technical aspects. This leads to less explainable AI/ML models that hinder trust among AI/ML non-experts. Additionally, research often neglects secondary concerns such as usability and privacy. If IDS approaches conflict with current regulations or if administrators cannot deal with attacks more effectively, enterprises will not adopt the IDS in practice. To identify those problems systematically, our literature survey takes a user-centric approach; we examine IDS research from the perspective of stakeholders by applying the concept of personas. Further, we investigate multiple factors limiting the adoption of AI/ML in security and suggest technical, non-technical, and user-related considerations to enhance the adoption in practice. Our key contributions are threefold. (i) We derive personas from realistic enterprise scenarios, (ii) we provide a set of relevant hypotheses in the form of a review template, and (iii), based on our reviews, we derive design guidelines for practical implementations. To the best of our knowledge, this is the first paper that analyzes practical adoption barriers of AI/ML-based intrusion detection solutions concerning appropriateness of data, reproducibility, explainability, practicability, usability, and privacy. Our guidelines may help researchers to holistically evaluate their AI/ML-based IDS approaches to increase practical adoption.

show abstract

FTMaster: A Detection and Mitigation System of Low-Rate Flow Table Overflow Attacks via SDN

Cited by 9 publications

References 47 publications

Research on Detection and Mitigation Methods of Adaptive Flow Table Overflow Attacks in Software-Defined Networks

Research on Detection and Mitigation Methods of Adaptive Flow Table Overflow Attacks in Software-Defined Networks

HSDT: Table-Overflow Attack Defender with Historical Statistics Based Dynamic Timeout in Software Defined Networks

The Missing Link in Network Intrusion Detection: Taking AI/ML Research Efforts to Users

Contact Info

Product

Resources

About