OFX (OpenFlow eXtension Framework)

OFX is a framework for improving the performance and scalability of OpenFlow applications (specifically security applications). It lets a network's control server push parts of its flow installation and packet processing logic down to the switch CPUs. This reduces overhead by avoiding the traditionally long path between the switch and the controller, and it improves scalability by running that logic on the distributed switches instead of on the centralized control server. OFX is implemented entirely as software that integrates with existing control platforms and OpenFlow switches.

More Information

Timing Attacks in Software-defined Networks

The flow tables in an SDN can reveal very sensitive information about a network, such as its host communication patterns or access control policies. In this project, we develop a non-intrusive timing attack that allows an adversary to infer the contents of SDN switch flow tables, and so learn these and other sensitive details about a network, by analyzing the response timing of an SDN's control server. We benchmarked our attack on a testbed with a physical OpenFlow switch and found that it was very effective. We also developed a defense that mitigates the attack by normalizing the response time of an SDN's control plane. Our defense is implemented as software that runs on the switch CPU (i.e., an OFX module) and was effective on physical OpenFlow switches.

More Information

  • Timing Based Reconnaissance and Defense in Software-defined Networks. John Sonchack, Anurag Dubey, Adam J. Aviv, Eric Keller, and Jonathan M. Smith. Proceedings of the 32nd Annual Computer Security Applications Conference (ACSAC).
  • Timing SDN Control Planes to Infer Network Configurations. John Sonchack, Adam J. Aviv, and Eric Keller. Proceedings of the ACM International Workshop on Security in Software Defined Networks & Network Function Virtualization (SDN-NFV Sec).
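As an added illustration of the leak and the defense described above (constructed model code, not the paper's code or an OFX module), the following Python simulation probes a reactive OpenFlow switch once for a flow that already has a rule and once for one that does not, and shows how padding every response to a fixed deadline on the switch CPU removes the distinguishing signal. The switch model, the latency constants, the jitter and the prober's threshold are all assumed values.

```python
"""Simulated timing side channel on a reactive SDN control plane and a
response-time normalization defense. Constructed model for illustration,
not OFX code or the paper's implementation; every latency constant below
is an assumed value."""
import random

FAST_PATH_US = 120     # assumed: match in the switch flow table, no controller trip
SLOW_PATH_US = 2400    # assumed: table miss -> packet-in to controller -> flow-mod install
JITTER_US = 40         # assumed: symmetric per-measurement jitter


class ReactiveSwitch:
    """Switch with a reactive controller: a table miss triggers a rule install.

    `normalize_to_us` models a switch-CPU (OFX-style) module that holds every
    response until a fixed deadline, so hits and misses finish at the same time.
    """

    def __init__(self, flow_table, rng, normalize_to_us=None):
        self.flow_table = set(flow_table)       # installed (src, dst) rules
        self.rng = rng
        self.normalize_to_us = normalize_to_us  # None = defense disabled

    def probe(self, flow):
        """Return the simulated round-trip latency (us) for one probe packet."""
        if flow in self.flow_table:
            latency = FAST_PATH_US
        else:
            latency = SLOW_PATH_US
            self.flow_table.add(flow)  # reactive install; a repeat probe would now hit
        latency += self.rng.uniform(-JITTER_US, JITTER_US)
        if self.normalize_to_us is not None:
            # defense: never answer before the deadline, whatever the path taken
            latency = max(latency, self.normalize_to_us)
        return latency


def infer_rule_present(latency_us, threshold_us=(FAST_PATH_US + SLOW_PATH_US) / 2):
    """Prober's decision rule: a fast answer means the rule was already installed."""
    return latency_us < threshold_us


def run_probe_experiment(normalize_to_us=None, seed=1):
    """Probe one installed flow and one absent flow on a fresh switch.

    Returns (inference_for_installed, inference_for_absent, latency_gap_us).
    Without the defense the prober recovers the table state; with the deadline
    set at the slow path's worst case, both probes are indistinguishable.
    """
    rng = random.Random(seed)
    sw = ReactiveSwitch({("h1", "h2")}, rng, normalize_to_us)
    t_hit = sw.probe(("h1", "h2"))   # rule present
    t_miss = sw.probe(("h3", "h4"))  # rule absent
    return infer_rule_present(t_hit), infer_rule_present(t_miss), abs(t_hit - t_miss)


if __name__ == "__main__":
    print("no defense:", run_probe_experiment())
    print("normalized:", run_probe_experiment(SLOW_PATH_US + JITTER_US))
```

The deadline in the model is pinned to the slow path's worst case, which is what makes the two latencies collapse to one value; a lower deadline would keep some of the gap and a higher one adds delay to every first packet of a flow, so the setting is a latency cost a defender tunes for the network.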

LESS (A Simulator for Large-scale Evaluations of network Security Systems)

LESS is an agent-based statistical simulator for testing large scale network security systems. LESS generates synthetic flow records based on parameters derived from anonymized network traces and statistical studies of network threats. LESS's output can be used to study and compare large scale network security systems such as blacklist generators, botnet detectors, and collaborative anomaly detectors.

More Information

  • LESS Is More: Host-Agent Based Simulator for Large-Scale Evaluation of Security Systems. John Sonchack and Adam J. Aviv. In the proceedings of ESORICS 2014.
  • Bridging the Data Gap: Data Related Challenges in Evaluating Large Scale Collaborative Security Systems. John Sonchack, Adam J. Aviv, and Jonathan M. Smith. In the proceedings of the 6th Workshop on Cyber Security Evaluation and Testing (CSET'13).
  • Parameterized Trace Scaling. A poster at USENIX 2013. Still looking for the source PDF.

ROCK (Rule-set Optimization via Collaborative Knowledge)

ROCK is a collaborative filtering system for IDS rules. IDS operators rate a few rules based on local observations and submit the ratings to ROCK. ROCK correlates the operators' ratings and, based on those correlations, recommends to each operator rules they have not yet rated (e.g., "here are some rules that other IDS operators with networks and preferences similar to yours found effective").

More Information

  • Cross-domain Collaboration for Improved IDS Rule Set Selection. John Sonchack and Adam J. Aviv. Journal of Information Security and Applications 24 (JISA).
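To make the recommendation step concrete, here is an added toy example (not ROCK's code) of user-based collaborative filtering over a constructed table of IDS rule ratings: operators are correlated on the rules they have both rated, and each unrated rule is scored by the similarity-weighted ratings of positively correlated operators. The rating matrix, the 1..5 scale and the choice of Pearson correlation as the similarity measure are assumptions made for the illustration.

```python
"""Toy user-based collaborative filtering over IDS rule ratings, in the spirit
of ROCK. Constructed illustration, not ROCK's code; the rating matrix is made
up and Pearson correlation is an assumed choice of similarity measure."""
from math import sqrt

# constructed: operator -> {rule_id: rating on a 1..5 scale}; absent = not rated
RATINGS = {
    "op_a": {"r1": 5, "r2": 4, "r3": 1, "r4": 5},
    "op_b": {"r1": 4, "r2": 5, "r3": 2},
    "op_c": {"r1": 1, "r2": 2, "r3": 5, "r4": 1, "r5": 4},
    "op_d": {"r1": 5, "r3": 1, "r5": 2},
}


def pearson(u, v):
    """Correlation of two operators' ratings over the rules both have rated."""
    common = sorted(set(u) & set(v))
    if len(common) < 2:
        return 0.0                     # too little overlap to say anything
    mu_u = sum(u[r] for r in common) / len(common)
    mu_v = sum(v[r] for r in common) / len(common)
    num = sum((u[r] - mu_u) * (v[r] - mu_v) for r in common)
    den = (sqrt(sum((u[r] - mu_u) ** 2 for r in common))
           * sqrt(sum((v[r] - mu_v) ** 2 for r in common)))
    return num / den if den else 0.0


def recommend(operator, ratings=RATINGS):
    """Predict ratings for the rules `operator` has not rated.

    Each unrated rule is scored by the similarity-weighted mean of ratings
    from positively correlated operators; negatively correlated operators
    (different network, different preferences) are ignored.
    Returns [(rule_id, predicted_rating)] sorted best first.
    """
    mine = ratings[operator]
    sims = {o: pearson(mine, r) for o, r in ratings.items() if o != operator}
    candidates = {rule for o in sims for rule in ratings[o]} - set(mine)
    scores = {}
    for rule in candidates:
        num = den = 0.0
        for o, sim in sims.items():
            if sim > 0 and rule in ratings[o]:
                num += sim * ratings[o][rule]
                den += sim
        if den:                        # at least one similar operator rated it
            scores[rule] = round(num / den, 3)
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for op in RATINGS:
        print(op, recommend(op))
```

For `op_b` the example predicts `r4` at 5.0 (its only positively correlated rater, `op_a`, scored it 5) and `r5` at 2.0 (from `op_d`), while `op_c`, whose ratings run opposite to `op_b`'s, contributes nothing; in a real deployment the minimum overlap and the neighbour cut-off are the knobs that decide how much a handful of local ratings can influence another operator's rule set.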