Software-Defined Adversarial Trajectory Sampling
This addresses security vulnerabilities in routing protocols for computer networks, offering a solution to detect hardware backdoors, though it appears incremental as an extension of software-defined networking.
The paper tackles the problem of untrusted network hardware by introducing Software-Defined Adversarial Trajectory Sampling (SoftATS), an OpenFlow-based mechanism that provably detects adversarial switches or routers performing attacks like rerouting or packet modification, with evaluation showing performance overheads.
Today's routing protocols critically rely on the assumption that the underlying hardware is trusted. Given the increasing number of attacks on network devices, and recent reports on hardware backdoors this assumption has become questionable. Indeed, with the critical role computer networks play today, the contrast between our security assumptions and reality is problematic. This paper presents Software-Defined Adversarial Trajectory Sampling (SoftATS), an OpenFlow-based mechanism to efficiently monitor packet trajectories, also in the presence of non-cooperating or even adversarial switches or routers, e.g., containing hardware backdoors. Our approach is based on a secure, redundant and adaptive sample distribution scheme which allows us to provably detect adversarial switches or routers trying to reroute, mirror, drop, inject, or modify packets (i.e., header and/or payload). We evaluate the effectiveness of our approach in different adversarial settings, report on a proof-of-concept implementation, and provide a first evaluation of the performance overheads of such a scheme.