Preacher: Network Policy Checker for Adversarial Environments

Preacher: Network Policy Checker for Adversarial Environments

Abstract

Private networks are typically assumed to be trusted as security mechanisms are usually deployed on hosts and the data plane is managed in-house. The increasing number of attacks on network devices, and recent reports on backdoors, forces us to revisit existing security assumptions and demands new approaches to detect malicious activity. This paper presents Preacher, a runtime network policy checker, which leverages a secure, redundant and adaptive sample distribution scheme that allows us to provably detect and localize adversarial switches or routers trying to reroute, mirror, drop, inject, or modify packets (i.e., header and/or payload) even under collusion. The analysis performed by Preacher is highly parallelizable. We show that emerging programmable networks provide an ideal vehicle to detect suspicious network activity. Furthermore, we analytically and empirically evaluate the effectiveness of our approach in different adversarial settings, report on a proof-ofconcept implementation using ONOS, and provide insights into the resource and performance overheads of Preacher.

Grafik Top
Authors
  • Thimmaraju, Kashyap
  • Schiff, Liron
  • Schmid, Stefan
Grafik Top
Supplemental Material
Shortfacts
Category
Journal Paper
Divisions
Communication Technologies
Subjects
Informatik Allgemeines
Journal or Publication Title
IEEE/ACM Transactions on Networking
ISSN
1063-6692
Date
2021
Export
Grafik Top