Preacher: Network Policy Checker for Adversarial Environments

Abstract

Private networks are typically assumed to be trusted, since security mechanisms are usually deployed on hosts and the data plane is managed in-house. The increasing number of attacks on network devices, and recent reports on backdoors, force us to revisit existing security assumptions and demand new approaches to detect malicious activity. This paper presents Preacher, a runtime network policy checker that leverages a secure, redundant and adaptive sample distribution scheme, which allows us to provably detect adversarial switches or routers trying to reroute, mirror, drop, inject, or modify packets (i.e., header and/or payload), even under collusion. Additionally, the analysis performed by Preacher is highly parallelizable. We show that emerging programmable networks provide an ideal vehicle to detect suspicious network activity. Furthermore, we analytically and empirically evaluate the effectiveness of our approach in different adversarial settings, report on a proof-of-concept implementation using ONOS, and provide insights into the resource and performance overheads of Preacher.

Authors
  • Thimmaraju, Kashyap
  • Schiff, Liron
  • Schmid, Stefan
Shortfacts
Category
Paper in Conference Proceedings or in Workshop Proceedings (Paper)
Event Title
38th International Symposium on Reliable Distributed Systems (SRDS) 2019
Divisions
Communication Technologies
Subjects
Computer Science (General)
Event Location
Lyon, France
Event Type
Conference
Event Dates
1-4 Oct 2019
Date
2019