TY - GEN
T1 - Heimdallr
T2 - 38th Annual Computer Security Applications Conference, ACSAC 2022
AU - Seo, Minjae
AU - Kim, Jaehan
AU - Marin, Eduard
AU - You, Myoungsung
AU - Park, Taejune
AU - Lee, Seungsoo
AU - Shin, Seungwon
AU - Kim, Jinwoo
N1 - Publisher Copyright:
© 2022 ACM.
PY - 2022/12/5
Y1 - 2022/12/5
AB - Software-defined wide area network (SD-WAN) has emerged as a new paradigm for steering a large-scale network flexibly by adopting distributed software-defined network (SDN) controllers. The key to building a logically centralized but physically distributed control-plane is running diverse cluster management protocols to achieve consistency through an exchange of control traffic. Meanwhile, we observe that the control traffic exposes unique time-series patterns and directional relationships due to the operational structure even though the traffic is encrypted, and this pattern can disclose confidential information such as control-plane topology and protocol dependencies, which can be exploited for severe attacks. With this insight, we propose a new SD-WAN fingerprinting system, called Heimdallr. It analyzes periodical and operational patterns of SD-WAN cluster management protocols and the context of flow directions from the collected control traffic utilizing a deep learning-based approach, so that it can classify the cluster management protocols automatically from miscellaneous control traffic datasets. Our evaluation, which is performed in a realistic SD-WAN environment consisting of three geographically distant campus networks and one enterprise network, shows that Heimdallr can classify SD-WAN control traffic with ≥ 93%, identify individual protocols with ≥ 80% macro F-1 scores, and finally can infer control-plane topology with ≥ 70% similarity.
KW - Fingerprinting
KW - Network Security
KW - Software-defined Networking
UR - https://www.scopus.com/pages/publications/85144048616
U2 - 10.1145/3564625.3564642
DO - 10.1145/3564625.3564642
M3 - Conference contribution
AN - SCOPUS:85144048616
T3 - ACM International Conference Proceeding Series
SP - 949
EP - 963
BT - Proceedings - 38th Annual Computer Security Applications Conference, ACSAC 2022
PB - Association for Computing Machinery
Y2 - 5 December 2022 through 9 December 2022
ER -