WedgeTail: an intrusion prevention system for the data plane of software defined networks

Networks are vulnerable to disruptions caused by malicious forwarding devices. The situation is likely to worsen in Soft- ware Defined Networks (SDNs) with the incompatibility of existing solutions, use of programmable soft switches and the potential of bringing down an entire network through compromised forwarding devices. In this paper, we present WedgeTail, an Intrusion Prevention System (IPS) designed to secure the SDN data plane. WedgeTail regards forward- ing devices as points within a geometric space and stores the path packets take when traversing the network as trajecto- ries. To be efficient, it prioritizes forwarding devices before inspection using an unsupervised trajectory-based sampling mechanism. For each of the forwarding device, WedgeTail computes the expected and actual trajectories of packets and 'hunts' for any forwarding device not processing pack- ets as expected. Compared to related work, WedgeTail is also capable of distinguishing between malicious actions such as packet drop and generation. Moreover, WedgeTail em- ploys a radically different methodology that enables detect- ing threats autonomously. In fact, it has no reliance on pre-defined rules by an administrator and may be easily im- ported to protect SDN networks with different setups, for- warding devices, and controllers. We have evaluated Wed- geTail in simulated environments, and it has been capable of detecting and responding to all implanted malicious for- warding devices within a reasonable time-frame. We report on the design, implementation, and evaluation of WedgeTail in this manuscript.