Security of Software Defined Networking (SDN) Cognitive Radio Network (CRN)

Prepared by: Ameer Sameer Hamood University of Babylon - Iraq Information Technology - Information Networks

Security of Software Defined Networking (SDN)

OverviewDefinition Software Defined Networking (SDN) SDN security & Security ChallengesSDN Attack Surface & Attacks ExamplesSDN Threat ModelOpen Research issues SDN Future Research DirectionsSimulator for Software Defined Networking

Overview

Definition Cognitive NetworkSecurity of Cognitive Radios & ThreatsSecurity issues in cognitive radioAttacks and the proposed defense mechanismsOpen Research issues in Cognitive RadioEvaluation Methodologies for Cognitive NetworkingFuture Research DirectionsSimulator for Cognitive Radio

Security of Cognitive Radio Network (CRN)

What is Software Defined Networking (SDN) ?

•All of these are mechanisms.• SDN is not a mechanism.•It is a framework to solve a set of problems Many solutions•Software-Defined Networking (SDN) has been envisioned as a way to reduce the complexity of network configuration and management, enabling innovation in production networks.

Figure 1

SDN is a framework to allow network administrators to automatically and dynamically manage and control a large number of network devices, services, topology,traffic paths, and packet handling(quality of service)policies using high-level languages and APIs. See fig 2:

Software Defined Networking Definition

Figure 2

Although much has been said about the benefits of SDN to solve persistent network security problems, our current knowledge on SDN threats and attacks is limited. The new systems required to carry out SDN functions may themselves come under malicious attacks.While some attacks will be common to existing networks, others will be more specific to SDN. Adversaries will inevitably exploit SDN systems if a successful network compromise could be achieved through such exploitations.A vulnerable SDN network could therefore undermine security and availability of the entire network. See fig 3:

Software Defined Networking Security

Figure 3

Software Defined Networking Security (con..)

New features and new network deployments can introduce faults and risks that open the door for threats that did not previously exist or are more serious than before. For exampleone provider’s SDN controller can directly access and manipulate another provider’s SDN switches. This configuration is not recommended for deployment in practice. In addition to the traditional attack vectors on traffic flows, switches, administrative stations, and recovery and fault diagnosis, the controllers and the communications related to the Controller plane result in new security issues that are specific to SDN.

SDN-Specific Security Challenges

1- Centralized Control2- Programmability A - Traffic and resource isolation B - Trust between third party applications and the controller C - Interface Security protection on A-CPI and I-CPI3- Challenge of Integrating Legacy Protocols4- Cross Domain Connection5- etc…

SDN-Specific Security Challenges(cont..)

1- Centralized ControlCentralized control or logically centralized control (i.e. distributed but coordinated control function) exposes a high-value asset to attackers.Attackers may attempt to manipulate the common network services or even control the entire network by tricking or compromising a controller . This is distinct from a larger number of autonomous assets in a completely distributed control domain.

SDN-Specific Security Challenges(cont..)

2- ProgrammabilityNew types of threats arise due to the explicit programmatic

access SDN offers to clients that are typically separate organizational or business entities. This new business model presents requirements that do not exist within closed administrative domains in terms of protecting system integrity, third-party data and open interfaces.

SDN-Specific Security Challenges(cont..)

2- Programmability A-Traffic and resource isolationOperators must ensure that business management and real-time control information of one entity is fully isolated from that of all others Best practices from existing automated interfaces between customer and provider business support systems may be of use here. This element extends to the existing security issue of multi-tenant traffic and resource isolation to avoid interference and misuse. Due to the new business model for SDN described above, there may be additional dynamic interactions introducing further requirements for isolation in order to meet different SLAs, private addressing issues, etc.

SDN-Specific Security Challenges(cont..)

2- Programmability B- Trust between third party applications and the controllerProgrammability is a double-edged sword; it offers flexibility to implement newly innovated market-driven applications but it also opens the door to malicious and vulnerable applications. Authentication and different authorization levels should be enforced at the point of application registration to the controller in order to limit the controller exposure.

SDN-Specific Security Challenges(cont..)

2- Programmability C- Interface Security protection on A-CPI and I-CPIBeyond the communication with applications through A-CPIs a controller may be controlled either by an upper layer controller or may work in tandem with another controller at the same hierarchical level. Lack of protection across these interfaces may lead to malicious attacks on the SDN. Security attributes and operation checkpoints should therefore be defined for securing A-CPIs and I-CPIs (Intermediate - controller plane interface).

SDN-Specific Security Challenges(cont..)

3- Challenge of Integrating Legacy ProtocolsSDN interfaces and protocols are being developed in the recognized context of escalating exploitation of technical and process deficiencies, with increasingly severe consequences that could lead to security issues. However, experience has demonstrated the difficulty of retrofitting security capabilities into existing technologies (Domain Name Server (DNS) and Border Gateway Protocol(BGP) are notable examples). It is critical that compatibility be checked before implementing legacy protocols (e.g., Network Address Translation (NAT), BGP) into SDN. It is also important that weaknesses previously addressed by legacy architectures not be repeated or even inflated when building the SDN framework.

SDN-Specific Security Challenges(cont..)

4- Cross Domain ConnectionAn additional requirement of SDN implementation requires that infrastructure of different domains can be connected. This can be realized by connecting controllers of different providers via the I-CPI. The mechanisms to establish trust relationships, to determine authorization level in order to prevent abuse and secure channel setup should all be considered.

SDN-Specific Security Challenges(cont..)

The SDN threat modeling requires understanding of the SDN architectural components and their interconnections. Figure 4 illustrates a typical SDN architecture to reveal the main SDN building blocks, which include the SDN planes and interfaces. Any of these architectural components could contain vulnerabilities and be exploited by attackers to compromise a SDN network.

SDN Attack Surface

Figure 4. The SDN components

The SDN components

Figure 4

attacks could be launched on SDN components to achieve unauthorized access, unauthorized disclosure of information, unauthorized modification, destruction, and/or disruption of service.1-Unauthorized Access Using Password Brute-Forcing or Password-Guessing Attacks2-Unauthorized Access Using Remote Application Exploitation Attacks3-Unauthorized Disclosure of Information Using RAM scraping Attacks4-etc ……

SDN Attacks Examples

1- Unauthorized Access Using Password Brute-Forcing or Password- Guessing Attacks•Figure 5. An unauthorized access attack is illustrated using the EXT->ACC->MGR path.

SDN Attacks Examples(cont..)

Figure 5

1- Generic network infrastructure threats 2- SDN specific Threats 3- Network Virtualization Threats

SDN Threat Model

1- Generic network infrastructure threats

1- Physical threats2- Damage/loss3- Failures/malfunctions4- Outages 5- Disaster6- Legal

we present types of threats that are specific to SDN. Such threats may relate to different assets in the reference SDN architecture 1- Data forging 2-Traffic diversion 3-Side channel attack4- Flooding attack 5- Software/firmware exploits 6- Denial of Service (DoS) 7- Identity spoofing 8- API exploitation9- Memory scraping10- Remote application exploitation11-Traffic sniffing

2- SDN specific Threats

Figure 6 :Threats of SDN reference architecture

2- SDN specific Threats(cont..)

1- Data forging: This threat involves compromising an SDN element (e.g., controller, router, switch) in order to forge network data and launch other attacks (e.g., DOS).

2-Traffic diversion: This threat involves compromising a network element in order to divert traffic flows and to enable eavesdropping. Traffic diversion is a threat relating to network elements of the data plane.

3- Side channel attack: This threat involves extracting information on existing flow rules that are used by network elements. The threat can be realized by exploiting patterns of network operations (e.g. exploiting the time required for establishing a network connection).

2- SDN specific Threats(cont..)

4-Flooding attack: Flooding attacks involve compromising a SDN component in order to make it flood other components, which it interacts with. 5- Software/firmware exploits: This threat involves exploiting vulnerabilities of the software/firmware in order to cause some malfunction, reduction or disruption of service, eavesdrop data or destroy/compromise data.6- Denial of Service (DoS): This threat relates to attacks aimed at causing reduction or disruption of the SDN service. DoS threats may occur in all layers of the SDN reference architecture. At the data plane, DoS can be caused by attackers, which flood the bandwidth or resources of network elements.

2- SDN specific Threats(cont..)

7- Identity spoofing: Identity spoofing is a threat where a threat agent successfully determines the identity of a legitimate entity and then masquerades this entity in order to launch further attacks. 8-API exploitation: This threat involves exploiting the API of a software component in order to launch different types of further attacks such as the unauthorized disclosure, compromise of integrity and/or destruction of information, or the unauthorized destruction/ degradation of service. 9-Memory scraping: This threat arises when an attacker scans the physical memory of a software component in order to extract sensitive information that is it not authorized to have.

2- SDN specific Threats(cont..)

10- Remote application exploitation: In this threat, an attacker gains access or obtains higher access privileges to an SDN application by exploiting software vulnerabilities of it. This can then be used to execute operations illegitimately.

11-Traffic sniffing:Traffic sniffing involves tapping data flows within a network. In SDN, traffic sniffing has been identified primarily as an attack upon the communication link between an application at the SDN application plane and a controller at the control plane in order to gain access to important controller configuration data or application-level credentials.

2- SDN Threat Model(cont..)

3- Network Virtualization Threats Network virtualization threats are threats related to the underlying IT infrastructure used for virtualizing network operations. Such threats can be distinguished into:

1- Threats related to servers running virtualized network functions (virtualized host abuse) 2- Threats to data centres hosting SDN operations (Data centre threats): 3- Threats related to virtualization mechanism: (Network Virtualization bypassing):

• Scalability:

• Control plane bottleneck.• Single controller is not sufficient to manage large scale network.

• How many controllers are needed to support large scale network?• When to scale down?

• Multi Controllers.• Each controller is responsible to a subset of the network.• Concern with synchronization and communication between controllers.• How to slice the resources among controllers?

• Latency between controllers and switches.• Less accurate decision?

What is Relation between WSN and SDN?

Open Research issues SDN

Open Research issues SDN(cont..)• Slicing Resources (CPU, bandwidth, etc).

- How to allocate resources to different controllers and users?- Formulated to optimization and fairness problems.

• Using SDN to achieve more green DCN.•No substantial works in this area.•As 2015, few publications on this subject are published in IEEE ICC and IEEEE Globecom.•Some software may provide measurement on power usage or capability to turn on/off switches.

• NetFPGA, Mininet and OpenFlow?

How to leverage from SDN approach to have more flexible and secure WSN & IoT?

Open Research issues SDN as 2015(cont..)

The future, however, will most likely use a combination of these(and perhaps other) models, standards, and implementations. Models such as I2RS are likely to be used to provide network programmability in those heterogeneous environments in which scalability is the primary concern. The architectural models underlying I2RS envision layered, distributed control planes in which the control and data planes share fate.

Future Research Directions

Using a software-defined radio together with MATLAB and Simulink for wireless design, simulation, and analysis enables engineers and students to:1- Set up SDR hardware with preconfigured radio functions2- Transmit and receive standards-based and custom-generated signals3- Test designs in the presence of interference and other real-world conditions4- Perform real-time signal analysis and measurement5- Deploy, prototype, and verify custom designs on SDR hardware using HDL and C code generation from algorithm models6- Verify implementation with radio-in-the loop tests

Simulator for Software Defined Networking

Pareto-Optimal Resilient Controller Placement in SDN-based Core Networks by David Hock, Matthias Hartmann, Steffen Gebert, Michael Jarschel, Thomas Zinner, Phuoc Tran-Gia from the University of Wuerzburg, GermanyA Matlab-based tool for calculating pareto-optimal placements of controllers in a network topology.https://github.com/lsinfo3/poco

Pareto Optimal Controller Placement (POCO) Matlab-based tool

Figure 7

OpenDaylight SDN Controller with the Mininet Network Emulator

OpenDaylight (ODL) is a popular open-source SDN controller framework. To learn more about OpenDaylight, it is helpful to use it to manage an emulated network of virtual switches and virtual hosts. Most people use the Mininet network emulator to create a virtual SDN network for OpenDaylight to control. https://www.opendaylight.org/platform-overview-beryllium

Figure 8

Mininet Network Emulator

Mininet is a network emulator which creates a network of virtual hosts, switches, controllers, and links. Mininet hosts run standard Linux network software, and its switches support OpenFlow for highly flexible custom routing and Software-Defined Networking.Mininet supports research, development, learning, prototyping, testing, debugging, and any other tasks that could benefit from having a complete experimental network on a laptop or other PC.http://mininet.org/

Figure 9

NS-3 Network Simulator

NS-3 is a discrete-event open-source network simulator for Internet systems, used primarily for research and educational use. NS-3 is a complex tool that runs simulations described by code created by users, so you may need programming skills to use it.https://www.nsnam.org/

Figure 10

Cognitive radio offers the promise of intelligent radios that can learn from and adapt to their environment.And change how they communicate, it's crucial that they select optimal, secure means of communications. Data integrity and confidentiality can be handled by higher-layer cryptographic securityCognitive radio can be described as an intelligent and dynamically reconfigurable radio .See Figure.11, cognitive radio scenario

Definition Cognitive Network

Figure.11, cognitive radio scenario

Definition Cognitive Network(cont..)

The main objective of the security system is to protect thecommunication from the malicious users. The cognitive radio network has the same security requirements as that of the general wireless networks because of the open air nature of wireless media . The major difference between the cognitive radio network and the traditional wireless network is that it doesn’t operate on a fixed frequency spectrum i.e. the frequency spectrum is being used dynamically.

Security of Cognitive Radio

Security of Cognitive Radio at different layers

1- Physical layer - Example of possible attacks (Intentional jamming attack)2- Link layer- Example of possible attacks (Biased utility attack , DOS attack)3- Network layer- Example of possible attacks (Hole attack)4- Transport layer- Example of possible attacks (Key depletion attack)5- Application layer- As a result, any attack on physical, link,network or transport layers may have an adverse affect on the application layer

- Secure authentication mechanisms,- Confidentiality,- Data integrity,- Accessibility,- Multimodal strategies for the isolation of adversary nodes,- Ability to differentiate between adversaries and unintentionally misbehaving SUs

Security Requirement of Cognitive Radio

Threat is a constant danger through persons, objects, or any resources where as an attack is an act of or event that exploits the vulnerability. The policies, learning mechanisms, and self-propagation in cognitive radio architecture prevents the threats (cannot escape the threats). In CR, a threat can happen while sensing of information (due to involvement of a malicious user).This information will then feed for learning and decision making. The results produced will lead to inappropriate decisions (unacceptable decisions) due to a malicious user injected the faults.

Threats and Attacks in Cognitive Radio Networks

Attacks Layer Involved in Cognitive Radio Networks

Cross-layer attacks are possible in CRN. There is a need to be given individual attention for such attacks. Jamming on routing information happens due to lack of common control channels. Traffic analysis attack on data privacy and location privacy will be avoided by authentication and controlling the access rights of cognitive user.

Attacks Layer Involved in Cognitive Radio Networks(cont..)

In comparison with traditional wireless networks, there are more chances open to attackers in cognitive radio technology. As a result, security in cognitive radio networks has become a challenging task . Quality of service (QoS) provisioning and security requirement for the entire network may be adversely affected by these weaknesses and vulnerable aspects, introduced by the nature of cognitive radio .The data in the wireless media may be eavesdropped or altered without notice and the channel might be jammed or overused by the adversaries

Security issues in cognitive radio

- multi-hop cognitive radio networks - medium access control (MAC) and network layers of the multi-hop cognitive radio protocol stack. Issues considered include efficient spectrum sharing, optimal relay node selection, interference mitigation, end-to-end delay, etc.-Surveys on Channel Assignment Problem in CRN - Spectrum Assignment * Selection criteria, approaches, techniques, and challenges - Channel Assignment Algorithms * Coordination mechanisms, objectives, solving approaches, network types, number of radios, PU characteristics, routing dependencies, and channel models.

Open Research issues in Cognitive Radio

- Problems in Multichannel Hidden Terminal - Energy Efficient MAC Protocol- Self-interference Problem- Negotiation Mechanism and Time Synchronization

Open Research issues in Cognitive Radio(cont..)

1- Broader Evaluation - System wide - Interdisciplinary - Scale - Safety - Realism - Rigor2- Testbed Requirements3- Cognitive Radio Platforms- Base stations , Client nodes , Mobile platforms4- Testbed Deployment and Management

Evaluation Methodologies for Cognitive Networking

Most of the proposed solutions do not cover major issues related to CR dynamic environment. Therefore, some research proposals are first suggested in the context of MAC protocol entity.More research in future is required to search for accurate sensing schemes. Although the hardware limitations of CR users is a critical issue on spectrum sensing. So, more efficient and robust alternatives must be investigated in terms of CCC design. Clear assignments to deal with transmit power, coding scheme, transmission rate to the CR users must be devised

Future Research Directions

Further research may include QoS for SUs in the context of dynamic resource availability.However, ensuring a reliable network coordination and reconfiguration mechanism is another major issue that must be addressed efficiently.Majority of the current research has focused on improving the throughput of CR networks.Clear assignments to deal with transmit power, coding scheme, transmission rate to the CR users must be devised. MAC Design focusing on energy introduces new challenges in CR MAC design research.

Future Research Directions(cont..)

1- simulation framework based on NS2 (CogNS) for cognitive radio networks2- NS-3 Simulator Extension for Cognitive Radio3- matlab4- Cognitive Radio Simulation based on OMNeT++/MiXiM

Simulator for Cognitive Radio

simulation framework based on NS2 (CogNS)

framework can be used to investigate and evaluate the impact of lower layers, i.e., MAC and physical layer, on the transport and network layers protocols. Due to the importance of packet drop probability, end-to-end delay and throughput as QoS requirements in real-time reliable applications, these metrics are evaluated over CRNs through CogNS framework.http://cogns.net/

Figure 12

OMNeT++ CR Simulation Framework

OMNeT++/MiXiM was chosen as the developing platform, mainly due to its open source nature, its well-organized modular architecture, the existing documentation, and the provided IDE (Integrated Development Environment).https://omnetpp.org/

Figure 13

Conclusions Security of Software-Defined Networks (SDN)

Security within the SDN paradigm will arguably be a challenge, as all layers, sub-layers and components will need to communicate according to strict security policies. Security challenges for Software-Defined Networks differ in some respects from those of a classical network due to the specific network implementation and SDN’s inherent control and programmability characteristics.our current knowledge on SDN threats and attacks is limited. The new systems required to carry out SDN functions may themselves come under malicious attacks. While some attacks will be common to existing networks, others will be more specific to SDN.

Security of Cognitive Radio Network (CRN)

Most of the attacks presented are specific to PHY-layer cognition. Sensors and decisions at higher layers can often be cryptographically protected, making them less vulnerable to manipulatory attacks.The threat detection mechanisms can be developed for cognitive radio networks in the same lines of intrusion detection mechanisms. The threat detection and protection of information are serious issues in wireless networks as well as cognitive radio networksIntrusion detection models are required in such situations. Cryptographic techniques are useful with the additional burden of computing time.The trust models are more appropriate than to cryptographic techniques due to their simplicity and computational efficiency. Cloud application helps to eliminate hidden terminal problem. But, cloud security is another open problem in CRNs..

Conclusions

Review Question1- What is the relation between SDR and Cognitive radio ?2- What would be an appropriate conceptual model for SDR-CR?3- What is self-propagating AI virus in A virus spreading model for cognitive radio networks ?4-What is The function of MAC protocols to ensure interference-free (with PUs or other CR users) in CR networks?5- what is The Impact of SDN on Network Security ?6- Give list some important design issues that are necessary to be addressed in distributed CR MAC design? 7- What is CCC of CR MAC protocols ?8- What is Technical recommendations for Administrators in SDN ?9-What is Organizational recommendations for Administrators in SDN 10- What is Malicious activity in CRN ?

Reference1-Introduction to Software Defined Networking (SDN) Raj Jain Washington University in Saint Louis Saint Louis, MO 63130 , 20132- Taxonomic Modeling of Security Threats in Software Defined Networking , Jennia Hizver, PhD ,BlackHat Conference , August 5-6, 20153- Principles and Practices for Securing Software-Defined Networks , January 2015, ONF TR-5114- The Software-Defined-Networking Research Group Published by the IEEE Computer Society 1089-7801/13/$31.00 © 2013 IEEE5- “Cognitive Radio Communications and Networks: Principles and Practice” By A. M. Wyglinski, M. Nekovee, Y. T. Hou (Elsevier, December 2009)6- Security in Cognitive Radio Networks : Threats and Mitigation ,T. Charles Clancy, Nathan Goergen7- Security in Cognitive Radio Networks Kresimir Dabcevic, Lucio Marcenaro, Carlo S. Regazzoni , University of Genova, Italy

8- Security Challenges in Cognitive Radio Networks , Hanen Idoudi, Kevin Daimi, and Mustafa Saed9-- Future Directions in Cognitive Radio Network Research , NSF Workshop Report Edited by: Peter Steenkiste, Douglas Sicker, Gary Minden, Dipankar Raychaudhuri March 9-10, 200910- Cognitive Radio: Technology Survey and Future Research Directions José Marinho , Edmundo Monteiro 11- AN INVESTIGATION OF SECURITY CHALLENGES IN COGNITIVE RADIO NETWORS By Deepraj Vernekar in 30-12-201212- Cognitive Radio Networks edited by Yang Xiao, Fei Hu13- Cognitive Radio RF: Overview and Challenges Van Tam Nguyen,1 Frederic Villain,2 and Yann Le Guillou3 1 Institut Mines-Telecom, Telecom ParisTech, LTCI CNRS UMR 5141, 75634 Paris, France 2 BL TV Front End, NXP, 14460 Colombelles, France 3 Renesas Mobile Corporation, 35517 Cesson Sevigne Cedex, France

Reference

14-Threat Landscape and Good Practice Guide for Software Defined Networks/5G DECEMBER 2015 by European Union Agency For Network And Information Security 15- Introduction to Software Defined Network (SDN) By Hengky “Hank” Susanto, Sing Lab, HKUST16- Security Issues and Threats in Cognitive Radio Networks •Yenumula B. Reddy • Department of Computer Science, Grambling State University •Grambling, Louisiana, USA 17- Channel Assignment Algorithms in Cognitive Radio Networks: Taxonomy, Open Issues, and ChallengesARTICLE in IEEE COMMUNICATIONS SURVEYS & TUTORIALS · OCTOBER 201418- Cognitive Radio MAC Protocols: A Survey, Research Issues, and Challenges Mahfuzulhoq Chowdhury1, Asaduzzaman1, and Md. Fazlul Kader Received November 19, 2014; Revised December 29, 2014; Accepted January 26, 2015; Published February 28, 2015

Reference

https://www.researchgate.net/profile/Ameer_Sameer

http://www.slideshare.net/AmeerSameerhttps://www.facebook.com/ameer.Mee

https://www.linkedin.com/in/ameer-sameer-452693107

Any Question :

ameersameer.it@gmail.com