Computer Science - Software Engineering; Computer Science - Networking and Internet Architecture
Abstract :
Software-defined systems revolutionized the management of hardware devices but introduced quality assurance challenges that remain to be tackled. For example, software-defined networks (SDNs) became a key technology for the prompt reconfiguration of network services in many sectors, including telecommunications, data centers, financial services, cloud providers, and the manufacturing industry. Unfortunately, reconfigurations may lead to mistakes that compromise the dependability of the provided services. In this paper, we focus on the reconfiguration of network services in the satellite communication sector and target security requirements, which are often hard to verify; for example, although connectivity may function properly, confidentiality may be broken by packets forwarded to a wrong destination. We propose an approach for FIeld-based Security Testing of SDN Configuration Updates (FISTS). First, it probes the network before and after configuration updates. Then, using the collected data, it relies on unsupervised machine learning algorithms to prioritize the inspection of suspicious node responses, after identifying the network nodes that likely match across the two configurations. Our empirical evaluation has been conducted with network data from simulated and real SDN configuration updates for our industry partner, a world-leading satellite operator. Our results show that, when combined with K-Nearest Neighbour, FISTS leads to the best results (up to 0.95 precision and 1.00 recall). Further, we demonstrated its scalability.
Research center :
Interdisciplinary Centre for Security, Reliability and Trust (SnT) > SVV - Software Verification and Validation
Disciplines :
Computer science
Author, co-author :
MALIK, Jahanzaib ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust > SVV > Team Fabrizio PASTORE
PASTORE, Fabrizio ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > SVV
External co-authors :
no
Language :
English
Title :
Field-based Security Testing of SDN Configuration Updates
Publication date :
September 2025
Journal title :
IEEE Transactions on Reliability
eISSN :
0018-9529
Publisher :
Institute of Electrical and Electronics Engineers, New York, United States
Volume :
74
Issue :
3
Pages :
3469-3483
Peer reviewed :
Peer Reviewed verified by ORBi
Focus Area :
Security, Reliability and Trust
FnR Project :
FNR14016225 - Integrated Satellite-terrestrial Systems For Ubiquitous Beyond 5g Communications, 2020 (01/10/2020-30/09/2026) - Symeon Chatzinotas