“Secure Network Monitoring Using Programmable Data Planes”
Master’s thesis, Mestrado em Engenharia Informática, Departamento de Informática, Faculdade de Ciências da Universidade de Lisboa, Sept. 2017
Abstract: Monitoring is a fundamental activity in network management as it provides knowledge about the behavior of a network. Different monitoring methodologies have been employed in practice, with sample-based and sketch-based approaches standing out because of their manageable memory requirements. The accuracy provided by traditional sampling-based monitoring approaches, such as NetFlow, is increasingly being considered insufficient to meet the requirements of today’s networks. By summarizing all traffic for specific statistics of interest, sketch-based alternatives have been shown to achieve higher levels of accuracy for the same cost. Existing switches, however, lack the necessary capability to perform the sort of processing required by this approach. The emergence of programmable switches and the processing they enable in the data plane has recently led sketch-based solutions to be made possible in switching hardware. One limitation of existing solutions is that they lack security. At the scale of the datacenter networks that power cloud computing, this limitation becomes a serious concern. For instance, there is evidence of security incidents perpetrated by malicious insiders inside cloud infrastructures. By compromising the monitoring algorithm, such an attacker can render the monitoring process useless, leading to undesirable actions (such as routing sensitive traffic to disallowed locations). The objective of this thesis is to propose a novel sketch-based monitoring algorithm that is secure. In particular, we propose the design and implementation of a secure and scalable version of the Count-Min algorithm [16, 17], which tracks the frequency of items through a data structure and a set of hash functions. As traditional switches do not have the capabilities to allow these advanced forms of monitoring, we leverage the recently proposed programmable switches. The algorithm was implemented in P4 , a programmable language for programmable switches, which are now able to process packets just as fast as the fastest fixed-function switches . Our evaluation demonstrates that our secure solution entails a negligible performance penalty when compared with the original Count-Min algorithm, despite the security proprieties provided.
Research line(s): Fault and Intrusion Tolerance in Open Distributed Systems (FIT)