
WedgeTail 2.0: An Intrusion Prevention System for the Data Plane of Software Defined Networks

Abstract

Networks are vulnerable to disruptions caused by malicious forwarding devices. The situation is likely to worsen in Software Defined Networks (SDNs), given the incompatibility of existing solutions, the use of programmable soft switches, and the potential to bring down an entire network through compromised forwarding devices. In this paper, we present WedgeTail 2.0, an Intrusion Prevention System (IPS) designed to secure the data plane of SDNs. Our solution is capable of localizing malicious forwarding devices and can distinguish between the specific malicious actions of a compromised device, such as packet drop, fabrication and modification. WedgeTail has no reliance on pre-defined rules by an administrator for its detection and may be easily imported into SDNs with different setups, forwarding devices, and controllers. The process begins by mapping forwarding devices as points within a geometric space and storing the path packets take when traversing the network as trajectories. Before inspection, the forwarding devices are clustered into groups of varying priority based on their frequency of occurrence in packet trajectories over specified time periods. The detection phase consists of computing the expected and actual trajectories of packets for each of the forwarding devices and 'hunting' for those not processing packets as expected. We have evaluated WedgeTail 2.0 in simulated environments, and it has been capable of detecting and responding to all implanted malicious forwarding devices within approximately an hour over a large network. We report on the design, implementation, and evaluation of WedgeTail 2.0 in this manuscript.
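The detection phase sketched in the abstract, as an added toy example that is not code from the paper or the WedgeTail project: forwarding devices are identified by switch id, a packet's trajectory is the ordered list of (switch, payload digest) observations taken at each ingress, devices are ranked by how often they occur in the expected trajectories, and each observed trajectory is compared hop by hop with the controller's expected path. The sample paths, the digest scheme and the extra "misrouting" label are my assumptions.

```python
import hashlib
from collections import Counter

def digest(payload: bytes) -> str:
    """Short content digest recorded at each hop, used to detect in-flight modification."""
    return hashlib.sha256(payload).hexdigest()[:8]

def cluster_priority(expected: dict, top_n: int = 2) -> dict:
    """Group switches by how often they occur in expected trajectories over the
    window; the top_n most frequent get 'high' inspection priority."""
    freq = Counter(sw for path in expected.values() for sw in path)
    ranked = [sw for sw, _ in freq.most_common()]
    return {sw: ("high" if i < top_n else "low") for i, sw in enumerate(ranked)}

def classify(expected_path, observed):
    """Compare one packet's expected trajectory with the hops actually observed
    (observed = [(switch, digest_at_ingress), ...]). Returns (switch, action) for
    the first device that did not process the packet as expected, else None."""
    if expected_path is None:
        # No controller-installed path explains this packet: its first hop fabricated it.
        return (observed[0][0], "fabrication")
    hops = [sw for sw, _ in observed]
    digests = [d for _, d in observed]
    for i in range(1, len(observed)):
        if i >= len(expected_path) or hops[i] != expected_path[i]:
            return (hops[i - 1], "misrouting")    # assumption: forwarded to the wrong next hop
        if digests[i] != digests[i - 1]:
            return (hops[i - 1], "modification")  # payload changed between hop i-1 and hop i
    if len(hops) < len(expected_path):
        return (hops[-1], "drop")                 # received the packet but never forwarded it
    return None

# Constructed sample: four switches, three expected paths installed by the controller.
EXPECTED = {"flow-a": ["s1", "s2", "s4"], "flow-b": ["s1", "s3", "s4"], "flow-c": ["s2", "s4"]}
OK = digest(b"payload")
OBSERVED = {
    "flow-a": [("s1", OK), ("s2", OK)],                               # s2 swallowed it
    "flow-b": [("s1", OK), ("s3", OK), ("s4", digest(b"tampered"))],  # s3 rewrote it
    "flow-c": [("s2", OK), ("s4", OK)],                               # processed as expected
    "flow-x": [("s3", OK), ("s4", OK)],                               # no path exists for it
}

def hunt(expected: dict, observed: dict) -> dict:
    """Inspect every trajectory, packets entering high-priority switches first, and
    return {switch: set(actions)} for the devices flagged as malicious."""
    prio = cluster_priority(expected)
    verdicts = {}
    for pkt, obs in sorted(observed.items(), key=lambda kv: prio.get(kv[1][0][0]) != "high"):
        hit = classify(expected.get(pkt), obs)
        if hit:
            verdicts.setdefault(hit[0], set()).add(hit[1])
    return verdicts

if __name__ == "__main__":
    print(hunt(EXPECTED, OBSERVED))  # {'s2': {'drop'}, 's3': {'modification', 'fabrication'}}
```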
