Publications

Featured research published by Hesham Mekky.


ACM Special Interest Group on Data Communication | 2014

Application-aware data plane processing in SDN

Hesham Mekky; Fang Hao; Sarit Mukherjee; Zhi Li Zhang; T. V. Lakshman

A key benefit of Software Defined Networks is fine-grained management of network flows made possible by the execution of flow-specific actions based upon inspection and matching of various packet fields. However, current switches and protocols limit the inspected fields to layer 2-4 headers and hence any customized flow-handling that uses higher-layer information necessitates sending the packets to the controller. This is inefficient and slow, adding several switch-to-controller round-trip delays. This paper proposes an extended SDN architecture that enables fast customized packet-handling even when the information used is not restricted to L2-L4. We describe an implementation of this architecture that keeps most of the processing in the data plane and limits the need to send packets to the controller even when higher-layer information is used in packet-handling. We show how some popular applications can be implemented using this extended architecture and evaluate the performance of one such application using a prototype implementation on Open vSwitch. The results show that the proposed architecture has low overhead, good performance and can take advantage of a flexible scale-out design for application deployment.


IEEE Transactions on Dependable and Secure Computing | 2015

Timing Attacks on Access Privacy in Information Centric Networks and Countermeasures

Aziz Mohaisen; Hesham Mekky; Xinwen Zhang; Haiyong Xie; Yongdae Kim

In recently proposed information centric networks (ICN), a user issues “interest” packets to retrieve contents from the network by name. Once fetched from origin servers, “data” packets are replicated and cached in all routers along the routing and forwarding paths, thus allowing further interests from other users to be fulfilled quickly. However, the way ICN caching and interest fulfillment work poses a great privacy risk: the time difference between responses for an interest in cached and uncached content can be used as an indicator to infer whether or not a nearby user has previously requested the same content as that requested by an adversary. This work introduces the extent to which the problem is applicable in ICN and provides several solutions that try to strike a balance between cost and benefits, and raise the bar for an adversary to apply such an attack.


Communications and Networking Symposium | 2015

Separation of benign and malicious network events for accurate malware family classification

Hesham Mekky; Aziz Mohaisen; Zhi Li Zhang

Labeling malware samples with their appropriate malware family helps understand and track malware evolution and develop mitigation techniques. Current malware analysis techniques that use supervised machine learning rely on classification models that are trained on malware traffic generated from a sandbox environment. These models are then used to classify future unseen observations. In practice, however, malware traffic comes mixed with other legitimate “background” traffic from host machines, such as user browsing and software update traffic. Hence, the classifiers' accuracy in predicting the correct malware label on unseen (mixed) traffic is low. We propose a novel classification system that uses an Independent Component Analysis (ICA) module that applies distribution decomposition to separate the observed traffic into two components, malware traffic and background traffic. We also use a random forest classifier module to learn a classification model for every malware family, and then use it to predict malware family labels using the output of the ICA module. This system is thus capable of labeling malware traffic after removing background artifacts (“noise”), which makes it more efficient and accurate than current classification methods. Our experiments on three malware family datasets show that the performance of our system improves significantly after removing the background traffic artifacts.


GREE '14 Proceedings of the 2014 Third GENI Research and Educational Experiment Workshop | 2014

VIRO-GENI: SDN-Based Approach for a Non-IP Protocol in GENI

Hesham Mekky; Cheng Jin; Zhi Li Zhang

Non-IP protocols have always presented a challenge for network researchers to deploy and test at large scale. The GENI infrastructure presents a testbed to deploy large-scale network experiments; however, non-IP protocols still raise a challenge to deploy since IP is the narrow waist of the Internet. SDN provides an opportunity to implement non-IP protocols; however, the OpenFlow standard is still tied to the Ethernet/IP/TCP protocol stack. In this paper, we utilize SDN to provide a framework to deploy and test a non-IP protocol, Virtual Id Routing (VIRO), in GENI using an extended Open vSwitch platform.


International Conference on Computer Communications | 2017

Network function virtualization enablement within SDN data plane

Hesham Mekky; Fang Hao; Sarit Mukherjee; T. V. Lakshman; Zhi Li Zhang

Software Defined Networking (SDN) can benefit a Network Function Virtualization solution by chaining a set of network functions (NFs) to create a network service. Currently, control of NFs is isolated from the SDN, which creates routing inflexibility, flow imbalance and choke points in the network as the controller remains oblivious to the number, capacity and placement of NFs. Moreover, an NF may modify packets in the middle, which makes flow identification at an SDN switch challenging. In this paper, we postulate native NFs within the SDN data plane, where the same logical controller controls both network services and routing. This is enabled by extending SDN to support stateful flow handling based on higher layers in the packet beyond layers 2–4. As a result, NF instances can be chained on demand, directly on the data plane. We present an implementation of this architecture based on Open vSwitch, and show that it enables popular NFs effectively using detailed evaluation and comparison with other alternative solutions.


IEEE International Conference on Computer and Communications | 2016

SAMPO: Online subflow association for multipath TCP with partial flow records

Yang Zhang; Hesham Mekky; Zhi Li Zhang; Fang Hao; Sarit Mukherjee; T. V. Lakshman

Multipath TCP (MPTCP) is a promising technique for boosting application throughput while using well-known and versatile network socket interfaces. Recently, many interesting applications of MPTCP in various environments such as wireless networks and data centers have been proposed, but little work has been done to investigate the impact of this protocol on conventional network devices. For example, the MPTCP throughput advantage can be better achieved if all MPTCP subflows are routed on disjoint paths, but this is currently not feasible since routers are not designed to recognize the membership of MPTCP subflows. In this paper, we take a first step to address this issue by proposing SAMPO, an online algorithm to detect and associate MPTCP subflows in the network. The main challenge is that sampling techniques and network dynamics may cause a network device to obtain only partial flow records. SAMPO takes advantage of both protocol information and statistical characteristics of MPTCP data sequence numbers to overcome this challenge in the network. Through analysis and experimentation, we show that SAMPO is able to detect and associate MPTCP subflows with high accuracy even when only a small portion of the entire flow records is available.


Journal of Network and Systems Management | 2016

A Virtual Id Routing Protocol for Future Dynamics Networks and Its Implementation Using the SDN Paradigm

Braulio Dumba; Hesham Mekky; Sourabh Jain; Guobao Sun; Zhi Li Zhang

In this paper, we propose Virtual Id Routing (VIRO), a novel “plug-&-play” non-IP routing protocol for future dynamics networks. VIRO decouples routing/forwarding from addressing by introducing a topology-aware, structured virtual id layer to encode the locations of switches and devices in the physical topology. It completely eliminates network-wide flooding in both the data and control planes, and thus is highly scalable and robust. VIRO effectively localizes the effect of failures, performs fast re-routing and supports multiple (logical) topologies on top of the same physical network substrate to further enhance network robustness. We have implemented an initial prototype of VIRO using Open vSwitch, and we extend it (both within the user space and the kernel space) to implement VIRO switching functions in VIRO switches. In addition, we use the POX SDN controller to implement VIRO’s control and management plane functions. We evaluate our prototype implementation through emulation and in the GENI (the Global Environment for Network Innovations) testbed using many synthetic and real topologies. Our evaluation results show that VIRO has better scalability than link-state based protocols (e.g. OSPF and SEATTLE) in terms of routing-table size and control overhead, as well as better mechanisms for failure recovery.


International Conference on Distributed Computing Systems Workshops | 2015

In-Network Dynamic Pathlet Switching with VIRO for SDN Networks

Braulio Dumba; Hesham Mekky; Guobao Sun; Zhi Li Zhang

The current best-effort IP protocol cannot readily provide the bandwidth and other service guarantees that many applications such as video streaming require today. End-system-based path switching and load balancing across multiple paths have been proposed as an alternative approach to meet the bandwidth requirements of today's applications. These solutions require end systems to be multi-homed so as to exploit the path diversity in today's networks. In this work we propose a novel in-network pathlet switching framework for software-defined networks using the Virtual Id Routing Protocol (VIRO). In our framework we take advantage of the built-in fast rerouting and load balancing capabilities of VIRO to perform dynamic pathlet selection, switching and load balancing to fully exploit the path diversity available in the network. Building upon our current VIRO implementation in GENI, we conduct experiments to demonstrate the efficacy of the proposed in-network pathlet switching framework.


Computer and Communications Security | 2014

POSTER: Blind Separation of Benign and Malicious Events to Enable Accurate Malware Family Classification

Hesham Mekky; Aziz Mohaisen; Zhi Li Zhang

Malware family classification has been studied extensively in the literature. Machine learning based identification techniques rely on building a classification model for the malware traffic, and then the model is used for labeling unseen observations. In practice, malware traffic (the malware signal) is mixed with other legitimate traffic (the background signal). Consequently, the classifiers' effectiveness may be hindered, since the observed traffic is mixed. We propose to apply signal decomposition in order to decompose the observed traffic into two components, malware traffic and background traffic, so that classification techniques can then be applied effectively to the malware traffic after removing the background attributes. Our preliminary results show the effectiveness of the proposed approach.


International Conference on Computer Communications | 2014

Detecting Malicious HTTP Redirections Using Trees of User Browsing Activity

Hesham Mekky; Ruben Torres; Zhi Li Zhang; Sabyasachi Saha; Antonio Nucci

Collaboration

Top Co-Authors

Zhi Li Zhang (University of Minnesota)

Aziz Mohaisen (University of Central Florida)

Guobao Sun (University of Minnesota)

Yang Zhang (University of Minnesota)