Detecting malicious packet drops and misroutings using Header Space Analysis

Software Defined Networking (SDN) provides a logically centralized view of the state of the network, and as a result opens up new ways to manage and monitor networks. In this paper we introduce a novel approach to network intrusion detection in SDNs that takes advantage of these attributes. Our approach can detect compromised routers that produce faulty messages, copy or steal traffic or maliciously drop certain types of packets. To identify these attacks and the affected switches, we correlate the forwarding state of network-i.e. installed forwarding rules-with the forwarding status of packets-i.e. the actual route packets take in the network and detect anomaly in routes. Thus, our approach turns the network itself into a big intrusion detection system. We have evaluated our approach on topologies from real networks by developing an application over OpenDaylight SDN controller and detected simulated dropping and duplicating attacks in these networks.