NDSS 2025 – Detecting SDN Control Policy Manipulation Via Contextual Semantics Of Provenance Graphs
This paper proposes ProvGuard, a provenance-graph-based framework for detecting Control Policy Manipulation (CPM) attacks in Software-Defined Networking (SDN). By analyzing controller activities and constructing a provenance graph, the framework identifies anomalous behavior and successfully detects four typical CPM attacks.
2025-12-23 20:00:00
Author: securityboulevard.com
Session 7A: Network Security 2
Authors, Creators & Presenters: Ziwen Liu (Beihang University), Jian Mao (Beihang University; Tianmushan Laboratory; Hangzhou Innovation Institute, Beihang University), Jun Zeng (National University of Singapore), Jiawei Li (Beihang University; National University of Singapore), Qixiao Lin (Beihang University), Jiahao Liu (National University of Singapore), Jianwei Zhuge (Tsinghua University; Zhongguancun Laboratory), Zhenkai Liang (National University of Singapore)
PAPER
Detecting SDN Control Policy Manipulation Via Contextual Semantics Of Provenance Graphs
Software-Defined Networking (SDN) improves network flexibility by decoupling control functions (control plane) from forwarding devices (data plane). However, the logically centralized control plane is vulnerable to Control Policy Manipulation (CPM), which introduces incorrect policies by manipulating the controller’s network view. Current methods for anomaly detection and configuration verification have limitations in detecting CPM attacks because they focus solely on the data plane. Certain covert CPM attacks are indistinguishable from normal behavior without analyzing the causality of the controller’s decisions. In this paper, we propose ProvGuard, a provenance graph-based detection framework that identifies CPM attacks by monitoring controller activities. ProvGuard leverages static analysis to identify data-plane-related controller operations and guide controller instrumentation, constructing a provenance graph from captured control plane activities. ProvGuard reduces redundancies and extracts paths in the provenance graph as contexts to capture concise and long-term features. Suspicious behaviors are flagged by identifying paths that cause prediction errors beyond the normal range, based on a sequence-to-sequence prediction model. We implemented a prototype of ProvGuard on the Floodlight controller. Our approach successfully identified all four typical CPM attacks that previous methods could not fully address and provided valuable insights for investigating attack behaviors.
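The abstract describes a pipeline of four steps: build a provenance graph from controller activities, collapse redundant nodes and edges, extract root-to-leaf paths as causal contexts, and flag paths whose prediction error under a model trained on normal contexts falls outside the normal range. The following Python is an added illustration of that general idea and is not ProvGuard's code, nor does it use Floodlight's real module or message names. All events are constructed; the instance ids after `@` (switch, host) are assumptions, and an add-one smoothed bigram next-step model stands in for the paper's sequence-to-sequence predictor. Scoring a path by the surprise of its least expected step is this example's choice, not the paper's.

```python
import math
from collections import defaultdict

# Constructed controller activity traces (not ProvGuard's data and not Floodlight's
# real module or message names). Each event is a causal edge cause -> effect; the
# text after '@' is an instance id (switch, host) that the graph abstracts away.
NORMAL_EVENTS = [
    ("PacketIn@sw1", "Forwarding"), ("Forwarding", "TopologyRead"),
    ("TopologyRead", "RouteCompute"), ("RouteCompute", "FlowMod@sw1"),
    ("PacketIn@sw2", "Forwarding"), ("Forwarding", "TopologyRead"),
    ("TopologyRead", "RouteCompute"), ("RouteCompute", "FlowMod@sw2"),
    ("PacketIn@sw1", "HostTracker"), ("HostTracker", "HostTableWrite@h1"),
    ("PortStatus@sw3", "TopologyUpdate"), ("TopologyUpdate", "TopologyRead"),
]

# Constructed suspicious trace: a host-table write directly drives the route
# computation that emits a FlowMod, a causal context never seen in normal operation.
SUSPECT_EVENTS = [
    ("PacketIn@sw1", "HostTracker"), ("HostTracker", "HostTableWrite@h9"),
    ("HostTableWrite@h9", "RouteCompute"), ("RouteCompute", "FlowMod@sw1"),
]


def abstract(node):
    """Drop the instance id so semantically identical activities share one node."""
    return node.split("@", 1)[0]


def build_graph(events):
    """Provenance graph as adjacency sets. Abstraction plus set semantics collapse
    repeated and instance-specific edges (the redundancy-reduction step)."""
    graph = defaultdict(set)
    for cause, effect in events:
        graph[abstract(cause)].add(abstract(effect))
        graph.setdefault(abstract(effect), set())  # sinks must exist as nodes
    return dict(graph)


def extract_paths(graph):
    """All root-to-leaf paths; each path is one causal context of a control decision."""
    has_parent = {e for effects in graph.values() for e in effects}
    roots = sorted(n for n in graph if n not in has_parent)
    paths = []

    def walk(node, prefix, seen):
        nxt = sorted(n for n in graph[node] if n not in seen)  # cycle guard
        if not nxt:
            paths.append(tuple(prefix))
            return
        for n in nxt:
            walk(n, prefix + [n], seen | {n})

    for root in roots:
        walk(root, [root], {root})
    return paths


class ContextModel:
    """Next-step predictor trained on normal contexts: an add-one smoothed bigram
    model, a simple stand-in for the sequence-to-sequence predictor in the paper."""

    def __init__(self, paths):
        self.counts = defaultdict(lambda: defaultdict(int))
        self.vocab = {n for p in paths for n in p}
        for p in paths:
            for a, b in zip(p, p[1:]):
                self.counts[a][b] += 1

    def step_prob(self, a, b):
        row = self.counts.get(a, {})
        return (row.get(b, 0) + 1) / (sum(row.values()) + len(self.vocab))

    def error(self, path):
        """Prediction error of a path: surprise (-log p) of its least expected step."""
        steps = zip(path, path[1:])
        return max((-math.log(self.step_prob(a, b)) for a, b in steps), default=0.0)


def detect(normal_events, observed_events):
    """Train on normal contexts, set the threshold to the largest normal error,
    and return (threshold, [(path, error), ...]) for observed paths beyond it."""
    normal_paths = extract_paths(build_graph(normal_events))
    model = ContextModel(normal_paths)
    threshold = max(model.error(p) for p in normal_paths)
    flagged = []
    for path in extract_paths(build_graph(observed_events)):
        err = model.error(path)
        if err > threshold:
            flagged.append((path, round(err, 3)))
    return threshold, flagged


if __name__ == "__main__":
    threshold, flagged = detect(NORMAL_EVENTS, NORMAL_EVENTS + SUSPECT_EVENTS)
    print(f"normal error range up to {threshold:.3f}")
    for path, err in flagged:
        print(f"suspicious context (error {err}): {' -> '.join(path)}")
```

Run as-is, the constructed suspect path is the only one reported; the three normal contexts score at or below the learned threshold. The point the abstract makes is visible here: the flagged FlowMod is indistinguishable from a benign one on the data plane, and only the causal path behind the controller's decision separates the two.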
ABOUT NDSS
The Network and Distributed System Security Symposium (NDSS) fosters information exchange among researchers and practitioners of network and distributed system security. The target audience includes those interested in practical aspects of network and distributed system security, with a focus on actual system design and implementation. A major goal is to encourage and enable the Internet community to apply, deploy, and advance the state of available security technologies.