DOI: 10.1145/3196494.3196519

Software-Defined Firewall: Enabling Malware Traffic Detection and Programmable Security Control

Published: 29 May 2018

Abstract

Network-based malware poses a serious threat to host machines. When malware uses its own private TCP/IP stack for communication, its packets never pass through the host's network stack, so a personal (host-based) firewall does not see them, and a network firewall, which does see them, lacks the host context needed to single them out. Current firewall policies also lack a convenient update mechanism, which makes detecting malicious traffic difficult.
In this paper, we propose Software-Defined Firewall (SDF), a new security design that protects host machines and enables programmable security policy control by splitting the firewall architecture into a control plane and a data plane. As in the SDN (Software-Defined Networking) architecture, the control plane makes security policy updates easy; unlike a plain SDN controller, it also collects host information, which enables application-level traffic control and improves the accuracy of malicious traffic detection. The data plane handles all incoming and outgoing traffic in network hardware, so malware on the host cannot bypass it. SDF is easy to implement and deploy in today's networks. We implement a prototype of SDF and evaluate its performance in real-world experiments. The results show that SDF monitors all network traffic (no traffic bypasses it) and improves the accuracy of malicious traffic identification. Two example use cases show that SDF offers easier and more flexible solutions to today's host security problems than current firewalls.
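The abstract's core idea is a correlation: the data plane sees every flow the host emits, and the control plane compares those flows against what the host itself claims to have opened, then pushes per-flow rules back down. The following is an added illustration of that control-plane logic, written for this page; it is not the paper's prototype or the authors' code. It assumes a host agent that reports its socket table as `ss -tunp`-style lines, an application-level policy keyed on process name, and OpenFlow 1.3 OXM field names as a Ryu application would use them. All socket lines, flows and policy below are constructed sample data.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """A 5-tuple as seen by the data plane (the host is the source here)."""
    proto: str      # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class HostSocket:
    pid: int
    process: str


# Constructed `ss -tunp`-style lines that a host agent would send to the
# controller.  Assumed reporting format; the paper does not specify one.
SS_OUTPUT = """\
tcp ESTAB 0 0 10.0.0.5:52134 93.184.216.34:443 users:(("firefox",pid=2210,fd=45))
tcp ESTAB 0 0 10.0.0.5:52140 203.0.113.9:25 users:(("firefox",pid=2210,fd=51))
udp ESTAB 0 0 10.0.0.5:123 192.0.2.10:123 users:(("ntpd",pid=611,fd=7))
tcp ESTAB 0 0 10.0.0.5:33001 198.51.100.20:4444 users:(("nc",pid=3302,fd=3))
"""

SS_RE = re.compile(
    r"^(tcp|udp)\s+\S+\s+\d+\s+\d+\s+(\S+):(\d+)\s+(\S+):(\d+)\s+"
    r'users:\(\("([^"]+)",pid=(\d+),fd=\d+\)\)'
)


def parse_ss(text):
    """Map every socket the host kernel knows about to its owning process."""
    table = {}
    for line in text.splitlines():
        m = SS_RE.match(line)
        if m is None:
            continue
        proto, lip, lport, rip, rport, proc, pid = m.groups()
        table[Flow(proto, lip, int(lport), rip, int(rport))] = HostSocket(int(pid), proc)
    return table


# Assumed application-level policy: process name -> destination ports it may use.
POLICY = {"firefox": {80, 443}, "ntpd": {123}}

# Flows the data plane reported for host 10.0.0.5 (constructed).  The last one
# never appears in the host's socket table: a private stack emitted it.
DATA_PLANE_FLOWS = [
    Flow("tcp", "10.0.0.5", 52134, "93.184.216.34", 443),
    Flow("tcp", "10.0.0.5", 52140, "203.0.113.9", 25),
    Flow("udp", "10.0.0.5", 123, "192.0.2.10", 123),
    Flow("tcp", "10.0.0.5", 33001, "198.51.100.20", 4444),
    Flow("tcp", "10.0.0.5", 40000, "198.51.100.7", 8080),
]


def classify(flow, host_table, policy):
    """Return (action, reason).  Anything the host cannot account for is dropped."""
    sock = host_table.get(flow)
    if sock is None:
        return "drop", "no matching host socket: traffic bypasses the host stack (private TCP/IP stack)"
    allowed = policy.get(sock.process)
    if allowed is None:
        return "drop", f"no policy for process {sock.process} (pid {sock.pid})"
    if flow.dst_port not in allowed:
        return "drop", f"{sock.process} (pid {sock.pid}) may not reach port {flow.dst_port}"
    return "forward", f"{sock.process} (pid {sock.pid}) permitted"


IP_PROTO = {"tcp": 6, "udp": 17}


def to_oxm_match(flow):
    """OpenFlow 1.3 OXM match fields for the flow, named as a Ryu app would."""
    return {
        "eth_type": 0x0800,
        "ip_proto": IP_PROTO[flow.proto],
        "ipv4_src": flow.src_ip,
        "ipv4_dst": flow.dst_ip,
        f"{flow.proto}_src": flow.src_port,
        f"{flow.proto}_dst": flow.dst_port,
    }


def build_rules(flows, host_table, policy):
    """Turn each observed flow into a per-flow rule the controller would push."""
    rules = []
    for flow in flows:
        action, reason = classify(flow, host_table, policy)
        rules.append({"match": to_oxm_match(flow), "action": action, "reason": reason})
    return rules


if __name__ == "__main__":
    for rule in build_rules(DATA_PLANE_FLOWS, parse_ss(SS_OUTPUT), POLICY):
        m = rule["match"]
        print(f'{rule["action"]:7} {m["ipv4_dst"]} ip_proto={m["ip_proto"]} - {rule["reason"]}')
```

Two design points matter here. First, an unknown flow defaults to drop rather than to "log and forward": the host report is untrusted input (a bootkit that already runs its own stack can also lie about its socket table), so the only property the design can rely on is that the network-side data plane sees every packet, and the host data is used to whitelist, never to exonerate. Second, the socket table is a snapshot, so short-lived flows and reused ephemeral ports can produce spurious "no matching socket" verdicts; a deployment would need the agent to report socket open/close events promptly, or to tolerate a short grace window, before turning such a verdict into a hard drop.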


Cited By

  • (2024) Security on Top of Security: Detecting Malicious Firewall Policy Changes via K-Means Clustering. Machine Learning for Cyber Security, pp. 145-162. DOI: 10.1007/978-981-97-2458-1_10. Online: 23 Apr 2024.
  • (2023) Implementation method of non-bypassable PC application firewalls using virtualization technologies. 2023 IEEE International Conference on High Performance Computing & Communications, Data Science & Systems, Smart City & Dependability in Sensor, Cloud & Big Data Systems & Application (HPCC/DSS/SmartCity/DependSys), pp. 435-442. DOI: 10.1109/HPCC-DSS-SmartCity-DependSys60770.2023.00066. Online: 17 Dec 2023.
  • (2022) Robust network traffic identification with graph matching. Computer Networks 218, article 109368. DOI: 10.1016/j.comnet.2022.109368. Online: Dec 2022.
  • (2022) A comprehensive survey on SDN security: threats, mitigations, and future directions. Journal of Reliable Intelligent Environments 9(2), pp. 201-239. DOI: 10.1007/s40860-022-00171-8. Online: 8 Feb 2022.
  • (2021) Lessons Learnt on Reproducibility in Machine Learning Based Android Malware Detection. Empirical Software Engineering 26(4). DOI: 10.1007/s10664-021-09955-7. Online: 1 Jul 2021.
  • (2020) Detection and Mitigation of DoS Attacks in Software Defined Networks. IEEE/ACM Transactions on Networking 28(3), pp. 1419-1433. DOI: 10.1109/TNET.2020.2983976. Online: Jun 2020.

      Published In

      ASIACCS '18: Proceedings of the 2018 on Asia Conference on Computer and Communications Security
      May 2018
      866 pages
      ISBN:9781450355766
      DOI:10.1145/3196494
      Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

      Publisher

      Association for Computing Machinery

      New York, NY, United States

      Author Tags

      1. malicious traffic detection
      2. network programmability
      3. software-defined firewall
      4. software-defined networks

      Qualifiers

      • Research-article

      Conference

      ASIA CCS '18

      Acceptance Rates

      ASIACCS '18 Paper Acceptance Rate 52 of 310 submissions, 17%;
      Overall Acceptance Rate 418 of 2,322 submissions, 18%

