Topology Poisoning Attacks and Prevention in Hybrid Software-Defined Networks

<p>The hybrid software-defined networks (SDN) architectures are beneficial for a smooth transition and less costly SDN deployment. However, legacy switches and SDN switches coexistence brings new challenges of deployment inconsistency management and security. Security is not well studied for hybrid SDN architecture. In this paper, we study the topology poisoning attacks in hybrid SDN for the first time. We propose new attack vectors for link fabrication in hybrid SDN. The new attack is named “multi-hop link fabrication”, in which an adversary successfully injects a fake multi-hop link (MHL) by exploiting the link discovery protocols. We presented the Hybrid-Shield, a link verification framework for hybrid SDN link discovery. Hybrid-Shield introduces a novel verification technique that includes: i) monitoring legacy switch and host generated traffic at MHL and ii) validating the existence of legacy switches contained in an MHL. This paper presents the prototype implementation of Hybrid-Shield over a real SDN controller. The experimental evaluation is performed with the mininet virtual network emulation. Our evaluation shows that Hybrid-Shield is capable of detecting MHL fabrication attacks in real-time with high accuracy. Hybrid-Shield’s performance evaluation shows that it is lightweight at the controller as it causes less overhead and requires no additional functionalities at the SDN controller for deployment.</p>

Topology Poisoning Attacks and Prevention in Hybrid Software-Defined Networks

<p>The hybrid software-defined networks (SDN) architectures are beneficial for a smooth transition and less costly SDN deployment. However, legacy switches and SDN switches coexistence brings new challenges of deployment inconsistency management and security. Security is not well studied for hybrid SDN architecture. In this paper, we study the topology poisoning attacks in hybrid SDN for the first time. We propose new attack vectors for link fabrication in hybrid SDN. The new attack is named “multi-hop link fabrication”, in which an adversary successfully injects a fake multi-hop link (MHL) by exploiting the link discovery protocols. We presented the Hybrid-Shield, a link verification framework for hybrid SDN link discovery. Hybrid-Shield introduces a novel verification technique that includes: i) monitoring legacy switch and host generated traffic at MHL and ii) validating the existence of legacy switches contained in an MHL. This paper presents the prototype implementation of Hybrid-Shield over a real SDN controller. The experimental evaluation is performed with the mininet virtual network emulation. Our evaluation shows that Hybrid-Shield is capable of detecting MHL fabrication attacks in real-time with high accuracy. Hybrid-Shield’s performance evaluation shows that it is lightweight at the controller as it causes less overhead and requires no additional functionalities at the SDN controller for deployment.</p>

Addressing Fragmentation and Inconsistency in International Environmental Law Analysis of the Role of Specialised or Treaty Judicial Bodies

This paper analyses the contribution of treaty or specialised judicial bodies to striking problems such as fragmentation and inconsistency within International Environmental Law (IEL) as they fill the gaps in IEL, taking advantage of the absence of an overarching International Environmental Court (IEC) and the indolence of the International Court of Justice (ICJ). It argues that by helping improve the ICJ, they will help resolve IEL&#39;s jurisprudential inconsistency and fragmentation. The paper therefore first explains the sense in which jurisprudential fragmentation and inconsistency underline IEL&#39;s compliance mechanisms, and shows the limits of the state-centripetal approach of the ICJ as a solution to such a problem. Finally, it proposes a state-centrifugal paradigm that stresses how international specialised judicial bodies may help strengthen the ICJ&#39;s fragmentation and inconsistency management functions. To propose this novel approach, this paper employs legal critical methods to expose current gaps in the state-centripetal approach.

INCONSISTENCY MANAGEMENT FOR PRODUCT FAMILIES WITH MANY VARIANTS THROUGH A MODEL-BASED APPROACH IN MODULAR LIGHTWEIGHT DESIGN

In methodical product development, numerous data are used and linked with each other, especially variant-related data. This paper presents a model-based solution for avoiding inconsistencies in the development of product families with many variants and extends it to modular lightweight design. In addition, the inconsistencies in methodical product development were classified and solution approaches were shown. Thus, inconsistencies can be avoided with the presented elaborated data model for an integrated product and process model based on the presented procedure.

Inconsistency Management in Heterogeneous Models - An Approach for the Identification of Model Dependencies and Potential Inconsistencies

In today's engineering projects, interdisciplinary work leads to an increase in interfaces between different departments and domains. As each stakeholder pursues different goals and tasks, a heterogeneous model landscape is required. In each domain, a variety of different model and software implementations provide the essential basis for efficient work. On the interfaces, the risk of model inconsistencies increases. To handle occurring inconsistencies, various approaches have been presented. For model-based systems engineering projects, rule-based methods are considered as the most suitable technique. However, said approaches require a high manual effort in identifying model dependencies and establishing consistency rules. Unfortunately, in particular these steps are not well described and supported. Therefore, this paper presents an easily applicable approach for the identification of model dependencies in interdisciplinary projects. The method is supported by a software implementation and is directly integrated in engineering workflows. A first industrial case study has shown positive effects of the approach and revealed further research goals.

Preference-Based Inconsistency Management in Multi-Context Systems (Extended Abstract)

Establishing information exchange between existing knowledge-based systems can lead to devastating inconsistency. Automatic resolution of inconsistency often is unsatisfactory, because any modification of the information flow may lead to bad or even dangerous conclusions. Methods to identify and select preferred repairs of inconsistency are thus needed. In this work, we leverage the expressive power and generality of Multi-Context Systems (MCS), a formalism for information exchange, to select most preferred repairs, by use of a meta-reasoning transformation. As for computational complexity, finding preferred repairs is not higher than the base case; finding most-preferred repairs is higher, yet worst-case optimal.

Preference-Based Inconsistency Management in Multi-Context Systems

Multi-Context Systems (MCS) are a powerful framework for interlinking possibly heterogeneous, autonomous knowledge bases, where information can be exchanged among knowledge bases by designated bridge rules with negation as failure. An acknowledged issue with MCS is inconsistency that arises due to the information exchange. To remedy this problem, inconsistency removal has been proposed in terms of repairs, which modify bridge rules based on suitable notions for diagnosis of inconsistency. In general, multiple diagnoses and repairs do exist; this leaves the user, who arguably may oversee the inconsistency removal, with the task of selecting some repair among all possible ones. To aid in this regard, we extend the MCS framework with preference information for diagnoses, such that undesired diagnoses are filtered out and diagnoses that are most preferred according to a preference ordering are selected. We consider preference information at a generic level and develop meta-reasoning techniques on diagnoses in MCS that can be exploited to reduce preference-based selection of diagnoses to computing ordinary subset-minimal diagnoses in an extended MCS. We describe two meta-reasoning encodings for preference orders: the first is conceptually simple but may incur an exponential blowup. The second is increasing only linearly in size and based on duplicating the original MCS. The latter requires nondeterministic guessing if a subset-minimal among all most preferred diagnoses should be computed. However, a complexity analysis of diagnoses shows that this is worst-case optimal, and that in general, preferred diagnoses have the same complexity as subset-minimal ordinary diagnoses. Furthermore, (subset-minimal) filtered diagnoses and (subset-minimal) ordinary diagnoses also have the same complexity.