1. Introduction
In recent years, Software-Defined Networking (SDN) has attracted great attention as an emerging future network architecture in fields such as 5G mobile networks and cloud services. The main difference between SDN and traditional network architectures is that its control plane is decoupled from the forwarding plane, and the control plane is programmable. With these SDN features, the switches in SDN networks become simple forwarding devices, while the control plane is implemented in a logically centralized mode. All of this helps to simplify policy enforcement and makes network configuration and evolution easy [1,2,3,4,5,6].
On the other hand, today's mobile customers desire to remain connected anywhere, at any time, and using any device. This has triggered the investigation of 5G for the next generation of terrestrial mobile telecommunications. In this context, SDN-based Mobile Networks (SDN-MNs) have emerged as a future architecture for 5G [7,8,9,10,11]. SDN-MNs tend to connect all kinds of smart devices and interconnect other heterogeneous networks. More network devices, more types of network devices and more complex network connections are included in the SDN-MN concept. This makes SDN-MNs more diverse and complicated than other networks.
Along with the benefits of SDN-MNs, the centralized control and programmability properties also introduce new properties into the network, together with new security challenges. Because SDN-MNs provide the ability to directly program the whole network and to create dynamic flow policies instantly according to the current network context, a virtual property is introduced into SDN-MNs and a dynamic property follows from it. Moreover, SDN has triggered significant interest in network function virtualization (NFV) [10]. NFV also brings programmability into its application networks. The programmability of SDN and NFV makes SDN-MNs more dynamic than traditional networks. Besides the dynamic nature brought by SDN and NFV, the services and endpoint equipment are mobile in 5G networks. The connectivity is also context-aware, depending on the applications in 5G networks, and is thus not predictable. All of these characteristics of 5G networks make SDN-MNs very dynamic.
The aforementioned dynamic nature and complexity of SDN-MNs lead to new challenges for security assessment in SDN-MNs. To defend this type of network, the security methodology must address its dynamic nature and complexity. A number of security studies for SDN have recently been performed [12,13,14,15,16]. These works have found that the novel relationships among SDN elements introduce new vulnerabilities, some of which are only present in SDN networks. For example, in the OpenFlow switch specification, Transport Layer Security (TLS) with mutual authentication is used between the controllers and their switches, but this security feature is optional and the specification does not prescribe a standard TLS configuration. Benton et al. [14] found that OpenFlow is vulnerable to man-in-the-middle (MITM) attacks if TLS is not used, and that, due to its inherently centralized design, OpenFlow is in danger of Denial of Service (DoS). A high-level analysis of the overall security of SDN networks is discussed in [15]. The authors find that new threats are introduced and new response methods are needed because of the inherent properties of the centralized design and programmability of SDN networks.
A comprehensive map of the security attack vectors of SDN is illustrated in Figure 1. Several attack vectors exist in applications, controllers, network elements and the links or traffic between them. Some of the attacks are common to all types of networks, such as the attack vectors on applications and network elements, but some of them only exist in SDN, such as the attack vectors on the SDN controller and on the control links between the controller and network elements.
Figure 1. Security attack vectors of SDNs.
There is already a lot of research focusing on traditional network security assessment. In the earlier period, security assessment methods were only applicable to isolated components. However, as multi-stage attacks have become the most harmful network security threats, these methods are no longer enough, because they did not consider the security holes introduced by the interconnection of local vulnerabilities [17]. To address the problem of security holes, attack graphs have been proposed as security assessment methods that build security models of network systems [17,18,19,20,21]. In the research of Dantu et al. [22], attack graphs are used to model network vulnerabilities, and a risk analysis is then performed by a Bayesian method. A Bayesian method is also used to model potential attack paths in a system by Liu and Man in [23]. Based on the background knowledge of the attacker, including the attack mechanism, they develop algorithms to compute attack paths. Poolsappasit et al. [24] use a Bayesian method to quantify the chances of network compromise. Moreover, they develop a security mitigation and management plan according to these results.
However, none of them can be applied directly in SDN-MNs, because they only focus on traditional networks and do not take the special properties of SDN-MNs into consideration. Firstly, these methods are only suitable for relatively static networks; they do not take the dynamic nature of SDN-MNs into consideration. Secondly, the traditional attack graph generation algorithms are only suitable for relatively simple networks. When the network becomes more complex, the efficiency of these algorithms decreases greatly, so these traditional methods cannot deal with the diversity and complexity of SDN-MNs.
Based on the aforementioned analysis, an effective security assessment mechanism for SDN-MNs that considers their distinctive features is necessary. Firstly, a methodology to measure the total security level of SDN-MNs is needed. When SDN-MNs interconnect nodes in the network, local vulnerabilities introduce new security holes because of this connectivity [17]. This methodology needs to deal not only with the security holes, but also with the diversity and complexity of SDN-MNs. Secondly, a way to quantify the influence of the dynamic properties of SDN-MNs is important as well, so besides the methodology, which factors influence SDN-MN security assessments, and how, must be taken into consideration.
To address these problems, a security assessment scheme for SDN-MNs using attack graphs and an Analytic Hierarchy Process (AHP) is proposed. The rest of the paper is organized as follows: a background on mobile network architectures and SDN-MNs is introduced in Section 2. The structure of the proposed security assessment methodology is described in Section 3. Section 4 presents the details of the proposed attack graph model and the attack graph generation algorithm. The Node Minimal Effort (NME) attack graph quantification method considering the dynamic factors in SDN-MNs is discussed in Section 5. In Section 6, a case study is illustrated. Finally, we conclude the paper in Section 7.
2. Background
In the past few years, data traffic in mobile networks has seen explosive growth. The Long Term Evolution (LTE) network architecture has been adopted to meet this evolution, and nowadays the LTE architecture has been widely adopted by mobile service providers around the world [9,10,11,12,13].
Figure 2 illustrates the LTE architecture proposed by the 3rd Generation Partnership Project (3GPP). It is composed of the LTE core network called the evolved packet core (EPC) and Evolved Universal Terrestrial Radio Access Network (E-UTRAN). EPC includes the packet data network gateway (P-GW), the serving gateway (S-GW) and so on.
Although it significantly improves network performance, LTE creates some new problems. Because all traffic goes through the P-GW in the EPC, the P-GW becomes a bottleneck when extending the mobile network, and because each device in this architecture uses specialized hardware and software, introducing new network functionalities into LTE greatly increases the time and equipment costs of the operators.
In order to address these challenges, much recent research has proposed and discussed new mobile network architectures for 5G based on Software-Defined Networking [9,10,11,12,13].
Figure 2. LTE network architecture.
For example, MobileFlow, illustrated in Figure 3, is proposed as an SDN-based mobile network architecture in [10]. The key components in the MobileFlow architecture are the MobileFlow controller and the MobileFlow forwarding engine (MFFE). Similar to the SDN architecture, MobileFlow separates mobile network control from all user plane elements. MFFEs are interconnected by the IP network and are fully software driven. MobileFlow uses the OpenFlow protocol for communication between controllers and switches and supports network layer tunneling. This makes MobileFlow much simpler than traditional EPS elements.
Figure 3. The MobileFlow network architecture.
In [9], the authors propose an SDN-based architecture for mobile networks named Software-Defined Wireless Networks (SDWN). In the SDWN architecture, programmability is widely introduced into Radio Access Networks (RANs) and the core transport. An API is provided in order to allow third parties to control the network.
In [13], the authors propose another SDN-based mobile network architecture named Cellular SDN (CSDN). In the CSDN architecture, radio access networks allow the orchestration of resources using SDN and NFV techniques. Additionally, these techniques are leveraged for service orchestration.
3. Basics of Security Assessment Methodology
To provide a novel and complete methodology supporting the security assessment of SDN-MNs, there are two main questions that need to be considered. The first one is how to construct a complete security assessment methodology that takes the distinctive features of SDN-MNs into consideration. That means the methodology must not only take their dynamic nature into consideration, but also improve the efficiency of the security assessment to address the complexity of SDN-MNs. The second one is how to quantify the security level of the network with regard to the various dynamic factors in SDN-MNs.
To construct the assessment methodology, we propose a novel attack graph modeling method that takes the dynamic properties of SDN-MNs into consideration. To address the problem of attack graph scalability caused by the complexity of SDN-MNs, we propose a novel attack graph generation algorithm.
To quantify the security level of an SDN-MN, we define the NME, which is used to derive the network security level. Calculating the NME with regard to the dynamic factors in an SDN-MN is a multiple criteria decision-making problem. We integrate AHP and the Technique for Order Preference by Similarity to an Ideal Solution (TOPSIS) to solve this problem. Expert knowledge is critical in the proposed methodology because AHP is a subjective method. The security assessment expert must know both AHP and the SDN-MN itself well. He or she can then construct an AHP structure and assign the matrices according to the information collected from the network. The structure of the security assessment for SDN-MNs is illustrated in Figure 4.
Figure 4. Basic idea of security assessment for SDN-MNs.
4. Modeling Network Attack Using Attack Graph
An attack graph is defined as a collection of all scenarios by which an attacker can achieve a goal against a target system [24,25]. As mentioned before, many models and methods have been proposed to represent multi-stage network attacks and generate attack graphs. These attack graph generation algorithms share a common efficiency problem; since SDN-MNs are often diverse and complicated, an efficient attack graph generation algorithm is a must.
4.1. Definition of Attack Graph and Generation Algorithm
To define and generate attack graphs for SDN-MNs, we use previous work of our group, which proposed an attack graph generation algorithm to address the efficiency problem [26].
The basic concepts of attack graph are defined as follows:
Definition 1: Attack Graph. An attack graph is defined as a tuple . In the definition, denotes Action objects, denotes State objects and denotes Goal objects. Also denotes backward pointers. Finally, denotes forward pointers.
The attack graph definition is shown in Figure 5. In Figure 5, solid lines denote forward pointers and dotted lines denote backward pointers. Rings identify the instances of State objects, squares represent the instances of Action objects, and triangles represent the instances of Goal objects.
Figure 5. Attack graph definition for SDNs.
In the example, state0 is the initial security state of the network. When action a1 or a2 is performed, the security state transfers to state1. Based on state1, if the attacker performs action a3, the security state continues to transfer to state3. At the end, the attacker reaches the attack goal. The rest of the attack graph has the same meaning.
According to the definition of attack graph given above, the attack graph generation algorithm generates attack graphs based on a network knowledge base. The network knowledge base includes vulnerabilities, network connectivity, etc. We use a "state evolution process" algorithm to generate attack graphs. The state evolution process is illustrated in Figure 6.
Figure 6. State evolution process for an attack graph.
State objects evolve recursively in the process until the termination condition is met. In each cycle, the process applies all possible malicious actions. The process includes the following function entities:
- (1) Privilege propagation entity: the privilege propagation function entity is responsible for propagating privileges according to the current network state.
- (2) Connectivity analysis entity: the connectivity analysis function entity first analyzes the network topology and filtering policy information and then produces the connectivity between any two nodes.
- (3) Exploits execution entity: the exploits execution function entity tries to apply all exploit objects to the state objects.
- (4) Backward marking entity: the backward marking function entity removes all the former marks. After actions are applied, it marks re-satisfied items with a fresh mark for the consequences.
- (5) Graph building entity: the graph building function entity generates a forward pointer or backward pointer according to the actions' trigger.
- (6) Goal check entity: the goal check function entity confirms whether the attack is successful in the current security context.
- (7) Termination check entity: the termination check function entity confirms whether the process has no more ways to evolve. The process is terminated once no new forward pointer can be created. After a complete procedure, the generated attack graph is derived. For more detailed information about the sub-modules of the process, readers can refer to [26].
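As an added illustration of the state evolution process (this is not code from the paper or from [26]), the following Python sketch runs the function entities above over a constructed knowledge base: hosts carry placeholder vulnerability identifiers, a topology plus a filtering policy feed the connectivity analysis entity, exploit templates feed the exploit execution entity, privilege propagation keeps the highest level reached per host, the graph building entity records forward and backward pointers, and the loop terminates when no state can produce a new forward pointer. All host names, vulnerability ids, ports and exploit names are assumptions.

```python
from dataclasses import dataclass, field

# Privilege levels a host can be held at, ordered for propagation.
LEVELS = {"none": 0, "user": 1, "root": 2}


@dataclass(frozen=True)
class Exploit:
    """A remote exploit template (constructed, hypothetical names)."""
    name: str
    vuln: str      # vulnerability id the destination host must carry
    port: int      # service port that must be reachable through the filtering policy
    needs: str     # privilege level required on the source host
    gives: str     # privilege level gained on the destination host


@dataclass
class KnowledgeBase:
    """Network knowledge base: vulnerabilities per host, topology and filtering policy."""
    hosts: dict    # host -> set of vulnerability ids
    links: set     # undirected physical links (src, dst)
    allow: set     # filtering policy: permitted (src, dst, port) triples
    exploits: list


@dataclass
class Action:
    name: str
    exploit: str
    src: str
    dst: str
    from_state: str
    to_state: str


@dataclass
class AttackGraph:
    states: dict = field(default_factory=dict)    # state id -> frozenset of (host, level)
    actions: list = field(default_factory=list)
    forward: dict = field(default_factory=dict)   # state id -> names of actions it enables
    backward: dict = field(default_factory=dict)  # action name -> state id it came from
    goals: set = field(default_factory=set)       # state ids in which the goal holds


def connected(kb, src, dst, port):
    """Connectivity analysis entity: a link exists and the filtering policy permits the port."""
    linked = (src, dst) in kb.links or (dst, src) in kb.links
    return linked and (src, dst, port) in kb.allow


def propagate(state, host, level):
    """Privilege propagation entity: a host keeps the highest privilege level reached."""
    best = dict(state)
    if LEVELS[level] > LEVELS[best.get(host, "none")]:
        best[host] = level
    return frozenset(best.items())


def applicable_exploits(kb, state):
    """Exploit execution entity: every exploit whose preconditions hold in this state."""
    for src, level in sorted(state):
        for dst in sorted(kb.hosts):
            if dst == src:
                continue
            for e in kb.exploits:
                if (e.vuln in kb.hosts[dst] and LEVELS[level] >= LEVELS[e.needs]
                        and connected(kb, src, dst, e.port)):
                    yield e, src, dst


def generate_attack_graph(kb, attacker_host, goal):
    """State evolution process: evolve states until no new forward pointer can be created."""
    graph = AttackGraph()
    initial = frozenset({(attacker_host, "root")})
    ids = {initial: "state0"}
    graph.states["state0"] = initial
    frontier = [initial]
    while frontier:                      # termination check entity: frontier empty -> stop
        state = frontier.pop(0)
        sid = ids[state]
        if goal in state:                # goal check entity
            graph.goals.add(sid)
            continue
        for e, src, dst in applicable_exploits(kb, state):
            new_state = propagate(state, dst, e.gives)
            if new_state == state:       # no privilege gained: no new pointer
                continue
            if new_state not in ids:
                ids[new_state] = f"state{len(ids)}"
                graph.states[ids[new_state]] = new_state
                frontier.append(new_state)
            name = f"a{len(graph.actions) + 1}"
            graph.actions.append(Action(name, e.name, src, dst, sid, ids[new_state]))
            graph.forward.setdefault(sid, []).append(name)   # graph building entity
            graph.backward[name] = sid
    return graph


# Constructed knowledge base: three hosts with placeholder vulnerability ids.
# The attacker-to-core link exists physically but port 22 is filtered on it.
KB = KnowledgeBase(
    hosts={"attacker": set(), "edge": {"VULN-EDGE"}, "core": {"VULN-CORE"}},
    links={("attacker", "edge"), ("edge", "core"), ("attacker", "core")},
    allow={("attacker", "edge", 80), ("edge", "core", 22)},
    exploits=[Exploit("exp_edge", "VULN-EDGE", 80, "user", "user"),
              Exploit("exp_core", "VULN-CORE", 22, "user", "root")],
)

if __name__ == "__main__":
    g = generate_attack_graph(KB, "attacker", ("core", "root"))
    for a in g.actions:
        print(f"{a.from_state} --{a.name}:{a.exploit} {a.src}->{a.dst}--> {a.to_state}")
    print("goal states:", sorted(g.goals))
```

Because a state is the set of privileges held and privileges only ever grow, every new forward pointer leads to a strictly larger state, so the evolution is finite and the generated graph is acyclic. The filtering policy is what prevents a direct attacker-to-core action here: the link is present, but `connected()` rejects it, so the only path is the two-step one through the edge host.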
4.2. Node Minimal Effort
Attack cost is the expense for an attacker to achieve an attack goal. We use attack cost in attack graphs to quantify the security level of the network. Namely, when the attack cost is higher, the network is more secure and vice versa. Normally, there are several actions in one attack behavior. We define action cost to designate the expense for an attacker to perform an action. To evaluate the attack cost of an attack path, we define NME for the nodes in the attack graph:
Definition 2: In an attack graph, NME is the minimal attack cost to reach a node.
There are two types of nodes in our attack graph definition, namely state nodes and action nodes. In general, the minimal effort of a state node is the attack cost of the attack path that leads to the state node. If several attack paths lead to the state node, the minimal effort of the state is the minimal attack cost among those attack paths. Because of the AND relation, the minimal effort of an action node equals the sum of the NMEs of all its prerequisite nodes plus the action cost of the action itself.
Let min_effort denote NME; min_effort is calculated as follows:
where
denotes an instance of the prerequisite nodes of
.
where
denotes an instance of the prerequisite nodes of
, and
denotes the attack cost of
.
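The two NME rules above (a state node takes the minimum over the action nodes leading to it, an action node takes the sum of its prerequisite NMEs plus its own action cost) can be computed by a fixed-point relaxation over the graph, which also works when the graph contains cycles because efforts only ever decrease. The following Python is an added example, not the paper's own code; the action names, costs and graph shape are constructed to mirror the Figure 5 description, and the AND action a5 together with state2 and state4 are assumptions added to exercise the AND rule.

```python
from dataclasses import dataclass
from math import inf


@dataclass(frozen=True)
class ActionNode:
    """An action node: an AND over its prerequisite states, plus its own action cost."""
    name: str
    cost: float
    prerequisites: tuple      # backward pointers to the state nodes it requires
    consequence: str          # forward pointer to the state node it produces


def node_minimal_effort(initial, actions):
    """Compute NME for every state and action node by fixed-point relaxation.

    state NME  = minimum NME over the action nodes that lead to it (OR relation)
    action NME = sum of NMEs of its prerequisite state nodes + its action cost (AND relation)
    The initial state has NME 0; nodes that stay at inf are unreachable.
    """
    state_nme = {initial: 0.0}
    for a in actions.values():
        for s in (*a.prerequisites, a.consequence):
            state_nme.setdefault(s, inf)
    action_nme = {name: inf for name in actions}
    changed = True
    while changed:                       # monotone decrease, so this terminates
        changed = False
        for name, a in actions.items():
            effort = a.cost + sum(state_nme[p] for p in a.prerequisites)
            if effort < action_nme[name]:
                action_nme[name] = effort
                changed = True
            if effort < state_nme[a.consequence]:
                state_nme[a.consequence] = effort
                changed = True
    return state_nme, action_nme


def cheapest_attack_path(target, actions, state_nme, action_nme):
    """Walk backward pointers from target, picking the action that realises each state's NME.

    Returns action names in the order an attacker would perform them; AND prerequisites
    are expanded recursively and an action shared by two branches is listed once.
    """
    if state_nme.get(target, inf) == inf:
        raise ValueError(f"{target} is unreachable")
    path, seen = [], set()

    def visit(state):
        candidates = [a for a in actions.values() if a.consequence == state]
        if not candidates:               # the initial state has no incoming action
            return
        best = min(candidates, key=lambda a: action_nme[a.name])
        if best.name in seen:
            return
        seen.add(best.name)
        for p in best.prerequisites:
            visit(p)
        path.append(best.name)

    visit(target)
    return path


# Constructed graph in the shape described for Figure 5 (names and costs are assumed):
# state1 is reached by either a1 or a2, a3 leads on to state3 and a4 to the goal;
# a5 is an AND action that needs both state1 and state2 (state2 is reached via a6).
ACTIONS = {
    "a1": ActionNode("a1", 3.0, ("state0",), "state1"),
    "a2": ActionNode("a2", 5.0, ("state0",), "state1"),
    "a3": ActionNode("a3", 4.0, ("state1",), "state3"),
    "a4": ActionNode("a4", 2.0, ("state3",), "goal"),
    "a6": ActionNode("a6", 6.0, ("state0",), "state2"),
    "a5": ActionNode("a5", 1.0, ("state1", "state2"), "state4"),
}

if __name__ == "__main__":
    states, acts = node_minimal_effort("state0", ACTIONS)
    for s in sorted(states):
        print(f"NME({s}) = {states[s]}")
    print("cheapest path to goal:", cheapest_attack_path("goal", ACTIONS, states, acts))
```

Two points worth noting when using this as a security metric. First, the OR rule means a state's NME is only as high as its cheapest incoming action (here a1 at cost 3 beats a2 at cost 5), so hardening a single expensive path does not raise the network security level while a cheaper alternative remains. Second, the AND rule sums the prerequisite NMEs, so when two prerequisites share a common prefix that prefix is counted once per prerequisite; this is a conservative reading of the definition rather than a property of the network.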