SECURING OF SOFTWARE DEFINED NETWORK CONTROLLERS

US 20160050223A1
Filed: 08/15/2014
Published: 02/18/2016
Est. Priority Date: 08/15/2014
Status: Active Grant

First Claim

Patent Images

1. A method of detecting security attacks and securing a software defined network, said method comprising:

utilizing at least one processor to execute computer code configured to perform the steps of;

intercepting one or more control messages;

extracting information from the one or more control messages to create a global network state model;

determining, from the extracted information, presence of at least one prospective modification to the global network state model; and

thereupon determining whether the at least one prospective modification presents a threat to security of the software defined network.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and arrangements for securing a software defined network. One or more control messages are intercepted. Information is extracted from the one or more control messages to create a global network state model, and there is determined, from the extracted information, presence of at least one prospective modification to the global network state model. Thereupon, a determination is made as to whether the at least one prospective modification presents a threat to security of the software defined network. Other variants and embodiments are broadly contemplated herein.

10 Citations

View as Search Results

20 Claims

1. A method of detecting security attacks and securing a software defined network, said method comprising:
- utilizing at least one processor to execute computer code configured to perform the steps of;
  
  intercepting one or more control messages;
  
  extracting information from the one or more control messages to create a global network state model;
  
  determining, from the extracted information, presence of at least one prospective modification to the global network state model; and
  
  thereupon determining whether the at least one prospective modification presents a threat to security of the software defined network.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The method according to claim 1, comprising:
    - defining a permissible global network state;
      
      said determining whether the at least one prospective modification presents a threat to security comprising recording a deviation from the permissible global network state, and thereupon generating an alert.
  - 3. The method according to claim 2, comprising:
    - obtaining administrator feedback with respect to the alert; and
      
      thereupon augmenting the definition of the permissible global network state.
  - 4. The method according to claim 1, wherein said determining whether the at least one prospective modification presents a threat to security comprises:
    - validating the at least one prospective modification as being secure; and
      
      thereupon permitting passage of the intercepted one or more control messages.
  - 5. The method according to claim 4, wherein said validating comprises validating relative to a previously known permissible global network state.
  - 6. The method according to claim 1, wherein the one or more control messages comprise control messages flowing to one or more network controllers.
  - 7. The method according to claim 6, wherein the one or more network controllers comprises a trusted network controller.
  - 8. The method according to claim 6, wherein the one or more network controllers comprises an untrusted network controller.
  - 9. The method according to claim 6, wherein the one or more control messages flow between at least one network element and the one or more network controllers.
  - 10. The method according to claim 6, wherein the one or more control messages flow between at least one system administrator and the one or more network controllers.
  - 11. The method according to claim 1, wherein said extracting comprises extracting header information.
  - 12. The method according to claim 1, wherein the global network state model is created incrementally.
  - 13. The method according to claim 1, wherein said intercepting comprises intercepting control message packets.
  - 14. The method according to claim 1, wherein said intercepting comprises intercepting and replicating one or more control messages.
  - 15. The method according to claim 1, wherein the one or more control messages comprise one or more control messages determined to be relevant to network security.

16. An apparatus for detecting security attacks and securing a software defined network, said apparatus comprising:
- at least one processor; and
  
  a computer readable storage medium having computer readable program code embodied therewith and executable by the at least one processor, the computer readable program code comprising;
  
  computer readable program code configured to intercept one or more control messages;
  
  computer readable program code configured to extract information from the one or more control messages to create a global network state model;
  
  computer readable program code configured to determine, from the extracted information, presence of at least one prospective modification to the global network state model; and
  
  computer readable program code configured to thereupon determine whether the at least one prospective modification presents a threat to security of the software defined network.

17. A computer program product for detecting security attacks and securing a software defined network, said computer program product comprising:
- a computer readable storage medium having computer readable program code embodied therewith, the computer readable program code comprising;
  
  computer readable program code configured to intercept one or more control messages;
  
  computer readable program code configured to extract information from the one or more control messages to create a global network state model;
  
  computer readable program code configured to determine, from the extracted information, presence of at least one prospective modification to the global network state model; and
  
  computer readable program code configured to thereupon determine whether the at least one prospective modification presents a threat to security of the software defined network.
- View Dependent Claims (18, 19)
- - 18. The computer program product according to claim 17, wherein:
    - said computer readable program code is configured to define a permissible global network state; and
      
      determining whether the at least one prospective modification presents a threat to security comprises recording a deviation from the permissible global network state, and thereupon generating an alert.
  - 19. The computer program product according to claim 17, wherein determining whether the at least one prospective modification presents a threat to security comprises:
    - validating the at least one prospective modification as being secure; and
      
      thereupon permitting passage of the intercepted one or more control messages.

20. A method comprising:
- intercepting one or more control messages flowing to one or more network controllers, the one or more control messages comprising one or more control messages determined to be relevant to network security;
  
  extracting information from the one or more control messages to create a global network state model;
  
  defining a permissible global network state; and
  
  determining whether at least one prospective modification to the global network state model presents a threat to security, via;
  
  recording a deviation from the permissible global network state; and
  
  thereupon generating an alert.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Mann, Vijay, Dhawan, Mohan, Mahajan, Kshiteej S., Poddar, Rishabh

Granted Patent

US 9,497,207 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 63/1425 Traffic logging, e.g. anoma...

H04L 63/1441 Countermeasures against mal...

SECURING OF SOFTWARE DEFINED NETWORK CONTROLLERS

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

10 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

SECURING OF SOFTWARE DEFINED NETWORK CONTROLLERS

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

10 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links