ChainPatrol: Balancing Attack Detection and Classification with Performance Overhead for Service Function Chains Using Virtual Trailers

Authors: 

Momen Oqaily and Hinddeep Purohit, CIISE, Concordia University; Yosr Jarraya, Ericsson Security Research; Lingyu Wang, CIISE, Concordia University; Boubakr Nour and Makan Pourzandi, Ericsson Security Research; Mourad Debbabi, CIISE, Concordia University

Abstract: 

Network functions virtualization enables tenants to outsource their service function chains (SFCs) to third-party clouds for better agility and cost-effectiveness. However, outsourcing may limit tenants' ability to directly inspect cloud-level deployments to detect attacks on SFC forwarding paths, such as network function bypass or traffic injection. Existing solutions requiring direct cloud access are unsuitable for outsourcing, and adding a cryptographic trailer to every packet may incur significant performance overhead over large flows. In this paper, we propose ChainPatrol, a lightweight solution for tenants to continuously detect and classify cloud-level attacks on SFCs. Our main idea is to "virtualize'' cryptographic trailers by encoding them as side-channel watermarks, such that they can be transmitted without adding extra bits to packets. We tackle several key challenges like encoding virtual trailers within the limited side channel capacity, minimizing packet delay, and tolerating unexpected network jitters. We implement our solution on Amazon EC2, and our experiments with real-life data and applications demonstrate that ChainPatrol can achieve a better balance between security (e.g., 100% detection accuracy and 70% classification accuracy) and overhead (e.g., almost zero increased traffic and negligible end-to-end delay) than existing works (e.g., up to 45% overhead reduction compared to a state-of-the-art solution).

Open Access Media

USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.

BibTeX
@inproceedings {299671,
author = {Momen Oqaily and Hinddeep Purohit and Yosr Jarraya and Lingyu Wang and Boubakr Nour and Makan Pourzandi and Mourad Debbabi},
title = {{ChainPatrol}: Balancing Attack Detection and Classification with Performance Overhead for Service Function Chains Using Virtual Trailers},
booktitle = {33rd USENIX Security Symposium (USENIX Security 24)},
year = {2024},
isbn = {978-1-939133-44-1},
address = {Philadelphia, PA},
pages = {3441--3458},
url = {https://www.usenix.org/conference/usenixsecurity24/presentation/oqaily},
publisher = {USENIX Association},
month = aug
}

Presentation Video