Inferring Network Infrastructure and Session Information through Network Analysis
eScholarship
Open Access Publications from the University of California

UC Davis Electronic Theses and Dissertations

Abstract

An adversary can be a resourceful entity that obtains information (e.g. the design of a network's infrastructure) that is intentionally hidden in order to prevent a wide range of exploits. Similarly, an adversary can be a monitoring entity that, through the network's design, prevents users from freely accessing the Internet. This leads to two questions. Does a reconnaissance methodology exist that infers the load balancing algorithm operating within a network's infrastructure, and can network sessions be identified by an adversary (monitoring entity) with and without protocol obfuscation? Software-Defined Networking (SDN) was used to construct a network with a load balancing algorithm because it separates the control plane from the data plane. The control plane makes all of the routing decisions for the network through a special device called a controller. Because the controller is a critical component of the network, we built an SDN network with multiple controllers and a load balancing algorithm that distributes the processing load among them. We performed a controller side-channel attack that analyzes a packet's response time in order to 1) determine the number of controllers operating within the SDN network, 2) infer the load balancing algorithm in use, and 3) identify the OS scheduler as the environment's bottleneck. We then expanded the ability to mask information from an adversary or monitoring entity by studying protocol obfuscation. We focused on protocol obfuscation rather than encryption alone because it is more difficult for a monitoring entity to detect that protocol obfuscation is in use than to detect that a connection is encrypted. To be precise, we obfuscated the SSH protocol by exchanging its traffic inside PDFs. We examined how a monitoring entity (i.e. an adversary) can classify an SSH session, with and without PDF obfuscation, based on the characteristics of the protocol.
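The controller side channel described in the abstract, as an added example that is not code from the thesis. It assumes a simplified probe model: every probe creates a new flow, the switch raises a packet-in to whichever controller the load balancer selects, and the attacker sees only the round-trip time. The controller service times, the scheduling jitter and the two load-balancing policies are constructed assumptions; the inference step (finding the period of the response-time series, then counting latency levels) is the part worth studying.

```python
"""Timing side channel against a load-balanced SDN control plane.

Added example; this is not code from the thesis. It assumes a simplified
probe model: every probe creates a new flow, so the switch sends a
packet-in to whichever controller the load balancer selects, and the
attacker observes only the round-trip time. The controller delays and the
scheduling jitter below are constructed values, not measurements.
"""
import random
from statistics import mean, pvariance

# Constructed: three controllers with distinct, stable service times (ms).
CONTROLLER_DELAYS_MS = [2.0, 5.5, 9.0]


def simulate_rtts(delays, policy, n_probes=240, jitter_ms=0.2, seed=1):
    """Return the round-trip times (ms) an attacker would observe for
    n_probes probes under the given load-balancing policy.

    policy: "round_robin" (probe i goes to controller i mod N) or
            "random" (uniformly random controller per probe).
    Gaussian jitter stands in for OS-scheduler noise on the controller host.
    """
    rng = random.Random(seed)
    rtts = []
    for i in range(n_probes):
        if policy == "round_robin":
            ctrl = i % len(delays)
        elif policy == "random":
            ctrl = rng.randrange(len(delays))
        else:
            raise ValueError(f"unknown policy {policy!r}")
        rtts.append(delays[ctrl] + rng.gauss(0.0, jitter_ms))
    return rtts


def periodic_fit_error(rtts, k):
    """Mean variance inside each of the k phase classes rtts[p::k].

    Under round robin over k controllers, probes p, p+k, p+2k, ... all hit
    the same controller, so every phase class collapses to one delay plus
    jitter and the error is small. For any other k the classes mix
    controllers and the error stays close to the total variance.
    """
    return mean(pvariance(rtts[p::k]) for p in range(k))


def infer_controller_count(rtts, max_k=8, ratio=0.05):
    """Smallest period k that explains the series, or None if no period
    up to max_k does (i.e. the assignment is not round robin)."""
    total = pvariance(rtts)
    for k in range(1, max_k + 1):
        if periodic_fit_error(rtts, k) < ratio * total:
            return k
    return None


def count_latency_clusters(rtts, gap_ms=1.5):
    """Policy-independent count of distinct latency levels: sort the RTTs
    and start a new cluster wherever neighbours differ by more than gap_ms.
    Works for random assignment too, as long as controller delays differ
    by more than the jitter."""
    ordered = sorted(rtts)
    return 1 + sum(1 for a, b in zip(ordered, ordered[1:]) if b - a > gap_ms)


def infer_load_balancer(rtts):
    """Classify the policy and the controller count from the RTT series."""
    period = infer_controller_count(rtts)
    levels = count_latency_clusters(rtts)
    if period is not None and period == levels:
        return "round_robin", levels
    return "non_periodic", levels


if __name__ == "__main__":
    for policy in ("round_robin", "random"):
        observed = simulate_rtts(CONTROLLER_DELAYS_MS, policy)
        print(policy, "->", infer_load_balancer(observed))
```

The two estimators are deliberately independent: the period test only fires for round robin, while the cluster count works for any policy whose controllers have distinguishable delays. If jitter grows to the order of the gap between controller delays (the OS-scheduler bottleneck the abstract names), the cluster count degrades first, which is a useful sanity check when interpreting real measurements.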
Throughout our experiments we observed inter-packet delay characteristics that appeared consistently across the environments, but packet size proved to be the more reliable metric for analysis because of the similar patterns seen across the environments and network sessions. We argue that an obfuscation program has to hide both the target data and the target protocol's characteristics so that a user can completely and holistically hide their network session from a monitoring entity.
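The packet-size argument above, as an added example that is not code from the thesis and does not reproduce its measurements. The traces are constructed: the keystroke and echo sizes, the per-packet overhead of a naive PDF wrapper, the fixed-size padding alternative and the bulk PDF download are all assumptions, chosen to show why hiding the payload is not the same as hiding the protocol's size characteristics.

```python
"""Packet-size fingerprinting of an SSH session with and without a
PDF-wrapping obfuscator.

Added example; this is not code from the thesis and it does not reproduce
its measurements. The traces are constructed: the keystroke/echo sizes,
the PDF wrapper overhead and the bulk transfer are assumptions chosen to
show why hiding the payload is not the same as hiding the protocol's
packet-size characteristics.
"""
import random
from collections import Counter


def interactive_ssh_trace(n_keys=60, seed=7):
    """Constructed interactive SSH session: each keystroke produces a small
    client packet and a small server echo; every tenth keystroke also
    triggers a larger screen update. Sizes are assumed, not captured."""
    rng = random.Random(seed)
    sizes = []
    for i in range(n_keys):
        sizes.append(rng.choice([36, 52]))        # encrypted keystroke
        sizes.append(rng.choice([52, 68]))        # server echo
        if i % 10 == 9:
            sizes.append(rng.randint(400, 1400))  # screen redraw
    return sizes


def wrap_in_pdf(sizes, overhead=220):
    """Naive obfuscator: each SSH packet is carried inside a minimal PDF.
    The payload is hidden, but every packet just grows by a fixed overhead,
    so the small/large step pattern survives intact."""
    return [s + overhead for s in sizes]


def pad_to_fixed(sizes, block=1200):
    """Shaping obfuscator: every packet is padded to one constant size,
    which removes the size characteristic (at a bandwidth cost)."""
    return [block] * len(sizes)


def bulk_pdf_trace(n_bytes=300_000, mss=1448):
    """Constructed genuine PDF download: full-size segments plus one
    trailing short segment."""
    full, rest = divmod(n_bytes, mss)
    return [mss] * full + ([rest] if rest else [])


def size_features(sizes):
    """Features a monitoring entity can compute from packet sizes alone."""
    n = len(sizes)
    mode = Counter(sizes).most_common(1)[0][0]
    # Share of packets within 64 bytes of the most common size: high for
    # keystroke-driven traffic, where nearly everything is a tiny packet.
    mode_mass = sum(abs(s - mode) <= 64 for s in sizes) / n
    # Typical packet relative to the largest one seen: near 1.0 for bulk
    # transfers and fixed-size padding, far below 1.0 for interactive use.
    median_over_max = sorted(sizes)[n // 2] / max(sizes)
    return {"mode": mode, "mode_mass": mode_mass,
            "median_over_max": median_over_max}


def looks_like_interactive_ssh(sizes):
    """Classifier rule (assumed thresholds): mostly near-identical small
    packets punctuated by occasional much larger ones."""
    f = size_features(sizes)
    return f["mode_mass"] > 0.6 and f["median_over_max"] < 0.6


if __name__ == "__main__":
    ssh = interactive_ssh_trace()
    traces = [("plain ssh", ssh), ("pdf-wrapped ssh", wrap_in_pdf(ssh)),
              ("padded ssh", pad_to_fixed(ssh)), ("bulk pdf", bulk_pdf_trace())]
    for name, trace in traces:
        print(f"{name:16s} {size_features(trace)} "
              f"-> interactive ssh? {looks_like_interactive_ssh(trace)}")
```

The features are relative (distance from the dominant size, median over maximum) rather than absolute byte thresholds, which is why a wrapper that only adds a constant overhead does not help: the shape of the distribution is unchanged. Padding to a fixed size defeats this particular classifier, but it does nothing about the inter-packet delay characteristics the abstract also mentions, so a monitoring entity with timing data would need a separate countermeasure.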
