Annual Computer Security Applications Conference (ACSAC) 2022

Full Program »

Heimdallr: Fingerprinting SD-WAN Control-Plane Architecture via Encrypted Control Traffic

Software-defined wide area network (SD-WAN) has emerged as a new paradigm for steering a large-scale network flexibly by adopting distributed software-defined network (SDN) controllers. The key to building a logically centralized but physically distributed control-plane is running diverse cluster management protocols to achieve consistency through an exchange of control traffic. Meanwhile, we observe that the control traffic exposes unique time-series patterns and directional relationships due to the operational structure even though the traffic is encrypted, and this pattern can disclose confidential information such as control-plane topology and protocol dependencies, which can be exploited for severe attacks. With this insight, we propose a new SD-WAN fingerprinting system, called Heimdallr. It analyzes periodical and operational patterns of SD-WAN cluster management protocols and the context of flow directions from the collected control traffic utilizing a deep learning-based approach, so that it can classify the cluster management protocols automatically from miscellaneous control traffic datasets. Our evaluation, which is performed in a realistic SD-WAN environment consisting of geographically distant three campus networks and one enterprise network shows that Heimdallr can classify SD-WAN control traffic with ≥ 93%, identify individual protocols with ≥ 80% macro F-1 scores, and finally can infer control-plane topology with ≥ 70% similarity.

Minjae Seo
The Affiliated Institute of ETRI

Jaehan Kim

Eduard Marin
Telefonica Research

Myeongsung You

Taejune Park
Chonnam National University

Seungsoo Lee
Incheon National University

Seungwon Shin

Jinwoo Kim
Kwangwoon University

Paper (ACM DL)



Powered by OpenConf®
Copyright©2002-2023 Zakon Group LLC