Anomaly Detection in Atm-Grade Software Defined Networks

The Federal Aviation Administration (FAA) and Air Navigation Service Providers (ANSPs) around the world are looking to share data and get interconnected with each other as well as data service consumers. This interconnectivity enables new functionality but also new attack vectors.Today, agencies mostly rely on commercial security solutions providing adequate protection for commercial data services but have deficiencies when it comes to the Air Traffic Management (ATM) environment with its requirement for highest resilience, multi-level redundancies, and dynamic environment.This paper introduces a novel approach to create an ATM-grade baseline integrating operational security events (OSE) and alerts (OSA) based on abnormal or malicious network traffic. An assured and trusted baseline is key to detecting atypical or malicious traffic. A testbed has been developed that models the regular ATM-grade IP-network behavior. The sample configuration uses open source stacks ElastiFlow, and SELKS to provide network flow data collection and visualization and demonstrate resilience against hacking attempts via unauthorized communication and protocols between nodes, unauthorized configuration changes via distribution of parameters to network nodes, as well as detection of malicious communication attempts from unauthorized devices on the network. A Software Defined Network (SDN) architecture is chosen as it features a programmable, efficient network configuration improving network performance and monitoring. The OpenFlow protocol is used to provide the control plane in the testbed. Data flows will be modeled as synchronous as well as asynchronous. Vulnerabilities are then identified, attack scenarios defined and applied to the testbed setup. The available SDN platform tools are then used to detect the anomalies. Sets of experiments are performed and the results compared and discussed.