def unmirror_ip_app_from_ids(controller, ovs_node, table_id, ips, application):
if len(application) == 2:
proto_name = application[0]
_, proto_number = ip_proto(proto_name)
port = application[1]
for ip in ips:
does_flow_exist = False
for ip_dir in directions:
for port_dir in directions:
flow_id = 'iippp_{0}_{1}_{2}_{3}_{4}'.format(ip_dir, ip, proto_name, port_dir, port)
if controller.flow_exists_in_config(ovs_node, table_id, flow_id):
controller.delete_config_flow(ovs_node, table_id, flow_id)
if controller.flow_exists_in_operational(ovs_node, table_id, flow_id):
controller.delete_operational_flow(ovs_node, table_id, flow_id)
else:
does_flow_exist = True
break
if does_flow_exist == True:
break
elif len(application) == 1:
proto_name = application[0]
_, proto_number = ip_proto(proto_name)
for ip in ips:
for ip_dir in directions:
flow_id = 'iip_{0}_{1}_{2}'.format(ip_dir, ip, proto_name)
if controller.flow_exists_in_config(ovs_node, table_id, flow_id):
controller.delete_config_flow(ovs_node, table_id, flow_id)
if controller.flow_exists_in_operational(ovs_node, table_id, flow_id):
controller.delete_operational_flow(ovs_node, table_id, flow_id)
else:
break
def mirror_ip_app_to_ids(controller, ovs_node, table_id, lower_priority, higher_priority, ips, application, ovs, ids, tunnels):
tunnel_to_ids = [tunnel['ofport'] for tunnel in tunnels if tunnel['vm'] == ovs and tunnel['remote'] == ids]
assert len(tunnel_to_ids) == 1
tunnel_to_ids = tunnel_to_ids[0]
if len(application) == 2:
proto_name = application[0]
_, proto_number = ip_proto(proto_name)
port = application[1]
for ip in ips:
does_flow_exist = False
for ip_dir in directions:
for port_dir in directions:
flow_id = 'iippp_{0}_{1}_{2}_{3}_{4}'.format(ip_dir, ip, proto_name, port_dir, port)
if not controller.flow_exists_in_operational(ovs_node, table_id, flow_id):
controller.ip_app_output_and_resubmit(ovs_node, table_id, higher_priority, ip_dir, ip, proto_name, proto_number, port_dir, port, tunnel_to_ids, table_id + 1)
else:
does_flow_exist = True
break
if does_flow_exist:
break
elif len(application) == 1:
proto_name = application[0]
_, proto_number = ip_proto(proto_name)
for ip in ips:
does_flow_exist = False
for ip_dir in directions:
flow_id = 'iip_{0}_{1}_{2}'.format(ip_dir, ip, proto_name)
if not controller.flow_exists_in_operational(ovs_node, table_id, flow_id):
controller.ip_proto_output_and_resubmit(ovs_node, table_id, lower_priority, ip_dir, ip, proto_name, proto_number, tunnel_to_ids, table_id + 1)
else:
does_flow_exist = True
break
if does_flow_exist:
break
def block_ip_app(controller, ovs_node, table_id, lower_priority, higher_priority, ips, application):
if len(application) == 2:
proto_name = application[0]
_, proto_number = ip_proto(proto_name)
port = application[1]
for ip in ips:
does_flow_exist = False
for ip_dir in directions:
for port_dir in directions:
flow_id = 'iippp_{0}_{1}_{2}_{3}_{4}'.format(ip_dir, ip, proto_name, port_dir, port)
if not controller.flow_exists_in_operational(ovs_node, table_id, flow_id):
controller.ip_app_drop(ovs_node, table_id, higher_priority, ip_dir, ip, proto_name, proto_number, port_dir, port)
else:
does_flow_exist = True
if does_flow_exist:
break
if does_flow_exist:
break
elif len(application) == 1:
proto_name = application[0]
_, proto_number = ip_proto(proto_name)
for ip in ips:
does_flow_exist = False
for ip_dir in directions:
flow_id = 'iip_{0}_{1}_{2}'.format(ip_dir, ip, proto_name)
if not controller.flow_exists_in_operational(ovs_node, table_id, flow_id):
controller.ip_proto_drop(ovs_node, table_id, lower_priority, ip_dir, ip, proto_name, proto_number)
else:
does_flow_exist = True
if does_flow_exist:
break
if does_flow_exist:
break
def unmirror_app_from_ids(controller, ovs_node, table_id, application):
if len(application) == 2:
proto_name = application[0]
_, proto_number = ip_proto(proto_name)
port = application[1]
for port_dir in directions:
flow_id = 'ppp_{0}_{1}_{2}'.format(proto_name, port_dir, port)
if controller.flow_exists_in_config(ovs_node, table_id, flow_id):
controller.delete_config_flow(ovs_node, table_id, flow_id)
if controller.flow_exists_in_operational(ovs_node, table_id, flow_id):
controller.delete_operational_flow(ovs_node, table_id, flow_id)
else:
break
elif len(application) == 1:
proto_name = application[0]
_, proto_number = ip_proto(proto_name)
flow_id = 'p_{0}'.format(proto_name)
if controller.flow_exists_in_config(ovs_node, table_id, flow_id):
controller.delete_config_flow(ovs_node, table_id, flow_id)
if controller.flow_exists_in_operational(ovs_node, table_id, flow_id):
controller.delete_operational_flow(ovs_node, table_id, flow_id)
def _update_intrusions(self):
intrusion_ips = [[[] for _ in range(self.n_apps)] for __ in range(self.n_ids)]
intrusion_numbers = [[[] for _ in range(self.n_apps)] for __ in range(self.n_ids)]
for i in range(self.n_ids):
intrusions = get_intrusions(self.ids_vms[i]['ip'], flask_port)
for intrusion in intrusions:
src_ip = intrusion[0]
src_port = intrusion[1]
dst_ip = intrusion[2]
dst_port = intrusion[3]
if intrusion[4] in [1, 6, 17]:
proto, proto_number = ip_proto(intrusion[4])
if (proto, src_port) in applications:
app_idx = applications.index([proto, src_port])
elif (proto, dst_port) in applications:
app_idx = applications.index([proto, dst_port])
else:
app_idx = applications.index([proto])
# update recent intrusions
if src_ip not in intrusion_ips[i][app_idx] and src_ip not in self.internal_hosts:
intrusion_ips[i][app_idx].append(src_ip)
intrusion_numbers[i][app_idx].append(1)
elif src_ip in intrusion_ips[i][app_idx] and src_ip not in self.internal_hosts:
idx = intrusion_ips[i][app_idx].index(src_ip)
intrusion_numbers[i][app_idx][idx] += 1
if dst_ip not in intrusion_ips[i][app_idx] and dst_ip not in self.internal_hosts:
intrusion_ips[i][app_idx].append(dst_ip)
intrusion_numbers[i][app_idx].append(1)
elif dst_ip in intrusion_ips[i][app_idx] and dst_ip not in self.internal_hosts:
idx = intrusion_ips[i][app_idx].index(dst_ip)
intrusion_numbers[i][app_idx][idx] += 1
# update all intrusions
if src_ip not in self.intrusion_ips[i][app_idx] and src_ip not in self.internal_hosts:
self.intrusion_ips[i][app_idx].append(src_ip)
self.intrusion_numbers[i][app_idx].append(1)
elif src_ip in self.intrusion_ips[i][app_idx] and src_ip not in self.internal_hosts:
idx = self.intrusion_ips[i][app_idx].index(src_ip)
self.intrusion_numbers[i][app_idx][idx] += 1
if dst_ip not in self.intrusion_ips[i][app_idx] and dst_ip not in self.internal_hosts:
self.intrusion_ips[i][app_idx].append(dst_ip)
self.intrusion_numbers[i][app_idx].append(1)
elif dst_ip in self.intrusion_ips[i][app_idx] and dst_ip not in self.internal_hosts:
idx = self.intrusion_ips[i][app_idx].index(dst_ip)
self.intrusion_numbers[i][app_idx][idx] += 1
return intrusion_ips, intrusion_numbers
def _process_app_samples(self, samples):
x = np.zeros((self.n_apps, 3))
flow_ids = [[] for _ in applications]
for id, features, flags in samples:
if id is not None:
src_port = id[1]
dst_port = id[3]
idx = None
if id[4] in [1, 6, 17]:
proto, proto_number = ip_proto(id[4])
if (proto, src_port) in applications:
idx = applications.index((proto, src_port))
elif (proto, dst_port) in applications:
idx = applications.index((proto, dst_port))
elif (proto,) in applications:
idx = applications.index((proto,))
if idx is not None:
if id not in flow_ids[idx]:
flow_ids[idx].append(id)
x[idx, 0] += 1
x[idx, 1] += 1
x[idx, 2] += features[0]
return x
def init_ovs_tables(controller, ovs_node, ovs_vxlans, ovs_veths, attack_ips,
attack_directions):
# input ofport
in_ofports = [
item['ofport'] for item in ovs_veths if item['tag'] == in_veth_prefix
]
assert len(in_ofports) == 1
in_ofport = in_ofports[0]
# ids vxlan ofports
vxlan_ofports, vxlan_tables = [], []
for vxlan in ovs_vxlans:
ids_name = vxlan['remote']
spl = ids_name.split('_')
ids_idx = int(spl[-1])
table = ids_tables[0] + ids_idx + 1
vxlan_ofports.append(vxlan['ofport'])
vxlan_tables.append(table)
# output ofport
out_ofports = [
item['ofport'] for item in ovs_veths if item['tag'] == out_veth_prefix
]
assert len(out_ofports) == 1
out_ofport = out_ofports[0]
# table 0 (input)
controller.input_resubmit(ovs_node, in_table, priorities['lowest'],
in_ofport, in_table + 1)
for ofport, table in zip(vxlan_ofports, vxlan_tables):
controller.input_resubmit(ovs_node, in_table, priorities['lower'],
ofport, table)
# table 1 (applications)
for app in applications:
proto_name, proto_number = ip_proto(app[0])
if len(app) == 2:
port = app[1]
for dir in ['source', 'destination']:
controller.app_resubmit(ovs_node, app_table,
priorities['lower'], proto_name,
proto_number, dir, port, app_table + 1)
elif len(app) == 1:
controller.proto_resubmit(ovs_node, app_table,
priorities['lowest'], proto_name,
proto_number, app_table + 1)
# table 2 (flags)
for flag in tcp_flags:
controller.tcp_flag_resubmit(ovs_node, flag_table, priorities['lower'],
flag, flag_table + 1)
controller.resubmit(ovs_node, flag_table, priorities['lowest'],
flag_table + 1)
# tables 3 - 6 (ids_tables)
for i in ids_tables:
controller.resubmit(ovs_node, i, priorities['lowest'], i + 1)
# table 7 (attackers before actions)
for ip in attack_ips:
for dir in attack_directions:
controller.ip_resubmit(ovs_node, attacker_in_table,
priorities['lower'], dir, ip,
attacker_in_table + 1)
controller.resubmit(ovs_node, attacker_in_table, priorities['lowest'],
attacker_in_table + 1)
# table 8
controller.resubmit(ovs_node, block_table, priorities['lowest'],
block_table + 1)
# table 9 (attacker after actions)
for ip in attack_ips:
for dir in attack_directions:
controller.ip_resubmit(ovs_node, attacker_out_table,
priorities['lower'], dir, ip, out_table)
controller.resubmit(ovs_node, attacker_out_table, priorities['lowest'],
attacker_out_table + 1)
# table 10 (output)
controller.output(ovs_node, out_table, priorities['lowest'], out_ofport)