An efficient defense method for compromised switch and middlebox-bypass attacks in service function chaining
Journal of Communications and Networks (IF 3.6), Pub Date: 2021-01-12, DOI: 10.23919/jcn.2020.000028
Nguyen Canh Thang, Minho Park

Service function chaining (SFC) has a special and powerful ability to define an ordered list of required network services as a virtual chain and makes a network more flexible and manageable. However, there are many vulnerabilities to SFC, such as compromised switches and middlebox-bypass attacks, which can damage the operation and security of the network. In this study, we propose a mechanism that not only detects both middlebox-bypass attacks and compromised switch attacks in a multiple service function chain scenario but also prevents such attacks and protects the network. The proposed mechanism uses both probe-based and statistics-based methods to handle the probe packets and collect statistics from middleboxes for detecting any attacks in SFC. After detection, the mechanism changes the network topology to eliminate the compromised switches, while meeting the initial requirements of the service chains. By combining probe-based and statistics-based methods, our proposal overcomes the disadvantages of other proposed solutions and brings robust protection to SFC. As the experimental results indicate, the proposed mechanism is an effective and relevant approach for detecting and preventing compromised switches and middlebox-bypass attacks in SFC.

Updated: 2021-01-16