Feilong Tang,Lu Li,Leonard Barolli,Can Tang

DOI: https://doi.org/10.1109/AINA.2017.125

2017-01-01

Abstract:Software defined networking (SDN) provides flexible management for datacenter networks with the flow-level control. Such the fine-grained management, however, consumes large amount of bandwidth between data and control planes, which results in the bottleneck in the scalability of SDN-based datacenters. "The elephant and mouse phenomenon" suggests that there are only very few elephant flows that carry the majority of bytes in datacenters so that it can improve management efficiency to detect and reroute elephant flows while leaving mice flows in data plane leveraging wildcard flow table in OpenFlow. Unfortunately, existing mechanisms for elephant flow detection suffer from high bandwidth consumption and long detection time. In this paper, we propose an efficient sampling and classification approach (ESCA) with the two-phase elephant flow detection. In the first phase, ESCA improves sampling efficiency by estimating the arrival interval of elephant flows and filtering out redundant samples using a filtering flow table. In the second phase, ESCA classifies samples with a new supervised classification algorithm based on correlation among data flows. The mathematical analysis proofs our ESCA outperforms related schemes. Extensive experiment results on real public datacenter traces further demonstrate that our ESCA can provide accurate detection with less sampled packets and shorter detection time.

Xinyue Jiang,Risheng Deng,Dong Zhang,Chunming Wu

DOI: https://doi.org/10.1109/iThings-GreenCom-CPSCom-SmartData-Cybermatics53846.2021.00035

2021-01-01

Abstract:The large-scale distributed network has exposed increasing attack surfaces to cyber attackers. In this paper, we present a refined network measurement mechanism, called DDoS Collaborative Mitigation Mechanism (DDoSCCM). Based on former achievements in the programmable network, our work aims at capturing the characters of abnormal traffic and presenting an antedating reaction, constrained by limited resources of the switching ASIC. In-band Network Telemetry (INT) technique achieves real-time monitoring of the network by utilizing the device data acquisition on the data plane. Our work helps the network operator not only to learn the status of the network but also to issue an appropriate mitigation strategy faster and more accurately. DDoSCCM aims at delegating both detection and mitigation processes to the programmable switch. Consequently, the theoretical analysis and experimental results show that DDoSCCM can meet practical requirements and have a certain application value.

Kai Bu,Kaiwen Zhu,Yi Zheng,Yuanyuan Yang,Yutian Yang,Linfeng Cheng

DOI: https://doi.org/10.1016/j.comnet.2018.10.006

IF: 5.493

2018-01-01

Computer Networks

Abstract:Software-Defined Networking (SDN) has greatly boosted the productivity of data center networking and cloud computing. It introduces a central controller to take over most functions that otherwise reside in distributed forwarding devices. Such a centralized design, however, tends to make the control channel a bottleneck due to bandwidth fatigue. Only when this bottleneck is addressed can SDN greater benefit networking and computing infrastructures. Existing work saves control channel bandwidth at the expense of losing flow visibility. This paper designs and implements FastLane, a framework for bandwidth-efficient yet throughput-boosting SDN flow setup without sacrificing global flow visibility. FastLane informs only one on-path switch of a flow’s forwarding path while switches themselves cooperate to complete flow setup. FastLane thus keeps minimum traffic for flow setup in the control channel and leaves the rest to the data plane. We optimize the switch selection toward minimizing flow setup latency. To leverage the saved bandwidth for setting up more flows and therefore achieving higher throughput, we propose delegating certain flow setups from ingress to en-route switches. We prototype FastLane by modifying FloodLight controller and Open vSwitch. The results demonstrate FastLane’s benefits to higher SDN throughput with limited switching fabric overhead.

Boyang Zhou,Wen Gao,Chunming Wu,Bin Wang,Ming Jiang,Yansong Wang

DOI: https://doi.org/10.1007/978-3-319-13326-3_39

2014-01-01

Abstract:The Software-Defined Networking (SDN) separates the control plane from the data plane to increase the flexibility. In the data plane, the unavailability of data forwarding is a common problem preventing a switch from configuring a new arrival flow into its flow table. When the burst flows arrived at the switch, the flow table can be consumed, causing the unavailability occurred. However, the problem is more complicated than in Internet due to the limited channel bandwidth for detecting the table usage. Hence, we propose a transparent core layer in the controller. The mechanism of the layer improves the availability in such way, configuring switches adapting to arrival patterns of flows to prevent the resource of switch exceeding its limit. This paper introduces the design and mechanisms of the layer as well as their algorithms. We further use a real flow trace from a Internet core router to evaluate the performance of layer. By emulating on on miniNet-HiFi, the results demonstrate that the layer can smooth the burst flows without making the flow table exceeding its size, without the layer, the switch lost 8% ingress flows. Meanwhile, the control throughput is lowered by 25.8% than before.

Qiumei Cheng,Chunming Wu,Haifeng Zhou,Yuhang Zhang,Rui Wang,Wei Ruan

DOI: https://doi.org/10.1109/hpcc/smartcity/dss.2018.00149

2018-01-01

Abstract:Guarding the perimeter of cloud-based enterprise networks is a challenge due to massive traffic with dynamic nature. Current firewalls of enterprise networks in cloud are largely based on static security rule configuration or simple rule matching, which makes them inflexible, error-prone and poorly effective, bringing about severe security risks. In this paper, we propose an artificial intelligence-based software-defined networks firewall (AI-SDNF) for solving the above problems. Compared with existing SDN firewalls, AI-SDNF is able to extract and analyze the payload of data packets based on machine learning technologies rather than simply match with flow tables according to several header fields (e.g., source and destination IP/MAC addresses). Considering deciding whether a packet is benign or malicious is able to be formulated as a typical binary classification problem, we employ logistic regression for training an intelligent SDN firewall under supervised machine learning. We implement a prototype of AI-SDNF on the OpenDaylight controller and the OpenStack platform. Based on the prototype, we evaluate its performance and overheads with real dataset. The experimental results indicate that AI-SDNF achieves a relatively high detection accuracy of 96.79% with an average of 0.2ms latency.

Luiza Nacshon,Rami Puzis,Polina Zilberman

DOI: https://doi.org/10.48550/arXiv.1608.03307

2016-12-05

Abstract:OpenFlow is a protocol implementing Software Defined Networking, a new networking paradigm, which segregates packet forwarding and accounting (performed on switches) from the routing decisions and advanced protocols (executed on a central controller). This segregation increases agility and flexibility of a networking infrastructure and reduces its operational expenses. OpenFlow controllers expose standard interfaces to facilitate variety of networking applications. In particular, a monitoring application can use these interfaces to push into the OpenFlow switches rules that collect traffic flow statistics at different aggregation levels. The aggregation level determines the monitoring accuracy and the induced network overhead. In this paper, we propose Floware an OpenFlow application that allows discovery and monitoring of active flows at any required aggregation level. Floware balances the monitoring overhead among many switches in order to reduce its negative effect on network performance. In addition, Floware integrates with monitoring systems based on legacy protocols such as NetFlow. We demonstrate the application with soft switches emulated in Mininet, the Floodlight controller, and the NetFlow Analyzer as a legacy network analysis and intrusion detection system. Evaluation results demonstrate the positive impact of balanced monitoring.

Networking and Internet Architecture

Kai Bu

DOI: https://doi.org/10.1109/INFCOMW.2015.7179433

2015-01-01

Abstract:Software-Defined Networking (SDN) has greatly enriched the flexibility of network management. It introduces a central controller to take over most network functions that otherwise reside in distributed forwarding devices. Such a centralized design, however, tends to make control channel a bottleneck due to bandwidth fatigue. Existing work saves control channel bandwidth at the expense of losing visibility of most or mice flows. This paper proposes FastLane, a framework for bandwidth-efficient SDN flow setup without sacrificing global flow visibility. FastLane advocates that the controller inform only a flow's ingress switch of the flow's forwarding path while switches themselves cooperate to complete flow setup. This way, FastLane keeps minimum traffic for flow setup in control channel and leaves the rest to data plane. The analytical results validate FastLane's higher bandwidth efficiency over traditional SDN, especially for relatively long forwarding paths. For a 3-switch path, FastLane can already save more than a half of bandwidth. The saved bandwidth can embrace more flow setups and thus reduces flow latency.

Kai Bu,Yutian Yang,Zixuan Guo,Yuanyuan Yang,Xing Li,Shigeng Zhang

DOI: https://doi.org/10.1109/infocom.2018.8486230

2018-01-01

Abstract:Software-Defined Networking (SDN) greatly simplifies middlebox policy enforcement. Middleboxes need tag packet headers to avoid forwarding ambiguity on SDN switches. In this paper, we present a new attack, called middlebox-bypass attack, to breach SDN-based middlebox policy enforcement. Such an attack manipulates a compromised switch to locally tag attacking packets without handing them over to the attached middlebox for inspection. Existing SDN security solutions, however, cannot detect the middlebox-bypass attack under practical constraints of efficiency, robustness, and applicability. We design and implement FlowCloak, the first protocol for per-packet real-time detection and prevention of middlebox-bypass attacks. FlowCloak enables middleboxes to generate tags that are probabilistically unknown to an attacker and confines it to only random guessing. We propose a multi-tag verification technique to address the tradeoff between FlowCloak robustness and TCAM usage by tag verification rules on the egress switch. Experiment results show that dozens of verification rules can confine the attacking probability under 0.1%. FlowCloak imposes only a 0.3 ms packet processing delay on middleboxes and no obvious delay on the egress switch.

Shinan Liu,Ted Shaowang,Gerry Wan,Jeewon Chae,Jonatas Marques,Sanjay Krishnan,Nick Feamster

2024-10-24

Abstract:Network traffic analysis increasingly uses complex machine learning models as the internet consolidates and traffic gets more encrypted. However, over high-bandwidth networks, flows can easily arrive faster than model inference rates. The temporal nature of network flows limits simple scale-out approaches leveraged in other high-traffic machine learning applications. Accordingly, this paper presents ServeFlow, a solution for machine-learning model serving aimed at network traffic analysis tasks, which carefully selects the number of packets to collect and the models to apply for individual flows to achieve a balance between minimal latency, high service rate, and high accuracy. We identify that on the same task, inference time across models can differ by 1.8x - 141.3x, while the inter-packet waiting time is up to 6-8 orders of magnitude higher than the inference time! Based on these insights, we tailor a novel fast-slow model architecture for networking ML pipelines. Flows are assigned to a slower model only when the inferences from the fast model are deemed high uncertainty. ServeFlow is able to make inferences on 76.3% of flows in under 16ms, which is a speed-up of 40.5x on the median end-to-end serving latency while increasing the service rate and maintaining similar accuracy. Even with thousands of features per flow, it achieves a service rate of over 48.5k new flows per second on a 16-core CPU commodity server, which matches the order of magnitude of flow rates observed on city-level network backbones.

Networking and Internet Architecture,Artificial Intelligence

Jorge López,Charalampos Chatzinakis,Marc Cartigny,Claude Poletti

2023-07-22

Abstract:In recent years, computer networks and telecommunications in general have been shifting paradigms to adopt software-centric approaches. Software Defined Networking (SDN) is one of such paradigms that centralizes control and intelligent applications can be defined on top of this architecture. The latter enables the definition of the network behavior by means of software. In this work, we propose an approach for Flow Admission and Routing under Minimal Security Constraints (FARSec) in Software Defined Networks, where network flows must use links which are at least as secure as their required security level. We prove that FARSec can find feasible paths that respect the minimum level of security for each flow. If the latter is not possible FARSec rejects the flow in order not to compromise its security. We show that the computational complexity of the proposed approach is polynomial. Experimental results with semi-random generated graphs confirm the efficiency and correctness of the proposed approach. Finally, we implement the proposed solution using OpenFlow and ONOS -- an SDN open-source controller. We validate its functionality using an emulated network with various security levels.

Networking and Internet Architecture,Cryptography and Security

Nanyang Huang,Qing Li,Dong Lin,Xiaowen Li,Gengbiao Shen,Yong Jiang

DOI: https://doi.org/10.1109/iwqos.2018.8624177

2018-01-01

Abstract:Deploying Software-Defined Networks (SDNs) faces various challenges, and one of them is to implement per-flow control while preserving data plane scalability. Due to the limited rule storage space of commodity SDN switches, achieving flexible control and having a low-latency data plane with a low storage cost are often at odds. Unfortunately, existing SDN architectures fail to implement per-flow control efficiently: they either incur extra delays to packets or pose high storage burden to switches. In this paper, we propose Software-Defined Label Switching (SDLS) to achieve both data plane scalability and per-flow control. SDLS combines central control with label switching to reduce storage burden while maintaining per-flow control. SDLS introduces software switches into the data plane and manages the network in regions for scalability. SDLS is OpenFlow-compatible and employs a hybrid data plane to provide efficient flow setups. We evaluate SDLS by comparing with the state-of-the-art SDN architectures and show that SDLS can rival the best on the latency performance while reducing the number of flow entries and overflows by more than 47%.

Andrés Felipe Murillo Piedrahita,Sandra Rueda,Diogo M. F. Mattos,Otto Carlos M. B. Duarte,Andres Felipe Murillo Piedrahita

DOI: https://doi.org/10.1109/giis.2015.7347185

2015-10-01

Abstract:Most Denial of Service (DoS) attacks intend to generate a traffic pattern that is indistinguishable from legitimate traffic, making it hard to detect an attack. Conventional defenses for these attacks are not scalable, are slow to react or introduce an overhead to each routed packet. In this paper, we present FlowFence, a lightweight and fast denial of service detection and mitigation system for Software Defined Networking (SDN). The FlowFence architecture includes routers running daemons to monitor the average occupation of their interfaces to detect congestion conditions, and an SDN controller that coordinates bandwidth assignment of controlled links. The controller limits the flow transmission rate along a path to prevent users' starvation. The mitigation procedure of starvation state allocates an average bandwidth, while flows exceeding the mean are penalized. The penalization is proportional to the difference between the fair limit and the current bandwidth usage. A system prototype was implemented and evaluated in the Future Internet Testbed with Security (FITS). The results show that the proposal avoids users' starvation of network resources without adding much overhead in the network.

Qi Li,Yunpeng Liu,Zhuotao Liu,Peng Zhang,Chunhui Pang

DOI: https://doi.org/10.1109/icc.2016.7510990

IF: 5.3

2021-01-01

IEEE Transactions on Parallel and Distributed Systems

Abstract:Packet forwarding anomaly is an abnormal network state where flows are forwarded along wrong paths. Current practice of forwarding anomaly detection in Software Defined Networks (SDN) is achieved by sending probing packets or analyzing flow statistics. However, these approaches are not effective and efficient. For example, the probing approaches cannot capture all attacks, and the statistics approaches induce high communication overheads since they collect statistics of all flows. In order to address these issues, we propose a novel scheme called FADE. FADE detects forwarding anomalies by accurately analyzing flow statistics of a minimal set of flows. It generates a small number of dedicated flow rules associated with these flows to accurately measure their statistics. Moreover, it controls the installing and timeout of these dedicated flow rules so that all dedicated flow rules generated for the same flow operate on the same set of packets. Therefore, it achieves high efficiency and accuracy in anomaly detection. We prototype FADE and implement it as an application in Opensource controller, Floodlight, and evaluate the performance by Mininet experiments. The experiment results show that FADE can detect almost all forwarding anomalies and only reduces the throughput by 4%.

Tommaso Bonato,Abdul Kabbani,Daniele De Sensi,Rong Pan,Yanfang Le,Costin Raiciu,Mark Handley,Timo Schneider,Nils Blach,Ahmad Ghalayini,Daniel Alves,Michael Papamichael,Adrian Caulfield,Torsten Hoefler

2024-09-21

Abstract:The increasing demand of machine learning (ML) workloads in datacenters places significant stress on current congestion control (CC) algorithms, many of which struggle to maintain performance at scale. These workloads generate bursty, synchronized traffic that requires both rapid response and fairness across flows. Unfortunately, existing CC algorithms that rely heavily on delay as a primary congestion signal often fail to react quickly enough and do not consistently ensure fairness. In this paper, we propose FASTFLOW, a streamlined sender-based CC algorithm that integrates delay, ECN signals, and optional packet trimming to achieve precise, real-time adjustments to congestion windows. Central to FASTFLOW is the QuickAdapt mechanism, which provides accurate bandwidth estimation at the receiver, enabling faster reactions to network conditions. We also show that FASTFLOW can effectively enhance receiver-based algorithms such as EQDS by improving their ability to manage in-network congestion. Our evaluation reveals that FASTFLOW outperforms cutting-edge solutions, including EQDS, Swift, BBR, and MPRDMA, delivering up to 50% performance improvements in modern datacenter networks.

Networking and Internet Architecture

Rajkumar Kulandaivel,Manikandan Ramachandran,Sathishkumar Veerappampalayam Easwaramoorthy,Jaehyuk Cho

DOI: https://doi.org/10.1371/journal.pone.0308052

IF: 3.7

2024-10-03

PLoS ONE

Abstract:Recent evolution in connected devices modelled a massive stipulation for network traffic resources and classification. Software-defined networking (SDN) enables ML techniques with the Internet of Things (IoT) to automate network traffic. This helps to reduce accuracy and improves latency. Problems by conventional techniques to categorize network traffic acquired from IoT and assign resources can be resolved through SDN solutions. This manuscript proposes a proposed network traffic classification technique on IoT with SDN called Gauss Markov and Flow-balanced Vector Radial Learning (GM-FVRL). With the network traffic features acquired from the IoT devices, SDN-enabled Gauss Markov Correlation-based IoT Network Traffic Feature Extraction is applied to extort relevant network aspects. Next, the flow-balanced radial-based ML model for network traffic categorization uses the relevant extracted network traffic features. With the aid of flow, the balanced radial basis function reduces the influence of noise due to distinct network flow. This helps to improve accuracy and minimize latency. Due to this, better precision and recall is ensured. Performance of our method has been evaluated utilizing a scheme using an SDN traffic dataset. The results show that our method classifies the network traffic with high classification accuracy and minimum latency, ensuring better precision and recall.

multidisciplinary sciences

Ankur Mudgal,Abhishek Verma,Munesh Singh,Kshira Sagar Sahoo,Erik Elmroth,Monowar Bhuyan

DOI: https://doi.org/10.1109/TNSM.2024.3446178

2024-10-19

Abstract:Software Defined Networking (SDN) has evolved to revolutionize next-generation networks, offering programmability for on-the-fly service provisioning, primarily supported by the OpenFlow (OF) protocol. The limited storage capacity of Ternary Content Addressable Memory (TCAM) for storing flow tables in OF switches introduces vulnerabilities, notably the Low-Rate Flow Table Overflow (LOFT) attacks. LOFT exploits the flow table's storage capacity by occupying a substantial amount of space with malicious flow, leading to a gradual degradation in the flow-forwarding performance of OF switches. To mitigate this threat, we propose FloRa, a machine learning-based solution designed for monitoring and detecting LOFT attacks in SDN. FloRa continuously examines and determines the status of the flow table by closely examining the features of the flow table entries. Upon detecting an attack FloRa promptly activates the detection module. The module monitors flow properties, identifies malicious flows, and blacklists them, facilitating their eviction from the flow table. Incorporating novel features such as Packet Arrival Frequency, Content Relevance Score, and Possible Spoofed IP along with Cat Boost employed as the attack detection method. The proposed method reduces CPU overhead, memory overhead, and classification latency significantly and achieves a detection accuracy of 99.49%, which is more than the state-of-the-art methods to the best of our knowledge. This approach not only protects the integrity of the flow tables but also guarantees the uninterrupted flow of legitimate traffic. Experimental results indicate the effectiveness of FloRa in LOFT attack detection, ensuring uninterrupted data forwarding and continuous availability of flow table resources in SDN.

Networking and Internet Architecture

Qiang Xu,Thomas Andrews,Yong Liao,Stanislav Miskovic,Zhuoqing Morley Mao,Mario Baldi,Antonio Nucci

DOI: https://doi.org/10.1145/2637364.2592022

2014-01-01

Abstract:No abstract available.

Andrea Bianco,Paolo Giaccone,Seyedaidin Kelki,Nicolas Mejia Campos,Stefano Traverso,Tianzhu Zhang

DOI: https://doi.org/10.1109/icc.2017.7997297

2017-01-01

Abstract:The novel “stateful” approach in Software Defined Networking (SDN) provides programmable processing capabilities within the switches to reduce the interaction with the SDN controller and thus improve the scalability and the performance of the network. In our work we consider specifically the stateful extension of OpenFlow that was recently proposed, called Open-State, that allows to program simple state machines in almost-standard OpenFlow switches. We consider a reactive traffic control application that reacts to the traffic flows which are identified in real-time by a generic traffic classification engine. We devise an architecture in which an OpenState-enabled switch sends the minimum number of packets to the traffic classifier, in order to minimize the load on the classifier and improve the scalability of the approach. We design two stateful approaches to minimize the memory occupancy in the flow tables of the switches. Finally, we validate experimentally our solutions and estimate the required memory for the flow tables.