Yi Shen,Chunming Wu,Dezhang Kong,Mingliang Yang

DOI: https://doi.org/10.1109/icc40277.2020.9149276

2020-01-01

Abstract:Distributed Denial of Service (DDoS) attack is one of the most severe threats to the current network security. As a new network architecture, Software-Defined Networking (SDN) draws notable attention from both industry and academia. The characteristics of SDN such as centralized management and flow-based traffic monitoring make it an ideal platform to defend against DDoS attacks. When designing a network intrusion detection system (NIDS) in SDN, how to obtain fine-grained flow information with minimal overhead to the SDN architecture is a problem to be solved. In this paper, we propose TPDD, a two-phase DDoS detection system to detect DDoS attacks in SDN. In the first phase, we utilize the characteristics of SDN to collect coarse-grained flow information from the core switches and locate the potential victim. Then we monitor the edge switches located close to the potential victim to obtain finer-grained traffic information in the second phase. The collection method of each phase fully considers the impact on the bandwidth between the controller and switches. Without modifying the existing flow rules, the collection module can obtain sufficient information about traffic. By using entropy-based and machine learning-based methods, the detection module can effectively detect anomalies and identify whether the potential victim marked in the first phase is the target of attacks. Experimental results show that TPDD can effectively detect DDoS attacks with little overhead.

Dezhang Kong,Yi Shen,Xiang Chen,Qiumei Cheng,Hongyan Liu,Dong Zhang,Xuan Liu,Shuangxi Chen,Chunming Wu

DOI: https://doi.org/10.1109/tnet.2022.3203561

2023-01-01

IEEE/ACM Transactions on Networking

Abstract:The topology discovery service in Software-Defined Networking (SDN) provides the controller with a global view of the substrate network topology, allowing for central management of the entire network. Unfortunately, emerging topology attacks can poison the network topology and result in unforeseeable disasters. Although researchers have made great efforts to mitigate this problem, security hazards still exist. In this paper, we propose Invisible Assailant Attack (IAA), the first combination topology attack capable of injecting and maintaining fake links even when 12 existing defense strategies are deployed simultaneously. IAA consists of 14 attack phases that apply multiple attack strategies. Attackers skillfully disguise the attack traffic in each phase so that it looks like normal network traffic, and perform these phases in a well-planned sequence, thereby bypassing existing defenses step by step. To mitigate this attack, we propose a Route Path Verification (RPV) mechanism that orchestrates multiple defense strategies to identify fake links. According to the experiments, RPV can successfully detect IAA with low overhead: its detection completes within 1 ms while its per-flow storage consumption is only a few KB.

Gustavo A. Nunez Segura,Sotiris Skaperas,Arsenia Chorti,Lefteris Mamatas,Cintia Borges Margi

DOI: https://doi.org/10.48550/arXiv.2003.12027

2020-03-27

Abstract:Software-defined networking (SDN) is a promising technology to overcome many challenges in wireless sensor networks (WSN), particularly with respect to flexibility and reuse. Conversely, the centralization and the planes' separation turn SDNs vulnerable to new security threats in the general context of distributed denial of service (DDoS) attacks. State-of-the-art approaches to identify DDoS do not always take into consideration restrictions in typical WSNs e.g., computational complexity and power constraints, while further performance improvement is always a target. The objective of this work is to propose a lightweight but very efficient DDoS attack detection approach using change point analysis. Our approach has a high detection rate and linear complexity, so that it is suitable for WSNs. We demonstrate the performance of our detector in software-defined WSNs of 36 and 100 nodes with varying attack intensity (the number of attackers ranges from 5% to 20% of nodes). We use change point detectors to monitor anomalies in two metrics: the data packets delivery rate and the control packets overhead. Our results show that with increasing intensity of attack, our approach can achieve a detection rate close to100% and that the type of attack can also be inferred.

Cryptography and Security,Networking and Internet Architecture

Junfeng Wang,Ping Zhai,Yin Zhang,Lei Shi,Gaoxiang Wu,Xiaobo Shi,Ping Zhou

DOI: https://doi.org/10.1007/978-3-319-69605-8_1

2017-01-01

Abstract:Software-Defined Networking (SDN) is currently hot research area. The current researches on SDN are mainly focused on wired network and data center, while software-defined wireless sensor network (WSN) is put forth in a few researches, but only at stage of putting forth models and concepts. In this paper, we have proposed a new SDN routing scheme in multi-hop wireless network is proposed. The implementation of the protocol is described in detail. We also build model with OPNET and simulate it. The simulation results show that the proposed routing scheme could provide shortest path and disjoint multipath routing for nodes, and its network lifetime is longer than existing algorithms (OLSR, AODV) when traffic load is heavier.

Quan Ren,Tao Hu,Jiangxing Wu,Yuxiang Hu,Lei He,Julong Lan

DOI: https://doi.org/10.1016/j.comnet.2021.108134

IF: 5.493

2021-01-01

Computer Networks

Abstract:SDN improves the flexibility and programmability of the network. However, malicious attacks caused by potential vulnerabilities and backdoors can easily lead to data and rule tampering in the network. To address this problem, this paper proposes an endogenous secure SDN network framework based on multipath resilient routing (MRR). MRR includes multipath comparing forwarding, multipath weighted forwarding, and multipath random forwarding. The framework ensures the correctness of flow rules and data content by dynamically comparing the consistency of multi-heterogeneous path data within a certain period, and multipath can also achieve load balance by weighted forwarding. In the MRR framework, we also present an intermediate information feedback mechanism based on encryption authentication and give a mathematical model to evaluate it. This mechanism can accurately identify and dynamically repair malicious switches. Simulation evaluation and prototype system test show that this framework can achieve high accuracy of flow transmission and high availability of system. At the same time, multipath comparing forwarding will bring some performance costs such as delay, bandwidth, and jitter at initial and attacking time. However, when the appropriate forwarding mode and reasonable period T are selected, the proportion of delay introduced by comparing and ruling can be less than 10%, and the average bandwidth of mixed forwarding is almost the same as traditional multipaths', such as we can guarantee 25% multipath comparing forwarding when the bandwidth requirement is 250 M in prototype system.

Zhipeng Yu,Hui Zhu,Rui Xiao,Chao Song,Jian Dong,Hui Li

DOI: https://doi.org/10.1002/ett.3895

IF: 3.6

2020-01-01

Transactions on Emerging Telecommunications Technologies

Abstract:With the development and pervasiveness of Internet of Things (IoT) devices, Software‐Defined Networks (SDN) technology has been deployed to bring great convenience to network transmission. However, SDN over IoT network still faces many challenges on devices data security. Our work demonstrates a novel attack of SDN networks, named Network Harvesting (NH). In NH, an attacker has the ability to steal the users' network privileges without the awareness of victims and the switchers. Furthermore, to solve the above attack, we construct a detection scheme and a defense scheme, named RSDetector and SpoofDefender. RSDetector detects the presence of rogue switches in the network by leveraging the prediction power of machine learning. At the same time, SpoofDefender prevents a number of spoofing attacks including NH by the global control of the SDN networks. In addition, RSDetector and SpoofDefender are also evaluated on ONOS 1.10.4 and Mininet. A good deal of simulation results demonstrate that our proposed schemes have great optimization in reducing communication and computation costs.

Junfeng Wang,Yiming Miao,Ping Zhou,M. Shamim Hossain,Sk Md Mizanur Rahman

DOI: https://doi.org/10.1016/j.jnca.2016.12.007

IF: 7.574

2016-01-01

Journal of Network and Computer Applications

Abstract:SDN has been touted as one of the most promising solutions for future Internet with the innovative design ideas that the control plane is logically centralized and decoupled from the data plane. Current research on SDN mainly focuses on wired network and data center, while software-defined wireless multi-hop network is put forth in a few researches, but only at stage of putting forth models and concepts. In this paper, we propose a novel routing protocol applied SDN in wireless multi-hop network. The implementation of the protocol is given in detail, and OPNET is used to build the model and carry on the simulation experiment. A large number of simulation experiments are performed to compare the key parameters of different networks. Simulation results show that our proposed routing protocol provide shortest path and disjoint multipath routing for nodes, and its network lifetime is longer than existing algorithms (OLSR, AODV) when traffic load reaches a certain value.

Chao Qi,Jiangxing Wu,Hongchao Hu,Guozhen Cheng

DOI: https://doi.org/10.1049/el.2016.2670

2016-01-01

Electronics Letters

Abstract:Modifying flow rule attack posts a huge threat to controllers in network operating system (NOS) for software defined network (SDN) due to its concealment. Based on the previously proposed NOS architecture with multiple controllers which introduce heterogeneity and dynamic to defend above attack effectively, its dynamic segment about dynamically scheduling controllers is explicitly presented. A dynamic-scheduling method is put forward to maximise security gain of NOS during each switch. This algorithm is able to improve NOS security through altering its framework's diversity to maximum degree while considering switching cost and latency simultaneously. Theory analysis and simulation results prove validity and availability of the devised mechanism and its more effective security performance over traditional architectures.

Nhu-Ngoc Dao,Joongheon Kim,Minho Park,Sungrae Cho

DOI: https://doi.org/10.1371/journal.pone.0160375

IF: 3.7

2016-08-05

PLoS ONE

Abstract:The convergent communication network will play an important role as a single platform to unify heterogeneous networks and integrate emerging technologies and existing legacy networks. Although there have been proposed many feasible solutions, they could not become convergent frameworks since they mainly focused on converting functions between various protocols and interfaces in edge networks, and handling functions for multiple services in core networks, e.g., the Multi-protocol Label Switching (MPLS) technique. Software-defined networking (SDN), on the other hand, is expected to be the ideal future for the convergent network since it can provide a controllable, dynamic, and cost-effective network. However, SDN has an original structural vulnerability behind a lot of advantages, which is the centralized control plane. As the brains of the network, a controller manages the whole network, which is attractive to attackers. In this context, we proposes a novel solution called adaptive suspicious prevention (ASP) mechanism to protect the controller from the Denial of Service (DoS) attacks that could incapacitate an SDN. The ASP is integrated with OpenFlow protocol to detect and prevent DoS attacks effectively. Our comprehensive experimental results show that the ASP enhances the resilience of an SDN network against DoS attacks by up to 38%.

Tao Wang,Hongchang Chen,Guozhen Cheng,Yulin Lu

DOI: https://doi.org/10.1155/2018/7545079

IF: 1.968

2018-01-01

Security and Communication Networks

Abstract:Software-Defined Networking (SDN) has quickly emerged as a promising technology for future networks and gained much attention. However, the centralized nature of SDN makes the system vulnerable to denial-of-services (DoS) attacks, especially for the currently widely deployed multicontroller system. Due to DoS attacks, SDN multicontroller model may additionally face the risk of the cascading failures of controllers. In this paper, we propose SDNManager, a lightweight and fast denial-of-service detection and mitigation system for SDN. It has five components: monitor, forecast engine, checker, updater, and storage service. It typically follows a control loop of reading flow statistics, forecasting flow bandwidth changes based on the statistics, and accordingly updating the network. It is worth noting that the forecast engine employs a novel dynamic time-series (DTS) model which greatly improves bandwidth prediction accuracy. What is more, to further optimize the defense effect, we also propose a controller dynamic scheduling strategy to ensure the global network state optimization and improve the defense efficiency. We evaluate SDNManager through a prototype implementation tested in a real SDN network environment. The results show that SDNManager is effective with adding only a minor overhead into the entire SDN/OpenFlow infrastructure.

Yingmo Jie,Mingchu Li,Cheng Guo,Ling Chen

DOI: https://doi.org/10.1109/ACCESS.2018.2869399

IF: 3.9

2018-01-01

IEEE Access

Abstract:To fight against denial of services (DoS) attacks on vehicular ad hoc networks, which can cause congestion over networks and degrading the user's experience, a lot of detective techniques and schemes have been proposed. However, the complex ones cannot keep pace with the growth of vehicle networks. In this paper, we propose a simple but effective defense strategy scheme inspired by the port-hopping mechanism, which advantage is manifested in that the detection and filtering off of malicious packets launched by attackers can be achieved without any change in existing protocol. First, we design a dynamic defense strategy scheme to puzzle a DoS attacker, where the specific defense strategy will change according to a scheme of time. To mitigate the losses caused by an attacker whose goal is to probe the vulnerable services' ports contained in the UDP/TCP headers between vehicle-to-vehicle or vehicle-to-infrastructure, we add some security services' ports that are valueless to attackers. Second, we give the specific construction of such a defense strategy scheme reflected as a matrix and a security analysis with respect to detecting the probed ports. At last, in comparison with the non-strategy defense scheme, simulations considering some parameters are conducted, which can show that our scheme is an effective defense scheme used for protecting VANETs.

Yunhe Cui,Lianshan Yan,Saifei Li,Huanlai Xing,Wei Pan,Jian Zhu,Xiaoyang Zheng

DOI: https://doi.org/10.1016/j.jnca.2016.04.005

IF: 7.574

2016-06-01

Journal of Network and Computer Applications

Abstract:In order to overcome Distributed Denial of Service (DDoS) in Software Defined Networking (SDN), this paper proposes a mechanism consisting of four modules, namely attack detection trigger, attack detection, attack traceback and attack mitigation. The trigger of attack detection mechanism is introduced for the first time to respond more quickly against DDoS attack and reduce the workload of controllers and switches. In the meantime, the DDoS attack detection method based on neural network is implemented to detect attack. Furthermore, an attack traceback method taking advantages of the characteristics of SDN is also proposed. Meanwhile, a DDoS mitigation mechanism including attack blocking and flow table cleaning is presented. The proposed mechanism is evaluated on SDN testbed. Experimental results show that the proposed mechanism can quickly initiate the attack detection with less than one second and accurately trace the attack source. More importantly, it can block the attack in source and release the occupied resources of switches.

computer science, interdisciplinary applications, software engineering, hardware & architecture

Jin Wang,Liping Wang,Ruiqing Wang

DOI: https://doi.org/10.3390/e25081210

IF: 2.738

2023-08-15

Entropy

Abstract:Software defined networking (SDN) improves the flexibility and programmability of the network by separating the control plane and the data plane and effectively realizes the global control of the network infrastructure. However, the centralized structure design of SDN exposes the controller to potential threats. Attackers have used the active flow table delivery mode to launch distributed denial of service (DDoS) attacks on the SDN controller, resulting in the controller failure and seriously affecting the network performance. To overcome this problem, this paper proposes a defense framework called CC-Guard. The framework consists of four modules: attack detection triggering, switch migration, anomaly detection, and mitigation. Among them, the attack detection trigger module improves the system's timely response to DDoS attacks. The switch migration module effectively unclogs the controller congestion problem and provides convenience for network flow transmission. The anomaly detection module uses a coarse-grained method for two-stage detection, which improves the detection accuracy. The mitigation module uses the idea of cross-domain cooperation of the controller to clear the abnormal flow in the blacklist. Experimental results show that our proposed CC-Guard has real-time DDoS attack defense capability and high detection accuracy, as well as efficient network resource utilization.

physics, multidisciplinary

Rui Xiao,Hui Zhu,Chao Song,Ximeng Liu,Jian Dong,Hui Li

DOI: https://doi.org/10.1109/ICCCN.2018.8487340

2018-01-01

Abstract:With the development of virtualization technology and fast expansion of network-scale, SDN has been employed in various cases from campus networks to cloud data center networks. However, SDN networks are also facing some new security issues, relative to the traditional networks. In this work, we demonstrate a novel network isolation attack in SDN networks, called Network Harvesting, that lets an attacker can access to the user's network privileges without the awareness of victim and OpenFlow SDN architecture, which significantly increases persistence. We then present a defense, SpoofDefender, that prevents network isolation attacks or other spoofing attacks by leveraging SDN's data and control plane separation, global network view, and programmatic control of the network, while building upon IEEE 802.1x and encryption. In addition, we also implement SpoofDefender on ONOS 1.10.4 and Mininet with a real network, and extensive simulation results demonstrate that our proposed SpoofDefender is highly effective in terms of computation and communication costs.

Yuling Chen,Jing Sun,Yixian Yang,Tao Li,Xinxin Niu,Huiyu Zhou

DOI: https://doi.org/10.1002/int.22666

IF: 8.993

2021-09-19

International Journal of Intelligent Systems

Abstract:Source location privacy (SLP) protection is an emerging research topic in wireless sensor networks. Because the source location represents the valuable information of the target being monitored and tracked, it is of great practical significance to achieve a high degree of privacy of the source location. Although many studies based on phantom nodes have alleviates the protection of SLP to some extent. It is urgent to solve the problems, such as complicate the ac path between nodes, improve the centralized distribution of phantom nodes near the source nodes and reduce the network communication overhead. In this paper, protection scheme based on sector phantom routing (PSSPR) routing is proposed as a visible approach to address SLP issues. We use the coordinates of the center node V to divide sector domain, which act an important role in generating a new phantom node. The phantom nodes perform specified routing policies to ensure that they can choose various locations. In addition, the directed random route can ensure that data packets avoid the visible range when they move to the sink node hop by hop. Thus, the source location is protected. Theoretical analysis and simulation experiments show that this protocol achieves higher security of source node location with less communication overhead.

computer science, artificial intelligence

Kuan-yin Chen,Anudeep Reddy Junuthula,Ishant Kumar Siddhrau,Yang Xu,H. Jonathan Chao

DOI: https://doi.org/10.1109/cns.2016.7860467

2016-01-01

Abstract:While the software-defined networking (SDN) paradigm is gaining much popularity, current SDN infrastructure has potential bottlenecks in the control plane, hindering the network's capability of handling on-demand, fine-grained flow level visibility and controllability. Adversaries can exploit these vulnerabilities to launch distributed denial-of-service (DDoS) attacks against the SDN infrastructure. Recently proposed solutions either scale up the SDN control plane or filter out forged traffic, but not both. We propose SDNShield, a combined solution towards more comprehensive defense against DDoS attacks on SDN control plane. SDNShield deploys specialized software boxes to improve the scalability of ingress SDN switches to accommodate control plane workload surges. It further incorporates a two-stage filtering scheme to protect the centralized controller. The first stage statistically distinguishes legitimate flows from forged ones, and the second stage recovers the false positives of the first stage with in-depth TCP handshake verification. Prototype tests and dataset-driven evaluation results show that SDNShield maintains higher resilience than existing solutions under varying attack intensity.

Muhammad Umar Farooq Qaisar,Xingfu Wang,Ammar Hawbani,Liang Zhao,Ahmed Y Al-Dubai,Omar Busaileh

DOI: https://doi.org/10.1109/tmc.2022.3158695

IF: 6.075

2022-01-01

IEEE Transactions on Mobile Computing

Abstract:In wireless sensor networks (WSNs), it is inappropriate to use conventional unicast routing due to the broadcast storm problem and spatial diversity of communication-links. Opportunistic-Routing (OR) benefits the low duty-cycled WSNs by prioritizing the multiple candidates for each node instead of selecting one node as in conventional unicast-routing. OR reduces the sender waiting time, but it also suffers from the duplicate packets problem due to multiple candidates waking up simultaneously. The number of candidates should be restricted to counterbalance between the sender waiting time and duplicate packets. In this paper, software-defined networking (SDN) is adapted for the flexible management of WSNs by allowing decoupling of the control plane from the sensor nodes. This study presents SDN-based load-balanced opportunistic-routing for duty-cycled WSNs that addresses two parts. First, the candidates are computed and controlled in the control plane. Second, the metric used to prioritize the candidates considers the average of three distributions, transmission distance distribution, expected number of hops distribution and residual energy distribution so that more traffic is guided through the nodes with higher priority. Simulation results show that our proposed protocol significantly improve network lifetime, routing efficiency, energy consumption, sender waiting time, and duplicate packets as compared with the benchmarks.

computer science, information systems,telecommunications

Adnan Ahmed,Kamalrulnizam Abu Bakar,Muhammad Ibrahim Channa,Abdul Waheed Khan

DOI: https://doi.org/10.1007/s11036-016-0683-y

2016-01-26

Mobile Networks and Applications

Abstract:Nodes in most of the deployments of Wireless Sensor Networks (WSNs) remain un-administered and exposed to variety of security attacks. Characterized by constrained resources and dynamically changing behavior of sensor nodes, reliable data delivery in WSNs is nontrivial. To counter node misbehavior attacks, traditional cryptographic and authentication based solutions have proved to be inappropriate due to high cost and incapability factors. Recently, trust based solutions have appeared to be viable solutions to address nodes’ misbehavior attacks. However, the existing trust based solutions incur high cost in trust estimation and network-wide dissemination which significantly increases traffic congestion and undermines network lifetime. This paper presents a Trust and Energy aware Secure Routing Protocol (TESRP) for WSN that exploits a distributed trust model for discovering and isolating misbehaving nodes. TESRP employs a multi-facet routing strategy that takes into consideration the trust level, residual energy, and hop-counts of neighboring nodes while making routing decisions. This strategy not only ensures data dissemination via trusted nodes but also balances out energy consumption among trusted nodes while traversing through shorter paths. Demonstrated by simulation results in NS-2, TESRP achieves improved performance in terms of energy consumption, throughput and network lifetime as compared to existing solutions.

computer science, information systems,telecommunications, hardware & architecture

Hongsong Chen,Zhongchuan Fu,Chengyao Wang,Zhenzhou Ji,Mingzeng Hu

DOI: https://doi.org/10.2498/cit.1000748

2007-01-01

Abstract:Network processor (NP) is optimized to performnetwork tasks. It uses massive parallel processing architecture to achieve high performance. Ad hoc network is an exciting research aspect due to the characters of self-organization, dynamically topology and temporary network life. However, all the characters make the security problem more serious. Denial-of-Service (DoS) attack is the main puzzle in the security of Ad hoc network. A novel NP-based security scheme is proposed to combat the attack. Security agent is established by a hardware thread in NP. Agent can update itself at some interval by the trustworthiness of the neighbor nodes. Agent can trace the RREQ and RREP messages stream to aggregate the key information and analyze them by intrusion detection algorithm. NS2 simulator is expanded to validate the security scheme. Simulation results show that NP-based security scheme is effective to detect DoS attack.

Shang Gao,Zhe Peng,Bin Xiao,Aiqun Hu,Yubo Song,Kui Ren

DOI: https://doi.org/10.1109/tnet.2020.2983976

2020-01-01

IEEE/ACM Transactions on Networking

Abstract:The introduction of software-defined networking (SDN) has emerged as a new network paradigm for network innovations. By decoupling the control plane from the data plane in traditional networks, SDN provides high programmability to control and manage networks. However, the communication between the two planes can be a bottleneck of the whole network. SDN-aimed DoS attacks can cause long packet delay and high packet loss rate by using massive table-miss packets to jam links between the two planes. To detect and mitigate SDN-aimed DoS attacks, this paper presents FloodDefender, an efficient and protocol-independent defense framework for SDN/OpenFlow networks. FloodDefender stands between the controller platform and other controller apps, and conforms to the OpenFlow policy without additional devices. The detection module in FloodDefender utilizes new frequency features to precisely identify SDN-aimed DoS attacks. The mitigation module uses three new techniques to efficiently mitigate attack traffic: table-miss engineering to prevent the communication bandwidth from being exhausted; packet filter to filter out attack traffic and save computational resources of the control plane; and flow rule management to eliminate most of useless flow entries in the switch flow table. Our evaluation on a prototype implementation of FloodDefender shows that the defense framework can precisely identify and efficiently mitigate the SDN-aimed DoS attacks with very little overhead.