Qiumei Cheng,Chunming Wu,Haifeng Zhou,Yuhang Zhang,Rui Wang,Wei Ruan

DOI: https://doi.org/10.1109/hpcc/smartcity/dss.2018.00149

2018-01-01

Abstract:Guarding the perimeter of cloud-based enterprise networks is a challenge due to massive traffic with dynamic nature. Current firewalls of enterprise networks in cloud are largely based on static security rule configuration or simple rule matching, which makes them inflexible, error-prone and poorly effective, bringing about severe security risks. In this paper, we propose an artificial intelligence-based software-defined networks firewall (AI-SDNF) for solving the above problems. Compared with existing SDN firewalls, AI-SDNF is able to extract and analyze the payload of data packets based on machine learning technologies rather than simply match with flow tables according to several header fields (e.g., source and destination IP/MAC addresses). Considering deciding whether a packet is benign or malicious is able to be formulated as a typical binary classification problem, we employ logistic regression for training an intelligent SDN firewall under supervised machine learning. We implement a prototype of AI-SDNF on the OpenDaylight controller and the OpenStack platform. Based on the prototype, we evaluate its performance and overheads with real dataset. The experimental results indicate that AI-SDNF achieves a relatively high detection accuracy of 96.79% with an average of 0.2ms latency.

Qiang Wu,Ran Wang,Xincheng Yan,Chunming Wu,Rongxing Lu

DOI: https://doi.org/10.1109/MWC.001.2100251

IF: 12.777

2022-01-01

IEEE Wireless Communications

Abstract:Opening-up sharing has prompted the multi-tenancy architecture, whereby different vendors (including outsourcees) work together with network operators to form a vibrant service ecosystem, resulting in several advantages as well as risks. In particular, the static nature of existing architectures in network functions virtualization-based (NFV-based) clouds facilitate hacking. Thus, much attention has been focused on determining how to avoid the uncontrollable cloud security induced by complex production relations and non-trustworthy software/hardware sources when the two sets of security risks intersect. In this article, we investigate latent persistent threats against cloud environments and determine a high degree of complementarity and consistency between the NFV-based cloud environment and the dynamic defense concept. More specifically, new NFV-based cloud features provide an effective implementation for dynamic defense, while the generalized robustness of dynamic defense theory allows for high security gains. Intrinsic cloud security (iCS) is then proposed to align NFV-based clouds, mimicking defense and the moving target defense (MTD) paradigm to implement a seamless integration and symbiosis evolution between security and NFV-based clouds. We quantify the impact on system overhead to account for efficiency and cost issues. The simulation analysis demonstrates that the enhanced mode is able to consistently obtain a more beneficial and stable defense compared with the counterparts.

Yunfei Meng,Changbo Ke,Zhiqiu Huang

DOI: https://doi.org/10.1016/j.cose.2024.103850

IF: 5.105

2024-04-19

Computers & Security

Abstract:Software-defined networking (SDN) has been utilized to enforce the security of traditional networks. However, the existing SDN-based security enforcement mechanisms rely heavily on the security policies containing the underlying information of data plane, such as MAC address, IP address or switch ports. These security policies need to be specifically developed by network operators and loaded into the control plane manually. With increasing the scale of underlying network, the existing security policy management mechanisms confront more and more challenges. The security policy transformation for SDN networks is to research how to transform the high-level security policy without containing the underlying information into the practical flow entries used by Openflow switches automatically, thereby implementing the automatic management of security policies. To achieve this objective, we propose a model transformation based security policy automatic management framework for software-defined networking in this paper. Leveraging its functional modules, the framework can solve the problems of how to find a connected path for each access control rule of security policy model (SPM) in data plane, how to transform the connected path into the system model of flow entries, as well as how to generate the practical flow entries according to the system model of flow entries. In order to validate the effectiveness and performance of framework, we implement the framework by leveraging POX controller and Mininet emulator. The experimental results illustrate the framework can transform SPM into practical flow entries, synchronously perceive the modifications caused by cutting down one connected path or changing SPM, and continuously keep the data plane holding the security properties defined by SPM at runtime.

computer science, information systems

Yunfei Meng,Changbo Ke,Zhiqiu Huang,Guohua Shen,Chunming Liu,Xiaojie Feng

DOI: https://doi.org/10.48550/arXiv.2301.03790

2023-01-10

Cryptography and Security

Abstract:Software-defined networking (SDN) has been widely utilized to enforce the security of traditional networks, thereby promoting the process of transforming traditional networks into SDN networks. However, SDN-based security enforcement mechanisms rely heavily on the security policies containing the underlying information of data plane. With increasing the scale of underlying network, the current security policy management mechanism will confront more and more challenges. The security policy transformation for SDN networks is to research how to transform the high-level security policy without containing the underlying information of data plane into the practical flow entries used by the OpenFlow switches automatically, thereby implementing the automation of security policy management. Based on this insight, a practical runtime security policy transformation framework is proposed in this paper. First of all, we specify the security policies used by SDN networks as a system model of security policy (SPM). From the theoretical level, we establish the system model for SDN network and propose a formal method to transform SPM into the system model of flow entries automatically. From the practical level, we propose a runtime security policy transformation framework to solve the problem of how to find a connected path for each relationship of SPM in the data plane, as well as how to generate the practical flow entries according to the system model of flow entries. In order to validate the feasibility and effectiveness of the framework, we set up an experimental system and implement the framework with POX controller and Mininet emulator.

Ali Nadim Alhaj,Narottam Das Patel,Ajeet Singh,Rohit Kumar Bondugula,Mohsin Furkh Dar,Jameel Ahamed

DOI: https://doi.org/10.1504/ijsnet.2024.141613

2024-09-28

International Journal of Sensor Networks

Abstract:The rapid expansion of networks has given rise to numerous challenges and issues. In recent years, one idea that has captivated researchers is segregating the forwarding and control levels, which emerged with software-defined networking (SDN) frameworks. Despite centralised management and network administration advantages, SDN networks have encountered several issues, with safety and reliability being the most prominent. This paper proposes a comprehensive robust security architecture for SDN networks that consists of modular components. Each module addresses a specific security challenge, and by integrating these security solutions, we aim to establish a cohesive security framework for SDN. Furthermore, we propose a robust security algorithm capable of effectively mitigating critical security attacks such as DDoS, ARP, and MITM. Our approach involves developing a multi-level security algorithm to counteract most DDoS attacks, while also devising a real-time algorithm specifically designed to handle ARP attacks, including request-replay-ARP DoS attacks.

computer science, information systems,telecommunications

Vijay Varadharajan,Kallol Karmakar,Uday Tupakula,Michael Hitchens

DOI: https://doi.org/10.48550/arXiv.1806.02053

2018-06-06

Abstract:As networks expand in size and complexity, they pose greater administrative and management challenges. Software Defined Networks (SDN) offer a promising approach to meeting some of these challenges. In this paper, we propose a policy driven security architecture for securing end to end services across multiple SDN domains. We develop a language based approach to design security policies that are relevant for securing SDN services and communications. We describe the policy language and its use in specifying security policies to control the flow of information in a multi-domain SDN. We demonstrate the specification of fine grained security policies based on a variety of attributes such as parameters associated with users and devices/switches, context information such as location and routing information, and services accessed in SDN as well as security attributes associated with the switches and Controllers in different domains. An important feature of our architecture is its ability to specify path and flow based security policies, which are significant for securing end to end services in SDNs. We describe the design and the implementation of our proposed policy based security architecture and demonstrate its use in scenarios involving both intra and inter-domain communications with multiple SDN Controllers. We analyse the performance characteristics of our architecture as well as discuss how our architecture is able to counteract various security attacks. The dynamic security policy based approach and the distribution of corresponding security capabilities intelligently as a service layer that enable flow based security enforcement and protection of multitude of network devices against attacks are important contributions of this paper.

Cryptography and Security

Jiaqiang Liu,Yong Li,Huandong Wang,Depeng Jin,Li Su,Lieguang Zeng,Thanos Vasilakos

DOI: https://doi.org/10.1016/j.ins.2015.08.019

IF: 8.1

2015-01-01

Information Sciences

Abstract:Network operators employ a variety of security policies for protecting the data and services. However, deploying these policies in traditional network is complicated and security vulnerable due to the distributed network control and lack of standard control protocol. Software-defined network provides an ideal paradigm to address these challenges by separating control plane and data plane, and exploiting the logically centralized control. In this paper, we focus on taking the advantage of software-defined networking for security policies enforcement. We propose a two layer OpenFlow switch topology designed to implement security policies, which considers the limitation of flow table size in a single switch, the complexity of configuring security policies to these switches, and load balance among these switches. Furthermore, we introduce a safe way to update the configuration of these switches one by one for better load balance when traffic distribution changes. Specifically, we model the update process as a path in a graph, in which each node represents a security policy satisfied configuration, and each edge represents a single step of safely update. Based on this model, we design a heuristic algorithm to find an optimal update path in real time. Simulations of the update scheme show that our proposed algorithm is effective and robust under an extensive range of conditions.

Xie Jun,Xu Feng,Huang Hao

2004-01-01

Ruan Jian Xue Bao/Journal of Software

Abstract:MLS (multilevel security) is being widely applied in many security critical systems, but it can't implement many important security policies such as channel-control. In this paper, the concept of trust degree is introduced into the MLS to implement policies like channel-control conveniently. An access control state machine model which enforces the trust degree based multilevel security policy is established, and is proved to be secure for this policy. It is also proved that this model can enforce all static information flow policies. An extension of the model is also offered to support the dynamic change of storage objects' security labels. The model avoids the disadvantage of MLS' not being able to resolve the problem of secure downgrading and not taking integrity into consideration, and at the same time it retains the advantage of easy understanding and use enjoyed by the traditional classified policy models.

Yunfei Meng,Zhiqiu Huang,Guohua Shen,Changbo Ke

DOI: https://doi.org/10.1016/j.cose.2020.102089

2021-01-01

Abstract:<p>Software-defined networking (SDN) has been increasingly utilized to enforce the security of complex networks. However SDN-based security enforcement mechanisms rely heavily on some specific security policies containing underlying network information. Facing the increasingly complex and huge SDN networks, we urgently need a novel security policy management mechanism which can be completely transparent to any underlying network information. That is it can permit network managers to define the high-level security policy model without containing any underlying information, and by means of model transformation, high-level security policy model can be automatically transformed into its corresponding lower-level security policy model containing underlying information. Moreover, we must ensure the system model of data plane updated by the low-level security policy model can hold all of security properties defined in high-level security policy model. Based on these insights, we propose a security policy model transformation and verification approach for SDN in this paper. We first specify the security policies used in SDN networks as a formal security policy model (SPM). Then we establish the system model of SDN's data plane and the mapping rules between the policy objects of SPM and the system objects of system model of data plane. Based on these mapping rules, we propose a security policy model transformation mechanism which transforms SPM into the low-level security policy model, RSPM. In order to verify the system model of data plane updated by RSPM can hold all of security properties defined in SPM, we propose a security policy verification mechanism based on model checking techniques and a group of validation conditions. Finally, we utilize a comprehensive case to illustrate the feasibility of this approach.</p>

computer science, information systems

Xiong Liu,Haiwei Xue,Xiaoping Feng,Yiqi Dai

DOI: https://doi.org/10.1109/iccsn.2011.6013582

2011-01-01

Abstract:The administrator shall implement multilevel security policy in a multilevel security network system. The policy must ensure the information flow from low level host to the same level host or high level host, and prevent the information flow from high level host to low level host, but traditional network is difficult to meet the requirement. This paper proposes a design of multi-level security network switch system. The design adds a module named Filter based on OpenFlow. OpenFlow can control the packets flow of the network, and the Filter can check the packet's content and delay the packets then restrict covert channel. Using OpenFlow and the Filter, the system can implement the multilevel security policy in the scenario of local area network. The experiment verified the feasibility of the design.

Kai Bu,Yutian Yang,Zixuan Guo,Yuanyuan Yang,Xing Li,Shigeng Zhang

DOI: https://doi.org/10.1016/j.comnet.2021.108099

IF: 5.493

2021-01-01

Computer Networks

Abstract:Software-Defined Networking (SDN) greatly simplifies middlebox policy enforcement. Middleboxes need tag packet headers to avoid forwarding ambiguity on SDN switches. In this paper, we present a new attack, called middlebox-bypass attack, to breach SDN-based middlebox policy enforcement. Such an attack manipulates a compromised switch to locally tag attacking packets without handing them over to the attached middlebox for inspection. Existing SDN security solutions, however, cannot detect the middlebox-bypass attack under practical constraints of efficiency, robustness, and applicability. We design and implement FlowCloak, the first protocol for per-packet real-time detection and prevention of middlebox-bypass attacks. FlowCloak enables middleboxes to generate tags that are probabilistically unknown to an attacker and confines it to only random guessing. We propose a multi-tag verification technique to address the tradeoff between FlowCloak robustness and TCAM usage by tag verification rules on the egress switch. Experiment results show that dozens of verification rules can confine the attacking probability under 0.1%. We further explore implementation techniques of packet looping and field swapping that can enable a flow table pipeline on a single TCAM and mitigate packet correlation, respectively. FlowCloak imposes only a 0.01 ms packet processing delay on middleboxes and no obvious delay on the egress switch.

Zhiyuan Hu,Mingwen Wang,Xueqiang Yan,Yueming Yin,Zhigang Luo

DOI: https://doi.org/10.1109/icin.2015.7073803

2015-01-01

Abstract:SDN enables the administrators to configure network resources very quickly and to adjust network-wide traffic flow to meet changing needs dynamically. However, there are some challenges for implementing a full-scale carrier SDN. One of the most important challenges is SDN security, which is beginning to receive attention. With new SDN architecture, some security threats are common to traditional networking, but the profile of these threats (including their likelihood and impact and hence their overall risk level) changes. Moreover, there are some new security challenges such as bypassing predefined mandatory policies by overwriting flow entries and data eavesdropping by inserting fraudulent flow entries. This paper is to design open-flow specific security solutions and propose a comprehensive security architecture to provide security services such as enforcing mandatory network policy correctly and receiving network policy securely for SDN in order to solve these common security issues and new security challenges. It can also help the developers to implement security functions to provide security services when developing the SDN controller.

Mahmoud Elzoghbi,Hui He

DOI: https://doi.org/10.1109/wcnc57260.2024.10571341

2024-01-01

Abstract:The rapid evolution of Software-Defined Networks (SDNs) brings numerous benefits to network management and operations but also introduces several security challenges, especially when it comes to discovering hosts. Predominant among these challenges is host hijacking/address spoofing, which can precipitate flow entries overflow in OpenFlow switches' flow tables and lead to Denial of Service (DoS) attacks on the SDN controller. Subsequently, our research offers MTLSAuth, an in-novative technique that integrates the robust principles of Mutual TLS (MTLS) protocol in host discovery and authentication. MTLSAuth is meticulously designed to bolster host authentication within the ever-expanding SDN infrastructures, catering to the increasing demands of modern network environments. Alongside proposing MTLSAuth, our research provides an in-depth analysis and evaluation of host hijacking/address spoofing within SDN networks, shedding light on their profound impact on OpenFlow switches and SDN controller. In a comparative evaluation against established methods, MTLSAuth distinctly outperforms, achieving a notable reduction in host-to-host delay time, with an improvement of 10% to 15% relative to the Port-Knocking approach. Beyond its empirical success, this research elaborates on MTLSAuth's foundational principles and potential applications. As SDNs increasingly form the underpinning of modern networking, solutions like MTLSAuth emerge as vital in establishing a secure, efficient, and resilient network landscape.

Qi Li,Yanyu Chen,Patrick P. C. Lee,Mingwei Xu,Kui Ren

DOI: https://doi.org/10.1109/tnet.2018.2853593

2018-01-01

IEEE/ACM Transactions on Networking

Abstract:Software-defined networking (SDN) utilizes a centralized controller to distribute packet processing rules to network switches. However, rules are often generated by the applications developed by different organizations, so they may conflict with each other in data plane and lead to violations with security rules. The problem is similar to firewall conflicts in IP networks. Rule conflict resolution should incur negligible process delay, such that all rules can he correctly and safely enforced in the data plane in real time. However, since SDN allows users to use more than 35 fields to specify rules (including field transition rules), it is much more complicated to prevent enforcement of SDN rules from violating with security rules than to resolve firewall rule violation, and in particular, field transition rules are enforced. Therefore, it is extremely difficult to resolve such rule conflicts in real time before the rules are installed in SDN data plane. In this paper, we investigate the rule conflict problem in SDN and identify new covert channel attacks due to rule conflicts. To the end, we propose the covert channel defender (CCD) that prevents covert channel attacks by verifying and resolving rule conflicts. Specifically, CCD tracks all rule insertion and modification messages from applications running on the controller. It analyzes the correlation among rules based on multiple packet header fields and resolves any identified rule conflict in real time before rule installation. We implement CCD with the Floodlight controller and evaluate its performance with the real-world Stanford topology. We show that CCD can efficiently detect and prevent rule conflicts in the data plane that may raise covert channels within hundreds of microseconds and brings small overhead to the packet delivery.

Ayush Thakur

2024-09-04

Abstract:Multiprotocol Label Switching (MPLS) is a high-performance telecommunications technology that directs data from one network node to another based on short path labels rather than long network addresses. Its efficiency and scalability have made it a popular choice for large-scale and enterprise networks. However, as MPLS networks grow and evolve, they encounter various security challenges. This paper explores the security implications associated with MPLS networks, including risks such as label spoofing, traffic interception, and denial of service attacks. Additionally, it evaluates advanced mitigation strategies to address these vulnerabilities, leveraging mathematical models and security protocols to enhance MPLS network resilience. By integrating theoretical analysis with practical solutions, this paper aims to provide a comprehensive understanding of MPLS security and propose effective methods for safeguarding network infrastructure.

Cryptography and Security,Artificial Intelligence,Networking and Internet Architecture

Xinming Chen,Beipeng Mu,Zhen Chen

DOI: https://doi.org/10.1109/cmc.2011.94

2011-01-01

Abstract:Malicious attacks are frequently launched to make specified network service unavailable, compromising end hosts for political or business purpose. Though network security appliances are widely deployed to resist these attacks, there is a lack of dynamic and collaborative platform to flexibly configure and manage all the security elements. In this paper, we present NetSecu, a platform based on Java and Click Router, which can dynamically enable, disable and configure security elements such as firewall, IPS and AV. Furthermore, a collaborate module is implemented to integrate individual NetSecu platform into a Secure Overlay Network, providing collaborative traffic control against DDoS attack. Equipped with collaborate module, NetSecu platforms are organized in a tree hierarchy where each level node is registered to its father node. A Central Management Site acts as the root node for large scale deployment. The policy is distributed from higher level to lower level NetSecu nodes, while security events are aggregated from lower level to higher level. Performance evaluation shows that our NetSecu system can achieve line rate with and without security function. Finally we deploy the NetSecu platform in multiple sites, where our design is fully demonstrated and tested.

Hamidreza Almasi,Hossein Ajorloo

DOI: https://doi.org/10.48550/arXiv.1610.05062

2017-03-11

Abstract:Presence of a logically centralized controller in software-defined networks enables smart and fine-grained management of network traffic. Generally, traffic management includes measurement, analysis and control of traffic in order to improve resource utilization. This is done by inspecting corresponding performance requirements using metrics such as packet delay, jitter, loss rate and bandwidth utilization from global network view. There has been many works regarding traffic management of software-defined networks and how it could help to efficiently allocate resources. However, the vast majority of these solutions are bounded to indirect information retrieved within the border of ingress and egress switches. This means that the three stage loop of measurement, analysis and control is performed on switches in between this border while the traffic flowing in network originates from applications on end hosts. In this work, we present a framework for incorporating network applications into the task of traffic management using the concept of software-defined networking. We demonstrate how this could help applications to receive desired level of quality of service by implementing a prototype of an API for flow bandwidth reservation using OpenFlow and OVSDB protocols.

Networking and Internet Architecture

XIA Lei,HUANG Hao,YU Shu-ying,WANG Zhi-qiang

2007-01-01

Abstract:Increasing diversity and complexity of the computing environments result in various security requirements.MLS security policy only aims at confidentiality assurance,in less consideration of integrity assurance and weakness in channel control.To handle that the trusted subjects have many security shortcomings of MLS model,a multi-policy views security model(MPVSM)was presented.Based on the MLS model,MPVSM combined the domain and type attributes to the model,to enforce the channel control policy,make permission management more fine-grained and enhance the ability to confine the permission of the trusted subjects.MPVSM was also able to enforce multi-policy views in operating system in a flexible way.The implementation of the MPVSM model in our prototype trusted operating system Nutos was also introduced.

Felipe S. Dantas Silva,Emidio P. Neto,Rodrigo S. S. Nunes,Cristian H. M. Souza,Augusto J. V. Neto,Túlio Pascoal

DOI: https://doi.org/10.1007/s10922-023-09746-z

2023-07-08

Journal of Network and Systems Management

Abstract:Over the last decade, Software-Defined Networking (SDN) has become increasingly popular in computer network infrastructures. However, due to its relatively recent implementation, protective measures still need to be fully developed. One significant security concern with SDN is its vulnerability to scanning attacks, which can escalate to more severe attacks like Denial-of-Service (DoS) attacks. Recently, Moving Target Defense (MTD) techniques have been used to address scanning attacks. Still, they can negatively impact network performance due to the reliance on delay tactics that increase network latency. This article introduces the MTD Adaptive Delay System (MADS) to provide feasible MTD-based protection against scanning attacks without compromising the network service parameters, especially regarding Quality of Service (QoS). Unlike existing methods that continually apply delays to all traffic packets, MADS-based delays are only triggered and applied to packets when the victim network is under attack based on the intensity of the traffic commonly used in scanning attacks. MADS' performance was evaluated and compared to state-of-the-art MTD-based defenses, and it was found to cause less network degradation while maintaining the same efficiency as MTD-based techniques against scanning attacks. Furthermore, MADS had a shorter average latency time (99.4% lower) and better average throughput (4.87% higher) than the two baseline MTD-based solutions. Additionally, MADS did not produce Bad TCP packets compared to baseline works under the same attack scenarios.

computer science, information systems,telecommunications

Abdallah Mustafa Abdelrahman,Joel J. P. C. Rodrigues,Mukhtar M. E. Mahmoud,Kashif Saleem,Ashok Kumar Das,Valery Korotaev,Sergei A. Kozlov

DOI: https://doi.org/10.1002/dac.4706

2020-12-15

International Journal of Communication Systems

Abstract:Software‐defined networking (SDN) is an agile, modern networking approach that facilitates innovations in the networking paradigm. The abstracted and centralized network operating system facilitates the network management and reduces operational expenditure (OPEX). The open nature and simplicity of the data‐forwarding plane dramatically reduces capital expenditure (CAPEX) by leveraging commodity servers and switches. SDN also lends itself very well to address major cloud computing issues and complement cloud services, especially in terms of network virtualization and networking as a service (NaaS). As a new technology, SDN does involve certain security challenges, which include distributed denial of service (DDoS) threats, build and run time injected malware, insider (tenant) attacks, and security holes resulting from controller misconfigurations. These are severe threats that can cripple an entire network. It is crucial to address the SDN vulnerabilities to ensure its successful deployment in private data center networks, on cloud platforms and beyond. Some security solutions leverage the built‐in features of SDN, such as its controller software component, while other solutions provide external SDN applications running above the controller. This study reviews the security solutions for the vulnerabilities of state‐of‐the‐art SDN controllers and the available countermeasures. Furthermore, an in‐depth analysis of the SDN features that support security is presented, and some unresolved research issues on SDN controllers are identified.

telecommunications,engineering, electrical & electronic