Fei Yu,XiaoPing Dai,Yue Shen,Huang Huang,Miaoliang Zhu

DOI: https://doi.org/10.1109/ICSSSM.2005.1500110

2005-01-01

Abstract:The problem in network security presently is how to get real-time intrusion detection and alert. In the paper, we design Intrusion Detection System architecture and arithmetic again, meanwhile put forward an improved pattern matching arithmetic based on protocol analysis and theorization machine on Frete. New architecture can use network processor to collect and analyze data in network bottom, which enhance the speed and efficiency in Detection System.

Qiumei Cheng,Chunming Wu,Haifeng Zhou,Yuhang Zhang,Rui Wang,Wei Ruan

DOI: https://doi.org/10.1109/hpcc/smartcity/dss.2018.00149

2018-01-01

Abstract:Guarding the perimeter of cloud-based enterprise networks is a challenge due to massive traffic with dynamic nature. Current firewalls of enterprise networks in cloud are largely based on static security rule configuration or simple rule matching, which makes them inflexible, error-prone and poorly effective, bringing about severe security risks. In this paper, we propose an artificial intelligence-based software-defined networks firewall (AI-SDNF) for solving the above problems. Compared with existing SDN firewalls, AI-SDNF is able to extract and analyze the payload of data packets based on machine learning technologies rather than simply match with flow tables according to several header fields (e.g., source and destination IP/MAC addresses). Considering deciding whether a packet is benign or malicious is able to be formulated as a typical binary classification problem, we employ logistic regression for training an intelligent SDN firewall under supervised machine learning. We implement a prototype of AI-SDNF on the OpenDaylight controller and the OpenStack platform. Based on the prototype, we evaluate its performance and overheads with real dataset. The experimental results indicate that AI-SDNF achieves a relatively high detection accuracy of 96.79% with an average of 0.2ms latency.

Fei He,Yaxuan Qi,Yibo Xue,Jun Li

DOI: https://doi.org/10.1109/glocom.2010.5684122

2010-01-01

Abstract:Inline stateful and deep inspection for network intrusion prevention system (NIPS) is progressively challenging to cope with the fast growing volume and ever increasing complexity of network traffic. Traditional cluster-based architectures provide a solution for scalable and high performance NIPS, but with some common limitations. This paper proposed yet another cluster-based architecture (YACA) with a stateful traffic splitter. As an architectural approach for building a high performance NIPS, we present a novel design of stateful traffic splitter. The performance of its network processor implemented prototype demonstrates that such a design is suitable for the proposed architecture.

Gao Wen,Zhou Boyang,Wu Chunming,Zhou Haifeng,Jiang Ming,Hong Xiaoyan

DOI: https://doi.org/10.1049/cje.2015.07.035

IF: 1.019

2015-01-01

Chinese Journal of Electronics

Abstract:In the Software-defined networking（SDN）,when multiple control domains are used in control services,the transient state problem can occur causing the service flow interruption when border switches are updated asynchronously. We analyze the uniqueness of this problem for SDN, and propose a light-weight protocol for safe reconfiguration of the border switches in order to improve the availability of the services running in SDN. Our solution is designed as a generic supervision layer added in the control plane to support different types of services. To demonstrate the benefits, we implement a prototype of Informationcentric networks（ICN） with the protocol, and conduct experiments using Planet Lab. The results show the ICN service can continuously serve high volume requests for contents despite the congestions built by the heavy background traffic. The performance gains in terms of the mean and standard deviation of the content retrieve delay are40.5% and 21.56%.

Xu Bo,He Fei,Xue Yibo,Li Jun

DOI: https://doi.org/10.1016/s1007-0214(09)70003-3

2009-01-01

Abstract:Today's firewalls and security gateways are required to not only block unauthorized accesses by authenticating packet headers, but also inspect flow payloads against malicious intrusions. Deep inspection emerges as a seamless integration of packet classification for access control and pattern matching for intrusion prevention. The two function blocks are linked together via well-designed session lookup schemes. This paper presents an architecture-aware session lookup scheme for deep inspection on network processors (NPs). Test results show that the proposed session data structure and integration approach can achieve the OC-48 line rate (2.5 Gbps) with inline stateful content inspection on the Intel IXP2850 NP. This work provides an insight into application design and implementation on NPs and principles for performance tuning of NP-based programming such as data allocation, task partitioning, latency hiding, and thread synchronization.

Junchi Xing,Mingliang Yang,Haifeng Zhou,Chunming Wu,Wei Ruan

DOI: https://doi.org/10.1109/IPCCC47392.2019.8958776

2019-01-01

Abstract:Network reconnaissance aims at gathering as much information as possible before an attack is launched. Meanwhile, static host address configuration facilitates network reconnaissance. Currently, more sophisticated network reconnaissance has been emerged with the adaptive and cooperative features. To address this, in this paper, we present Hiding and Trapping (HaT), which is a deceptive approach to disrupt adversarial network reconnaissance with the help of the software-defined networking (SDN) paradigm. HaT is able to hide valuable hosts from attackers and to trap them into decoy nodes through strategic and holistic host address mutation according to characteristic of adversaries. We implement a prototype of HaT, and evaluate its performance by experiments. The experimental results show that HaT is capable to effectively disrupt adversarial network reconnaissance with better deceptive performance than the existing address randomization approach.

Junchi Xing,Haifeng Zhou,Jinfan Shen,Kai Zhu,Yansong Wang,Chunming Wu,Wei Ruan

DOI: https://doi.org/10.1109/ICT.2018.8464855

2018-01-01

Abstract:Distributed Denial-of-Service (DDoS) attack has been a "nightmare" for cloud. A countermeasure is to establish an Intrusion Detection and Prevention System (IDPS) for cloud. Nevertheless, current IDPSes fail to achieve the detection and prevention in a flexible and lightweight way. In this paper, we propose a novel scheme of IDPS for overcoming the above problem, termed as Auto-scaling IDPS (AsIDPS). AsIDPS is based on Software-Defined Networking (SDN) and Docker container technologies. It first detects abnormal traffic based on the flow statistics collected in SDN switches in real-time. By the SDN controller, the abnormal traffic will be directed to the created Docker containers with Snort running on them for further detection and clean-up. Particularly, the Docker containers can be automatically scaled out or scaled down on demand. The Snort will also deliver an alert to the SDN controller if it detects attack traffic so as to perform a countermeasure if necessary. Benefitting from the flexible network management offered by SDN and the lightweight Docker container, AsIDPS is able to build a flexible and lightweight defense against DDoS attack in cloud. Based on our prototype implementation, we validate the effectiveness of AsIDPS in defending DDoS attack, and also verify its flexibility and lightweight.

Baojun Zhang,Xuezeng Pan,Jiebing Wang

DOI: https://doi.org/10.1109/fskd.2007.348

2007-01-01

Abstract:The current network is complicated due to the high- throughput and the multiformity of actions. A hybrid intru- sion detection system (HIDSFCN) is proposed in this study to satisfy the current network. It combines the advantages of all kinds of IDS and put forwards our own solvents to those key problems in current research. Experiment results demonstrate that our HIDSFCN is of high performance and good practicability.

Xiang Wang,Yaxuan Qi,Baohua Yang,Yibo Xue,Jun Li

DOI: https://doi.org/10.1109/icpads.2009.109

2009-01-01

Abstract:Network intrusion prevention system (NIPS) becomes more complex due to the rapid growth of network bandwidth and requirement of network security. However existing solutions, either hardware-based or software-based cannot obtain a good tradeoff between performance and flexibility. In this paper, we propose a parallel NIPS architecture using emerging network services processor. To resolve the problems and bottlenecks of high-speed processing, we investigate the main design aspects which have dramatic impacts on most parallel network security system implementations: efficient and flexible pipeline and parallel processing, flow-level packet-order preserving, and latency hiding of deep packet inspection. To these key points, we address several optimizations and modifications with an architecture-aware design principle to guarantee high performance and flexibility of the NIPS on a network services processor implementation. Performance evaluation shows that, our prototype NIPS on Cavium OCTEON3860 processor can reach line-rate stateful inspection and multi-Gbps deep inspection performance.

Guangfeng Guo,Junxing Zhang,Zhanfei Ma

DOI: https://doi.org/10.2298/csis200206049g

2021-01-01

Computer Science and Information Systems

Abstract:As traditional networks, the software-defined campus network also suffers from intrusion attacks. Current solutions for intrusion prevention cannot meet the requirements of the campus network. Existing methods of attack traceback are either limited to specific protocols or incur high overhead. To protect the data center (DC) of the campus network from internal and external attacks, we propose an Intrusion Prevention System (IPS) based on the coordinated control between the detection engine, the attack traceback agent, and the software-defined control plane. Our solution includes a novel algorithm to infer the best switch port for defending different attacks of varied scales based on the inverse HSA (Header Space Analysis) and the global view of the software-defined controller. The proposed scheme can effectively and timely block the malicious traffic not only protecting victim hosts from attacks but also preventing the whole network from suffering unwanted transmission burden. The proposed IPS is deployed on the bypass of the DC switch and collects network traffic by port mirroring. Compared with the traditional serial deployment, the new design helps defend the DC internal attacks, reduce the probability of network congestion, and avoid the single point of failure. The experimental results show that the overhead of our IPS is very low, which enables it to meet the real-time requirements. The average defense time is between 10 and 14 ms for the data center internal attacks of different scales. For external attacks, the maximum defense time is about 76 ms for a large-scale network with 100 switches.

computer science, information systems, software engineering

Qianli Zhang,Xing Li

1999-01-01

Abstract:In order to present large-scale malicious attacks on an ISP network to maintain network services, we have designed a method to record key packets classified by sessions. Session is the service provided above the IP layer. We define a TCP connection a session, a UDP packet exchange a session, or echo and echo response of ICMP to be a session. The research of network attack/intrusion/information collection has shown that most of the illegal action performed would have something special ongoing in such sessions. For example, winnuke will send OOB packets to the 139 port of a host; most of the platform detection will use strange packets too. Not only the strange packets itself, but the sequence of such packets going through the network indicate the attack. For example, teardrop will transmit packets that have abnormal fragment offset in the second packet, then cause some platform to crash. Some patterns of sessions will be created by flood based attack/information collection. For example, the SYN flood will create a pile SYN-SYN ACK-RST packets in the network, and most of scan tools will create several kind of patterns in the network, all of these patterns indicate the failure of the connection, these include SYN-SYN ACK-RST and SYN-RST and SYNICMP Unreachable message. Based on this thought, we have designed the session-state transition analysis. We will define some packets as the indication of the session state. The happening of such packets causes the change of the session state. When comparing with the predefined rules, we will detect most of the DOS attacks. Another approach is to store these session states transition patterns into a database; thus we can calculate the happening rates of some specific patterns. Compared with the average level, abnormal high happening rates often indicate the possible attack or information collection. For example, we can collect a site’s all sessions' SYN-SYN ACK-RST pattern to decide whether a normal scan had happened. The implementation includes four parts. The first is the data collection part, which collects and unwraps packets passing through the network; the second part is the signature matching part, which will match the packet signature, to filter only the specified packets; the third part will cluster such pa ckets into sessions, and store the session specific signature chain and check whether a rule based match is satisfied; the fourth part will flush the session data into a database, and check whether a statistical based anomaly has happened. Using such kind of techniques has several basic advantages. The first is not to violate privacy, since we are interested in only packet header to know whether a state has changed, to inspect header only also make this implementation efficient and fit for a large scale network. The other advantage is to avoid the headache to set the threshold of a statistical approach. Most scan detection tools (For example, gabriel) will calculate the burst of connections. New scan technique has appeared to avoid burst of connections, for example, slow scan and stealthy scan. Set a proper threshold is much more difficult for a large-scale network. For rule based analysis, since we use the state transition to detect intrusion, we could predict the happening of some attacks in a premature stage. The future approach includes the content analysis based IDS, especially the remote buffer overflow detection. This part of research is underway.

Zhang Peng,Chen Xiangning,Ge Yun,Jin Lin

DOI: https://doi.org/10.1049/cje.2016.06.004

IF: 1.019

2016-01-01

Chinese Journal of Electronics

Abstract:After studying the routing and forwarding process of network stream and the implementation of SDN, we propose a retractable management model for flow table. A structure with parallel tables and synthesis processing is proposed according to the feature of SDN and traditional network. The parallel tables share the same storage resources. Thanks to the separation of data plane and control plane, control plane owns more computing resources than traditional device. It evaluates the role of nodes and the action of network flows, makes adjustment according to the historical and current information and streamlines flow tables by consolidating and simplifying old flow entries. Through simulation, it is proved that the realized method can defend offensive traffic while ensuring the safety of accessing and forwarding, especially existing blocking attack.

N Maheswaran,S Bose,Buvaneswari Natarajan

DOI: https://doi.org/10.1080/00051144.2024.2372749

IF: 1.79

2024-07-13

Automatika

Abstract:The advancements made in Software-Defined Networking (SDN) technology seem quite promising, with potential wide application in managing and controlling the latest network infrastructures. SDN technology decouples the control plane from the data plane, enabling effective and flexible network management. However, this dynamic phenomenon brings new security challenges. With the increasing dynamism and programmable nature of networks, conventional security protocols may not sufficient to protect against advanced and sophisticated attacks. Although Intrusion Detection Systems (IDSs) have been extensively applied for identifying and preventing security threats in traditional network environments, IDS models designed specifically for traditional network requirements may not be adequate for SDN environments. These issues may stem from the static nature of conventional networks, contrasting with the dynamicity of advanced SDN networks, and the traditional IDS's inability to adapt to the dynamic nature of SDN. To address these challenges, the current research proposes a novel Deep Hybrid IDS model to enhance network security in SDN environments and prevent attacks using Scapy. The proposed model detects signature-based attacks by integrating Gated Recurrent Units (GRU) and Long Short-Term Memory (LSTM) for real-time simulated datasets, achieving an accuracy of 97.8%, which is comparatively better than existing models.

automation & control systems,engineering, electrical & electronic

Shuyong Zhu,Jun Bi,Chen Sun

2014-01-01

Abstract:Software Defined Networking (SDN) is a new network architecture where network control is decoupled from forwarding and is directly programmable. However, existing techniques provide limited support for stateful forwarding in SDN data plane. Relying on the controller for all state maintaining gives rise to scalability and performance issues. In this paper, we present Stateful Forwarding Abstraction (SFA) in SDN data plane. And we design a co-processing unit in SDN switches named Forwarding Processor (FP). It can deal with state information in data plane and its instructions can be flexibly extended to meet application requirements. Through SFA, we implement stateful network processing on the datapath which covers a full range of Layer 4 to Layer 7 services. We validate its performance based on IPsec. The experiment result proves that the forwarding efficiency is greatly improved.

Haiguang Lai,Shengwen Cai,Hao Huang,Junyuan Xie,Hui Li

DOI: https://doi.org/10.1007/978-3-540-24852-1_32

2004-01-01

Abstract:The process speed of network-based intrusion detection systems (NIDSs) is still low compared with the speed of networks. As a result, few NIDS is applicable in a high-speed network. A parallel NIDS for high-speed networks is presented in this paper. By dividing the overall traffic into small slices, several sensors can analyze the traffic concurrently and significantly increase the process speed. For most attacks, our partition algorithm ensures that a single slice contains all the evidence necessary to detect a specific attack, making sensor-to-sensor interaction unnecessary, Meanwhile, by making use of the character of the network traffic, the algorithm can also dynamically balance all sensors' loads. To keep the system as simple as possible, a specific sensor is used to detect the scan and the DoS attack. Although only one sensor is used for this kind of attacks, we argue that our system can still provide high process ability....

Arjun Singh,Preeti Mishra,P. Vinod,Avantika Gaur,Mauro Conti

DOI: https://doi.org/10.1007/s10586-024-04444-0

2024-05-01

Cluster Computing

Abstract:The evolving behavior of the attacks may affect the decision boundaries of the trained machine learning models. The issue has not been well investigated, especially with hypervisor-based security solutions where virtual machine (VM)'s network artifacts are introspected and analyzed. In this paper, we proposed a sustainable and explainable flow-filtering-based concept drift-driven network intrusion detection approach, called 'SFC-NIDS' which introspects network activities by analyzing VM traffic profile. The VM traffic is captured and pre-processed at the hypervisor to extract important network artifacts. The redundant and trivial network flows have been filtered using the proposed gradient descent-based flow filtering mechanism and validated using explainability. SFC-NIDS employs auto-encoders to reconstruct the traffic features to capture additional patterns. Afterward, the 1D-convolution neural network has been employed to learn and detect malicious attack flows. The model's sustainability is ensured by integrating the drift detection mechanism with the decision model to retrain it with evolving attack patterns. The approach has been validated with virtual network traffic artifacts collected at the hypervisor and provides 98.9% accuracy, 99.03%, and F1-Score. In addition, the approach has also been validated using the KDD99 dataset, showcasing an accuracy of 99.97% and an F1-Score of 99.98%.

computer science, information systems, theory & methods

Dmitrii Kuvaiskii,Somnath Chakrabarti,Mona Vij

DOI: https://doi.org/10.48550/arXiv.1802.00508

2018-02-01

Networking and Internet Architecture

Abstract:Network Function Virtualization (NFV) promises the benefits of reduced infrastructure, personnel, and management costs by outsourcing network middleboxes to the public or private cloud. Unfortunately, running network functions in the cloud entails security challenges, especially for complex stateful services. In this paper, we describe our experiences with hardening the king of middleboxes - Intrusion Detection Systems (IDS) - using Intel Software Guard Extensions (Intel SGX) technology. Our IDS secured using Intel SGX, called SEC-IDS, is an unmodified Snort 3 with a DPDK network layer that achieves 10Gbps line rate. SEC-IDS guarantees computational integrity by running all Snort code inside an Intel SGX enclave. At the same time, SEC-IDS achieves near-native performance, with throughput close to 100 percent of vanilla Snort 3, by retaining network I/O outside of the enclave. Our experiments indicate that performance is only constrained by the modest Enclave Page Cache size available on current Intel SGX Skylake based E3 Xeon platforms. Finally, we kept the porting effort minimal by using the Graphene-SGX library OS. Only 27 Lines of Code (LoC) were modified in Snort and 178 LoC in Graphene-SGX itself.

Qizhao Zhou,Junqing Yu,Dong Li

DOI: https://doi.org/10.1016/j.comnet.2021.108075

IF: 5.493

2021-07-01

Computer Networks

Abstract:<p>We consider the problem of source address validation implementation (SAVI) in a Software-Defined Network (SDN) environment. The integration of SAVI and SDN can further address the challenges in a typical architecture such as the complexity of SAVI's deployment and the acquisition of security data in the access layer. A key aspect of this campaign consists of filtering forged packets and verifying the authenticity of the source address. A common strategy is to create bindings between the IP address of a node and a property of the host's network attachment. However, problem still accompany with the deployment of SAVI, including the performance cost of the SDN controller caused by the redundant validation process, especially in the case of an overflow of the flow table and other anomalous conditions in the network. Our contribution in this paper is to design and implement a dynamic framework for lightweight SAVI based on SDN (D-SAVI), which is an enhancement of SDN setups to allow proper source address validation on downstream network ingress ports, without incurring a large performance overhead. Initially, we proposed a fine-grained dual-level structure to match flow entry flexibly to complete the dynamic deployment of SAVI. A priority-based validation mechanism was added for further efficiency optimization. We then designed a state partition and transition module to optimize network performance under anomalous conditions, especially the communication performance between the controllers and switches in the SDN-based networks with a global view. Consequently, under the premise of network security, D-SAVI could filter out, with better packet forwarding efficiency, packets that do not match existing binding relationships. The experimental results demonstrate that our implementation provides source address verification with less resource consumption than existing methods.</p>

computer science, information systems,telecommunications,engineering, electrical & electronic, hardware & architecture

Andrea Bianco,Paolo Giaccone,Seyedaidin Kelki,Nicolas Mejia Campos,Stefano Traverso,Tianzhu Zhang

DOI: https://doi.org/10.1109/icc.2017.7997297

2017-01-01

Abstract:The novel “stateful” approach in Software Defined Networking (SDN) provides programmable processing capabilities within the switches to reduce the interaction with the SDN controller and thus improve the scalability and the performance of the network. In our work we consider specifically the stateful extension of OpenFlow that was recently proposed, called Open-State, that allows to program simple state machines in almost-standard OpenFlow switches. We consider a reactive traffic control application that reacts to the traffic flows which are identified in real-time by a generic traffic classification engine. We devise an architecture in which an OpenState-enabled switch sends the minimum number of packets to the traffic classifier, in order to minimize the load on the classifier and improve the scalability of the approach. We design two stateful approaches to minimize the memory occupancy in the flow tables of the switches. Finally, we validate experimentally our solutions and estimate the required memory for the flow tables.

Michael Hilker,Christoph Schommer

DOI: https://doi.org/10.48550/arXiv.0805.0849

2008-05-07

Abstract:Current network protection systems use a collection of intelligent components - e.g. classifiers or rule-based firewall systems to detect intrusions and anomalies and to secure a network against viruses, worms, or trojans. However, these network systems rely on individuality and support an architecture with less collaborative work of the protection components. They give less administration support for maintenance, but offer a large number of individual single points of failures - an ideal situation for network attacks to succeed. In this work, we discuss the required features, the performance, and the problems of a distributed protection system called SANA. It consists of a cooperative architecture, it is motivated by the human immune system, where the components correspond to artificial immune cells that are connected for their collaborative work. SANA promises a better protection against intruders than common known protection systems through an adaptive self-management while keeping the resources efficiently by an intelligent reduction of redundant tasks. We introduce a library of several novel and common used protection components and evaluate the performance of SANA by a proof-of-concept implementation.

Cryptography and Security,Multiagent Systems