Yi Shen,Chunming Wu,Qiumei Cheng,Dezhang Kong

DOI: https://doi.org/10.1109/hpcc-smartcity-dss50907.2020.00122

2020-01-01

Abstract:Software-Defined Networking (SDN) is an emerging network platform, which decouples the control and data planes. As the most popular southbound protocol and standard, OpenFlow converts network forwarding policies to rule entries and stores them in the flow table. However, the capacity of the flow table is restricted, which can lead to table-overflow if the space is inefficiently used. In this paper, we propose an adaptive flow table management scheme (AFTM) on the control plane, which combines assigning dynamic timeout and proactive eviction to manage the limited flow table resources. The timeout assignment module and the proactive eviction module are not independent parts but work collaboratively. The timeout assignment module sets suitable timeouts for rule entries according to flow characteristics, so that entries of short-lived flows are quickly removed while entries of flows with large packet intervals are retained. When the table space is insufficient, the proactive eviction module removes rule entries to protect the flow table from table-overflow. In our design, the eviction thresholds and parameters in both modules can be adaptively adjusted according to the network load. Experimental results show that AFTM can effectively manage the flow table resource and reduce the number of packet drop rates by up to 81% compared with existing schemes.

Ling Chen,Wei Liu,Gencai Chen

DOI: https://doi.org/10.1109/CSCWD.2006.253173

2006-01-01

Abstract:In this paper, an adaptive-filtering policy for distributed virtual environments (DVEs) was brought forward. It took advantages of two traditional filtering policies (static-filtering policy and equidistance-transmission policy) and could adaptively select the fittest filtering policy corresponding to current motion characteristic of the virtual object in DVEs. An experiment was designed to compare this filtering policy with the two traditional filtering policies on task performance. Objective (task completion time, state updates transmitted and state updates per second) and subjective (filtering quality) evaluations were recorded in the experiment. The experiment results show that if mean state updates per second is equal or greater than 20 in the task, SUT and SUPS can be decreased by adaptive-filtering policy without task performance affected obviously. However, if mean state updates per second is around 10 in the task, accompanied with SUT and SUPS decreased by adaptive-filtering policy, task performance also deteriorated badly

Guangwu Hu,Jianping Wu,Ke Xu,Wenlong Chen

DOI: https://doi.org/10.1109/ICCCN.2011.6005783

2011-01-01

Abstract:In current network, as we all know, packets delivered by routers only rely on destination-address-directed forwarding, but their source addresses are not checked. Consequently, this incurs many serious network security breach events which are hard to trackback. Under this situation, a switch (we call it SAVI switch) followed SAVI (Source Address Validation Improvement) framework proposed by IETF was invented which dedicates to resolving this problem in user local subnet. SAVI switch is a direct and very effective anti-spoofing device, but because it just steps into a phase of industrialization and for economical and incremental deployment reasons, these switches are not fully covered in domain. This results in two issues at the same time: 1)how to filter out and abandon those packets whose source IP addresses belong to SAVI switches coverage, but actually not, otherwise, this will severely compromise the SAVI switch access users' motivation and SAVI's promotion. 2) how to traceback those packets' source router-the first hop routers of spoofed packets. In this paper, we present SAVT, a practical and smart scheme for source address validation and traceback in campus network for all outbound packets, it just need less 25% routers as filter router can resolve those two questions in most condition. Experiments illustrate our proposal keeps the promise of practicality, stability and efficiency.

Shu Yang,Mingwei Xu,Dan Wang,Jianping Wu

DOI: https://doi.org/10.1109/ICCCN.2012.6289219

2012-01-01

Abstract:Source address filtering is used as an important mechanism to prevent malicious traffic. Currently, most networks store filters in hardware such as TCAM, which has limited capacity, high power consumption and high cost. Although software can accommodate large number of filters, it needs multiple accesses to memory on the border router, which bears much more additional burden than other routers.In this paper, we propose a software-based mechanism for source address filtering. In our mechanism, we only need to check a few bits in source addresses on each router, rather than checking all bits on the ingress router. Through cooperation among routers, our mechanism ensures that malicious traffic will be filtered in the network.We formulate this problem as finding a cooperative scheme such that the loads on all routers are optimally balanced. We show that the problem can be optimally solved by dynamic programming. We evaluate our algorithms using comprehensive simulations with BRITE generated topologies and real world topologies. We conduct a case study on China Education and Research Network 2 (CERNET2) configurations, a large IPv6 network. Compared to checking 128-bit IP addresses on ingress routers, our algorithm checks at most 40 bits on each router.

Guang Yao,Jun Bi,Peiyao Xiao

DOI: https://doi.org/10.1016/j.comnet.2012.08.018

IF: 5.493

2013-01-01

Computer Networks

Abstract:Filtering out traffic with forged source address on routers can significantly improve the security of Internet. However, despite intermittent IP spoofing attacks, existing filtering mechanisms inspect each packet all the time, consuming considerable resource on routers even there is no spoofing at all. This article considers the requirement for a solution performing IP spoofing filtering with agility, which consumes resource in proportional to the size of attack. A novel IP spoofing filtering mechanism named Virtual Anti-Spoofing Edge (VASE) is proposed in this article. VASE uses sampling and on-demand filter configuration to reduce unnecessary overhead in peace time. The evaluation based on simulation shows VASE has obvious advantages over commonly used mechanisms in various scenarios. VASE is fully compatible with current IP spoofing filtering practices and can be implemented with commodity routers. In the campus network of Tsinghua University, VASE is providing real benefits.

Bo Xu,Guangyu Zhou,Yibo Xue,Jun Li

2008-01-01

Abstract:Packet filtering plays an important role in network devices such as firewalls, routers, security gateways and intrusion detection systems. Numerous schemes have been proposed to improve packet filtering techniques. Many previous works struggled to utilize the characteristics of filtering rule-sets as optimization heuristics. However, there are rarely efforts excavating network traffic characteristics. This paper focuses on analyzing the statistical characteristics of network traffic and imposing it to optimize packet filtering algorithms. Contribution of the paper includes two aspects: first, the skewness and time correlation in real-life traffic is presented to illustrate network traffic statistics; second, an adaptive packet filtering algorithm, AHSM, is proposed based on HSM algorithm for improving average packet filtering speed. AHSM takes traffic statistics as heuristics and constructs statistical search trees for single field searching. Experimental results show that the optimized algorithm reduces 20%∼50% of the single field matching overhead compared with the HSM algorithm and improves the overall performance by 35%∼45%, while retaining the same memory usage.

Shu Yang,Mingwei Xu,Dan Wang,Jianping Wu

DOI: https://doi.org/10.1145/2079327.2079328

2011-01-01

Abstract:To prevent network infrastructure from malicious traffic, such as DDoS attack and scanning, source filtering is widely used in the network. There are different ways to store the filters, e.g., a blacklist of source addresses. Among them, TCAM-based is used as the de facto, because of its wire speed performance. Unfortunately, TCAM is a scarce resource because it's limited by small capacity, high power consumption and high cost. To save storage space, some TCAM-based solutions even block part of the legitimate traffic for better aggregation. Another choice is software based solutions, which have larger storage space compared to hardware based solutions. However, they require multiple accesses for a single lookup, which causes latency.

Lishui Chen,Yongqi Zhang,Yazhe Tang

DOI: https://doi.org/10.1109/iccis53528.2021.9646059

2021-01-01

Abstract:In SDN network, the fine grained flow matching mechanism makes number of flow entries extremely huge so that flow tables have become the bottleneck of large-scale deployment of SDN. To solve this problem, one of the known solutions is to make a hybrid flow table structure that utilizes both TCAM and other memory, such as SRAM. The motivation is to store flow entries with many wildcards or frequently used in TCAM and to store other flow entries especially those need fine grained matching in other memory to get a cheaper, high capacity flow table with acceptable matching speed. This paper follows the hybrid flow table architecture and focuses mainly on how to make high capacity and accepted matching speed flow tables. We use a Bloom Filter pipeline to store flow entries, design and implement an intermediate adaptation layer between controllers and Openflow switches to transform the corresponding messages. The experiments results show that the flow table space can be effectively reduced to 33 bits for one flow entry, and the packet matching time can be substantially reduced compared with CPqD software switch.

Yang Lin,Zhu Jin,Xie Wanqing,Tan Xiaobin

DOI: https://doi.org/10.1109/chicc.2014.6895874

2014-01-01

Abstract:Although Adaptive RED (ARED) algorithms, which can adjust RED's parameters adaptively are broadly researched to deal with dynamic network scenarios, including bursty traffic and varying link state, unstability is still a constraint against the improvement of efficiency. In this paper, TCP/RED system is considered as a feedback system where equilibrium exists. Through analyzing the proposed system, the adverse effects of busty traffic and varying link state are studied respectively. We also point out that, exist ARED algorithms are low-efficiency because there is equilibrium drifting during adjustment in these algorithms. Therefore, we propose a stable tuning manner for RED parameters which can keep the equilibrium point fixed faced with bursty traffic. In our proposed algorithm, the target queue size is set along with the measured equilibrium point in real time, and the adjustment method for RED parameters is by tuning the slope of the packet dropping probability. This method can keep the equilibrium point in avoidance of equilibrium point drifting under various traffic conditions. Numerical results in NS3 prove our algorithm is more stable and efficient.

Qizhao Zhou,Junqing Yu,Dong Li

DOI: https://doi.org/10.1016/j.comnet.2021.108075

IF: 5.493

2021-07-01

Computer Networks

Abstract:<p>We consider the problem of source address validation implementation (SAVI) in a Software-Defined Network (SDN) environment. The integration of SAVI and SDN can further address the challenges in a typical architecture such as the complexity of SAVI's deployment and the acquisition of security data in the access layer. A key aspect of this campaign consists of filtering forged packets and verifying the authenticity of the source address. A common strategy is to create bindings between the IP address of a node and a property of the host's network attachment. However, problem still accompany with the deployment of SAVI, including the performance cost of the SDN controller caused by the redundant validation process, especially in the case of an overflow of the flow table and other anomalous conditions in the network. Our contribution in this paper is to design and implement a dynamic framework for lightweight SAVI based on SDN (D-SAVI), which is an enhancement of SDN setups to allow proper source address validation on downstream network ingress ports, without incurring a large performance overhead. Initially, we proposed a fine-grained dual-level structure to match flow entry flexibly to complete the dynamic deployment of SAVI. A priority-based validation mechanism was added for further efficiency optimization. We then designed a state partition and transition module to optimize network performance under anomalous conditions, especially the communication performance between the controllers and switches in the SDN-based networks with a global view. Consequently, under the premise of network security, D-SAVI could filter out, with better packet forwarding efficiency, packets that do not match existing binding relationships. The experimental results demonstrate that our implementation provides source address verification with less resource consumption than existing methods.</p>

computer science, information systems,telecommunications,engineering, electrical & electronic, hardware & architecture

Honggang Zhang,Don Towsley,C. V. Hollot,Vishal Misra

DOI: https://doi.org/10.1145/885651.781068

2003-01-01

ACM SIGMETRICS Performance Evaluation Review

Abstract:Congestion control in TCP/AQM networks is expected to perform well for a wide-range of conditions, but recent advances in modeling and analysis indicate that present AQM schemes need an extra dose of adaptability to cope. This paper answers the call and proposes a self-tuning structure wherein AQM parameters are automatically tuned in response to on-line estimation of link capacity and traffic load. This approach is applicable to any AQM scheme that is parameterizable in terms of link capacity and TCP load. In this paper, we will describe this self-tuning structure, illustrate its application to PI and RED AQMs, provide stability analysis, and conduct ns simulations to compare with both fixed AQM schemes and the recently proposed adaptive RED.

Jie Li,Jun Bi,Jianping Wu

DOI: https://doi.org/10.1109/icccn.2013.6614204

2013-01-01

Abstract:While making the Internet totally trustworthy is intractable, making as trustworthy as possible is a crucial problem. Within this landscape, authentication of the IP source address remains one important topic in need of further study. However, most source address validation methods are difficult to implement in practice because of deployment difficulties. This research designs an efficient inter-domain distributed source address validation solution (CatchIt). By employing a novel routing choice notification scheme, CatchIt makes the deployed ASes intelligent by allowing them cooperate to acquire the valid incoming path information of packets. With such knowledge, the deployed ASes can accurately authenticate the source address without the need for any modifications to the de facto routing protocol and packet structure. Moreover, CatchIt helps the deployed ASes proactively and quickly filter spoofed packets before they imperil the network. CatchIt also avoids any false positive, even under partial deployment. Our evaluation also shows that CatchIt is effective and accurate when catching spoofed packets while incurring a low overhead; CatchIt maintains an early deploy and rapidly benefit incremental deployment incentive mechanism.

Guolong Chen,Guangwu Hu,Yong Jiang,Chaoqin Zhang

DOI: https://doi.org/10.1109/iscc.2016.7543774

2016-01-01

Abstract:Current Internet packet forwarding only relies on destination IP address and thus neglects the validation of packet's IP source address for Internet accountability, which incurs many cyber-security threats. State-of-the-art solutions either have issues in spoofing packet filtering accuracy, e.g., false positive and false negative, or encounter scalability and deployment problems, i.e., end-host TCP/IP stack or router modification. In this article, we propose SAVSH, a practical IP source address validation scheme for Software Defined Networking (SDN) hybrid networks. SAVSH takes advantage of the SDN architecture which possesses global topological view and central control pattern, so that it can locate nodes for the SDN switch replacement and deploy filtering rules onto them with desirable IP prefix-level filtering accuracy. In the meantime, SAVSH also takes network dynamics (e.g., topology changes) into account. Finally, the established prototype experiment and typical topology simulations demonstrate SAVSH not only possesses desirable performance, but also owns the capability that trades the maximal validation effect with the minimal SDN switch deployment cost, which is up to more than 90% prefix coverage benefit to 15% deployment cost on average.

Zheng Li,Mo-Yuen Chow

DOI: https://doi.org/10.1109/isie.2007.4375073

2007-01-01

Abstract:A networked supervisory control system is one type of networked control systems (NCS) in which a supervisor monitors and analyzes remote plants via communication network. This paper proposes an adaptive multiple sampling rate scheduling (AMSRS) methodology with digital filters in the signal process steps of the control loop to maintain the transmitted measurement signals' fidelity in order to help supervisor's decision making under normal and faulty operating conditions. Specifications of digital filters are chosen according to the system's frequency domain characteristics to bound the signal sampling and reconstruction errors as well as conserve available resource. A networked high throughput screening (HTS) process supervisory control system is used as a case study in this paper to demonstrate the effectiveness of using digital filters in the sampling rate scheduling method. A comparison between using the digital filter and previous zero-order hold approach (Z. Li and M.-Y. Chow, 2006) in signal reconstruction shows that digital filters can further reduce the reconstruction error. Furthermore, the use of filters extensively reduces the amount of consuming bandwidth (resource) in signal sampling and transmission (e.g., 40% and 56% bandwidth saved by two types of digital filters in specific case), and improves the system performance bounded by the limited resources.

Xu He,Jiahao Cao,Shu Wang,Kun Sun,Lisong Xu,Qi Li

DOI: https://doi.org/10.1109/infocom48880.2022.9796882

2022-01-01

Abstract:To bypass network censorship, Shadowsocks is often deployed on long-distance transnational networks; however, such proxy networks are usually plagued by high latency, high packet loss rate, and unstable bandwidth. Most existing tuning solutions rely on hand-tuned heuristics, which cannot work well in the volatile Shadowsocks networks due to the labor intensive and time-consuming properties. In this paper, we propose Auter, which automatically tunes multi-layer buffer parameters with reinforcement learning (RL) to improve the performance of Shadowsocks in long-distance networks. The key insight behind Auter is that different network environments require different sizes of buffers to achieve sufficiently good performance. Hence, Auter continuously learns a tuning policy from volatile network states and dynamically alter sizes of multi-buffers for high network performance. We prototype Auter and evaluate its effectiveness under various real networks. Our experimental results show that Auter can effectively improve network performance, up to 40.5% throughput increase in real networks. Besides, we demonstrate that Auter outperforms all the existing tuning schemes.

Jinyuan Zhang,Xuanbo Huang,Jian Li,Kaiping Xue,Qibin Sun,Jun Lu

DOI: https://doi.org/10.1109/hpsr54439.2022.9831366

2022-01-01

Abstract:In Software-Defined Networking (SDN), the controllers implement flexible and scalability networking policies by installing different flow rules. Each rule matches a specific class of flows, instructs the switches to execute actions, and then expires when they finish their tasks. OpenFlow introduces the timeout mechanism to manage these flow rules. However, finding a reasonable timeout value becomes a difficult problem for the network managers. When a relatively small timeout value is given to an elephant flow, the rule expires early, introducing extra cost for the controller and long latency for the matching flow, respectively. On the contrary, a large timeout value for a mice flow makes a rule occupy the switch memory too long, wasting the caching memory and causing the flow table prone to overflow. Therefore, it is necessary to allocate appropriate timeouts for different flows dynamically. In this paper, we achieve this goal with real-time traffic monitoring and heuristic algorithms. By considering different network loads and designing corresponding dynamic timeout algorithms for different scenarios, we make full use of the advantages of SDN to improve the utilization rate of the switch memory and save the controller resources. Further, we implement our scheme in a simulation SDN platform and evaluate the algorithms with the public datasets. Experiments show that our scheme has low control overhead and is memory efficient compared with current mechanisms.

Changqing An,Hui Wang,Jiahai Yang

DOI: https://doi.org/10.1109/iscc.2011.5983917

2011-01-01

Abstract:In this paper, we present SAVI-MIB, a management information base (MIB) designed to support configuration and monitoring of SAVI protocol which can provide fine granularity source address validation. Objects are defined to meet the detailed management requirement of local networks and accommodate different scenarios. SAVI-MIB is implemented in switches and deployed in some campus networks. Objects of SAVI-MIB are retrieved and used to help find configuration errors in SAVI deployment and profile behavior of end hosts. SAVI-MIB can also be used in parameter optimization, auto configuration, anomaly detection, etc.

Xingyu Ma,Chengchen Hu,Junchen Jiang,Jing Wang

DOI: https://doi.org/10.1109/LCN.2011.6115368

2011-01-01

Abstract:Flow size statistics is a fundamental task of passive measurement. In order to bound the estimation error of passive measurement for both small and large flows, previous probabilistic counter updating algorithms used linear or nonlinear sampling function to automatically adjust the sampling rate. However, each of these methods employed a pre-set and fixed sampling function during the measurement period. As a result, the performance would vary for different flow distributions. In this paper, we propose a Smart Selection Sampling (S3) approach, which can tune the sampling function to reach a comparatively lower relative error. The key component of S3 is a heuristic algorithm leveraging the flow distribution information to determine a better sampling function so as to achieve better measurement accuracy. Experiments under real trace and synthetic traces demonstrate that S3 is more accurate than the previous work if given the same memory sizes to accommodate flow statistics counters.

Hui Ma,Xing Li,Hewu Li,Peiyun Zhang,Shixin Luo,Cong Yuan

DOI: https://doi.org/10.1109/WCNC.2004.1311660

2004-01-01

Abstract:The dynamic character of complex and variable network environment, the key problem, puzzles the corresponding protocols design for wireless LANs. However, the distributed coordination function (DCF) of IEEE 802.11 MAC protocol, which is carrier sense multiple access with collision avoidance (CSMA/CA) using constant parameters, could not perform well when network environment changes. Thus many researchers try to optimize IEEE 802.11 DCF. However early dynamic optimization mechanisms for the protocol mostly depend on measuring the number of "competing" stations accurately. The problem of them is that the algorithms are too complex to apply in reality. In our research, we find that system performance approaches optimization with the same protocol parameters, when the number of competing stations changes within a certain range dynamically. Therefore, we propose a self-adaptive optimization mechanism, DOOR (dynamic optimization on range), for the IEEE 802.11 DCF. DOOR uses filter to estimate the range of competing station number and adjusts the protocol parameters to optimize system performance effectively. The detailed analytical model and performance evaluation for the new mechanism are given. Moreover, the measurement method and parameters of filter are introduced. At last, the elaborate numerical results show that our mechanism could not only achieve much higher throughput and lower delay than the standard IEEE 802.11 DCF along with the change of competing stations, but also improve the stability of system performance based on reasonably partitioned ranges.