Qiumei Cheng,Chunming Wu,Haifeng Zhou,Yuhang Zhang,Rui Wang,Wei Ruan

DOI: https://doi.org/10.1109/hpcc/smartcity/dss.2018.00149

2018-01-01

Abstract:Guarding the perimeter of cloud-based enterprise networks is a challenge due to massive traffic with dynamic nature. Current firewalls of enterprise networks in cloud are largely based on static security rule configuration or simple rule matching, which makes them inflexible, error-prone and poorly effective, bringing about severe security risks. In this paper, we propose an artificial intelligence-based software-defined networks firewall (AI-SDNF) for solving the above problems. Compared with existing SDN firewalls, AI-SDNF is able to extract and analyze the payload of data packets based on machine learning technologies rather than simply match with flow tables according to several header fields (e.g., source and destination IP/MAC addresses). Considering deciding whether a packet is benign or malicious is able to be formulated as a typical binary classification problem, we employ logistic regression for training an intelligent SDN firewall under supervised machine learning. We implement a prototype of AI-SDNF on the OpenDaylight controller and the OpenStack platform. Based on the prototype, we evaluate its performance and overheads with real dataset. The experimental results indicate that AI-SDNF achieves a relatively high detection accuracy of 96.79% with an average of 0.2ms latency.

Gao Wen,Zhou Boyang,Wu Chunming,Zhou Haifeng,Jiang Ming,Hong Xiaoyan

DOI: https://doi.org/10.1049/cje.2015.07.035

IF: 1.019

2015-01-01

Chinese Journal of Electronics

Abstract:In the Software-defined networking（SDN）,when multiple control domains are used in control services,the transient state problem can occur causing the service flow interruption when border switches are updated asynchronously. We analyze the uniqueness of this problem for SDN, and propose a light-weight protocol for safe reconfiguration of the border switches in order to improve the availability of the services running in SDN. Our solution is designed as a generic supervision layer added in the control plane to support different types of services. To demonstrate the benefits, we implement a prototype of Informationcentric networks（ICN） with the protocol, and conduct experiments using Planet Lab. The results show the ICN service can continuously serve high volume requests for contents despite the congestions built by the heavy background traffic. The performance gains in terms of the mean and standard deviation of the content retrieve delay are40.5% and 21.56%.

Zhuge Bin,Wang Baoxia,Wang Yining,Wu Chunming,Yao Minhui

DOI: https://doi.org/10.11959/j.issn.1000-0801.2015207

2015-01-01

Abstract:Firstly，the concept of SDN applications was proposed from the perspective of users payment for allocating network resources.Secondly，with the comparison between traditional desktop application programming and network programming，the advantage of SDN programming was described.Thirdly，the concept of software defined price （SDP）was introduced.Based on the characteristics of SDN applications，the framework of SDP-based SDN application so as to apply to the OpenDaylight open source project was designed.Finally，an implementation of creating a virtual tenant network based on SDP was showed.The results of experiment present that the users can choose their desired virtual tenant according to the mechanism of SDP.

Xitao Wen,Yan Chen,Chengchen Hu,Chao Shi,Yi Wang

DOI: https://doi.org/10.1145/2491185.2491212

2013-01-01

Abstract:ABSTRACTThe OpenFlow (OF) paradigm embraces third-party development efforts, and therefore suffers from potential trust issue on OF applications (apps). The abuse of such trust could lead to various types of attacks impacting the entire network. In this paper, we propose PermOF, a fine-grained permission system, as the first line of defense, in order to apply minimum privilege on apps. We summarize a set of 18 permissions to be enforced at the API entry of the controller. To accommodate the isolation requirements, we propose a customized isolation mechanism, which achieves comprehensive resource isolation and access control.

Boyang Zhou,Chunming Wu,Xiaoyan Hong,Ming Jiang

DOI: https://doi.org/10.1109/ICC.2014.6883789

2014-01-01

Abstract:Programming a network for innovative services or for function improvements has never been easier using Software-Defined Networking (SDN). However, the programming tasks can also be significantly complicated by the asynchrony of data plane states and complexities of service control states. In order to reduce the complexity for programming a network service in Distributed Control Plane of SDN, we propose a proGRAmming Control (GRACE) layer as a generic solution, which provides two key features, namely, reconfigurability and reusability. Their implementations deal with aforementioned challenges, thus to achieve the consistency of the data plane states and the reusability of the service control states at the distributed controllers. This paper introduces the reconfigurability and reusability with their design goals and their impact on the programmability of DCP. We further use two popular network services, ICN (Information-Centric Networking) and CDN (Content Distribution Networks) to illustrate these concepts. NS-3 simulations and PlanetLab emulations are conducted to show the advantage of using the GRACE layer for ICN and CDN. Results show that the ICN Interest delay is reduced by 19.6% and CDN request delay is reduced by 81% in extremely harsh network conditions.

Kuan-Yin Chen,Sen Liu,Yang Xu,Ishant Kumar Siddhrau,Siyu Zhou,Zehua Guo,H. Jonathan Chao

DOI: https://doi.org/10.1109/tnet.2021.3105187

2021-01-01

IEEE/ACM Transactions on Networking

Abstract:Software-defined networking (SDN) is increasingly popular in today's information technology industry, but existing SDN control plane is insufficiently scalable to support on-demand, high-frequency flow requests. Weaknesses along SDN control paths can be exploited by malicious third parties to launch distributed denial-of-service (DDoS) attacks against the SDN control plane. Recently proposed solutions only partially solve the problem, by protecting either the SDN network edges or the centralized controller. We propose SDNShield, a solution based on emerging network function virtualization (NFV) technologies, which enforces more comprehensive defense against potential DDoS attacks on SDN control plane. SDNShield incorporates a three-stage overload control scheme. The first stage statistically identifies legitimate flows with low complexity and performance overhead. The second stage further performs in-depth TCP handshake verification to ensure good flows are eventually served. The third stage intellectually salvages the misclassified legitimate flows that are falsely dropped from the first two stages. Prototype tests and real data-driven simulation results show that SDNShield can achieve high resilience against brute-force attacks, and maintain good flow-level service quality at the same time.

Kuan-yin Chen,Anudeep Reddy Junuthula,Ishant Kumar Siddhrau,Yang Xu,H. Jonathan Chao

DOI: https://doi.org/10.1109/cns.2016.7860467

2016-01-01

Abstract:While the software-defined networking (SDN) paradigm is gaining much popularity, current SDN infrastructure has potential bottlenecks in the control plane, hindering the network's capability of handling on-demand, fine-grained flow level visibility and controllability. Adversaries can exploit these vulnerabilities to launch distributed denial-of-service (DDoS) attacks against the SDN infrastructure. Recently proposed solutions either scale up the SDN control plane or filter out forged traffic, but not both. We propose SDNShield, a combined solution towards more comprehensive defense against DDoS attacks on SDN control plane. SDNShield deploys specialized software boxes to improve the scalability of ingress SDN switches to accommodate control plane workload surges. It further incorporates a two-stage filtering scheme to protect the centralized controller. The first stage statistically distinguishes legitimate flows from forged ones, and the second stage recovers the false positives of the first stage with in-depth TCP handshake verification. Prototype tests and dataset-driven evaluation results show that SDNShield maintains higher resilience than existing solutions under varying attack intensity.

Xue Leng,Kaiyu Hou,Yan Chen,Kai Bu,Libin Song

DOI: https://doi.org/10.1016/j.comnet.2019.05.022

2018-01-01

Abstract:SDN-based cloud has the merit of allowing more flexibility in network management, however, the security of network accessing and the correctness of network configuration in SDN-based cloud have not been effectively addressed yet. In this paper, SDNKeeper, a generic and fine-grained policy enforcement system in SDN-based cloud is proposed, which can defend against unauthorized attacks and avoid network resource misconfiguration. With the usage of SDNKeeper, numerous flexible network management policies can be created by administrators, which give administrators the discretionary room on controlling the network resources. To be specific, SDNKeeper can reject any unauthorized network access request at Northbound Interface (NBI), which located between application plane and control plane. Moreover, compared with other traditional policy-based access control systems, SDNKeeper is totally application-transparent and lightweight, which is easy to implement, deploy and runtime configure. Based on the prototype implementation and evaluation, we conclude that SDNKeeper can perform access control accurately with negligible computation overhead whilst the throughput degradation is still within the acceptable range.

Wenmao LIU,Xiaofeng QIU,Pengcheng CHEN,Xutao WEN,Xinxin HE,Dongsheng WANG,Jun LI

DOI: https://doi.org/10.3778/j.issn.1673-9418.1407061

2015-01-01

Abstract:Current OpenFlow specifications provide limited access to packet details, making it inefficient to deploy security applications. Moreover, current security solutions become less flexible as software defined-networking (SDN) develops. This paper proposes a distributed software-defined security architecture (SDSA), which offloads heavy security processing from SDN controller to a dedicated security controller and security APPs, providing both flow and packet level protections against various attacks in the SDN and virtual environment. This paper gives the global view and knowledge of flows, IaaS assets and devices, which can make accurate decisions and ensures devices to execute security rules instantly. The architecture simplifies security device logic greatly by separating security data and control planes, the detection and protection are automated with standardized control messages, making the secu-rity reaction fast. The experiments demonstrate that SDSA can detect DoS attack, port scan and abnormal high traffic with low cost and little overhead.

Tao Hu,Zhen Zhang,Peng Yi,Dong Liang,Ziyong Li,Quan Ren,Yuxiang Hu,Julong Lan

DOI: https://doi.org/10.1016/j.jpdc.2020.09.006

IF: 4.542

2021-01-01

Journal of Parallel and Distributed Computing

Abstract:<p>Cloud computing provides scalable network services and makes network management more flexible by combining Software-Defined Networking (SDN). Through the northbound interface (e.g., REST API) offered by the SDN controller, users can easily deploy diversified applications to access the network resources. However, exploiting the openness of the northbound interface, malicious applications abuse APIs to launch hostile attacks, which poses serious threats to the network. In this paper, we propose SEAPP, a secure application management framework based on REST API access control. Our main idea is to granularly manage application permissions and encrypt REST API calls to defend against malicious attacks. SEAPP includes two components: 1) permissions detection engine identifies the facticity of application permissions by analyzing permission manifests and byte codes and further identifies the legality of permissions with constructed sensitive API list; 2) registration authorization engine executes encrypted registration between applications and controller by virtue of NTRU algorithm and authorizes applications to call the requested REST APIs based on their risk levels after securely authenticating them. Besides, SEAPP is a lightweight logic architecture between application plane and control plane and supports quick deployment and reconfiguration in runtime. Both theoretical analysis and evaluation results show the security and effectiveness of SEAPP. Besides, SEAPP introduces negligible CPU and memory overheads.</p>

computer science, theory & methods

Junfei Li,Jiangxing Wu,Xin Lu

DOI: https://doi.org/10.1109/compcomm.2018.8781034

2018-01-01

Abstract:The centralized control of Software-Defined Networking (SDN) brings innovation and convenience to the network, but many current SDN controllers also have some security bugs that are easily exploited by attackers. Once the master controller which has sufficient management rights is compromised, entire network can be damaged. For this, we propose a mechanism of democratic supervision in SDN, which adds a proxy between the control plane and the data plane to monitor whether the master controller is abnormal. The proxy sends OpenFlow requests from the switch to multiple diverse controllers and collects flow entries that they respond to. Then it compares these flow entries to judge whether the behavior of the master controller is different from that of other controllers. However, flow entries with the same function may be different in number or content, so we need to analyze their forwarding semantics to compare them, instead of simply comparing their contents. The advantage of this supervision mechanism is that it allows the controller to defend against many known or unknown attacks without debugging all its vulnerabilities. Experimental results show that it is effective in detecting malicious behavior, and it is also efficient under a certain scale of networks.

Qi Li,Yanyu Chen,Patrick P. C. Lee,Mingwei Xu,Kui Ren

DOI: https://doi.org/10.1109/tnet.2018.2853593

2018-01-01

IEEE/ACM Transactions on Networking

Abstract:Software-defined networking (SDN) utilizes a centralized controller to distribute packet processing rules to network switches. However, rules are often generated by the applications developed by different organizations, so they may conflict with each other in data plane and lead to violations with security rules. The problem is similar to firewall conflicts in IP networks. Rule conflict resolution should incur negligible process delay, such that all rules can he correctly and safely enforced in the data plane in real time. However, since SDN allows users to use more than 35 fields to specify rules (including field transition rules), it is much more complicated to prevent enforcement of SDN rules from violating with security rules than to resolve firewall rule violation, and in particular, field transition rules are enforced. Therefore, it is extremely difficult to resolve such rule conflicts in real time before the rules are installed in SDN data plane. In this paper, we investigate the rule conflict problem in SDN and identify new covert channel attacks due to rule conflicts. To the end, we propose the covert channel defender (CCD) that prevents covert channel attacks by verifying and resolving rule conflicts. Specifically, CCD tracks all rule insertion and modification messages from applications running on the controller. It analyzes the correlation among rules based on multiple packet header fields and resolves any identified rule conflict in real time before rule installation. We implement CCD with the Floodlight controller and evaluate its performance with the real-world Stanford topology. We show that CCD can efficiently detect and prevent rule conflicts in the data plane that may raise covert channels within hundreds of microseconds and brings small overhead to the packet delivery.

Chao Qi,Jiangxing Wu,Guozhen Cheng,Jianjian Ai,Shuo Zhao

DOI: https://doi.org/10.1109/cc.2017.8068772

2017-01-01

China Communications

Abstract:Current SDN controllers suffer from a series of potential attacks. For example, malicious flow rules may lead to system disorder by introducing unexpected flow entries. In this paper, we propose Mcad-SA, an aware decision-making security architecture with multiple controllers, which could coordinate heterogeneous controllers internally as a "big" controller. This architecture includes an additional plane, the scheduling plane, which consists of transponder, sensor, decider and scheduler. Meanwhile it achieves the functions of communicating, supervising and scheduling between data and control plane. In this framework, we adopt the vote results from the majority of controllers to determine valid flow rules distributed to switches. Besides, an aware dynamic scheduling（ADS） mechanism is devised in scheduler to intensify security of Mcad-SA further. Combined with perception, ADS takes advantage of heterogeneity and redundancy of controllers to enable the control plane operate in a dynamic, reliable and unsteady state, which results in significant difficulty of probing systems and executing attacks. Simulation results demonstrate the proposed methods indicate better security resilience over traditional architectures as they have lower failure probability when facing attacks.

Menghao Zhang,Guanyu Li,Lei Xu,Jiasong Bai,Mingwei Xu,Guofei Gu,Jianping Wu

DOI: https://doi.org/10.1109/tnet.2020.3040773

2020-01-01

IEEE/ACM Transactions on Networking

Abstract:Software-Defined Networking (SDN) continues to be deployed spanning from enterprise data centers to cloud computing with the proliferation of various SDN-enabled hardware switches and dynamic control plane applications. However, state-of-the-art SDN-enabled hardware switches have rather limited downlink message processing capability, especially for Flow-Mod and Statistic Query, which may not suffice the huge need of dynamic control plane applications. In this paper, we systematically study the interactions between the control plane applications and the data plane switches, and present two new attacks, namely Control Plane Reflection Attacks, to exploit the limited processing capability of SDN-enabled hardware switches. The reflection attacks adopt direct and indirect data plane events to force the control plane to issue massive expensive downlink messages towards SDN switches. Moreover, we propose a two-phase probing-triggering attack strategy, which makes the reflection attacks much more efficient and powerful. Experiments on a testbed with 3 different physical OpenFlow switches demonstrate that the attacks can lead to catastrophic results such as hurting the establishment of new flows and even disruption of connection between SDN controller and switches. To mitigate such attacks, we present several countermeasures from different perspectives. In particular, we propose a novel, systematical defense framework, SwitchGuard, to detect anomalies of downlink messages and prioritize these messages based on a novel monitoring granularity, i.e., host-application pair (HAP). Implementations and evaluations demonstrate that SwitchGuard can effectively reduce the latency for legitimate hosts and applications under the control plane reflection attacks with only minor overheads.

Kai Bu,Minyu Weng,Junze Bao,Zhenchao Lin,Zhikui Xu

DOI: https://doi.org/10.1109/icdcsw.2016.16

2016-01-01

Abstract:This paper explores a RIGHT framework for reliable policy enforcement in Software-Defined Networking (SDN). Current SDN uses overlapping rules with common matching packets. Even if a packet's expectant rule is inactive, it might hit another rule and experience incorrect yet unnoticed processing. This leads to inconsistency between control plane and data plane, that is, unreliable policy enforcement. RIGHT advocates three adaptations to respectively mitigate, detect, and correct packet processing errors. It is challenging for RIGHT to maintain both accuracy and efficiency. We explore lightweight modifications to current SDN policy enforcement toward better reliability. For example, we decouple rules and priorities through tagging to mitigate matching ambiguity. We also use exact-match rules to efficiently, correctly process packets in the same micro-flow. RIGHT can remedy mis-forwarded packets as well. We expect that a comprehensive design and deployment of RIGHT helps ensure correct per-packet processing in real time for SDN.

Menghao Zhang,Guanyu Li,Lei Xu,Jun Bi,Guofei Gu,Jiasong Bai

DOI: https://doi.org/10.1007/978-3-030-00470-5_8

2018-01-01

Abstract:Software-Defined Networking (SDN) continues to be deployed spanning from enterprise data centers to cloud computing with emerging of various SDN-enabled hardware switches. In this paper, we present Control Plane Reflection Attacks to exploit the limited processing capability of SDN-enabled hardware switches. The reflection attacks adopt direct and indirect data plane events to force the control plane to issue massive expensive control messages towards SDN switches. Moreover, we propose a two-phase probing-triggering attack strategy to make the reflection attacks much more efficient, stealthy and powerful. Experiments on a testbed with physical OpenFlow switches demonstrate that the attacks can lead to catastrophic results such as hurting establishment of new flows and even disruption of connections between SDN controller and switches. To mitigate such attacks, we propose a novel defense framework called SWGuard. In particular, SWGuard detects anomalies of downlink messages and prioritizes these messages based on a novel monitoring granularity, i.e., host-application pair (HAP). Implementations and evaluations demonstrate that SWGuard can effectively reduce the latency for legitimate hosts and applications under Control Plane Reflection Attacks with only minor overheads.

Quan Ren,Zehua Guo,Jiangxing Wu,Tao Hu,Lu Jie,Yuxiang Hu,Lei He

DOI: https://doi.org/10.1109/tnsm.2022.3163198

2022-01-01

Abstract:In this paper, we propose a resilient control plane based on endogenous security for Software-Defined Networking (SDN) named SDN-ESRC to prevent vulnerability backdoor attacks. SDN-ESRC uses a set of heterogeneous controllers (e.g., RYU, OpenDayLight, ONOS) to compose the control plane and dynamically and adaptively selects several heterogeneous controller instances from the controller set to detect and correct the malicious control messages. The design of SDN-ESRC faces two challenges: (1) increasing network update delay due to multi-controller comparison and (2) maintaining high controllable security. To address the first challenge, SDN-ESRC adopts the master modification mode to reduce the network update delay and identify malicious control messages. To address the second challenge, SDN-ESRC introduces the comparison modification mode to ensure high availability in real time. We propose an evaluation model for SDN-ESRC and theoretically analyze the SDN-ESRC’s endogenous security performance under three typical backdoor attack scenarios. We implement SDN-ESRC in a prototype system and conduct simulations and experiments. The results show that SDN-ESRC can improve the backdoor damage attack security up to 98.3%, the backdoor random attack security up to 99.99%, and the backdoor coordinated attack security up to 82% at the cost of increasing network update delay less than 8.3%.

Chao Qi,Jiangxing Wu,Hongchao Hu,Guozhen Cheng,Wenyan Liu,Jianjian Ai,Chao Yang

DOI: https://doi.org/10.1109/INFCOMW.2016.7562109

2016-01-01

Abstract:Modifying flow rule attack is a type of attack against controllers in SDN, leading to severe influence on network. In this paper, we propose Mcad-SA, an aware decision-making security architecture with multi-controller, to deal with it. It schedules the controllers in a dynamic and random way and adopts the vote results from the majority of controllers to determine valid flow rules. Theory analysis proves its validity.

Jiahao Cao,Renjie Xie,Kun Sun,Qi Li,Guofei Gu,Mingwei Xu

DOI: https://doi.org/10.14722/ndss.2020.23040

2020-01-01

Abstract:Software-Defined Networking (SDN) greatly meets the need in industry for programmable, agile, and dynamic networks by deploying diversified SDN applications on a centralized controller. However, SDN application ecosystem inevitably introduces new security threats since compromised or malicious applications can significantly disrupt network operations. Thus, a number of effective security enhancement systems have been developed to defend against potential attacks from SDN applications. In this paper, we identify a new vulnerability on flow rule installation in SDN, namely, buffered packet hijacking, which can be exploited by malicious applications to launch effective attacks bypassing all existing defense systems. The root cause of this vulnerability lies in that SDN systems do not check the inconsistency between buffer IDs and match fields when an application attempts to install flow rules. Thus, a malicious application can manipulate buffer IDs to hijack buffered packets even though they do not match any installed flow rules. We design effective attacks exploiting this vulnerability to disrupt all three SDN layers, i.e., application layer, data plane layer, and control layer. First, by modifying buffered packets and resending them to controllers, a malicious application can poison other applications. Second, by manipulating forwarding behaviors of buffered packets, a malicious application can not only disrupt TCP connections of flows but also make flows bypass network security policies. Third, by copying massive buffered packets to controllers, a malicious application can saturate the bandwidth of SDN control channels and their computing resources. We demonstrate the feasibility and effectiveness of these attacks with both theoretical analysis and experiments in a real SDN testbed. Finally, we develop a lightweight defense system that can be readily deployed in existing SDN controllers as a patch.

Zhang Peng,Chen Xiangning,Ge Yun,Jin Lin

DOI: https://doi.org/10.1049/cje.2016.06.004

IF: 1.019

2016-01-01

Chinese Journal of Electronics

Abstract:After studying the routing and forwarding process of network stream and the implementation of SDN, we propose a retractable management model for flow table. A structure with parallel tables and synthesis processing is proposed according to the feature of SDN and traditional network. The parallel tables share the same storage resources. Thanks to the separation of data plane and control plane, control plane owns more computing resources than traditional device. It evaluates the role of nodes and the action of network flows, makes adjustment according to the historical and current information and streamlines flow tables by consolidating and simplifying old flow entries. Through simulation, it is proved that the realized method can defend offensive traffic while ensuring the safety of accessing and forwarding, especially existing blocking attack.