Qiumei Cheng,Chunming Wu,Haifeng Zhou,Yuhang Zhang,Rui Wang,Wei Ruan

DOI: https://doi.org/10.1109/hpcc/smartcity/dss.2018.00149

2018-01-01

Abstract:Guarding the perimeter of cloud-based enterprise networks is a challenge due to massive traffic with dynamic nature. Current firewalls of enterprise networks in cloud are largely based on static security rule configuration or simple rule matching, which makes them inflexible, error-prone and poorly effective, bringing about severe security risks. In this paper, we propose an artificial intelligence-based software-defined networks firewall (AI-SDNF) for solving the above problems. Compared with existing SDN firewalls, AI-SDNF is able to extract and analyze the payload of data packets based on machine learning technologies rather than simply match with flow tables according to several header fields (e.g., source and destination IP/MAC addresses). Considering deciding whether a packet is benign or malicious is able to be formulated as a typical binary classification problem, we employ logistic regression for training an intelligent SDN firewall under supervised machine learning. We implement a prototype of AI-SDNF on the OpenDaylight controller and the OpenStack platform. Based on the prototype, we evaluate its performance and overheads with real dataset. The experimental results indicate that AI-SDNF achieves a relatively high detection accuracy of 96.79% with an average of 0.2ms latency.

Haifeng Zhou,Chunming Wu,Chengyu Yang,Pengfei Wang,Qi Yang,Zhouhao Lu,Qiumei Cheng

DOI: https://doi.org/10.1109/TNET.2018.2859483

2018-01-01

IEEE/ACM Transactions on Networking

Abstract:A software-defined network (SDN) is increasingly deployed in many practical settings, bringing new security risks, e.g., SDN controller and switch hijacking. In this paper, we propose a real-time method to detect compromised SDN devices in a reliable way. The proposed method aims at solving the detection problem of compromised SDN devices when both the controller and the switch are trustless, and ...

Junchi Xing,Jingling Cai,Boyang Zhou,Chunming Wu

DOI: https://doi.org/10.1109/iscc47284.2019.8969595

2019-01-01

Abstract:Recently, link flooding attacks (LFA) have been observed as a serious threat for cutting off the Internet connectivity through congesting critical links. A LFA typically utilizes legitimate and low-rate flows, which makes it extremely hard to be detected and, subsequently, to be mitigated. In this paper, we present LF-Shield, that is a deep convolutional neural network (ConvNet) based countermeasure to accurately detect and efficiently mitigate LFAs using software-defined network (SDN) paradigm. LF-Shield can identify malicious bots that launch LFA flows by extracting end-hosts' traffic features and afterwards, classifying the type of end-hosts based on deep ConvNet. Then, LF-Shield mitigates LFAs without affecting legitimate end-hosts through blocking the classified malicious bots and limiting the bandwidths of inactive or newly-accessed end-hosts. A LF-Shield prototype is implemented for evaluating its performance by several experiments. The experimental results demonstrate that LF-Shield can identify malicious bots with an accuracy of 96.4% and mitigate LFAs with the 93.1% reduction in link degradation ratio, with negligible impact on legitimate end-hosts.

Shuhan Chen,Congqi Shen,Danrui Yu,Yuqin Wu,Chunming Wu

DOI: https://doi.org/10.1109/isncc52172.2021.9615889

2021-01-01

Abstract:Botnets provide a fundamental infrastructure for various kinds of network attacks, such as DDoS attack, etc. Detecting DDoS attack in botnet is a long-standing challenge. In this paper, we propose a novel method to detect DDoS attack in botnet through the analysis of packet forwarding and network traffic. The primary idea is to collect features from both overall network traffic and packet to describe the attack pattern and conduct a detection model with high accuracy. Firstly, apart from overall network traffic, we calculate several statistics related to looking up functions of flow tables during packet forwarding on switches to describe attack pattern. Secondly, these features are put into a deep learning model to detect DDoS attack. We perform evaluations under Software Defined Networking (SDN) paradigm. In particular, we compare the proposed method with traditional methods. The experimental results demonstrate that the proposed method is meaningful in improving the accuracy of DDoS attack detection by adding packet-level features extracted from packet forwarding.

Dezhang Kong,Yi Shen,Xiang Chen,Qiumei Cheng,Hongyan Liu,Dong Zhang,Xuan Liu,Shuangxi Chen,Chunming Wu

DOI: https://doi.org/10.1109/tnet.2022.3203561

2023-01-01

IEEE/ACM Transactions on Networking

Abstract:The topology discovery service in Software-Defined Networking (SDN) provides the controller with a global view of the substrate network topology, allowing for central management of the entire network. Unfortunately, emerging topology attacks can poison the network topology and result in unforeseeable disasters. Although researchers have made great efforts to mitigate this problem, security hazards still exist. In this paper, we propose Invisible Assailant Attack (IAA), the first combination topology attack capable of injecting and maintaining fake links even when 12 existing defense strategies are deployed simultaneously. IAA consists of 14 attack phases that apply multiple attack strategies. Attackers skillfully disguise the attack traffic in each phase so that it looks like normal network traffic, and perform these phases in a well-planned sequence, thereby bypassing existing defenses step by step. To mitigate this attack, we propose a Route Path Verification (RPV) mechanism that orchestrates multiple defense strategies to identify fake links. According to the experiments, RPV can successfully detect IAA with low overhead: its detection completes within 1 ms while its per-flow storage consumption is only a few KB.

Kai Bu,Yutian Yang,Zixuan Guo,Yuanyuan Yang,Xing Li,Shigeng Zhang

DOI: https://doi.org/10.1109/infocom.2018.8486230

2018-01-01

Abstract:Software-Defined Networking (SDN) greatly simplifies middlebox policy enforcement. Middleboxes need tag packet headers to avoid forwarding ambiguity on SDN switches. In this paper, we present a new attack, called middlebox-bypass attack, to breach SDN-based middlebox policy enforcement. Such an attack manipulates a compromised switch to locally tag attacking packets without handing them over to the attached middlebox for inspection. Existing SDN security solutions, however, cannot detect the middlebox-bypass attack under practical constraints of efficiency, robustness, and applicability. We design and implement FlowCloak, the first protocol for per-packet real-time detection and prevention of middlebox-bypass attacks. FlowCloak enables middleboxes to generate tags that are probabilistically unknown to an attacker and confines it to only random guessing. We propose a multi-tag verification technique to address the tradeoff between FlowCloak robustness and TCAM usage by tag verification rules on the egress switch. Experiment results show that dozens of verification rules can confine the attacking probability under 0.1%. FlowCloak imposes only a 0.3 ms packet processing delay on middleboxes and no obvious delay on the egress switch.

Shang Gao,Zhe Peng,Bin Xiao,Aiqun Hu,Yubo Song,Kui Ren

DOI: https://doi.org/10.1109/tnet.2020.2983976

2020-01-01

IEEE/ACM Transactions on Networking

Abstract:The introduction of software-defined networking (SDN) has emerged as a new network paradigm for network innovations. By decoupling the control plane from the data plane in traditional networks, SDN provides high programmability to control and manage networks. However, the communication between the two planes can be a bottleneck of the whole network. SDN-aimed DoS attacks can cause long packet delay and high packet loss rate by using massive table-miss packets to jam links between the two planes. To detect and mitigate SDN-aimed DoS attacks, this paper presents FloodDefender, an efficient and protocol-independent defense framework for SDN/OpenFlow networks. FloodDefender stands between the controller platform and other controller apps, and conforms to the OpenFlow policy without additional devices. The detection module in FloodDefender utilizes new frequency features to precisely identify SDN-aimed DoS attacks. The mitigation module uses three new techniques to efficiently mitigate attack traffic: table-miss engineering to prevent the communication bandwidth from being exhausted; packet filter to filter out attack traffic and save computational resources of the control plane; and flow rule management to eliminate most of useless flow entries in the switch flow table. Our evaluation on a prototype implementation of FloodDefender shows that the defense framework can precisely identify and efficiently mitigate the SDN-aimed DoS attacks with very little overhead.

Kai Bu,Yutian Yang,Zixuan Guo,Yuanyuan Yang,Xing Li,Shigeng Zhang

DOI: https://doi.org/10.1016/j.comnet.2021.108099

IF: 5.493

2021-01-01

Computer Networks

Abstract:Software-Defined Networking (SDN) greatly simplifies middlebox policy enforcement. Middleboxes need tag packet headers to avoid forwarding ambiguity on SDN switches. In this paper, we present a new attack, called middlebox-bypass attack, to breach SDN-based middlebox policy enforcement. Such an attack manipulates a compromised switch to locally tag attacking packets without handing them over to the attached middlebox for inspection. Existing SDN security solutions, however, cannot detect the middlebox-bypass attack under practical constraints of efficiency, robustness, and applicability. We design and implement FlowCloak, the first protocol for per-packet real-time detection and prevention of middlebox-bypass attacks. FlowCloak enables middleboxes to generate tags that are probabilistically unknown to an attacker and confines it to only random guessing. We propose a multi-tag verification technique to address the tradeoff between FlowCloak robustness and TCAM usage by tag verification rules on the egress switch. Experiment results show that dozens of verification rules can confine the attacking probability under 0.1%. We further explore implementation techniques of packet looping and field swapping that can enable a flow table pipeline on a single TCAM and mitigate packet correlation, respectively. FlowCloak imposes only a 0.01 ms packet processing delay on middleboxes and no obvious delay on the egress switch.

Xin Wang,Neng Gao,Lingchen Zhang,Zongbin Liu,Lei Wang

DOI: https://doi.org/10.1007/978-3-319-50011-9_35

2016-01-01

Abstract:Software-Defined Networking (SDN) is a new paradigm that offers services and applications great power to manage network. Based on the consideration that the entire network visibility is the foundation of SDN, many attacks emerge in poisoning the network visibility, which lead to severe damage. Meanwhile, many defense approaches are proposed to patch the controller. It is noticed that powerful adversaries can bypass existing approaches to poison topology information and attack security protocols. In this paper, we present a method that the adversary can attack security protocols under existing approaches (e.g. TopoGuard, SPHINX). We also investigate a number of security protocols that may be compromised by our MITM attacks and propose an approach to detect the existence of the adversary. Our evaluation shows that the defense solution can effectively detect the fake link in normal environment. We hope our research can attract more attention on SDN security.

Yadong Zhou,Kaiyue Chen,Junjie Zhang,Junyuan Leng,Yazhe Tang

DOI: https://doi.org/10.1155/2018/4760632

IF: 1.968

2018-01-01

Security and Communication Networks

Abstract:As the most competitive solution for next-generation network, SDN and its dominant implementation OpenFlow are attracting more and more interests. But besides convenience and flexibility, SDN/OpenFlow also introduces new kinds of limitations and security issues. Of these limitations, the most obvious and maybe the most neglected one is the flow table capacity of SDN/OpenFlow switches. In this paper, we proposed a novel inference attack targeting at SDN/OpenFlow network, which is motivated by the limited flow table capacities of SDN/OpenFlow switches and the following measurable network performance decrease resulting from frequent interactions between data and control plane when the flow table is full. To the best of our knowledge, this is the first proposed inference attack model of this kind for SDN/OpenFlow. We implemented an inference attack framework according to our model and examined its efficiency and accuracy. The evaluation results demonstrate that our framework can infer the network parameters (flow table capacity and usage) with an accuracy of 80% or higher. We also proposed two possible defense strategies for the discovered vulnerability, including routing aggregation algorithm and multilevel flow table architecture. These findings give us a deeper understanding of SDN/OpenFlow limitations and serve as guidelines to future improvements of SDN/OpenFlow.

Rui Xiao,Hui Zhu,Chao Song,Ximeng Liu,Jian Dong,Hui Li

DOI: https://doi.org/10.1109/ICCCN.2018.8487340

2018-01-01

Abstract:With the development of virtualization technology and fast expansion of network-scale, SDN has been employed in various cases from campus networks to cloud data center networks. However, SDN networks are also facing some new security issues, relative to the traditional networks. In this work, we demonstrate a novel network isolation attack in SDN networks, called Network Harvesting, that lets an attacker can access to the user's network privileges without the awareness of victim and OpenFlow SDN architecture, which significantly increases persistence. We then present a defense, SpoofDefender, that prevents network isolation attacks or other spoofing attacks by leveraging SDN's data and control plane separation, global network view, and programmatic control of the network, while building upon IEEE 802.1x and encryption. In addition, we also implement SpoofDefender on ONOS 1.10.4 and Mininet with a real network, and extensive simulation results demonstrate that our proposed SpoofDefender is highly effective in terms of computation and communication costs.

Shibo Luo,Hongkai Wang,Jun Wu,Jianhua Li,Longhua Guo,Bei Pei

DOI: https://doi.org/10.1109/VTCSpring.2016.7504274

2016-01-01

Abstract:Software-defined Home Networks (SDHN) is a key development trend of smart home. Security is still an important issue in SDHN. In this paper, a multi-stage attack mitigation mechanism is proposed for SDHN using Software-Defined Networking (SDN) and Network Function Virtualization (NFV). Firstly, an evidence-driven security assessment method using SDN factors and NFV-based detection is designed to perform security assessment along with observed security events. Secondly, an attack mitigation countermeasure selection method is proposed. The evaluation shows that the proposed mechanism is effective for multi-stage attack mitigation in SDHN.

Di Wu,Jie Li,Sajal K. Das,Jinsong Wu,Yusheng Ji,Zhetao Li

DOI: https://doi.org/10.1109/icc.2018.8422448

2018-01-01

Abstract:Software-Defined networking (SDN), as a new paradigm, fixes the shortage that traditional network does not support the dynamic, scalable computing and storage needs of more computing environments. SDN, however, also faces security problems such as vulnerable to DDoS attacks. DDoS attacks are well-known and powerful attacks. DDoS detection and DDoS traffic separation for SDN environments are still an open research issue. DDoS attacks in SDN environments will not only bring damage to target server, but also takes exact impact on SDN system. In this paper, we identify a new type DDoS attack, specifically aiming SDN environment, which is harder to be detected. We propose a novel real-time DDoS detection scheme for SDN environment, by using Principal Component Analysis (PCA) scheme to analyze the network status on traffic packets data. We separate the network into different parts, to reduce the total calculation burden. We compare our scheme with sample entropy, showed our scheme achieves better detecting ability for DDoS attacks.

Zhipeng Yu,Hui Zhu,Rui Xiao,Chao Song,Jian Dong,Hui Li

DOI: https://doi.org/10.1002/ett.3895

IF: 3.6

2020-01-01

Transactions on Emerging Telecommunications Technologies

Abstract:With the development and pervasiveness of Internet of Things (IoT) devices, Software‐Defined Networks (SDN) technology has been deployed to bring great convenience to network transmission. However, SDN over IoT network still faces many challenges on devices data security. Our work demonstrates a novel attack of SDN networks, named Network Harvesting (NH). In NH, an attacker has the ability to steal the users' network privileges without the awareness of victims and the switchers. Furthermore, to solve the above attack, we construct a detection scheme and a defense scheme, named RSDetector and SpoofDefender. RSDetector detects the presence of rogue switches in the network by leveraging the prediction power of machine learning. At the same time, SpoofDefender prevents a number of spoofing attacks including NH by the global control of the SDN networks. In addition, RSDetector and SpoofDefender are also evaluated on ONOS 1.10.4 and Mininet. A good deal of simulation results demonstrate that our proposed schemes have great optimization in reducing communication and computation costs.

Dan Tang,Yudong Yan,Siqi Zhang,Jingwen Chen,Zheng Qin

DOI: https://doi.org/10.1109/jsac.2021.3126053

IF: 16.4

2022-01-01

IEEE Journal on Selected Areas in Communications

Abstract:Software-Defined Networking (SDN) is an emerging network architecture. The decoupled data and control plane provides programmability for efficient network management. However, the centralized control mode of SDN also exposes unique vulnerabilities. Low-rate Denial of Service (LDoS) has a lower attack rate than ordinary DDoS attacks with the characteristics of periodicity and concealment, which is among one of the severe threats to SDN. In this paper, we propose a lightweight, real-time framework Performance and Features (P&F) to detect and mitigate LDoS attacks with SDN. We implement LDoS attacks in SDN, extract traffic features with OpenFlow, and classify the features into two categories. By analyzing the performance (P) of normal traffic under attack state, P&F determines whether LDoS attacks take effect based on machine learning. Meanwhile, P&F tries to locate attack sources and victims according to flow features (F) of LDoS attacks based on time-frequency analysis. According to detection and locating results, P&F sets corresponding mitigation schemes. Experimental results show that P&F has a high detection rate and low false positive rate for detecting LDoS attacks. P&F can deploy on controllers to achieve real-time attack detection and mitigation with low system cost, which can defend against LDoS attacks effectively.

telecommunications,engineering, electrical & electronic

Qi Li,Xiaoyue Zou,Qun Huang,Jing Zheng,Patrick P. C. Lee

DOI: https://doi.org/10.1109/tdsc.2018.2810880

2018-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Like traditional IP networking, the emerging Software-Defined Networking (SDN) technology is vulnerable to sophisticated attacks against packets and their forwarding behaviors. However, existing proposals of packet forwarding verification for IP networking cannot be directly applied to the current SDN deployment due to the limited functionalities and resources in commercial off-the-shelf (COTS) SDN switches. We propose DynaPFV, a dynamic packet forwarding verification mechanism that is capable of detecting various sophisticated attacks against packet forwarding. DynaPFV leverages the controllability of SDN to examine both packets and flow statistics across a network of switches to detect violation of packet integrity and forwarding behaviors. To mitigate the verification overhead, DynaPFV dynamically adjusts the rates of packet sampling and flow statistics collection based on the prior detection results in order to preserve the verification accuracy. Furthermore, DynaPFV makes changes to the SDN controller only, and is directly deployable atop COTS SDN switches without modifications. We conduct theoretical analysis on the trade-off between performance and accuracy in our dynamic verification approach. We further prototype DynaPFV using the open-source Floodlight controller, and evaluate our DynaPFV prototype using Mininet simulations and hardware testbed experiments. DynaPFV achieves over 97 percent of verification accuracy only with less than 5 percent of throughput degradation and less than 10 percent of additional forwarding delays.

Kuan-Yin Chen,Sen Liu,Yang Xu,Ishant Kumar Siddhrau,Siyu Zhou,Zehua Guo,H. Jonathan Chao

DOI: https://doi.org/10.1109/tnet.2021.3105187

2021-01-01

IEEE/ACM Transactions on Networking

Abstract:Software-defined networking (SDN) is increasingly popular in today's information technology industry, but existing SDN control plane is insufficiently scalable to support on-demand, high-frequency flow requests. Weaknesses along SDN control paths can be exploited by malicious third parties to launch distributed denial-of-service (DDoS) attacks against the SDN control plane. Recently proposed solutions only partially solve the problem, by protecting either the SDN network edges or the centralized controller. We propose SDNShield, a solution based on emerging network function virtualization (NFV) technologies, which enforces more comprehensive defense against potential DDoS attacks on SDN control plane. SDNShield incorporates a three-stage overload control scheme. The first stage statistically identifies legitimate flows with low complexity and performance overhead. The second stage further performs in-depth TCP handshake verification to ensure good flows are eventually served. The third stage intellectually salvages the misclassified legitimate flows that are falsely dropped from the first two stages. Prototype tests and real data-driven simulation results show that SDNShield can achieve high resilience against brute-force attacks, and maintain good flow-level service quality at the same time.

Hancun Sun,Xu Chen,Yantian Luo,Wei Feng,Yunfei Chen,Ning Ge

DOI: https://doi.org/10.1109/icct59356.2023.10419782

2023-01-01

Abstract:Link flooding attack (LFA) is a kind of stealthy distributed denial of service (DDoS) attack that has been commonly exploited by attackers to disconnect victims from the Internet by congesting critical links on the paths. With the development of 5G, a massive number of insecure Internet of Things (IoT) devices have been connected to the network, which significantly increases the risk of LFA. Detecting and mitigating LFA is difficult since malicious traffic is of low speed and protocol confirming from legitimate traffic. Traditional LFA detection methods face the challenge of high complexity. Due to the numerous attack sources of LFA, the mainstream traffic engineering-based mitigation methods introduce high signaling communication costs. To over-come these challenges, we propose a novel LFA defense system in software defined networking (SDN) architecture that consists of a distributed relative entropy-based LFA detection method and an optimized rerouting method for LFA mitigation. This framework is lightweight to implement. It can not only reduce the communication overhead of signaling transmission in mitigation, but also avoid the cascading congestion of other links after rerouting. We verify our detection and mitigation method in an experimental testbed. Numerical results show that our method can detect and mitigate LFAs effectively with low cost.

Yinghao Su,Dapeng Xiong,Kechang Qian,Yu Wang

DOI: https://doi.org/10.3390/electronics13040807

IF: 2.9

2024-02-20

Electronics

Abstract:The widespread adoption of software-defined networking (SDN) technology has brought revolutionary changes to network control and management. Compared to traditional networks, SDN enhances security by separating the control plane from the data plane and replacing the traditional network architecture with a more flexible one. However, due to its inherent architectural flaws, SDN still faces new security threats. This paper expounds on the architecture and security of SDN, analyzes the vulnerabilities of SDN architecture, and introduces common distributed denial of service (DDoS) attacks within the SDN architecture. This article also provides a review of the relevant literature on DDoS attack detection and mitigation in the current SDN environment based on the technologies used, including statistical analysis, machine learning, policy-based, and moving target defense techniques. The advantages and disadvantages of these technologies, in terms of deployment difficulty, accuracy, and other factors, are analyzed. Finally, this study summarizes the SDN experimental environment and DDoS attack traffic generators and datasets of the reviewed literature and the limitations of current defense methods and suggests potential future research directions.

engineering, electrical & electronic,computer science, information systems,physics, applied

Kuan-yin Chen,Anudeep Reddy Junuthula,Ishant Kumar Siddhrau,Yang Xu,H. Jonathan Chao

DOI: https://doi.org/10.1109/cns.2016.7860467

2016-01-01

Abstract:While the software-defined networking (SDN) paradigm is gaining much popularity, current SDN infrastructure has potential bottlenecks in the control plane, hindering the network's capability of handling on-demand, fine-grained flow level visibility and controllability. Adversaries can exploit these vulnerabilities to launch distributed denial-of-service (DDoS) attacks against the SDN infrastructure. Recently proposed solutions either scale up the SDN control plane or filter out forged traffic, but not both. We propose SDNShield, a combined solution towards more comprehensive defense against DDoS attacks on SDN control plane. SDNShield deploys specialized software boxes to improve the scalability of ingress SDN switches to accommodate control plane workload surges. It further incorporates a two-stage filtering scheme to protect the centralized controller. The first stage statistically distinguishes legitimate flows from forged ones, and the second stage recovers the false positives of the first stage with in-depth TCP handshake verification. Prototype tests and dataset-driven evaluation results show that SDNShield maintains higher resilience than existing solutions under varying attack intensity.