Wenmao LIU,Xiaofeng QIU,Pengcheng CHEN,Xutao WEN,Xinxin HE,Dongsheng WANG,Jun LI

DOI: https://doi.org/10.3778/j.issn.1673-9418.1407061

2015-01-01

Abstract:Current OpenFlow specifications provide limited access to packet details, making it inefficient to deploy security applications. Moreover, current security solutions become less flexible as software defined-networking (SDN) develops. This paper proposes a distributed software-defined security architecture (SDSA), which offloads heavy security processing from SDN controller to a dedicated security controller and security APPs, providing both flow and packet level protections against various attacks in the SDN and virtual environment. This paper gives the global view and knowledge of flows, IaaS assets and devices, which can make accurate decisions and ensures devices to execute security rules instantly. The architecture simplifies security device logic greatly by separating security data and control planes, the detection and protection are automated with standardized control messages, making the secu-rity reaction fast. The experiments demonstrate that SDSA can detect DoS attack, port scan and abnormal high traffic with low cost and little overhead.

Junchi Xing,Haifeng Zhou,Jinfan Shen,Kai Zhu,Yansong Wang,Chunming Wu,Wei Ruan

DOI: https://doi.org/10.1109/ICT.2018.8464855

2018-01-01

Abstract:Distributed Denial-of-Service (DDoS) attack has been a "nightmare" for cloud. A countermeasure is to establish an Intrusion Detection and Prevention System (IDPS) for cloud. Nevertheless, current IDPSes fail to achieve the detection and prevention in a flexible and lightweight way. In this paper, we propose a novel scheme of IDPS for overcoming the above problem, termed as Auto-scaling IDPS (AsIDPS). AsIDPS is based on Software-Defined Networking (SDN) and Docker container technologies. It first detects abnormal traffic based on the flow statistics collected in SDN switches in real-time. By the SDN controller, the abnormal traffic will be directed to the created Docker containers with Snort running on them for further detection and clean-up. Particularly, the Docker containers can be automatically scaled out or scaled down on demand. The Snort will also deliver an alert to the SDN controller if it detects attack traffic so as to perform a countermeasure if necessary. Benefitting from the flexible network management offered by SDN and the lightweight Docker container, AsIDPS is able to build a flexible and lightweight defense against DDoS attack in cloud. Based on our prototype implementation, we validate the effectiveness of AsIDPS in defending DDoS attack, and also verify its flexibility and lightweight.

Shumian Yang,Lianhai Wang,Dawei Zhao,Xiaohui Han,Shuhui Zhang

DOI: https://doi.org/10.22323/1.300.0033

2018-01-01

Abstract:Software definition networking is a revolutionary network architecture, which realizes the separation of the control plane and data plane of a network. While providing the centralized controllability and the software programmability, the network itself is encountering many security problems. In order to solve the problem of security threats in SDN networks, there are different layers of unique security challenges and the relevant research on SDN security problems. This paper introduces the depth learning technology into the field of security threat detection in SDN, and propose a security threat detection framework based on depth learning.The framework is based on the research on model establishment, abnormal behavior recognition and decision algorithm design. The software system based on physical memory analysis is under development in SDN. The system verifies the feasibility of this framework, and to finally generate the work plan on SDN infrastructure.

Shasha Zhang,Shuyu Song,Fan Yang,Rongpeng Li,Zhifeng Zhao,Honggang Zhang

DOI: https://doi.org/10.1145/3300061.3343365

2019-01-01

Abstract:Software-defined security (SDS) overcomes the limitations of traditional security mechanisms, which brings significant merits for design, deployment and management. However, existing researches are usually limited to some independent algorithms, while not able to apply multiple algorithms to accommodate various types of attack in actual deployment. In this paper, we propose and implement a novel SDS framework, which aims to flexibly deploy a variety of security functions and artificial intelligence (AI) algorithms to automatically learn ongoing threats and proactively protect the network from attacks.

Wajid Rafique,Maqbool Khan,Nadeem Sarwar,Wanchun Dou

DOI: https://doi.org/10.1007/978-3-030-30146-0_6

2019-01-01

Abstract:Managing the huge IoT infrastructure poses a vital challenge to the network community. Software Defined Networking (SDN), due to its characteristics of centralized network management has been considered as an optimal choice to manage IoT. Edge computing brings cloud recourses near the IoT to localize the cloud demands. Consequently, SDN, IoT, and edge computing can be combined into a framework to create a resourceful SDIoT-Edge architecture to efficiently orchestrate cloud services and utilize resource-limited IoT devices in a flexible way. Besides a wide adoption of IoT, the vulnerabilities present in this less secure infrastructure can be exploited by the adversaries to attack the OpenFlow channel using Distributed Denial of Service (DDoS) attacks. DDoS on OpenFlow channel have the ability to disrupt the whole network hence, providing security for the OpenFlow channel is a key challenge in SDIoT-Edge. We propose a security framework called SDIoT-Edge Security (SIESec) against the security vulnerabilities present in this architecture. SIESec prototype employs machine learning-based classification strategy, blacklist integration, and contextual network flow filtering to efficiently defend against the DDoS attacks. We perform extensive simulations using Floodlight controller and Mininet network emulator. Our results proclaim that SIESec provides extensive security against OpenFlow channel DDoS attacks and pose a very less overhead on the network.

Fan Yang,Shasha Zhang,Shuyu Song,Rongpeng Li,Zhifeng Zhao,Honggang Zhang

DOI: https://doi.org/10.1145/3321408.3321610

2019-01-01

Abstract:In this paper, we propose an IntelligentSDS testbed, which is based on a novel Software Defined Security (SDS) framework powered with Artificial Intelligence. In particular, IntelligentSDS aims to flexibly deploy multiple security agents to white-box devices, so as to automatically learn ongoing threats and proactively protect the network. In particular, we discuss the design and realization of OpenStack-based intelligentSDS cloud, software-defined firewall, intelligent autodetection and defense system, and honeynet.

Zhaowen Lin,Dan Tao,Zhenji Wang

DOI: https://doi.org/10.3390/s17040920

2017-04-21

Abstract:For a Software Defined Network (SDN), security is an important factor affecting its large-scale deployment. The existing security solutions for SDN mainly focus on the controller itself, which has to handle all the security protection tasks by using the programmability of the network. This will undoubtedly involve a heavy burden for the controller. More devastatingly, once the controller itself is attacked, the entire network will be paralyzed. Motivated by this, this paper proposes a novel security protection architecture for SDN. We design a security service orchestration center in the control plane of SDN, and this center physically decouples from the SDN controller and constructs SDN security services. We adopt virtualization technology to construct a security meta-function library, and propose a dynamic security service composition construction algorithm based on web service composition technology. The rule-combining method is used to combine security meta-functions to construct security services which meet the requirements of users. Moreover, the RETE algorithm is introduced to improve the efficiency of the rule-combining method. We evaluate our solutions in a realistic scenario based on OpenStack. Substantial experimental results demonstrate the effectiveness of our solutions that contribute to achieve the effective security protection with a small burden of the SDN controller.

Fang Miao,Wenjie Fan,Wenhui Yang,Yan Xie

DOI: https://doi.org/10.1145/3309074.3309093

2019-01-01

Abstract:DOSA (Data-Oriented Security Architecture, or Data Ownership-based Security Architecture) is an architecture for data protection and application in an open Internet environment. DOSA combines data with ownership by using digital certification authentication (CA) and public key infrastructure (PKI). The DOSA is simply described as one body with two wings. The one body is that the data must be combined with ownership. The one wing is that the data should be innately registered. Another wing is that the data should be innately encrypted with the data owner's public key. To share data and make data applicable, DOSA also establishes the authorization of data ownership for data sharing, the recording of data operation for data history tracing, the data behaviour analysis for the discovery of illegal use of data, and the data usage statistics for the assessment of data value, etc. Therefore, data can be securely shared and used in an open environment with ownership authorization. At the same time, data ownership is clarified; the interests of the data owner can be guaranteed.

Junyi Deng,Zhiyi Fang,Yongbo Ma,Peng Xu,Xingchao An

DOI: https://doi.org/10.1109/wicom.2009.5302399

2009-01-01

Abstract:As an open architecture, SOA (Service-Oriented Architecture) provides developers with more freedom. However, its security problem goes from bad to worse. By taken a bank transfer with proxy as an example, this paper analyzed the security issue of SDO (Service Data Object) data model and proposed an mechanism to make sure that the integrity, confidentiality and non-repudiation of SDO data model are preserved by applying encryption/decryption, digest, digital signature and so on. Finally, by applying WIN and WPS tools, this mechanism was developed and its performance was evaluated.

Deze Zeng,Lin Gu,Shengli Pan,Song Guo

DOI: https://doi.org/10.1007/978-3-030-32942-6

2020-01-01

Abstract:The newly emerged software defined system (SDS) promises a new information system resource allocation and management way. The main concept of SDS is to separate the control plane from the data plane in various subsystems, e.g., sensing, communication, networking, and computation. By such means, various resources of the information system are virtualized and therefore can be managed in a more friendly and flexible manner. It is widely believed that SDS is able to lower the barrier for system and application innovation, and will become an inevitable trend towards the future generation of the information system. In this chapter, we first identify the emergence and then give an overview as well as the main concepts of SDS. Regarding that many enabling technologies are already available to realize the vision of SDS, we also present a brief summarization of the main enabling technologies for SDS and identify their key characteristics.

Haosu Cheng,Jianwei Liu,Jian Mao,Mengmeng Wang,Jie Chen

DOI: https://doi.org/10.1007/978-3-319-94268-1_6

2018-01-01

Abstract:Software-defined Networking (SDN) is a representative next generation network architecture, which allows network administrators to programmatically initialize, control, change and manage network behavior dynamically via open interfaces. However, SDN brings new security problems, e.g., controller hijacking, black-hole, unauthorized data modification, etc. It is desirable to develop a unified platfom to enhance the security property and facilitate the security configuration and evaluation. In this paper, we propose OSCO (Open Security-enhanced Compatible OpenFlow) platform, a platform based on Raspberry Pi Single Board Computer (SBC) hardware and SDN network architecture, which supports highly configurable cryptographic algorithm modules, security protocols, flexible hardware extensions and virtualized SDN networks. Furthermore, we present an enhanced OpenFlow protocol to improve the security in SDN data plane. We implement and evaluate the prototype system and the experiment results show that our system conducted security functions with relatively low computational and networking performance overheads.

Alejandro Molina Zarca,Miloud Bagaa,Jorge Bernal Bernabe,Tarik Taleb,Antonio F Skarmeta

DOI: https://doi.org/10.3390/s20133622

2020-06-27

Abstract:IoT systems can be leveraged by Network Function Virtualization (NFV) and Software-Defined Networking (SDN) technologies, thereby strengthening their overall flexibility, security and resilience. In this sense, adaptive and policy-based security frameworks for SDN/NFV-aware IoT systems can provide a remarkable added value for self-protection and self-healing, by orchestrating and enforcing dynamically security policies and associated Virtual Network Functions (VNF) or Virtual network Security Functions (VSF) according to the actual context. However, this security orchestration is subject to multiple possible inconsistencies between the policies to enforce, the already enforced management policies and the evolving status of the managed IoT system. In this regard, this paper presents a semantic-aware, zero-touch and policy-driven security orchestration framework for autonomic and conflict-less security orchestration in SDN/NFV-aware IoT scenarios while ensuring optimal allocation and Service Function Chaining (SFC) of VSF. The framework relies on Semantic technologies and considers the security policies and the evolving IoT system model to dynamically and formally detect any semantic conflict during the orchestration. In addition, our optimized SFC algorithm maximizes the QoS, security aspects and resources usage during VSF allocation. The orchestration security framework has been implemented and validated showing its feasibility and performance to detect the conflicts and optimally enforce the VSFs.

Biao Han,Xiangrui Yang,Zhigang Sun,Jinfeng Huang,Jinshu Su

DOI: https://doi.org/10.1155/2018/9649643

IF: 1.968

2018-01-01

Security and Communication Networks

Abstract:Distributed Denial of Service (DDoS) attacks are one of the biggest concerns for security professionals. Traditional middle-box based DDoS attack defense is lack of network-wide monitoring flexibility. With the development of software-defined networking (SDN), it becomes prevalent to exploit centralized controllers to defend against DDoS attacks. However, current solutions suffer with serious southbound communication overhead and detection delay. In this paper, we propose a cross-plane DDoS attack defense framework in SDN, called OverWatch, which exploits collaborative intelligence between data plane and control plane with high defense efficiency. Attack detection and reaction are two key procedures of the proposed framework. We develop a collaborative DDoS attack detection mechanism, which consists of a coarse-grained flow monitoring algorithm on the data plane and a fine-grained machine learning based attack classification algorithm on the control plane. We propose a novel defense strategy offloading mechanism to dynamically deploy defense applications across the controller and switches, by which rapid attack reaction and accurate botnet location can be achieved. We conduct extensive experiments on a real-world SDN network. Experimental results validate the efficiency of our proposed OverWatch framework with high detection accuracy and real-time DDoS attack reaction, as well as reduced communication overhead on SDN southbound interface.

Dong-Hong Xu,Yong Qi,Di Hou,Gong-Zhen Wang,Ying Chen

DOI: https://doi.org/10.1109/cit.2008.4594759

2008-01-01

Abstract:There is a pressing need for secure services composition in agenda transactions. Orchestration and choreography language provide basic services and interaction, collaboration, and negotiation standards among services, but they don't give any secure manners or secure operation styles and specifications. Despite the interest of such security mechanisms, a formal module of them is still lacking. For giving a general guide to implement secure orchestration and secure choreography, we give a formal approach for carrying out this goal. To those targets, we address those by designing an extension of the Spi calculus with Secure Global Calculus. The Spi calculus precisely identifies orchestration secure properties of each principal from a local viewpoint. The secure global calculus describes an interaction secure choreography scenario from a vantage point of view. We called our framework SpiG4WSC calculus. We believe that the combination of strong practical needs for dynamic secure Web services composition and the theoretical foundations will lead to a bridge between practice and theories.

Yunfei Meng,Changbo Ke,Zhiqiu Huang,Guohua Shen,Chunming Liu,Xiaojie Feng

DOI: https://doi.org/10.48550/arXiv.2301.03790

2023-01-10

Cryptography and Security

Abstract:Software-defined networking (SDN) has been widely utilized to enforce the security of traditional networks, thereby promoting the process of transforming traditional networks into SDN networks. However, SDN-based security enforcement mechanisms rely heavily on the security policies containing the underlying information of data plane. With increasing the scale of underlying network, the current security policy management mechanism will confront more and more challenges. The security policy transformation for SDN networks is to research how to transform the high-level security policy without containing the underlying information of data plane into the practical flow entries used by the OpenFlow switches automatically, thereby implementing the automation of security policy management. Based on this insight, a practical runtime security policy transformation framework is proposed in this paper. First of all, we specify the security policies used by SDN networks as a system model of security policy (SPM). From the theoretical level, we establish the system model for SDN network and propose a formal method to transform SPM into the system model of flow entries automatically. From the practical level, we propose a runtime security policy transformation framework to solve the problem of how to find a connected path for each relationship of SPM in the data plane, as well as how to generate the practical flow entries according to the system model of flow entries. In order to validate the feasibility and effectiveness of the framework, we set up an experimental system and implement the framework with POX controller and Mininet emulator.

YF Xu,L Korba,LH Wang,Q Hao,WM Shen,S Lang

DOI: https://doi.org/10.1109/indin.2003.1300269

2003-01-01

Abstract:In today's globalized business world, outsourcing, joint ventures, and cross-border collaborations have led to work environments that are geographically distributed across organizational and national boundaries. There are critical research needs to develop highly secured collaborative work environments and security solutions for deployment, configuration, monitoring, and device control of interoperating services. We present a well-shaped security framework for distributed system control with a focus on device-level system control, monitoring and services reconfiguration in open and dynamic environments. The characteristics of portability, reconfigurability, interoperability, and interchangeability of these new environments are considered as key factors to produce new security risks and challenges. By adopting public key cryptography, software agent and XML binding technologies, the major security problems of authenticity, integrity, confidentiality, and safe execution are addressed in this framework. The core modules for secure task delivery and execution are presented in detail.

Gaetano Francesco Pittalà,Lorenzo Rinieri,Amir Al Sadi,Gianluca Davoli,Andrea Melis,Marco Prandini,Walter Cerroni

DOI: https://doi.org/10.1016/j.comnet.2024.110397

IF: 5.493

2024-04-10

Computer Networks

Abstract:The Edge Computing paradigm is increasingly gaining traction in modern telecommunication scenarios, as it enables the offloading of computational tasks from end devices to a variety of nodes located in close proximity to them. This approach is essential for meeting the ever-stricter Quality of Service requirements imposed by modern applications. Concurrently, the advent of Data Plane Programmability allows for unmatched flexibility on the networking plane, supporting processing of multiple protocols in a logically centralized fashion with simple in-line computation, and offering the possibility to offload additional services to networking equipment. Reaping those benefits necessitates heedful management of resources and infrastructure. This, in turn, calls for the introduction of a service orchestration entity, capable of taking advantage of device heterogeneity to enable efficient and swift service provisioning. This work delves into the potential of introducing an orchestration system able to cope with the challenges of offloading security tasks at the Edge. This effort involves developing and implementing novel architectural components that capitalize on the heterogeneous nature of the Edge infrastructure as well as of the Programmable Data Plane as a potential tool for service offloading. To establish the feasibility and performance of this approach, an industrial scenario is considered, where the integrity of data from legacy devices must be ensured. Following an evaluation of the hashing performance of the Programmable Data Plane in comparison to general-purpose devices, a simulation study is conducted on the overall orchestration system, demonstrating the viability of the proposed approach.

computer science, information systems,telecommunications,engineering, electrical & electronic, hardware & architecture

Yunfei Meng,Changbo Ke,Zhiqiu Huang

DOI: https://doi.org/10.1016/j.cose.2024.103850

IF: 5.105

2024-04-19

Computers & Security

Abstract:Software-defined networking (SDN) has been utilized to enforce the security of traditional networks. However, the existing SDN-based security enforcement mechanisms rely heavily on the security policies containing the underlying information of data plane, such as MAC address, IP address or switch ports. These security policies need to be specifically developed by network operators and loaded into the control plane manually. With increasing the scale of underlying network, the existing security policy management mechanisms confront more and more challenges. The security policy transformation for SDN networks is to research how to transform the high-level security policy without containing the underlying information into the practical flow entries used by Openflow switches automatically, thereby implementing the automatic management of security policies. To achieve this objective, we propose a model transformation based security policy automatic management framework for software-defined networking in this paper. Leveraging its functional modules, the framework can solve the problems of how to find a connected path for each access control rule of security policy model (SPM) in data plane, how to transform the connected path into the system model of flow entries, as well as how to generate the practical flow entries according to the system model of flow entries. In order to validate the effectiveness and performance of framework, we implement the framework by leveraging POX controller and Mininet emulator. The experimental results illustrate the framework can transform SPM into practical flow entries, synchronously perceive the modifications caused by cutting down one connected path or changing SPM, and continuously keep the data plane holding the security properties defined by SPM at runtime.

computer science, information systems

Yi Liu,Hong-qi Zhang,Jiang Liu,Ying-jie Yang

DOI: https://doi.org/10.1155/2017/9534754

IF: 1.968

2017-01-01

Security and Communication Networks

Abstract:Security functions are usually deployed on proprietary hardware, which makes the delivery of security service inflexible and of high cost. Emerging technologies such as software-defined networking and network function virtualization go in the direction of executing functions as software components in virtual machines or containers provisioned in standard hardware resources. They enable network to provide customized security service by deploying Security Service Chain (SSC), which refers to steering flow through multiple security functions in a particular order specified by individual user or application. However, SSC Deployment Problem (SSC-DP) needs to be solved. It is a challenging problem for various reasons, such as the heterogeneity of instances in terms of service capacity and resource demand. In this paper, we propose an SSC-based approach to deliver security service to users without worrying about physical locations of security functions. For SSC-DP, we present a three-phase method to solve it while optimizing network and security resource allocation. The presented method allows network to serve a large number of flows and minimizes the latency seen by flows. Comparative experiments on the fat-tree and Waxman topologies show that our method performs better than other heuristics under a wide range of network conditions.

Xiao Liu,Yuxin Liu,Houbing Song,Anfeng Liu

DOI: https://doi.org/10.1109/mcom.2017.1700090

IF: 9.03

2017-01-01

IEEE Communications Magazine

Abstract:This article argues that a big data network joint SDN, together with cloud and fog computing platforms, can build a service chain network. In SDN, the purpose is to reduce a large amount of redundant data and response time. We propose a novel Big Data Orchestration as a Service (BDOaaS) as the networking framework, which can dynamically orchestrate big data into services in SDN. In BDOaaS networking, the data center distributes software to all devices in the distributed network, which can orchestrate big data into services in the distributed network; the services- oriented network model is formed. Thus, the network load and response time is reduced. The BDOaaS framework and various components of BDOaaS as well as operation mechanisms are discussed in detail. Simulation results are presented to show the effectiveness of the proposed BDOaaS framework. In addition, we discuss a number of challenges in implementing the proposed framework in next generation networks.