Shumian Yang,Lianhai Wang,Dawei Zhao,Xiaohui Han,Shuhui Zhang

DOI: https://doi.org/10.22323/1.300.0033

2018-01-01

Abstract:Software definition networking is a revolutionary network architecture, which realizes the separation of the control plane and data plane of a network. While providing the centralized controllability and the software programmability, the network itself is encountering many security problems. In order to solve the problem of security threats in SDN networks, there are different layers of unique security challenges and the relevant research on SDN security problems. This paper introduces the depth learning technology into the field of security threat detection in SDN, and propose a security threat detection framework based on depth learning.The framework is based on the research on model establishment, abnormal behavior recognition and decision algorithm design. The software system based on physical memory analysis is under development in SDN. The system verifies the feasibility of this framework, and to finally generate the work plan on SDN infrastructure.

Haifeng Zhou,Chunming Wu,Chengyu Yang,Pengfei Wang,Qi Yang,Zhouhao Lu,Qiumei Cheng

DOI: https://doi.org/10.1109/TNET.2018.2859483

2018-01-01

IEEE/ACM Transactions on Networking

Abstract:A software-defined network (SDN) is increasingly deployed in many practical settings, bringing new security risks, e.g., SDN controller and switch hijacking. In this paper, we propose a real-time method to detect compromised SDN devices in a reliable way. The proposed method aims at solving the detection problem of compromised SDN devices when both the controller and the switch are trustless, and ...

Shanshan Bian,Peng Zhang,Zheng Yan

DOI: https://doi.org/10.4108/eai.18-6-2016.2264176

2016-01-01

Abstract:Software-Defined Networking (SDN) has gained special attention in both academia and industry. It is a new network architecture framework for networking, which decouples the network control plane from the data plane at physical topology. SDN promotes centralization of network control and introduces the ability to program the network. However, the development of the SDN is constrained by various security concerns, e.g., the central management of SDN is ideal for security attack. In this paper, we investigate potential security threats and specify security requirements accordingly. Existing security solutions in SDN are seriously reviewed and evaluated based on the specified security requirements in order to figure out open issues and motivate future research efforts.

Pengfei Zhai,Yanbo Song,Xiaoming Zhu,Lihui Cao,Jiaming Zhang,Chungang Yang

DOI: https://doi.org/10.1109/iccc49849.2020.9238872

2020-01-01

Abstract:Software Defined Network (SDN) is a new type of network architecture solution, and its innovation lies in decoupling traditional network system into a control plane, a data plane, and an application plane. It logically implements centralized control and management of the network,and SDN is considered to represent the development trend of the network in the future. However, SDN still faces many security challenges. Currently, the number of insecure devices is huge. Distributed Denial of Service (DDoS) attacks are one of the major network security threats.This paper focuses on the detection and mitigation of DDoS attacks in SDN. Firstly, we explore a solution to detect DDoS using Renyi entropy, and we use exponentially weighted moving average algorithm to set a dynamic threshold to adapt to changes of the network. Second, to mitigate this threat,we analyze the historical behavior of each source IP address and score it to determine the malicious source IP address,and use OpenFlow protocol to block attack source.The experimental results show that the scheme studied in this paper can effectively detect and mitigate DDoS attacks.

Zhaogang Shu,Jiafu Wan,Di Li,Jiaxiang Lin,Athanasios V. Vasilakos,Muhammad Imran

DOI: https://doi.org/10.1007/s11036-016-0676-x

2016-01-01

Mobile Networks and Applications

Abstract:In recent years, Software-Defined Networking (SDN) has been a focus of research. As a promising network architecture, SDN will possibly replace traditional networking, as it brings promising opportunities for network management in terms of simplicity, programmability, and elasticity. While many efforts are currently being made to standardize this emerging paradigm, careful attention needs to be also paid to security at this early design stage. This paper focuses on the security aspects of SDN. We begin by discussing characteristics and standards of SDN. On the basis of these, we discuss the security features as a whole and then analyze the security threats and countermeasures in detail from three aspects, based on which part of the SDN paradigm they target, i.e., the data forwarding layer, the control layer and the application layer. Countermeasure techniques that could be used to prevent, mitigate, or recover from some of such attacks are also described, while the threats encountered when developing these defensive mechanisms are highlighted.

Ihsan H. Abdulqadder,Deqing Zou,Israa T. Aziz,Bin Yuan

DOI: https://doi.org/10.1155/2018/1308678

IF: 1.968

2018-01-01

Security and Communication Networks

Abstract:Software Defined Network is a promising network paradigm which has led to several security threats in SDN applications that involve user flows, switches, and controllers in the network. Threats as spoofing, tampering, information disclosure, Denial of Service, flow table overloading, and so on have been addressed by many researchers. In this paper, we present novel SDN design to solve three security threats: flow table overloading is solved by constructing a star topology-based architecture, unsupervised hashing method mitigates link spoofing attack, and fuzzy classifier combined with L1-ELM running on a neural network for isolating anomaly packets from normal packets. For effective flow migration Discrete-Time Finite-State Markov Chain model is applied. Extensive simulations using OMNeT++ demonstrate the performance of our proposed approach, which is better at preserving holding time than are other state-of-the-art works from the literature.

computer science, information systems,telecommunications

Ihsan H. Abdulqadder,Deqing Zou,Israa T. Aziz,Bin Yuan

DOI: https://doi.org/10.1109/icct.2017.8359852

2017-01-01

Abstract:Software Defined Networking (SDN) support several administrators for quicker access of resources due to its manageability, cost-effectiveness and adaptability. Even though SDN is beneficial it also exists with security based challenges due to many vulnerable threats. Participation of such threats increases their impact and risk level. In this paper a multi-level security mechanism is proposed over SDN architecture design. In each level the flow packet is analyzed using different metric and finally it reaches a secure controller for processing. Benign flow packets are differentiated from non-benign flow by means of the packet features. Initially routers verify user, secondly policies are verified by using dual-fuzzy logic design and thirdly controllers are authenticated using signature based authentication before assigning flow packets. This work aims to enhance entire security of developed SDN environment. SDN architecture is implemented in OMNeT++ simulation tool that supports OpenFlow switches and controllers. Finally experimental results show better performances in following performance metrics as throughput, time consumption and jitter.

Yinghao Su,Dapeng Xiong,Kechang Qian,Yu Wang

DOI: https://doi.org/10.3390/electronics13040807

IF: 2.9

2024-02-20

Electronics

Abstract:The widespread adoption of software-defined networking (SDN) technology has brought revolutionary changes to network control and management. Compared to traditional networks, SDN enhances security by separating the control plane from the data plane and replacing the traditional network architecture with a more flexible one. However, due to its inherent architectural flaws, SDN still faces new security threats. This paper expounds on the architecture and security of SDN, analyzes the vulnerabilities of SDN architecture, and introduces common distributed denial of service (DDoS) attacks within the SDN architecture. This article also provides a review of the relevant literature on DDoS attack detection and mitigation in the current SDN environment based on the technologies used, including statistical analysis, machine learning, policy-based, and moving target defense techniques. The advantages and disadvantages of these technologies, in terms of deployment difficulty, accuracy, and other factors, are analyzed. Finally, this study summarizes the SDN experimental environment and DDoS attack traffic generators and datasets of the reviewed literature and the limitations of current defense methods and suggests potential future research directions.

engineering, electrical & electronic,computer science, information systems,physics, applied

Ihsan H. Abdulqadder,Deqing Zou,Israa T. Aziz,Bin Yuan,Weiming Li

DOI: https://doi.org/10.1109/access.2018.2797214

IF: 3.9

2018-01-01

IEEE Access

Abstract:A software-defined network (SDN) is a technology that supports computer network administrators. However, the centralized control plane architecture of SDNs makes them vulnerable to harmful security threats. In this paper, we propose a secure cloud (SecSDN-cloud) architecture that includes user authentication, routing, attack resistance, and third-party monitoring. The goal of this paper is to design an SDN-cloud environment with integrated security that can resist three different attack types: flow table overloading, control plane saturation, and Byzantine attacks. A novel digital signature with chaotic secure hashing is used for user authentication, followed by an enhanced particle swarm optimization multi-class routing protocol to improve the quality of service. Controllers are assigned to switches by integrating an enhanced genetic algorithm with a modified cuckoo search algorithm. The malicious flow identification includes the analysis of five-tuples constructed from features extracted from packets. We implemented the proposed SecSDN-cloud in the OMNeT++ simulator and evaluated its performance in terms of packet loss, end-to-end delay, throughput, latency, and bandwidth.

BAI Jiasong,ZHANG Menghao,BI Jun

DOI: https://doi.org/10.19729/j.cnki.1673-5188.2018.04.002

2019-01-01

Abstract:Software defined networking（SDN）has attracted significant attention from both academia and industry by its ability to reconfigure network devices with logically centralized applications.However,some critical security issues have also been introduced along with the benefits,which put an obstruction to the deployment of SDN.One root cause of these issues lies in the limited resources and capability of devices involved in the SDN architecture,especially the hardware switches lied in the data plane.In this paper,we analyze the vulnerability of SDN and present two kinds of SDN-targeted attacks:1)data-to-control plane saturation attack which exhausts resources of all SDN components,including control plane,data plane,and the in-between downlink channel and2)control plane reflection attack which only attacks the data plane and gets conducted in a more efficient and hidden way.Finally,we propose the corresponding defense frameworks to mitigate such attacks.

Wenmao LIU,Xiaofeng QIU,Pengcheng CHEN,Xutao WEN,Xinxin HE,Dongsheng WANG,Jun LI

DOI: https://doi.org/10.3778/j.issn.1673-9418.1407061

2015-01-01

Abstract:Current OpenFlow specifications provide limited access to packet details, making it inefficient to deploy security applications. Moreover, current security solutions become less flexible as software defined-networking (SDN) develops. This paper proposes a distributed software-defined security architecture (SDSA), which offloads heavy security processing from SDN controller to a dedicated security controller and security APPs, providing both flow and packet level protections against various attacks in the SDN and virtual environment. This paper gives the global view and knowledge of flows, IaaS assets and devices, which can make accurate decisions and ensures devices to execute security rules instantly. The architecture simplifies security device logic greatly by separating security data and control planes, the detection and protection are automated with standardized control messages, making the secu-rity reaction fast. The experiments demonstrate that SDSA can detect DoS attack, port scan and abnormal high traffic with low cost and little overhead.

Shibo Luo,Mianxiong Dong,Kaoru Ota,Jun Wu,Jianhua Li

DOI: https://doi.org/10.3390/s151229887

IF: 3.9

2015-01-01

Sensors

Abstract:Software-Defined Networking-based Mobile Networks (SDN-MNs) are considered the future of 5G mobile network architecture. With the evolving cyber-attack threat, security assessments need to be performed in the network management. Due to the distinctive features of SDN-MNs, such as their dynamic nature and complexity, traditional network security assessment methodologies cannot be applied directly to SDN-MNs, and a novel security assessment methodology is needed. In this paper, an effective security assessment mechanism based on attack graphs and an Analytic Hierarchy Process (AHP) is proposed for SDN-MNs. Firstly, this paper discusses the security assessment problem of SDN-MNs and proposes a methodology using attack graphs and AHP. Secondly, to address the diversity and complexity of SDN-MNs, a novel attack graph definition and attack graph generation algorithm are proposed. In order to quantify security levels, the Node Minimal Effort (NME) is defined to quantify attack cost and derive system security levels based on NME. Thirdly, to calculate the NME of an attack graph that takes the dynamic factors of SDN-MN into consideration, we use AHP integrated with the Technique for Order Preference by Similarity to an Ideal Solution (TOPSIS) as the methodology. Finally, we offer a case study to validate the proposed methodology. The case study and evaluation show the advantages of the proposed security assessment mechanism.

Lina WANG,Fei WANG,Weijie LIU

DOI: https://doi.org/10.14188/j.1671-8836.2019.02.004

2019-01-01

Abstract:Software-defined networks (SDN) increase the flexibility of network programming through logically centralized network control, but the subsequent security threats that are exploited by attackers will directly compromise the entire network architecture.According to the characteristics of SDN, security threats were classified into four types including intrusion attacks, anomaly attacks, DDoS and DoS attacks and spoofing attacks. Since the DDoS and DoS attacks are more targeted and harmful in the SDN environment than in traditional networks, the principles, methods and effects of attacks were mainly formulated. In addition, the existing countermeasures were reviewed according to the type of attacks. Finally, the future research directions and development trends were proposed according to the shortcomings of the existing technology.

Deyun Gao,Zehui Liu,Ying Liu,Chuan Heng Foh,Ting Zhi,Han-Chieh Chao

DOI: https://doi.org/10.1007/s00500-018-3407-3

IF: 3.732

2018-01-01

Soft Computing

Abstract:Software-defined networking (SDN) is the key outcome of extensive research efforts over the past few decades toward transforming the Internet to a more programmable, configurable, and manageable infrastructure. At the same time, SDN will surely become a new target of cyber attackers. In this paper, we point out one of the critical vulnerabilities in SDNs, the capacity of controller, which is most likely to be attacked. Due to the logical centralized management, the breakdown of a controller may disrupt a whole SDN network, which can be easily occurred by Packet-In messages flooding attack (a network-level DDoS attack). To provide a robust environment in SDN, we propose an effective detection method, which has low overhead and high accuracy. We first classify the potential switches that are compromised using Bayesian Network, which is a supervised learning algorithm. Then, we deploy the anomaly detection on the vulnerable switches to detect the Packet-In messages flooding attack based on fuzzy c-means. Extensive simulations and testbed-based experiments show that the proposed solution can defeat the Packet-In messages flooding attack with low overhead and high accuracy.

Heng Zhang,Zhiping Cai,Qiang Liu,Qingjun Xiao,Yangyang Li,Chak-Fong Cheang

DOI: https://doi.org/10.1155/2018/2459154

IF: 1.968

2018-01-01

Security and Communication Networks

Abstract:Software-defined networking (SDN) is one of the most prevailing networking paradigms in current and next-generation networks. Basically, the highly featured separation of control and data planes makes SDN a proper solution towards many practical problems that challenge legacy networks, for example, energy efficiency, dynamic network configuration, agile network measurement, and flexible network deployment. Although the SDN and its applications have been extensively studied for several years, the research of SDN security is still in its infancy. Typically, the SDN suffers from architecture defect and OpenFlow protocol loopholes such as single controller problem, deficiency of communication verification, and network resources constraint. Hence, network measurement is a fundamental technique of protecting SDN against the above security threats. Specifically, network measurement aims to understand and quantify a variety of network behaviors to facilitate network management and monitoring, anomaly detection, network troubleshooting, and the establishment of security mechanisms. In this paper, we present a systematic survey on security-aware measurement technology in SDN. In particular, we first review the basic architecture of SDN and corresponding security challenges. Then, we investigate two performance measurement techniques in SDN, namely, link latency and available bandwidth measurements. After that, we further provide a general overview of topology measurement in SDN including intradomain and interdomain topology discovering techniques. Finally, we list three interesting future directions of security-aware measurement in SDN followed by giving conclusion remarks.

Heyu Wang,Yixuan Li

DOI: https://doi.org/10.1109/access.2024.3375395

IF: 3.9

2024-03-19

IEEE Access

Abstract:Software Defined network (SDN), as a new network architecture, is the direction of future network development. By decoupling the control plane and data plane of the network, the control and management of network resources can be improved. However, SDN centralized controllers become the target of malicious attacks, prone to the risk of single point of failure, of which DDoS attacks are the main attack behavior. Through extensive literature investigation, this paper systematically reviews the latest progress of DDoS attack detection in SDN environment. Firstly, the SDN architecture and corresponding DDoS attacks are described, and the commonly used data sets and evaluation indicators are summarized. Secondly, the data preprocessing technology is summarized, and the data dimensionality reduction technology is introduced in detail. Then, at the level of detection technology, it focuses on the advantages and disadvantages of detection algorithms based on statistical analysis, machine learning and deep learning. Finally, the challenges of current research are analyzed, and the future development direction is forecasted. In order to provide reference for future research and development, at the same time, it is of great significance to improve the safety of SDN products in the future.

computer science, information systems,telecommunications,engineering, electrical & electronic

Shibo Luo,Jun Wu,Jianhua Li,Longhua Guo

DOI: https://doi.org/10.1109/tce.2016.7514720

2016-01-01

IEEE Transactions on Consumer Electronics

Abstract:Software-defined Home Networks (SDHN) is a key development trend of smart home which is proposed to realize multi-home visual sharing. With the improved openness and programming ability, SDHN faces increased network threat than traditional home networks. Especially, because of the diversity and heterogeneity of smart home products, multi-stage attack is more convenient to be performed in SDHN. To mitigate multi-stage attack in SDHN, some significant problems are needed to be addressed. The first problem is security assessment along with attack events. The second one is countermeasure selection problem based on security assessment result and security policy. The third one is attack mitigation countermeasure deployment problem according to current network context to meet the countermeasure decision instantly. In this paper, a multi-stage attack mitigation mechanism is proposed for SDHN using Software-Defined Networking (SDN) and Network Function Virtualization (NFV). Firstly, an evidence-driven security assessment method using SDN factors and NFV-based detection is designed to perform security assessment along with observed security events. Secondly, an attack mitigation countermeasure selection method is proposed. The evaluation shows that the proposed mechanism is effective for multi-stage attack mitigation in SDHN1.

Rudong Zhao,Songjie Wei,Milin Ren

DOI: https://doi.org/10.1109/ctceec.2017.8455172

2017-01-01

Abstract:This paper proposes a Distributed Denial of Service (DDoS) attack detection and defense system based on Software Defined Networks (SDN) architecture. The system is composed of a monitoring module, a detection module and a reaction module. The monitoring module is designed to raise alerts by analyzing Packet_In messages. It detects and reports anomalies to the detection module for further evaluation, which overcomes the disadvantages of slow response and large overhead of periodic trigger detection. The reaction module can trace back attack traffic flows to quickly and accurately identify malicious hosts. The use of a SDN controller brings in a global view of the network topology in the monitoring and detection procedures for the access layer switch and reduces the processing range. This paper extends the OpenFlow protocol so that a flow entry can record and track the flow path information, which improves the efficiency and accuracy of attack traffic traceability. Simulation experiments show that the proposed scheme has a relatively faster response to DDoS attack with less processing pressure imposed on the controller.

Tao Han,Syed Rooh Ullah Jan,Zhiyuan Tan,Muhammad Usman,Mian Ahmad Jan,Rahim Khan,Yongzhao Xu

DOI: https://doi.org/10.1002/cpe.5300

2019-04-17

Concurrency and Computation: Practice and Experience

Abstract:Software Defined Network (SDN) and Network Virtualization (NV) are emerged paradigms that simplified the control and management of the next generation networks, most importantly, Internet of Things (IoT), Cloud Computing, and Cyber‐Physical Systems. The Internet of Things (IoT) includes a diverse range of a vast collection of heterogeneous devices that require interoperable communication, scalable platforms, and security provisioning. Security provisioning to an SDN‐based IoT network poses a real security challenge leading to various serious security threats due to the connection of various heterogeneous devices having a wide range of access protocols. Furthermore, the logical centralized controlled intelligence of the SDN architecture represents a plethora of security challenges due to its single point of failure. It may throw the entire network into chaos and thus expose it to various known and unknown security threats and attacks. Security of SDN controlled IoT environment is still in infancy and thus remains the prime research agenda for both the industry and academia. This paper comprehensively reviews the current state‐of‐the‐art security threats, vulnerabilities, and issues at the control plane. Moreover, this paper contributes by presenting a detailed classification of various security attacks on the control layer. A comprehensive state‐of‐the‐art review of the latest mitigation techniques for various security breaches is also presented. Finally, this paper presents future research directions and challenges for further investigation down the line.

Zhipeng Yu,Hui Zhu,Rui Xiao,Chao Song,Jian Dong,Hui Li

DOI: https://doi.org/10.1002/ett.3895

IF: 3.6

2020-01-01

Transactions on Emerging Telecommunications Technologies

Abstract:With the development and pervasiveness of Internet of Things (IoT) devices, Software‐Defined Networks (SDN) technology has been deployed to bring great convenience to network transmission. However, SDN over IoT network still faces many challenges on devices data security. Our work demonstrates a novel attack of SDN networks, named Network Harvesting (NH). In NH, an attacker has the ability to steal the users' network privileges without the awareness of victims and the switchers. Furthermore, to solve the above attack, we construct a detection scheme and a defense scheme, named RSDetector and SpoofDefender. RSDetector detects the presence of rogue switches in the network by leveraging the prediction power of machine learning. At the same time, SpoofDefender prevents a number of spoofing attacks including NH by the global control of the SDN networks. In addition, RSDetector and SpoofDefender are also evaluated on ONOS 1.10.4 and Mininet. A good deal of simulation results demonstrate that our proposed schemes have great optimization in reducing communication and computation costs.