Shumian Yang,Lianhai Wang,Dawei Zhao,Xiaohui Han,Shuhui Zhang

DOI: https://doi.org/10.22323/1.300.0033

2018-01-01

Abstract:Software definition networking is a revolutionary network architecture, which realizes the separation of the control plane and data plane of a network. While providing the centralized controllability and the software programmability, the network itself is encountering many security problems. In order to solve the problem of security threats in SDN networks, there are different layers of unique security challenges and the relevant research on SDN security problems. This paper introduces the depth learning technology into the field of security threat detection in SDN, and propose a security threat detection framework based on depth learning.The framework is based on the research on model establishment, abnormal behavior recognition and decision algorithm design. The software system based on physical memory analysis is under development in SDN. The system verifies the feasibility of this framework, and to finally generate the work plan on SDN infrastructure.

Yi Shen,Chunming Wu,Dezhang Kong,Mingliang Yang

DOI: https://doi.org/10.1109/icc40277.2020.9149276

2020-01-01

Abstract:Distributed Denial of Service (DDoS) attack is one of the most severe threats to the current network security. As a new network architecture, Software-Defined Networking (SDN) draws notable attention from both industry and academia. The characteristics of SDN such as centralized management and flow-based traffic monitoring make it an ideal platform to defend against DDoS attacks. When designing a network intrusion detection system (NIDS) in SDN, how to obtain fine-grained flow information with minimal overhead to the SDN architecture is a problem to be solved. In this paper, we propose TPDD, a two-phase DDoS detection system to detect DDoS attacks in SDN. In the first phase, we utilize the characteristics of SDN to collect coarse-grained flow information from the core switches and locate the potential victim. Then we monitor the edge switches located close to the potential victim to obtain finer-grained traffic information in the second phase. The collection method of each phase fully considers the impact on the bandwidth between the controller and switches. Without modifying the existing flow rules, the collection module can obtain sufficient information about traffic. By using entropy-based and machine learning-based methods, the detection module can effectively detect anomalies and identify whether the potential victim marked in the first phase is the target of attacks. Experimental results show that TPDD can effectively detect DDoS attacks with little overhead.

Haifeng Zhou,Chunming Wu,Chengyu Yang,Pengfei Wang,Qi Yang,Zhouhao Lu,Qiumei Cheng

DOI: https://doi.org/10.1109/TNET.2018.2859483

2018-01-01

IEEE/ACM Transactions on Networking

Abstract:A software-defined network (SDN) is increasingly deployed in many practical settings, bringing new security risks, e.g., SDN controller and switch hijacking. In this paper, we propose a real-time method to detect compromised SDN devices in a reliable way. The proposed method aims at solving the detection problem of compromised SDN devices when both the controller and the switch are trustless, and ...

Haifeng Zhou,Chunming Wu,Qiumei Cheng,Qianjun Liu

DOI: https://doi.org/10.1109/tnet.2017.2689240

2017-01-01

IEEE/ACM Transactions on Networking

Abstract:Maintaining service availability during an inter-domain route update is a challenge in both conventional networks and software-defined networks (SDNs). In the update process, asynchronous reconfigurations to border forwarding devices in different domains will incur transient anomalies with numerous packet losses and service disruptions. Based on current SDN inter-domain routing mechanisms, we in this paper propose a lossless and seamless method for SDN inter-domain route updates. This method is lightweight, and it has no requirement to add extra switch functionality or to extend SDN southbound protocols. The primary idea of this method is to achieve a lossless inter-domain route update by communications and collaborations among relevant domains. Motivated by this idea, we first identify three different domain categories for the update, i.e., domains only on the new inter-domain route, domains on both the old and new inter-domain routes, and domains only on the old inter-domain route. We further find that the transient anomalies are able to be avoided by reconfiguring the related border switches of the three categories of domains in order. Four update steps are then designed to keep the orderly update. Furthermore, we present the theoretical proof of the effectiveness of this method. Finally, based on our prototype implementation, the proposed method is also validated by simulation studies, and the simulation results indicate that this method succeeds in avoiding packet loss and maintaining service availability during the update.

Dezhang Kong,Yi Shen,Xiang Chen,Qiumei Cheng,Hongyan Liu,Dong Zhang,Xuan Liu,Shuangxi Chen,Chunming Wu

DOI: https://doi.org/10.1109/tnet.2022.3203561

2023-01-01

IEEE/ACM Transactions on Networking

Abstract:The topology discovery service in Software-Defined Networking (SDN) provides the controller with a global view of the substrate network topology, allowing for central management of the entire network. Unfortunately, emerging topology attacks can poison the network topology and result in unforeseeable disasters. Although researchers have made great efforts to mitigate this problem, security hazards still exist. In this paper, we propose Invisible Assailant Attack (IAA), the first combination topology attack capable of injecting and maintaining fake links even when 12 existing defense strategies are deployed simultaneously. IAA consists of 14 attack phases that apply multiple attack strategies. Attackers skillfully disguise the attack traffic in each phase so that it looks like normal network traffic, and perform these phases in a well-planned sequence, thereby bypassing existing defenses step by step. To mitigate this attack, we propose a Route Path Verification (RPV) mechanism that orchestrates multiple defense strategies to identify fake links. According to the experiments, RPV can successfully detect IAA with low overhead: its detection completes within 1 ms while its per-flow storage consumption is only a few KB.

Qiumei Cheng,Chunming Wu,Haifeng Zhou,Yuhang Zhang,Rui Wang,Wei Ruan

DOI: https://doi.org/10.1109/hpcc/smartcity/dss.2018.00149

2018-01-01

Abstract:Guarding the perimeter of cloud-based enterprise networks is a challenge due to massive traffic with dynamic nature. Current firewalls of enterprise networks in cloud are largely based on static security rule configuration or simple rule matching, which makes them inflexible, error-prone and poorly effective, bringing about severe security risks. In this paper, we propose an artificial intelligence-based software-defined networks firewall (AI-SDNF) for solving the above problems. Compared with existing SDN firewalls, AI-SDNF is able to extract and analyze the payload of data packets based on machine learning technologies rather than simply match with flow tables according to several header fields (e.g., source and destination IP/MAC addresses). Considering deciding whether a packet is benign or malicious is able to be formulated as a typical binary classification problem, we employ logistic regression for training an intelligent SDN firewall under supervised machine learning. We implement a prototype of AI-SDNF on the OpenDaylight controller and the OpenStack platform. Based on the prototype, we evaluate its performance and overheads with real dataset. The experimental results indicate that AI-SDNF achieves a relatively high detection accuracy of 96.79% with an average of 0.2ms latency.

Gao Wen,Zhou Boyang,Wu Chunming,Zhou Haifeng,Jiang Ming,Hong Xiaoyan

DOI: https://doi.org/10.1049/cje.2015.07.035

IF: 1.019

2015-01-01

Chinese Journal of Electronics

Abstract:In the Software-defined networking（SDN）,when multiple control domains are used in control services,the transient state problem can occur causing the service flow interruption when border switches are updated asynchronously. We analyze the uniqueness of this problem for SDN, and propose a light-weight protocol for safe reconfiguration of the border switches in order to improve the availability of the services running in SDN. Our solution is designed as a generic supervision layer added in the control plane to support different types of services. To demonstrate the benefits, we implement a prototype of Informationcentric networks（ICN） with the protocol, and conduct experiments using Planet Lab. The results show the ICN service can continuously serve high volume requests for contents despite the congestions built by the heavy background traffic. The performance gains in terms of the mean and standard deviation of the content retrieve delay are40.5% and 21.56%.

Arnaud Dethise,Marco Chiesa,Marco Canini

DOI: https://doi.org/10.1145/3232565.3232570

2018-06-26

Abstract:Software-Defined-eXchanges (SDXes) promise to tackle the timely quest of bringing improving the inter-domain routing ecosystem through SDN deployment. Yet, the naive deployment of SDN on the Internet raises concerns about the correctness of the inter-domain data-plane. By allowing operators to deflect traffic from the default BGP route, SDN policies are susceptible of creating permanent forwarding loops invisible to the control-plane. In this paper, we propose a system, called Prelude, for detecting SDN-induced forwarding loops between SDXes with high accuracy without leaking the private routing information of network operators. To achieve this, we leverage Secure Multi-Party Computation (SMPC) techniques to build a novel and general privacy-preserving primitive that detects whether any subset of SDN rules might affect the same portion of traffic without learning anything about those rules. We then leverage that primitive as the main building block of a distributed system tailored to detect forwarding loops among any set of SDXes. We leverage the particular nature of SDXes to further improve the efficiency of our SMPC solution. The number of valid SDN rules, i.e., not creating loops, rejected by our solution is 100x lower than previous privacy-preserving solutions, and also provides better privacy guarantees. Furthermore, our solution naturally provides network operators with some hindsight on the cost of the deflected paths.

Networking and Internet Architecture

Tao Yu,Yuchen Zhang,Diyue Chen,Hongyan Cui,Jilong Wang

DOI: https://doi.org/10.23919/jcc.2019.07.008

2019-01-01

China Communications

Abstract:Routing loops can cause packet loss and long delay problems in the traditional network. Even in future networks - Software-Defined Networks, with loop-free implementation mechanism, it still suffers loop problems. In this paper, we propose an architecture to solve the loop problem in SDN. Unlike the existing passive routing loop detection algorithm, this algorithm processes based on the SDN loop-free characteristic, by auditing third-party network forwarding rules' modification requests to avoids loop generation, thus avoid the network loop problems. Testbed is built to simulate our proposed algorithm. The evaluation shows that the loop audit algorithm proposed in this paper has better performance in extra spatial utilization and smaller number of extra interactions between SDN controller and switches.

Qi Li,Xiaoyue Zou,Qun Huang,Jing Zheng,Patrick P. C. Lee

DOI: https://doi.org/10.1109/tdsc.2018.2810880

2018-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Like traditional IP networking, the emerging Software-Defined Networking (SDN) technology is vulnerable to sophisticated attacks against packets and their forwarding behaviors. However, existing proposals of packet forwarding verification for IP networking cannot be directly applied to the current SDN deployment due to the limited functionalities and resources in commercial off-the-shelf (COTS) SDN switches. We propose DynaPFV, a dynamic packet forwarding verification mechanism that is capable of detecting various sophisticated attacks against packet forwarding. DynaPFV leverages the controllability of SDN to examine both packets and flow statistics across a network of switches to detect violation of packet integrity and forwarding behaviors. To mitigate the verification overhead, DynaPFV dynamically adjusts the rates of packet sampling and flow statistics collection based on the prior detection results in order to preserve the verification accuracy. Furthermore, DynaPFV makes changes to the SDN controller only, and is directly deployable atop COTS SDN switches without modifications. We conduct theoretical analysis on the trade-off between performance and accuracy in our dynamic verification approach. We further prototype DynaPFV using the open-source Floodlight controller, and evaluate our DynaPFV prototype using Mininet simulations and hardware testbed experiments. DynaPFV achieves over 97 percent of verification accuracy only with less than 5 percent of throughput degradation and less than 10 percent of additional forwarding delays.

Yangyang Wang,Jun Bi,Keyao Zhang

DOI: https://doi.org/10.1007/s11432-015-1057-7

2017-01-01

Science China Information Sciences

Abstract:SDN provides an approach to create desired network forwarding plane by programming applications. For a large-scale SDN network comprised of multiple domains and running multiple controller applications, it is difficult to measure and diagnose the problems of flow tables in data plane. Tracing the forwarding path of SDN is one of effective way for data plane state measurement. Previously proposed methods for debugging SDN were applied to a single administrative domain. There is less effort to trace the flow entries of the data plane in large-scale multi-domain SDN networks. In this paper, we propose a method of software defined data plane tracing in large-scale multi-domain SDN networks. Our method can trace forwarding paths, and get the matched flow entries and other customized trace information. We present the designs compatible with OpenFlow 1.0 and 1.3 switches. The performance and deployment effect are evaluated by simulation test and analysis. It shows that our method has better performance than traditional IP traceroute, and its deployment at about 20% of AS nodes can enable 70% of AS paths to be traceable.

Junfei Li,Jiangxing Wu,Xin Lu

DOI: https://doi.org/10.1109/compcomm.2018.8781034

2018-01-01

Abstract:The centralized control of Software-Defined Networking (SDN) brings innovation and convenience to the network, but many current SDN controllers also have some security bugs that are easily exploited by attackers. Once the master controller which has sufficient management rights is compromised, entire network can be damaged. For this, we propose a mechanism of democratic supervision in SDN, which adds a proxy between the control plane and the data plane to monitor whether the master controller is abnormal. The proxy sends OpenFlow requests from the switch to multiple diverse controllers and collects flow entries that they respond to. Then it compares these flow entries to judge whether the behavior of the master controller is different from that of other controllers. However, flow entries with the same function may be different in number or content, so we need to analyze their forwarding semantics to compare them, instead of simply comparing their contents. The advantage of this supervision mechanism is that it allows the controller to defend against many known or unknown attacks without debugging all its vulnerabilities. Experimental results show that it is effective in detecting malicious behavior, and it is also efficient under a certain scale of networks.

Yangyang Wang,Jun Bi,Pingping Lin,Yikai Lin,Keyao Zhang

DOI: https://doi.org/10.1007/s12243-016-0513-z

2016-01-01

Annals of Telecommunications

Abstract:Software-defined networking (SDN) scheme decouples network control plane and data plane, which can improve the flexibility of traffic management in networks. OpenFlow is a promising implementation instance of SDN scheme and has been applied to enterprise networks and data center networks in practice. However, it has less effort to spread SDN control scheme over the Internet to conquer the ossification of inter-domain routing. In this paper, we further innovate to the SDN inter-domain routing inspired by the OpenFlow protocol. We apply SDN flow-based routing control to inter-domain routing and propose a fine-granularity inter-domain routing mechanism, named SDI (Software Defined Inter-domain routing). It enables inter-domain routing to support the flexible routing policy by matching multiple fields of IP packet header. We also propose a method to reduce redundant flow entries for inter-domain settings. And, we implement a prototype and deploy it on a multi-domain testbed.

Niels L. M. van Adrichem,Farabi Iqbal,Fernando A. Kuipers

DOI: https://doi.org/10.48550/arXiv.1605.09350

2016-05-31

Abstract:The past century of telecommunications has shown that failures in networks are prevalent. Although much has been done to prevent failures, network nodes and links are bound to fail eventually. Failure recovery processes are therefore needed. Failure recovery is mainly influenced by (1) detection of the failure, and (2) circumvention of the detected failure. However, especially in SDNs where controllers recompute network state reactively, this leads to high delays. Hence, next to primary rules, backup rules should be installed in the switches to quickly detour traffic once a failure occurs. In this work, we propose algorithms for computing an all-to-all primary and backup network forwarding configuration that is capable of circumventing link and node failures. Omitting the high delay invoked by controller recomputation through preconfiguration, our proposal's recovery delay is close to the detection time which is significantly below the 50 ms rule of thumb. After initial recovery, we recompute network configuration to guarantee protection from future failures. Our algorithms use packet-labeling to guarantee correct and shortest detour forwarding. The algorithms and labeling technique allow packets to return to the primary path and are able to discriminate between link and node failures. The computational complexity of our solution is comparable to that of all-to-all-shortest paths computations. Our experimental evaluation on both real and generated networks shows that network configuration complexity highly decreases compared to classic disjoint paths computations. Finally, we provide a proof-of-concept OpenFlow controller in which our proposed configuration is implemented, demonstrating that it readily can be applied in production networks.

Networking and Internet Architecture

Qi Li,Yunpeng Liu,Zhuotao Liu,Peng Zhang,Chunhui Pang

DOI: https://doi.org/10.1109/tpds.2021.3068135

IF: 5.3

2021-11-01

IEEE Transactions on Parallel and Distributed Systems

Abstract:Data centers, the critical infrastructure underpinning Cloud computing, often employ Software-Defined Networks (SDN) to manage cluster, wide-area and enterprise networks. As the network forwarding in SDN is dynamically programmed by controllers, it is crucial to ensure that the controller intent is correctly translated into underlying forwarding rules. Therefore, detecting and locating forwarding anomalies in SDN is a fundamental problem in production networks. Existing research proposals, roughly categorized into probing-based, packet piggybacking-based, and flow statistics analysis-based, either impose significant overhead or do not provide sufficient coverage for certain forwarding anomalies. In this article, we propose ${sf FADE}$FADE, a controllable and passive measuring scheme to simultaneously deliver detection efficiency and accuracy. ${sf FADE}$FADE first analyzes the entire network topology and flow rules, and then computes a minimal set of flows that can cover all forwarding rules. For each selected network flow, ${sf FADE}$FADE decides the optimal number of monitoring positions on its path (much less than total number of hops), and installs dedicated rules to collect flow statistics. ${sf FADE}$FADE controls the installation and expiration of these rules, along with unique flow labels, to guarantee the accuracy of collected statistics, based on which ${sf FADE}$FADE algorithmically decides whether a forwarding anomaly is detected, and if so it further locates the anomaly. On top of ${sf FADE}$FADE, we propose ${sf iFADE}$iFADE (a more scalable version of ${sf FADE}$FADE) to further optimize the usage and deployment of dedicated measurement rules. ${sf iFADE}$iFADE achieves over 40 percent rule reduction compared with ${sf FADE}$FADE . We implement a prototype of both

computer science, theory & methods,engineering, electrical & electronic

Heyu Chang,Xiaobing Zhang,Nianwen Si,Ping Wu

DOI: https://doi.org/10.1016/j.cose.2024.103906

IF: 5.105

2024-05-28

Computers & Security

Abstract:By decoupling the control plane and the data plane, Software Defined Networking (SDN) has reshaped the ossified network architecture and improved the programmability of the network. However, SDN is also susceptible to malicious injection, tampering, dropping and hijacking attacks against forwarding packets, and the SDN architecture cannot perceive the real behavior of switches in the data plane. Packet forwarding verification and exception localization are recognized as effective and promising methods, enabling reliable packet delivery in the data plane and allowing the controller in SDN to identify abnormal links. While existing mechanisms embed the linear-scale cryptographic tags into the packet header space as the transmission path lengthens to realize packet verification and exception localization, which cannot achieve a feasible tradeoff between efficiency and security. Leveraging the central controllability of SDN, we propose a lightweight packet forwarding verification mechanism. This mechanism splits the runtime of a flow into consecutive epochs by address hopping. The switches in the data plane forward packets based on hopping address, collecting the information of packets forwarded in a compact data structure, namely traffic sketch. The controller verifies traffic sketches and localizes exception in the epoch. We further prototype the proposed mechanism based on simulation network. The analysis and experiments demonstrate that the cost of proposed scheme is lower than the similar mechanisms, introducing no more than 9% additional forwarding delay and less than 8% throughput degradation.

computer science, information systems

Heyu Wang,Yixuan Li

DOI: https://doi.org/10.1109/access.2024.3375395

IF: 3.9

2024-03-19

IEEE Access

Abstract:Software Defined network (SDN), as a new network architecture, is the direction of future network development. By decoupling the control plane and data plane of the network, the control and management of network resources can be improved. However, SDN centralized controllers become the target of malicious attacks, prone to the risk of single point of failure, of which DDoS attacks are the main attack behavior. Through extensive literature investigation, this paper systematically reviews the latest progress of DDoS attack detection in SDN environment. Firstly, the SDN architecture and corresponding DDoS attacks are described, and the commonly used data sets and evaluation indicators are summarized. Secondly, the data preprocessing technology is summarized, and the data dimensionality reduction technology is introduced in detail. Then, at the level of detection technology, it focuses on the advantages and disadvantages of detection algorithms based on statistical analysis, machine learning and deep learning. Finally, the challenges of current research are analyzed, and the future development direction is forecasted. In order to provide reference for future research and development, at the same time, it is of great significance to improve the safety of SDN products in the future.

computer science, information systems,telecommunications,engineering, electrical & electronic

Yinghao Su,Dapeng Xiong,Kechang Qian,Yu Wang

DOI: https://doi.org/10.3390/electronics13040807

IF: 2.9

2024-02-20

Electronics

Abstract:The widespread adoption of software-defined networking (SDN) technology has brought revolutionary changes to network control and management. Compared to traditional networks, SDN enhances security by separating the control plane from the data plane and replacing the traditional network architecture with a more flexible one. However, due to its inherent architectural flaws, SDN still faces new security threats. This paper expounds on the architecture and security of SDN, analyzes the vulnerabilities of SDN architecture, and introduces common distributed denial of service (DDoS) attacks within the SDN architecture. This article also provides a review of the relevant literature on DDoS attack detection and mitigation in the current SDN environment based on the technologies used, including statistical analysis, machine learning, policy-based, and moving target defense techniques. The advantages and disadvantages of these technologies, in terms of deployment difficulty, accuracy, and other factors, are analyzed. Finally, this study summarizes the SDN experimental environment and DDoS attack traffic generators and datasets of the reviewed literature and the limitations of current defense methods and suggests potential future research directions.

engineering, electrical & electronic,computer science, information systems,physics, applied

Pingping Lin,Jun Bi,Stephen Wolff,Yangyang Wang,Anmin Xu,Ze Chen,Hongyu Hu,Yikai Lin

DOI: https://doi.org/10.1109/MCOM.2015.7045408

IF: 9.03

2015-01-01

IEEE Communications Magazine

Abstract:SDN is considered to be a promising way to re-architect the Internet. However, the Internet is managed by owners of different administrative domains, so the centralized control model of SDN must be extended to account for inter-domain traffic. Thus, this article proposes a WE-Bridge mechanism to enable different SDN administrative domains to peer and cooperate. Based on WE-Bridge, we further designed two innovative inter-domain routing applications as use cases. To verify our design, we implemented the WE-Bridge and the two use cases by building an international testbed on which WE-Bridge, together with the two use cases, are deployed. The testbed is composed of four SDN networks: CERNET, Internet 2 in USA, CSTNET, and SURFnet.

Shou-Yi WANG,Qi LI,Yun ZHANG

DOI: https://doi.org/10.11897/SP.J.1016.2019.00176

2019-01-01

Jisuanji Xuebao/Chinese Journal of Computers

Abstract:Software-Defined Networking (SDN) simplifies network management by separating control and data planes, and has been received much attention recently.However, SDN cannot ensure correctness of packet forwarding in the networks, e.g., the packets in SDN can be dropped, tampered with, or faked, which may be incurred by false forwarding rule enforcement or attacks.SDN has a simple packet forwarding mechanism in its data plane so that the forwarding verification techniques in the traditional IP networks cannot be applied in SDN.Therefore, it is challenging to verify packet forwarding and ensure correctness of packet forwarding in SDN.The existing studies verify packet forwarding in SDN by verifying packets hop-by-hop or periodically comparing flow statistics of all flows, which incurs significant computation and communication overhead.In this paper, we present LPV (Lightweight Packet Forwarding Verification), a system provides the ability of verifying SDN data plane forwarding.The goal of LPV is to provide a reliable and practical mechanism to detect and defend against wrong packet forwarding.To this end, we develop a lightweight forwarding verification approach to detecting forwarding anomalies and locating malicious switches by leveraging the Packet-in mechanism and the flow statistics maintained in switches.LPV samples packets delivered by ingress and egress switches according to dedicated flow rules, and reports the message authentication code (MAC) values of packets and the statistics of the corresponding flows by Packet-in messages.Thereby, the controllers can detect malicious forwarding behaviors by comparing the MAC values of the packets and the statistics of the flows.Moreover, LPV can locate the switches that perform the malicious packet forwarding behaviors, e.g., malicious packet modification and packet dropping, by analyzing the correlations of the information, i.e., the Packet-in messages and flow statistics.By enforcing the sample mechanism, LPV significantly reduces the computation cost, and communication and storage overheads, which incurred by packet processing in switches and controllers.In particular, by randomly sampling packets according to the flow rules, LPV ensures the consistency of packet processing performed by different switches.Adversaries cannot easily infer which packets are sampled so that they cannot interfere with the verification.We implement a prototype of LPV with open source OpenFlow controllers, i.e., Floodlight, and open source OpenFlow switches, i.e., ofsoftware13, and evaluate the performance by Mininet experiments.The experimental results show that LPV detects various forwarding anomalies, while introducing negligible overhead, i.e., around 10％average delays in packet forwarding and less than 10％communication overhead.