Qiumei Cheng,Chunming Wu,Haifeng Zhou,Yuhang Zhang,Rui Wang,Wei Ruan

DOI: https://doi.org/10.1109/hpcc/smartcity/dss.2018.00149

2018-01-01

Abstract:Guarding the perimeter of cloud-based enterprise networks is a challenge due to massive traffic with dynamic nature. Current firewalls of enterprise networks in cloud are largely based on static security rule configuration or simple rule matching, which makes them inflexible, error-prone and poorly effective, bringing about severe security risks. In this paper, we propose an artificial intelligence-based software-defined networks firewall (AI-SDNF) for solving the above problems. Compared with existing SDN firewalls, AI-SDNF is able to extract and analyze the payload of data packets based on machine learning technologies rather than simply match with flow tables according to several header fields (e.g., source and destination IP/MAC addresses). Considering deciding whether a packet is benign or malicious is able to be formulated as a typical binary classification problem, we employ logistic regression for training an intelligent SDN firewall under supervised machine learning. We implement a prototype of AI-SDNF on the OpenDaylight controller and the OpenStack platform. Based on the prototype, we evaluate its performance and overheads with real dataset. The experimental results indicate that AI-SDNF achieves a relatively high detection accuracy of 96.79% with an average of 0.2ms latency.

Wajid Rafique,Lianyong Qi,Ibrar Yaqoob,Muhammad Imran,Raihan Ur Rasool,Wanchun Dou

DOI: https://doi.org/10.1109/comst.2020.2997475

IF: 35.6

2020-01-01

IEEE Communications Surveys & Tutorials

Abstract:Millions of sensors continuously produce and transmit data to control real-world infrastructures using complex networks in the Internet of Things (IoT). However, IoT devices are limited in computational power, including storage, processing, and communication resources, to effectively perform compute-intensive tasks locally. Edge computing resolves the resource limitation problems by bringing computation closer to the edge of IoT devices. Providing distributed edge nodes across the network reduces the stress of centralized computation and overcomes latency challenges in the IoT. Therefore, edge computing presents low-cost solutions for compute-intensive tasks. Software-Defined Networking (SDN) enables effective network management by presenting a global perspective of the network. While SDN was not explicitly developed for IoT challenges, it can, however, provide impetus to solve the complexity issues and help in efficient IoT service orchestration. The current IoT paradigm of massive data generation, complex infrastructures, security vulnerabilities, and requirements from the newly developed technologies make IoT realization a challenging issue. In this research, we provide an extensive survey on SDN and the edge computing ecosystem to solve the challenge of complex IoT management. We present the latest research on Software-Defined Internet of Things orchestration using Edge (SDIoT-Edge) and highlight key requirements and standardization efforts in integrating these diverse architectures. An extensive discussion on different case studies using SDIoT-Edge computing is presented to envision the underlying concept. Furthermore, we classify state-of-the-art research in the SDIoT-Edge ecosystem based on multiple performance parameters. We comprehensively present security and privacy vulnerabilities in the SDIoT-Edge computing and provide detailed taxonomies of multiple attack possibilities in this paradigm. We highlight the lessons learned based on our findings at the end of each section. Finally, we discuss critical insights toward current research issues, challenges, and further research directions to efficiently provide IoT services in the SDIoT-Edge paradigm.

Abdullah Al Hayajneh,Zakirul Alam Bhuiyan,Ian McAndrew,Md Zakirul Alam Bhuiyan

DOI: https://doi.org/10.3390/computers9010008

2020-02-07

Computers

Abstract:There has been an increase in the usage of Internet of Things (IoT), which has recently become a rising area of interest as it is being extensively used for numerous applications and devices such as wireless sensors, medical devices, sensitive home sensors, and other related IoT devices. Due to the demand to rapidly release new IoT products in the market, security aspects are often overlooked as it takes time to investigate all the possible vulnerabilities. Since IoT devices are internet-based and include sensitive and confidential information, security concerns have been raised and several researchers are exploring methods to improve the security among these types of devices. Software defined networking (SDN) is a promising computer network technology which introduces a central program named ‘SDN Controller’ that allows overall control of the network. Hence, using SDN is an obvious solution to improve IoT networking performance and overcome shortcomings that currently exist. In this paper, we (i) present a system model to effectively use SDN with IoT networks; (ii) present a solution for mitigating man-in-the-middle attacks against IoT that can only use HTTP, which is a critical attack that is hard to defend; and (iii) implement the proposed system model using Raspberry Pi, Kodi Media Center, and Openflow Protocol. Our system implementation and evaluations show that the proposed technique is more resilient to cyber-attacks.

Mimi Cherian,Satishkumar L. Varma

DOI: https://doi.org/10.1007/s10922-023-09749-w

2023-06-18

Journal of Network and Systems Management

Abstract:The IoT network is unique due to heterogeneous IoT nodes and resource-constrained devices; the approach for securing IoT networks needs to be different from the security measures implemented for traditional network communication. In IoT networks, various security vulnerabilities are exploited by an attacker to generate a variety of DDoS attacks. In this paper, the authors propose a unique approach for securing IoT networks using an SDN-enabled framework that incorporates a dynamic counter-based approach and deep learning models. The aim is to detect and mitigate various security vulnerabilities that attackers exploit to generate DDoS attacks in IoT networks. Specifically, the proposed framework is tested using the CICDDoS2019 dataset to identify reflection attacks and exploitation attacks in TCP, UDP, and ICMP. The framework is also analyzed by varying network parameters such as the number of IoT attack nodes and payload to measure the performance of the SDN controller workload, CPU utilization, and attack detection time. The experimental results demonstrate that the proposed framework can efficiently detect and mitigate DDoS attacks while utilizing CPU resources effectively and in a shorter time compared to existing approaches.

computer science, information systems,telecommunications

Seema Begum,Nianmin Yao,Syed Bilal Hussain Shah,Thompson Stephan,Xingwang Li

DOI: https://doi.org/10.1504/ijahuc.2021.119099

2021-01-01

International Journal of Ad Hoc and Ubiquitous Computing

Abstract:The massive spike in security threats is one of the greatest security problems facing the internet of things (IoT). Many IoT gadgets do not have any protection features, and even the ones they have are mostly primitive and can thus easily be subject to attacks. Compromising one or more infrastructure components will theoretically lead to the vulnerability of the IoT network's entire infrastructure. The software defined networking (SDN) poses many possibilities in this sense and offers the ability to address those difficulties. In this paper, the proposed solution may not resolve all the challenges; however, it overcomes a particular challenge concerning software defined networking (SDN) without any modification to the present network architecture. The proposed secure solution allows SDN to work as an integrated and programmable controller for smart cities. According to various studies, IoT and SDN's integration allows unlocking several routes that provide security and making smart cities a reality with SDN. The SDN-based IoT network is studied in this paper, and it further proposes an effective IoT-based security system with the help of SDN-IoT design.

Tong Xu,Deyun Gao,Ping Dong,Hongke Zhang,Chuan Heng Foh,Han-Chieh Chao

DOI: https://doi.org/10.1109/access.2017.2666270

IF: 3.9

2017-01-01

IEEE Access

Abstract:Recently, the Internet of Things (IoT) is attracting significant attention from both academia and industry. To connect the huge amount of IoT devices effectively, software-defined networking (SDN) is considered as a promising way because of its centralized network management and programmable routing logic. However, due to the limited resources in both the data plane and the control plane, SDN is vulnerable to the new-flow attack, which can disable the SDN-based IoT by exhausting the switches or the controller. Therefore, in this paper, we propose a smart security mechanism (SSM) to defend against the new-flow attack. The SSM uses the standard southbound and northbound interfaces of SDN, and it includes a low-cost method that monitors the new-flow attack by reusing the asynchronous messages on the control link. The monitor method can differentiate the new-flow attack from the normal flow burst by checking the hit rate of the flow entries. Based on the monitoring result, the SSM uses a dynamic access control method to mitigate the new-flow attack by perceiving the behavior of the security middleware in the IoT. The dynamic access control method can intercept the attack flows at their access switch. Extensive simulations and testbed-based experiments are conducted and the corresponding results verify the feasibility of our claims.

Minghui Dai,Zhou Su,Ruidong Li,Yuntao Wang,Jianbing Ni,Dongfeng Fang

DOI: https://doi.org/10.1109/mnet.011.2000068

IF: 10.294

2020-01-01

IEEE Network

Abstract:The rise of the intelligent Internet of Things (IoT) promotes the development of emerging technologies and industries with the integration of edge computing and cloud computing. This integrated paradigm becomes a promising prospect to continuously expand the service capabilities of IoT. However, edge-driven intelligent IoT systems raises serious security issues as the systems are prone to be compromised by malicious attacks. In this article, an edge-driven security framework is investigated for intelligent IoT systems. First, we introduce the architecture of edge-driven intelligent IoT, and present typical edge-driven intelligent IoT applications. Second, we point out the security threats in edge-driven intelligent IoT in terms of attack behaviors of adversaries. Third, we develop a case study of edge-driven intelligent IoT from the security perspective. Finally, we discuss future research directions in this emerging area.

Aliya Tabassum,Wadha Lebda

DOI: https://doi.org/10.48550/arXiv.1912.01712

2019-11-26

Cryptography and Security

Abstract:Internet of Things (IoT) is the interconnection of heterogeneous smart devices through the Internet with diverse application areas. The huge number of smart devices and the complexity of networks has made it impossible to secure the data and communication between devices. Various conventional security controls are insufficient to prevent numerous attacks against these information-rich devices. Along with enhancing existing approaches, a peripheral defence, Intrusion Detection System (IDS), proved efficient in most scenarios. However, conventional IDS approaches are unsuitable to mitigate continuously emerging zero-day attacks. Intelligent mechanisms that can detect unfamiliar intrusions seems a prospective solution. This article explores popular attacks against IoT architecture and its relevant defence mechanisms to identify an appropriate protective measure for different networking practices and attack categories. Besides, a security framework for IoT architecture is provided with a list of security enhancement techniques.

Xiaoliang Wang,Ke Xu,Wenlong Chen,Qi Li,Meng Shen,Bo Wu

DOI: https://doi.org/10.1109/mnet.011.1900380

IF: 10.294

2020-01-01

IEEE Network

Abstract:The rapid development of the Internet of Things (IoT) has made impressive achievements, raising a heated discussion about IoT big data, in which data security and privacy issues are key concerns. Due to the ubiquity of IoT, IoT big data has not only brought convenience to people's daily lives, but also increased the potential attack surfaces for cybercriminals. At the same time, considering the characteristics of resource constraints and heterogeneity, with traditional network security solutions it can be difficult to achieve ideal results in the IoT environment, which further exacerbates the challenges faced by IoT big data security. In this case, the advantages introduced by software defined networking (SDN) have the potential to meet the challenges of IoT security risks. To this aim, we propose an ID-based SDN secure network architecture called IBSDN. Different from the traditional SDN solution, IBSDN is committed to providing IoT with endogenous trusted services on the network side by embedding unforgeable terminal identities in the data stream. This network-level trusted service can prevent IoT terminals from consuming restricted resources for the sake of security, providing greater scalability and manageability for network security monitoring.

Deepak Puthal,Laurence T. Yang,Schahram Dustdar,Zhenyu Wen,Song Jun,Aad van Moorsel,Rajiv Ranjan

DOI: https://doi.org/10.1145/3351882

2020-01-01

ACM Transactions on Cyber-Physical Systems

Abstract:The Internet of Things (IoT) is becoming a backbone of sensing infrastructure to several mission-critical applications such as smart health, disaster management, and smart cities. Due to resource-constrained sensing devices, IoT infrastructures use Edge datacenters (EDCs) for real-time data processing. EDCs can be either static or mobile in nature, and this article considers both of these scenarios. Generally, EDCs communicate with IoT devices in emergency scenarios to evaluate data in real-time. Protecting data communications from malicious activity becomes a key factor, as all the communication flows through insecure channels. In such infrastructures, it is a challenging task for EDCs to ensure the trustworthiness of the data for emergency evaluations. The current communication security pattern of “communication before authentication” leaves a “black hole” for intruders to become part of communication processes without authentication. To overcome this issue and to develop security infrastructures for IoT and distributed Edge datacenters, this article proposes a user-centric security solution. The proposed security solution shifts from a network-centric approach to a user-centric security approach by authenticating users and devices before communication is established. A trusted controller is initialized to authenticate and establishes the secure channel between the devices before they start communication between themselves. The centralized controller draws a perimeter for secure communications within the boundary. Theoretical analysis and experimental evaluation of the proposed security model show that it not only secures the communication infrastructure but also improves the overall network performance.

Xinbin Zuo,Xue Pang,Pengping Zhang,Junsan Zhang,Tao Dong,Peiying Zhang

DOI: https://doi.org/10.1109/comcomap51192.2020.9398887

2020-01-01

Abstract:With the improvement of people’s living standards, more and more network users access the network, including a large number of infrastructure, these devices constitute the Internet of things(IoT). With the rapid expansion of devices in the IoT, the data transmission between the IoT has become more complex, and the security issues are facing greater challenges. SDN as a mature network architecture, its security has been affirmed by the industry, it separates the data layer from the control layer, thus greatly improving the security of the network. In this paper, we apply the SDN to the IoT, and propose a IoT network architecture based on SDN. In this architecture, we not only make use of the security features of SDN, but also deploy different security modules in each layer of SDN to integrate, analyze and plan various data through the IoT, which undoubtedly improves the security performance of the network. In the end, we give a comprehensive introduction to the system and verify its performance.

Wajid Rafique,Xin He,Zifan Liu,Yuhu Sun,Wanchun Dou

DOI: https://doi.org/10.1109/HPCC/SmartCity/DSS.2019.00080

2019-01-01

Abstract:Managing the Internet of Things (IoT) infrastructure has become a critical challenge due to an enormous increase in the connected devices and the lack of available security solutions. Software-Defined Networking (SDN) has been extensively involved in network infrastructure management. Moreover, numerous recent studies demonstrate the use of SDN for managing IoT networks. In SDN, policy consistency and security of the data plane is maintained through Waypoint Enforcement (WPE) which ensures that the traffic traverses policy nodes/switches to implement high-level network requirements. Previous studies on SDN primarily secure SDN infrastructure against traditional Distributed Denial of Service (DDoS) attacks. However, we investigate Crossfire Attack (CFA), which is a novel DDoS attack capable of interrupting communication of data plane switches using low-rate legitimate traffic. CFA has the potential to isolate policy switch from the rest of the data plane devices which introduces many security anomalies and routing inconsistencies. We first demonstrate how CFA is lethal on policy switch attacks and then present the design and implementation of a novel CFA countermeasure called CFADefense, which employs link selection, attack detection, and malicious flows interception modules. CFADefense has been developed as an application at the application layer of the open-source Floodlight controller. Our evaluation demonstrates that CFADefense accurately detects and efficiently mitigates CFA and poses minimal overhead on the controller in dealing with this attack.

Manish Snehi,Abhinav Bhandari,Jyoti Verma

DOI: https://doi.org/10.1016/j.cose.2024.103702

IF: 5.105

2024-01-12

Computers & Security

Abstract:Introduction The convergence of the Internet of Anything (IoX), software-defined communication layer, and sophisticated cloud platform has steered the dawn of the fourth industrial revolution era (Industry 4.0). The technological leap forward has given shelter to the umbrella of cyber-physical systems such as Smart Grids, Agriculture, and Healthcare. The exponential growth of vulnerable spots (the Internet of Things) in multi-layer cyber-physical systems is involuntarily contributing to malignant IoT-generated denial-of-service attacks. The IoT devices manifest a high degree of diversity in traffic patterns, and a single dataset is insufficient to cover fiducial attack scenarios. In addition, the research community is pressing to overcome other roadblocks, such as an optimal architecture for solution efficacy, performance issues, and the need for comprehensive validation of the proposed solutions. Methods The paper offers a five-stage defense framework for building a mitigation against IoT-based DDoS attacks. The article brings forth an amalgamated dataset concocted from InSDN, BoT-IoT, and UNSW-Sydney datasets and a simulated dataset for IoT-DDoS to the research community. The paper employs a multi-stage Stack-Ensembled framework at the heart of the solution pillared on physical devices' behavioral attributes, resulting in a universal defense approach. The experiment leverages fog computing with distributed computational nodes to reduce response latency. Furthermore, the paper implements attack-detection-as-a-service on top of the Docker framework for a cost-effective, reusable, and portable framework. The novel design of the framework presents a light mitigation scheme to the SDN controller, ensuring a negligible impact on the controller's performance. Results and Discussion The hand-crafted feature selection process reduced the features by 80%, demonstrating a high accuracy of 99.99% with benchmark datasets, 98.84% accuracy in the simulation environment, and collateral damage of 1.52%. The experiment observes encouraging values for vital performance parameters that researchers often miss to discuss. Furthermore, the paper thoroughly analyzes IoT-DDoS mitigation framework performance parameters.

computer science, information systems

José Cecílio,Alan Oliveira de Sá,André Souto

2024-04-10

Abstract:With the proliferation of Internet of Things (IoT) devices, ensuring secure communications has become imperative. Due to their low cost and embedded nature, many of these devices operate with computational and energy constraints, neglecting the potential security vulnerabilities that they may bring. This work-in-progress is focused on designing secure communication among remote servers and embedded IoT devices to balance security robustness and energy efficiency. The proposed approach uses lightweight cryptography, optimizing device performance and security without overburdening their limited resources. Our architecture stands out for integrating Edge servers and a central Name Server, allowing secure and decentralized authentication and efficient connection transitions between different Edge servers. This architecture enhances the scalability of the IoT network and reduces the load on each server, distributing the responsibility for authentication and key management.

Cryptography and Security,Distributed, Parallel, and Cluster Computing

Sohaib A. Latif,Fang B. Xian Wen,Celestine Iwendi,Li-li F. Wang,Syed Muhammad Mohsin,Zhaoyang Han,Shahab S. Band

DOI: https://doi.org/10.1016/j.comcom.2021.09.029

IF: 5.047

2022-01-01

Computer Communications

Abstract:Internet of things (IoT) is one of the most emerging technologies nowadays and it is one of the key enablers of industrial cyber physical system (CPSs). It has started to participate in almost every aspect of our social life, ranging from financial transactions to the healthcare system, communication to national security, battlefield to smart homes, and so on. However, the wide deployment of IoT suffers certain issues as well, such as interoperability, compatibility, heterogeneity, large amount of data, processing of heterogeneous data etc. Among others, energy efficiency and security are the utmost prominent issues. Scarce computing resources of IoT devices put hindrances on information sharing across edge or IoT network. Indeed, unintentional or malicious interference with IoT data may lead to severe concerns. In this study, the researcher exploits the potential benefits of a blockchain system and integrates it with software-defined networking (SDN) while justifying energy and security issues. More in detail, the researcher proposed a new routing protocol with the cluster structure for IoT networks using blockchain-based architecture for SDN controller. The proposed architecture obviates proof-of-work (PoW) with private and public blockchains for Peer-to-Peer (P2P) communication between SDN controllers and IoT devices. In addition to this, distributed trust-based authentication mechanism makes blockchain even more adoptive for IoT devices with limited resources. The experimental results show that the proposed cluster structure based routing protocol outperforms the state-of-the-art Ad-hoc On-demand Distance Vector (AODV), Destination-Sequenced Distance Vector (DSDV), Secure Mobile Sensor Network (SMSN), Energy efficient secured cluster based distributed fault diagnosis (EESCFD), and Ad-hoc On-demand Multipath Distance Vector (AOMDV), in terms of energy consumption, network throughput, and packet latency. Proposed protocol help overcome the issues especially, energy management and security of the next generation industrial cyber physical systems.

computer science, information systems,telecommunications,engineering, electrical & electronic

N Bhagyasree,Nischal M R,Pavan Kumar,K Surendra

DOI: https://doi.org/10.48175/ijarsct-2863

2022-03-19

Abstract:The IoT connects many of the home appliances in the world, from intelligent thermostats to intelligent vehicles. By the end of 2015, we had 9 billion connected stuff. The Gartner forecast shows that the number of devices in the network will exceed 50 billion by 2020. Most of the connected devices in the existing network are based on obsolete security infrastructure and encryption, while many do not have provisions for remote updating of these devices. Taking into account the number of IoT devices, from off-shelf motion monitoring to machine tools, it is not possible to check which functions end up with any specific service or product. In short, this is the problem: you can't trust the integrity of the security of the device and determine exactly where the data is processed and stored. The SDN architecture is designed to increase the routing and networking performance of the existing networks by isolating the control plane from the data plane. The basic concept of Software Defined Networking can be applied to IoT Multi networks; however, the standard SDN implementations for wired networks are not directly suitable for distributed and ad-hoc mesh networks, which are common in IoT systems. However, the SDN architecture changes the pattern of communication of the IoT network, leading to a new approach to the manifestation of the Securities IoT network. Centralized data layer control and control layer not only simplifies data package management, but also increases safety. As mentioned above, the amount of data that flows into these systems is significant. Proper management of traffic and load balancing will help to simplify the data flow in some ways. The total system's power consumption may be reduced by the central station, which requires less power than the distributed control. To sum up, introducing SDN into IoT will help IoT and stimulate IoT in people's regular lives.

Muhammad Aslam,Dengpan Ye,Aqil Tariq,Muhammad Asad,Muhammad Hanif,David Ndzi,Samia Allaoua Chelloug,Mohamed Abd Elaziz,Mohammed A A Al-Qaness,Syeda Fizzah Jilani

DOI: https://doi.org/10.3390/s22072697

2022-03-31

Abstract:The development of smart network infrastructure of the Internet of Things (IoT) faces the immense threat of sophisticated Distributed Denial-of-Services (DDoS) security attacks. The existing network security solutions of enterprise networks are significantly expensive and unscalable for IoT. The integration of recently developed Software Defined Networking (SDN) reduces a significant amount of computational overhead for IoT network devices and enables additional security measurements. At the prelude stage of SDN-enabled IoT network infrastructure, the sampling based security approach currently results in low accuracy and low DDoS attack detection. In this paper, we propose an Adaptive Machine Learning based SDN-enabled Distributed Denial-of-Services attacks Detection and Mitigation (AMLSDM) framework. The proposed AMLSDM framework develops an SDN-enabled security mechanism for IoT devices with the support of an adaptive machine learning classification model to achieve the successful detection and mitigation of DDoS attacks. The proposed framework utilizes machine learning algorithms in an adaptive multilayered feed-forwarding scheme to successfully detect the DDoS attacks by examining the static features of the inspected network traffic. In the proposed adaptive multilayered feed-forwarding framework, the first layer utilizes Support Vector Machine (SVM), Naive Bayes (NB), Random Forest (RF), k-Nearest Neighbor (kNN), and Logistic Regression (LR) classifiers to build a model for detecting DDoS attacks from the training and testing environment-specific datasets. The output of the first layer passes to an Ensemble Voting (EV) algorithm, which accumulates the performance of the first layer classifiers. In the third layer, the adaptive frameworks measures the real-time live network traffic to detect the DDoS attacks in the network traffic. The proposed framework utilizes a remote SDN controller to mitigate the detected DDoS attacks over Open Flow (OF) switches and reconfigures the network resources for legitimate network hosts. The experimental results show the better performance of the proposed framework as compared to existing state-of-the art solutions in terms of higher accuracy of DDoS detection and low false alarm rate.

Ihsan H. Abdulqadder,Deqing Zou,Israa T. Aziz,Bin Yuan,Weiming Li

DOI: https://doi.org/10.1109/access.2018.2797214

IF: 3.9

2018-01-01

IEEE Access

Abstract:A software-defined network (SDN) is a technology that supports computer network administrators. However, the centralized control plane architecture of SDNs makes them vulnerable to harmful security threats. In this paper, we propose a secure cloud (SecSDN-cloud) architecture that includes user authentication, routing, attack resistance, and third-party monitoring. The goal of this paper is to design an SDN-cloud environment with integrated security that can resist three different attack types: flow table overloading, control plane saturation, and Byzantine attacks. A novel digital signature with chaotic secure hashing is used for user authentication, followed by an enhanced particle swarm optimization multi-class routing protocol to improve the quality of service. Controllers are assigned to switches by integrating an enhanced genetic algorithm with a modified cuckoo search algorithm. The malicious flow identification includes the analysis of five-tuples constructed from features extracted from packets. We implemented the proposed SecSDN-cloud in the OMNeT++ simulator and evaluated its performance in terms of packet loss, end-to-end delay, throughput, latency, and bandwidth.

Hao Wu,Aiqin Hou,Weike Nie,Chase Wu

DOI: https://doi.org/10.1109/icnc57223.2023.10074226

2023-01-01

Abstract:As a new network paradigm, software-defined networking (SDN) technology has been increasingly adopted. Unfortunately, SDN-enabled networks are more prone to threats from DDoS attacks than traditional networks due to the nature of centralized management. We propose an integrated defense framework to detect and mitigate various types of DDoS attacks in SDN-enabled networks. The proposed framework deploys two technical modules in the control plane of SDN for defending against high-rate and low-rate DDoS attacks, respectively. The former module consists of three components, which watch out for suspicious traffic, detect attacks using ensemble learning, and intercept malicious packets, respectively. The latter module is designed specifically to defend against the Slow Ternary Content Addressable Memory (TCAM) exhaustion attack (Slow-TCAM) using a new Alleviative Threat for TCAM (ATFT) algorithm. The proposed framework is implemented and tested in simulated networks using Mininet and further evaluated on the CICDDoS2019 dataset. Experimental results illustrate the superior performance of the proposed framework in defending against different types of DDoS attacks in comparison with other state-of-the-art algorithms.

Wenmao LIU,Xiaofeng QIU,Pengcheng CHEN,Xutao WEN,Xinxin HE,Dongsheng WANG,Jun LI

DOI: https://doi.org/10.3778/j.issn.1673-9418.1407061

2015-01-01

Abstract:Current OpenFlow specifications provide limited access to packet details, making it inefficient to deploy security applications. Moreover, current security solutions become less flexible as software defined-networking (SDN) develops. This paper proposes a distributed software-defined security architecture (SDSA), which offloads heavy security processing from SDN controller to a dedicated security controller and security APPs, providing both flow and packet level protections against various attacks in the SDN and virtual environment. This paper gives the global view and knowledge of flows, IaaS assets and devices, which can make accurate decisions and ensures devices to execute security rules instantly. The architecture simplifies security device logic greatly by separating security data and control planes, the detection and protection are automated with standardized control messages, making the secu-rity reaction fast. The experiments demonstrate that SDSA can detect DoS attack, port scan and abnormal high traffic with low cost and little overhead.