Gao Wen,Zhou Boyang,Wu Chunming,Zhou Haifeng,Jiang Ming,Hong Xiaoyan

DOI: https://doi.org/10.1049/cje.2015.07.035

IF: 1.019

2015-01-01

Chinese Journal of Electronics

Abstract:In the Software-defined networking（SDN）,when multiple control domains are used in control services,the transient state problem can occur causing the service flow interruption when border switches are updated asynchronously. We analyze the uniqueness of this problem for SDN, and propose a light-weight protocol for safe reconfiguration of the border switches in order to improve the availability of the services running in SDN. Our solution is designed as a generic supervision layer added in the control plane to support different types of services. To demonstrate the benefits, we implement a prototype of Informationcentric networks（ICN） with the protocol, and conduct experiments using Planet Lab. The results show the ICN service can continuously serve high volume requests for contents despite the congestions built by the heavy background traffic. The performance gains in terms of the mean and standard deviation of the content retrieve delay are40.5% and 21.56%.

Dong ZHANG,Jun-jie GUO,Chun-ming WU

DOI: https://doi.org/10.3969/j.issn.0372-2112.2017.03.027

2017-01-01

Abstract:Software defined networking (SDN) is a style of computer networking that separates the control plane from the data plane,shifting the control plane to a centralized controller in order to achieve network flexibility and openness.The controller placement is a key prerequisite to successful SDN.The current study examines the hierarchically distributed control plane controller placement problem,utilizing a multi-level k-way switch partition algorithm to divide large scale network topology.We also fix the traditional SDN controller placement problem,changing zoning and intra-domain controller placement by reducing the edge-cut in order to lower the number of inter-domain flows.Simulation results show that the multilevel k-way switch partition algorithm can effectively reduce control flow overhead and flow set-up time,compared with the other traditional algorithms.

Haifeng Zhou,Chunming Wu,Chengyu Yang,Pengfei Wang,Qi Yang,Zhouhao Lu,Qiumei Cheng

DOI: https://doi.org/10.1109/TNET.2018.2859483

2018-01-01

IEEE/ACM Transactions on Networking

Abstract:A software-defined network (SDN) is increasingly deployed in many practical settings, bringing new security risks, e.g., SDN controller and switch hijacking. In this paper, we propose a real-time method to detect compromised SDN devices in a reliable way. The proposed method aims at solving the detection problem of compromised SDN devices when both the controller and the switch are trustless, and ...

Wenmao LIU,Xiaofeng QIU,Pengcheng CHEN,Xutao WEN,Xinxin HE,Dongsheng WANG,Jun LI

DOI: https://doi.org/10.3778/j.issn.1673-9418.1407061

2015-01-01

Abstract:Current OpenFlow specifications provide limited access to packet details, making it inefficient to deploy security applications. Moreover, current security solutions become less flexible as software defined-networking (SDN) develops. This paper proposes a distributed software-defined security architecture (SDSA), which offloads heavy security processing from SDN controller to a dedicated security controller and security APPs, providing both flow and packet level protections against various attacks in the SDN and virtual environment. This paper gives the global view and knowledge of flows, IaaS assets and devices, which can make accurate decisions and ensures devices to execute security rules instantly. The architecture simplifies security device logic greatly by separating security data and control planes, the detection and protection are automated with standardized control messages, making the secu-rity reaction fast. The experiments demonstrate that SDSA can detect DoS attack, port scan and abnormal high traffic with low cost and little overhead.

Quan Ren,Zehua Guo,Jiangxing Wu,Tao Hu,Lu Jie,Yuxiang Hu,Lei He

DOI: https://doi.org/10.1109/tnsm.2022.3163198

2022-01-01

Abstract:In this paper, we propose a resilient control plane based on endogenous security for Software-Defined Networking (SDN) named SDN-ESRC to prevent vulnerability backdoor attacks. SDN-ESRC uses a set of heterogeneous controllers (e.g., RYU, OpenDayLight, ONOS) to compose the control plane and dynamically and adaptively selects several heterogeneous controller instances from the controller set to detect and correct the malicious control messages. The design of SDN-ESRC faces two challenges: (1) increasing network update delay due to multi-controller comparison and (2) maintaining high controllable security. To address the first challenge, SDN-ESRC adopts the master modification mode to reduce the network update delay and identify malicious control messages. To address the second challenge, SDN-ESRC introduces the comparison modification mode to ensure high availability in real time. We propose an evaluation model for SDN-ESRC and theoretically analyze the SDN-ESRC’s endogenous security performance under three typical backdoor attack scenarios. We implement SDN-ESRC in a prototype system and conduct simulations and experiments. The results show that SDN-ESRC can improve the backdoor damage attack security up to 98.3%, the backdoor random attack security up to 99.99%, and the backdoor coordinated attack security up to 82% at the cost of increasing network update delay less than 8.3%.

Huan-zhao Wang,Peng Zhang,Lei Xiong,Xin Liu,Cheng-chen Hu

DOI: https://doi.org/10.1631/fitee.1500321

IF: 2.526

2016-01-01

Frontiers of Information Technology & Electronic Engineering

Abstract:Controllers play a critical role in software-defined networking (SDN). However, existing single-controller SDN architectures are vulnerable to single-point failures, where a controller’s capacity can be saturated by flooded flow requests. In addition, due to the complicated interactions between applications and controllers, the flow setup latency is relatively large. To address the above security and performance issues of current SDN controllers, we propose distributed rule store (DRS), a new multi-controller architecture for SDNs. In DRS, the controller caches the flow rules calculated by applications, and distributes these rules to multiple controller instances. Each controller instance holds only a subset of all rules, and periodically checks the consistency of flow rules with each other. Requests from switches are distributed among multiple controllers, in order to mitigate controller capacity saturation attack. At the same time, when rules at one controller are maliciously modified, they can be detected and recovered in time. We implement DRS based on Floodlight and evaluate it with extensive emulation. The results show that DRS can effectively maintain a consistently distributed rule store, and at the same time can achieve a shorter flow setup time and a higher processing throughput, compared with ONOS and Floodlight.

Chao Qi,Jiangxing Wu,Hongchao Hu,Guozhen Cheng

DOI: https://doi.org/10.1049/el.2016.2670

2016-01-01

Electronics Letters

Abstract:Modifying flow rule attack posts a huge threat to controllers in network operating system (NOS) for software defined network (SDN) due to its concealment. Based on the previously proposed NOS architecture with multiple controllers which introduce heterogeneity and dynamic to defend above attack effectively, its dynamic segment about dynamically scheduling controllers is explicitly presented. A dynamic-scheduling method is put forward to maximise security gain of NOS during each switch. This algorithm is able to improve NOS security through altering its framework's diversity to maximum degree while considering switching cost and latency simultaneously. Theory analysis and simulation results prove validity and availability of the devised mechanism and its more effective security performance over traditional architectures.

Menghao Zhang,Guanyu Li,Lei Xu,Jiasong Bai,Mingwei Xu,Guofei Gu,Jianping Wu

DOI: https://doi.org/10.1109/tnet.2020.3040773

2020-01-01

IEEE/ACM Transactions on Networking

Abstract:Software-Defined Networking (SDN) continues to be deployed spanning from enterprise data centers to cloud computing with the proliferation of various SDN-enabled hardware switches and dynamic control plane applications. However, state-of-the-art SDN-enabled hardware switches have rather limited downlink message processing capability, especially for Flow-Mod and Statistic Query, which may not suffice the huge need of dynamic control plane applications. In this paper, we systematically study the interactions between the control plane applications and the data plane switches, and present two new attacks, namely Control Plane Reflection Attacks, to exploit the limited processing capability of SDN-enabled hardware switches. The reflection attacks adopt direct and indirect data plane events to force the control plane to issue massive expensive downlink messages towards SDN switches. Moreover, we propose a two-phase probing-triggering attack strategy, which makes the reflection attacks much more efficient and powerful. Experiments on a testbed with 3 different physical OpenFlow switches demonstrate that the attacks can lead to catastrophic results such as hurting the establishment of new flows and even disruption of connection between SDN controller and switches. To mitigate such attacks, we present several countermeasures from different perspectives. In particular, we propose a novel, systematical defense framework, SwitchGuard, to detect anomalies of downlink messages and prioritize these messages based on a novel monitoring granularity, i.e., host-application pair (HAP). Implementations and evaluations demonstrate that SwitchGuard can effectively reduce the latency for legitimate hosts and applications under the control plane reflection attacks with only minor overheads.

Chao Qi,Jiangxing Wu,Guozhen Cheng,Jianjian Ai,Shuo Zhao

DOI: https://doi.org/10.1109/cc.2017.8068772

2017-01-01

China Communications

Abstract:Current SDN controllers suffer from a series of potential attacks. For example, malicious flow rules may lead to system disorder by introducing unexpected flow entries. In this paper, we propose Mcad-SA, an aware decision-making security architecture with multiple controllers, which could coordinate heterogeneous controllers internally as a "big" controller. This architecture includes an additional plane, the scheduling plane, which consists of transponder, sensor, decider and scheduler. Meanwhile it achieves the functions of communicating, supervising and scheduling between data and control plane. In this framework, we adopt the vote results from the majority of controllers to determine valid flow rules distributed to switches. Besides, an aware dynamic scheduling（ADS） mechanism is devised in scheduler to intensify security of Mcad-SA further. Combined with perception, ADS takes advantage of heterogeneity and redundancy of controllers to enable the control plane operate in a dynamic, reliable and unsteady state, which results in significant difficulty of probing systems and executing attacks. Simulation results demonstrate the proposed methods indicate better security resilience over traditional architectures as they have lower failure probability when facing attacks.

Tao Wang,Hongchang Chen,Guozhen Cheng,Yulin Lu

DOI: https://doi.org/10.1155/2018/7545079

IF: 1.968

2018-01-01

Security and Communication Networks

Abstract:Software-Defined Networking (SDN) has quickly emerged as a promising technology for future networks and gained much attention. However, the centralized nature of SDN makes the system vulnerable to denial-of-services (DoS) attacks, especially for the currently widely deployed multicontroller system. Due to DoS attacks, SDN multicontroller model may additionally face the risk of the cascading failures of controllers. In this paper, we propose SDNManager, a lightweight and fast denial-of-service detection and mitigation system for SDN. It has five components: monitor, forecast engine, checker, updater, and storage service. It typically follows a control loop of reading flow statistics, forecasting flow bandwidth changes based on the statistics, and accordingly updating the network. It is worth noting that the forecast engine employs a novel dynamic time-series (DTS) model which greatly improves bandwidth prediction accuracy. What is more, to further optimize the defense effect, we also propose a controller dynamic scheduling strategy to ensure the global network state optimization and improve the defense efficiency. We evaluate SDNManager through a prototype implementation tested in a real SDN network environment. The results show that SDNManager is effective with adding only a minor overhead into the entire SDN/OpenFlow infrastructure.

Jin Wang,Liping Wang,Ruiqing Wang

DOI: https://doi.org/10.3390/e25081210

IF: 2.738

2023-08-15

Entropy

Abstract:Software defined networking (SDN) improves the flexibility and programmability of the network by separating the control plane and the data plane and effectively realizes the global control of the network infrastructure. However, the centralized structure design of SDN exposes the controller to potential threats. Attackers have used the active flow table delivery mode to launch distributed denial of service (DDoS) attacks on the SDN controller, resulting in the controller failure and seriously affecting the network performance. To overcome this problem, this paper proposes a defense framework called CC-Guard. The framework consists of four modules: attack detection triggering, switch migration, anomaly detection, and mitigation. Among them, the attack detection trigger module improves the system's timely response to DDoS attacks. The switch migration module effectively unclogs the controller congestion problem and provides convenience for network flow transmission. The anomaly detection module uses a coarse-grained method for two-stage detection, which improves the detection accuracy. The mitigation module uses the idea of cross-domain cooperation of the controller to clear the abnormal flow in the blacklist. Experimental results show that our proposed CC-Guard has real-time DDoS attack defense capability and high detection accuracy, as well as efficient network resource utilization.

physics, multidisciplinary

Deze Zeng,Lin Gu,Shengli Pan,Song Guo

DOI: https://doi.org/10.1007/978-3-030-32942-6_4

2020-01-01

Abstract:Software defined network (SDN) is a newly emerging network architecture with the core concept of separating the control plane and data plane. Centralized controller is introduced to manage and configure network equipments to realize flexible control of network traffic and provide a good platform for application-oriented network innovation. It thus be able to improve network resource utilization, simplify network management, reduce operating cost, and promote innovation and evolution. Routing is always a major concern in network management. When SDN devices (e.g., OpenFlow switches) are introduced, routing becomes different. The flow table is usually implemented in expensive and power-hungry Ternary Content Addressable Memory (TCAM), which is thus capacity-limited. How to optimize the network performance in the consideration of limited TCAM capacity is therefore significant. For example, multi-path routing (MPR) has been widely regarded as a promising method to promote the network performance. But MPR is at the expense of additional forwarding rule, imposing burden on the limited flow table. On the other hand, a logical centralized programmable controller manages the whole SDN by installing rules onto switches. It is widely regarded that one controller is restricted on both performance and scalability. To address these limitations, pioneering researchers advocate deploying multiple controllers in SDNs where each controller is in charge of a set of switches. This raises the switch-controller association problem on a switch shall be managed by which controller. In this chapter, we first investigate how to schedule MPR with joint consideration of forwarding rule placement. Then, we study a minimum cost switch-controller association (MC-SCA) problem on how to minimize the number of controllers needed in an SDN while guaranteeing the flow setup time.

Kuan-yin Chen,Anudeep Reddy Junuthula,Ishant Kumar Siddhrau,Yang Xu,H. Jonathan Chao

DOI: https://doi.org/10.1109/cns.2016.7860467

2016-01-01

Abstract:While the software-defined networking (SDN) paradigm is gaining much popularity, current SDN infrastructure has potential bottlenecks in the control plane, hindering the network's capability of handling on-demand, fine-grained flow level visibility and controllability. Adversaries can exploit these vulnerabilities to launch distributed denial-of-service (DDoS) attacks against the SDN infrastructure. Recently proposed solutions either scale up the SDN control plane or filter out forged traffic, but not both. We propose SDNShield, a combined solution towards more comprehensive defense against DDoS attacks on SDN control plane. SDNShield deploys specialized software boxes to improve the scalability of ingress SDN switches to accommodate control plane workload surges. It further incorporates a two-stage filtering scheme to protect the centralized controller. The first stage statistically distinguishes legitimate flows from forged ones, and the second stage recovers the false positives of the first stage with in-depth TCP handshake verification. Prototype tests and dataset-driven evaluation results show that SDNShield maintains higher resilience than existing solutions under varying attack intensity.

Jie GAO,Jiangxing WU,Yuxiang HU,Junfei LI

DOI: https://doi.org/10.11772/j.issn.1001-9081.2017.08.2281

2017-01-01

Journal of Computer Applications

Abstract:Great convenience has been brought by the centralized control plane of Software-Defined Network (SDN),but a lot of security risks have been introduced into it as well.In the light of single point failure,unknown vulnerabilities and back doors,static configuration and other security problems of the controller,a secure architecture for SDN based on Byzantine protocol was proposed,in which the Byzantine protocol was executed between controllers and each switching device was controlled by a controller view and control messages were decided by several controllers.Furthermore,the dynamics and heterogeneity were introduced into the proposed structure,so that the attack chain was broken and the capabilities of network active defense were enhanced;moreover,based on the quantification of the controller heterogeneity,a two-stage algorithm was designed to seek for the controller view,so that the availability of the network and the security of the controller view were ensured.Simulation results show that compared with the traditional structure,the proposed structure is more resistant to attacks.

Liang Xie,Zhifeng Zhao,Yifan Zhou,Gang Wang,Qianlan Ying,Honggang Zhang

DOI: https://doi.org/10.1109/wcsp.2014.6992181

2014-01-01

Abstract:Software Defined Network (SDN) is undergoing an increasingly high popularity among various schemes of networking deployment. The main advantage of SDN lies in its flexibility in controlling network traffic, which arises from decoupling the control plane and the data plane of network devices. However, despite of the valuable merits of SDN, the outage of data forwarding should not be ignored. The drawback mainly results from the length limitation of switch flow tables, the congestion between controllers and switches, and the deficiency of the controller capacity, which are all closely related to the timeout mechanism of flow table. In our study, the deficiency of SDN system will be analyzed explicitly. Moreover, we propose an adaptive control mechanism aiming at optimizing the idle timeout reset of flow tables and cooperation between controllers and switches. Our mechanism achieves higher matching ratio of flow tables as well as alleviates the congestion in the control channel, enabling more fluent data forwarding in SDN.

Zheng,Xu Mingwei,Li Qi,Zhang Yun

DOI: https://doi.org/10.7544/issn1000-1239.2018.20160740

2018-01-01

Journal of Computer Research and Development

Abstract:Software-defined networking (SDN) is a new network paradigm.Unlike the conventional network,SDN separates the control plane from the data plane.The function of the data plane is enabled in switches while only the controller provides the functions of the control plane.The controller learns topologies of the whole networks and makes the traffic forwarding decisions.However,recent studies show that there exist some serious vulnerabilities in topology management services of the current SDN controller designs,which mainly exists in host tracking service and link discovery service.Attackers can exploit these vulnerabilities to poison the network topology information in the SDN controllers.What's more,attackers can even make the whole network down.Fortunately,researchers have paid some attention to this serious problem and proposed their defense solution.However,the existing countermeasures can be easily evaded by the attackers.In this paper,we propose an effective approach called SecTopo,to defend against the network topology poisoning attacks.Our evaluation on SecTopo in the Floodlight controller shows that the defense solution can effectively secure network topology with a minor impact on normal operations of OpenFlow controllers.

Zhiyuan Hu,Mingwen Wang,Xueqiang Yan,Yueming Yin,Zhigang Luo

DOI: https://doi.org/10.1109/icin.2015.7073803

2015-01-01

Abstract:SDN enables the administrators to configure network resources very quickly and to adjust network-wide traffic flow to meet changing needs dynamically. However, there are some challenges for implementing a full-scale carrier SDN. One of the most important challenges is SDN security, which is beginning to receive attention. With new SDN architecture, some security threats are common to traditional networking, but the profile of these threats (including their likelihood and impact and hence their overall risk level) changes. Moreover, there are some new security challenges such as bypassing predefined mandatory policies by overwriting flow entries and data eavesdropping by inserting fraudulent flow entries. This paper is to design open-flow specific security solutions and propose a comprehensive security architecture to provide security services such as enforcing mandatory network policy correctly and receiving network policy securely for SDN in order to solve these common security issues and new security challenges. It can also help the developers to implement security functions to provide security services when developing the SDN controller.

Jiaqiang Liu,Yong Li,Huandong Wang,Depeng Jin,Li Su,Lieguang Zeng,Thanos Vasilakos

DOI: https://doi.org/10.1016/j.ins.2015.08.019

IF: 8.1

2015-01-01

Information Sciences

Abstract:Network operators employ a variety of security policies for protecting the data and services. However, deploying these policies in traditional network is complicated and security vulnerable due to the distributed network control and lack of standard control protocol. Software-defined network provides an ideal paradigm to address these challenges by separating control plane and data plane, and exploiting the logically centralized control. In this paper, we focus on taking the advantage of software-defined networking for security policies enforcement. We propose a two layer OpenFlow switch topology designed to implement security policies, which considers the limitation of flow table size in a single switch, the complexity of configuring security policies to these switches, and load balance among these switches. Furthermore, we introduce a safe way to update the configuration of these switches one by one for better load balance when traffic distribution changes. Specifically, we model the update process as a path in a graph, in which each node represents a security policy satisfied configuration, and each edge represents a single step of safely update. Based on this model, we design a heuristic algorithm to find an optimal update path in real time. Simulations of the update scheme show that our proposed algorithm is effective and robust under an extensive range of conditions.

Xuan-Bo Huang,Kai-Ping Xue,Yi-Tao Xing,Ding-Wen Hu,Ruidong Li,Qi-Bin Sun

DOI: https://doi.org/10.1007/s11390-022-1495-0

IF: 1.871

2022-01-01

Journal of Computer Science and Technology

Abstract:Software-defined networking (SDN) decouples the data and control planes. However, attackers can lead catastrophic results to the whole network using manipulated flooding packets, called the data-to-control-plane saturation attacks. The existing methods, using centralized mitigation policies and ignoring the buffered attack flows, involve extra network entities and make benign traffic suffer from long network recovery delays. For these purposes, we propose LFSDM, a saturation attack detection and mitigation system, which solves these challenges by leveraging three new techniques: 1) using linear discriminant analysis (LDA) and extracting a novel feature called control channel occupation rate (CCOR) to detect the attacks, 2) adopting the distributed mitigation agents to reduce the number of involved network entities and, 3) cleaning up the buffered attack flows to enable fast recovery. Experiments show that our system can detect the attacks timely and accurately. More importantly, compared with the previous work, we save 81% of the network recovery delay under attacks ranging from 1 000 to 4 000 packets per second (PPS) on average, and 87% of the network recovery delay under higher attack rates with PPS ranging from 5 000 to 30 000.

Nhu-Ngoc Dao,Joongheon Kim,Minho Park,Sungrae Cho

DOI: https://doi.org/10.1371/journal.pone.0160375

IF: 3.7

2016-08-05

PLoS ONE

Abstract:The convergent communication network will play an important role as a single platform to unify heterogeneous networks and integrate emerging technologies and existing legacy networks. Although there have been proposed many feasible solutions, they could not become convergent frameworks since they mainly focused on converting functions between various protocols and interfaces in edge networks, and handling functions for multiple services in core networks, e.g., the Multi-protocol Label Switching (MPLS) technique. Software-defined networking (SDN), on the other hand, is expected to be the ideal future for the convergent network since it can provide a controllable, dynamic, and cost-effective network. However, SDN has an original structural vulnerability behind a lot of advantages, which is the centralized control plane. As the brains of the network, a controller manages the whole network, which is attractive to attackers. In this context, we proposes a novel solution called adaptive suspicious prevention (ASP) mechanism to protect the controller from the Denial of Service (DoS) attacks that could incapacitate an SDN. The ASP is integrated with OpenFlow protocol to detect and prevent DoS attacks effectively. Our comprehensive experimental results show that the ASP enhances the resilience of an SDN network against DoS attacks by up to 38%.