Shumian Yang,Lianhai Wang,Dawei Zhao,Xiaohui Han,Shuhui Zhang

DOI: https://doi.org/10.22323/1.300.0033

2018-01-01

Abstract:Software definition networking is a revolutionary network architecture, which realizes the separation of the control plane and data plane of a network. While providing the centralized controllability and the software programmability, the network itself is encountering many security problems. In order to solve the problem of security threats in SDN networks, there are different layers of unique security challenges and the relevant research on SDN security problems. This paper introduces the depth learning technology into the field of security threat detection in SDN, and propose a security threat detection framework based on depth learning.The framework is based on the research on model establishment, abnormal behavior recognition and decision algorithm design. The software system based on physical memory analysis is under development in SDN. The system verifies the feasibility of this framework, and to finally generate the work plan on SDN infrastructure.

Qiumei Cheng,Chunming Wu,Haifeng Zhou,Yuhang Zhang,Rui Wang,Wei Ruan

DOI: https://doi.org/10.1109/hpcc/smartcity/dss.2018.00149

2018-01-01

Abstract:Guarding the perimeter of cloud-based enterprise networks is a challenge due to massive traffic with dynamic nature. Current firewalls of enterprise networks in cloud are largely based on static security rule configuration or simple rule matching, which makes them inflexible, error-prone and poorly effective, bringing about severe security risks. In this paper, we propose an artificial intelligence-based software-defined networks firewall (AI-SDNF) for solving the above problems. Compared with existing SDN firewalls, AI-SDNF is able to extract and analyze the payload of data packets based on machine learning technologies rather than simply match with flow tables according to several header fields (e.g., source and destination IP/MAC addresses). Considering deciding whether a packet is benign or malicious is able to be formulated as a typical binary classification problem, we employ logistic regression for training an intelligent SDN firewall under supervised machine learning. We implement a prototype of AI-SDNF on the OpenDaylight controller and the OpenStack platform. Based on the prototype, we evaluate its performance and overheads with real dataset. The experimental results indicate that AI-SDNF achieves a relatively high detection accuracy of 96.79% with an average of 0.2ms latency.

Haifeng Zhou,Chunming Wu,Chengyu Yang,Pengfei Wang,Qi Yang,Zhouhao Lu,Qiumei Cheng

DOI: https://doi.org/10.1109/TNET.2018.2859483

2018-01-01

IEEE/ACM Transactions on Networking

Abstract:A software-defined network (SDN) is increasingly deployed in many practical settings, bringing new security risks, e.g., SDN controller and switch hijacking. In this paper, we propose a real-time method to detect compromised SDN devices in a reliable way. The proposed method aims at solving the detection problem of compromised SDN devices when both the controller and the switch are trustless, and ...

Yi Shen,Chunming Wu,Dezhang Kong,Mingliang Yang

DOI: https://doi.org/10.1109/icc40277.2020.9149276

2020-01-01

Abstract:Distributed Denial of Service (DDoS) attack is one of the most severe threats to the current network security. As a new network architecture, Software-Defined Networking (SDN) draws notable attention from both industry and academia. The characteristics of SDN such as centralized management and flow-based traffic monitoring make it an ideal platform to defend against DDoS attacks. When designing a network intrusion detection system (NIDS) in SDN, how to obtain fine-grained flow information with minimal overhead to the SDN architecture is a problem to be solved. In this paper, we propose TPDD, a two-phase DDoS detection system to detect DDoS attacks in SDN. In the first phase, we utilize the characteristics of SDN to collect coarse-grained flow information from the core switches and locate the potential victim. Then we monitor the edge switches located close to the potential victim to obtain finer-grained traffic information in the second phase. The collection method of each phase fully considers the impact on the bandwidth between the controller and switches. Without modifying the existing flow rules, the collection module can obtain sufficient information about traffic. By using entropy-based and machine learning-based methods, the detection module can effectively detect anomalies and identify whether the potential victim marked in the first phase is the target of attacks. Experimental results show that TPDD can effectively detect DDoS attacks with little overhead.

Peng Zhang,Hao Li,Chengchen Hu,Liujia Hu,Lei Xiong,Ruilong Wang,Yuemei Zhang

DOI: https://doi.org/10.1145/2999572.2999605

2016-01-01

Abstract:How to debug large networks is always a challenging task. Software Defined Network (SDN) offers a centralized con- trol platform where operators can statically verify network policies, instead of checking configuration files device-by-device. While such a static verification is useful, it is still not enough: due to data plane faults, packets may not be forwarded according to control plane policies, resulting in network faults at runtime. To address this issue, we present VeriDP, a tool that can continuously monitor what we call control-data plane consistency, defined as the consistency between control plane policies and data plane forwarding behaviors. We prototype VeriDP with small modifications of both hardware and software SDN switches, and show that it can achieve a verification speed of 3 μs per packet, with a false negative rate as low as 0.1%, for the Stanford backbone and Internet2 topologies. In addition, when verification fails, VeriDP can localize faulty switches with a probability as high as 96% for fat tree topologies.

Heyu Chang,Xiaobing Zhang,Nianwen Si,Ping Wu

DOI: https://doi.org/10.1016/j.cose.2024.103906

IF: 5.105

2024-05-28

Computers & Security

Abstract:By decoupling the control plane and the data plane, Software Defined Networking (SDN) has reshaped the ossified network architecture and improved the programmability of the network. However, SDN is also susceptible to malicious injection, tampering, dropping and hijacking attacks against forwarding packets, and the SDN architecture cannot perceive the real behavior of switches in the data plane. Packet forwarding verification and exception localization are recognized as effective and promising methods, enabling reliable packet delivery in the data plane and allowing the controller in SDN to identify abnormal links. While existing mechanisms embed the linear-scale cryptographic tags into the packet header space as the transmission path lengthens to realize packet verification and exception localization, which cannot achieve a feasible tradeoff between efficiency and security. Leveraging the central controllability of SDN, we propose a lightweight packet forwarding verification mechanism. This mechanism splits the runtime of a flow into consecutive epochs by address hopping. The switches in the data plane forward packets based on hopping address, collecting the information of packets forwarded in a compact data structure, namely traffic sketch. The controller verifies traffic sketches and localizes exception in the epoch. We further prototype the proposed mechanism based on simulation network. The analysis and experiments demonstrate that the cost of proposed scheme is lower than the similar mechanisms, introducing no more than 9% additional forwarding delay and less than 8% throughput degradation.

computer science, information systems

Kai Lei,KeKe Li,Junlin Huang,Weichao Li,Jie Xing,Yi Wang

DOI: https://doi.org/10.1109/icc.2018.8422613

2018-01-01

Abstract:Software Defined Networking (SDN) simplifies network management by separating the control plane from the data plane in performance networks. However, the actual packet behaviors, conforming to the rules in the data plane flow tables, may violate the original policies in the controller due to the inconsistency between the data plane and control plane. To address this problem, we propose 2MVeri, a new framework for measuring the control-data plane consistency, defined as the consistency between the control plane policies and data plane rules. 2MVeri uses a Bloom filter and a two-dimensional vector as a tag which is inserted in the packet header and is updated in each switch that the packet traverses. By exploiting path information compressed in the tag, 2MVeri can verify the control-data plane consistency. Moreover, when verification fails, 2MVeri can localize the faulty switch. Evaluations conducted on a datacenter network with the fat tree topology k=4 demonstrate that 2MVeri achieves 100% accuracy in consistency verification and high fault localization performance.

Arash Shaghaghi,Mohamed Ali Kaafar,Rajkumar Buyya,Sanjay Jha

DOI: https://doi.org/10.48550/arXiv.1804.00262

2018-04-01

Abstract:Software-Defined Network (SDN) radically changes the network architecture by decoupling the network logic from the underlying forwarding devices. This architectural change rejuvenates the network-layer granting centralized management and re-programmability of the networks. From a security perspective, SDN separates security concerns into control and data plane, and this architectural recomposition brings up exciting opportunities and challenges. The overall perception is that SDN capabilities will ultimately result in improved security. However, in its raw form, SDN could potentially make networks more vulnerable to attacks and harder to protect. In this paper, we focus on identifying challenges faced in securing the data plane of SDN - one of the least explored but most critical components of this technology. We formalize this problem space, identify potential attack scenarios while highlighting possible vulnerabilities and establish a set of requirements and challenges to protect the data plane of SDNs. Moreover, we undertake a survey of existing solutions with respect to the identified threats, identifying their limitations and offer future research directions.

Cryptography and Security

Peng Zhang,Hao Li,Chengchen Hu,Liujia Hu,Lei Xiong

DOI: https://doi.org/10.1145/2881025.2881038

2016-01-01

Abstract:Software defined networks provide new opportunities for automating the process of network debugging. Many tools have been developed to verify the correctness of network configurations on the control plane. However, due to software bugs and hardware faults of switches, the correctness of control plane may not readily translate into that of data plane. To bridge this gap, we present VeriDP, which can monitor "whether actual forwarding behaviors are complying with network configurations". Given that policies are well-configured, operators can leverage VeriDP to monitor the correctness of the network data plane. In a nutshell, VeriDP lets switches tag packets that they forward, and report tags together with headers to the verification server before the packets leave the network. The verification server pre-computes all header-to-tag mappings based on the configuration, and checks whether the reported tags agree with the mappings. We prototype VeriDP with both software and hardware OpenFlow switches, and use emulation to show that VeriDP can detect common data plane fault including black holes and access violations, with a minimal impact on the data plane.

José Reyes,Jorge López,Djamal Zeghlache

DOI: https://doi.org/10.48550/arXiv.1906.03144

2019-06-07

Abstract:In this paper, we propose an approach that relies on distributed traffic generation and monitoring to identify the operational data-paths in a given Software Defined Networking (SDN) driven data-plane. We show that under certain assumptions, there exist necessary and sufficient conditions for formally guaranteeing that all operational data-paths are discovered using our approach. In order to provide reliable communication within the SDN driven data-planes, assuring that the implemented data-paths are the requested (and expected) ones is necessary. This requires discovering the actual operational (running) data-paths in the data-plane. In SDN, different applications may configure different coexisting data-paths, the resulting data-paths a specific network flow traverses may not be the intended ones. Furthermore, the SDN components may be defected or compromised. We focus on discovering the operational data-paths on SDN driven data-planes. However, the proposed approach is applicable to any data-plane where the operational data-paths must be verified and / or certified. A data-path discovery toolkit has been implemented. We describe the corresponding set of tools, and showcase the obtained experimental results that reveal inconsistencies in well-known SDN applications.

Networking and Internet Architecture

Qi Li,Xiaoyue Zou,Qun Huang,Jing Zheng,Patrick P. C. Lee

DOI: https://doi.org/10.1109/tdsc.2018.2810880

2018-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Like traditional IP networking, the emerging Software-Defined Networking (SDN) technology is vulnerable to sophisticated attacks against packets and their forwarding behaviors. However, existing proposals of packet forwarding verification for IP networking cannot be directly applied to the current SDN deployment due to the limited functionalities and resources in commercial off-the-shelf (COTS) SDN switches. We propose DynaPFV, a dynamic packet forwarding verification mechanism that is capable of detecting various sophisticated attacks against packet forwarding. DynaPFV leverages the controllability of SDN to examine both packets and flow statistics across a network of switches to detect violation of packet integrity and forwarding behaviors. To mitigate the verification overhead, DynaPFV dynamically adjusts the rates of packet sampling and flow statistics collection based on the prior detection results in order to preserve the verification accuracy. Furthermore, DynaPFV makes changes to the SDN controller only, and is directly deployable atop COTS SDN switches without modifications. We conduct theoretical analysis on the trade-off between performance and accuracy in our dynamic verification approach. We further prototype DynaPFV using the open-source Floodlight controller, and evaluate our DynaPFV prototype using Mininet simulations and hardware testbed experiments. DynaPFV achieves over 97 percent of verification accuracy only with less than 5 percent of throughput degradation and less than 10 percent of additional forwarding delays.

Jiangyuan Yao,Zhiliang Wang,Xia Yin,Xingang Shi,Jianping Wu

DOI: https://doi.org/10.1109/ICNP.2014.37

2014-01-01

Abstract:Existing tools for Software-Defined Networking (SDN) data plane testing can be classified into two classes: white box and black-box. For the former, all or part of source codes should be accessed. But for testers outside the manufacturers, the accessing of source code is impossible or very difficult in most cases, especially for hardware devices. For the latter, test cases are manually developed, which cannot ensure the coverage. In this paper, we present a model based black-box systematic testing method for SDN data plane. We propose a new model, Pipelined Extended Finite State Machine (Pi-EFSM), to specify the multiple-level pipeline of SDN data plane. For the Pi-EFSM model, we present a 3-phase systematic test generation approach. By using a hierarchical test generation strategy, the proposed test generation method can alleviate state space explosion to some extent. Our test generation method can achieve the systematic coverage towards the elements of the model. We apply our method in the testing of Open Flow switches (specification version 1.3.0). We build a Pi-EFSM model for Open Flow switches and derive the executable test sequences. Some implementation faults and specification confusions are exposed when we test two switches, Open switch 2.1.0 and CPqD Open Flow 1.3 Software Switch.

Gao Wen,Zhou Boyang,Wu Chunming,Zhou Haifeng,Jiang Ming,Hong Xiaoyan

DOI: https://doi.org/10.1049/cje.2015.07.035

IF: 1.019

2015-01-01

Chinese Journal of Electronics

Abstract:In the Software-defined networking（SDN）,when multiple control domains are used in control services,the transient state problem can occur causing the service flow interruption when border switches are updated asynchronously. We analyze the uniqueness of this problem for SDN, and propose a light-weight protocol for safe reconfiguration of the border switches in order to improve the availability of the services running in SDN. Our solution is designed as a generic supervision layer added in the control plane to support different types of services. To demonstrate the benefits, we implement a prototype of Informationcentric networks（ICN） with the protocol, and conduct experiments using Planet Lab. The results show the ICN service can continuously serve high volume requests for contents despite the congestions built by the heavy background traffic. The performance gains in terms of the mean and standard deviation of the content retrieve delay are40.5% and 21.56%.

Xuan-Bo Huang,Kai-Ping Xue,Yi-Tao Xing,Ding-Wen Hu,Ruidong Li,Qi-Bin Sun

DOI: https://doi.org/10.1007/s11390-022-1495-0

IF: 1.871

2022-01-01

Journal of Computer Science and Technology

Abstract:Software-defined networking (SDN) decouples the data and control planes. However, attackers can lead catastrophic results to the whole network using manipulated flooding packets, called the data-to-control-plane saturation attacks. The existing methods, using centralized mitigation policies and ignoring the buffered attack flows, involve extra network entities and make benign traffic suffer from long network recovery delays. For these purposes, we propose LFSDM, a saturation attack detection and mitigation system, which solves these challenges by leveraging three new techniques: 1) using linear discriminant analysis (LDA) and extracting a novel feature called control channel occupation rate (CCOR) to detect the attacks, 2) adopting the distributed mitigation agents to reduce the number of involved network entities and, 3) cleaning up the buffered attack flows to enable fast recovery. Experiments show that our system can detect the attacks timely and accurately. More importantly, compared with the previous work, we save 81% of the network recovery delay under attacks ranging from 1 000 to 4 000 packets per second (PPS) on average, and 87% of the network recovery delay under higher attack rates with PPS ranging from 5 000 to 30 000.

DOI: https://doi.org/10.33103/uot.ijccce.23.3.6

2023-09-28

Abstract:Traditional network abilities have a drastic shortage in the current networking world. Software-Defined Networking (SDN) is a revival development in the networking domain that provides separation of control and data planes, enlarges the data plane granularity, and simplifies the network devices. All these factors accelerate and automate the evolution of new services. However, when the SDN network topology becomes large, it poses new challenges in security, traffic management, and scalability due to the vast amounts of traffic data generated and the need for additional controllers to manage the significant number of networking devices. On the other hand, big data has become an attractive trend that can enhance network performance in general, specifically SDN. Both SDN and big data have gained great attraction from industry and academia. Traditionally, these two subjects have been studied separately in most of the preceding works. However, big data can impact the design and implementation of SDN thoroughly. This paper presents how big data can support SDN in various aspects, including intrusion detection, traffic monitoring, and controller scalability and resiliency. We suggest several approaches toward deeper cooperation between big data and SDN. Index Term – SDN, big data, Spark, graph database, traffic engineering, intrusion detection.

Qi Li,Yanyu Chen,Patrick P. C. Lee,Mingwei Xu,Kui Ren

DOI: https://doi.org/10.1109/tnet.2018.2853593

2018-01-01

IEEE/ACM Transactions on Networking

Abstract:Software-defined networking (SDN) utilizes a centralized controller to distribute packet processing rules to network switches. However, rules are often generated by the applications developed by different organizations, so they may conflict with each other in data plane and lead to violations with security rules. The problem is similar to firewall conflicts in IP networks. Rule conflict resolution should incur negligible process delay, such that all rules can he correctly and safely enforced in the data plane in real time. However, since SDN allows users to use more than 35 fields to specify rules (including field transition rules), it is much more complicated to prevent enforcement of SDN rules from violating with security rules than to resolve firewall rule violation, and in particular, field transition rules are enforced. Therefore, it is extremely difficult to resolve such rule conflicts in real time before the rules are installed in SDN data plane. In this paper, we investigate the rule conflict problem in SDN and identify new covert channel attacks due to rule conflicts. To the end, we propose the covert channel defender (CCD) that prevents covert channel attacks by verifying and resolving rule conflicts. Specifically, CCD tracks all rule insertion and modification messages from applications running on the controller. It analyzes the correlation among rules based on multiple packet header fields and resolves any identified rule conflict in real time before rule installation. We implement CCD with the Floodlight controller and evaluate its performance with the real-world Stanford topology. We show that CCD can efficiently detect and prevent rule conflicts in the data plane that may raise covert channels within hundreds of microseconds and brings small overhead to the packet delivery.

Alex Horn,Ali Kheradmand,Mukul R. Prasad

DOI: https://doi.org/10.48550/arXiv.1702.07375

2017-02-24

Abstract:Real-time network verification promises to automatically detect violations of network-wide reachability invariants on the data plane. To be useful in practice, these violations need to be detected in the order of milliseconds, without raising false alarms. To date, most real-time data plane checkers address this problem by exploiting at least one of the following two observations: (i) only small parts of the network tend to be affected by typical changes to the data plane, and (ii) many different packets tend to share the same forwarding behaviour in the entire network. This paper shows how to effectively exploit a third characteristic of the problem, namely: similarity among forwarding behaviour of packets through parts of the network, rather than its entirety. We propose the first provably amortized quasi-linear algorithm to do so. We implement our algorithm in a new real-time data plane checker, Delta-net. Our experiments with SDN-IP, a globally deployed ONOS software-defined networking application, and several hundred million IP prefix rules generated using topologies and BGP updates from real-world deployed networks, show that Delta-net checks a rule insertion or removal in approximately 40 microseconds on average, a more than 10X improvement over the state-of-the-art. We also show that Delta-net eliminates an inherent bottleneck in the state-of-the-art that restricts its use in answering Datalog-style "what if" queries.

Networking and Internet Architecture,Logic in Computer Science

Yusu Zhao,Pengfei Zhang,Yongkun Wang,Yaohui Jin

DOI: https://doi.org/10.1109/TNSM.2017.2763187

2018-01-01

IEEE Transactions on Network and Service Management

Abstract:Data plane network issues, caused by software bugs or hardware failures inside network devices, usually manifest themselves as failed rules, which can be verified by the comparison between actual and desired network behavior. Previous efforts implement this leveraging end-to-end active probing, which falls short on timely locating the exact failure points and identifying responsible rules. With th...

Jnanamurthy H K,Vijay Varadharajan

DOI: https://doi.org/10.48550/arXiv.2004.04425

2020-04-09

Abstract:In cloud computing, software-defined network (SDN) gaining more attention due to its advantages in network configuration to improve network performance and network monitoring. SDN addresses an issue of static architecture in traditional networks by allowing centralised control of a network system. SDN contains centralised network intelligence module which separates a process of forwarding packets (data plane) from packet routing process (control plane). It is essential to ensure the correctness of SDN due to secure data transmitting in it. In this paper. Model-checking is chosen to verify an SDN network. The Computation Tree Logic (CTL) and Linear Temporal Logic (LTL) used as a specification to express properties of an SDN. Then complete SDN structure is defined formally along with its Kripke structure. Finally, temporal properties are analysed against the SDN Kripke model to assure the properties of SDN is correct.

Software Engineering

Yusu Zhao,Pengfei Zhang,Yongkun Wang,Yaohui Jin

DOI: https://doi.org/10.1109/lcomm.2017.2701369

IF: 3.5529

2024-01-01

IEEE Communications Letters

Abstract:Network issues on data plane manifest themselves as failed rules, which can be verified by the comparison between actual and desired network behavior. Previous efforts implement this leveraging end-to-end active probing, which falls short on timely locating the exact failure points and identifying responsible rules. With the help of the out-band channel in softwaredefined network (SDN), per hop active probing can be employed to perform per device or even per rule network behavior comparison. Therefore, we present SERVE, an SDN-enabled rule verification framework that automatically identifies data plane network issues with periodic per rule network behavior comparison. By modeling network devices as multi-rooted trees with respect to pipeline processing, probes can be generated from a per device perspective in a timely manner. We evaluate the performance of SERVE and validate its effectiveness and timeliness on a small deployment with typical use cases.