Haifeng Zhou,Chunming Wu,Ming Jiang,Boyang Zhou,Wen Gao,Tingting Pan,Min Huang

DOI: https://doi.org/10.1109/mcom.2015.7081074

IF: 9.03

2015-01-01

IEEE Communications Magazine

Abstract:The past few years have witnessed revolutionary advances in network technology. Along with new techniques such as SDN come lots of new network security challenges. Conventional network security mechanisms are incompetent to overcome these challenges, since they are built on a static network configuration that facilitates attackers in finding the weaknesses of a network. In this article, we conceive a novel conceptual network security mechanism, the evolving defense mechanism (EDM), to resolve current and future security problems. EDM is based on a bio-inspired idea of network configuration variations. According to the security requirements of the system, the user, and the network security state, EDM selects an efficient network configuration variation strategy to prevent corresponding security threats. Combined with SDN implementation, EDM resolves security problems from a new angle and is capable of evolving with new network security technology. We sketch a way to implement EDM and present its reference framework, which serves as an ecosystem and coexisting environment for various kinds of network configuration variations. The proposed mechanism avoids the deficiency of conventional mechanisms and has potential to cope with emerging security threats.

Qiumei Cheng,Chunming Wu,Haifeng Zhou,Yuhang Zhang,Rui Wang,Wei Ruan

DOI: https://doi.org/10.1109/hpcc/smartcity/dss.2018.00149

2018-01-01

Abstract:Guarding the perimeter of cloud-based enterprise networks is a challenge due to massive traffic with dynamic nature. Current firewalls of enterprise networks in cloud are largely based on static security rule configuration or simple rule matching, which makes them inflexible, error-prone and poorly effective, bringing about severe security risks. In this paper, we propose an artificial intelligence-based software-defined networks firewall (AI-SDNF) for solving the above problems. Compared with existing SDN firewalls, AI-SDNF is able to extract and analyze the payload of data packets based on machine learning technologies rather than simply match with flow tables according to several header fields (e.g., source and destination IP/MAC addresses). Considering deciding whether a packet is benign or malicious is able to be formulated as a typical binary classification problem, we employ logistic regression for training an intelligent SDN firewall under supervised machine learning. We implement a prototype of AI-SDNF on the OpenDaylight controller and the OpenStack platform. Based on the prototype, we evaluate its performance and overheads with real dataset. The experimental results indicate that AI-SDNF achieves a relatively high detection accuracy of 96.79% with an average of 0.2ms latency.

Wenmao LIU,Xiaofeng QIU,Pengcheng CHEN,Xutao WEN,Xinxin HE,Dongsheng WANG,Jun LI

DOI: https://doi.org/10.3778/j.issn.1673-9418.1407061

2015-01-01

Abstract:Current OpenFlow specifications provide limited access to packet details, making it inefficient to deploy security applications. Moreover, current security solutions become less flexible as software defined-networking (SDN) develops. This paper proposes a distributed software-defined security architecture (SDSA), which offloads heavy security processing from SDN controller to a dedicated security controller and security APPs, providing both flow and packet level protections against various attacks in the SDN and virtual environment. This paper gives the global view and knowledge of flows, IaaS assets and devices, which can make accurate decisions and ensures devices to execute security rules instantly. The architecture simplifies security device logic greatly by separating security data and control planes, the detection and protection are automated with standardized control messages, making the secu-rity reaction fast. The experiments demonstrate that SDSA can detect DoS attack, port scan and abnormal high traffic with low cost and little overhead.

Cai Liang,Yang Xiao-hu,Dong Jin-xiang

DOI: https://doi.org/10.1631/jzus.2003.0287

2003-01-01

Journal of Zhejiang University SCIENCE A

Abstract:Database Security and Protection System (DSPS) is a security platform for fighting malicious DBMS. The security and performance are critical to DSPS. The authors suggested a key management scheme by combining the server group structure to improve availability and the key distribution structure needed by proactive security. This paper detailed the implementation of proactive security in DSPS. After thorough performance analysis, the authors concluded that the performance difference between the replicated mechanism and proactive mechanism becomes smaller and smaller with increasing number of concurrent connections; and that proactive security is very useful and practical for large, critical applications.

Jordi Paillisse,Marc Portoles,Albert Lopez,Alberto Rodriguez-Natal,David Iacobacci,Johnson Leong,Victor Moreno,Albert Cabellos,Fabio Maino,Sanjay Hooda

DOI: https://doi.org/10.48550/arXiv.2010.15236

2021-02-20

Abstract:Enterprise Networks, over the years, have become more and more complex trying to keep up with new requirements that challenge traditional solutions. Just to mention one out of many possible examples, technologies such as Virtual LANs (VLANs) struggle to address the scalability and operational requirements introduced by Internet of Things (IoT) use cases. To keep up with these challenges we have identified four main requirements that are common across modern enterprise networks: (i) scalable mobility, (ii) endpoint segmentation, (iii) simplified administration, and (iv) resource optimization. To address these challenges we designed SDA (Software Defined Access), a solution for modern enterprise networks that leverages Software-Defined Networking (SDN) and other state of the art techniques. In this paper we present the design, implementation and evaluation of SDA. Specifically, SDA: (i) leverages a combination of an overlay approach with an event-driven protocol (LISP) to dynamically adapt to traffic and mobility patterns while preserving resources, and (ii) enforces dynamic endpoint groups for scalable segmentation with low operational burden. We present our experience with deploying SDA in two real-life scenarios: an enterprise campus, and a large warehouse with mobile robots. Our evaluation shows that SDA, when compared with traditional enterprise networks, can (i) reduce overall data plane forwarding state up to 70% thanks to a reactive protocol using a centralized routing server, and (ii) reduce by an order of magnitude the handover delays in scenarios of massive mobility with respect to other approaches. Finally, we discuss lessons learned while deploying and operating SDA, and possible optimizations regarding the use of an event-driven protocol and group-based segmentation.

Networking and Internet Architecture

Vijay Varadharajan,Kallol Karmakar,Uday Tupakula,Michael Hitchens

DOI: https://doi.org/10.48550/arXiv.1806.02053

2018-06-06

Abstract:As networks expand in size and complexity, they pose greater administrative and management challenges. Software Defined Networks (SDN) offer a promising approach to meeting some of these challenges. In this paper, we propose a policy driven security architecture for securing end to end services across multiple SDN domains. We develop a language based approach to design security policies that are relevant for securing SDN services and communications. We describe the policy language and its use in specifying security policies to control the flow of information in a multi-domain SDN. We demonstrate the specification of fine grained security policies based on a variety of attributes such as parameters associated with users and devices/switches, context information such as location and routing information, and services accessed in SDN as well as security attributes associated with the switches and Controllers in different domains. An important feature of our architecture is its ability to specify path and flow based security policies, which are significant for securing end to end services in SDNs. We describe the design and the implementation of our proposed policy based security architecture and demonstrate its use in scenarios involving both intra and inter-domain communications with multiple SDN Controllers. We analyse the performance characteristics of our architecture as well as discuss how our architecture is able to counteract various security attacks. The dynamic security policy based approach and the distribution of corresponding security capabilities intelligently as a service layer that enable flow based security enforcement and protection of multitude of network devices against attacks are important contributions of this paper.

Cryptography and Security

Igor Ivkić,Dominik Thiede,Nicholas Race,Matthew Broadbent,Antonios Gouglidis

DOI: https://doi.org/10.1007/978-3-031-68165-3_4

2024-08-21

Abstract:Cloud computing has grown in importance in recent years which has led to a significant increase in Data Centre (DC) network requirements. A major driver of this change is virtualisation, which allows computing resources to be deployed on a large scale. However, traditional DCs, with their network topology and proliferation of network endpoints, are struggling to meet the flexible, centrally managed requirements of cloud computing applications. Software-Defined Networks (SDN) promise to offer a solution to these growing networking requirements by separating control functions from data routing. This shift adds more flexibility to networks but also introduces new security issues. This article presents a framework for evaluating security of SDN architectures. In addition, through an experimental study, we demonstrate how this framework can identify the threats and vulnerabilities, calculate their risks and severity, and provide the necessary measures to mitigate them. The proposed framework helps administrators to evaluate SDN security, address identified threats and meet network security requirements.

Cryptography and Security,Networking and Internet Architecture

Ali Nadim Alhaj,Narottam Das Patel,Ajeet Singh,Rohit Kumar Bondugula,Mohsin Furkh Dar,Jameel Ahamed

DOI: https://doi.org/10.1504/ijsnet.2024.141613

2024-09-28

International Journal of Sensor Networks

Abstract:The rapid expansion of networks has given rise to numerous challenges and issues. In recent years, one idea that has captivated researchers is segregating the forwarding and control levels, which emerged with software-defined networking (SDN) frameworks. Despite centralised management and network administration advantages, SDN networks have encountered several issues, with safety and reliability being the most prominent. This paper proposes a comprehensive robust security architecture for SDN networks that consists of modular components. Each module addresses a specific security challenge, and by integrating these security solutions, we aim to establish a cohesive security framework for SDN. Furthermore, we propose a robust security algorithm capable of effectively mitigating critical security attacks such as DDoS, ARP, and MITM. Our approach involves developing a multi-level security algorithm to counteract most DDoS attacks, while also devising a real-time algorithm specifically designed to handle ARP attacks, including request-replay-ARP DoS attacks.

computer science, information systems,telecommunications

Shasha Zhang,Shuyu Song,Fan Yang,Rongpeng Li,Zhifeng Zhao,Honggang Zhang

DOI: https://doi.org/10.1145/3300061.3343365

2019-01-01

Abstract:Software-defined security (SDS) overcomes the limitations of traditional security mechanisms, which brings significant merits for design, deployment and management. However, existing researches are usually limited to some independent algorithms, while not able to apply multiple algorithms to accommodate various types of attack in actual deployment. In this paper, we propose and implement a novel SDS framework, which aims to flexibly deploy a variety of security functions and artificial intelligence (AI) algorithms to automatically learn ongoing threats and proactively protect the network from attacks.

S Pradeep,Yogesh Kumar Sharma,Umesh Kumar Lilhore,Sarita Simaiya,Abhishek Kumar,Sachin Ahuja,Martin Margala,Prasun Chakrabarti,Tulika Chakrabarti

DOI: https://doi.org/10.1038/s41598-023-44701-7

2023-10-13

Abstract:Software-defined networking (SDN) has significantly transformed the field of network management through the consolidation of control and provision of enhanced adaptability. However, this paradigm shift has concurrently presented novel security concerns. The preservation of service path integrity holds significant importance within SDN environments due to the potential for malevolent entities to exploit network flows, resulting in a range of security breaches. This research paper introduces a model called "EnsureS", which aims to enhance the security of SDN by proposing an efficient and secure service path validation approach. The proposed approach utilizes a Lightweight Service Path Validation using Batch Hashing and Tag Verification, focusing on improving service path validation's efficiency and security in SDN environments. The proposed EnsureS system utilizes two primary techniques in order to validate service pathways efficiently. Firstly, the method utilizes batch hashing in order to minimize computational overhead. The proposed EnsureS algorithm enhances performance by aggregating packets through batches rather than independently; the hashing process takes place on each one in the service pathway. Additionally, the implementation of tag verification enables network devices to efficiently verify the authenticity of packets by leveraging pre-established trust relationships. EnsureS provides a streamlined and effective approach for validating service paths in SDN environments by integrating these methodologies. In order to assess the efficacy of the Proposed EnsureS, a comprehensive series of investigations were conducted within a simulated SDN circumstance. The efficacy of Proposed EnsureS was then compared to that of established methods. The findings of our study indicate that the proposed EnsureS solution effectively minimizes computational overhead without compromising on the established security standards. The implementation successfully reduces the impact of different types of attacks, such as route alteration and packet spoofing, increasing SDN networks' general integrity.

Roberto Doriguzzi-Corin

DOI: https://doi.org/10.48550/arXiv.2004.02876

2020-04-04

Networking and Internet Architecture

Abstract:With the recent trend of "network softwarisation", enabled by emerging technologies such as Software-Defined Networking (SDN) and Network Function Virtualisation (NFV), system administrators of data centres and enterprise networks have started replacing dedicated hardware-based middleboxes with virtualised network functions running on servers and end hosts. This radical change has facilitated the provisioning of advanced and flexible network services, ultimately helping system administrators and network operators to cope with the rapid changes in service requirements and networking workloads. This thesis investigates the challenges of provisioning network security services in "softwarised" networks, where the security of residential and business users can be provided by means of sets of software-based network functions running on high performance servers or on commodity compute devices. The study is approached from the perspective of the telecom operator, whose goal is to protect the customers from network threats and, at the same time, maximize the number of provisioned services, and thereby revenue. Specifically, the overall aim of the research presented in this thesis is proposing novel techniques for optimising the resource usage of software-based security services, hence for increasing the chances for the operator to accommodate more service requests while respecting the desired level of network security of its customers. In this direction, the contributions of this thesis are the following: (i) a solution for the dynamic provisioning of security services that minimises the utilisation of computing and network resources, and (ii) novel methods based on Deep Learning and Linux kernel technologies for reducing the CPU usage of software-based security network functions, with specific focus on the defence against Distributed Denial of Service (DDoS) attacks.

Jinwoo Kim,Minjae Seo,Seungsoo Lee,Jaehyun Nam,Vinod Yegneswaran,Phillip Porras,Guofei Gu,Seungwon Shin

DOI: https://doi.org/10.1016/j.comnet.2024.110203

IF: 5.493

2024-01-26

Computer Networks

Abstract:Over the last 15 years, Software-Defined Networking (SDN) has gained widespread support from both research communities and the industry owing to its open nature and programmability. This paradigm empowers stakeholders, including researchers, practitioners, and developers, to craft innovative networking services using robust APIs and a global network view, free from reliance on vendor-dependent control planes. However, the flexible architecture of SDN has introduced a plethora of security challenges absent in traditional network environments. While many surveys have presented existing attacks, there has been a lack of systematization of attacks from a penetration perspective, which is crucial for understanding attacks and their root causes. This paper aims to analyze previous literature that has disclosed attack cases in SDN, scrutinizing their vulnerabilities, penetration routes, and root causes. Additionally, we provide an in-depth and comprehensive discussion of the underlying problems associated with these attacks and present defenses proposed by researchers to mitigate them, analyzing how the root causes are remedied. Through this study, we aim to illuminate existing security issues within the current SDN architecture, prompting a reevaluation of various security problems and providing a future research guideline for SDN security.

computer science, information systems,telecommunications,engineering, electrical & electronic, hardware & architecture

Yi Liu,Hong-qi Zhang,Jiang Liu,Ying-jie Yang

DOI: https://doi.org/10.1155/2017/9534754

IF: 1.968

2017-01-01

Security and Communication Networks

Abstract:Security functions are usually deployed on proprietary hardware, which makes the delivery of security service inflexible and of high cost. Emerging technologies such as software-defined networking and network function virtualization go in the direction of executing functions as software components in virtual machines or containers provisioned in standard hardware resources. They enable network to provide customized security service by deploying Security Service Chain (SSC), which refers to steering flow through multiple security functions in a particular order specified by individual user or application. However, SSC Deployment Problem (SSC-DP) needs to be solved. It is a challenging problem for various reasons, such as the heterogeneity of instances in terms of service capacity and resource demand. In this paper, we propose an SSC-based approach to deliver security service to users without worrying about physical locations of security functions. For SSC-DP, we present a three-phase method to solve it while optimizing network and security resource allocation. The presented method allows network to serve a large number of flows and minimizes the latency seen by flows. Comparative experiments on the fat-tree and Waxman topologies show that our method performs better than other heuristics under a wide range of network conditions.

Guofei Gu,David Ott,Kun Sun GMU,Ehab Al-Shaer,Alvaro Cardenas,Yan Chen,William Enck,Hongxin Hu,Dennis Moreau,Cristina Nita-Rotaru,Don Porter,Mike Reiter,Sandra Scott-Hayward,Srinivasan Seshan

2018-01-01

Abstract:Recent years have seen a dramatic and rapid paradigm shift in computing from static control systems (often implemented in hardware), to dynamic, easily-reconfigurable, software-defined systems. The researchers and practitioners have just begun to scratch the surface of how the ever-increasing software-defined everything (SD-X) changes the landscape of cybersecurity. On one hand, a software-defined world adds potentially new attack surfaces that deserve new research investigation. On the other hand, considering the fact that everything can be defined by the software, now we can have a new playground to redesign the security mechanisms and services. With programmable security, we can also better embrace the new advances in big data and AI to provide more intelligent and adaptive security for the software-defined world. We believe the opportunity is ripe for academics to make foundational contributions, collaboratively with industry, to shape the next 5 years of research in this new space, SPS (Software-defined Programmable Security). Emerging data centers, cloud networks, IoT and edge computing also provide a fertile playground to consider disruptive software-defined programmable security designs. While many research directions are interesting, this report outlines a few high-priority areas:

Abdallah Mustafa Abdelrahman,Joel J. P. C. Rodrigues,Mukhtar M. E. Mahmoud,Kashif Saleem,Ashok Kumar Das,Valery Korotaev,Sergei A. Kozlov

DOI: https://doi.org/10.1002/dac.4706

2020-12-15

International Journal of Communication Systems

Abstract:Software‐defined networking (SDN) is an agile, modern networking approach that facilitates innovations in the networking paradigm. The abstracted and centralized network operating system facilitates the network management and reduces operational expenditure (OPEX). The open nature and simplicity of the data‐forwarding plane dramatically reduces capital expenditure (CAPEX) by leveraging commodity servers and switches. SDN also lends itself very well to address major cloud computing issues and complement cloud services, especially in terms of network virtualization and networking as a service (NaaS). As a new technology, SDN does involve certain security challenges, which include distributed denial of service (DDoS) threats, build and run time injected malware, insider (tenant) attacks, and security holes resulting from controller misconfigurations. These are severe threats that can cripple an entire network. It is crucial to address the SDN vulnerabilities to ensure its successful deployment in private data center networks, on cloud platforms and beyond. Some security solutions leverage the built‐in features of SDN, such as its controller software component, while other solutions provide external SDN applications running above the controller. This study reviews the security solutions for the vulnerabilities of state‐of‐the‐art SDN controllers and the available countermeasures. Furthermore, an in‐depth analysis of the SDN features that support security is presented, and some unresolved research issues on SDN controllers are identified.

telecommunications,engineering, electrical & electronic

Jaspreet Singh,Yahuza Bello,Ahmed Refaey,Amr Mohamed

DOI: https://doi.org/10.48550/arXiv.2007.01246

2020-07-03

Abstract:The rise in embedded and IoT device usage comes with an increase in LTE usage as well. About 70\% of an estimated 18 billion IoT devices will be using cellular LTE networks for efficient connections. This introduces several challenges such as security, latency, scalability, and quality of service, for which reason Edge Computing or Fog Computing has been introduced. The edge is capable of offloading resources to the edge to reduce workload at the cloud. Several security challenges come with Multi-access Edge Computing (MEC) such as location-based attacks, the man in the middle attacks, and sniffing. This paper proposes a Software-Defined Perimeter (SDP) framework to supplement MEC and provide added security. The SDP is capable of protecting the cloud from the edge by only authorizing authenticated users at the edge to access services in the cloud. The SDP is implemented within a Mobile Edge LTE network. Delay analysis of the implementation is performed, followed by a DoS attack to demonstrate the resilience of the proposed SDP. Further analyses such as CPU usage and Port Scanning were performed to verify the efficiency of the proposed SDP. This analysis is followed by concluding remarks with insight into the future of the SDP in MEC.

Networking and Internet Architecture,Numerical Analysis

N Maheswaran,S Bose,Buvaneswari Natarajan

DOI: https://doi.org/10.1080/00051144.2024.2372749

IF: 1.79

2024-07-13

Automatika

Abstract:The advancements made in Software-Defined Networking (SDN) technology seem quite promising, with potential wide application in managing and controlling the latest network infrastructures. SDN technology decouples the control plane from the data plane, enabling effective and flexible network management. However, this dynamic phenomenon brings new security challenges. With the increasing dynamism and programmable nature of networks, conventional security protocols may not sufficient to protect against advanced and sophisticated attacks. Although Intrusion Detection Systems (IDSs) have been extensively applied for identifying and preventing security threats in traditional network environments, IDS models designed specifically for traditional network requirements may not be adequate for SDN environments. These issues may stem from the static nature of conventional networks, contrasting with the dynamicity of advanced SDN networks, and the traditional IDS's inability to adapt to the dynamic nature of SDN. To address these challenges, the current research proposes a novel Deep Hybrid IDS model to enhance network security in SDN environments and prevent attacks using Scapy. The proposed model detects signature-based attacks by integrating Gated Recurrent Units (GRU) and Long Short-Term Memory (LSTM) for real-time simulated datasets, achieving an accuracy of 97.8%, which is comparatively better than existing models.

automation & control systems,engineering, electrical & electronic

Anand J.V.

DOI: https://doi.org/10.36548/jucct.2019.2.005

2019-12-30

Journal of Ubiquitous Computing and Communication Technologies

Abstract:Nowadays the technological advancements have made the internet ubiquitous and linked a wide group of people to be through it, paving way for a network transferal, causing the applications to be shifted from its local servers to the cloud ecosystem. The shifting of the computer applications led to entailment of enormous network connectivity that caused difficulties in the operations of the network. The software defined networks emerged as capable solution for the managing the difficulties arising due to the paradigm shift, and enriched the network operators with high flexibility programming in accessing as well as controlling the multiple routing paths. However the security and the sustainability in the SDN is still an open issue. So the paper looks forward to design and develop a secure and a sustainable software defined networks. The proposed method is simulated with the NS2 to verify the enhanced quality of service provided in terms of security, throughput and the Packet drop rate.

Yinghao Su,Dapeng Xiong,Kechang Qian,Yu Wang

DOI: https://doi.org/10.3390/electronics13040807

IF: 2.9

2024-02-20

Electronics

Abstract:The widespread adoption of software-defined networking (SDN) technology has brought revolutionary changes to network control and management. Compared to traditional networks, SDN enhances security by separating the control plane from the data plane and replacing the traditional network architecture with a more flexible one. However, due to its inherent architectural flaws, SDN still faces new security threats. This paper expounds on the architecture and security of SDN, analyzes the vulnerabilities of SDN architecture, and introduces common distributed denial of service (DDoS) attacks within the SDN architecture. This article also provides a review of the relevant literature on DDoS attack detection and mitigation in the current SDN environment based on the technologies used, including statistical analysis, machine learning, policy-based, and moving target defense techniques. The advantages and disadvantages of these technologies, in terms of deployment difficulty, accuracy, and other factors, are analyzed. Finally, this study summarizes the SDN experimental environment and DDoS attack traffic generators and datasets of the reviewed literature and the limitations of current defense methods and suggests potential future research directions.

engineering, electrical & electronic,computer science, information systems,physics, applied

Felipe S. Dantas Silva,Emidio P. Neto,Rodrigo S. S. Nunes,Cristian H. M. Souza,Augusto J. V. Neto,Túlio Pascoal

DOI: https://doi.org/10.1007/s10922-023-09746-z

2023-07-08

Journal of Network and Systems Management

Abstract:Over the last decade, Software-Defined Networking (SDN) has become increasingly popular in computer network infrastructures. However, due to its relatively recent implementation, protective measures still need to be fully developed. One significant security concern with SDN is its vulnerability to scanning attacks, which can escalate to more severe attacks like Denial-of-Service (DoS) attacks. Recently, Moving Target Defense (MTD) techniques have been used to address scanning attacks. Still, they can negatively impact network performance due to the reliance on delay tactics that increase network latency. This article introduces the MTD Adaptive Delay System (MADS) to provide feasible MTD-based protection against scanning attacks without compromising the network service parameters, especially regarding Quality of Service (QoS). Unlike existing methods that continually apply delays to all traffic packets, MADS-based delays are only triggered and applied to packets when the victim network is under attack based on the intensity of the traffic commonly used in scanning attacks. MADS' performance was evaluated and compared to state-of-the-art MTD-based defenses, and it was found to cause less network degradation while maintaining the same efficiency as MTD-based techniques against scanning attacks. Furthermore, MADS had a shorter average latency time (99.4% lower) and better average throughput (4.87% higher) than the two baseline MTD-based solutions. Additionally, MADS did not produce Bad TCP packets compared to baseline works under the same attack scenarios.

computer science, information systems,telecommunications