Rui Xiao,Hui Zhu,Chao Song,Ximeng Liu,Jian Dong,Hui Li

DOI: https://doi.org/10.1109/ICCCN.2018.8487340

2018-01-01

Abstract:With the development of virtualization technology and fast expansion of network-scale, SDN has been employed in various cases from campus networks to cloud data center networks. However, SDN networks are also facing some new security issues, relative to the traditional networks. In this work, we demonstrate a novel network isolation attack in SDN networks, called Network Harvesting, that lets an attacker can access to the user's network privileges without the awareness of victim and OpenFlow SDN architecture, which significantly increases persistence. We then present a defense, SpoofDefender, that prevents network isolation attacks or other spoofing attacks by leveraging SDN's data and control plane separation, global network view, and programmatic control of the network, while building upon IEEE 802.1x and encryption. In addition, we also implement SpoofDefender on ONOS 1.10.4 and Mininet with a real network, and extensive simulation results demonstrate that our proposed SpoofDefender is highly effective in terms of computation and communication costs.

Haifeng Zhou,Chunming Wu,Chengyu Yang,Pengfei Wang,Qi Yang,Zhouhao Lu,Qiumei Cheng

DOI: https://doi.org/10.1109/TNET.2018.2859483

2018-01-01

IEEE/ACM Transactions on Networking

Abstract:A software-defined network (SDN) is increasingly deployed in many practical settings, bringing new security risks, e.g., SDN controller and switch hijacking. In this paper, we propose a real-time method to detect compromised SDN devices in a reliable way. The proposed method aims at solving the detection problem of compromised SDN devices when both the controller and the switch are trustless, and ...

Yi Shen,Chunming Wu,Dezhang Kong,Mingliang Yang

DOI: https://doi.org/10.1109/icc40277.2020.9149276

2020-01-01

Abstract:Distributed Denial of Service (DDoS) attack is one of the most severe threats to the current network security. As a new network architecture, Software-Defined Networking (SDN) draws notable attention from both industry and academia. The characteristics of SDN such as centralized management and flow-based traffic monitoring make it an ideal platform to defend against DDoS attacks. When designing a network intrusion detection system (NIDS) in SDN, how to obtain fine-grained flow information with minimal overhead to the SDN architecture is a problem to be solved. In this paper, we propose TPDD, a two-phase DDoS detection system to detect DDoS attacks in SDN. In the first phase, we utilize the characteristics of SDN to collect coarse-grained flow information from the core switches and locate the potential victim. Then we monitor the edge switches located close to the potential victim to obtain finer-grained traffic information in the second phase. The collection method of each phase fully considers the impact on the bandwidth between the controller and switches. Without modifying the existing flow rules, the collection module can obtain sufficient information about traffic. By using entropy-based and machine learning-based methods, the detection module can effectively detect anomalies and identify whether the potential victim marked in the first phase is the target of attacks. Experimental results show that TPDD can effectively detect DDoS attacks with little overhead.

Dezhang Kong,Yi Shen,Xiang Chen,Qiumei Cheng,Hongyan Liu,Dong Zhang,Xuan Liu,Shuangxi Chen,Chunming Wu

DOI: https://doi.org/10.1109/tnet.2022.3203561

2023-01-01

IEEE/ACM Transactions on Networking

Abstract:The topology discovery service in Software-Defined Networking (SDN) provides the controller with a global view of the substrate network topology, allowing for central management of the entire network. Unfortunately, emerging topology attacks can poison the network topology and result in unforeseeable disasters. Although researchers have made great efforts to mitigate this problem, security hazards still exist. In this paper, we propose Invisible Assailant Attack (IAA), the first combination topology attack capable of injecting and maintaining fake links even when 12 existing defense strategies are deployed simultaneously. IAA consists of 14 attack phases that apply multiple attack strategies. Attackers skillfully disguise the attack traffic in each phase so that it looks like normal network traffic, and perform these phases in a well-planned sequence, thereby bypassing existing defenses step by step. To mitigate this attack, we propose a Route Path Verification (RPV) mechanism that orchestrates multiple defense strategies to identify fake links. According to the experiments, RPV can successfully detect IAA with low overhead: its detection completes within 1 ms while its per-flow storage consumption is only a few KB.

Qiumei Cheng,Chunming Wu,Haifeng Zhou,Yuhang Zhang,Rui Wang,Wei Ruan

DOI: https://doi.org/10.1109/hpcc/smartcity/dss.2018.00149

2018-01-01

Abstract:Guarding the perimeter of cloud-based enterprise networks is a challenge due to massive traffic with dynamic nature. Current firewalls of enterprise networks in cloud are largely based on static security rule configuration or simple rule matching, which makes them inflexible, error-prone and poorly effective, bringing about severe security risks. In this paper, we propose an artificial intelligence-based software-defined networks firewall (AI-SDNF) for solving the above problems. Compared with existing SDN firewalls, AI-SDNF is able to extract and analyze the payload of data packets based on machine learning technologies rather than simply match with flow tables according to several header fields (e.g., source and destination IP/MAC addresses). Considering deciding whether a packet is benign or malicious is able to be formulated as a typical binary classification problem, we employ logistic regression for training an intelligent SDN firewall under supervised machine learning. We implement a prototype of AI-SDNF on the OpenDaylight controller and the OpenStack platform. Based on the prototype, we evaluate its performance and overheads with real dataset. The experimental results indicate that AI-SDNF achieves a relatively high detection accuracy of 96.79% with an average of 0.2ms latency.

Tianfang Yu,Lanlan Rui,Xuesong Qiu

DOI: https://doi.org/10.1155/2021/5097267

IF: 1.968

2021-01-01

Security and Communication Networks

Abstract:In traditional networks, DDoS attacks are often launched in the network layer or the transport layer. Researchers had explored this problem in depth and put forward plenty of solutions. However, these solutions are only suitable for scenarios such as a single link or victim side network and could not analyse traffic distribution from the angle of the global network. Also, the TCP/IP network architecture lacks abilities to quickly conduct resource deployment and traffic scheduling. When DDoS attacks occur, victims usually could not respond in time. With the superiorities of centralized control mode and global topological view, Software-Defined Networking (SDN) provides a new way to get over the above issues. In this paper, we adopt a combination of diverse technologies to design SDNDefender, a SDN-based DDoS detection and defense mechanism, which is composed of two core components aiming to counter the most popular DDoS attacks including IP spoofing attack and TCP SYN flood attack. We carry out quantitative simulation experiments for evaluating SDNDefender from many metrics. The experimental results show that in contrast to other DDoS defense algorithms, SDNDefender not only efficiently validates spoofed packets and withstands well-known attacks but also defends unknown attacks according to the target’s available resources. Besides, SDNDefender could significantly reduce TCP half-open connections and improve detection accuracy, alleviating attack influences that exhaust the server’s resources and network bandwidth.

Shang Gao,Zhe Peng,Bin Xiao,Aiqun Hu,Yubo Song,Kui Ren

DOI: https://doi.org/10.1109/tnet.2020.2983976

2020-01-01

IEEE/ACM Transactions on Networking

Abstract:The introduction of software-defined networking (SDN) has emerged as a new network paradigm for network innovations. By decoupling the control plane from the data plane in traditional networks, SDN provides high programmability to control and manage networks. However, the communication between the two planes can be a bottleneck of the whole network. SDN-aimed DoS attacks can cause long packet delay and high packet loss rate by using massive table-miss packets to jam links between the two planes. To detect and mitigate SDN-aimed DoS attacks, this paper presents FloodDefender, an efficient and protocol-independent defense framework for SDN/OpenFlow networks. FloodDefender stands between the controller platform and other controller apps, and conforms to the OpenFlow policy without additional devices. The detection module in FloodDefender utilizes new frequency features to precisely identify SDN-aimed DoS attacks. The mitigation module uses three new techniques to efficiently mitigate attack traffic: table-miss engineering to prevent the communication bandwidth from being exhausted; packet filter to filter out attack traffic and save computational resources of the control plane; and flow rule management to eliminate most of useless flow entries in the switch flow table. Our evaluation on a prototype implementation of FloodDefender shows that the defense framework can precisely identify and efficiently mitigate the SDN-aimed DoS attacks with very little overhead.

Deyun Gao,Zehui Liu,Ying Liu,Chuan Heng Foh,Ting Zhi,Han-Chieh Chao

DOI: https://doi.org/10.1007/s00500-018-3407-3

IF: 3.732

2018-01-01

Soft Computing

Abstract:Software-defined networking (SDN) is the key outcome of extensive research efforts over the past few decades toward transforming the Internet to a more programmable, configurable, and manageable infrastructure. At the same time, SDN will surely become a new target of cyber attackers. In this paper, we point out one of the critical vulnerabilities in SDNs, the capacity of controller, which is most likely to be attacked. Due to the logical centralized management, the breakdown of a controller may disrupt a whole SDN network, which can be easily occurred by Packet-In messages flooding attack (a network-level DDoS attack). To provide a robust environment in SDN, we propose an effective detection method, which has low overhead and high accuracy. We first classify the potential switches that are compromised using Bayesian Network, which is a supervised learning algorithm. Then, we deploy the anomaly detection on the vulnerable switches to detect the Packet-In messages flooding attack based on fuzzy c-means. Extensive simulations and testbed-based experiments show that the proposed solution can defeat the Packet-In messages flooding attack with low overhead and high accuracy.

Tong Xu,Deyun Gao,Ping Dong,Hongke Zhang,Chuan Heng Foh,Han-Chieh Chao

DOI: https://doi.org/10.1109/access.2017.2666270

IF: 3.9

2017-01-01

IEEE Access

Abstract:Recently, the Internet of Things (IoT) is attracting significant attention from both academia and industry. To connect the huge amount of IoT devices effectively, software-defined networking (SDN) is considered as a promising way because of its centralized network management and programmable routing logic. However, due to the limited resources in both the data plane and the control plane, SDN is vulnerable to the new-flow attack, which can disable the SDN-based IoT by exhausting the switches or the controller. Therefore, in this paper, we propose a smart security mechanism (SSM) to defend against the new-flow attack. The SSM uses the standard southbound and northbound interfaces of SDN, and it includes a low-cost method that monitors the new-flow attack by reusing the asynchronous messages on the control link. The monitor method can differentiate the new-flow attack from the normal flow burst by checking the hit rate of the flow entries. Based on the monitoring result, the SSM uses a dynamic access control method to mitigate the new-flow attack by perceiving the behavior of the security middleware in the IoT. The dynamic access control method can intercept the attack flows at their access switch. Extensive simulations and testbed-based experiments are conducted and the corresponding results verify the feasibility of our claims.

Shibo Luo,Hongkai Wang,Jun Wu,Jianhua Li,Longhua Guo,Bei Pei

DOI: https://doi.org/10.1109/VTCSpring.2016.7504274

2016-01-01

Abstract:Software-defined Home Networks (SDHN) is a key development trend of smart home. Security is still an important issue in SDHN. In this paper, a multi-stage attack mitigation mechanism is proposed for SDHN using Software-Defined Networking (SDN) and Network Function Virtualization (NFV). Firstly, an evidence-driven security assessment method using SDN factors and NFV-based detection is designed to perform security assessment along with observed security events. Secondly, an attack mitigation countermeasure selection method is proposed. The evaluation shows that the proposed mechanism is effective for multi-stage attack mitigation in SDHN.

Pengfei Zhai,Yanbo Song,Xiaoming Zhu,Lihui Cao,Jiaming Zhang,Chungang Yang

DOI: https://doi.org/10.1109/iccc49849.2020.9238872

2020-01-01

Abstract:Software Defined Network (SDN) is a new type of network architecture solution, and its innovation lies in decoupling traditional network system into a control plane, a data plane, and an application plane. It logically implements centralized control and management of the network,and SDN is considered to represent the development trend of the network in the future. However, SDN still faces many security challenges. Currently, the number of insecure devices is huge. Distributed Denial of Service (DDoS) attacks are one of the major network security threats.This paper focuses on the detection and mitigation of DDoS attacks in SDN. Firstly, we explore a solution to detect DDoS using Renyi entropy, and we use exponentially weighted moving average algorithm to set a dynamic threshold to adapt to changes of the network. Second, to mitigate this threat,we analyze the historical behavior of each source IP address and score it to determine the malicious source IP address,and use OpenFlow protocol to block attack source.The experimental results show that the scheme studied in this paper can effectively detect and mitigate DDoS attacks.

Rudong Zhao,Songjie Wei,Milin Ren

DOI: https://doi.org/10.1109/ctceec.2017.8455172

2017-01-01

Abstract:This paper proposes a Distributed Denial of Service (DDoS) attack detection and defense system based on Software Defined Networks (SDN) architecture. The system is composed of a monitoring module, a detection module and a reaction module. The monitoring module is designed to raise alerts by analyzing Packet_In messages. It detects and reports anomalies to the detection module for further evaluation, which overcomes the disadvantages of slow response and large overhead of periodic trigger detection. The reaction module can trace back attack traffic flows to quickly and accurately identify malicious hosts. The use of a SDN controller brings in a global view of the network topology in the monitoring and detection procedures for the access layer switch and reduces the processing range. This paper extends the OpenFlow protocol so that a flow entry can record and track the flow path information, which improves the efficiency and accuracy of attack traffic traceability. Simulation experiments show that the proposed scheme has a relatively faster response to DDoS attack with less processing pressure imposed on the controller.

Yunfei Meng,Zhiqiu Huang,Senzhang Wang,Guohua Shen,Changbo Ke

DOI: https://doi.org/10.48550/arXiv.2003.06834

2020-03-18

Abstract:To effectively tackle the security threats towards the Internet of things, we propose a SOM-based DDoS defense mechanism using software-defined networking (SDN) in this paper. The main idea of the mechanism is to deploy a SDN-based gateway to protect the device services in the Internet of things. The gateway provides DDoS defense mechanism based on SOM neural network. By means of SOM-based DDoS defense mechanism, the gateway can effectively identify the malicious sensing devices in the IoT, and automatically block those malicious devices after detecting them, so that it can effectively enforce the security and robustness of the system when it is under DDoS attacks. In order to validate the feasibility and effectiveness of the mechanism, we leverage POX controller and Mininet emulator to implement an experimental system, and further implement the aforementioned security enforcement mechanisms with Python. The final experimental results illustrate that the mechanism is truly effective under the different test scenarios.

Networking and Internet Architecture,Neural and Evolutionary Computing

Jin Wang,Liping Wang

DOI: https://doi.org/10.3390/s22218287

IF: 3.9

2022-10-29

Sensors

Abstract:With the development of Software Defined Networking (SDN), its security is becoming increasingly important. Since SDN has the characteristics of centralized management and programmable, attackers can easily take advantage of the security vulnerabilities of SDN to carry out distributed denial of service (DDoS) attacks, which will cause the memory of controllers and switches to be occupied, network bandwidth and server resources to be exhausted, affecting the use of normal users. To solve this problem, this paper designs and implements an online attack detection and mitigation SDN defense system. The SDN defense system consists of two modules: anomaly detection module and mitigation module. The anomaly detection model uses a lightweight hybrid deep learning method—Convolutional Neural Network and Extreme Learning Machine (CNN-ELM) for anomaly detection of traffic. The mitigation model uses IP traceback to locate the attacker and effectively filters out abnormal traffic by sending flow rule commands from the controller. Finally, we evaluate the SDN defense system. The experimental results show that the SDN defense system can accurately identify and effectively mitigate DDoS attack flows in real-time.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Ihsan H. Abdulqadder,Deqing Zou,Israa T. Aziz,Bin Yuan,Weiming Li

DOI: https://doi.org/10.1109/access.2018.2797214

IF: 3.9

2018-01-01

IEEE Access

Abstract:A software-defined network (SDN) is a technology that supports computer network administrators. However, the centralized control plane architecture of SDNs makes them vulnerable to harmful security threats. In this paper, we propose a secure cloud (SecSDN-cloud) architecture that includes user authentication, routing, attack resistance, and third-party monitoring. The goal of this paper is to design an SDN-cloud environment with integrated security that can resist three different attack types: flow table overloading, control plane saturation, and Byzantine attacks. A novel digital signature with chaotic secure hashing is used for user authentication, followed by an enhanced particle swarm optimization multi-class routing protocol to improve the quality of service. Controllers are assigned to switches by integrating an enhanced genetic algorithm with a modified cuckoo search algorithm. The malicious flow identification includes the analysis of five-tuples constructed from features extracted from packets. We implemented the proposed SecSDN-cloud in the OMNeT++ simulator and evaluated its performance in terms of packet loss, end-to-end delay, throughput, latency, and bandwidth.

Jie Cui,Mingjun Wang,Yonglong Luo,Hong Zhong

DOI: https://doi.org/10.1016/j.future.2019.02.037

IF: 7.307

2019-01-01

Future Generation Computer Systems

Abstract:Software-defined networking (SDN) provides a promising architecture for future networks, and can provide advantages as central control programmability and global view. However, it faces numerous security challenges. Distributed denial of service (DDoS) is a security threat to SDN. Most existing schemes only perform DDoS attack detection and do not address how to defend and recover after detecting DDoS. In this paper, a DDoS attack detection and defense mechanism based on cognitive-inspired computing with dual address entropy is proposed. The flow table characteristics of the switch are extracted, and a DDoS attack model is built by incorporating the support vector machine classification algorithm. This mechanism can realize real-time detection and defense at the preliminary stage of the DDoS attack and can restore normal communication in time. The experiment shows that our mechanism not only detects attacks quickly but also has a high detection rate and low false positive rate. More importantly, it can take appropriate defense and recovery measures in the time after the attack has been identified.

Yunhe Cui,Lianshan Yan,Saifei Li,Huanlai Xing,Wei Pan,Jian Zhu,Xiaoyang Zheng

DOI: https://doi.org/10.1016/j.jnca.2016.04.005

IF: 7.574

2016-06-01

Journal of Network and Computer Applications

Abstract:In order to overcome Distributed Denial of Service (DDoS) in Software Defined Networking (SDN), this paper proposes a mechanism consisting of four modules, namely attack detection trigger, attack detection, attack traceback and attack mitigation. The trigger of attack detection mechanism is introduced for the first time to respond more quickly against DDoS attack and reduce the workload of controllers and switches. In the meantime, the DDoS attack detection method based on neural network is implemented to detect attack. Furthermore, an attack traceback method taking advantages of the characteristics of SDN is also proposed. Meanwhile, a DDoS mitigation mechanism including attack blocking and flow table cleaning is presented. The proposed mechanism is evaluated on SDN testbed. Experimental results show that the proposed mechanism can quickly initiate the attack detection with less than one second and accurately trace the attack source. More importantly, it can block the attack in source and release the occupied resources of switches.

computer science, interdisciplinary applications, software engineering, hardware & architecture

Di Wu,Jie Li,Sajal K. Das,Jinsong Wu,Yusheng Ji,Zhetao Li

DOI: https://doi.org/10.1109/icc.2018.8422448

2018-01-01

Abstract:Software-Defined networking (SDN), as a new paradigm, fixes the shortage that traditional network does not support the dynamic, scalable computing and storage needs of more computing environments. SDN, however, also faces security problems such as vulnerable to DDoS attacks. DDoS attacks are well-known and powerful attacks. DDoS detection and DDoS traffic separation for SDN environments are still an open research issue. DDoS attacks in SDN environments will not only bring damage to target server, but also takes exact impact on SDN system. In this paper, we identify a new type DDoS attack, specifically aiming SDN environment, which is harder to be detected. We propose a novel real-time DDoS detection scheme for SDN environment, by using Principal Component Analysis (PCA) scheme to analyze the network status on traffic packets data. We separate the network into different parts, to reduce the total calculation burden. We compare our scheme with sample entropy, showed our scheme achieves better detecting ability for DDoS attacks.

Zhijie Fan,Ya Xiao,Amiya Nayak,Chengxiang Tan

DOI: https://doi.org/10.1007/s12083-017-0604-2

IF: 3.488

2017-01-01

Peer-to-Peer Networking and Applications

Abstract:Software Defined Network (SDN) is a network framework which can be controlled and defined by software programming, and OpenFlow is the basic protocol in SDN that defines the communication protocol between SDN control plane and data plane. With the deployment of SDN in reality, many security threats and issues are of great concern. In this paper, we propose a security situation awareness approach for SDN. This approach focuses on the attacks like network scanning attack, OpenFlow flooding attack, switch compromised attack and ARP attack in both data plane and control plane. Based on the features of these attacks, we use multiple observations hidden Markov model (HMM) to quantify the network status and then get the security situation assessment values for SDN. The proposed approach can also detect these four attacks and predict the network status based on HMM when given a sequence of observed feature values. We build a test scenario to simulate our approach with Ryu controller and OpenFlow switch and prove the feasibility of this approach.

Shibo Luo,Jun Wu,Jianhua Li,Longhua Guo

DOI: https://doi.org/10.1109/tce.2016.7514720

2016-01-01

IEEE Transactions on Consumer Electronics

Abstract:Software-defined Home Networks (SDHN) is a key development trend of smart home which is proposed to realize multi-home visual sharing. With the improved openness and programming ability, SDHN faces increased network threat than traditional home networks. Especially, because of the diversity and heterogeneity of smart home products, multi-stage attack is more convenient to be performed in SDHN. To mitigate multi-stage attack in SDHN, some significant problems are needed to be addressed. The first problem is security assessment along with attack events. The second one is countermeasure selection problem based on security assessment result and security policy. The third one is attack mitigation countermeasure deployment problem according to current network context to meet the countermeasure decision instantly. In this paper, a multi-stage attack mitigation mechanism is proposed for SDHN using Software-Defined Networking (SDN) and Network Function Virtualization (NFV). Firstly, an evidence-driven security assessment method using SDN factors and NFV-based detection is designed to perform security assessment along with observed security events. Secondly, an attack mitigation countermeasure selection method is proposed. The evaluation shows that the proposed mechanism is effective for multi-stage attack mitigation in SDHN1.