Shumian Yang,Lianhai Wang,Dawei Zhao,Xiaohui Han,Shuhui Zhang

DOI: https://doi.org/10.22323/1.300.0033

2018-01-01

Abstract:Software definition networking is a revolutionary network architecture, which realizes the separation of the control plane and data plane of a network. While providing the centralized controllability and the software programmability, the network itself is encountering many security problems. In order to solve the problem of security threats in SDN networks, there are different layers of unique security challenges and the relevant research on SDN security problems. This paper introduces the depth learning technology into the field of security threat detection in SDN, and propose a security threat detection framework based on depth learning.The framework is based on the research on model establishment, abnormal behavior recognition and decision algorithm design. The software system based on physical memory analysis is under development in SDN. The system verifies the feasibility of this framework, and to finally generate the work plan on SDN infrastructure.

Haifeng Zhou,Chunming Wu,Ming Jiang,Boyang Zhou,Wen Gao,Tingting Pan,Min Huang

DOI: https://doi.org/10.1109/mcom.2015.7081074

IF: 9.03

2015-01-01

IEEE Communications Magazine

Abstract:The past few years have witnessed revolutionary advances in network technology. Along with new techniques such as SDN come lots of new network security challenges. Conventional network security mechanisms are incompetent to overcome these challenges, since they are built on a static network configuration that facilitates attackers in finding the weaknesses of a network. In this article, we conceive a novel conceptual network security mechanism, the evolving defense mechanism (EDM), to resolve current and future security problems. EDM is based on a bio-inspired idea of network configuration variations. According to the security requirements of the system, the user, and the network security state, EDM selects an efficient network configuration variation strategy to prevent corresponding security threats. Combined with SDN implementation, EDM resolves security problems from a new angle and is capable of evolving with new network security technology. We sketch a way to implement EDM and present its reference framework, which serves as an ecosystem and coexisting environment for various kinds of network configuration variations. The proposed mechanism avoids the deficiency of conventional mechanisms and has potential to cope with emerging security threats.

Quan Ren,Zehua Guo,Jiangxing Wu,Tao Hu,Lu Jie,Yuxiang Hu,Lei He

DOI: https://doi.org/10.1109/tnsm.2022.3163198

2022-01-01

Abstract:In this paper, we propose a resilient control plane based on endogenous security for Software-Defined Networking (SDN) named SDN-ESRC to prevent vulnerability backdoor attacks. SDN-ESRC uses a set of heterogeneous controllers (e.g., RYU, OpenDayLight, ONOS) to compose the control plane and dynamically and adaptively selects several heterogeneous controller instances from the controller set to detect and correct the malicious control messages. The design of SDN-ESRC faces two challenges: (1) increasing network update delay due to multi-controller comparison and (2) maintaining high controllable security. To address the first challenge, SDN-ESRC adopts the master modification mode to reduce the network update delay and identify malicious control messages. To address the second challenge, SDN-ESRC introduces the comparison modification mode to ensure high availability in real time. We propose an evaluation model for SDN-ESRC and theoretically analyze the SDN-ESRC’s endogenous security performance under three typical backdoor attack scenarios. We implement SDN-ESRC in a prototype system and conduct simulations and experiments. The results show that SDN-ESRC can improve the backdoor damage attack security up to 98.3%, the backdoor random attack security up to 99.99%, and the backdoor coordinated attack security up to 82% at the cost of increasing network update delay less than 8.3%.

Qiang Wu,Ran Wang,Xincheng Yan,Chunming Wu,Rongxing Lu

DOI: https://doi.org/10.1109/MWC.001.2100251

IF: 12.777

2022-01-01

IEEE Wireless Communications

Abstract:Opening-up sharing has prompted the multi-tenancy architecture, whereby different vendors (including outsourcees) work together with network operators to form a vibrant service ecosystem, resulting in several advantages as well as risks. In particular, the static nature of existing architectures in network functions virtualization-based (NFV-based) clouds facilitate hacking. Thus, much attention has been focused on determining how to avoid the uncontrollable cloud security induced by complex production relations and non-trustworthy software/hardware sources when the two sets of security risks intersect. In this article, we investigate latent persistent threats against cloud environments and determine a high degree of complementarity and consistency between the NFV-based cloud environment and the dynamic defense concept. More specifically, new NFV-based cloud features provide an effective implementation for dynamic defense, while the generalized robustness of dynamic defense theory allows for high security gains. Intrinsic cloud security (iCS) is then proposed to align NFV-based clouds, mimicking defense and the moving target defense (MTD) paradigm to implement a seamless integration and symbiosis evolution between security and NFV-based clouds. We quantify the impact on system overhead to account for efficiency and cost issues. The simulation analysis demonstrates that the enhanced mode is able to consistently obtain a more beneficial and stable defense compared with the counterparts.

Gao Wen,Zhou Boyang,Wu Chunming,Zhou Haifeng,Jiang Ming,Hong Xiaoyan

DOI: https://doi.org/10.1049/cje.2015.07.035

IF: 1.019

2015-01-01

Chinese Journal of Electronics

Abstract:In the Software-defined networking（SDN）,when multiple control domains are used in control services,the transient state problem can occur causing the service flow interruption when border switches are updated asynchronously. We analyze the uniqueness of this problem for SDN, and propose a light-weight protocol for safe reconfiguration of the border switches in order to improve the availability of the services running in SDN. Our solution is designed as a generic supervision layer added in the control plane to support different types of services. To demonstrate the benefits, we implement a prototype of Informationcentric networks（ICN） with the protocol, and conduct experiments using Planet Lab. The results show the ICN service can continuously serve high volume requests for contents despite the congestions built by the heavy background traffic. The performance gains in terms of the mean and standard deviation of the content retrieve delay are40.5% and 21.56%.

Han Qin,Jiaming Weng,Dong Liu,Donglian Qi,Yufei Wang

DOI: https://doi.org/10.17775/cseejpes.2020.04550

IF: 6.014

2024-01-01

CSEE Journal of Power and Energy Systems

Abstract:With the help of advanced information technology, real-time monitoring and control levels of cyber-physical distribution systems (CPDS) have been significantly improved. However due to the deep integration of cyber and physical systems, attackers could still threaten the stable operation of CPDS by launching cyber-attacks, such as denial-of-service (DoS) attacks. Thus, it is necessary to study the CPDS risk assessment and defense resource allocation methods under DoS attacks. This paper analyzes the impact of DoS attacks on the physical system based on the CPDS fault self-healing control. Then, considering attacker and defender strategies and attack damage, a CPDS risk assessment framework is established. Furthermore, risk assessment and defense resource allocation methods, based on the Stackelberg dynamic game model, are proposed under conditions in which the cyber and physical systems are launched simultaneously. Finally, a simulation based on an actual CPDS is performed, and the calculation results verify the effectiveness of the algorithm.

Junchi Xing,Mingliang Yang,Haifeng Zhou,Chunming Wu,Wei Ruan

DOI: https://doi.org/10.1109/IPCCC47392.2019.8958776

2019-01-01

Abstract:Network reconnaissance aims at gathering as much information as possible before an attack is launched. Meanwhile, static host address configuration facilitates network reconnaissance. Currently, more sophisticated network reconnaissance has been emerged with the adaptive and cooperative features. To address this, in this paper, we present Hiding and Trapping (HaT), which is a deceptive approach to disrupt adversarial network reconnaissance with the help of the software-defined networking (SDN) paradigm. HaT is able to hide valuable hosts from attackers and to trap them into decoy nodes through strategic and holistic host address mutation according to characteristic of adversaries. We implement a prototype of HaT, and evaluate its performance by experiments. The experimental results show that HaT is capable to effectively disrupt adversarial network reconnaissance with better deceptive performance than the existing address randomization approach.

Quan Ren,Jiangxing Wu,Lei He

DOI: https://doi.org/10.1049/cje.2020.05.001

IF: 1.019

2020-01-01

Chinese Journal of Electronics

Abstract:Cyberspace mimic domain name system（CMDNS） adopts dynamic heterogeneous redundant architecture with strategic decision mechanism to control the effectiveness of uncertain disturbance.There is lack of methods to evaluate the availability and awareness security of CMDNS.To further describe and analyze the characteristics of CMDNS accurately, the Generalized stochastic Petri net（GSPN） is used to model the attack disturbance and defense of mimic Domain name system（DNS）, and the availability and awareness security of Dissimilar redundancy system（DRS） and mimic DNS under different disturbance intensities are compared.We compared the different effect of local service query and real network query on the average response delay.The results show that the introduction of mimic architecture will inevitably pay the corresponding delay cost which increase 9.3% compared with traditional local DNS, but it has little effect on the service which only increases by 1.9% compared with the DNS transmission delay at the network communication level.

Lei He,Quan Ren,Bolin Ma,Weili Zhang,Jiangxing Wu

DOI: https://doi.org/10.23919/jcc.2021.00.011

2022-01-01

China Communications

Abstract:With the rapid development of information technology, the cyberspace security problem is increasingly serious. Kinds of dynamic defense technology have emerged such as moving target defense and mimic defense. This paper aims to describe the architecture and analyze the performance of Cyberspace Mimic DNS based on generalized stochastic Petri net. We propose a general method of anti-attacking analysis. For general attack and special attack model, the available probability, escaped probability and non-special awareness probability are adopted to quantitatively analyze the system performance. And we expand the GSPN model to adjust to engineering practice by specifying randomness of different output vectors. The result shows that the proposed method is effective, and Mimic system has high anti-attacking performance. To deal with the special attack, we can integrate the traditional defense mechanism in engineering practice. Besides, we analyze the performance of mimic DNSframework based on multi-ruling proxy and input-output desperation, the results represent we can use multi ruling or high-speed cache servers to achieve the consistent cost of delay, throughput compared with single authorized DNS, it can effectively solve 10% to 20% performance loss caused by general ruling proxy.

Chao Qi,Jiangxing Wu,Guozhen Cheng,Jianjian Ai,Shuo Zhao

DOI: https://doi.org/10.1155/2018/4123736

IF: 1.968

2018-01-01

Security and Communication Networks

Abstract:Security evaluation of SDN architectures is of critical importance to develop robust systems and address attacks. Focused on a novel-proposed dynamic SDN framework, a game-theoretic model is presented to analyze its security performance. This model can represent several kinds of players' information, simulate approximate attack scenarios, and quantitatively estimate systems' reliability. Andwe explore several typical game instances defined by system's capability, players' objects, and strategies. Experimental results illustrate that the system's detection capability is not a decisive element to security enhancement as introduction of dynamism and redundancy into SDNcan significantly improve security gain and compensate for its detection weakness. Moreover, we observe a range of common strategic actions across environmental conditions. And analysis reveals diverse defense mechanisms adopted in dynamic systems have different effect on security improvement. Besides, the existence of equilibrium in particular situations further proves the novel structure's feasibility, flexibility, and its persistent ability against long-term attacks.

Yonghui Huang,Yan Ma,Zhaowen Lin,Shuyue Wang,Bowen Xie

DOI: https://doi.org/10.1142/s0218126622500426

2021-01-01

Abstract:By endowing network with the ability of reliable scheduling of security resources, it can realize the dynamic deployment of security resources as well as the efficient configuration of protection resources, and further can quickly respond to network security threats and emergencies timely. Furthermore, due to the network is increasingly complex, it is of great importance to make it reliable by invoking appropriate security resources. However, the security mechanism and response speed of traditional network based on security domain division, network boundary protection are hard to meet the requirements of the virtual network. In this paper, we propose the SDN-empowered reliable and dynamic scheduling scheme for security resources. In the scheme, we use network security resource virtualization technology to virtualize and modularize network security software and hardware resources; at the SDN control layer, we propose meta-security function combination technology to provide on-demand customization for various security applications’ security service; by using role-based conflict detection and conflict resolution technology, we can detect and handle security rule conflicts. The experiments show that the scheme is reliable and efficient with low latency and great throughput.

Xinming Chen,Beipeng Mu,Zhen Chen

DOI: https://doi.org/10.1109/cmc.2011.94

2011-01-01

Abstract:Malicious attacks are frequently launched to make specified network service unavailable, compromising end hosts for political or business purpose. Though network security appliances are widely deployed to resist these attacks, there is a lack of dynamic and collaborative platform to flexibly configure and manage all the security elements. In this paper, we present NetSecu, a platform based on Java and Click Router, which can dynamically enable, disable and configure security elements such as firewall, IPS and AV. Furthermore, a collaborate module is implemented to integrate individual NetSecu platform into a Secure Overlay Network, providing collaborative traffic control against DDoS attack. Equipped with collaborate module, NetSecu platforms are organized in a tree hierarchy where each level node is registered to its father node. A Central Management Site acts as the root node for large scale deployment. The policy is distributed from higher level to lower level NetSecu nodes, while security events are aggregated from lower level to higher level. Performance evaluation shows that our NetSecu system can achieve line rate with and without security function. Finally we deploy the NetSecu platform in multiple sites, where our design is fully demonstrated and tested.

Levent Altay,Kubra Kalkan,Gurkan Gur,Fatih Alagoz

DOI: https://doi.org/10.1109/jsac.2018.2869997

IF: 16.4

2018-10-01

IEEE Journal on Selected Areas in Communications

Abstract:Software-defined networking (SDN) is a communication paradigm that brings cost efficiency and flexibility through software-defined functions resident on centralized controllers. Although SDN applications are introduced in a limited scope with related technologies still under development, operational SDN networks already face major security threats. Therefore, comprehensive and efficient solutions are crucial. Especially, large-scale security threats such as distributed-denial-of-service (DDoS) attacks are jeopardizing safety and availability of data and services in these systems. A DDoS attack is aimed at making resources unavailable to legitimate users via overloading systems with excessive superfluous traffic from distributed sources. In this paper, we describe and evaluate a joint entropy-based security scheme (JESS) to enhance the SDN security with the aim of a reinforced SDN architecture against DDoS attacks. In particular, our proposed model devises a statistical solution to detect and mitigate these hazards. To the best of our knowledge, JESS is the first model that utilizes joint entropy for DDoS detection and mitigation in the SDN environment. Since it relies on a statistical model, it mitigates not only known attacks but also unfamiliar types in an efficient manner.

telecommunications,engineering, electrical & electronic

Quan Ren,Tao Hu,Jiangxing Wu,Yuxiang Hu,Lei He,Julong Lan

DOI: https://doi.org/10.1016/j.comnet.2021.108134

IF: 5.493

2021-01-01

Computer Networks

Abstract:SDN improves the flexibility and programmability of the network. However, malicious attacks caused by potential vulnerabilities and backdoors can easily lead to data and rule tampering in the network. To address this problem, this paper proposes an endogenous secure SDN network framework based on multipath resilient routing (MRR). MRR includes multipath comparing forwarding, multipath weighted forwarding, and multipath random forwarding. The framework ensures the correctness of flow rules and data content by dynamically comparing the consistency of multi-heterogeneous path data within a certain period, and multipath can also achieve load balance by weighted forwarding. In the MRR framework, we also present an intermediate information feedback mechanism based on encryption authentication and give a mathematical model to evaluate it. This mechanism can accurately identify and dynamically repair malicious switches. Simulation evaluation and prototype system test show that this framework can achieve high accuracy of flow transmission and high availability of system. At the same time, multipath comparing forwarding will bring some performance costs such as delay, bandwidth, and jitter at initial and attacking time. However, when the appropriate forwarding mode and reasonable period T are selected, the proportion of delay introduced by comparing and ruling can be less than 10%, and the average bandwidth of mixed forwarding is almost the same as traditional multipaths', such as we can guarantee 25% multipath comparing forwarding when the bandwidth requirement is 250 M in prototype system.

Chao Qi,Jiangxing Wu,Hongchang Chen,Hongtao Yu,Hongchao Hu,Guozhen Cheng

DOI: https://doi.org/10.1109/VTCSpring.2017.8108542

2017-01-01

Abstract:Security evaluation of diverse SDN frameworks is of significant importance to design resilient systems and deal with attacks. Focused on SDN scenarios, a game-theoretic model is proposed to analyze their security performance in existing SDN architectures. The model can describe specific traits in different structures, represent several types of information of players (attacker and defender) and quantitatively calculate systems' reliability. Simulation results illustrate dynamic SDN structures have distinct security improvement over static ones. Besides, effective dynamic scheduling mechanisms adopted in dynamic systems can enhance their security further.

Zhiyong Shan,Vinod Namboodiri

DOI: https://doi.org/10.24297/ijct.v20i.8841

2020-09-10

Abstract:In recent years, the emerged network worms and attacks have distributive characteristics, which can spread globally in a short time. Security management crossing network to co-defense network-wide attacks and improve the efficiency of security administration is urgently needed. This paper proposes a hierarchical distributed network security management system (HD-NSMS), which can centrally manage security across networks. First describes the system in macrostructure and microstructure; then discusses three key problems when building HD-NSMS: device model, alert mechanism, and emergency response mechanism; at last, it describes the implementation of HD-NSMS. The paper is valuable for implementing NSMS in that it derives from a practical network security management system (NSMS).

English Else

Anand J.V.

DOI: https://doi.org/10.36548/jucct.2019.2.005

2019-12-30

Journal of Ubiquitous Computing and Communication Technologies

Abstract:Nowadays the technological advancements have made the internet ubiquitous and linked a wide group of people to be through it, paving way for a network transferal, causing the applications to be shifted from its local servers to the cloud ecosystem. The shifting of the computer applications led to entailment of enormous network connectivity that caused difficulties in the operations of the network. The software defined networks emerged as capable solution for the managing the difficulties arising due to the paradigm shift, and enriched the network operators with high flexibility programming in accessing as well as controlling the multiple routing paths. However the security and the sustainability in the SDN is still an open issue. So the paper looks forward to design and develop a secure and a sustainable software defined networks. The proposed method is simulated with the NS2 to verify the enhanced quality of service provided in terms of security, throughput and the Packet drop rate.

Ali Nadim Alhaj,Narottam Das Patel,Ajeet Singh,Rohit Kumar Bondugula,Mohsin Furkh Dar,Jameel Ahamed

DOI: https://doi.org/10.1504/ijsnet.2024.141613

2024-09-28

International Journal of Sensor Networks

Abstract:The rapid expansion of networks has given rise to numerous challenges and issues. In recent years, one idea that has captivated researchers is segregating the forwarding and control levels, which emerged with software-defined networking (SDN) frameworks. Despite centralised management and network administration advantages, SDN networks have encountered several issues, with safety and reliability being the most prominent. This paper proposes a comprehensive robust security architecture for SDN networks that consists of modular components. Each module addresses a specific security challenge, and by integrating these security solutions, we aim to establish a cohesive security framework for SDN. Furthermore, we propose a robust security algorithm capable of effectively mitigating critical security attacks such as DDoS, ARP, and MITM. Our approach involves developing a multi-level security algorithm to counteract most DDoS attacks, while also devising a real-time algorithm specifically designed to handle ARP attacks, including request-replay-ARP DoS attacks.

computer science, information systems,telecommunications

Shiang-Jiun Chen,Chin-Shen Fang,Tzu-Yun Wang,I-Wei Chiang

DOI: https://doi.org/10.1109/ICKII58656.2023.10332769

2023-08-11

Abstract:Under the Software-Defined Networking (SDN) framework, Low Earth Orbit (LEO) operates with its multiple architectures, including Cross-Domain Controller Architecture, Inter-Domain Controller Architecture, and so on. For cross-domain controller structure, the security of the east-west protocol is considered, including the protocols and sources in its secure design. For the inter-domain controller, the south-north bound protocol and software are used. we proposed a method to build a treatment model to provide a mechanism for the abnormal behavior. On these two architectures, we employed a series of security analysis methods and countermeasures. Regarding the security analysis methods, we used software composite analysis (SCA), static application security testing (SAST), and dynamic application security testing (DAST) to assess the potential threats and attack vectors, and then build a threat model. East-west and south-north (application layer) protocols were considered in building the threat model. With this model, the monitor mechanism was established for the abnormal activities. The security performance was evaluated.

Engineering,Computer Science

Xiangjun Meng,Zhifeng Zhao,Rongpeng Li,Honggang Zhang

DOI: https://doi.org/10.1109/wcsp.2017.8171066

2017-01-01

Abstract:Honeynet is deployed to trap attackers and learn their behavior patterns and motivations. Conventional honeynet is implemented by dedicated hardware and software. It suffers from inflexibility, high CAPEX and OPEX. There have been several virtualized honeynet architectures to solve those problems. But they lack a standard operating environment and common architecture for dynamic scheduling and adaptive resource allocation. Software Defined Security (SDS) framework has a centralized control mechanism and intelligent decision making ability for different security functions. In this paper, we present a new intelligent honeynet architecture based on SDS framework. It implements security functions over Network Function Virtualization Infrastructure (NFVI). Under uniform and intelligent control, security functional modules can be dynamically deployed and collaborated to complete different tasks. It migrates resources according to the workloads of each honeypot and power off unused modules. Simulation results show that intelligent honeynet has a better performance in conserving resources and reducing energy consumption. The new architecture can fit the needs of future honeynet development and deployment.