Shumian Yang,Lianhai Wang,Dawei Zhao,Xiaohui Han,Shuhui Zhang

DOI: https://doi.org/10.22323/1.300.0033

2018-01-01

Abstract:Software definition networking is a revolutionary network architecture, which realizes the separation of the control plane and data plane of a network. While providing the centralized controllability and the software programmability, the network itself is encountering many security problems. In order to solve the problem of security threats in SDN networks, there are different layers of unique security challenges and the relevant research on SDN security problems. This paper introduces the depth learning technology into the field of security threat detection in SDN, and propose a security threat detection framework based on depth learning.The framework is based on the research on model establishment, abnormal behavior recognition and decision algorithm design. The software system based on physical memory analysis is under development in SDN. The system verifies the feasibility of this framework, and to finally generate the work plan on SDN infrastructure.

Qiumei Cheng,Chunming Wu,Haifeng Zhou,Yuhang Zhang,Rui Wang,Wei Ruan

DOI: https://doi.org/10.1109/hpcc/smartcity/dss.2018.00149

2018-01-01

Abstract:Guarding the perimeter of cloud-based enterprise networks is a challenge due to massive traffic with dynamic nature. Current firewalls of enterprise networks in cloud are largely based on static security rule configuration or simple rule matching, which makes them inflexible, error-prone and poorly effective, bringing about severe security risks. In this paper, we propose an artificial intelligence-based software-defined networks firewall (AI-SDNF) for solving the above problems. Compared with existing SDN firewalls, AI-SDNF is able to extract and analyze the payload of data packets based on machine learning technologies rather than simply match with flow tables according to several header fields (e.g., source and destination IP/MAC addresses). Considering deciding whether a packet is benign or malicious is able to be formulated as a typical binary classification problem, we employ logistic regression for training an intelligent SDN firewall under supervised machine learning. We implement a prototype of AI-SDNF on the OpenDaylight controller and the OpenStack platform. Based on the prototype, we evaluate its performance and overheads with real dataset. The experimental results indicate that AI-SDNF achieves a relatively high detection accuracy of 96.79% with an average of 0.2ms latency.

Wenmao LIU,Xiaofeng QIU,Pengcheng CHEN,Xutao WEN,Xinxin HE,Dongsheng WANG,Jun LI

DOI: https://doi.org/10.3778/j.issn.1673-9418.1407061

2015-01-01

Abstract:Current OpenFlow specifications provide limited access to packet details, making it inefficient to deploy security applications. Moreover, current security solutions become less flexible as software defined-networking (SDN) develops. This paper proposes a distributed software-defined security architecture (SDSA), which offloads heavy security processing from SDN controller to a dedicated security controller and security APPs, providing both flow and packet level protections against various attacks in the SDN and virtual environment. This paper gives the global view and knowledge of flows, IaaS assets and devices, which can make accurate decisions and ensures devices to execute security rules instantly. The architecture simplifies security device logic greatly by separating security data and control planes, the detection and protection are automated with standardized control messages, making the secu-rity reaction fast. The experiments demonstrate that SDSA can detect DoS attack, port scan and abnormal high traffic with low cost and little overhead.

Chao Qi,Jiangxing Wu,Hongchang Chen,Hongtao Yu,Hongchao Hu,Guozhen Cheng

DOI: https://doi.org/10.1109/VTCSpring.2017.8108542

2017-01-01

Abstract:Security evaluation of diverse SDN frameworks is of significant importance to design resilient systems and deal with attacks. Focused on SDN scenarios, a game-theoretic model is proposed to analyze their security performance in existing SDN architectures. The model can describe specific traits in different structures, represent several types of information of players (attacker and defender) and quantitatively calculate systems' reliability. Simulation results illustrate dynamic SDN structures have distinct security improvement over static ones. Besides, effective dynamic scheduling mechanisms adopted in dynamic systems can enhance their security further.

Pingyue Yue,Jianping An,Jiankang Zhang,Jia Ye,Gaofeng Pan,Shuai Wang,Pei Xiao,Lajos Hanzo

2023-07-19

Abstract:Low Earth Orbit (LEO) satellites undergo a period of rapid development driven by ever-increasing user demands, reduced costs, and technological progress. Since there is a paucity of literature on the security and reliability issues of LEO Satellite Communication Systems (SCSs), we aim to fill this knowledge gap. Specifically, we critically appraise the inherent characteristics of LEO SCSs and elaborate on their security and reliability requirements. In light of this, we further discuss their vulnerabilities, including potential security attacks launched against them and reliability risks, followed by outlining the associated lessons learned. Subsequently, we discuss the corresponding security and reliability enhancement solutions, unveil a range of trade-offs, and summarize the lessons gleaned. Furthermore, we shed light on several promising future research directions for enhancing the security and reliability of LEO SCSs, such as integrated sensing and communication, computer vision aided communications, as well as challenges brought about by mega-constellation and commercialization. Finally, we summarize the lessons inferred and crystallize the take-away messages in our design guidelines.

Signal Processing

Chao Qi,Jiangxing Wu,Guozhen Cheng,Jianjian Ai,Shuo Zhao

DOI: https://doi.org/10.1155/2018/4123736

IF: 1.968

2018-01-01

Security and Communication Networks

Abstract:Security evaluation of SDN architectures is of critical importance to develop robust systems and address attacks. Focused on a novel-proposed dynamic SDN framework, a game-theoretic model is presented to analyze its security performance. This model can represent several kinds of players' information, simulate approximate attack scenarios, and quantitatively estimate systems' reliability. Andwe explore several typical game instances defined by system's capability, players' objects, and strategies. Experimental results illustrate that the system's detection capability is not a decisive element to security enhancement as introduction of dynamism and redundancy into SDNcan significantly improve security gain and compensate for its detection weakness. Moreover, we observe a range of common strategic actions across environmental conditions. And analysis reveals diverse defense mechanisms adopted in dynamic systems have different effect on security improvement. Besides, the existence of equilibrium in particular situations further proves the novel structure's feasibility, flexibility, and its persistent ability against long-term attacks.

Ali Nadim Alhaj,Narottam Das Patel,Ajeet Singh,Rohit Kumar Bondugula,Mohsin Furkh Dar,Jameel Ahamed

DOI: https://doi.org/10.1504/ijsnet.2024.141613

2024-09-28

International Journal of Sensor Networks

Abstract:The rapid expansion of networks has given rise to numerous challenges and issues. In recent years, one idea that has captivated researchers is segregating the forwarding and control levels, which emerged with software-defined networking (SDN) frameworks. Despite centralised management and network administration advantages, SDN networks have encountered several issues, with safety and reliability being the most prominent. This paper proposes a comprehensive robust security architecture for SDN networks that consists of modular components. Each module addresses a specific security challenge, and by integrating these security solutions, we aim to establish a cohesive security framework for SDN. Furthermore, we propose a robust security algorithm capable of effectively mitigating critical security attacks such as DDoS, ARP, and MITM. Our approach involves developing a multi-level security algorithm to counteract most DDoS attacks, while also devising a real-time algorithm specifically designed to handle ARP attacks, including request-replay-ARP DoS attacks.

computer science, information systems,telecommunications

Shuaijie Li,Chaojie Zhang,Chengli Zhao,Chengyi Xia

DOI: https://doi.org/10.1063/5.0194027

2024-03-01

Abstract:Low earth orbit (LEO) satellite constellations have emerged as a promising architecture integrated with ground networks, which can offer high-speed Internet services to global users. However, the security challenges faced by satellite networks are increasing, with the potential for a few satellite failures to trigger cascading failures and network outages. Therefore, enhancing the robustness of the network in the face of cascading failures is of utmost importance. This paper aims to explore the robustness of LEO satellite networks when encountering cascading failures and then proposes a modeling method based on virtual nodes and load capacity. In addition, considering that the ground station layout and the number of connected satellites together determine the structure of the final LEO satellite network, we here propose an improved ground station establishment method that is more suitable for the current network model. Finally, the robustness of the LEO satellite networks is deeply studied under two different attacks and cost constraints. Simulations of LEO satellite networks with different topologies show that the maximum load attacks have a destructive impact on the network, which can be mitigated by adjusting the topology and parameters to ensure normal network operation. The current model and related results provide practical insights into the protection of LEO satellite networks, which can mitigate cascading risks and enhance the robustness of LEO systems.

Peicong Wu,Kanglian Zhao,Wenfeng Li,Zhifeng Liu,Zheng Sun

DOI: https://doi.org/10.1007/978-981-13-9409-6_119

2020-01-01

Abstract:With the exploitation of space technology, low earth orbit (LEO) constellations for global communications are becoming an increasingly attractive research topic. To provide programmability in LEO communications constellations, software defined networking (SDN) is an ideal choice over the traditional distributed IP architecture. In this paper, we addressed an onboard architecture where controllers and switches are both placed on the LEO satellites and supported by two different communication systems, one wide-beam radio frequency (RF) system and one free space optical system, to physically decouple the control plane and the forwarding plane. Simulated annealing algorithm is adopted to further determine the placement of the controllers to optimize the average flow setup time with weighted regional user data traffic rates. The performance of the proposed scheme is verified in an IRIDIUM-alike constellation through computer simulations with failure recovery time and flow setup time compared to other LEO SDN architectures.

Vincent Lenders,Franklyn Sciberras,Martin Strohmeier,Johannes Willbold

DOI: https://doi.org/10.1109/AERO58975.2024.10521192

2024-03-02

Abstract:The security of satellite and space systems has become a pressing concern in recent years as various high-profile incidents involving satellite-based internet access have been observed in the context of the war in Ukraine. An increase in threat level is partly due to a) rapid advancements in affordable software-defined communications equipment, which have made it easier for attackers to gain communication capabilities with orbital assets and b) the increasing adoption of commercial off-the-shelf hardware and software components in spacecraft enhancing affordability and exposing potential vulnerabilities more easily. A recent study revealed that satellite software typically lacks sufficient protection against unauthorized access. However, it remains unclear how this inherent lack of security is critical to other satellites in orbit as no public work exists on cybersecurity reconnaissance. Hence, to date, identifying non-standard commands and assessing potential vulnerabilities are deemed challenging steps for attackers to perform.In light of this current state, this paper analyzes how attackers may conduct reconnaissance on satellites’ capabilities without targeting the ground segment. We develop strategies that attackers may employ to evaluate satellites’ capabilities using a satellite implementation that adheres to the ECSS-standardized Telecommand on top of a CCSDS protocol stack. Our considered strategies encompass enumeration methods to identify the subset of the standard implemented, including non-standardized functionalities. Additionally, we present strategies to analyze implementation-specific aspects of CCSDS’ Space Data Link Security (SDLS) Protocol, which serves as the primary security protocol within the CCSDS protocol family. Our strategies test the potential for timing side channels, fault-message-based enumeration, and payload length enumeration testing. To evaluate the effectiveness of our strategies, we apply them to a real-world satellite and measure their success rate.

Engineering,Political Science,Computer Science

Chengjie Li,Xiaochao Sun,Zhen Zhang

DOI: https://doi.org/10.1109/access.2021.3104875

IF: 3.9

2021-01-01

IEEE Access

Abstract:In satellite communication systems, satellite power and processing capacities are limited, which means that storage and security are also constrained. Satellite communication channels are extremely vulnerable to hackers and external interference signals. Protecting satellite networks from illegal information access and use can be extremely challenging. In this paper, an architecture composed of satellite and ground equipment is developed that integrates communication network authentication and privacy protection structures. In the proposed scheme, the communication, registration, authentication, and revocation of information are achieved through stages to improve communication security. The satellite forwards the collected information to a ground base station, which has a strong data processing capacity. The ground base station records all the key parameters in the distributed blockchain, and all malicious node certificates are removed from the system. To further enhance data transmission security, the key is transferred using an asymmetric encryption algorithm. To measure the robustness of using the proposed network architecture, under the same attack condition, an invulnerability analysis is performed. After conducting simulation experiments, the results show that the proposed scheme greatly improves communication security and protection.

Olfa Ben Yahia,William Ferguson,Sumit Chakravarty,Nesrine Benchoubane,Gunes Karabulut Kurt,Gürkan Gür,Gregory Falco

2024-11-20

Abstract:The rapid evolution of communication technologies, compounded by recent geopolitical events such as the Viasat cyberattack in February 2022, has highlighted the urgent need for fast and reliable satellite missions for military and civil security operations. Consequently, this paper examines two Earth observation (EO) missions: one utilizing a single low Earth orbit (LEO) satellite and another through a network of LEO satellites, employing a secure-by-component design strategy. This approach begins by defining the scope of technical security engineering, decomposing the system into components and data flows, and enumerating attack surfaces. Then it proceeds by identifying threats to low-level components, applying secure-by-design principles, redesigning components into secure blocks in alignment with the Space Attack Research & Tactic Analysis (SPARTA) framework, and crafting shall statements to refactor the system design, with a particular focus on improving the security of the link segment.

Cryptography and Security,Signal Processing

Quan Ren,Zehua Guo,Jiangxing Wu,Tao Hu,Lu Jie,Yuxiang Hu,Lei He

DOI: https://doi.org/10.1109/tnsm.2022.3163198

2022-01-01

Abstract:In this paper, we propose a resilient control plane based on endogenous security for Software-Defined Networking (SDN) named SDN-ESRC to prevent vulnerability backdoor attacks. SDN-ESRC uses a set of heterogeneous controllers (e.g., RYU, OpenDayLight, ONOS) to compose the control plane and dynamically and adaptively selects several heterogeneous controller instances from the controller set to detect and correct the malicious control messages. The design of SDN-ESRC faces two challenges: (1) increasing network update delay due to multi-controller comparison and (2) maintaining high controllable security. To address the first challenge, SDN-ESRC adopts the master modification mode to reduce the network update delay and identify malicious control messages. To address the second challenge, SDN-ESRC introduces the comparison modification mode to ensure high availability in real time. We propose an evaluation model for SDN-ESRC and theoretically analyze the SDN-ESRC’s endogenous security performance under three typical backdoor attack scenarios. We implement SDN-ESRC in a prototype system and conduct simulations and experiments. The results show that SDN-ESRC can improve the backdoor damage attack security up to 98.3%, the backdoor random attack security up to 99.99%, and the backdoor coordinated attack security up to 82% at the cost of increasing network update delay less than 8.3%.

Xuan-Bo Huang,Kai-Ping Xue,Yi-Tao Xing,Ding-Wen Hu,Ruidong Li,Qi-Bin Sun

DOI: https://doi.org/10.1007/s11390-022-1495-0

IF: 1.871

2022-01-01

Journal of Computer Science and Technology

Abstract:Software-defined networking (SDN) decouples the data and control planes. However, attackers can lead catastrophic results to the whole network using manipulated flooding packets, called the data-to-control-plane saturation attacks. The existing methods, using centralized mitigation policies and ignoring the buffered attack flows, involve extra network entities and make benign traffic suffer from long network recovery delays. For these purposes, we propose LFSDM, a saturation attack detection and mitigation system, which solves these challenges by leveraging three new techniques: 1) using linear discriminant analysis (LDA) and extracting a novel feature called control channel occupation rate (CCOR) to detect the attacks, 2) adopting the distributed mitigation agents to reduce the number of involved network entities and, 3) cleaning up the buffered attack flows to enable fast recovery. Experiments show that our system can detect the attacks timely and accurately. More importantly, compared with the previous work, we save 81% of the network recovery delay under attacks ranging from 1 000 to 4 000 packets per second (PPS) on average, and 87% of the network recovery delay under higher attack rates with PPS ranging from 5 000 to 30 000.

Yuan Gao,Hong Ao,Quan Zhou,Zenghui Feng,Weigui Zhou,Yi Li,Xiang-Yang Li

DOI: https://doi.org/10.1109/wispnet.2017.8300047

2017-01-01

Abstract:It has practical significance to carry out research on physical layer security in satellite communication under the condition that our country has paid high attention to technology research on integrated space-terrestrial network information security. This paper addresses multiservice satellite communication using physical layer security, proposes a novel design subject to different speed and data transfer rate demand among fixed, portable, vehicle, shipborne and airborne receivers. For fixed receivers, this paper proposes a resource optimization method of satellite communication using physical layer security subject to different data transfer rate demand in many receivers. For portable, vehicle and shipborne receivers at low speed, this paper uses mean physical layer secrecy capacity to characterize the secure performance of satellite communication using physical layer security. For airborne receivers at high speed, this paper analyzes the impact of the high-speed relative motion between the satellite and the receiver on channel model, which is combined with mean physical layer secrecy capacity to characterize the secure performance of satellite communication using physical layer security.

Deepa Vickramasingam,Sivakumar Bangar

DOI: https://doi.org/10.12720/jcm.18.4.267-273

2023-04-01

Journal of Communications

Abstract:It is expected that 5G networks would require both great dependability and stability as fundamental requirements. The introduction of a satellite component into LTE (long term evolution) networks has emerged as an attractive solution for meeting these requirements. This will enable the provision of backup interoperability to essential base stations and the routing of traffic away from crowded locations. During peak hours, the demand for their terrestrial links must be increased or even adopted in the case of anticipated breakdown or repair. Integrated spaceterrestrial networks have shown to be an advantageous design due to its broad coverage and high precision. Designing a network routing plan is not a straightforward process when the complex relative motion of low-earth-orbit (LEO) satellites and unmanned aircraft systems (UAS) is considered (UAS). To be more explicit, the major difficulty is discovering how to locate acceptable connections in timevarying network settings to offer reliable and effective UAS data transmission. This study begins with a motion analysis of satellites and UASs to discover which access satellites are most suited for usage with UASs. This is done in order to resolve the aforementioned problem. In order to provide an effective and reliable intersatellite link (ISL) deployment between access satellites, double exponential smoothing (DES) is afterwards proposed as an alternative to traditional routing. This is required to guarantee the timely delivery of UAS data. The simulation results demonstrate that the proposed DES approach is both feasible and effective. A time series-based method known as DES is used to compute the port information in an adjustable manner, and an algorithm known as SVM (Support Vector Machine) is utilized to determine if a Distributed Denial of Service (DDoS) attack has really occurred. Experiments that are typical demonstrate that the UAS may greatly reduce the controller's workload while maintaining dependable detection accuracy.

Wenbo Wu,Cheng Tan,Kangcheng Yang,Zhishu Shen,Qiushi Zheng,Jiong Jin

2024-11-09

Abstract:Low Earth Orbit (LEO) satellite networks are increasingly essential for space-based artificial intelligence (AI) applications. However, as commercial use expands, LEO satellite networks face heightened cyberattack risks, especially through satellite-to-satellite communication links, which are more vulnerable than ground-based connections. As the number of operational satellites continues to grow, addressing these security challenges becomes increasingly critical. Traditional approaches, which focus on sending models to ground stations for validation, often overlook the limited communication windows available to LEO satellites, leaving critical security risks unaddressed. To tackle these challenges, we propose a sharded blockchain-based federated learning framework for LEO networks, called SBFL-LEO. This framework improves the reliability of inter-satellite communications using blockchain technology and assigns specific roles to each satellite. Miner satellites leverage cosine similarity (CS) and Density-Based Spatial Clustering of Applications with Noise (DBSCAN) to identify malicious models and monitor each other to detect inaccurate aggregated models. Security analysis and experimental results demonstrate that our approach outperforms baseline methods in both model accuracy and energy efficiency, significantly enhancing system robustness against attacks.

Cryptography and Security,Distributed, Parallel, and Cluster Computing

Arusa Kanwal,Mohammad Nizamuddin,Waseem Iqbal,Waqas Aman,Yawar Abbas,Shynar Mussiraliyeva

DOI: https://doi.org/10.1109/access.2024.3390968

IF: 3.9

2024-04-27

IEEE Access

Abstract:Software Defined Networking (SDN) has emerged as a new paradigm for managing heterogeneous networks ranging from enterprises to home network via decoupling the control plane from the data plane. In the traditional networking landscape, these two planes are tightly bound together inside a single appliance. The logically centralized and distributed control plane and programmability offer a great opportunity to improve network security, such as by implementing new mechanisms to detect and mitigate various threats, and also enable security as a service in an SDN paradigm. Due to the ever increasing and fast development of SDN, this paper provides an extensive survey of SDN controllers, SDN-related security threats, and solutions to mitigate the security threats. This study provides a comprehensive survey of 53 SDN controllers from different aspects, including language, architecture, organization, open source, scalability, consistency, reliability, API used, library, and their description. We have also provided a detailed security analysis of SDN architecture with an extensive classification of security threats endangering its different architectural components and the solutions to effectively mitigate them. This paper also identifies challenges and promising future directions on SDN deployment, standardization, implementation, and security issues that should be addressed in this field.

computer science, information systems,telecommunications,engineering, electrical & electronic

Chao Qi,Jiangxing Wu,Hongchao Hu,Guozhen Cheng

DOI: https://doi.org/10.1049/el.2016.2670

2016-01-01

Electronics Letters

Abstract:Modifying flow rule attack posts a huge threat to controllers in network operating system (NOS) for software defined network (SDN) due to its concealment. Based on the previously proposed NOS architecture with multiple controllers which introduce heterogeneity and dynamic to defend above attack effectively, its dynamic segment about dynamically scheduling controllers is explicitly presented. A dynamic-scheduling method is put forward to maximise security gain of NOS during each switch. This algorithm is able to improve NOS security through altering its framework's diversity to maximum degree while considering switching cost and latency simultaneously. Theory analysis and simulation results prove validity and availability of the devised mechanism and its more effective security performance over traditional architectures.