Biblio

Filters: Keyword is software-defined network
2023-09-08
Shah, Sunil Kumar, Sharma, Raghavendra, Shukla, Neeraj.  2022.  Data Security in IoT Networks using Software-Defined Networking: A Review. 2022 IEEE World Conference on Applied Intelligence and Computing (AIC). :909–913.
Wireless Sensor networks can be composed of smart buildings, smart homes, smart grids, and smart mobility, and they can even interconnect all these fields into a large-scale smart city network. Software-Defined Networking is an ideal technology to realize Internet-of-Things (IoT) Network and WSN network requirements and to efficiently enhance the security of these networks. When Software-Defined Networking (SDN) is used to support IoT and WSN related networking elements, additional security concerns rise, due to the elevated vulnerability of such deployments to specific types of attacks and the necessity of inter-cloud communication any IoT application would require. This work is a study of different security mechanisms available in SDN for IoT and WSN network secure communication. This work also formulates the problems when existing methods are implemented with different network parameters.
2022-09-20
Singh, Jagdeep, Behal, Sunny.  2021.  A Novel Approach for the Detection of DDoS Attacks in SDN using Information Theory Metric. 2021 8th International Conference on Computing for Sustainable Global Development (INDIACom). :512–516.
Internet always remains the target for the cyberattacks, and attackers are getting equipped with more potent tools due to the advancement of technology to breach the security of the Internet. Industries and organizations are sponsoring many projects to avoid these kinds of problems. As a result, SDN (Software Defined Network) architecture is becoming an acceptable alternative for the traditional IP based networks which seems a better approach to defend the Internet. However, SDN is also vulnerable to many new threats because of its architectural concept. SDN might be a primary target for DoS (Denial of Service) and DDoS (Distributed Denial of Service) attacks due to centralized control and linking of data plane and control plane. In this paper, we propose a novel technique for detection of DDoS attacks using information theory metric. We compared our approach with widely used Intrusion Detection Systems (IDSs) based on Shannon entropy and Renyi entropy, and proved that our proposed methodology has more power to detect malicious flows in SDN based networks. We have used precision, detection rate and FPR (False Positive Rate) as performance parameters for comparison, and validated the methodology using a topology implemented in Mininet network emulator.
2022-04-13
Sulaga, D Tulasi, Maag, Angelika, Seher, Indra, Elchouemi, Amr.  2021.  Using Deep learning for network traffic prediction to secure Software networks against DDoS attacks. 2021 6th International Conference on Innovative Technology in Intelligent System and Industrial Applications (CITISIA). :1–10.
Deep learning (DL) is an emerging technology that is being used in many areas due to its effectiveness. One of its major applications is attack detection and prevention of backdoor attacks. Sampling-based measurement approaches in the software-defined network of an Internet of Things (IoT) network often result in low accuracy, high overhead, higher memory consumption, and low attack detection. This study aims to review and analyse papers on DL-based network prediction techniques against the problem of Distributed Denial of service attack (DDoS) in a secure software network. Techniques and approaches have been studied, that can effectively predict network traffic and detect DDoS attacks. Based on this review, major components are identified in each work from which an overall system architecture is suggested showing the basic processes needed. Major findings are that the DL is effective against DDoS attacks more than other state of the art approaches.
2022-02-22
Gao, Chungang, Wang, Yongjie, Xiong, Xinli, Zhao, Wendian.  2021.  MTDCD: an MTD Enhanced Cyber Deception Defense System. 2021 IEEE 4th Advanced Information Management, Communicates, Electronic and Automation Control Conference (IMCEC). 4:1412–1417.
Advanced persistent threat (APT) attackers usually conduct a large number of network reconnaissance before a formal attack to discover exploitable vulnerabilities in the target network and system. The static configuration in traditional network systems provides a great advantage for adversaries to find network targets and launch attacks. To reduce the effectiveness of adversaries' continuous reconnaissance attacks, this paper develops a moving target defense (MTD) enhanced cyber deception defense system based on software-defined networks (SDN). The system uses virtual network topology to confuse the target network and system information collected by adversaries. Besides, it uses IP address randomization to increase the dynamics of network deception to enhance its defense effectiveness. Finally, we implemented the system prototype and evaluated it. In a configuration where the virtual network topology scale is three network segments, and the address conversion cycle is 30 seconds, this system delayed the adversaries' discovery of vulnerable hosts by an average of seven times, reducing the probability of adversaries successfully attacking vulnerable hosts by 83%. At the same time, the increased system overhead is basically within 10%.
2021-05-13
Sheng, Mingren, Liu, Hongri, Yang, Xu, Wang, Wei, Huang, Junheng, Wang, Bailing.  2020.  Network Security Situation Prediction in Software Defined Networking Data Plane. 2020 IEEE International Conference on Advances in Electrical Engineering and Computer Applications (AEECA). :475–479.
Software-Defined Networking (SDN) simplifies network management by separating the control plane from the data forwarding plane. However, the plane separation technology introduces many new loopholes in the SDN data plane. In order to facilitate taking proactive measures to reduce the damage degree of network security events, this paper proposes a security situation prediction method based on particle swarm optimization algorithm and long-short-term memory neural network for network security events on the SDN data plane. According to the statistical information of the security incident, the analytic hierarchy process is used to calculate the SDN data plane security situation risk value. Then use the historical data of the security situation risk value to build an artificial neural network prediction model. Finally, a prediction model is used to predict the future security situation risk value. Experiments show that this method has good prediction accuracy and stability.
2021-03-04
Hashemi, M. J., Keller, E.  2020.  Enhancing Robustness Against Adversarial Examples in Network Intrusion Detection Systems. 2020 IEEE Conference on Network Function Virtualization and Software Defined Networks (NFV-SDN). :37–43.

The increase of cyber attacks in both the numbers and varieties in recent years demands to build a more sophisticated network intrusion detection system (NIDS). These NIDS perform better when they can monitor all the traffic traversing through the network like when being deployed on a Software-Defined Network (SDN). Because of the inability to detect zero-day attacks, signature-based NIDS which were traditionally used for detecting malicious traffic are beginning to get replaced by anomaly-based NIDS built on neural networks. However, recently it has been shown that such NIDS have their own drawback namely being vulnerable to the adversarial example attack. Moreover, they were mostly evaluated on the old datasets which don't represent the variety of attacks network systems might face these days. In this paper, we present Reconstruction from Partial Observation (RePO) as a new mechanism to build an NIDS with the help of denoising autoencoders capable of detecting different types of network attacks in a low false alert setting with an enhanced robustness against adversarial example attack. Our evaluation conducted on a dataset with a variety of network attacks shows denoising autoencoders can improve detection of malicious traffic by up to 29% in a normal setting and by up to 45% in an adversarial setting compared to other recently proposed anomaly detectors.

2021-02-16
Kriaa, S., Papillon, S., Jagadeesan, L., Mendiratta, V.  2020.  Better Safe than Sorry: Modeling Reliability and Security in Replicated SDN Controllers. 2020 16th International Conference on the Design of Reliable Communication Networks DRCN 2020. :1–6.
Software-defined networks (SDN), through their programmability, significantly increase network resilience by enabling dynamic reconfiguration of network topologies in response to faults and potentially malicious attacks detected in real-time. Another key trend in network softwarization is cloud-native software, which, together with SDN, will be an integral part of the core of future 5G networks. In SDN, the control plane forms the "brain" of the software-defined network and is typically implemented as a set of distributed controller replicas to avoid a single point of failure. Distributed consensus algorithms are used to ensure agreement among the replicas on key data even in the presence of faults. Security is also a critical concern in ensuring that attackers cannot compromise the SDN control plane; byzantine fault tolerance algorithms can provide protection against compromised controller replicas. However, while reliability/availability and security form key attributes of resilience, they are typically modeled separately in SDN, without consideration of the potential impacts of their interaction. In this paper we present an initial framework for a model that unifies reliability, availability, and security considerations in distributed consensus. We examine – via simulation of our model – some impacts of the interaction between accidental faults and malicious attacks on SDN and suggest potential mitigations unique to cloud-native software.
2020-12-01
Quingueni, A. M., Kitsuwan, N.  2019.  Reduction of traffic between switches and IDS for prevention of DoS attack in SDN. 2019 19th International Symposium on Communications and Information Technologies (ISCIT). :277–281.

Denial of service (DoS) is a process of injecting malicious packets into the network. Intrusion detection system (IDS) is a system used to investigate malicious packets in the network. Software-defined network (SDN) physically separates control plane and data plane. The control plane is moved to a centralized controller, and it makes a decision in the network from a global view. The combination between IDS and SDN allows the prevention of malicious packets to be more efficient due to the advantage of the global view in SDN. IDS needs to communicate with switches to have an access to all end-to-end traffic in the network. The high traffic in the link between switches and IDS results in congestion. The congestion between switches and IDS delays the detection and prevention of malicious traffic. To address this problem, we propose a historical database (Hdb), a scheme to reduce the traffic between switches and IDS, based on the historical information of a sender. The simulation shows that on average, 54.1% of traffic mirrored to IDS is reduced compared to the conventional schemes.

2020-05-15
Xing, Junchi, Yang, Mingliang, Zhou, Haifeng, Wu, Chunming, Ruan, Wei.  2019.  Hiding and Trapping: A Deceptive Approach for Defending against Network Reconnaissance with Software-Defined Network. 2019 IEEE 38th International Performance Computing and Communications Conference (IPCCC). :1–8.

Network reconnaissance aims at gathering as much information as possible before an attack is launched. Meanwhile, static host address configuration facilitates network reconnaissance. Currently, more sophisticated network reconnaissance has emerged with the adaptive and cooperative features. To address this, in this paper, we present Hiding and Trapping (HaT), which is a deceptive approach to disrupt adversarial network reconnaissance with the help of the software-defined networking (SDN) paradigm. HaT is able to hide valuable hosts from attackers and to trap them into decoy nodes through strategic and holistic host address mutation according to characteristic of adversaries. We implement a prototype of HaT, and evaluate its performance by experiments. The experimental results show that HaT is capable of effectively disrupting adversarial network reconnaissance with better deceptive performance than the existing address randomization approach.

2020-04-17
You, Ruibang, Yuan, Zimu, Tu, Bibo, Cheng, Jie.  2019.  HP-SDDAN: High-Performance Software-Defined Data Access Network. 2019 IEEE 21st International Conference on High Performance Computing and Communications; IEEE 17th International Conference on Smart City; IEEE 5th International Conference on Data Science and Systems (HPCC/SmartCity/DSS). :849–856.

Recently, data protection has become increasingly important in cloud environments. The cloud platform has global user information, rich storage resource allocation information, and a fuller understanding of data attributes. At the same time, there is an urgent need for data access control to provide data security, and software-defined network, as a ready-made facility, has a global network view, global network management capabilities, and programmable network rules. In this paper, we present an approach, named High-Performance Software-Defined Data Access Network (HP-SDDAN), providing software-defined data access network architecture, global data attribute management and attribute-based data access network. HP-SDDAN combines the excellent features of cloud platform and software-defined network, and fully considers the performance to implement software-defined data access network. In evaluation, we verify the effectiveness and efficiency of HP-SDDAN implementation, with only 1.46% overhead to achieve attribute-based data access control of attribute-based differential privacy.

2020-03-18
Mei, Lei, Tong, Haojie, Liu, Tong, Tian, Ye.  2019.  PSA: An Architecture for Proactively Securing Protocol-Oblivious SDN Networks. 2019 IEEE 9th International Conference on Electronics Information and Emergency Communication (ICEIEC). :1–6.

Up to now, Software-defined network (SDN) has been developing for many years and various controller implementations have appeared. Most of these controllers contain the normal business logic as well as security defense function. This makes the business logic on the controller tightly coupled with the security function, which increases the burden of the controller and is not conducive to the evolution of the controller. To address this problem, we propose a proactive security framework PSA, which decouples the business logic and security function of the controller, and deploys the security function in the proactive security layer which lies between the data plane and the control plane, so as to provide a unified security defense framework for different controller implementations. Based on PSA, we design a security defense application for the data-to-control plane saturation attack, which overloads the infrastructure of SDN networks. We evaluate the prototype implementation of PSA in the software environments. The results show that PSA is effective with adding only minor overhead into the entire SDN infrastructure.

2020-03-16
Zhou, Yaqiu, Ren, Yongmao, Zhou, Xu, Yang, Wanghong, Qin, Yifang.  2019.  A Scientific Data Traffic Scheduling Algorithm Based on Software-Defined Networking. 2019 IEEE 21st International Conference on High Performance Computing and Communications; IEEE 17th International Conference on Smart City; IEEE 5th International Conference on Data Science and Systems (HPCC/SmartCity/DSS). :62–67.
Compared to ordinary Internet applications, the transfer of scientific data flows often has higher requirements for network performance. The network security devices and systems often affect the efficiency of scientific data transfer. As a new type of network architecture, Software-defined Networking (SDN) decouples the data plane from the control plane. Its programmability allows users to customize the network transfer path and makes the network more intelligent. The Science DMZ model is a private network for scientific data flow transfer, which can improve performance under the premise of ensuring network security. This paper combines SDN with Science DMZ, designs and implements an SDN-based traffic scheduling algorithm considering the load of link. In addition to distinguishing scientific data flow from common data flow, the algorithm further distinguishes the scientific data flows of different applications and performs different traffic scheduling of scientific data for specific link states. Experiments results proved that the algorithm can effectively improve the transmission performance of scientific data flow.
2020-02-17
Byun, Minjae, Lee, Yongjun, Choi, Jin-Young.  2019.  Risk and avoidance strategy for blocking mechanism of SDN-based security service. 2019 21st International Conference on Advanced Communication Technology (ICACT). :187–190.

Software-Defined Network (SDN) is the dynamic network technology to address the issues of traditional networks. It provides centralized view of the whole network through decoupling the control planes and data planes of a network. Most SDN-based security services globally detect and block a malicious host based on IP address. However, the IP address is not verified during the forwarding process in most cases and SDN-based security service may block a normal host with forged IP address in the whole network, which means a false positive. In this paper, we introduce an attack scenario that uses forged packets to make the security service consider a victim host as an attacker so that it blocks the victim. We also introduce cost-effective risk avoidance strategy.

2019-12-16
Chen, Yunfang, Wu, Que, Zhang, Wei, Liu, Qiangchun.  2018.  SD-WAN Source Route Based on Protocol-oblivious Forwarding. Proceedings of the 8th International Conference on Communication and Network Security. :95–99.
Larger companies need more sites in the wide area network (WAN). However, internet service providers cannot obtain sufficient capacity to handle peak traffic, causing a terrible delay. The software-defined network (SDN) allows to own more programmability, adaptability, and application-aware, but scalability is a critical problem for merging both. This paper proposes a solution based on Protocol-Oblivious Forwarding (POF). It is a higher degree of decoupling control and data planes. The control plane uses fields unrelated to the protocol to unify packet match and route, and the data plane uses a set of general flow instructions in fast forwarding. As a result, we only save three flow tables on the forwarding paths so that each packet keeps a pipeline in the source route header to mark the next output ports. This solution can support a constant delay while the network expands.
2019-05-01
Chen, Ming-Hung, Ciou, Jyun-Yan, Chung, I-Hsin, Chou, Cheng-Fu.  2018.  FlexProtect: A SDN-Based DDoS Attack Protection Architecture for Multi-Tenant Data Centers. Proceedings of the International Conference on High Performance Computing in Asia-Pacific Region. :202–209.

With the recent advances in software-defined networking (SDN), the multi-tenant data centers provide more efficient and flexible cloud platform to their subscribers. However, as the number, scale, and diversity of distributed denial-of-service (DDoS) attack is dramatically escalated in recent years, the availability of those platforms is still under risk. We note that the state-of-art DDoS protection architectures did not fully utilize the potential of SDN and network function virtualization (NFV) to mitigate the impact of attack traffic on data center network. Therefore, in this paper, we exploit the flexibility of SDN and NFV to propose FlexProtect, a flexible distributed DDoS protection architecture for multi-tenant data centers. In FlexProtect, the detection virtual network functions (VNFs) are placed near the service provider and the defense VNFs are placed near the edge routers for effective detection and to avoid internal bandwidth consumption, respectively. Based on the architecture, we then propose FP-SYN, an anti-spoofing SYN flood protection mechanism. The emulation and simulation results with real-world data demonstrate that, compared with the traditional approach, the proposed architecture can significantly reduce 46% of the additional routing path and save 60% internal bandwidth consumption. Moreover, the proposed detection mechanism for anti-spoofing can achieve 98% accuracy.

Pratama, R. F., Suwastika, N. A., Nugroho, M. A.  2018.  Design and Implementation Adaptive Intrusion Prevention System (IPS) for Attack Prevention in Software-Defined Network (SDN) Architecture. 2018 6th International Conference on Information and Communication Technology (ICoICT). :299–304.

Intrusion Prevention System (IPS) is a tool for securing networks from any malicious packet that could be sent from specific host. IPS can be installed on SDN network that has centralized logic architecture, so that IPS doesn't need to be installed on lots of nodes instead it has to be installed alongside the controller as center of logic network. IPS still has a flaw and that is the block duration would remain the same no matter how often a specific host attacks. For this reason, writer would like to make a system that not only integrates IPS on the SDN, but also designs an adaptive IPS by utilizing a fuzzy logic that can decide how long blocks are based on the frequency variable and type of attacks. From the results of tests that have been done, SDN network that has been equipped with adaptive IPS has the ability to detect attacks and can block the attacker host with the duration based on the frequency and type of attacks. The final result obtained is to make the SDN network safer by adding 0.228 milliseconds as the execute time required for the fuzzy algorithm in one process.

2018-02-21
Kalinin, Maxim, Krundyshev, Vasiliy, Zegzhda, Peter, Belenko, Viacheslav.  2017.  Network Security Architectures for VANET. Proceedings of the 10th International Conference on Security of Information and Networks. :73–79.
In recent years, cyber security oriented research is paying much close attention on Vehicular Adhoc NETworks (VANETs). However, existing vehicular networks do not meet current security requirements. Typically for dynamic networks, maximal decentralization and rapidly changing topology of moving hosts form a number of security issues associated with ensuring access control of hosts, security policy enforcement, and resistance of the routing methods. To solve these problems generally, the paper reviews SDN (software defined networks) based network security architectures of VANET. The following tasks are solved in our work: composing of network security architectures for SDN-VANET (architecture with the central control and shared security servers, decentralized (zoned) architecture, hierarchical architecture); implementation of these architectures in virtual modeling environment; and experimental study of effectiveness of the suggested architectures. With large-scale vehicular networks, architectures with multiple SDN controllers are most effective. In small networks, the architecture with the central control also significantly outperforms the traditional VANET architecture. For the suggested architectures, three control modes are discussed in the paper: central, distributed and hybrid modes. Unlike common architectures, all of the proposed security architectures allow us to establish a security policy in m2m-networks and increase resistance capabilities of self-organizing networks.