Biblio

The rapid growth of the Internet is, in part, powered by the broad participation of numerous vendors building network components. All these network devices require that they be properly configured and maintained, which creates a challenge for system administrators of complex networks with a growing variety of heterogeneous devices. This challenge is true for today's networks, as well as for the networking architectures of the future, such as Named Data Networking (NDN). This paper gives a preliminary design of an NDNconf framework, an adaptation of a recently developed NETCONF protocol, to realize unified configuration and management for NDN. The presented design is built leveraging the benefits provided by NDN, including the structured naming shared among network and application layers, stateful data retrieval with name-based interest forwarding, in-network caching, data-centric security model, and others. Specifically, the configuration data models, the heart of NDNconf, the elements of the models and models themselves are represented as secured NDN data, allowing fetching models, fetching configuration data that correspond to elements of the model, and issuing commands using the standard Interest-Data exchanges. On top of that, the security of models, data, and commands are realized through native data-centric NDN mechanisms, providing highly secure systems with high granularity of control.

Enterprise networks are increasingly moving towards Software Defined Networking, which is becoming a major trend in the networking arena. With the increased popularity of SDN, there is a greater need for security measures for protecting the enterprise networks. This paper focuses on the design and implementation of an integrated security architecture for SDN based enterprise networks. The integrated security architecture uses a policy-based approach to coordinate different security mechanisms to detect and counteract a range of security attacks in the SDN. A distinguishing characteristic of the proposed architecture is its ability to deal with dynamic changes in the security attacks as well as changes in trust associated with the network devices in the infrastructure. The adaptability of the proposed architecture to dynamic changes is achieved by having feedback between the various security components/mechanisms in the architecture and managing them using a dynamic policy framework. The paper describes the prototype implementation of the proposed architecture and presents security and performance analysis for different attack scenarios. We believe that the proposed integrated security architecture provides a significant step towards achieving a secure SDN for enterprises.

The Internet of things networks is vulnerable to many DOS attacks. Among them, Blackhole attack is one of the severe attacks as it hampers communication among network devices. In general, the solutions presented in the literature for Blackhole detection are not efficient. In addition, the existing approaches do not factor-in, the consumption in resources viz. energy, bandwidth and network lifetime. Further, these approaches are also insensitive to the mechanism used for selecting a parent in on Blackhole formation. Needless to say, a blackhole node if selected as parent would lead to orchestration of this attack trivially and hence it is an important factor in selection of a parent. In this paper, we propose SIEWE (Strainer based Intrusion Detection of Blackhole in 6LoWPAN for the Internet of Things) - an Intrusion detection mechanism to identify Blackhole attack on Routing protocol RPL in IoT. In contrast to the Watchdog based approaches where every node in network runs in promiscuous mode, SIEWE filters out suspicious nodes first and then verifies the behavior of those nodes only. The results that we obtain, show that SIEWE improves the Packet Delivery Ratio (PDR) of the system by blacklisting malicious Blackhole nodes.

The growing trend toward information technology increases the amount of data travelling over the network links. The problem of detecting anomalies in data streams has increased with the growth of internet connectivity. Software-Defined Networking (SDN) is a new concept of computer networking that can adapt and support these growing trends. However, the centralized nature of the SDN design is challenged by the need for an efficient method for traffic monitoring against traffic anomalies caused by misconfigured devices or ongoing attacks. In this paper, we propose a new model for traffic behavior monitoring that aims to ensure trusted communication links between the network devices. The main objective of this model is to confirm that the behavior of the traffic streams matches the instructions provided by the SDN controller, which can help to increase the trust between the SDN controller and its covered infrastructure components. According to our preliminary implementation, the behavior monitoring unit is able to read all traffic information and perform a validation process that reports any mismatching traffic to the controller.

The consistency checking of network security policy is an important issue of network security field, but current studies lack of overall security strategy modeling and entire network checking. In order to check the consistency of policy in distributed network system, a security policy model is proposed based on network topology, which checks conflicts of security policies for all communication paths in the network. First, the model uniformly describes network devices, domains and links, abstracts the network topology as an undirected graph, and formats the ACL (Access Control List) rules into quintuples. Then, based on the undirected graph, the model searches all possible paths between all domains in the topology, and checks the quintuple consistency by using a classifying algorithm. The experiments in campus network demonstrate that this model can effectively detect the conflicts of policy globally in the distributed network and ensure the consistency of the network security policies.

Hash tables form a core component of many algorithms as well as network devices. Because of their large size, they often require a combined memory model, in which some of the elements are stored in a fast memory (for example, cache or on-chip SRAM) while others are stored in much slower memory (namely, the main memory or off-chip DRAM). This makes the implementation of real-life hash tables particularly delicate, as a suboptimal choice of the hashing scheme parameters may result in a higher average query time, and therefore in a lower throughput. In this paper, we focus on multiple-choice hash tables. Given the number of choices, we study the tradeoff between the load of a hash table and its average lookup time. The problem is solved by analyzing an equivalent problem: the expected maximum matching size of a random bipartite graph with a fixed left-side vertex degree. Given two choices, we provide exact results for any finite system, and also deduce asymptotic results as the fast memory size increases. In addition, we further consider other variants of this problem and model the impact of several parameters. Finally, we evaluate the performance of our models on Internet backbone traces, and illustrate the impact of the memories speed difference on the choice of parameters. In particular, we show that the common intuition of entirely avoiding slow memory accesses by using highly efficient schemes (namely, with many fast-memory choices) is not always optimal.
 

The OpenFlow architecture is a proposal from the Clean Slate initiative to define a new Internet architecture where the network devices are simple, and the control and management plane is performed by a centralized controller. The simplicity and centralization architecture makes it reliable and inexpensive. However, this architecture does not provide mechanisms to detect conflicting in flows, allowing that unreachable flows can be configured in the network elements, and the network may not behave as expected. This paper proposes an approach to conflict detection using first-order logic to define possible antagonisms and employ an inference engine to detect conflicting flows before the OpenFlow controller implement in the network elements.