Biblio

Found 174 results

Filters: Keyword is SDN
2023-07-12
Salman, Fatema, Jedidi, Ahmed.  2022.  Trust-Aware Security system for Dynamic Southbound Communication in Software Defined Network. 2022 International Conference on Innovation and Intelligence for Informatics, Computing, and Technologies (3ICT). :93–97.
The vast proliferation of the connected devices makes the operation of the traditional networks so complex and drops the network performance, particularly, failure cases. In fact, a novel solution is proposed to enable the management of the network resources and services named software defined network (SDN). SDN splits the data plane and the control plane by centralizing all the control plane on one common platform. Further, SDN makes the control plane programmable by offering high flexibility for the network management and monitoring mostly in failure cases. However, the main challenge in SDN is security that is presented as the first barrier for its development. Security in SDN is presented at various levels and forms, particularly, the communication between the data plane and control plane that presents a weak point in SDN framework. In this article, we suggest a new security framework focused on the combination between the trust and awareness concepts (TAS-SDN) for a dynamic southbound communication SDN. Further, TAS-SDN uses trust levels to establish a secure communication between the control plane and data plane. As a result, we discuss the implementation and the performance of TAS-SDN which presents a promote security solution in terms of time execution, complexity and scalability for SDN.
2023-02-24
Rivera, Abel O. Gomez, White, Evan M., Acosta, Jaime C., Tosh, Deepak.  2022.  Enabling Device Trustworthiness for SDN-Enabled Internet-of-Battlefield Things. 2022 IEEE Conference on Dependable and Secure Computing (DSC). :1–7.
Military networks consist of heterogeneous devices that provide soldiers with real-time terrain and mission intelligence. The development of next-generation Software Defined Networks (SDN)-enabled devices is enabling the modernization of traditional military networks. Commonly, traditional military networks take the trustworthiness of devices for granted. However, the recent modernization of military networks introduces cyber attacks such as data and identity spoofing attacks. Hence, it is crucial to ensure the trustworthiness of network traffic to ensure the mission's outcome. This work proposes a Continuous Behavior-based Authentication (CBA) protocol that integrates network traffic analysis techniques to provide robust and efficient network management flow by separating data and control planes in SDN-enabled military networks. The evaluation of the CBA protocol aimed to measure the efficiency of the proposed protocol in realistic military networks. Furthermore, we analyze the overall network overhead of the CBA protocol and its accuracy to detect rogue network traffic data from field devices.
2023-02-17
Sharma, Pradeep Kumar, Kumar, Brijesh, Tyagi, S.S.  2022.  STADS: Security Threats Assessment and Diagnostic System in Software Defined Networking (SDN). 2022 International Conference on Machine Learning, Big Data, Cloud and Parallel Computing (COM-IT-CON). 1:744–751.
Since the advent of the Software Defined Networking (SDN) in 2011 and formation of Open Networking Foundation (ONF), SDN inspired projects have emerged in various fields of computer networks. Almost all the networking organizations are working on their products to be supported by SDN concept e.g. openflow. SDN has provided a great flexibility and agility in the networks by application specific control functions with centralized controller, but it does not provide security guarantees for security vulnerabilities inside applications, data plane and controller platform. As SDN can also use third party applications, an infected application can be distributed in the network and SDN based systems may be easily collapsed. In this paper, a security threats assessment model has been presented which highlights the critical areas with security requirements in SDN. Based on threat assessment model a proposed Security Threats Assessment and Diagnostic System (STADS) is presented for establishing a reliable SDN framework. The proposed STADS detects and diagnoses various threats based on specified policy mechanism when different components of SDN communicate with controller to fulfil network requirements. Mininet network emulator with Ryu controller has been used for implementation and analysis.
Mohammadi, Ali Akbar, Hussain, Rasheed, Oracevic, Alma, Kazmi, Syed Muhammad Ahsan Raza, Hussain, Fatima, Aloqaily, Moayad, Son, Junggab.  2022.  A Novel TCP/IP Header Hijacking Attack on SDN. IEEE INFOCOM 2022 - IEEE Conference on Computer Communications Workshops (INFOCOM WKSHPS). :1–2.
Middlebox is primarily used in Software-Defined Network (SDN) to enhance operational performance, policy compliance, and security operations. Therefore, security of the middlebox itself is essential because incorrect use of the middlebox can cause severe cybersecurity problems for SDN. Existing attacks against middleboxes in SDN (for instance, middlebox-bypass attack) use methods such as cloned tags from the previous packets to justify that the middlebox has processed the injected packet. Flowcloak as the latest solution to defeat such an attack creates a defence using a tag by computing the hash of certain parts of the packet header. However, the security mechanisms proposed to mitigate these attacks are compromise-able since all parts of the packet header can be imitated, leaving the middleboxes insecure. To demonstrate our claim, we introduce a novel attack against SDN middleboxes by hijacking TCP/IP headers. The attack uses crafted TCP/IP headers to receive the tags and signatures and successfully bypasses the middleboxes.
Rahman, Anichur, Hasan, Kamrul, Jeong, Seong-Ho.  2022.  An Enhanced Security Architecture for Industry 4.0 Applications based on Software-Defined Networking. 2022 13th International Conference on Information and Communication Technology Convergence (ICTC). :2127–2130.
Software-Defined Networking (SDN) can be a good option to support Industry 4.0 (4IR) and 5G wireless networks. SDN can also be a secure networking solution that improves the security, capability, and programmability in the networks. In this paper, we present and analyze an SDN-based security architecture for 4IR with 5G. SDN is used for increasing the level of security and reliability of the network by suitably dividing the whole network into data, control, and applications planes. The SDN control layer plays a beneficial role in 4IR with 5G scenarios by managing the data flow properly. We also evaluate the performance of the proposed architecture in terms of key parameters such as data transmission rate and response time.
ISSN: 2162-1241
Jo, Hyeonjun, Kim, Kyungbaek.  2022.  Security Service-aware Reinforcement Learning for Efficient Network Service Provisioning. 2022 23rd Asia-Pacific Network Operations and Management Symposium (APNOMS). :1–4.
In case of deploying additional network security equipment in a new location, network service providers face difficulties such as precise management of large number of network security equipment and expensive network operation costs. Accordingly, there is a need for a method for security-aware network service provisioning using the existing network security equipment. In order to solve this problem, there is an existing reinforcement learning-based routing decision method fixed for each node. This method performs repeatedly until a routing decision satisfying end-to-end security constraints is achieved. This generates a disadvantage of longer network service provisioning time. In this paper, we propose security constraints reinforcement learning based routing (SCRR) algorithm that generates routing decisions, which satisfies end-to-end security constraints by giving conditional reward values according to the agent state-action pairs when performing reinforcement learning.
ISSN: 2576-8565
2023-01-13
Pali, Isha, Amin, Ruhul.  2022.  PortSec: Securing Port Knocking System using Sequence Mechanism in SDN Environment. 2022 International Wireless Communications and Mobile Computing (IWCMC). :1009–1014.
Port knocking provides an added layer of security on top of the existing security systems of a network. A predefined port knocking sequence is used to open the ports, which are closed by the firewall by default. The server determines the valid request if the knocking sequence is correct and opens the desired port. However, this sequence poses a security threat due to its static nature. This paper presents the port knock sequence-based communication protocol in the Software Defined network (SDN). It provides better management by separating the control plane and data plane. At the same time, it causes a communication overhead between the switches and the controller. To avoid this overhead, we are using the port knocking concept in the data plane without any involvement of the SDN controller. This study proposes three port knock sequence-based protocols (static, partial dynamic, and dynamic) in the data plane. To test the protocol in SDN environment, the P4 implementation of the underlying model is done in the BMV2 (behavioral model version 2) virtual switch. To check the security of the protocols, an informal security analysis is performed, which shows that the proposed protocols are secured to be implemented in the SDN data plane.
2022-08-26
Nougnanke, Kokouvi Benoit, Labit, Yann, Bruyere, Marc, Ferlin, Simone, Aïvodji, Ulrich.  2021.  Learning-based Incast Performance Inference in Software-Defined Data Centers. 2021 24th Conference on Innovation in Clouds, Internet and Networks and Workshops (ICIN). :118–125.
Incast traffic is a many-to-one communication pattern used in many applications, including distributed storage, web-search with partition/aggregation design pattern, and MapReduce, commonly in data centers. It is generally composed of short-lived flows that may be queued behind large flows' packets in congested switches where performance degradation is observed. Smart buffering at the switch level is sensed to mitigate this issue by automatically and dynamically adapting to traffic conditions changes in the highly dynamic data center environment. But for this dynamic and smart buffer management to become effectively beneficial for all the traffic, and especially for incast the most critical one, incast performance models that provide insights on how various factors affect it are needed. The literature lacks these types of models. The existing ones are analytical models, which are either tightly coupled with a particular protocol version or specific to certain empirical data. Motivated by this observation, we propose a machine-learning-based incast performance inference. With this prediction capability, smart buffering scheme or other QoS optimization algorithms could anticipate and efficiently optimize system parameters adjustment to achieve optimal performance. Since applying machine learning to networks managed in a distributed fashion is hard, the prediction mechanism will be deployed on an SDN control plane. We could then take advantage of SDN's centralized global view, its telemetry capabilities, and its management flexibility.
Mamushiane, Lusani, Shozi, Themba.  2021.  A QoS-based Evaluation of SDN Controllers: ONOS and OpenDayLight. 2021 IST-Africa Conference (IST-Africa). :1–10.
SDN marks a paradigm shift towards an externalized and logically centralized controller, unlike the legacy networks where control and data planes are tightly coupled. The controller has a comprehensive view of the network, offering flexibility to enforce new traffic engineering policies and easing automation. In SDN, a high performance controller is required for efficient traffic management. In this paper, we conduct a performance evaluation of two distributed SDN controllers, namely ONOS and OpenDayLight. Specifically, we use the Mininet emulation environment to emulate different topologies and the D-ITG traffic generator to evaluate aforementioned controllers based on metrics such as delay, jitter and packet loss. The experimental results show that ONOS provides a significantly higher latency, jitter and low packet loss than OpenDayLight in all topologies. We attribute the poor performance of OpenDayLight to its excessive CPU utilization and propose the use of Hyper-threading to improve its performance. This work provides practitioners in the telecoms industry with guidelines towards making informed controller selection decisions.
2022-07-01
Mani, Santosh, Nene, Manisha J.  2021.  Self-organizing Software Defined Mesh Networks to Counter Failures and Attacks. 2021 International Conference on Intelligent Technologies (CONIT). :1–7.
With current Traditional / Legacy networks, the reliance on manual intervention to solve a variety of issues be it primary operational functionalities like addressing Link-failure or other consequent complexities arising out of existing solutions for challenges like Link-flapping or facing attacks like DDoS attacks is substantial. This physical and manual approach towards network configurations to make significant changes result in very slow updates and increased probability of errors and are not sufficient to address and support the rapidly shifting workload of the networks due to the fact that networking decisions are left to the hands of physical networking devices. With the advent of Software Defined Networking (SDN) which abstracts the network functionality planes, separating it from physical hardware – and decoupling the data plane from the control plane, it is able to provide a degree of automation for the network resources and management of the services provided by the network. This paper explores some of the aspects of automation provided by SDN capabilities in a Mesh Network (provides Network Security with redundancy of communication links) which contribute towards making the network inherently intelligent and take decisions without manual intervention and thus take a step towards Intelligent Automated Networks.
2022-05-24
Fazea, Yousef, Mohammed, Fathey.  2021.  Software Defined Networking based Information Centric Networking: An Overview of Approaches and Challenges. 2021 International Congress of Advanced Technology and Engineering (ICOTEN). :1–8.
ICN (Information-Centric Networking) is a traditional networking approach which focuses on Internet design, while SDN (Software Defined Networking) is known as a speedy and flexible networking approach. Integrating these two approaches can solve different kinds of traditional networking problems. On the other hand, it may expose new challenges. In this paper, we study how these two networking approaches are being combined to form SDN-based ICN architecture to improve network administration. Recent research is explored to identify the SDN-based ICN challenges, provide a critical analysis of the current integration approaches, and determine open issues for further research.
2022-04-19
Li, Kun, Wang, Rui, Li, Haiwei, Hao, Yan.  2021.  A Network Attack Blocking Scheme Based on Threat Intelligence. 2021 6th International Conference on Intelligent Computing and Signal Processing (ICSP). :976–980.
In the current network security situation, the types of network threats are complex and changeable. With the development of the Internet and the application of information technology, the general trend is opener. Important data and important business applications will face more serious security threats. However, with the development of cloud computing technology, the trend of large-scale deployment of important business applications in cloud centers has greatly increased. The development and use of software-defined networks in cloud data centers have greatly reduced the effect of traditional network security boundary protection. How to find an effective way to protect important applications in open multi-step large-scale cloud data centers is a problem we need to solve. Threat intelligence has become an important means to solve complex network attacks, realize real-time threat early warning and attack tracking because of its ability to analyze the threat intelligence data of various network attacks. Based on the research of threat intelligence, machine learning, cloud central network, SDN and other technologies, this paper proposes an active defense method of network security based on threat intelligence for super-large cloud data centers.
2022-04-13
Mishra, Sarthak, Chatterjee, Pinaki Sankar.  2021.  D3: Detection and Prevention of DDoS Attack Using Cuckoo Filter. 2021 19th OITS International Conference on Information Technology (OCIT). :279–284.
DDoS attacks have grown in popularity as a tactic for potential hackers, cyber blackmailers, and cyberpunks. These attacks have the potential to put a person unconscious in a matter of seconds, resulting in severe economic losses. Despite the vast range of conventional mitigation techniques available today, DDoS assaults are still happening to grow in frequency, volume, and intensity. A new network paradigm is necessary to meet the requirements of today's tough security issues. We examine the available detection and mitigation of DDoS attacks techniques in depth. We classify solutions based on detection of DDoS attacks methodologies and define the prerequisites for a feasible solution. We present a novel methodology named D3 for detecting and mitigating DDoS attacks using cuckoo filter.
Nurwarsito, Heru, Nadhif, Muhammad Fahmy.  2021.  DDoS Attack Early Detection and Mitigation System on SDN using Random Forest Algorithm and Ryu Framework. 2021 8th International Conference on Computer and Communication Engineering (ICCCE). :178–183.
Distributed Denial of Service (DDoS) attacks became a true threat to network infrastructure. DDoS attacks are capable of inflicting major disruption to the information communication technology infrastructure. DDoS attacks aim to paralyze networks by overloading servers, network links, and network devices with illegitimate traffic. Therefore, it is important to detect and mitigate DDoS attacks to reduce the impact of DDoS attacks. In traditional networks, the hardware and software to detect and mitigate DDoS attacks are expensive and difficult to deploy. Software-Defined Network (SDN) is a new paradigm in network architecture by separating the control plane and data plane, thereby increasing scalability, flexibility, control, and network management. Therefore, SDN can dynamically change DDoS traffic forwarding rules and improve network security. In this study, a DDoS attack detection and mitigation system was built on the SDN architecture using the random forest machine-learning algorithm. The random forest algorithm will classify normal and attack packets based on flow entries. If packets are classified as a DDoS attack, it will be mitigated by adding flow rules to the switch. Based on tests that have been done, the detection system can detect DDoS attacks with an average accuracy of 98.38% and an average detection time of 36 ms. Then the mitigation system can mitigate DDoS attacks with an average mitigation time of 1179 ms and can reduce the average number of attack packets that enter the victim host by 15672 packets and can reduce the average number of CPU usage on the controller by 44,9%.
2022-04-01
Mutaher, Hamza, Kumar, Pradeep.  2021.  Security-Enhanced SDN Controller Based Kerberos Authentication Protocol. 2021 11th International Conference on Cloud Computing, Data Science Engineering (Confluence). :672–677.
Scalability is one of the effective features of the Software Defined Network (SDN) that allows several devices to communicate with each other. In SDN scalable networks, the number of hosts keeps increasing as per networks need. This increment makes network administrators take a straightforward action to ensure these hosts' authenticity in the network. To address this issue, we proposed a technique to authenticate SDN hosts before permitting them to establish communication with the SDN controller. In this technique, we used the Kerberos authentication protocol to ensure the authenticity of the hosts. Kerberos verifies the hosts' credentials using a centralized server contains all hosts IDs and passwords. This technique eases the secure communication between the hosts and controller and allows the hosts to safely get network rules and policies. The proposed technique ensures the immunity of the network against network attacks.
Sutton, Robert, Ludwiniak, Robert, Pitropakis, Nikolaos, Chrysoulas, Christos, Dagiuklas, Tasos.  2021.  Towards An SDN Assisted IDS. 2021 11th IFIP International Conference on New Technologies, Mobility and Security (NTMS). :1–5.
Modern Intrusion Detection Systems are able to identify and check all traffic crossing the network segments that they are only set to monitor. Traditional network infrastructures use static detection mechanisms that check and monitor specific types of malicious traffic. To mitigate this potential waste of resources and improve scalability across an entire network, we propose a methodology which deploys distributed IDS in a Software Defined Network allowing them to be used for specific types of traffic as and when it appears on a network. The core of our work is the creation of an SDN application that takes input from a Snort IDS instances, thus working as a classifier for incoming network traffic with a static ruleset for those classifications. Our application has been tested on a virtualised platform where it performed as planned holding its position for limited use on static and controlled test environments.
Rezaei, Ghazal, Hashemi, Massoud Reza.  2021.  An SDN-based Firewall for Networks with Varying Security Requirements. 2021 26th International Computer Conference, Computer Society of Iran (CSICC). :1–7.
With the new coronavirus crisis, medical devices' workload has increased dramatically, leaving them growingly vulnerable to security threats and in need of a comprehensive solution. In this work, we take advantage of the flexible and highly manageable nature of Software Defined Networks (SDN) to design a thoroughgoing security framework that covers a health organization's various security requirements. Our solution comes to be an advanced SDN firewall that solves the issues facing traditional firewalls. It enables the partitioning of the organization's network and the enforcement of different filtering and monitoring behaviors on each partition depending on security conditions. We pursued the network's efficient and dynamic security management with the least human intervention in designing our model which makes it generally qualified to use in networks with different security requirements.
Liang, Huichao, Liu, Han, Dang, Fangfang, Yan, Lijing, Li, Dingding.  2021.  Information System Security Protection Based on SDN Technology in Cloud Computing Environment. 2021 IEEE International Conference on Advances in Electrical Engineering and Computer Applications (AEECA). :432–435.
Cloud computing is a modern computing mode based on network, which is widely participated by the public, and provides virtualized dynamic computing resources in the form of services. Cloud computing builds an effective communication platform with the help of computer internet, so that users can get the same computing resources even if they are in different areas. With its unique technical characteristics and advantages, cloud computing has been deployed to practical applications more and more, and the consequent security problems of cloud computing have become increasingly prominent. In addition to the original cloud computing environment, this paper proposes to build a secure cloud with cloud technology, deploy security agents in the business cloud, connect the business cloud, security cloud and security agents through SDN (software defined network) technology, and dynamically divide the business cloud into logically isolated business areas through security agents. Therefore, security is separated from the specific implementation technology and deployment scheme of business cloud, and an information security protection scheme under cloud computing environment is proposed according to the characteristics of various factors, so as to enhance the security of network information.
Thorat, Pankaj, Dubey, Niraj Kumar, Khetan, Kunal, Challa, Rajesh.  2021.  SDN-based Predictive Alarm Manager for Security Attacks Detection at the IoT Gateways. 2021 IEEE 18th Annual Consumer Communications Networking Conference (CCNC). :1–2.
The growing adoption of IoT devices is creating a huge positive impact on human life. However, it is also making the network more vulnerable to security threats. One of the major threats is malicious traffic injection attack, where the hacked IoT devices overwhelm the application servers causing large-scale service disruption. To address such attacks, we propose a Software Defined Networking based predictive alarm manager solution for malicious traffic detection and mitigation at the IoT Gateway. Our experimental results with the proposed solution confirm the detection of malicious flows with nearly 95% precision on average and at its best with around 99% precision.
Song, Yan, Luo, Wenjing, Li, Jian, Xu, Panfeng, Wei, Jianwei.  2021.  SDN-based Industrial Internet Security Gateway. 2021 International Conference on Security, Pattern Analysis, and Cybernetics (SPAC). :238–243.
Industrial Internet is widely used in the production field. As the openness of networks increases, industrial networks are facing increasing security risks. Information and communication technologies are now available for most industrial manufacturing. This industry-oriented evolution has driven the emergence of cloud systems, the Internet of Things (IoT), Big Data, and Industry 4.0. However, new technologies are always accompanied by security vulnerabilities, which often expose unpredictable risks. Industrial safety has become one of the most essential and challenging requirements. In this article, we highlight the serious challenges facing Industry 4.0, introduce industrial security issues and present the current awareness of security within the industry. In this paper, we propose solutions for the anomaly detection and defense of the industrial Internet based on the demand characteristics of network security, the main types of intrusions and their vulnerability characteristics. The main work is as follows: This paper first analyzes the basic network security issues, including the network security needs, the security threats and the solutions. Secondly, the security requirements of the industrial Internet are analyzed with the characteristics of industrial sites. Then, the threats and attacks on the network are analyzed, i.e., system-related threats and process-related threats; finally, the current research status is introduced from the perspective of network protection, and the research angle of this paper, i.e., network anomaly detection and network defense, is proposed in conjunction with relevant standards. This paper proposes a software-defined network (SDN)-based industrial Internet security gateway for the security protection of the industrial Internet. Since there are some known types of attacks in the industrial network, in order to fully exploit the effective information, we combine the ExtratreesClassifier to enhance the detection rate of anomaly detection. In order to verify the effectiveness of the algorithm, this paper simulates an industrial network attack, using the acquired training data for testing. The test data are industrial network traffic datasets, and the experimental results show that the algorithm is suitable for anomaly detection in industrial networks.
2022-03-14
Farooq, Muhammad Usman, Rashid, Muhammad, Azam, Farooque, Rasheed, Yawar, Anwar, Muhammad Waseem, Shahid, Zohaib.  2021.  A Model-Driven Framework for the Prevention of DoS Attacks in Software Defined Networking (SDN). 2021 IEEE International Systems Conference (SysCon). :1–7.
Security is a key component of the network. Software Defined Networking (SDN) is a refined form of traditional network management system. It is a new encouraging approach to design-build and manage networks. SDN decouples control plane (software-based router) and data plane (software-based switch), hence it is programmable. Consequently, it facilitates implementation of security based applications for the prevention of DOS attacks. Various solutions have been proposed by researchers for handling of DOS attacks in SDN. However, these solutions are very limited in scope, complex, time consuming and change resistant. In this article, we have proposed a novel model driven framework i.e. MDAP (Model Based DOS Attacks Prevention) Framework. Particularly, a meta model is proposed. As tool support, a tree editor and a Sirius based graphical modeling tool with drag drop palette have been developed in Oboe designer community edition. The tool support allows modeling and visualization of simple and complex network topology scenarios. A Model to Text transformation engine has also been made part of framework that generates java code for the Floodlight SDN controller from the modeled scenario. The validity of proposed framework has been demonstrated via case study. The results prove that the proposed framework can effectively handle DOS attacks in SDN with simplicity as per the true essence of MDSE and can be reliably used for the automation of security based applications in order to deny DOS attacks in SDN.
2022-03-08
Kh., Djuraev R., R., Botirov S., O., Juraev F.  2021.  A simulation model of a cloud data center based on traditional networks and Software-defined network. 2021 International Conference on Information Science and Communications Technologies (ICISCT). :1–4.
In this article we have developed a simulation model in the Mininet environment for analyzing the operation of a software-defined network (SDN) in cloud data centers. The results of the simulation model of the operation of the SDN network on the Mininet emulator and the results of the simulation of the traditional network in the Graphical Network Simulator 3 emulator are presented.
2022-02-07
Abbood, Zainab Ali, Atilla, Doğu Çağdaş, Aydin, Çağatay, Mahmoud, Mahmoud Shuker.  2021.  A Survey on Intrusion Detection System in Ad Hoc Networks Based on Machine Learning. 2021 International Conference of Modern Trends in Information and Communication Technology Industry (MTICTI). :1–8.
This advanced research survey aims to perform intrusion detection and routing in ad hoc networks in wireless MANET networks using machine learning techniques. The MANETs are composed of several ad-hoc nodes that are randomly or deterministically distributed for communication and acquisition and to forward the data to the gateway for enhanced communication securely. MANETs are used in many applications such as in health care for communication; in utilities such as industries to monitor equipment and detect any malfunction during regular production activity. In general, MANETs take measurements of the desired application and send this information to a gateway, whereby the user can interpret the information to achieve the desired purpose. The main importance of MANETs in intrusion detection is that they can be trained to detect intrusion and real-time attacks in the CIC-IDS 2019 dataset. MANETs routing protocols are designed to establish routes between the source and destination nodes. What these routing protocols do is that they decompose the network into more manageable pieces and provide ways of sharing information among its neighbors first and then throughout the whole network. The landscape of exciting libraries and techniques is constantly evolving, and so are the possibilities and options for experiments. Implementing the framework in python helps in reducing syntactic complexity, increases performance compared to implementations in scripting languages, and provides memory safety.
Narayanankutty, Hrishikesh.  2021.  Self-Adapting Model-Based SDSec For IoT Networks Using Machine Learning. 2021 IEEE 18th International Conference on Software Architecture Companion (ICSA-C). :92–93.
IoT networks today face a myriad of security vulnerabilities in their infrastructure due to its wide attack surface. Large-scale networks are increasingly adopting a Software-Defined Networking approach, it allows for simplified network control and management through network virtualization. Since traditional security mechanisms are incapable of handling virtualized environments, SDSec or Software-Defined Security is introduced as a solution to support virtualized infrastructure, specifically aimed at providing security solutions to SDN frameworks. To further aid large scale design and development of SDN frameworks, Model-Driven Engineering (MDE) has been proposed to be used at the design phase, since abstraction, automation and analysis are inherently key aspects of MDE. This provides an efficient approach to reducing large problems through models that abstract away the complex technicality of the total system. Making adaptations to these models to address security issues faced in IoT networks, largely reduces cost and improves efficiency. These models can be simulated, analysed and supports architecture model adaptation; model changes are then reflected back to the real system. We propose a model-driven security approach for SDSec networks that can self-adapt using machine learning to mitigate security threats. The overall design time changes can be monitored at run time through machine learning techniques (e.g. deep, reinforcement learning) for real time analysis. This approach can be tested in IoT simulation environments, for instance using the CAPS IoT modeling and simulation framework. Using self-adaptation of models and advanced machine learning for data analysis would ensure that the SDSec architecture adapts and improves over time. This largely reduces the overall attack surface to achieve improved end-to-end security in IoT environments.
2022-01-31
Mani, Santosh, Nene, Manisha J.  2021.  Preventing Distributed Denial of Service Attacks in Software Defined Mesh Networks. 2021 International Conference on Intelligent Technologies (CONIT). :1–7.
Mesh topology networks provide Network security in the form of redundancy of communication links. But redundancy also contributes to complexity in configuration and subsequent troubleshooting. Mesh topology deployed in Critical networks like Backbone Networks (used in Cloud Computing) deploy the Mesh topology provides additional security in terms of redundancy to ensure availability of services. One amongst most prominent attacks is Distributed Denial of Service attacks which cause an immense amount of loss of data as well as monetary losses to service providers. This paper proposes a method by which using SDN capabilities and sFlow-RT application, Distributed Denial of Service (DDoS) attacks is detected and consequently mitigated by using REST API to implement Policy Based Flow Management (PBFM) through the SDN Controller which will help in ensuring uninterrupted services in scenarios of such attacks and also further simplify and enhance the management of Mesh architecture-based networks.