Biblio

Software defined networking (SDN) architecture frame- work eases the work of the network administrators by separating the data plane from the control plane. This provides a programmable interface for applications development related to security and management. The centralized logical controller provides more control over the total network, which has complete network visibility. These SDN advantages expose the network to vulnerabilities and the impact of the attacks is much severe when compared to traditional networks, where the network devices have protection from the attacks and limits the occurrence of attacks. In this paper, we proposed an entropy based algorithm in SDN to detect as well as stopping distributed denial of service (DDoS) attacks on the servers or clouds or hosts. Firstly, there explored various attacks that can be launched on SDN at different layers. Basically DDoS is one kind of denial of service attack in which an attacker uses multiple distributed sources for attacking a particular server. Every network in a system has an entropy and an increase in the randomness of probability causes entropy to decrease. In comparison with previous entropy based approaches this approach has higher performance in distinguishing legal and illegal traffics and blocking illegal traffic paths. Linux OS and Mininet Simulator along with POX controller are used to validate the proposed approach. By conducting pervasive simulation along with theoretical analysis this method can definitely detect and stop DDoS attacks automatically.

Over the past decade, an infotelecommunication technology has made significant strides forward. With the advent of new generation wireless networks and the massive digitalization of industries, the object of protection has changed. The digital transformation has led to an increased opportunity for cybercriminals. The ability of computational intelligence to quickly process large amounts of data makes the intrusions tailored to specific environments. Polymorphic attacks that have mutations in their sequences of acts adapt to the communication environments, operating systems and service frameworks, and also try to deceive the defense tools. The poor protection of most Internet of Things devices allows the attackers to take control over them creating the megabotnets. In this regard, traditional methods of network protection become rigid and low-effective. The paper reviews a computational intelligence (CI) enabled software- defined network (SDN) for the network management, providing dynamic network reconfiguration to improve network performance and security control. Advanced machine learning and artificial neural networks are promising in detection of false data injections. Bioinformatics methods make it possible to detect polymorphic attacks. Swarm intelligence detects dynamic routing anomalies. Quantum machine learning is effective at processing the large volumes of security-relevant datasets. The CI technology stack provides a comprehensive protection against a variative cyberthreats scope.

Nowadays, Denial of Service (DOS) is a significant cyberattack that can happen on the Internet. This attack can be taken place with more than one attacker that in this case called Distributed Denial of Service (DDOS). The attackers endeavour to make the resources (server & bandwidth) unavailable to legitimate traffic by overwhelming resources with malicious traffic. An appropriate security module is needed to discriminate the malicious flows with high accuracy to prevent the failure resulting from a DDOS attack. In this paper, a DDoS attack discriminator will be designed for Software Defined Network (SDN) architecture so that it can be deployed in the POX controller. The simulation results present that the proposed model can achieve an accuracy of about 99.4%which shows an outstanding percentage of improvement compared with Decision Tree (DT), K-Nearest Neighbour (KNN), Support Vector Machine (SVM) approaches.

Network Function Virtualization or NFV gives numerous advantages over the conventional networking techniques by incorporating distinctive features of a network over the virtual machine (VM). It decreases capital and operational costs to give more noteworthy adaptability and flexibility. But all of these advantages come at the expense of the intrinsic system vulnerabilities because of specific sorts of cyber attacks like the Distributed Denial of Service (DDoS) attack. With the increased number of layers in NFV, it becomes easier for an attacker to execute DDoS attack. This study indicates a new model for mitigating the effects of DDoS attacks on NFV. The model has been designed specifically for the individual users especially gamers and online streamers who become victim of DDoS attack on adaily basis. However, the method can be used for a online service like a website in general as well after making certain changes which have been discussed in detail. ARDefense usually performs server migration and IP spoofing when it detects a DDoS attack on the application layer. Effectiveness of ARDefense was tested by measuring load migration and IP spoofing processing time.

DDoS attacks are pre-dominant in traditional networks, they are used to bring down the services of important servers in the network, thereby affecting its performance. One such kind of attack is HTTP GET Flood DDoS attack in which a lot of HTTP GET request messages are sent to the victim web server, overwhelming its resources and bringing down its services to the legitimate clients. The solution to such attacks in traditional networks is usually implemented at the servers, but this consumes its resources which could otherwise be used to process genuine client requests. Software Defined Network (SDN) is a new network architecture that helps to deal with these attacks in a different way. In SDN the mitigation can be done using the controller without burdening the server. In this paper, we first show how an HTTP GET Flood DDoS attack can be performed on the webserver in an SDN environment and then propose a solution to mitigate the same with the help of the SDN controller. At the server, the attack is detected by checking the number of requests arriving to the web server for a certain period of time, if the number of request is greater than a particular threshold then the hosts generating such attacks will be blocked for the attack duration.

Distributed Denial of Service (DDoS) attacks aim at bringing down or decreasing the availability of services for their legitimate users, by exhausting network or server resources. It is difficult to differentiate attack traffic from legitimate traffic as the attack can come from distributed nodes that additionally might spoof their IP addresses. Traditional DoS mitigation solutions fail to defend all kinds of DoS attacks and huge DoS attacks might exceed the processing capacity of routers and firewalls easily. The advent of Software-defined Networking (SDN) and Network Function Virtualization (NFV) has brought a new perspective for network defense. Key features of such technologies like global network view and flexibly positionable security functionality can be used for mitigating DDoS attacks. In this paper, we propose a collaborative DDoS attack mitigation scheme that uses SDN and NFV. We adopt a machine learning algorithm from related work to derive accurate patterns describing DDoS attacks. Our experimental results indicate that our framework is able to differentiate attack and legitimate traffic with high accuracy and in near-realtime. Furthermore, the derived patterns can be used to create OpenFlow (OF) or Firewall rules that can be pushed back into the direction of the attack origin for more efficient and distributed filtering.

A Distributed Denial of Service ( DDoS ) attack is usually instigated on a primary server that provides important services in a network. However such DDoS attacks can be identified and mitigated by the controller in a Software Defined Network (SDN). If the intruder further performs an attack on the controller along with the server, the attack becomes successful.In this paper, we show how such a combined DDoS attack can be instigated on a controller as well as a primary server. The DDoS attack on the primary server is instigated by compromising few hosts to send packets with spoofed IP addresses and the attack on the controller is instigated by compromising few switches to send flow table requests repeatedly to the controller. With the help of an emulator called mininet, we show the severity of this attack on the performance of the network. We further propose a common technique that can be used to mitigate this kind of attack by observing the variation of destination IP addresses and setting different priorities to switches and handling the flow table requests accordingly by the controller.

In recent years, software defined networking (SDN) has been proposed for enhancing the security of industrial control networks. However, its ability to guarantee the quality of service (QoS) requirements of such networks in the presence of adversarial flow still needs to be investigated. Queueing theory and particularly queueing network models have long been employed to study the performance and QoS characteristics of networks. The latter appears to be particularly suitable to capture the behaviour of SDN owing to the dependencies between layers, planes and components in an SDN architecture. Also, several authors have used queueing network models to study the behaviour of different application of SDN architectures, but none of the existing works have considered the strong periodic network traffic in software-defined industrial control networks. In this paper, we propose a queueing network model for softwaredefined industrial control networks, taking into account the strong periodic patterns of the network traffic in the data plane. We derive the performance measures for the analytical model and apply the queueing network model to study the effect of adversarial flow in software-defined industrial control networks.

This paper investigates the use of Software-Defined Networking (SDN) in the detection and mitigation of malware threat, focusing on the example of ExPetr ransomware. Extensive static and dynamic analysis of ExPetr is performed in a purpose-built SDN testbed. The results acquired from this analysis are then used to design and implement an SDN-based solution to detect the malware and prevent it from spreading to other machines inside a local network. Our solution consists of three security mechanisms that have been implemented as components/modules of the Python-based POX controller. These mechanisms include: port blocking, SMB payload inspection, and HTTP payload inspection. When malicious activity is detected, the controller communicates with the SDN switches via the OpenFlow protocol and installs appropriate entries in their flow tables. In particular, the controller blocks machines which are considered infected, by monitoring and reacting in real time to the network traffic they produce. Our experimental results demonstrate that the proposed designs are effective against self-propagating malware in local networks. The implemented system can respond to malicious activities quickly and in real time. Furthermore, by tuning certain thresholds of the detection mechanisms it is possible to trade-off the detection time with the false positive rate.

Current Internet Protocol routing provides minimal privacy, which enables multiple exploits. The main issue is that the source and destination addresses of all packets appear in plain text. This enables numerous attacks, including surveillance, man-in-the-middle (MITM), and denial of service (DoS). The talk explains how these attacks work in the current network. Endpoints often believe that use of Network Address Translation (NAT), and Dynamic Host Configuration Protocol (DHCP) can minimize the loss of privacy.We will explain how the regularity of human behavior can be used to overcome these countermeasures. Once packets leave the local autonomous system (AS), they are routed through the network by the Border Gateway Protocol (BGP). The talk will discuss the unreliability of BGP and current attacks on the routing protocol. This will include an introduction to BGP injects and the PEERING testbed for BGP experimentation. One experiment we have performed uses statistical methods (CUSUM and F-test) to detect BGP injection events. We describe work we performed that applies BGP injects to Internet Protocol (IP) address randomization to replace fixed IP addresses in headers with randomized addresses. We explain the similarities and differences of this approach with virtual private networks (VPNs). Analysis of this work shows that BGP reliance on autonomous system (AS) numbers removes privacy from the concept, even though it would disable the current generation of MITM and DoS attacks. We end by presenting a compromise approach that creates software-defined data exchanges (SDX), which mix traffic randomization with VPN concepts. We contrast this approach with the Tor overlay network and provide some performance data.

Legacy and novel network services are expected to be migrated and designed to be deployed in fully virtualized environments. Starting with 5G, NFV becomes a formally required brick in the specifications, for services integrated within the infrastructure provider networks. This evolution leads to deployment of virtual resources Virtual-Machine (VM)-based, container-based and/or server-less platforms, all calling for a deep virtualization of infrastructure components. Such a network softwarization also unleashes further logical network virtualization, easing multi-layered, multi-actor and multi-access services, so as to be able to fulfill high availability, security, privacy and resilience requirements. However, the derived increased components heterogeneity makes the detection and the characterization of anomalies difficult, hence the relationship between anomaly detection and corresponding reconfiguration of the NFV stack to mitigate anomalies. In this article we propose an unsupervised machine-learning data-driven approach based on Long-Short- Term-Memory (LSTM) autoencoders to detect and characterize anomalies in virtualized networking services. With a radiography visualization, this approach can spot and describe deviations from nominal parameter values of any virtualized network service by means of a lightweight and iterative mean-squared reconstruction error analysis of LSTM-based autoencoders. We implement and validate the proposed methodology through experimental tests on a vIMS proof-of-concept deployed using Kubernetes.

Security is the basic topic for the normal operation of the power Internet of Things, and its growing scale determines the trend of dynamic deployment and flexible expansion in the future to meet the ever-changing needs. While large-scale networks have a high cost of hardware resources, so the security protection of the ubiquitous power Internet of Things must be lightweight. In this paper, we propose to build a platform of power Internet of things based on SDN (Software Defined Network) technology and extend the openflow protocol by adding some types of actions and meters to achieve the purpose of on-demand monitoring, dynamic defense and flexible response. To achieve the purpose of lightweight protection, we take advantage of DFI(Deep Flow Inspection) technology to collect and analyze traffic in the Internet of Things, and form a security prevention and control strategy model suitable for the power Internet of Things, without in-depth detection of payload and without the influence of ciphertext.

It has been recognized that artificial intelligence (AI) will play an important role in future societies. AI has already been incorporated in many industries to improve business processes and automation. Although the aviation industry has successfully implemented flight management systems or autopilot to automate flight operations, it is expected that full embracement of AI remains a challenge. Given the rigorous validation process and the requirements for the highest level of safety standards and risk management, AI needs to prove itself being safe to operate. This paper addresses the safety issues of AI deployment in an aviation network compatible with the Future Communication Infrastructure that utilizes heterogeneous wireless access technologies for communications between the aircraft and the ground networks. It further considers the exploitation of software defined networking (SDN) technologies in the ground network while the adoption of SDN in the airborne network can be optional. Due to the nature of centralized management in SDN-based network, the SDN controller can become a single point of failure or a target for cyber attacks. To countermeasure such attacks, an intrusion detection system utilises AI techniques, more specifically deep neural network (DNN), is considered. However, an adversary can target the AI-based intrusion detection system. This paper examines the impact of AI security attacks on the performance of the DNN algorithm. Poisoning attacks targeting the DSL-KDD datasets which were used to train the DNN algorithm were launched at the intrusion detection system. Results showed that the performance of the DNN algorithm has been significantly degraded in terms of the mean square error, accuracy rate, precision rate and the recall rate.

Cloud, Software-Defined Networking (SDN), and Network Function Virtualization (NFV) technologies have introduced a new era of cybersecurity threats and challenges. To protect cloud infrastructure, in our earlier work, we proposed Software Defined Security Service (SDS2) to tackle security challenges centered around a new policy-based interaction model. The security architecture consists of three main components: a Security Controller, Virtual Security Functions (VSF), and a Sec-Manage Protocol. However, the security architecture requires an agile and specific protocol to transfer interaction parameters and security messages between its components where OpenFlow considers mainly as network routing protocol. So, The Sec-Manage protocol has been designed specifically for obtaining policy-based interaction parameters among cloud entities between the security controller and its VSFs. This paper focuses on the design and the implementation of the Sec-Manage protocol and demonstrates its use in setting, monitoring, and conveying relevant policy-based interaction security parameters.

Virtualization and Software-defined Networking (SDN) are emerging technologies that play a major role in cloud computing. Cloud computing provides efficient utilization, high performance, and resource availability on demand. However, virtualization environments are vulnerable to various types of intrusion attacks that involve installing malicious software and denial of services (DoS) attacks. Utilizing SDN technology, makes the idea of SDN-based security applications attractive in the fight against DoS attacks. Network intrusion detection system (IDS) which is used to perform network traffic analysis as a detection system implemented on SDN networks to protect virtualization servers from HTTP DoS attacks. The experimental results show that SDN-based IDS is able to detect and mitigate HTTP DoS attacks effectively.

The legacy security defense mechanisms cannot resist where emerging sophisticated threats such as zero-day and malware campaigns have profoundly changed the dimensions of cyber-attacks. Recent studies indicate that cyber threat intelligence plays a crucial role in implementing proactive defense operations. It provides a knowledge-sharing platform that not only increases security awareness and readiness but also enables the collaborative defense to diminish the effectiveness of potential attacks. In this paper, we propose a secure distributed model to facilitate cyber threat intelligence sharing among diverse participants. The proposed model uses blockchain technology to assure tamper-proof record-keeping and smart contracts to guarantee immutable logic. We use an open-source permissioned blockchain platform, Hyperledger Fabric, to implement the blockchain application. We also utilize the flexibility and management capabilities of Software-Defined Networking to be integrated with the proposed sharing platform to enhance defense perspectives against threats in the system. In the end, collaborative DDoS attack mitigation is taken as a case study to demonstrate our approach.

Software Defined Vehicular Networking (SDVN) could be the future of the vehicular networks, enabling interoperability between heterogeneous networks and mobility management. Thus, the deployment of large SDVN is considered. However, SDVN is facing major security issues, in particular, authentication and access control issues. Indeed, an unauthorized SDN controller could modify the behavior of switches (packet redirection, packet drops) and an unauthorized switch could disrupt the operation of the network (reconnaissance attack, malicious feedback). Due to the SDVN features (decentralization, mobility) and the SDVN requirements (flexibility, scalability), the Blockchain technology appears to be an efficient way to solve these authentication and access control issues. Therefore, many Blockchain-based approaches have already been proposed. However, two key challenges have not been addressed: authentication and access control for SDN controllers and high scalability for the underlying Blockchain network. That is why in this paper we propose an innovative and scalable architecture, based on a set of interconnected Blockchain sub-networks. Moreover, an efficient access control mechanism and a cross-sub-networks authentication/revocation mechanism are proposed for all SDVN devices (vehicles, roadside equipment, SDN controllers). To demonstrate the benefits of our approach, its performances are compared with existing solutions in terms of throughput, latency, CPU usage and read/write access to the Blockchain ledger. In addition, we determine an optimal number of Blockchain sub-networks according to different parameters such as the number of certificates to store and the number of requests to process.

Packet classification is a key function in network security systems in SDN, which detect potential threats by matching the packet header bits and a given rule set. It needs to support multi-dimensional fields, large rule sets, and high throughput. Bit Vector-based packet classification methods can support multi-field matching and achieve a very high throughput, However, the range matching is still challenging. To address issue, this paper proposes a Range Supported Bit Vector (RSBV) algorithm for processing the range fields. RSBV uses specially designed codes to store the pre-computed results in memory, and the result of range matching is derived through pipelined Boolean operations. Through a two-dimensional modular architecture, the RSBV can operate at a high clock frequency and line-rate processing can be guaranteed. Experimental results show that for a 1K and 512-bit OpenFlow rule set, the RSBV can sustain a throughput of 520 Million Packets Per Second.

Network policies govern the use of an institution's networks, and are usually written in a high-level human-readable natural language. Normally these policies are enforced by low-level, technically detailed network configurations. The translation from network policies into network configurations is a tedious, manual and error-prone process. To address this issue, we propose a new intermediate language called POlicy LANguage for Campus Operations (POLANCO), which is a human-readable network policy definition language intended to approximate natural language. Because POLANCO is a high-level language, the translation from natural language policies to POLANCO is straightforward. Despite being a high-level human readable language, POLANCO can be used to express network policies in a technically precise way so that policies written in POLANCO can be automatically translated into a set of software defined networking (SDN) rules and actions that enforce the policies. Moreover, POLANCO is capable of incorporating information about the current network state, reacting to changes in the network and adjusting SDN rules to ensure network policies continue to be enforced correctly. We present policy examples found on various public university websites and show how they can be written as simplified human-readable statements using POLANCO and how they can be automatically translated into SDN rules that correctly enforce these policies.

Software defined network (SDN) is an emerging network architecture. Its control logic and forwarding logic are separated. SDN has the characteristics of centralized management, which makes it easier for malicious attackers to use the security vulnerabilities of SDN networks to implement distributed denial Service (DDoS) attack. Information entropy is a kind of lightweight DDoS early detection method. This paper proposes a DDoS attack detection method in SDN networks based on φ-entropy. φ-entropy can adjust related parameters according to network conditions and enlarge feature differences between normal and abnormal traffic, which can make it easier to detect attacks in the early stages of DDoS traffic formation. Firstly, this article demonstrates the basic properties of φ-entropy, mathematically illustrates the feasibility of φ-entropy in DDoS detection, and then we use Mini-net to conduct simulation experiments to compare the detection effects of DDoS with Shannon entropy.

With the advent of IoT devices and exponential growth of nodes on the internet, computer networks are facing new challenges, with one of the more important ones being DDoS attacks. In this paper, new features to detect initiation and termination of DDoS attacks are investigated. The method to extract these features is devised with respect to some openflowbased switch capabilities. These features provide us with a higher resolution to view and process packet count entropies, thus improving DDoS attack detection capabilities. Although some of the technical assumptions are based on SDN technology and openflow protocol, the methodology can be applied in other networking paradigms as well.

Software Defined Networking (SDN) decouples the control plane and the data plane and solves the difficulty of new services deployment. However, the threat of a single point of failure is also introduced at the same time. The attacker can launch DDoS attacks towards the controller through switches. In this paper, a DDoS attack detection method based on information entropy and deep learning is proposed. Firstly, suspicious traffic can be inspected through information entropy detection by the controller. Then, fine-grained packet-based detection is executed by the convolutional neural network (CNN) model to distinguish between normal traffic and attack traffic. Finally, the controller performs the defense strategy to intercept the attack. The experiments indicate that the accuracy of this method reaches 98.98%, which has the potential to detect DDoS attack traffic effectively in the SDN environment.

In the coming future, Software-defined networking (SDN) will become a technology more responsive, fully automated, and highly secure. SDN is a way to manage networks by separate the control plane from the forwarding plane, by using software to manage network functions through a centralized control point. A distributed denial-of-service (DDoS) attack is the most popular malicious attempt to disrupt normal traffic of a targeted server, service, or network. The problem of the paper is the DDoS attack inside the SDN environment and how could use SDN specifications through the advantage of Open vSwitch programmability feature to stop the attack. This paper presents DDoS attack detection and mitigation in the SDN data-plane by applying a written SDN application in python language, based on the malicious traffic abnormal behavior to reduce the interference with normal traffic. The evaluation results reveal detection and mitigation time between 100 to 150 sec. The work also sheds light on the programming relevance with the open daylight controller over an abstracted view of the network infrastructure.

Software Defined Network (SDN) is a new type of network architecture solution, and its innovation lies in decoupling traditional network system into a control plane, a data plane, and an application plane. It logically implements centralized control and management of the network, and SDN is considered to represent the development trend of the network in the future. However, SDN still faces many security challenges. Currently, the number of insecure devices is huge. Distributed Denial of Service (DDoS) attacks are one of the major network security threats.This paper focuses on the detection and mitigation of DDoS attacks in SDN. Firstly, we explore a solution to detect DDoS using Renyi entropy, and we use exponentially weighted moving average algorithm to set a dynamic threshold to adapt to changes of the network. Second, to mitigate this threat, we analyze the historical behavior of each source IP address and score it to determine the malicious source IP address, and use OpenFlow protocol to block attack source.The experimental results show that the scheme studied in this paper can effectively detect and mitigate DDoS attacks.

Fully securing networks from remote attacks is recognized by the IT industry as a critical and imposing challenge. Even highly secure systems remain vulnerable to attacks and advanced persistent threats. Air-gapped networks may be secure from remote attack. One-way flows are a novel approach to improving the security of telemetry for critical infrastructure, retaining some of the benefits of interconnectivity whilst maintaining a level of network security analogous to that of unconnected devices. Simple and inexpensive techniques can be used to provide this unidirectional security, removing the risk of remote attack from a range of potential targets and subnets. The application of one-way networks is demonstrated using IEEE compliant PMU data streams as a case study. Scalability is demonstrated using SDN techniques. Finally, these techniques are combined, demonstrating a node which can be secured from remote attack, within defined limitations.