Biblio

Machine Learning has revolutionized many fields of computer science. Reinforcement Learning (RL), in particular, stands out as a solution to sequential decision making problems. With the growing complexity of computer networks in the face of new emerging technologies, such as the Internet of Things and the growing complexity of threat vectors, there is a dire need for autonomous network systems. RL is a viable solution for achieving this autonomy. Software-defined Networking (SDN) provides a global network view and programmability of network behaviour, which can be employed for security management. Previous works in RL-based threat mitigation have mostly focused on very specific problems, mostly non-sequential, with ad-hoc solutions. In this paper, we propose ATMoS, a general framework designed to facilitate the rapid design of RL applications for network security management using SDN. We evaluate our framework for implementing RL applications for threat mitigation, by showcasing the use of ATMoS with a Neural Fitted Q-learning agent to mitigate an Advanced Persistent Threat. We present the RL model's convergence results showing the feasibility of our solution for active threat mitigation.

Accurate traffic classification is fundamentally important for various network activities such as fine-grained network management and resource utilisation. Port-based approaches, deep packet inspection and machine learning are widely used techniques to classify and analyze network traffic flows. However, over the past several years, the growth of Internet traffic has been explosive due to the greatly increased number of Internet users. Therefore, both port-based and deep packet inspection approaches have become inefficient due to the exponential growth of the Internet applications that incurs high computational cost. The emerging paradigm of software-defined networking has reshaped the network architecture by detaching the control plane from the data plane to result in a centralised network controller that maintains a global view over the whole network on its domain. In this paper, we propose a new deep learning model for software-defined networks that can accurately identify a wide range of traffic applications in a short time, called Deep-SDN. The performance of the proposed model was compared against the state-of-the-art and better results were reported in terms of accuracy, precision, recall, and f-measure. It has been found that 96% as an overall accuracy can be achieved with the proposed model. Based on the obtained results, some further directions are suggested towards achieving further advances in this research area.

Due to centralized control and programmable capability of the SDN architecture, network administrators can easily manage and control the whole network through the centralized controller. According to the SDN architecture, the SDN controller is vulnerable to distributed denial of service (DDOS) attacks. Thus, a failure of SDN controller is a major leak for security concern. The objectives of paper is therefore to detect the DDOS attacks and classify the normal or attack traffic in SDN network using machine learning algorithms. In this proposed system, polynomial SVM is applied to compare to existing linear SVM by using scapy, which is packet generation tool and RYU SDN controller. According to the experimental result, polynomial SVM achieves 3% better accuracy and 34% lower false alarm rate compared to Linear SVM.

Denial of service (DoS) is a process of injecting malicious packets into the network. Intrusion detection system (IDS) is a system used to investigate malicious packets in the network. Software-defined network (SDN) physically separates control plane and data plane. The control plane is moved to a centralized controller, and it makes a decision in the network from a global view. The combination between IDS and SDN allows the prevention of malicious packets to be more efficient due to the advantage of the global view in SDN. IDS needs to communicate with switches to have an access to all end-to-end traffic in the network. The high traffic in the link between switches and IDS results in congestion. The congestion between switches and IDS delays the detection and prevention of malicious traffic. To address this problem, we propose a historical database (Hdb), a scheme to reduce the traffic between switches and IDS, based on the historical information of a sender. The simulation shows that in the average, 54.1% of traffic mirrored to IDS is reduced compared to the conventional schemes.

Intrusion Detection system (IDS) was an application which was aimed to monitor network activity or system and it could find if there was a dangerous operation. Implementation of IDS on Software Define Network architecture (SDN) has drawbacks. IDS on SDN architecture might decreasing network Quality of Service (QoS). So the network could not provide services to the existing network traffic. Throughput, delay and packet loss were important parameters of QoS measurement. Snort IDS and bro IDS were tools in the application of IDS on the network. Both had differences, one of which was found in the detection method. Snort IDS used a signature based detection method while bro IDS used an anomaly based detection method. The difference between them had effects in handling the network traffic through it. In this research, we compared both tools. This comparison are done with testing parameters such as throughput, delay, packet loss, CPU usage, and memory usage. From this test, it was found that bro outperform snort IDS for throughput, delay , and packet loss parameters. However, CPU usage and memory usage on bro requires higher resource than snort.

Recently, the novel networking technology Software-Defined Networking(SDN) and Service Function Chaining(SFC) are rapidly growing, and security issues are also emerging for SDN and SFC. However, the research about security and safety on a novel networking environment is still unsatisfactory, and the vulnerabilities have been revealed continuously. Among these security issues, this paper addresses the ARP Poisoning attack to exploit SFC vulnerability, and proposes a method to defend the attack. The proposed method recognizes the repetitive ARP reply which is a feature of ARP Poisoning attack, and detects ARP Poisoning attack. The proposed method overcomes the limitations of the existing detection methods. The proposed method also detects the presence of an attack more accurately.

To enhance the programmability and flexibility of network and service management, the Software-Defined Networking (SDN) paradigm is gaining growing attention by academia and industry. Motivated by its success in wired networks, researchers have recently started to embrace SDN towards developing next generation wireless networks such as Software-Defined Internet of Vehicles (SD-IoV). As the SD-IoV evolves, new security threats would emerge and demand attention. And since the core of the SD-IoV would be the control plane, it is highly vulnerable to Distributed Denial of Service (DDoS) Attacks. In this work, we investigate the impact of DDoS attacks on the controllers in a SD-IoV environment. Through experimental evaluations, we highlight the drastic effects DDoS attacks could have on a SD-IoV in terms of throughput and controller load. Our results could be a starting point to motivate further research in the area of SD-IoV security and would give deeper insights into the problems of DDoS attacks on SD-IoV.

Internet of vehicles (IoV) is the evolution of conventional vehicle network (VANET), a recent domain attracting a large number of companies and researchers. It is an integration of three networks: an inter-vehicle network, an intra-vehicle network, and vehicular mobile Internet, in which the vehicle is considered as a smart object equipped with powerful multi-sensors platform, connectivity and communication technologies, enabling it to communicate with the world. The cooperative communication between vehicles and other devices causes diverse challenges in terms of: storage and computing capability, energy of vehicle and network's control and management. Security is very important aspect in IoV and it is required to protect connected cars from cybercrime and accidents. In this article, we propose a network model for IoV based on software Defined Network and Cloud Computing.

At present, the network architecture is based on the TCP/IP protocol and node communications are achieved by the IP address and identifier of the node. The IP address in the network remains basically unchanged, so it is more likely to be attacked by network intruder. To this end, it is important to make periodic dynamic hopping in a specific address space possible, so that an intruder fails to obtain the internal network address and grid topological structure in real time and to continue to perform infiltration by the building of a new address space layout randomization system on the basis of SDN from the perspective of an attacker.

In recent trends, Cyber-Physical Systems (CPS) and Internet of Things interpret an evolution of computerized integration connectivity. The specific research challenges in CPS as security, privacy, data analytics, participate sensing, smart decision making. In addition, The challenges in Wireless Sensor Network (WSN) includes secure architecture, energy efficient protocols and quality of services. In this paper, we present an architectures of CPS and its protocols and applications. We propose software related mobile sensing paradigm namely Mobile Sensor Information Agent (MSIA). It works as plug-in based for CPS middleware and scalable applications in mobile devices. The working principle MSIA is acts intermediary device and gathers data from a various external sensors and its upload to cloud on demand. CPS needs tight integration between cyber world and man-made physical world to achieve stability, security, reliability, robustness, and efficiency in the system. Emerging software-defined networking (SDN) can be integrated as the communication infrastructure with CPS infrastructure to accomplish such system. Thus we propose a possible SDN-based CPS framework to improve the performance of the system.

Software Defined Networking (SDN) provides new functionalities to efficiently manage the network traffic, which can be used to enhance the networking capabilities to support the growing communication demands today. But at the same time, it introduces new attack vectors that can be exploited by attackers. Hence, evaluating and selecting countermeasures to optimize the security of the SDN is of paramount importance. However, one should also take into account the trade-off between security and performance of the SDN. In this paper, we present a security optimization approach for the SDN taking into account the trade-off between security and performance. We evaluate the security of the SDN using graphical security models and metrics, and use queuing models to measure the performance of the SDN. Further, we use Genetic Algorithms, namely NSGA-II, to optimally select the countermeasure with performance and security constraints. Our experimental analysis results show that the proposed approach can efficiently compute the countermeasures that will optimize the security of the SDN while satisfying the performance constraints.

We present a system architecture for autonomic operation, administration and maintenance of both the optical and digital layers within the integrated optical transport network infrastructure. This framework encompasses the end-to-end instrumentation: From equipment commissioning to automatic discovery and bring-up, to self-managed, self-(re)configuring optical transport layer. We leverage prevalent networking protocols to build an autonomic control plane for the optical network elements. Various aspects of security, a critical element for self-managed operations, are addressed. We conclude with a discussion on the interaction with SDN, and how autonomic functions can benefit from these capabilities, a brief survey of standardization activities and scope for future work.

The traditional network used today is unable to meet the increasing needs of technology in terms of management, scaling, and performance criteria. Major developments in information and communication technologies show that the traditional network structure is quite lacking in meeting the current requirements. In order to solve these problems, Software Defined Network (SDN) is capable of responding as it, is flexible, easier to manage and offers a new structure. Software Defined Networks have many advantages over traditional network structure. However, it also brings along many security threats due to its new architecture. For example, the DoS attack, which overloads the controller's processing and communication capacity in the SDN structure, is a significant threat. Mobile Ad Hoc Network (MANET), which is one of the wireless network technologies, is different from SDN technology. MANET is exposed to various attacks such as DoS due to its security vulnerabilities. The aim of the study is to reveal the security problems in SDN structure presented with a new understanding. This is based on the currently used network structures such as MANET. The study consists of two parts. First, DoS attacks against the SDN controller were performed. Different SDN controllers were used for more accurate results. Second, MANET was established and DoS attacks against this network were performed. Different MANET routing protocols were used for more accurate results. According to the scenario, attacks were performed and the performance values of the networks were tested. The reason for using two different networks in this study is to compare the performance values of these networks at the time of attack. According to the test results, both networks were adversely affected by the attacks. It was observed that network performance decreased in MANET structure but there was no network interruption. The SDN controller becomes dysfunctional and collapses as a result of the attack. While the innovations offered by the SDN structure are expected to provide solutions to many problems in traditional networks, there are still many vulnerabilities for network security.

Software defined networks represent a new centralized network abstraction that aims to ease configuration and facilitate applications and services deployment to manage the upper layers. However, SDN faces several challenges that slow down its implementation such as security which represents one of the top concerns of SDN experts. Indeed, SDN inherits all security matters from traditional networks and suffers from some additional vulnerability due to its centralized and unique architecture. Using traditional security devices and solutions to mitigate SDN threats can be very complicated and can negatively effect the networks performance. In this paper we propose a study that measures the impact of using some well-known security solution to mitigate intrusions on SDN's performances. We will also present an algorithm named KPG-MT adapted to SDN architecture that aims to mitigate threats such as a Man in the Middle, Deny of Services and malware-based attacks. An implementation of our algorithm based on multiple attacks' scenarios and mitigation processes will be made to prove the efficiency of the proposed framework.

Software defined Network is a network defined by software, which is one of the important feature which makes the legacy old networks to be flexible for dynamic configuration and so can cater to today's dynamic application requirement. It is a programmable network but it is prone to different type of attacks due to its centralized architecture. The author provided a solution to detect and prevent Distributed Denial of service attack in the paper. Mininet [5] which is a popular emulator for Software defined Network is used. We followed the approach in which collection of the traffic statistics from the various switches is done. After collection we calculated the packet rate and bandwidth which shoots up to high values when attack take place. The abrupt increase detects the attack which is then prevented by changing the forwarding logic of the host nodes to drop the packets instead of forwarding. After this, no more packets will be forwarded and then we also delete the forwarding rule in the flow table. Hence, we are finding out the change in packet rate and bandwidth to detect the attack and to prevent the attack we modify the forwarding logic of the switch flow table to drop the packets coming from malicious host instead of forwarding it.

The application of the concept of software-defined networks (SDN) has, on the one hand, led to the simplification and reduction of switches price, and on the other hand, has created a significant number of problems related to the security of the SDN network. In several studies was noted that these problems are related to the lack of flexibility and programmability of the data plane, which is likely first to suffer potential denial-of-service (DoS) attacks. One possible way to overcome this problem is to increase the flexibility of the data plane by increasing the depth of programmability of the packet-switching nodes below the level of flow table management. Therefore, this paper investigates the opportunity of using the architecture of deeply programmable packet-switching nodes (DPPSN) in the implementation of a firewall. Then, an architectural model of the firewall based on a hybrid FPGA/CPU data plane architecture has been proposed and implemented. Realized firewall supports three models of DoS attacks mitigation: DoS traffic filtering on the output interface, DoS traffic filtering on the input interface, and DoS attack redirection to the honeypot. Experimental evaluation of the implemented firewall has shown that DoS traffic filtering at the input interface is the best strategy for DoS attack mitigation, which justified the application of the concept of deep network programmability.

Distributed Denial of Service(DDoS) attacks have become most important network security threat as the number of devices are connected to internet increases exponentially and reaching an attack volume approximately very high compared to other attacks. To make the network safe and flexible a new networking infrastructure such as Software Defined Networking (SDN) has come into effect, which relies on centralized controller and decoupling of control and data plane. However due to it's centralized controller it is prone to DDoS attacks, as it makes the decision of forwarding of packets based on rules installed in switch by OpenFlow protocol. Out of all different DDoS attacks, UDP (User Datagram Protocol) flooding constitute the most in recent years. In this paper, we have proposed an entropy based DDoS detection and rate limiting based mitigation for efficient service delivery. We have evaluated using Mininet as emulator and Ryu as controller by taking switch as OpenVswitch and obtained better result in terms of bandwidth utilization and hit ratio which consume network resources to make denial of service.

A DDoS attack is a spiteful attempt to disrupt legitimate traffic to a server by overwhelming the target with a flood of requests from geographically dispersed systems. Today attackers prefer DDoS attack methods to disrupt target services as they generate GBs to TBs of random data to flood the target. In existing mitigation strategies, because of lack of resources and not having the flexibility to cope with attacks by themselves, they are not considered to be that effective. So effective DDoS mitigation techniques can be provided using emerging technologies such as blockchain and SDN(Software-Defined Networking). We propose an architecture where a smart contract is deployed in a private blockchain, which facilitates a collaborative DDoS mitigation architecture across multiple network domains. Blockchain application is used as an additional security service. With Blockchain, shared protection is enabled among all hosts. With help of smart contracts, rules are distributed among all hosts. In addition, SDN can effectively enable services and security policies dynamically. This mechanism provides ASes(Autonomous Systems) the possibility to deploy their own DPS(DDoS Prevention Service) and there is no need to transfer control of the network to the third party. This paper focuses on the challenges of protecting a hybridized enterprise from the ravages of rapidly evolving Distributed Denial of Service(DDoS) attack.

SDN is new networking concept which has revolutionized the network architecture in recent years. It decouples control plane from data plane. Architectural change provides re-programmability and centralized control management of the network. At the same time it also increases the complexity of underlying physical infrastructure of the network. Unfortunately, the centralized control of the network introduces new vulnerabilities and attacks. Attackers can exploit the limitation of centralized control by DDoS attack on control plane. The entire network can be compromised by DDoS attack. Based on packet entropy, a solution for mitigation of DDoS attack provided in the proposed scheme.

Software-defined networking (SDN) is a relatively new technology that promotes network revolution. The most distinct characteristic of SDN is the transformation of control logic from the basic packet forwarding equipment to a centralized management unit called controller. However, the centralized control of the network resources is like a double-edged sword, for it not only brings beneficial features but also introduces single point of failure if the controller is under distributed denial of service (DDoS) attacks. In this paper, we introduce a light-weight approach based on conditional entropy to improve the SDN security with an aim of defending DDoS at the early stage. The experimental results show that the proposed method has a high average detection rate of 99.372%.

For controllers of Software Defined Network (SDN), Distributed Denial of Service (DDoS) attacks are still the simplest and most effective way to attack. Aiming at this problem, a real-time DDoS detection attack method for SDN controller is proposed. The method first uses the entropy to detect whether the flow is abnormal. After the abnormal warning is issued, the flow entry of the OpenFlow switch is obtained, and the DDoS attack feature in the SDN environment is analyzed to extract important features related to the attack. The BiLSTM-RNN neural network algorithm is used to train the data set, and the BiLSTM model is generated to classify the real-time traffic to realize the DDoS attack detection. Experiments show that, compared with other methods, this method can efficiently implement DDoS attack traffic detection and reduce controller overhead in SDN environment.

With the rapid development of Internet of Things (IoT), distributed denial of service (DDoS) attacks become the important security threat of the IoT. Characteristics of IoT, such as large quantities and simple function, which have easily caused the IoT devices or servers to be attacked and be turned into botnets for launching DDoS attacks. In this paper, we use software-defined networking (SDN) to develop moving target defense (MTD) architecture that increases uncertainty because of ever changing attack surface. In addition, we deploy SDN-based honeypots to mimic IoT devices, luring attackers and malwares. Finally, experimental results show that combination of MTD and SDN-based honeypots can effectively hide network asset from scanner and defend against DDoS attacks in IoT.

Honeypots have become an important tool for capturing attacks. Hybrid honeypots, including the front end and the back end, are widely used in research because of the scalability of the front end and the high interactivity of the back end. However, traditional hybrid honeypots have some problems that the flow control is difficult and topology simulation is not realistic. This paper proposes a new architecture based on SDN applied to the hybrid honeypot system for network topology simulation and attack traffic migration. Our system uses the good expansibility and controllability of the SDN controller to simulate a large and realistic network to attract attackers and redirect high-level attacks to a high-interaction honeypot for attack capture and further analysis. It improves the deficiencies in the network spoofing technology and flow control technology in the traditional honeynet. Finally, we set up the experimental environment on the mininet and verified the mechanism. The test results show that the system is more intelligent and the traffic migration is more stealthy.

Through time inference attacks, adversaries fingerprint SDN controllers, estimate switches flow-table size, and perform flow state reconnaissance. In fact, timing a SDN and analyzing its results can expose information which later empowers SDN resource-consumption or saturation attacks. In the real world, however, launching such attacks is not easy. This is due to some challenges attackers may encounter while attacking an actual SDN deployment. These challenges, which are not addressed adequately in the related literature, are investigated in this paper. Accordingly, practical solutions to mitigate such attacks are also proposed. Discussed challenges are clarified by means of conducting extensive experiments on an actual cloud data center testbed. Moreover, mitigation schemes have been implemented and examined in details. Experimental results show that proposed countermeasures effectively block time inference attacks.

Moving target defense (MTD) is becoming popular with the advancements in Software Defined Networking (SDN) technologies. With centralized management through SDN, changing the network attributes such as routes to escape from attacks is simple and fast. Yet, the available alternate routes are bounded by the network topology, and a persistent attacker that continuously perform the reconnaissance can extract the whole link-map of the network. To address this issue, we propose to use virtual shadow networks (VSNs) by applying Network Function Virtualization (NFV) abilities to the network in order to deceive attacker with the fake topology information and not reveal the actual network topology and characteristics. We design this approach under a formal framework for Internet Service Provider (ISP) networks and apply it to the recently emerged indirect DDoS attacks, namely Crossfire, for evaluation. The results show that attacker spends more time to figure out the network behavior while the costs on the defender and network operations are negligible until reaching a certain network size.