Visible to the public Biblio

Filters: Keyword is control plane  [Clear All Filters]
2023-07-12
Salman, Fatema, Jedidi, Ahmed.  2022.  Trust-Aware Security system for Dynamic Southbound Communication in Software Defined Network. 2022 International Conference on Innovation and Intelligence for Informatics, Computing, and Technologies (3ICT). :93—97.
The vast proliferation of the connected devices makes the operation of the traditional networks so complex and drops the network performance, particularly, failure cases. In fact, a novel solution is proposed to enable the management of the network resources and services named software defined network (SDN). SDN splits the data plane and the control plane by centralizing all the control plane on one common platform. Further, SDN makes the control plane programmable by offering high flexibility for the network management and monitoring mostly in failure cases. However, the main challenge in SDN is security that is presented as the first barrier for its development. Security in SDN is presented at various levels and forms, particularly, the communication between the data plane and control plane that presents a weak point in SDN framework. In this article, we suggest a new security framework focused on the combination between the trust and awareness concepts (TAS-SDN) for a dynamic southbound communication SDN. Further, TAS-SDN uses trust levels to establish a secure communication between the control plane and data plane. As a result, we discuss the implementation and the performance of TAS-SDN which presents a promote security solution in terms of time execution, complexity and scalability for SDN.
2023-02-17
Sharma, Pradeep Kumar, Kumar, Brijesh, Tyagi, S.S.  2022.  STADS: Security Threats Assessment and Diagnostic System in Software Defined Networking (SDN). 2022 International Conference on Machine Learning, Big Data, Cloud and Parallel Computing (COM-IT-CON). 1:744–751.
Since the advent of the Software Defined Networking (SDN) in 2011 and formation of Open Networking Foundation (ONF), SDN inspired projects have emerged in various fields of computer networks. Almost all the networking organizations are working on their products to be supported by SDN concept e.g. openflow. SDN has provided a great flexibility and agility in the networks by application specific control functions with centralized controller, but it does not provide security guarantees for security vulnerabilities inside applications, data plane and controller platform. As SDN can also use third party applications, an infected application can be distributed in the network and SDN based systems may be easily collapsed. In this paper, a security threats assessment model has been presented which highlights the critical areas with security requirements in SDN. Based on threat assessment model a proposed Security Threats Assessment and Diagnostic System (STADS) is presented for establishing a reliable SDN framework. The proposed STADS detects and diagnose various threats based on specified policy mechanism when different components of SDN communicate with controller to fulfil network requirements. Mininet network emulator with Ryu controller has been used for implementation and analysis.
2022-01-25
Uddin Nadim, Taef, Foysal.  2021.  Towards Autonomic Entropy Based Approach for DDoS Attack Detection and Mitigation Using Software Defined Networking. 2021 International Conference on Automation, Control and Mechatronics for Industry 4.0 (ACMI). :1—5.
Software defined networking (SDN) architecture frame- work eases the work of the network administrators by separating the data plane from the control plane. This provides a programmable interface for applications development related to security and management. The centralized logical controller provides more control over the total network, which has complete network visibility. These SDN advantages expose the network to vulnerabilities and the impact of the attacks is much severe when compared to traditional networks, where the network devices have protection from the attacks and limits the occurrence of attacks. In this paper, we proposed an entropy based algorithm in SDN to detect as well as stopping distributed denial of service (DDoS) attacks on the servers or clouds or hosts. Firstly, there explored various attacks that can be launched on SDN at different layers. Basically DDoS is one kind of denial of service attack in which an attacker uses multiple distributed sources for attacking a particular server. Every network in a system has an entropy and an increase in the randomness of probability causes entropy to decrease. In comparison with previous entropy based approaches this approach has higher performance in distinguishing legal and illegal traffics and blocking illegal traffic paths. Linux OS and Mininet Simulator along with POX controller are used to validate the proposed approach. By conducting pervasive simulation along with theoretical analysis this method can definitely detect and stop DDoS attacks automatically.
2021-02-16
Wang, L., Liu, Y..  2020.  A DDoS Attack Detection Method Based on Information Entropy and Deep Learning in SDN. 2020 IEEE 4th Information Technology, Networking, Electronic and Automation Control Conference (ITNEC). 1:1084—1088.
Software Defined Networking (SDN) decouples the control plane and the data plane and solves the difficulty of new services deployment. However, the threat of a single point of failure is also introduced at the same time. The attacker can launch DDoS attacks towards the controller through switches. In this paper, a DDoS attack detection method based on information entropy and deep learning is proposed. Firstly, suspicious traffic can be inspected through information entropy detection by the controller. Then, fine-grained packet-based detection is executed by the convolutional neural network (CNN) model to distinguish between normal traffic and attack traffic. Finally, the controller performs the defense strategy to intercept the attack. The experiments indicate that the accuracy of this method reaches 98.98%, which has the potential to detect DDoS attack traffic effectively in the SDN environment.
Abdulkarem, H. S., Dawod, A..  2020.  DDoS Attack Detection and Mitigation at SDN Data Plane Layer. 2020 2nd Global Power, Energy and Communication Conference (GPECOM). :322—326.
In the coming future, Software-defined networking (SDN) will become a technology more responsive, fully automated, and highly secure. SDN is a way to manage networks by separate the control plane from the forwarding plane, by using software to manage network functions through a centralized control point. A distributed denial-of-service (DDoS) attack is the most popular malicious attempt to disrupt normal traffic of a targeted server, service, or network. The problem of the paper is the DDoS attack inside the SDN environment and how could use SDN specifications through the advantage of Open vSwitch programmability feature to stop the attack. This paper presents DDoS attack detection and mitigation in the SDN data-plane by applying a written SDN application in python language, based on the malicious traffic abnormal behavior to reduce the interference with normal traffic. The evaluation results reveal detection and mitigation time between 100 to 150 sec. The work also sheds light on the programming relevance with the open daylight controller over an abstracted view of the network infrastructure.
Zhai, P., Song, Y., Zhu, X., Cao, L., Zhang, J., Yang, C..  2020.  Distributed Denial of Service Defense in Software Defined Network Using OpenFlow. 2020 IEEE/CIC International Conference on Communications in China (ICCC). :1274—1279.
Software Defined Network (SDN) is a new type of network architecture solution, and its innovation lies in decoupling traditional network system into a control plane, a data plane, and an application plane. It logically implements centralized control and management of the network, and SDN is considered to represent the development trend of the network in the future. However, SDN still faces many security challenges. Currently, the number of insecure devices is huge. Distributed Denial of Service (DDoS) attacks are one of the major network security threats.This paper focuses on the detection and mitigation of DDoS attacks in SDN. Firstly, we explore a solution to detect DDoS using Renyi entropy, and we use exponentially weighted moving average algorithm to set a dynamic threshold to adapt to changes of the network. Second, to mitigate this threat, we analyze the historical behavior of each source IP address and score it to determine the malicious source IP address, and use OpenFlow protocol to block attack source.The experimental results show that the scheme studied in this paper can effectively detect and mitigate DDoS attacks.
2021-01-11
Malik, A., Fréin, R. de, Al-Zeyadi, M., Andreu-Perez, J..  2020.  Intelligent SDN Traffic Classification Using Deep Learning: Deep-SDN. 2020 2nd International Conference on Computer Communication and the Internet (ICCCI). :184–189.
Accurate traffic classification is fundamentally important for various network activities such as fine-grained network management and resource utilisation. Port-based approaches, deep packet inspection and machine learning are widely used techniques to classify and analyze network traffic flows. However, over the past several years, the growth of Internet traffic has been explosive due to the greatly increased number of Internet users. Therefore, both port-based and deep packet inspection approaches have become inefficient due to the exponential growth of the Internet applications that incurs high computational cost. The emerging paradigm of software-defined networking has reshaped the network architecture by detaching the control plane from the data plane to result in a centralised network controller that maintains a global view over the whole network on its domain. In this paper, we propose a new deep learning model for software-defined networks that can accurately identify a wide range of traffic applications in a short time, called Deep-SDN. The performance of the proposed model was compared against the state-of-the-art and better results were reported in terms of accuracy, precision, recall, and f-measure. It has been found that 96% as an overall accuracy can be achieved with the proposed model. Based on the obtained results, some further directions are suggested towards achieving further advances in this research area.
2020-11-02
Siddiqui, Abdul Jabbar, Boukerche, Azzedine.  2018.  On the Impact of DDoS Attacks on Software-Defined Internet-of-Vehicles Control Plane. 2018 14th International Wireless Communications Mobile Computing Conference (IWCMC). :1284—1289.

To enhance the programmability and flexibility of network and service management, the Software-Defined Networking (SDN) paradigm is gaining growing attention by academia and industry. Motivated by its success in wired networks, researchers have recently started to embrace SDN towards developing next generation wireless networks such as Software-Defined Internet of Vehicles (SD-IoV). As the SD-IoV evolves, new security threats would emerge and demand attention. And since the core of the SD-IoV would be the control plane, it is highly vulnerable to Distributed Denial of Service (DDoS) Attacks. In this work, we investigate the impact of DDoS attacks on the controllers in a SD-IoV environment. Through experimental evaluations, we highlight the drastic effects DDoS attacks could have on a SD-IoV in terms of throughput and controller load. Our results could be a starting point to motivate further research in the area of SD-IoV security and would give deeper insights into the problems of DDoS attacks on SD-IoV.

2020-10-05
Chen, Jen-Jee, Tsai, Meng-Hsun, Zhao, Liqiang, Chang, Wei-Chiao, Lin, Yu-Hsiang, Zhou, Qianwen, Lu, Yu-Zhang, Tsai, Jia-Ling, Cai, Yun-Zhan.  2019.  Realizing Dynamic Network Slice Resource Management based on SDN networks. 2019 International Conference on Intelligent Computing and its Emerging Applications (ICEA). :120–125.
It is expected that the concept of Internet of everything will be realized in 2020 because of the coming of the 5G wireless communication technology. Internet of Things (IoT) services in various fields require different types of network service features, such as mobility, security, bandwidth, latency, reliability and control strategies. In order to solve the complex requirements and provide customized services, a new network architecture is needed. To change the traditional control mode used in the traditional network architecture, the Software Defined Network (SDN) is proposed. First, SDN divides the network into the Control Plane and Data Plane and then delegates the network management authority to the controller of the control layer. This allows centralized control of connections of a large number of devices. Second, SDN can help realizing the network slicing in the aspect of network layer. With the network slicing technology proposed by 5G, it can cut the 5G network out of multiple virtual networks and each virtual network is to support the needs of diverse users. In this work, we design and develop a network slicing framework. The contributions of this article are two folds. First, through SDN technology, we develop to provide the corresponding end-to-end (E2E) network slicing for IoT applications with different requirements. Second, we develop a dynamic network slice resource scheduling and management method based on SDN to meet the services' requirements with time-varying characteristics. This is usually observed in streaming and services with bursty traffic. A prototyping system is completed. The effectiveness of the system is demonstrated by using an electronic fence application as a use case.
2020-06-29
Yadav, Sanjay Kumar, Suguna, P, Velusamy, R. Leela.  2019.  Entropy based mitigation of Distributed-Denial-of-Service (DDoS) attack on Control Plane in Software-Defined-Network (SDN). 2019 10th International Conference on Computing, Communication and Networking Technologies (ICCCNT). :1–7.
SDN is new networking concept which has revolutionized the network architecture in recent years. It decouples control plane from data plane. Architectural change provides re-programmability and centralized control management of the network. At the same time it also increases the complexity of underlying physical infrastructure of the network. Unfortunately, the centralized control of the network introduces new vulnerabilities and attacks. Attackers can exploit the limitation of centralized control by DDoS attack on control plane. The entire network can be compromised by DDoS attack. Based on packet entropy, a solution for mitigation of DDoS attack provided in the proposed scheme.
2020-04-13
Phan, Trung V., Islam, Syed Tasnimul, Nguyen, Tri Gia, Bauschert, Thomas.  2019.  Q-DATA: Enhanced Traffic Flow Monitoring in Software-Defined Networks applying Q-learning. 2019 15th International Conference on Network and Service Management (CNSM). :1–9.
Software-Defined Networking (SDN) introduces a centralized network control and management by separating the data plane from the control plane which facilitates traffic flow monitoring, security analysis and policy formulation. However, it is challenging to choose a proper degree of traffic flow handling granularity while proactively protecting forwarding devices from getting overloaded. In this paper, we propose a novel traffic flow matching control framework called Q-DATA that applies reinforcement learning in order to enhance the traffic flow monitoring performance in SDN based networks and prevent traffic forwarding performance degradation. We first describe and analyse an SDN-based traffic flow matching control system that applies a reinforcement learning approach based on Q-learning algorithm in order to maximize the traffic flow granularity. It also considers the forwarding performance status of the SDN switches derived from a Support Vector Machine based algorithm. Next, we outline the Q-DATA framework that incorporates the optimal traffic flow matching policy derived from the traffic flow matching control system to efficiently provide the most detailed traffic flow information that other mechanisms require. Our novel approach is realized as a REST SDN application and evaluated in an SDN environment. Through comprehensive experiments, the results show that-compared to the default behavior of common SDN controllers and to our previous DATA mechanism-the new Q-DATA framework yields a remarkable improvement in terms of traffic forwarding performance degradation protection of SDN switches while still providing the most detailed traffic flow information on demand.
2019-01-21
Dixit, Vaibhav Hemant, Kyung, Sukwha, Zhao, Ziming, Doupé, Adam, Shoshitaishvili, Yan, Ahn, Gail-Joon.  2018.  Challenges and Preparedness of SDN-based Firewalls. Proceedings of the 2018 ACM International Workshop on Security in Software Defined Networks & Network Function Virtualization. :33–38.

Software-Defined Network (SDN) is a novel architecture created to address the issues of traditional and vertically integrated networks. To increase cost-effectiveness and enable logical control, SDN provides high programmability and centralized view of the network through separation of network traffic delivery (the "data plane") from network configuration (the "control plane"). SDN controllers and related protocols are rapidly evolving to address the demands for scaling in complex enterprise networks. Because of the evolution of modern SDN technologies, production networks employing SDN are prone to several security vulnerabilities. The rate at which SDN frameworks are evolving continues to overtake attempts to address their security issues. According to our study, existing defense mechanisms, particularly SDN-based firewalls, face new and SDN-specific challenges in successfully enforcing security policies in the underlying network. In this paper, we identify problems associated with SDN-based firewalls, such as ambiguous flow path calculations and poor scalability in large networks. We survey existing SDN-based firewall designs and their shortcomings in protecting a dynamically scaling network like a data center. We extend our study by evaluating one such SDN-specific security solution called FlowGuard, and identifying new attack vectors and vulnerabilities. We also present corresponding threat detection techniques and respective mitigation strategies.

2018-05-09
Atli, A. V., Uluderya, M. S., Tatlicioglu, S., Gorkemli, B., Balci, A. M..  2017.  Protecting SDN controller with per-flow buffering inside OpenFlow switches. 2017 IEEE International Black Sea Conference on Communications and Networking (BlackSeaCom). :1–5.

Software Defined Networking (SDN) is a paradigm shift that changes the working principles of IP networks by separating the control logic from routers and switches, and logically centralizing it within a controller. In this architecture the control plane (controller) communicates with the data plane (switches) through a control channel using a standards-compliant protocol, that is, OpenFlow. While having a centralized controller creates an opportunity to monitor and program the entire network, as a side effect, it causes the control plane to become a single point of failure. Denial of service (DoS) attacks or even heavy control traffic conditions can easily become real threats to the proper functioning of the controller, which indirectly detriments the entire network. In this paper, we propose a solution to reduce the control traffic generated primarily during table-miss events. We utilize the buffer\_id feature of the OpenFlow protocol, which has been designed to identify individually buffered packets within a switch, reusing it to identify flows buffered as a series of packets during table-miss, which happens when there is no related rule in the switch flow tables that matches the received packet. Thus, we allow the OpenFlow switch to send only the first packet of a flow to the controller for a table-miss while buffering the rest of the packets in the switch memory until the controller responds or time out occurs. The test results show that OpenFlow traffic is significantly reduced when the proposed method is used.

2018-02-21
Jalaian, B., Dasari, V., Motani, M..  2017.  A generalized optimization framework for control plane in tactical wireless networking. 2017 International Conference on Computing, Networking and Communications (ICNC). :986–990.

Tactical networks are generally simple ad-hoc networks in design, however, this simple design often gets complicated, when heterogeneous wireless technologies have to work together to enable seamless multi-hop communications across multiple sessions. In recent years, there has been some significant advances in computational, radio, localization, and networking te, and session's rate i.e., aggregate capacity averaged over a 4-time-slot frame)chnologies, which motivate a clean slate design of the control plane for multi-hop tactical wireless networks. In this paper, we develop a global network optimization framework, which characterizes the control plane for multi-hop wireless tactical networks. This framework abstracts the underlying complexity of tactical wireless networks and orchestrates the the control plane functions. Specifically, we develop a cross-layer optimization framework, which characterizes the interaction between the physical, link, and network layers. By applying the framework to a throughput maximization problem, we show how the proposed framework can be utilized to solve a broad range of wireless multi-hop tactical networking problems.

2018-02-02
Hussein, A., Elhajj, I. H., Chehab, A., Kayssi, A..  2016.  SDN Security Plane: An Architecture for Resilient Security Services. 2016 IEEE International Conference on Cloud Engineering Workshop (IC2EW). :54–59.

Software Defined Networking (SDN) is the new promise towards an easily configured and remotely controlled network. Based on Centralized control, SDN technology has proved its positive impact on the world of network communications from different aspects. Security in SDN, as in traditional networks, is an essential feature that every communication system should possess. In this paper, we propose an SDN security design approach, which strikes a good balance between network performance and security features. We show how such an approach can be used to prevent DDoS attacks targeting either the controller or the different hosts in the network, and how to trace back the source of the attack. The solution lies in introducing a third plane, the security plane, in addition to the data plane, which is responsible for forwarding data packets between SDN switches, and parallel to the control plane, which is responsible for rule and data exchange between the switches and the SDN controller. The security plane is designed to exchange security-related data between a third party agent on the switch and a third party software module alongside the controller. Our evaluation shows the capability of the proposed system to enforce different levels of real-time user-defined security with low overhead and minimal configuration.

2018-01-16
Rengaraju, P., Ramanan, V. R., Lung, C. H..  2017.  Detection and prevention of DoS attacks in Software-Defined Cloud networks. 2017 IEEE Conference on Dependable and Secure Computing. :217–223.

One of the recent focuses in Cloud Computing networks is Software Defined Clouds (SDC), where the Software-Defined Networking (SDN) technology is combined with the traditional Cloud network. SDC is aimed to create an effective Cloud environment by extending the virtualization concept to all resources. In that, the control plane is decoupled from the data plane in a network device and controlled by the centralized controller using the OpenFlow Protocol (OFP). As the centralized controller performs all control functions in a network, it requires strong security. Already, Cloud Computing faces many security challenges. Most vulnerable attacks in SDC is Denial-of-Service (DoS) and Distributed DoS (DDoS) attacks. To overcome the DoS attacks, we propose a distributed Firewall with Intrusion Prevention System (IPS) for SDC. The proposed distributed security mechanism is investigated for two DoS attacks, ICMP and SYN flooding attacks for different network scenarios. From the simulation results and discussion, we showed that the distributed Firewall with IPS security detects and prevents the DoS attack effectively.

2015-05-05
Coras, F., Saucez, D., Iannone, L., Donnet, B..  2014.  On the performance of the LISP beta network. Networking Conference, 2014 IFIP. :1-9.

The future Internet has been a hot topic during the past decade and many approaches towards this future Internet, ranging from incremental evolution to complete clean slate ones, have been proposed. One of the proposition, LISP, advocates for the separation of the identifier and the locator roles of IP addresses to reduce BGP churn and BGP table size. Up to now, however, most studies concerning LISP have been theoretical and, in fact, little is known about the actual LISP deployment performance. In this paper, we fill this gap through measurement campaigns carried out on the LISP Beta Network. More precisely, we evaluate the performance of the two key components of the infrastructure: the control plane (i.e., the mapping system) and the interworking mechanism (i.e., communication between LISP and non-LISP sites). Our measurements highlight that performance offered by the LISP interworking infrastructure is strongly dependent on BGP routing policies. If we exclude misconfigured nodes, the mapping system typically provides reliable performance and relatively low median mapping resolution delays. Although the bias is not very important, control plane performance favors USA sites as a result of its larger LISP user base but also because European infrastructure appears to be less reliable.
 

Lopes Alcantara Batista, B., Lima de Campos, G.A., Fernandez, M.P..  2014.  Flow-based conflict detection in OpenFlow networks using first-order logic. Computers and Communication (ISCC), 2014 IEEE Symposium on. :1-6.

The OpenFlow architecture is a proposal from the Clean Slate initiative to define a new Internet architecture where the network devices are simple, and the control and management plane is performed by a centralized controller. The simplicity and centralization architecture makes it reliable and inexpensive. However, this architecture does not provide mechanisms to detect conflicting in flows, allowing that unreachable flows can be configured in the network elements, and the network may not behave as expected. This paper proposes an approach to conflict detection using first-order logic to define possible antagonisms and employ an inference engine to detect conflicting flows before the OpenFlow controller implement in the network elements.
 

Sourlas, V., Tassiulas, L..  2014.  Replication management and cache-aware routing in information-centric networks. Network Operations and Management Symposium (NOMS), 2014 IEEE. :1-7.

Content distribution in the Internet places content providers in a dominant position, with delivery happening directly between two end-points, that is, from content providers to consumers. Information-Centrism has been proposed as a paradigm shift from the host-to-host Internet to a host-to-content one, or in other words from an end-to-end communication system to a native distribution network. This trend has attracted the attention of the research community, which has argued that content, instead of end-points, must be at the center stage of attention. Given this emergence of information-centric solutions, the relevant management needs in terms of performance have not been adequately addressed, yet they are absolutely essential for relevant network operations and crucial for the information-centric approaches to succeed. Performance management and traffic engineering approaches are also required to control routing, to configure the logic for replacement policies in caches and to control decisions where to cache, for instance. Therefore, there is an urgent need to manage information-centric resources and in fact to constitute their missing management and control plane which is essential for their success as clean-slate technologies. In this thesis we aim to provide solutions to crucial problems that remain, such as the management of information-centric approaches which has not yet been addressed, focusing on the key aspect of route and cache management.
 

2014-09-17
Chasaki, D., Wolf, T..  2012.  Attacks and Defenses in the Data Plane of Networks. Dependable and Secure Computing, IEEE Transactions on. 9:798-810.

Security issues in computer networks have focused on attacks on end systems and the control plane. An entirely new class of emerging network attacks aims at the data plane of the network. Data plane forwarding in network routers has traditionally been implemented with custom-logic hardware, but recent router designs increasingly use software-programmable network processors for packet forwarding. These general-purpose processing devices exhibit software vulnerabilities and are susceptible to attacks. We demonstrate-to our knowledge the first-practical attack that exploits a vulnerability in packet processing software to launch a devastating denial-of-service attack from within the network infrastructure. This attack uses only a single attack packet to consume the full link bandwidth of the router's outgoing link. We also present a hardware-based defense mechanism that can detect situations where malicious packets try to change the operation of the network processor. Using a hardware monitor, our NetFPGA-based prototype system checks every instruction executed by the network processor and can detect deviations from correct processing within four clock cycles. A recovery system can restore the network processor to a safe state within six cycles. This high-speed detection and recovery system can ensure that network processors can be protected effectively and efficiently from this new class of attacks.