Biblio

Over the last few years, the deployment of Internet of Things (IoT) is attaining much more concern on smart computing devices. With the exponential growth of small devices and at the same time cheap prices of these sensing devices, there raises an important question for the security of the stored information as these devices generate a large amount of private data for observing and controlling purposes. Distributed Denial of Service (DDoS) attacks are current examples of major security threats to IoT devices. As yet, no standard protocol can fully ensure the security of IoT devices. But adaptive decision making along with elasticity and incessant monitoring is required. These difficulties can be resolved with the assistance of Software Defined Networking (SDN) which can viably deal with the security dangers to the IoT devices in a powerful and versatile way without hampering the lightweightness of the IoT devices. Although SDN performs quite well for managing and controlling IoT devices, security is still an open concern. Nonetheless, there are a few challenges relating to the mitigation of DDoS attacks in IoT systems implemented with SDN architecture. In this paper, a brief overview of some of the popular DDoS attack mitigation techniques and their limitations are described. Also, the challenges of implementing these techniques in SDN-based architecture to IoT devices have been presented.

Software Defined Networking (SDN) focus on the isolation of control plane and data plane, greatly enhancing the network's support for heterogeneity and flexibility. However, although the programmable network greatly improves the performance of all aspects of the network, flexible load balancing across controllers still challenges the current SDN architecture. Complex application scenarios lead to flexible and changeable communication requirements, making it difficult to guarantee the Quality of Service (QoS) for SDN users. To address this issue, this paper proposes a paradigm that uses blockchain to incentive safe load balancing for multiple controllers. We proposed a controller consortium blockchain for secure and efficient load balancing of multi-controllers, which includes a new cryptographic currency balance coin and a novel consensus mechanism Proof-of-Balance (PoB). In addition, we have designed a novel game theory-based incentive mechanism to incentive controllers with tight communication resources to offload tasks to idle controllers. The security analysis and performance simulation results indicate the superiority and effectiveness of the proposed scheme.

Software Defined Networking (SDN) is a promising network architecture that aims at providing high flexibility through the separation between network logic (control plane) and forwarding functions (data plane). This separation provides logical centralization of controllers, global network overview, ease of programmability, and a range of new SDN-compliant services. In recent years, the adoption of SDN in enterprise networks has been constantly increasing. In the meantime, new challenges arise in different levels such as scalability, management, and security. In this paper, we elaborate on complex security issues in the current SDN architecture. Especially, reconnaissance attack where attackers generate traffic for the goal of exploring existing services, assets, and overall network topology. To eliminate reconnaissance attack in SDN environment, we propose SDN-based solution by utilizing distributed firewall application, security policy, and OpenFlow counters. Distributed firewall application is capable of tracking the flow based on pre-defined states that would monitor the connection to sensitive nodes toward malicious activity. We utilize Mininet to simulate the testing environment. We are able to detect and mitigate this type of attack at early stage and in average around 7 second.

Due to centralized control and programmable capability of the SDN architecture, network administrators can easily manage and control the whole network through the centralized controller. According to the SDN architecture, the SDN controller is vulnerable to distributed denial of service (DDOS) attacks. Thus, a failure of SDN controller is a major leak for security concern. The objectives of paper is therefore to detect the DDOS attacks and classify the normal or attack traffic in SDN network using machine learning algorithms. In this proposed system, polynomial SVM is applied to compare to existing linear SVM by using scapy, which is packet generation tool and RYU SDN controller. According to the experimental result, polynomial SVM achieves 3% better accuracy and 34% lower false alarm rate compared to Linear SVM.

Intrusion Detection system (IDS) was an application which was aimed to monitor network activity or system and it could find if there was a dangerous operation. Implementation of IDS on Software Define Network architecture (SDN) has drawbacks. IDS on SDN architecture might decreasing network Quality of Service (QoS). So the network could not provide services to the existing network traffic. Throughput, delay and packet loss were important parameters of QoS measurement. Snort IDS and bro IDS were tools in the application of IDS on the network. Both had differences, one of which was found in the detection method. Snort IDS used a signature based detection method while bro IDS used an anomaly based detection method. The difference between them had effects in handling the network traffic through it. In this research, we compared both tools. This comparison are done with testing parameters such as throughput, delay, packet loss, CPU usage, and memory usage. From this test, it was found that bro outperform snort IDS for throughput, delay , and packet loss parameters. However, CPU usage and memory usage on bro requires higher resource than snort.

The supervisory control and data acquisition (SCADA) network in a smart grid requires to be reliable and efficient to transmit real-time data to the controller. Introducing SDN into a SCADA network helps in deploying novel grid control operations, as well as, their management. As the overall network cannot be transformed to have only SDN-enabled devices overnight because of budget constraints, a systematic deployment methodology is needed. In this work, we present a framework, named SDNSynth, that can design a hybrid network consisting of both legacy forwarding devices and programmable SDN-enabled switches. The design satisfies the resiliency requirements of the SCADA network, which are specified with respect to a set of identified threat vectors. The deployment plan primarily includes the best placements of the SDN-enabled switches. The plan may include one or more links to be installed newly. We model and implement the SDNSynth framework that includes the satisfaction of several requirements and constraints involved in resilient operation of the SCADA. It uses satisfiability modulo theories (SMT) for encoding the synthesis model and solving it. We demonstrate SDNSynth on a case study and evaluate its performance on different synthetic SCADA systems.

Software defined networks represent a new centralized network abstraction that aims to ease configuration and facilitate applications and services deployment to manage the upper layers. However, SDN faces several challenges that slow down its implementation such as security which represents one of the top concerns of SDN experts. Indeed, SDN inherits all security matters from traditional networks and suffers from some additional vulnerability due to its centralized and unique architecture. Using traditional security devices and solutions to mitigate SDN threats can be very complicated and can negatively effect the networks performance. In this paper we propose a study that measures the impact of using some well-known security solution to mitigate intrusions on SDN's performances. We will also present an algorithm named KPG-MT adapted to SDN architecture that aims to mitigate threats such as a Man in the Middle, Deny of Services and malware-based attacks. An implementation of our algorithm based on multiple attacks' scenarios and mitigation processes will be made to prove the efficiency of the proposed framework.

The next generation military environment requires a delay-tolerant network for sharing data and resources using an interoperable computerized, Command, Control, Communications, Intelligence, Surveillance and Reconnaissance (C4ISR) infrastructure. In this paper, we propose a new distributed SDN (Software-Defined Networks) architecture for tactical environments based on distributed cloudlets. The objective is to reduce the end-to-end delay of tactical traffic flow, and improve management capabilities, allowing flexible control and network resource allocation. The proposed SDN architecture is implemented over three layers: decentralized cloudlets layer where each cloudlet has its SDRN (Software-Defined Radio Networking) controller, decentralized MEC (Mobile Edge Computing) layer with an SDN controller for each MEC, and a centralized private cloud as a trusted third-part authority controlled by a centralized SDN controller. The experimental validations are done via relevant and realistic tactical scenarios based on strategic traffics loads, i.e., Tactical SMS (Short Message Service), UVs (Unmanned Vehicle) patrol deployment and high bite rate ISR (Intelligence, Surveillance, and Reconnaissance) video.

Software Defined Networking (SDN) is a major paradigm in controlling and managing number of heterogeneous networks. It's a real challenge however to secure such complex networks which are heterogeneous in network security. The centralization of the intelligence in network presents both an opportunity as well as security threats. This paper focuses on various potential security challenges at the various levels of SDN architecture such as Denial of service (DoS) attack and its countermeasures. The paper shows the detection of DoS attck with S-FlowRT.

Software Defined Networking (SDN) has introduced both innovative opportunities and additional risks in the computer networking. Among disadvantages of SDNs one can mention their susceptibility to vulnerabilities associated with both virtualization and the traditional networking. Selecting a proper controller for an organization may not be a trivial task as there is a variety of SDN controllers on the market and each of them may come with its own pros and cons from the security point of view. This research proposes a comprehensive methodology for organizations to evaluate security-related features available in SDN controllers. The methodology can serve as a guideline in the decisions related to SDN choice. The proposed security assessment follows a structured approach to evaluate each layer of the SDN architecture and each metrics defined in presented research has been matched with the security controls defined in NIST 800-53. Through the tests on actual controllers the paper provides an example on how the proposed methodology can be used to evaluate existing SDN solutions.

The Software Defined Networks (SDN) paradigm, often referred to as a radical new idea in networking, promises to dramatically simplify network management by enabling innovation through network programmability. However, notable security issues, such as app-to-control threats, remain a significant concern that impedes SDN from being widely adopted. To cope with those app-to-control threats, this paper proposes a solution to securely deploy valid network applications while protecting the SDN controller against the injection of the malicious application. This problem is mitigated by proposing a novel SDN architecture, dubbed SENAD, which splits the well-known SDN controller into: (1) a data plane controller (DPC), and (2) an application plane controller (APC), to secure this latter by design. The role of the DPC is dedicated for interpreting the network rules into OpenFlow entries and maintaining the communication with the data plane. The role of the APC, however, is to provide a secured runtime for deploying the network applications, including authentication, access control, resource isolation, control, and monitoring applications. We show that this approach can easily shield against any deny of service, caused for instance by the resource exhaustion attack or the malicious command injection, that is caused by the co-existence of a malicious application on the controller's runtime. The evaluation of our architecture shows that the packet\_in messages take less than 5 ms to be delivered from the data plane to the application plane on the long range.

DPI Management application which resides on the north-bound of SDN architecture is to analyze the application signature data from the network. The data being read and analyzed are of format JSON for effective data representation and flows provisioned from North-bound application is also of JSON format. The data analytic engine analyzes the data stored in the non-relational data base and provides the information about real-time applications used by the network users. Allows the operator to provision flows dynamically with the data from the network to allow/block flows and also to boost the bandwidth. The DPI Management application allows decoupling of application with the controller; thus providing the facility to run it in any hyper-visor within network. Able to publish SNMP trap notifications to the network operators with application threshold and flow provisioning behavior. Data purging from non-relational database at frequent intervals to remove the obsolete analyzed data.

Software defined networking promises network operators to dramatically simplify network management. It provides flexibility and innovation through network programmability. With SDN, network management moves from codifying functionality in terms of low-level device configuration to building software that facilitates network management and debugging[1]. SDN provides new techniques to solve long-standing problems in networking like routing by separating the complexity of state distribution from network specification. Despite all the hype surrounding SDNs, exploiting its full potential is demanding. Security is still the major issue and a striking challenge that reduces the growth of SDNs. Moreover the introduction of various architectural components and up cycling of novel entities of SDN poses new security issues and threats. SDN is considered as major target for digital threats and cyber-attacks[2] and have more devastating effects than simple networks. Initial SDN design doesn't considered security as its part; therefore, it must be raised on the agenda. This article discusses the security solutions proposed to secure SDNs. We categorize the security solutions in the article by presenting a thematic taxonomy based on SDN architectural layers/interfaces[3], security measures and goals, simulation framework. Moreover, the literature also points out the possible attacks[2] targeting different layers/interfaces of SDNs. For securing SDNs, the potential requirements and their key enablers are also identified and presented. Also, the articles sketch the design of secure and dependable SDNs. At last, we discuss open issues and challenges of SDN security that may be rated appropriate to be handled by professionals and researchers in the future.

In the paper a programmable management framework for SDN networks is presented. The concept is in-line with SDN philosophy - it can be programmed from scratch. The implemented management functions can be case dependent. The concept introduces a new node in the SDN architecture, namely the SDN manager. In compliance with the latest trends in network management the approach allows for embedded management of all network nodes and gradual implementation of management functions providing their code lifecycle management as well as the ability to on-the-fly code update. The described concept is a bottom-up approach, which key element is distributed execution environment (PDEE) that is based on well-established technologies like OSGI and FIPA. The described management idea has strong impact on the evolution of the SDN architecture, because the proposed distributed execution environment is a generic one, therefore it can be used not only for the management, but also for distributing of control or application functions.