Similar literature (20 results)
1.
Software-defined networks (SDNs) decouple the data plane from the control plane and thus give the controller a logically centralized view of the entire networking infrastructure. This lets applications running on top of the control plane innovate through network management and programmability. To realize that centralized control and visibility, the controller must discover the network topology of the whole SDN infrastructure. Discovering and maintaining a global view of the underlying topology is challenging, however, because of (i) frequent topology changes caused by virtual machine migration in data centers, mobile end hosts, and changes in the number of data-plane switches due to faults or upgrades; (ii) the lack of authentication mechanisms and the scarcity of SDN standards; and (iii) the lack of security solutions for the topology discovery process. To this end, the aim of this paper is threefold. First, we investigate the working methodologies used to build the global view by different SDN controllers, specifically POX, Ryu, OpenDaylight, Floodlight, Beacon, ONOS, and HPE VAN. Second, we identify vulnerabilities that affect the topology discovery process in these controller implementations; in particular, we provide a detailed analysis of link layer discovery protocol (LLDP) poisoning, LLDP flooding, and LLDP replay attacks against these controllers. Finally, to counter the identified risks, we propose a novel mechanism called TILAK, which generates random destination MAC addresses for LLDP packets and uses this randomness to create the flow entry for LLDP packets. It is a periodic process that prevents the LLDP packet-based attacks that arise only because the source authenticity and integrity of LLDP packets are never verified. The implementation results for TILAK confirm that it covers the targeted threats with a low resource penalty.
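To make the TILAK mechanism concrete, here is an added Python model (not the paper's code) of a controller that draws a random LLDP destination MAC each period and installs a flow entry matching only that address, so a forged probe sent to the standard LLDP multicast address, or a genuine probe captured in an earlier period and replayed, never reaches the controller. The `Frame` layout, the `TilakController` class and its period/rotation API are assumptions made for illustration; the paper's actual flow-entry format is not given above.

```python
import secrets
from dataclasses import dataclass

LLDP_ETHERTYPE = 0x88CC
STD_LLDP_DST = "01:80:c2:00:00:0e"  # well-known LLDP multicast address


def random_unicast_mac() -> str:
    """Random locally administered, unicast MAC (bit 1 of first octet set, bit 0 clear)."""
    b = bytearray(secrets.token_bytes(6))
    b[0] = (b[0] | 0x02) & 0xFE
    return ":".join(f"{x:02x}" for x in b)


@dataclass(frozen=True)
class Frame:
    """Constructed Ethernet frame model (assumption, not a real LLDP encoding)."""
    dst: str
    src: str
    ethertype: int
    payload: bytes


class TilakController:
    """Minimal model of TILAK's periodic LLDP-destination randomisation (assumed API)."""

    def __init__(self) -> None:
        self.period = 0
        self.token = random_unicast_mac()
        self.flow_table: dict[str, str] = {}
        self._install_flow()

    def _install_flow(self) -> None:
        # One entry per period: LLDP frames whose dst equals the current random
        # token go to the controller; any other LLDP frame hits the drop default.
        self.flow_table = {self.token: "controller"}

    def rotate(self) -> None:
        """Start a new period: fresh random token, flow entry replaced."""
        self.period += 1
        self.token = random_unicast_mac()
        self._install_flow()

    def emit_probe(self, port_mac: str, payload: bytes) -> Frame:
        """Discovery probe the controller sends out of a switch port."""
        return Frame(self.token, port_mac, LLDP_ETHERTYPE, payload)

    def switch_action(self, frame: Frame) -> str:
        """What the data-plane switch does with an ingress frame."""
        if frame.ethertype != LLDP_ETHERTYPE:
            return "forward"  # non-LLDP traffic is unaffected
        return self.flow_table.get(frame.dst, "drop")


def demo() -> dict[str, str]:
    """Run the three cases from the abstract and return the switch decisions."""
    ctrl = TilakController()
    genuine = ctrl.emit_probe("00:00:00:00:00:01", b"chassis=s1,port=1")
    # Attacker-crafted probe addressed to the standard LLDP multicast address.
    forged = Frame(STD_LLDP_DST, "00:00:00:00:00:01", LLDP_ETHERTYPE, b"chassis=s1,port=1")
    results = {
        "genuine_probe": ctrl.switch_action(genuine),
        "forged_to_standard_mcast": ctrl.switch_action(forged),
    }
    ctrl.rotate()  # next period: a captured copy of `genuine` is now stale
    results["replayed_after_rotation"] = ctrl.switch_action(genuine)
    return results


if __name__ == "__main__":
    print(demo())
```

The rotation period bounds the replay window: a probe captured and reflected within the same period still carries a valid destination, so the period length is the knob that trades controller load against exposure.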

2.
Software-defined networking (SDN) is emerging as the next-generation networking architecture, aiming to improve network manageability and adaptability. However, because of its centralized control policy, SDN is liable to denial of service attacks in both the data plane and the control plane. To resist such attacks and keep the network from being paralyzed, we propose a novel mitigation scheme named flow migration defense, which uses a slave controller as a substitute to absorb flooding requests migrated from the master controller. Because normal requests may be mistaken for malicious ones, these requests are re-forwarded back to the master controller on the basis of round-robin scheduling. To prevent the master controller from being flooded by the re-forwarded requests, we design an adaptive rate adjustment method to tune the re-forwarding rate. Compared with a multilevel feedback queue and FloodDefender, simulations demonstrate that flow migration defense mitigates SDN-aimed denial of service attacks efficiently, with better request response time, packet loss rate, and mitigation time.

3.
For finding the best route in a network, distributed routing offers robustness but poor flexibility, while the central control of software-defined networking is just the opposite. The Fibbing architecture runs distributed routing protocols on software-defined networking and has both robustness and flexibility. The two main steps of Fibbing's process are (1) compute a route that is available for the network according to the network topology and the flow request, and (2) add fake nodes and fake links to augment the network topology in conformity with the distributed routing protocol and the route computed in the first step. Both steps affect network performance, but Fibbing does not consider them jointly, and the cost of the chosen routes can be reduced further. In this paper, a coordinated algorithm for Fibbing is proposed to determine a lowest-cost route. When computing an available route, our algorithm accounts not only for the network topology and the flow request but also for the fake nodes and fake links. Experiments on random and classic topologies show that our algorithm reduces the number of fake nodes and the cost of the chosen routes while improving the flow request acceptance ratio.

4.
To guarantee the QoS of multimedia applications in a mobile ad hoc network (MANET), a reliable packet transmission mechanism for MANETs is proposed. In this paper, we introduce an effective link lifetime estimation scheme. According to the current network topology and the estimated link lifetimes, the end-to-end connection is established adaptively in a best-effort manner. The relay node then uses network coding to combine and forward the packets on the working path. Furthermore, to balance the gain in reliability against the number of redundant packets, the time at which redundant packets are sent on the backup path is determined adaptively from the link stability. Simulations show that our mechanisms provide reliable transmission of data packets and improve the performance of the entire network in terms of packet delivery ratio, end-to-end delay and the number of control messages. Copyright © 2011 John Wiley & Sons, Ltd.

5.
Software-defined networking, which separates the control plane from the data plane, is envisioned as a promising technology for resilient and flexible network management. Tolerating link failures is a fundamental problem in enhancing such resilience in software-defined networking. Reactive and proactive fault-tolerance schemes for conventional networks may not balance fault recovery time against network performance well, since the proactive scheme typically underutilizes resources and the reactive scheme usually incurs a longer recovery time. In this paper, we propose a cooperative link failure recovery scheme that finds a fine-grained trade-off between resource utilization and recovery time by combining reactive and proactive methods. We formalize link failure recovery as a multiobjective optimization problem and devise a two-stage algorithm for it. The first stage guarantees connectivity restoration within an acceptable recovery interval, based on the fast failover feature of the OpenFlow protocol, and assigns virtual local area network tags to backup paths to lower memory consumption. The second stage guarantees quality of service for different applications by adjusting the backup paths after rapid connectivity restoration. Extensive simulations show that the cooperative link failure recovery scheme satisfies both carrier-grade recovery requirements and quality of service requirements in terms of delay and network bandwidth.

6.
The growing popularity of multimedia applications and services requires support for several quality of service metrics such as high throughput, low energy, and low jitter, which is a challenging task in mobile ad hoc networks. Because of limited bandwidth, energy constraints, dynamic topology, transmission errors, and fluctuating link stability, the links between adjacent nodes are often unreliable and may break because of node mobility. Link breakage initiates rerouting either at the sender node (the node at which the link breaks) or at the source node; in either case it leads to packet loss, delivery delays, and increased control overhead. Hence, to attain a minimum quality of service, routing protocols must address the dynamic network topology. Uncertain and varying node movement makes the stability of links between such nodes essential. This paper proposes two protocols, the first based on link stability and the other based on route stability. Link stability identifies a stable link from the available links to the next hop and determines a stable end-to-end route. The probability of successful transmission of periodic packets is used as the link stability metric to assess the stable path; acknowledgment-free packets are used to check connectivity in the network. A higher probability of successful transmission implies that the selected link is sustained for a longer duration and can deliver packets more reliably and, as a consequence, yields a stable link with a better data rate. With a stable link there are fewer retransmissions, reduced end-to-end delay, reduced control overhead, and an enhanced data delivery ratio. Selecting the most stable route for data transmission improves performance.
Experimental results from simulations on the EXata/Cyber v2.0 simulator reveal that our proposed protocols improve on existing protocols in terms of packet delivery ratio, average end-to-end delay, and average route lifetime, even without route optimization, at the cost of a minor increase in control packets. A case study of the application of the proposed protocols is also presented.

7.
Software-defined networking (SDN) creates a platform for dynamically configuring networks for on-demand services. By decoupling the two, SDN can easily control both the data plane and the control plane. The SDN controller regulates traffic flows and creates new flow entries based on the packet dumps received from the OpenFlow virtual switches. SDN steers both data and control information toward the destination based on the flow entry, but it contains no security measure to restrict malicious traffic. When malicious denial-of-service (DoS) attack traffic is generated inside the SDN environment, it leads to service unavailability. This paper focuses on detecting DoS attacks and mitigating the malicious traffic by dynamically configuring the firewall. The SDN with dynamic access control list properties is emulated in Mininet, and the experimental results show the service-availability gap between the acceptance and rejection ratios of packets.

8.
In software-defined networking (SDN), the TCP SYN flooding attack is considered one of the most effective attacks for saturating both the control plane and the target server. The attacker generates a large number of malicious SYN requests, and because no forwarding rules exist for them, the data-plane switches have to forward these SYN messages to the controller. This excessive forwarding congests the communication channel between the data plane and the control plane and exhausts computational resources in both planes. In this paper, we propose a novel countermeasure called SYN-Guard to detect and prevent SYN flooding in SDN networks. We fully implement SYN-Guard on the SDN controller to validate incoming TCP connection requests. The controller installs forwarding rules only for the SYN requests that pass SYN-Guard's validation test. The host sending fake SYN requests is detected, and SYN-Guard prevents it from sending any further SYN requests to the data-plane switch. The performance evaluation, done using simulation, shows that SYN-Guard has a low side effect on genuine TCP requests and, compared with standard SDN and state-of-the-art proposals, reduces the average response time by up to 21% during an ongoing SYN flooding attack.
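An added Python sketch (not SYN-Guard's own code) of the controller-side pattern the abstract describes: a SYN that misses the flow table is forwarded by packet-out without installing a rule, a forwarding rule is installed only once the handshake's final ACK arrives at the controller, and a host that accumulates too many unanswered SYNs gets a drop rule so its later SYNs never reach the controller. The paper's actual validation test is not described above, so the half-open counter, its threshold and the `PacketIn` model here are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class PacketIn:
    """Constructed model of a table-miss packet reported by a switch (not OpenFlow encoding)."""
    src_ip: str
    dst_ip: str
    dst_port: int
    flags: str  # "S" = SYN, "A" = final ACK of the three-way handshake


class SynGuardLike:
    """Controller module: validate SYNs before installing flow rules (assumed design)."""

    def __init__(self, max_half_open: int = 3) -> None:
        self.max_half_open = max_half_open                  # assumed threshold
        self.half_open: dict[str, int] = defaultdict(int)   # src -> unanswered SYNs
        self.blocked: set[str] = set()
        self.rules: list[tuple[str, str, str, str]] = []    # (src, dst, port, action)

    def handle(self, pkt: PacketIn) -> str:
        if pkt.src_ip in self.blocked:
            return "dropped_by_rule"
        if pkt.flags == "S":
            if self.half_open[pkt.src_ip] >= self.max_half_open:
                # Too many unanswered SYNs: treat the host as a flooder and push a
                # drop rule so the switch stops forwarding its SYNs to the controller.
                self.blocked.add(pkt.src_ip)
                self.rules.append((pkt.src_ip, "*", "*", "drop"))
                return "blocked"
            self.half_open[pkt.src_ip] += 1
            # Forward this one packet via packet-out; no rule yet, so the rest of
            # the handshake (SYN-ACK, ACK) still comes to the controller.
            return "packet_out_no_rule"
        if pkt.flags == "A" and self.half_open[pkt.src_ip] > 0:
            # Handshake completed: the request passed validation, install the rule.
            self.half_open[pkt.src_ip] -= 1
            self.rules.append((pkt.src_ip, pkt.dst_ip, str(pkt.dst_port), "forward"))
            return "rule_installed"
        return "packet_out_no_rule"


def demo() -> dict[str, object]:
    """Constructed trace: one genuine client and one host that only sends SYNs."""
    g = SynGuardLike(max_half_open=3)
    legit = [PacketIn("10.0.0.2", "10.0.0.100", 80, "S"),
             PacketIn("10.0.0.2", "10.0.0.100", 80, "A")]
    flood = [PacketIn("10.0.0.9", "10.0.0.100", 80, "S")] * 5
    legit_out = [g.handle(p) for p in legit]
    flood_out = [g.handle(p) for p in flood]
    return {"legit": legit_out, "flood": flood_out,
            "blocked": sorted(g.blocked), "rules": g.rules}


if __name__ == "__main__":
    print(demo())
```

In a deployment the half-open counter has to age out per time window, otherwise a genuine client behind a lossy path is eventually blocked; and because a flooder can spoof source addresses, keying the counter on source IP alone only catches the non-spoofed case.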

9.
Autonet is a self-configuring local area network composed of switches interconnected by 100 Mb/s, full-duplex, point-to-point links. The switches contain 12 ports that are internally connected by a full crossbar. Switches use cut-through to achieve a packet forwarding latency as low as 2 µs per switch. Any switch port can be cabled to any other switch port or to a host network controller. A processor in each switch monitors the network's physical configuration. A distributed algorithm running on the switch processors computes the routes packets are to follow and fills in the packet forwarding table in each switch. With Autonet, distinct paths through the set of network links can carry packets in parallel, allowing many pairs of hosts to communicate simultaneously at full link bandwidth. A 30-switch network with more than 100 hosts has been the service network for Digital's Systems Research Center since February 1990.

10.
Wireless sensor networks have been widely deployed in military and civilian applications. Because of the nature of a sensor network, it is easy for an adversary to trace the movement of packets and locate the sink. Many schemes have been proposed to deal with this problem, most of them providing path diversity, but these techniques still expose direction information. Once adversaries have obtained direction information, they can launch a direction attack by deducing the direction of the sink and choosing the right paths to trace. To cope with the direction attack, we present an improved scheme based on injecting fake packets and a random walk of real packets. In this scheme, real packets perform a random walk in a dedicated phase to hide direction information, and fake packets are injected at nodes where two or more shortest paths intersect, which leads adversaries onto fake paths. Privacy analysis shows that our scheme performs well at protecting the sink location. We also examine delivery time, energy consumption and safe time by simulation.

11.
Software-defined networking (SDN) is a new approach that overcomes obstacles faced by the conventional networking architecture. The core idea of SDN is to separate the control plane from the data plane. This improves the network in many ways, such as efficient utilization of resources, better network management, reduced cost and room for innovation. To manage all these changes, an efficient controller is needed to improve resource utilization and network performance. The controller is also responsible for analysing and monitoring real-time traffic. Because of the tremendous growth of distributed-processing-based real-time applications, there is a great need for a high-performance controller in the networking industry, data centres, academia, and research. It is therefore crucial to investigate the performance of an open-source controller for efficient traffic routing, leading to improved resource utilization and better network performance metrics. The paper presents an implementation of the SDN architecture using the open-source Ryu SDN controller for network traffic analysis. The proposed work evaluates the performance of an SDN-based custom network topology for node-to-node performance parameters such as bandwidth, throughput and round-trip time. The simulation results show improved performance of the proposed work compared with the existing default network topology for SDN.

12.
叶霞, 李钊, 李俊山, 罗蓉 (Ye Xia, Li Zhao, Li Junshan, Luo Rong). Radio Engineering (无线电工程), 2010, 40(5): 1-3, 22
A topology discovery strategy based on two-hop clustering can be used to solve the topology discovery problem that dynamic topology changes create in mobile ad hoc networks. The strategy uses node clustering and bidirectional links, stipulates that only cluster-head nodes may generate routing update packets, suppresses the flooding of routing update packets through the network by using multipoint relay sets, and minimizes duplicate reporting of bidirectional links through cooperative management by the cluster heads of adjacent clusters. Analysis shows that, compared with a topology discovery strategy using an ordinary link-state protocol, this strategy eliminates nearly 50% of the topology discovery control overhead.

13.
Named data networking (NDN) is a new emerging architecture for the future network that may substitute for the current TCP/IP-based network, as the content-oriented data request mode becomes the future trend of development. As an implementation of a next-generation Internet architecture, the security of NDN has attracted much attention. Although NDN is immune to most current attacks, it cannot effectively resist a distributed-denial-of-service-like attack, the Interest flooding attack (IFA). IFA takes advantage of NDN's forwarding mechanism by flooding a large number of malicious Interest packets at a high rate, which exhausts network resources and may paralyse the network. Given the severity of the damage, we propose an algorithm to counter this new type of attack. We analyze three properties of IFA and use them to judge and filter Interest packets. A vector space model and a Markov model are used in our method to realize cooperative detection. Meanwhile, we present a retransmission forwarding mechanism to ensure that legitimate user requests are served. The ndnSIM module of ns-3 is used for the simulation, and the results are given to show the effectiveness of our algorithm. Copyright © 2014 John Wiley & Sons, Ltd.

14.
Hierarchical multi-centre SDN controller placement
Software-defined networking (SDN) separates forwarding from control and achieves network flexibility and openness through centralization of the control plane. Controller placement is the foundation and prerequisite for deploying and operating an SDN. For the controller placement problem in hierarchical multi-centre SDNs, this paper uses a multilevel k-way partitioning method to divide a large-scale SDN into regions, converting the traditional direct placement of multiple SDN controllers into region partitioning followed by intra-region controller placement, while reducing the number of inter-region cut edges of the graph partition in order to reduce the number of cross-domain SDN flows and improve flow-table construction efficiency. Experiments verify that, compared with other traditional methods, the proposed hierarchical multi-centre controller placement method effectively reduces network communication cost and flow-table construction cost.

15.
Hot-potato routing is a Border Gateway Protocol policy that selects the 'closest' egress router in terms of interior gateway protocol cost. This policy imposes inherent interactions between intra-AS (Autonomous System) and inter-AS traffic engineering. In light of this observation, we present a hybrid intra-AS and inter-AS traffic engineering scheme named egress selection based upon hot-potato routing. The scheme involves link weight optimization, which not only minimizes the time IP (Internet Protocol) packets travel across the network by assigning a specified egress router but also balances the load among the internal links of the transit network. Egress selection based upon hot-potato routing also incorporates the multi-topology routing technique to address the problem that one set of link weights might not guarantee the specified egress routers. Accordingly, we formulate the link weight optimization problem using multi-topology routing as a mixed integer linear programming model and present a new heuristic algorithm to make the problem tractable. Numerical results show that only a few topologies are needed to guarantee the specified egress router, and maximum link utilization is also reduced. Copyright © 2014 John Wiley & Sons, Ltd.

16.
Abstract: Software-defined networking (SDN) is a new network architecture that separates the control plane from the forwarding plane, making network management more flexible. Drawing on SDN's separation of control and forwarding, this work introduces a centralized security centre on top of SDN that collects data from data-plane devices to analyse network traffic and identifies anomalous traffic behaviour by entropy computation and a classification algorithm. For detected anomalies, the security centre notifies the security handling module on the SDN controller through an interface, and that module pushes flow-table policies to mitigate the anomalous behaviour. The system can quickly detect anomalous behaviour in the network without affecting SDN controller performance, restrict malicious attacking users through flow-table policies issued via SDN, and at the same time protect the SDN controller.
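The entropy step above is the part a practitioner can check directly. The following added Python example (not the paper's system) computes Shannon entropy of source and destination addresses per flow window, flags a window when destination entropy collapses relative to a baseline, names the concentrated destination as the likely victim, and emits the flow-table policy the security centre would hand to the controller. The flow windows are constructed samples, and the drop ratio, the classification rule and the policy format are assumptions; the paper's classifier is not described above.

```python
import math
from collections import Counter
from typing import Iterable

Flow = tuple[str, str]  # (src_ip, dst_ip) of one flow record (constructed model)


def shannon_entropy(counts: Counter) -> float:
    """H = -sum(p log2 p) over the counted values; 0.0 for an empty window."""
    total = sum(counts.values())
    if total == 0:
        return 0.0
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def window_entropies(window: Iterable[Flow]) -> tuple[float, float]:
    """(source-address entropy, destination-address entropy) of one window."""
    flows = list(window)
    src_h = shannon_entropy(Counter(s for s, _ in flows))
    dst_h = shannon_entropy(Counter(d for _, d in flows))
    return src_h, dst_h


def baseline_dst_entropy(windows: list[list[Flow]]) -> float:
    """Mean destination entropy over known-good windows (the learned baseline)."""
    return sum(window_entropies(w)[1] for w in windows) / len(windows)


def classify(window: list[Flow], baseline_dst_h: float, drop_ratio: float = 0.75) -> dict:
    """Flag a window whose destination entropy falls below drop_ratio * baseline."""
    src_h, dst_h = window_entropies(window)
    if dst_h < drop_ratio * baseline_dst_h:
        victim, _ = Counter(d for _, d in window).most_common(1)[0]
        # Assumed policy format handed to the controller's security module:
        # rate-limit traffic towards the concentrated destination.
        rule = {"match": {"ipv4_dst": victim}, "action": "meter:rate_limit"}
        return {"verdict": "anomalous", "src_h": src_h, "dst_h": dst_h,
                "victim": victim, "rule": rule}
    return {"verdict": "normal", "src_h": src_h, "dst_h": dst_h,
            "victim": None, "rule": None}


# Constructed sample windows (not real captures): eight hosts talking evenly to four servers.
NORMAL_WINDOW: list[Flow] = [
    ("10.0.0.1", "10.0.1.5"), ("10.0.0.2", "10.0.1.6"),
    ("10.0.0.3", "10.0.1.7"), ("10.0.0.4", "10.0.1.8"),
    ("10.0.0.5", "10.0.1.5"), ("10.0.0.6", "10.0.1.6"),
    ("10.0.0.7", "10.0.1.7"), ("10.0.0.8", "10.0.1.8"),
]
# The same normal traffic plus sixteen spoofed sources all hitting one server.
ATTACK_WINDOW: list[Flow] = NORMAL_WINDOW + [
    (f"192.0.2.{i}", "10.0.1.5") for i in range(1, 17)
]


def demo() -> dict[str, dict]:
    base = baseline_dst_entropy([NORMAL_WINDOW])
    return {"normal": classify(NORMAL_WINDOW, base),
            "attack": classify(ATTACK_WINDOW, base)}


if __name__ == "__main__":
    for name, r in demo().items():
        print(name, r["verdict"], f"src_h={r['src_h']:.3f}", f"dst_h={r['dst_h']:.3f}", r["rule"])
```

The attack window's source entropy rises (spoofed addresses) while destination entropy drops, which is the signature the rule keys on; a flash crowd to one server also lowers destination entropy, so the rate-limit action rather than a drop is the safer first response.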

17.
The fundamental difference between intelligent optical networks and traditional optical networks is the explicit introduction of a control plane. Within it, the network topology (nodes and links) and its available resources are the basis of network operation. Ideally, topology and resources should be discovered automatically, which requires neighbour discovery and a mechanism for disseminating information across the whole network. In addition, the edge nodes of an intelligent optical network should have service discovery capability, so that in interconnections implemented with the UNI interface model, UNI-C indicates the client equipment's capabilities and obtains from UNI-N the information about the transport network's service capabilities.

18.
Replacing specialized industrial networks with the Internet is a growing trend in industrial informatics, where packets are used to transmit feedback and control signals between a plant and a controller. Today, denial of service (DoS) attacks cause significant disruptions to the Internet, which threatens the operation of network-based control systems (NBCS). In this paper, we propose two queueing models to simulate the stochastic process of packet delay jitter and loss under DoS attacks. The motivation is to quantify how these attacks degrade the performance of NBCS. The example control system consists of a proportional-integral controller, a second-order plant, and two one-way delay vectors induced by attacks. The simulation results indicate that a Model I attack (local network DoS attack) impairs performance because a large number of NBCS packets are lost, whereas a Model II attack (nonlocal network DoS attack) deteriorates performance or even destabilizes the system; in that case the NBCS traffic exhibits strong autocorrelation of delay jitter and packet loss. Mitigating measures based on packet filtering are discussed and shown to ameliorate the performance degradation.

19.
The routing algorithms in MANETs exhibit distributed and cooperative behaviour, which makes them an easy target for denial of service (DoS) attacks. The RREQ flooding attack is a flooding-type DoS attack in the context of the Ad hoc On-Demand Distance Vector (AODV) routing protocol, in which the attacker broadcasts a massive number of bogus Route Request (RREQ) packets to set up routes to existent or non-existent destinations in the network. This paper presents a direct trust-based security scheme to detect and mitigate the impact of the RREQ flooding attack, in which every node evaluates the trust degree of its neighbours by analysing the frequency of RREQ packets they originate over a short period of time. Taking the node's trust degree as input, the scheme is extended to suppress surplus and bogus RREQ flooding packets at one-hop neighbours during route discovery. The scheme distinguishes itself from existing techniques by not directly blocking the service of a normal node whose RREQ count rises under some unusual condition. The results obtained from the simulation experiments clearly show the feasibility and effectiveness of the proposed defensive scheme.
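An added Python model (not the paper's scheme) of the one-hop trust check the abstract describes: each node keeps a sliding window of RREQ timestamps per neighbour, derives a trust degree from the RREQ frequency in that window, forwards RREQs while the neighbour stays within the limit and suppresses the surplus, and, because the window slides, lets a neighbour that merely had a burst recover instead of being blocked for good. The window length, the limit, the trust formula and the constructed trace are assumptions; the paper's actual trust function is not given above.

```python
from collections import defaultdict, deque


class RreqTrustMonitor:
    """Per-neighbour trust degree from RREQ frequency in a sliding window (assumed parameters)."""

    def __init__(self, window_s: float = 1.0, rreq_limit: int = 3) -> None:
        self.window_s = window_s
        self.rreq_limit = rreq_limit
        self.seen: dict[str, deque] = defaultdict(deque)       # neighbour -> RREQ timestamps
        self.trust: dict[str, float] = defaultdict(lambda: 1.0)  # neighbour -> trust degree

    def _prune(self, nb: str, now: float) -> None:
        """Drop timestamps older than the window so old bursts stop counting."""
        q = self.seen[nb]
        while q and now - q[0] > self.window_s:
            q.popleft()

    def on_rreq(self, nb: str, now: float) -> str:
        """Called for each RREQ originated by one-hop neighbour `nb`; returns forward/suppress."""
        self._prune(nb, now)
        q = self.seen[nb]
        q.append(now)
        count = len(q)
        # Trust degree (assumed form): 1.0 while within the limit, decaying as the rate climbs.
        self.trust[nb] = min(1.0, self.rreq_limit / count)
        # Surplus RREQs beyond the limit in this window are suppressed at this hop.
        # Nothing is blocked permanently: once the burst leaves the window the
        # neighbour's RREQs are forwarded again and its trust returns to 1.0.
        return "forward" if count <= self.rreq_limit else "suppress"


def demo() -> dict[str, object]:
    """Constructed trace: neighbour B bursts five RREQs in 0.4 s, A sends one, B is quiet, then B sends again."""
    mon = RreqTrustMonitor(window_s=1.0, rreq_limit=3)
    burst = [("B", 0.0), ("B", 0.1), ("B", 0.2), ("B", 0.3), ("B", 0.4), ("A", 0.5)]
    burst_decisions = [mon.on_rreq(nb, t) for nb, t in burst]
    trust_after_burst = mon.trust["B"]
    after_quiet = mon.on_rreq("B", 2.5)
    return {"burst": burst_decisions,
            "trust_B_after_burst": trust_after_burst,
            "after_quiet": after_quiet,
            "trust_B_recovered": mon.trust["B"],
            "trust_A": mon.trust["A"]}


if __name__ == "__main__":
    print(demo())
```

A real attacker can spread its RREQs across the window to stay just under the limit, so the limit should be set from measured route-discovery rates of the deployment rather than guessed; the sliding window is what keeps a legitimate node's temporary burst, for instance after a link break, from turning into a permanent block.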

20.
Active routing for ad hoc networks
Ad hoc networks are wireless multihop networks whose highly volatile topology makes the design and operation of a standard routing protocol hard. With an active networking approach, one can define and deploy routing logic at runtime in order to adapt to special circumstances and requirements. We have implemented several active ad hoc routing protocols that configure the forwarding behavior of mobile nodes, allowing data packets to be routed efficiently between any two nodes of the wireless network. Isolating a simple forwarding layer, in terms of both implementation and performance, enables us to stream delay-sensitive audio data over the ad hoc network. In the control plane, active packets continuously monitor connectivity and set up and modify the routing state.

Copyright © Beijing Qinyun Technology Development Co., Ltd. 京ICP备09084417号