SAIDE: Efficient application interference detection and elimination in SDN

Abstract The ease of programmability in Software-Defined Networking (SDN) has greatly facilitated SDN application development and deployment. Applications run simultaneously on the controller and generate policies that together serve the network. However, multiple applications may cause unintended, harmful interference even when each SDN application is programmed correctly. Unfortunately, existing SDN verification and testing work does not consider application interference. To address this problem, we develop mathematical models for applications and policies and characterize the relationships between policies using computational geometry. Application interference is formally defined in terms of policy conflict. On this basis, we propose an efficient SDN Application Interference Detection and Elimination (SAIDE) scheme. First, building on a policy refactoring step, we encode the matching fields of policies as bit vectors and use a bit-vector AND operation to analyze the relationships between policies. Second, we combine the action fields and the refactored matching fields of policies to detect application interference, both direct and indirect. Finally, using multi-criteria decision making, we assign priorities to conflicting policies to eliminate the corresponding application interference. We demonstrate the effectiveness and scalability of SAIDE with a proof-of-concept prototype. Simulation results show that SAIDE detects application interference with at least 98% accuracy and reduces detection time by 23.9% compared to the state-of-the-art work.
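The abstract describes the detection pipeline at a high level: refactor the match space, encode each policy's match fields as bit vectors, AND the vectors to classify the relationship between two policies, and flag a direct interference when overlapping policies from different applications carry conflicting actions, then rank the conflicting policies by a multi-criteria score. The following Python program is an added worked example written for this page, not code from the SAIDE paper or its prototype. It assumes its own concrete choices: the "refactor" step splits each field's domain into elementary segments at every policy boundary (one bit per segment), the match fields are limited to `nw_src`, `nw_dst` and `tp_dst`, the actions are just "forward" and "drop", and the priority score uses a constructed per-application trust table and weights (`APP_TRUST`, `W_TRUST`, `W_SPEC`) because the page does not state which criteria SAIDE uses. The four policies are constructed sample input.

```python
import ipaddress
import math
from dataclasses import dataclass
from itertools import combinations
from typing import Dict, List, Tuple

Interval = Tuple[int, int]  # inclusive [lo, hi]

# Assumed subset of OpenFlow match fields and their full domains.
FIELD_DOMAIN: Dict[str, Interval] = {
    "nw_src": (0, 2**32 - 1),
    "nw_dst": (0, 2**32 - 1),
    "tp_dst": (0, 65535),
}


@dataclass
class Policy:
    app: str
    name: str
    match: Dict[str, Interval]  # a field missing from `match` is a wildcard
    action: str                 # assumed action alphabet: "forward" | "drop"


def cidr(prefix: str) -> Interval:
    """Convert a CIDR prefix into an inclusive integer range."""
    net = ipaddress.ip_network(prefix, strict=False)
    return int(net.network_address), int(net.broadcast_address)


def refactor(policies: List[Policy], fld: str) -> List[Interval]:
    """Refactor step (assumed form): cut the field domain at every policy
    boundary so that each resulting segment is either fully inside or fully
    outside every policy's range for that field."""
    lo, hi = FIELD_DOMAIN[fld]
    cuts = {lo, hi + 1}
    for p in policies:
        a, b = p.match.get(fld, (lo, hi))
        cuts.update((a, b + 1))
    pts = sorted(cuts)
    return [(pts[i], pts[i + 1] - 1) for i in range(len(pts) - 1)]


def encode(p: Policy, segs: Dict[str, List[Interval]]) -> Dict[str, int]:
    """Bit-vector encoding: per field, bit i is set iff elementary segment i
    lies inside the policy's match range for that field."""
    vec = {}
    for fld, field_segs in segs.items():
        a, b = p.match.get(fld, FIELD_DOMAIN[fld])
        vec[fld] = sum(1 << i for i, (s, e) in enumerate(field_segs) if a <= s and e <= b)
    return vec


def relation(v: Dict[str, int], w: Dict[str, int]) -> str:
    """Classify the geometric relationship of two policies from per-field ANDs.
    Match spaces are hyperrectangles, so they overlap iff every field overlaps."""
    if any(v[f] & w[f] == 0 for f in v):
        return "disjoint"
    if all(v[f] == w[f] for f in v):
        return "equal"
    if all(v[f] & w[f] == v[f] for f in v):
        return "subset"      # v is contained in w
    if all(v[f] & w[f] == w[f] for f in v):
        return "superset"    # v contains w
    return "partial"


def detect_direct_interference(policies: List[Policy]) -> List[Tuple[str, str, str]]:
    """Direct interference: two policies from different apps whose match spaces
    overlap and whose actions conflict. Same-app overlaps are intra-app rule
    anomalies, not application interference, so they are skipped."""
    segs = {f: refactor(policies, f) for f in FIELD_DOMAIN}
    vecs = {p.name: encode(p, segs) for p in policies}
    findings = []
    for p, q in combinations(policies, 2):
        if p.app == q.app:
            continue
        rel = relation(vecs[p.name], vecs[q.name])
        if rel != "disjoint" and p.action != q.action:
            findings.append((p.name, q.name, rel))
    return findings


# Constructed trust levels and criterion weights for the priority step (assumption).
APP_TRUST = {"firewall": 0.9, "loadbalancer": 0.6, "qos": 0.5, "monitor": 0.3}
W_TRUST, W_SPEC = 0.6, 0.4


def specificity(p: Policy) -> float:
    """1.0 for a single exact flow, 0.0 for an all-wildcard policy (log-scaled)."""
    total = sum(math.log2(hi - lo + 1) for lo, hi in FIELD_DOMAIN.values())
    covered = sum(math.log2(b - a + 1)
                  for a, b in (p.match.get(f, FIELD_DOMAIN[f]) for f in FIELD_DOMAIN))
    return 1.0 - covered / total


def priority(p: Policy) -> float:
    """Weighted multi-criteria score: application trust plus policy specificity."""
    return W_TRUST * APP_TRUST[p.app] + W_SPEC * specificity(p)


def resolve(policies: List[Policy]) -> Dict[Tuple[str, str], str]:
    """For every detected interference, name the policy that keeps precedence."""
    by_name = {p.name: p for p in policies}
    return {(a, b): max((by_name[a], by_name[b]), key=priority).name
            for a, b, _ in detect_direct_interference(policies)}


# Constructed sample policies from four hypothetical controller applications.
POLICIES = [
    Policy("firewall", "FW-1", {"nw_src": cidr("10.0.0.0/24"), "tp_dst": (22, 22)}, "drop"),
    Policy("loadbalancer", "LB-1", {"nw_src": cidr("10.0.0.0/16"), "tp_dst": (22, 22)}, "forward"),
    Policy("monitor", "MON-1", {"nw_dst": cidr("10.0.2.0/24"), "tp_dst": (80, 80)}, "forward"),
    Policy("qos", "QOS-1", {"nw_src": cidr("10.0.0.128/25"), "tp_dst": (0, 1023)}, "forward"),
]

if __name__ == "__main__":
    for finding in detect_direct_interference(POLICIES):
        print("direct interference:", finding)
    print("precedence:", resolve(POLICIES))
```

On the sample input the firewall's SSH drop rule is a subset of the load balancer's forwarding rule and partially overlaps the QoS rule, and both pairs have conflicting actions, so both are reported; the monitor's HTTP rule is disjoint from the SSH rules on `tp_dst` and is never flagged. Only direct interference is modelled here; the indirect interference the abstract mentions (conflicts that arise through the combined effect of several policies) is not covered by this pairwise check.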
