SDN based Scalable MTD solution in Cloud Network

Software-Defined Networking (SDN) has emerged as a framework for centralized command and control in cloud data center environments. SDN separates the data plane from the control plane, which gives the network administrator better visibility and stronger policy enforcement than traditional networks offer. Because the SDN controller holds the reachability information for every host in the network, it can assess the security state of the whole network. Many critical assets in such a network can be compromised by an attacker through a multi-stage attack, so we use the centralized controller to pro-actively analyze attack scenarios and select countermeasures. Changing the network configuration in response to this analysis, so that an attacker's reconnaissance goes stale, is known as Moving Target Defense (MTD). Our SDN controller assesses attack scenarios through scalable Attack Graphs (AGs) and selects the countermeasures that reconfigure the network to counter them. Moreover, our framework includes a conflict detection and resolution module that ensures no two flow rules in a distributed SDN-based cloud environment conflict at any layer, thereby guaranteeing consistent, conflict-free policy implementation and preventing information leakage.
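The flow-rule conflict check described in the abstract can be illustrated on OpenFlow-style rules. The following is an added example, not code from the paper or its framework: it classifies pairwise overlaps between rules using the firewall-anomaly taxonomy of Al-Shaer and Hamed (shadowing, generalization, correlation, redundancy), with the OpenFlow semantics that the highest-priority matching rule wins and that the winner among equal-priority overlapping rules is undefined. The rule fields, names and sample rule set are constructed for the example.

```python
"""Pairwise flow-rule conflict detection on an OpenFlow-style rule table.

Illustrative code, not the paper's conflict detection module. Rule fields
are a reduced match set (src/dst prefix, protocol, destination port).
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network
from itertools import combinations
from typing import Optional


@dataclass(frozen=True)
class FlowRule:
    name: str
    priority: int                 # higher value is matched first (OpenFlow semantics)
    src: IPv4Network              # 0.0.0.0/0 acts as a wildcard
    dst: IPv4Network
    proto: Optional[str] = None   # None matches any protocol
    dport: Optional[int] = None   # None matches any destination port
    action: str = "forward"       # "forward" or "drop"


def rule(name, priority, src, dst, proto=None, dport=None, action="forward"):
    return FlowRule(name, priority, ip_network(src), ip_network(dst), proto, dport, action)


def _net_relation(a: IPv4Network, b: IPv4Network) -> str:
    if a == b:
        return "equal"
    if a.subnet_of(b):
        return "subset"
    if b.subnet_of(a):
        return "superset"
    return "disjoint"            # CIDR prefixes either nest or are disjoint


def _scalar_relation(a, b) -> str:
    if a == b:
        return "equal"
    if a is None:                # a is wildcard, b is specific
        return "superset"
    if b is None:
        return "subset"
    return "disjoint"


def match_relation(a: FlowRule, b: FlowRule) -> str:
    """Relation between the packet set matched by a and the one matched by b."""
    rels = {
        _net_relation(a.src, b.src),
        _net_relation(a.dst, b.dst),
        _scalar_relation(a.proto, b.proto),
        _scalar_relation(a.dport, b.dport),
    }
    if "disjoint" in rels:
        return "disjoint"
    if rels == {"equal"}:
        return "equal"
    if rels <= {"equal", "subset"}:
        return "subset"
    if rels <= {"equal", "superset"}:
        return "superset"
    return "correlated"          # narrower on some fields, wider on others


def classify(high: FlowRule, low: FlowRule) -> Optional[str]:
    """Anomaly between a higher-priority rule and a lower-priority one, or None."""
    rel = match_relation(low, high)      # how `low`'s packets relate to `high`'s
    if rel == "disjoint":
        return None
    same = high.action == low.action
    if high.priority == low.priority and not same:
        return "ambiguous"               # OpenFlow leaves the winner undefined
    if rel in ("equal", "subset"):
        return "redundancy" if same else "shadowing"     # `low` can never fire
    if rel == "superset":
        return "redundancy" if same else "generalization"  # `high` is an exception
    return None if same else "correlation"               # partial overlap, conflicting actions


def detect_conflicts(rules):
    """Return (kind, higher_priority_rule, lower_priority_rule) for every anomaly."""
    findings = []
    for a, b in combinations(rules, 2):
        high, low = (a, b) if a.priority >= b.priority else (b, a)
        kind = classify(high, low)
        if kind:
            findings.append((kind, high.name, low.name))
    return findings


# Constructed sample: a tenant policy layered under an operator-level quarantine rule.
SAMPLE_RULES = [
    rule("tenant-web-to-db",        100, "10.1.0.0/24", "10.1.1.10/32", "tcp", 3306, "forward"),
    rule("tenant-deny-db-from-dmz", 100, "10.1.0.0/25", "10.1.1.10/32", "tcp", 3306, "drop"),
    rule("allow-ssh-any",           100, "0.0.0.0/0",   "10.1.1.0/24",  "tcp", 22,   "forward"),
    rule("block-ssh-mgmt",          150, "10.1.0.0/24", "10.1.1.0/24",  "tcp", 22,   "drop"),
    rule("quarantine-drop",         200, "10.1.0.0/24", "0.0.0.0/0",    action="drop"),
]

if __name__ == "__main__":
    for kind, high, low in detect_conflicts(SAMPLE_RULES):
        print(f"{kind:14s} {high} (higher priority) vs {low}")
```

The shadowing and correlation findings are the ones a resolution module must act on: the quarantine rule silently disables the tenant's database path, and it partially overrides the SSH allow rule depending on destination. Generalization is usually intentional (an exception carved out of a broader rule) and redundancy only wastes table space, so a practical checker reports them at a lower severity. The equal-priority overlap is flagged because OpenFlow does not define which rule wins.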
