Global Flow Table: A convincing mechanism for security operations in SDN

One of the key challenges of network security is that security middleboxes, such as firewalls and Intrusion Detection Systems (IDSs), only have a local view of the network. This lowers the effectiveness of security detection and makes it difficult to locate the sources of threats. There is growing demand for security operations and appliances that are aware of the distribution and behavior of flows across the whole network; the logically centralized control of Software-Defined Networking (SDN) makes it possible for the network controller to acquire this global view. In this paper, we propose a mechanism named Global Flow Table (GFT) which provides security appliances and operators with the paths of all flows in an SDN network, together with their sources, destinations, setup and termination times, traffic volumes and directions. A weak vertex cover based GFT algorithm, which sacrifices less than 5% accuracy, is also provided to improve scalability. Tests with different network topologies of cloud computing centers and enterprise networks show promising performance. Using the Global Flow Table, we built several applications to illustrate how GFT can benefit security operations.
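The following is an added illustration of the idea behind a Global Flow Table; it is not the paper's code, and the paper's own weak vertex cover algorithm is not reproduced here. It assumes a hypothetical per-switch record format (switch, source host, destination host, next hop, packet and byte counters, setup and last-seen times) that a controller could collect from flow tables and counters, assembles one GFT entry per flow with its ingress switch, full path, timing and volume, and then shows two things the abstract describes: a security check that uses the global view (a flow whose claimed source host is not attached at the switch where the flow enters), and a greedy highest-degree vertex cover, used here as a stand-in for the paper's weak vertex cover approach, that picks a subset of switches from which every link, and hence every multi-hop flow, is still observed. Topology and flow records are constructed.

```python
from collections import defaultdict

# Constructed topology: undirected links between switches, and the switch each host attaches to.
LINKS = [("s1", "s2"), ("s2", "s3"), ("s3", "s4"), ("s2", "s5"), ("s5", "s4")]
HOST_SWITCH = {"h1": "s1", "h2": "s4", "h3": "s5"}

# Constructed per-switch flow records (hypothetical format, not the paper's):
# (switch, src_host, dst_host, next_hop, packets, bytes, t_setup, t_last_seen)
FLOW_RECORDS = [
    ("s1", "h1", "h2", "s2", 120, 96000, 10.0, 40.0),
    ("s2", "h1", "h2", "s3", 120, 96000, 10.1, 40.0),
    ("s3", "h1", "h2", "s4", 120, 96000, 10.1, 40.0),
    ("s4", "h1", "h2", "h2", 120, 96000, 10.2, 40.0),
    ("s5", "h3", "h1", "s2", 30, 2400, 22.0, 25.0),
    ("s2", "h3", "h1", "s1", 30, 2400, 22.0, 25.0),
    ("s1", "h3", "h1", "h1", 30, 2400, 22.1, 25.0),
    # Constructed anomaly: a flow claiming source h2 enters the network at s5, but h2 attaches at s4.
    ("s5", "h2", "h1", "s2", 5, 400, 30.0, 31.0),
    ("s2", "h2", "h1", "s1", 5, 400, 30.0, 31.0),
    ("s1", "h2", "h1", "h1", 5, 400, 30.0, 31.0),
]


def build_gft(records):
    """Assemble the Global Flow Table: one entry per (src, dst) flow with its ingress
    switch, switch-by-switch path, setup/terminate times and traffic volume."""
    by_flow = defaultdict(dict)          # (src, dst) -> {switch: (next_hop, pk, by, t0, t1)}
    for sw, src, dst, nxt, pk, by, t0, t1 in records:
        by_flow[(src, dst)][sw] = (nxt, pk, by, t0, t1)

    gft = {}
    for flow, hops in by_flow.items():
        # The ingress switch is the one that no other switch forwards this flow to.
        forwarded_to = {entry[0] for entry in hops.values()}
        ingress = next(sw for sw in hops if sw not in forwarded_to)
        # Walk next-hop pointers from the ingress until the next hop is a host (not a switch).
        path, cur = [ingress], ingress
        while hops[cur][0] in hops and len(path) <= len(hops):
            cur = hops[cur][0]
            path.append(cur)
        _, pk, by, _, _ = hops[ingress]   # count traffic once, at the ingress switch
        gft[flow] = {
            "src": flow[0], "dst": flow[1], "ingress": ingress, "path": path,
            "packets": pk, "bytes": by,
            "setup": min(e[3] for e in hops.values()),
            "terminate": max(e[4] for e in hops.values()),
        }
    return gft


def suspicious_sources(gft, host_switch):
    """Flows whose claimed source host is not attached where the flow actually enters.
    With only a local view, s5 would see nothing wrong with this flow."""
    return sorted(f for f, e in gft.items() if host_switch.get(e["src"]) != e["ingress"])


def greedy_vertex_cover(links):
    """Greedy approximation: repeatedly take the vertex touching the most uncovered links.
    Every link keeps at least one endpoint in the cover, so every flow that crosses a link
    is seen by at least one monitored switch (stand-in for the paper's weak vertex cover)."""
    uncovered, cover = set(links), set()
    while uncovered:
        degree = defaultdict(int)
        for a, b in uncovered:
            degree[a] += 1
            degree[b] += 1
        v = max(sorted(degree), key=degree.get)   # sorted() makes tie-breaking deterministic
        cover.add(v)
        uncovered = {l for l in uncovered if v not in l}
    return cover


def monitored_hops(gft, cover):
    """The part of each flow's path still observed when only the cover switches report.
    This is the accuracy traded for scalability: paths are partially, not fully, seen."""
    return {f: [sw for sw in e["path"] if sw in cover] for f, e in gft.items()}


if __name__ == "__main__":
    table = build_gft(FLOW_RECORDS)
    for f, e in table.items():
        print(f, e["path"], e["setup"], e["terminate"], e["bytes"])
    print("inconsistent source attachment:", suspicious_sources(table, HOST_SWITCH))
    cover = greedy_vertex_cover(LINKS)
    print("monitoring switches:", sorted(cover), monitored_hops(table, cover))
```

The cover for the constructed topology is two switches out of five, yet every flow in the table still passes through at least one of them; what is lost is the exact hop sequence between monitored points, which is the kind of accuracy loss the abstract quantifies as under 5% for its own algorithm.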
