Autonomic protection of multi-tenant 5G mobile networks against UDP flooding DDoS attacks

Abstract: There is a lack of effective security solutions that detect and mitigate DDoS cyber-attacks autonomously, without any human intervention. This gap is exacerbated when the network to be protected is a 5G mobile network. 5G networks push multi-tenancy to the edge of the network, and both 5G user mobility and multi-tenancy are challenges that current security solutions have yet to address. These challenges lead to insufficient protection of 5G users, tenants and infrastructures. This research proposes a novel autonomic security system, including its design, implementation and empirical validation, to demonstrate the efficient protection of the network against Distributed Denial of Service (DDoS) attacks by applying countermeasures decided on and taken by an autonomic system instead of a human. The self-management architecture supports all the phases involved in handling a DDoS attack, from the detection of the attack to its final mitigation, by making the appropriate autonomous decisions and enforcing actions. Empirical experiments have been performed to protect a 5G multi-tenant infrastructure against a User Datagram Protocol (UDP) flooding attack, as an example attack to validate the design and prototype of the proposed architecture. Scalability results show self-protection against DDoS attacks, without human intervention, in around one second for an attack of 256 simultaneous attackers with 100 Mbps bandwidth per attacker. Furthermore, the results demonstrate that the proposed approach is flow-, user- and tenant-aware, which allows different protection strategies to be applied within the infrastructure.
