SDN/NFV security framework for fog-to-things computing infrastructure

Core networking architectures are currently undergoing disruptive change driven by paradigms such as Software-Defined Networking (SDN) for control and Network Function Virtualization (NFV) for services. These are the key enabling technologies for future applications in 5G and locality-based Internet of Things (IoT) and wireless sensor network services. The proliferation of IoT devices at the network edge is driving the growth of an all-connected world of Internet traffic. In the Cloud-to-Things continuum, processing information and data at the edge requires security best practices that are developed within the fog computing environment itself. Service providers are transforming their business using NFV-based services and SDN-enabled networks. The SDN paradigm offers an easily programmable model with a global view of, and control over, modern networks, which enables faster response to security incidents and dynamic enforcement of countermeasures against intrusions and cyberattacks. This article proposes an autonomic multilayer security framework called Distributed Threat Analytics and Response System (DTARS) for a converged architecture of fog/edge computing and SDN infrastructure, targeting emerging applications in IoT and 5G networks. The main detection scheme is deployed within the data plane and consists of coarse-grained behavioral, anti-spoofing and flow-monitoring checks together with fine-grained, multi-feature entropy-based traffic analysis. We developed exemplary defense applications under the DTARS framework on a malware testbed that imitates real-life DDoS botnets such as Mirai. The experiments and analysis show that DTARS detects attacks in real time with accuracy above 95% at attack intensities of up to 50,000 packets/s. The benign-traffic forwarding rate remains unaffected with DTARS, whereas it drops to 65% with a traditional NIDS under advanced DDoS attacks. Further, DTARS achieves this performance without incurring additional latency from data-plane overhead.
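
The fine-grained, multi-feature entropy check that the abstract places in the data plane can be illustrated with the following Python. It is an example added here, not DTARS code or the authors' implementation: the packet-count window, the standard-deviation floor, the alert threshold, the three features (source address, destination address, destination port) and the constructed benign and Mirai-like traffic are all assumptions of this example.

```python
"""Multi-feature entropy detector over fixed-size packet windows.

Added illustration of an entropy-based flood check; not DTARS code. Window
size, thresholds, feature set and the sample traffic are assumptions.
"""
import math
import random
from collections import Counter
from statistics import mean, pstdev
from typing import NamedTuple, Sequence

WINDOW = 500       # packets per detection window (assumed)
STD_FLOOR = 0.03   # floor on baseline std dev: a very quiet baseline must not turn jitter into alerts
ALERT_Z = 4.0      # deviation, in baseline std units, that raises an alert
FEATURES = ("src_ip", "dst_ip", "dst_port")


class Packet(NamedTuple):
    src_ip: str
    dst_ip: str
    dst_port: int


def normalized_entropy(values: Sequence) -> float:
    """Shannon entropy of the values scaled to [0, 1]: 0.0 when every packet
    carries the same value, 1.0 when every value is distinct. Dividing by
    log2(len(values)) makes windows of different sizes comparable."""
    n = len(values)
    if n < 2:
        return 0.0
    h = -sum((c / n) * math.log2(c / n) for c in Counter(values).values())
    return h / math.log2(n)


def window_features(window: Sequence[Packet]) -> dict:
    return {f: normalized_entropy([getattr(p, f) for p in window]) for f in FEATURES}


def iter_windows(packets: Sequence[Packet], size: int = WINDOW):
    for i in range(0, len(packets) - size + 1, size):
        yield packets[i:i + size]


class EntropyDetector:
    """Learns a per-feature entropy baseline from benign windows, then scores new ones."""

    def __init__(self):
        self.baseline = {}  # feature -> (mean, std)

    def train(self, benign: Sequence[Packet]) -> None:
        samples = {f: [] for f in FEATURES}
        for w in iter_windows(benign):
            for f, h in window_features(w).items():
                samples[f].append(h)
        self.baseline = {f: (mean(v), max(pstdev(v), STD_FLOOR)) for f, v in samples.items()}

    def classify(self, window: Sequence[Packet]) -> dict:
        feats = window_features(window)
        z = {f: (feats[f] - self.baseline[f][0]) / self.baseline[f][1] for f in FEATURES}
        # Direction matters: a flood disperses sources (spoofing, many bots) and
        # concentrates destinations and ports (one victim, one service).
        reasons = {}
        if z["src_ip"] >= ALERT_Z:
            reasons["src_ip"] = "source addresses far more dispersed than baseline"
        if z["dst_ip"] <= -ALERT_Z:
            reasons["dst_ip"] = "destinations concentrated on few hosts"
        if z["dst_port"] <= -ALERT_Z:
            reasons["dst_port"] = "destination ports concentrated on one service"
        return {"alert": bool(reasons), "entropy": feats, "z": z, "reasons": reasons}


# --- constructed sample traffic (synthetic, not captured data) -----------------
def benign_traffic(rng: random.Random, n: int) -> list:
    clients = [f"10.0.{rng.randrange(256)}.{rng.randrange(1, 255)}" for _ in range(60)]
    servers = [f"192.0.2.{i}" for i in range(1, 21)]
    ports = [80, 443, 53, 22, 8883]
    return [Packet(rng.choice(clients), rng.choice(servers), rng.choice(ports)) for _ in range(n)]


def spoofed_flood(rng: random.Random, n: int, victim: str = "192.0.2.7", port: int = 80) -> list:
    """Mirai-style flood: random spoofed sources, one victim, one service."""
    def rand_ip() -> str:
        return f"{rng.randrange(1, 224)}.{rng.randrange(256)}.{rng.randrange(256)}.{rng.randrange(256)}"
    return [Packet(rand_ip(), victim, port) for _ in range(n)]


def run_demo(seed: int = 7) -> dict:
    rng = random.Random(seed)
    det = EntropyDetector()
    det.train(benign_traffic(rng, 20 * WINDOW))  # 20 benign windows form the baseline
    low_rate = benign_traffic(rng, WINDOW - 50) + spoofed_flood(rng, 50)  # flood is 10% of the window
    return {
        "benign": det.classify(benign_traffic(rng, WINDOW)),
        "flood": det.classify(spoofed_flood(rng, WINDOW)),
        "low_rate": det.classify(low_rate),
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        zs = {f: round(v, 1) for f, v in result["z"].items()}
        print(f"{name:9s} alert={result['alert']} z={zs} reasons={list(result['reasons'])}")
```

The full-rate flood is flagged on all three features at once, which is the signature an operator wants before pushing a drop rule to the switch. The low-rate window, where the flood is only a tenth of the packets, barely moves any entropy and is not flagged: entropy features only respond once the attack dominates the window, which is the gap the coarse-grained behavioral, anti-spoofing and flow-monitoring checks listed in the abstract are meant to cover. The baseline must also be learned from the deployment being protected, because a legitimate flash crowd to one service lowers destination and port entropy in the same direction as a flood.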
