Dynamic Defense Provision via Network Functions Virtualization

Network Function Virtualization (NFV) is a critical part of a new defense paradigm that provides high flexibility at lower cost through software-based virtual instances. Despite the promise of NFV, existing Intrusion Detection Systems (IDSes) deployed over NFV still draw heavily on processing power and require significant CPU resources. In this paper, we provide a framework for dynamic defense provision by building lightweight intrusion detection network functions (NFs) over NFV. Rather than reusing existing IDSes, our system constructs a lightweight intrusion detection system from a chain of network functions in NFV. The entire IDS is decomposed into separate lightweight NFs, one per protocol. The intrusion detection NFs cover protocol stacks from the link layer up to the application layer, and include distinct deep packet inspection NFs for different application-layer protocols. Experimental results show that the proposed system reduces resource consumption while still performing valid intrusion detection.
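As an added illustration (not code from the paper), a minimal Python model of the per-protocol chain the abstract describes: each lightweight NF parses one layer, raises its own alerts, and names the next NF to steer the packet to, so the HTTP deep-inspection NF only runs for packets that actually carry HTTP. The NF names, the alert strings and the `build_frame` helper that constructs test frames are all assumptions made for this example.

```python
import struct
# Each light NF parses one protocol, raises its own alerts and names the next
# NF in the chain (None stops it), so a packet only visits NFs matching its
# protocol stack: non-TCP traffic never reaches the HTTP deep-inspection NF.
def nf_eth(pkt):
    if len(pkt["raw"]) < 14:
        pkt["alerts"].append("eth: truncated frame"); return None
    pkt["off"] = 14
    return "ipv4" if pkt["raw"][12:14] == b"\x08\x00" else None

def nf_ipv4(pkt):
    off, raw = pkt["off"], pkt["raw"]; hdr = raw[off:off + 20]
    if len(hdr) < 20 or hdr[0] >> 4 != 4:
        pkt["alerts"].append("ipv4: bad header"); return None
    if struct.unpack("!H", hdr[2:4])[0] > len(raw) - off:
        pkt["alerts"].append("ipv4: total length exceeds frame")
    pkt["off"] = off + (hdr[0] & 0x0F) * 4        # skip IHL words to L4
    return "tcp" if hdr[9] == 6 else None

def nf_tcp(pkt):
    off = pkt["off"]; hdr = pkt["raw"][off:off + 20]
    if len(hdr) < 20:
        pkt["alerts"].append("tcp: truncated header"); return None
    if hdr[13] & 0x03 == 0x03:                     # SYN and FIN never co-occur
        pkt["alerts"].append("tcp: SYN and FIN set together")
    pkt["off"] = off + (hdr[12] >> 4) * 4          # data offset to payload
    return "http" if struct.unpack("!H", hdr[2:4])[0] == 80 else None

def nf_http_dpi(pkt):
    req = pkt["raw"][pkt["off"]:].split(b"\r\n", 1)[0].split(b" ")
    if len(req) != 3 or not req[2].startswith(b"HTTP/"):
        pkt["alerts"].append("http: malformed request line")
    elif b"../" in req[1]:
        pkt["alerts"].append("http: directory traversal pattern in URI")

CHAIN = {"eth": nf_eth, "ipv4": nf_ipv4, "tcp": nf_tcp, "http": nf_http_dpi}

def run_chain(raw):
    """Steer one frame through the chain; return (alerts, NFs visited)."""
    pkt, nxt, visited = {"raw": raw, "off": 0, "alerts": []}, "eth", []
    while nxt in CHAIN:
        visited.append(nxt); nxt = CHAIN[nxt](pkt)
    return pkt["alerts"], visited

def build_frame(payload, dport=80, proto=6, flags=0x18):
    """Constructed Ethernet/IPv4/TCP frame for testing (checksums left zero)."""
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 1, 1, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0,
                     64, proto, 0, b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
    return b"\xff" * 6 + b"\x00" * 6 + b"\x08\x00" + ip + tcp + payload
```

The `visited` list returned by `run_chain` is the resource argument in miniature: a frame on a non-HTTP port stops after the TCP NF, and non-TCP traffic never enters the TCP or HTTP NFs at all.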
