Traffic scheduling for deep packet inspection in software-defined networks

Deep packet inspection (DPI) is important for network security. In this paper, we consider a software-defined network in which several DPI proxy nodes are available to serve flows arriving at ingress switches. These DPI proxy nodes can be implemented in either software or hardware. We study an integrated problem of proxy allocation and route determination, with the objective of minimizing the total delay of flows from the ingress switches to the DPI proxies. This problem is formulated as an integer linear program, which is NP-hard in general. To solve it, we design a 2-phase algorithm that quickly selects a proxy and finds routing paths for incoming flows. Finally, extensive simulations are conducted to evaluate the performance of the proposed algorithm, and some useful insights into parameter settings are obtained.
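A small Python model of the integrated proxy-selection and routing problem the abstract describes, added here as an illustration and not taken from the paper: it runs a greedy two-phase heuristic of my own (phase 1 picks the nearest DPI proxy that still has inspection capacity, phase 2 materialises the shortest-delay path to it) over a constructed topology. The topology, link delays, proxy capacities, flow list and the heuristic itself are assumptions, not the paper's algorithm or data.

```python
import heapq

# Constructed topology: node -> {neighbour: link delay in ms}. s* are ingress
# switches, p* are DPI proxies, a/b/c are transit switches. Not from the paper.
TOPOLOGY = {
    "s1": {"a": 1, "b": 4}, "s2": {"b": 1}, "s3": {"b": 2, "c": 1},
    "a": {"s1": 1, "p1": 1}, "c": {"s3": 1, "p2": 1},
    "b": {"s1": 4, "s2": 1, "s3": 2, "p1": 3, "p2": 2},
    "p1": {"a": 1, "b": 3}, "p2": {"b": 2, "c": 1},
}
PROXY_CAPACITY = {"p1": 2, "p2": 2}   # constructed: flows each proxy can inspect
FLOWS = [("f1", "s1"), ("f2", "s2"), ("f3", "s3"), ("f4", "s2")]  # (id, ingress)


def shortest_paths(graph, src):
    """Dijkstra from src: returns (delay map, predecessor map)."""
    dist, prev, heap = {src: 0}, {}, [(0, src)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist[u]:
            continue
        for v, w in graph[u].items():
            if d + w < dist.get(v, float("inf")):
                dist[v], prev[v] = d + w, u
                heapq.heappush(heap, (d + w, v))
    return dist, prev


def schedule(graph, proxies, flows):
    """Greedy two-phase heuristic (an assumption, not the paper's algorithm).
    Returns ({flow: (proxy, path, delay)}, total delay)."""
    residual, plan, total = dict(proxies), {}, 0
    for fid, ingress in flows:
        dist, prev = shortest_paths(graph, ingress)
        # Phase 1: choose the lowest-delay proxy that still has capacity.
        candidates = [p for p in residual if residual[p] > 0 and p in dist]
        if not candidates:
            raise RuntimeError(f"no DPI capacity left for {fid}")
        proxy = min(candidates, key=lambda p: dist[p])
        residual[proxy] -= 1
        # Phase 2: walk predecessors back to the ingress to get the route.
        path, node = [proxy], proxy
        while node != ingress:
            node = prev[node]
            path.append(node)
        plan[fid] = (proxy, path[::-1], dist[proxy])
        total += dist[proxy]
    return plan, total
```

With these inputs f4 cannot use its nearest proxy p2 (already full after f2 and f3) and is steered to p1 over a longer path, so the total delay is 11 ms; a capacity-blind shortest-path choice would overload p2, which is the coupling between allocation and routing that the ILP captures.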
