Lightweight IPS for port scan in OpenFlow SDN networks

Security has been one of the major concerns of the computer network community, owing to resource abuse and intrusion by malicious flows. Before a network or system is attacked, a port scan is typically performed to discover vulnerabilities, such as open ports, which may then be used to access and control the target. Several studies have addressed Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) methods for detecting malicious activity based on analysis of received flows or packet data. However, those methods increase switching latency, because flows or packets must be analyzed before they are routed. They may also increase network overhead when flows or packets are duplicated so that an external IDS can parse them. On the one hand, then, an IDS/IPS may become a bottleneck on the network and lose its usefulness. On the other hand, the newer Software Defined Networking (SDN) paradigm and the OpenFlow protocol expose statistical information about the network that may be used to detect malicious activity. Hence, this work presents a new port scan IPS for SDN based on the counter data of OpenFlow switches. A non-intrusive and lightweight method was developed and implemented, with low network overhead and low memory and processing power consumption. The results showed that our method is effective at detecting and preventing port scan attacks.
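To make the counter-based idea concrete, the following is an added illustration and not the paper's own method or code. It assumes a controller has already retrieved per-flow statistics from an OpenFlow switch (the `FlowStat` fields mirror the kind of match fields and `packet_count`/`byte_count` counters a flow-stats reply carries, but the class, the thresholds, the ratio test and the flow-mod dictionary shape are all hypothetical choices for this example). A source that has opened many distinct flows, almost all of which carried only one or two packets, is flagged, and a drop rule keyed on its source address is produced; the sample statistics are constructed inline.

```python
"""Port-scan heuristic over OpenFlow per-flow counters (added illustration, not the paper's code)."""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class FlowStat:
    """Hypothetical subset of what an OpenFlow flow-stats reply reports per flow entry."""
    ipv4_src: str
    ipv4_dst: str
    tcp_dst: int
    packet_count: int
    byte_count: int


@dataclass
class SourceSummary:
    """Per-source aggregate of the switch counters (assumed summary shape)."""
    dst_ports: set = field(default_factory=set)   # distinct (destination, port) pairs touched
    low_volume_flows: int = 0                     # flows that carried very few packets
    total_flows: int = 0


def summarize_sources(stats, max_packets=2):
    """Group flow entries by source address and count low-volume flows.

    max_packets is an assumed cut-off: a flow with at most this many packets is
    treated as a probe rather than a real conversation.
    """
    summary = defaultdict(SourceSummary)
    for fs in stats:
        s = summary[fs.ipv4_src]
        s.total_flows += 1
        s.dst_ports.add((fs.ipv4_dst, fs.tcp_dst))
        if fs.packet_count <= max_packets:
            s.low_volume_flows += 1
    return dict(summary)


def detect_port_scanners(stats, port_threshold=10, max_packets=2, low_ratio=0.8):
    """Return sources whose counters look like a port scan.

    Assumed rule: at least port_threshold distinct (destination, port) pairs AND
    at least low_ratio of the source's flows are low-volume. Only counters are
    inspected; no packet payload is read, so the switch keeps forwarding normally.
    """
    suspects = []
    for src, s in summarize_sources(stats, max_packets).items():
        ratio = s.low_volume_flows / s.total_flows  # total_flows >= 1 for every entry
        if len(s.dst_ports) >= port_threshold and ratio >= low_ratio:
            suspects.append(src)
    return sorted(suspects)


def build_block_rule(src_ip, priority=1000, idle_timeout=300):
    """Describe a high-priority flow entry with no actions (i.e. drop) for src_ip.

    The dictionary layout is illustrative; a real controller would translate it
    into its own flow-mod message. idle_timeout lets the block expire on its own.
    """
    return {
        "priority": priority,
        "match": {"eth_type": 0x0800, "ipv4_src": src_ip},
        "actions": [],              # empty action list drops matching packets
        "idle_timeout": idle_timeout,
    }


# Constructed sample: 10.0.0.5 touches 16 ports with one packet each (scan-like),
# while 10.0.0.7 holds three ordinary, long-lived connections.
SAMPLE_STATS = [FlowStat("10.0.0.5", "10.0.0.1", port, 1, 60) for port in range(20, 36)] + [
    FlowStat("10.0.0.7", "10.0.0.1", 80, 240, 180_000),
    FlowStat("10.0.0.7", "10.0.0.1", 443, 512, 620_000),
    FlowStat("10.0.0.7", "10.0.0.2", 22, 90, 12_000),
]

if __name__ == "__main__":
    for src in detect_port_scanners(SAMPLE_STATS):
        print("suspected scanner:", src, "->", build_block_rule(src))
```

Because the heuristic runs only on periodically polled counters, its cost is the polling interval and a small per-source table, which is the property the abstract's "non-intrusive and lightweight" claim rests on; the trade-off is that detection is delayed by up to one polling interval, and the thresholds above would need tuning against a given network's normal flow mix.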
