Robust and Agile System against Fault and Anomaly Traffic in Software Defined Networks

Mihui Kim, Younghee Park, Rohit Kotalwar
2017 Applied Sciences  
The main advantage of software defined networking (SDN) is that it allows intelligent control and management of networking through programmability in real time. It enables efficient utilization of network resources through traffic engineering, and offers potential attack defense methods when abnormalities arise. However, previous studies have only identified individual solutions for respective problems, instead of finding a more global solution in real time that is capable of addressing multiple situations in network status. To cover diverse network conditions, this paper presents a comprehensive reactive system for simultaneously monitoring failures, anomalies, and attacks for high availability and reliability. We design three main modules in the SDN controller for a robust and agile defense (RAD) system against network anomalies: a traffic analyzer, a traffic engineer, and a rule manager. RAD provides reactive flow rule generation to control traffic while detecting network failures, anomalies, high traffic volume (elephant flows), and attacks. The traffic analyzer identifies elephant flows, traffic anomalies, and attacks based on attack signatures and network monitoring. The traffic engineer module measures network utilization and delay in order to determine the best path for multi-dimensional routing and load balancing under any circumstances. Finally, the rule manager generates and installs a flow rule for the selected best path to control traffic. We implement the proposed RAD system based on Floodlight, an open source project for the SDN controller. We evaluate our system using simulation with and without the aforementioned RAD modules. Experimental results show that our approach is both practical and feasible, and can successfully augment an existing SDN controller in terms of agility, robustness, and efficiency, even in the face of link failures, attacks, and elephant flows.

Recently, greater emphasis has been placed on preserving the availability of networks because of the importance of fault management for huge and complicated networks as well as the increasing numbers of distributed denial of service (DDoS) attacks. In particular, data center networks have a variety of requirements, including high availability of up to 99.999%, simple and quick error detection, reliability, and fast restoration [2]. Thus, enterprises demand a highly available SDN infrastructure to meet growing business needs.
Such an infrastructure can be built around an SDN controller. The controller provides a global and centralized view of the network. It transmits information between the network switches or routers and the applications above them. Having an abstract SDN controller enables us to control network elements programmatically and to dynamically reconfigure them based on network conditions. However, this shift of intelligence to the controller requires efficient operation therein. Leveraging the agility and programmability of SDN, the controller must provide comprehensive monitoring and management even when abnormalities are present, and act as a nimble countermeasure to assure availability. Many research groups have concentrated on utilizing the high controllability of SDN or on preventing faults or anomalies, with different goals: traffic engineering for efficiency, measurement and monitoring for accuracy and low load, and security and dependability against specific attacks. Traffic engineering includes load balancing, flow rules and traffic optimization, and application-aware networking. Load balancing has been researched for network efficiency [3-6]. The goal of flow rules and traffic optimization is SDN efficiency [7-15]. Application-aware networking guarantees quality of service (QoS) for multimedia traffic [16, 17]. Next, as a basic process for traffic engineering or security, research on measurement and monitoring has tried to improve the accuracy of the process while simultaneously reducing the load on the controller [18-22]. Moreover, because the SDN controller is itself a vulnerable single point of failure, some studies consider new possible attack scenarios (e.g., crash and data compromise attacks [23], host location hijacking attacks [24], or control plane saturation attacks [25]) and design a proper defense for each.
However, these studies do not provide a comprehensive system for monitoring and preventing internal faults, anomalies and outside attacks. A unified system that provides an agile and efficient defense is therefore needed. Our goal in this study is to develop highly available and stable SDNs that take adept action against both fault and anomaly traffic, quickly detect anomalies by means of packet inspection, generate flow rules automatically, and apply them directly on switches. Our proposed architecture helps to develop a comprehensive solution for fault and anomaly detection and prevention, minimize latency, and increase network availability and efficiency under any circumstances. Moreover, our architecture adopts the appropriate SDN rule management method (i.e., proactive or reactive) based on flow type (i.e., mice or elephant flows). To achieve these goals, we propose a robust and agile defense (RAD) system against both fault and anomaly traffic by utilizing SDN technologies. Our RAD system consists of three main modules: a traffic analyzer, a traffic engineer, and a rule manager. The traffic analyzer monitors the traffic using sFlow-RT [26], a real-time network measurement tool, and Snort IDS [27], a signature-based intrusion detection system, to detect elephant flows and attacks, respectively. If an anomaly is detected, the traffic engineer module generates new routing paths based on the network status (i.e., network utilization or delay). The newly determined routing paths enable the rule manager to generate flow rules for the data plane on network devices. These steps are performed automatically, as a loop, whenever an anomaly event occurs. The contributions of this study are as follows:
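The analyzer, engineer and rule-manager loop described above, as an added example that is not the paper's code and not Floodlight's: a small Python model in which the traffic analyzer classifies constructed sFlow-style samples against an assumed sustained byte-rate threshold and an assumed Snort-like signature table, the traffic engineer runs Dijkstra over a per-link cost that combines utilization and delay (the weights, the four-switch topology and the treatment of failed or saturated links as unusable are all assumptions), and the rule manager emits one exact-match rule per hop on the chosen path for elephant flows, a drop rule at the ingress switch for signature hits, and nothing for mice, which this model assumes are already covered by proactively installed default rules. The rule dictionaries are shaped loosely after Floodlight's static flow pusher JSON, but their field names are illustrative only.

```python
"""Toy model of the RAD control loop: traffic analyzer -> traffic engineer ->
rule manager. Added example; thresholds, topology, cost weights, sample
data and rule field names are all assumptions, not values from the paper."""
import heapq

ELEPHANT_BPS = 10_000_000           # assumed: >= 10 Mbit/s sustained is an elephant flow
W_UTIL, W_DELAY = 0.7, 0.3          # assumed weights for the utilization/delay path cost
ATTACK_SIGNATURES = {               # assumed Snort-like signatures keyed by (proto, dst_port)
    ("udp", 53): "dns-reflection-like",
    ("tcp", 23): "telnet-probe",
}
# constructed topology: (u, v) -> (capacity_bps, delay_ms, utilization_bps, link_up)
LINKS = {
    ("s1", "s2"): (1_000_000_000, 1.0, 900_000_000, True),   # fast but nearly full
    ("s2", "s4"): (1_000_000_000, 1.0,  50_000_000, True),
    ("s1", "s3"): (1_000_000_000, 5.0,  10_000_000, True),   # slower but idle
    ("s3", "s4"): (1_000_000_000, 5.0,  10_000_000, True),
}
PORTS = {("s1", "s2"): 1, ("s2", "s1"): 1, ("s2", "s4"): 2, ("s4", "s2"): 1,
         ("s1", "s3"): 2, ("s3", "s1"): 1, ("s3", "s4"): 2, ("s4", "s3"): 2}
HOSTS = {"10.0.0.1": ("s1", 3), "10.0.0.2": ("s1", 4), "10.0.0.3": ("s1", 5),
         "10.0.0.4": ("s4", 3)}   # host -> (attachment switch, switch port)
# constructed sFlow-style samples: (src, dst, proto, dst_port, bytes, seconds)
SAMPLES = [
    ("10.0.0.1", "10.0.0.4", "tcp", 443, 2_000_000_000, 100),  # 160 Mbit/s: elephant
    ("10.0.0.2", "10.0.0.4", "tcp",  80,        20_000, 100),  # 1.6 kbit/s: mouse
    ("10.0.0.3", "10.0.0.4", "udp",  53,     3_000_000,  10),  # matches a signature
]


def analyze(samples):
    """Traffic analyzer: tag each sampled flow as attack, elephant or mouse."""
    events = []
    for src, dst, proto, dport, nbytes, secs in samples:
        flow = {"src": src, "dst": dst, "proto": proto, "dport": dport}
        sig = ATTACK_SIGNATURES.get((proto, dport))
        if sig:
            events.append(("attack", flow, sig))        # signature wins over volume
        elif nbytes * 8 / secs >= ELEPHANT_BPS:
            events.append(("elephant", flow, None))
        else:
            events.append(("mouse", flow, None))
    return events


def link_cost(link, links=LINKS):
    """Multi-dimensional cost; None marks a failed or saturated link as unusable."""
    cap, delay_ms, util, up = links[link]
    if not up or util >= cap:
        return None
    return W_UTIL * (util / cap) + W_DELAY * (delay_ms / 10.0)


def best_path(src_sw, dst_sw, links=LINKS):
    """Traffic engineer: Dijkstra over link_cost, skipping unusable links."""
    adj = {}
    for (u, v) in links:
        c = link_cost((u, v), links)
        if c is not None:
            adj.setdefault(u, []).append((v, c))
            adj.setdefault(v, []).append((u, c))
    dist, prev, heap = {src_sw: 0.0}, {}, [(0.0, src_sw)]
    while heap:
        d, u = heapq.heappop(heap)
        if u == dst_sw:
            break
        if d > dist[u]:
            continue
        for v, c in adj.get(u, []):
            if d + c < dist.get(v, float("inf")):
                dist[v], prev[v] = d + c, u
                heapq.heappush(heap, (d + c, v))
    if dst_sw not in dist:
        return None                                     # no surviving path
    path = [dst_sw]
    while path[-1] != src_sw:
        path.append(prev[path[-1]])
    return path[::-1]


def make_rules(kind, flow, links=LINKS):
    """Rule manager: drop attacks at ingress, install a reactive exact-match
    rule per hop for elephants, leave mice to proactive default rules."""
    in_sw, _ = HOSTS[flow["src"]]
    match = {"ipv4_src": flow["src"], "ipv4_dst": flow["dst"],
             "ip_proto": flow["proto"], "tp_dst": flow["dport"]}
    if kind == "attack":
        return [{"switch": in_sw, "priority": 300, "match": match, "actions": "drop"}]
    if kind == "mouse":
        return []
    dst_sw, dst_port = HOSTS[flow["dst"]]
    path = best_path(in_sw, dst_sw, links)
    if path is None:
        return []                                       # nothing reachable to program
    rules = []
    for i, sw in enumerate(path):
        out = PORTS[(sw, path[i + 1])] if i + 1 < len(path) else dst_port
        rules.append({"switch": sw, "priority": 200, "idle_timeout": 30,
                      "match": match, "actions": f"output={out}"})
    return rules


def rad_cycle(samples, links=LINKS):
    """One pass of the loop: analyze, then route and program every event."""
    return [(kind, make_rules(kind, flow, links)) for kind, flow, _ in analyze(samples)]


if __name__ == "__main__":
    for kind, rules in rad_cycle(SAMPLES):
        print(kind, rules)
```

With the constructed topology the engineer steers the elephant flow over s1-s3-s4 even though that path has five times the per-link delay, because the utilization term on s1-s2 dominates the cost; marking s1-s3 down in a copy of LINKS makes the same call fall back to s1-s2-s4, which is the link-failure case the loop is meant to absorb.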
doi:10.3390/app7030266