Enhanced Mechanism for Link Failure Rerouting in Software-Defined Exchange Point Networks

Internet Exchange Point(IXP)is a system that increases network bandwidth performance.Internet exchange points facilitate interconnection among network providers,including Internet Service Providers(ISPs)andContent Delivery Providers(CDNs).To improve service management,Internet exchange point providers have adopted the Software Defined Network(SDN)paradigm.This implementation is known as a Software-Defined Exchange Point(SDX).It improves network providers’operations and management.However,performance issues still exist,particularly with multi-hop topologies.These issues include switch memory costs,packet processing latency,and link failure recovery delays.The paper proposes Enhanced Link Failure Rerouting(ELFR),an improved mechanism for rerouting link failures in software-defined exchange point networks.The proposed mechanism aims to minimize packet processing time for fast link failure recovery and enhance path calculation efficiency while reducing switch storage overhead by exploiting the Programming Protocol-independent Packet Processors(P4)features.The paper presents the proposed mechanisms’efficiency by utilizing advanced algorithms and demonstrating improved performance in packet processing speed,path calculation effectiveness,and switch storage management compared to current mechanisms.The proposed mechanism shows significant improvements,leading to a 37.5%decrease in Recovery Time(RT)and a 33.33%decrease in both Calculation Time(CT)and Computational Overhead(CO)when compared to current mechanisms.The study highlights the effectiveness and resource efficiency of the proposed mechanism in effectively resolving crucial issues inmulti-hop software-defined exchange point networks.

Data Analysis of Network Parameters for Secure Implementations of SDN-Based Firewall

Software-Defined Networking(SDN)is a new network technology that uses programming to complement the data plane with a control plane.To enable safe connection,however,numerous security challenges must be addressed.Flooding attacks have been one of the most prominent risks on the internet for decades,and they are now becoming challenging difficulties in SDN networks.To solve these challenges,we proposed a unique firewall application built on multiple levels of packet filtering to provide a flooding attack prevention system and a layer-based packet detection system.This study offers a systematic strategy for wrapping up the examination of SDN operations.The Mininet simulator examines the effectiveness of SDN-based firewalls at various network tiers.The fundamental network characteristics that specify how SDN should operate.The three main analytical measures of the network are jitter,response time,and throughput.During regular operations,their behavior evaluates in the standard SDN conditions of Transmission Control Protocol(TCP)flooding and User Datagram Protocol(UDP)flooding with no SDN occurrences.Low Orbit Ion Cannon(LOIC)is applied to launch attacks on the transmission by the allocated server.Wireshark and MATLAB are used for the behavioral study to determine how sensitive the parameters are used in the SDN network and monitor the fluctuations of those parameters for different simulated scenarios.

Sea Turtle Foraging Optimization-Based Controller Placement with Blockchain-Assisted Intrusion Detection in Software-Defined Networks

Software-defined networking(SDN)algorithms are gaining increas-ing interest and are making networks flexible and agile.The basic idea of SDN is to move the control planes to more than one server’s named controllers and limit the data planes to numerous sending network components,enabling flexible and dynamic network management.A distinctive characteristic of SDN is that it can logically centralize the control plane by utilizing many physical controllers.The deployment of the controller—that is,the controller placement problem(CPP)—becomes a vital model challenge.Through the advancements of blockchain technology,data integrity between nodes can be enhanced with no requirement for a trusted third party.Using the lat-est developments in blockchain technology,this article designs a novel sea turtle foraging optimization algorithm for the controller placement problem(STFOA-CPP)with blockchain-based intrusion detection in an SDN environ-ment.The major intention of the STFOA-CPP technique is the maximization of lifetime,network connectivity,and load balancing with the minimization of latency.In addition,the STFOA-CPP technique is based on the sea turtles’food-searching characteristics of tracking the odour path of dimethyl sulphide(DMS)released from food sources.Moreover,the presented STFOA-CPP technique can adapt with the controller’s count mandated and the shift to controller mapping to variable network traffic.Finally,the blockchain can inspect the data integrity,determine significantly malicious input,and improve the robust nature of developing a trust relationship between sev-eral nodes in the SDN.To demonstrate the improved performance of the STFOA-CPP algorithm,a wide-ranging experimental analysis was carried out.The extensive comparison study highlighted the improved outcomes of the STFOA-CPP technique over other recent approaches.

Performance Evaluation of Topologies for Multi-Domain Software-Defined Networking

Software-defined networking(SDN)is widely used in multiple types of data center networks,and these distributed data center networks can be integrated into a multi-domain SDN by utilizing multiple controllers.However,the network topology of each control domain of SDN will affect the performance of the multidomain network,so performance evaluation is required before the deployment of the multi-domain SDN.Besides,there is a high cost to build real multi-domain SDN networks with different topologies,so it is necessary to use simulation testing methods to evaluate the topological performance of the multi-domain SDN network.As there is a lack of existing methods to construct a multi-domain SDN simulation network for the tool to evaluate the topological performance automatically,this paper proposes an automated multi-domain SDN topology performance evaluation framework,which supports multiple types of SDN network topologies in cooperating to construct a multi-domain SDN network.The framework integrates existing single-domain SDN simulation tools with network performance testing tools to realize automated performance evaluation of multidomain SDN network topologies.We designed and implemented a Mininet-based simulation tool that can connect multiple controllers and run user-specified topologies in multiple SDN control domains to build and test multi-domain SDN networks faster.Then,we used the tool to perform performance tests on various data center network topologies in single-domain and multi-domain SDN simulation environments.Test results show that Space Shuffle has the most stable performance in a single-domain environment,and Fat-tree has the best performance in a multi-domain environment.Also,this tool has the characteristics of simplicity and stability,which can meet the needs of multi-domain SDN topology performance evaluation.

Multi-Attack Intrusion Detection System for Software-Defined Internet of Things Network

Currently,the Internet of Things(IoT)is revolutionizing communi-cation technology by facilitating the sharing of information between different physical devices connected to a network.To improve control,customization,flexibility,and reduce network maintenance costs,a new Software-Defined Network(SDN)technology must be used in this infrastructure.Despite the various advantages of combining SDN and IoT,this environment is more vulnerable to various attacks due to the centralization of control.Most methods to ensure IoT security are designed to detect Distributed Denial-of-Service(DDoS)attacks,but they often lack mechanisms to mitigate their severity.This paper proposes a Multi-Attack Intrusion Detection System(MAIDS)for Software-Defined IoT Networks(SDN-IoT).The proposed scheme uses two machine-learning algorithms to improve detection efficiency and provide a mechanism to prevent false alarms.First,a comparative analysis of the most commonly used machine-learning algorithms to secure the SDN was performed on two datasets:the Network Security Laboratory Knowledge Discovery in Databases(NSL-KDD)and the Canadian Institute for Cyberse-curity Intrusion Detection Systems(CICIDS2017),to select the most suitable algorithms for the proposed scheme and for securing SDN-IoT systems.The algorithms evaluated include Extreme Gradient Boosting(XGBoost),K-Nearest Neighbor(KNN),Random Forest(RF),Support Vector Machine(SVM),and Logistic Regression(LR).Second,an algorithm for selecting the best dataset for machine learning in Intrusion Detection Systems(IDS)was developed to enable effective comparison between the datasets used in the development of the security scheme.The results showed that XGBoost and RF are the best algorithms to ensure the security of SDN-IoT and to be applied in the proposed security system,with average accuracies of 99.88%and 99.89%,respectively.Furthermore,the proposed security scheme reduced the false alarm rate by 33.23%,which is a significant improvement over prevalent schemes.Finally,tests of the algorithm for dataset selection showed that the rates of false positives and false negatives were reduced when the XGBoost and RF algorithms were trained on the CICIDS2017 dataset,making it the best for IDS compared to the NSL-KDD dataset.

Toward Secure Software-Defined Networks Using Machine Learning: A Review, Research Challenges, and Future Directions

Over the past few years,rapid advancements in the internet and communication technologies have led to increasingly intricate and diverse networking systems.As a result,greater intelligence is necessary to effectively manage,optimize,and maintain these systems.Due to their distributed nature,machine learning models are challenging to deploy in traditional networks.However,Software-Defined Networking(SDN)presents an opportunity to integrate intelligence into networks by offering a programmable architecture that separates data and control planes.SDN provides a centralized network view and allows for dynamic updates of flow rules and softwarebased traffic analysis.While the programmable nature of SDN makes it easier to deploy machine learning techniques,the centralized control logic also makes it vulnerable to cyberattacks.To address these issues,recent research has focused on developing powerful machine-learning methods for detecting and mitigating attacks in SDN environments.This paper highlighted the countermeasures for cyberattacks on SDN and how current machine learningbased solutions can overcome these emerging issues.We also discuss the pros and cons of using machine learning algorithms for detecting and mitigating these attacks.Finally,we highlighted research issues,gaps,and challenges in developing machine learning-based solutions to secure the SDN controller,to help the research and network community to develop more robust and reliable solutions.

Optimal configuration of firewall, IDS and vulnerability scan by game theory

The integrated linkage control problem based on attack detection is solved with the analyses of the security model including firewall, intrusion detection system （IDS） and vulnerability scan by game theory. The Nash equilibrium for two portfolios of only deploying IDS and vulnerability scan and deploying all the technologies is investigated by backward induction. The results show that when the detection rates of IDS and vulnerability scan are low, the firm will not only inspect every user who raises an alarm, but also a fraction of users that do not raise an alarm; when the detection rates of IDS and vulnerability scan are sufficiently high, the firm will not inspect any user who does not raise an alarm, but only inspect a fraction of users that raise an alarm. Adding firewall into the information system impacts on the benefits of firms and hackers, but does not change the optimal strategies of hackers, and the optimal investigation strategies of IDS are only changed in certain cases. Moreover, the interactions between IDS ＆ vulnerability scan and firewall ＆ IDS are discussed in detail.

一种适用于Diverse Firewall Design的规则集比较算法

随着防火墙规则数目的增多,Diverse Firewall Design设计方法越来越受到重视。在应用该方法进行规则集设计时,多个开发团队会独立地编写若干规则集。由于规则集配置的复杂性,这些规则集有可能不一致。因此,需要使用规则集比较算法,判断这些规则集是否等价,以达到检测出错误配置的目的。然而现有规则集比较算法,实现复杂且效率较低。针对这一问题,提出了一种基于规则交集运算的规则集比较算法。该算法首先使用规则冲突消除算法对规则集进行预处理,将规则集比较问题,转换成多维空间中的图形比较问题;然后利用规则交集运算,判断图形所占区域和颜色是否一致,进而确定规则集是否等价。理论分析和测试表明,算法能检测出规则集之间的不同点,且时空效率优于现有算法。

基于校园网的FireWall的构架与实现

论述了 Fire Wall的工作原理及在校园网中的架构 ,并利用共享软件 Linux实现了 Fire Wall在校园网中的架构 ;该 Fire Wall最大的优点是经济、实用、安全性高。

基于Full Proxy的NAT/Firewall的穿越

VoIP语音视频流对NAT/F irewall的穿越已经成为语音数据业务开展过程中最大的障碍。Fu ll Proxy提供了一种NAT/F irewall穿越的有效途径,具有很强的适应性和透明性。深入讨论了Fu ll Proxy的实现原理和基于Fu ll Proxy的整个呼叫流程,最后在一个嵌入式双CPU系统的基础上实现了一个Fu ll Proxy。

浅谈Firewall技术

Firewall是一种非常有效的网络安全模型。系统分析了Firewall技术中的主要技术数据包过滤和代理服务技术,同时对Firewall的基本类型进行了比较,从而为企业选择一种访问控制策略提供一定的理论依据。

基于ACE和SSL的Firewall与IDS联动系统研究

随着Internet的迅猛发展,网络攻击的方法和技术越来越智能化和多样化,网络安全需求与日俱增。传统的防火墙(Firewall)与入侵检测系统IDS已不能满足网络安全整体化需求。鉴于此,引入ACE网络通信中间件和SSL协议,采用开放接口方式,从网络安全整体性与动态性的需求考虑,设计了一种新型的基于ACE和SSL通信平台的Firewall和IDS协同联动系统模型。该系统模型融合了Firewall和IDS的优点,采用加密信息传输机制、策略管理机制和联动分析算法,确保了传输信息的可靠性、完整性和机密性。实验结果表明,该联动系统不但能够有效地检测和防御攻击,而且具有良好的协作性、通用性和可扩展性。

用IPTABLES构建LINUX FIREWALL在校园网中的应用

在校园网迅速发展的现在,服务器的安全问题成了网络管理员最为关心的问题。为了提高服务器的安全性,文章提出利用基于LINUX的IPTABLES构建防火墙,然后结合学校实际情况对外提供各种服务,例如:Web、FTP、MAIL等等;并给出了一套关于Web服务的访问进出规则。

Etrust Firewall在校园网络安全中的应用

防火墙是一个或一组系统 ,它能够过滤进入和离开校园计算机网络的数据 ,EtrustFire wall能够根据各种给定的条件来保护网络 ,这些给定的条件既可以是指定的应用程序和指定的网络服务 ,也可以是指定的源地址和目标地址等。它通常以单个规则为基础 ,为校园计算机网络提供一致的安全保护。利用EtrustFirewall可以快速和容易地保护校园计算机网络 。

On Reliability-optimized Controller Placement for Software-Defined Networks

By decoupling control plane and data plane,Software-Defined Networking(SDN) approach simplifies network management and speeds up network innovations.These benefits have led not only to prototypes,but also real SDN deployments.For wide-area SDN deployments,multiple controllers are often required,and the placement of these controllers becomes a particularly important task in the SDN context.This paper studies the problem of placing controllers in SDNs,so as to maximize the reliability of SDN control networks.We present a novel metric,called expected percentage of control path loss,to characterize the reliability of SDN control networks.We formulate the reliability-aware control placement problem,prove its NP-hardness,and examine several placement algorithms that can solve this problem.Through extensive simulations using real topologies,we show how the number of controllers and their placement influence the reliability of SDN control networks.Besides,we also found that,through strategic controller placement,the reliability of SDN control networks can be significantly improved without introducing unacceptable switch-to-controller latencies.

A Survey: Typical Security Issues of Software-Defined Networking

Software-Defined Networking (SDN) has been a hot topic for future network development, which implements the different layers of control plane and data plane respectively. Despite providing high openness and programmability, the “three-layer two-interface” architecture of SDN changes the traditional network and increases the network attack nodes, which results in new security issues. In this paper, we firstly introduced the background, architecture and working process of SDN. Secondly, we summarized and analyzed the typical security issues from north to south: application layer, northbound interface, control layer, southbound interface and data layer. Another contribution is to review and analyze the existing solutions and latest research progress of each layer, mainly including: authorized authentication module, application isolation, DoS/DDoS defense, multi-controller deployment and flow rule consistency detection. Finally, a conclusion about the future works of SDN security and an idealized global security architecture is proposed.

Quality of Service Improvement with Optimal Software-Defined Networking Controller and Control Plane Clustering

The controller is indispensable in software-defined networking(SDN).With several features,controllers monitor the network and respond promptly to dynamic changes.Their performance affects the quality-of-service(QoS)in SDN.Every controller supports a set of features.However,the support of the features may be more prominent in one controller.Moreover,a single controller leads to performance,single-point-of-failure(SPOF),and scalability problems.To overcome this,a controller with an optimum feature set must be available for SDN.Furthermore,a cluster of optimum feature set controllers will overcome an SPOF and improve the QoS in SDN.Herein,leveraging an analytical network process(ANP),we rank SDN controllers regarding their supporting features and create a hierarchical control plane based cluster(HCPC)of the highly ranked controller computed using the ANP,evaluating their performance for the OS3E topology.The results demonstrated in Mininet reveal that a HCPC environment with an optimum controller achieves an improved QoS.Moreover,the experimental results validated in Mininet show that our proposed approach surpasses the existing distributed controller clustering(DCC)schemes in terms of several performance metrics i.e.,delay,jitter,throughput,load balancing,scalability and CPU(central processing unit)utilization.

An Algorithm for Optimal Firewall Placement in IEC61850 Substations

Recently, most electric power substations have adopted production control systems, such as SCADA systems, which communicate with field devices and remotely control processes from a computer screen. However, these systems together with protection measures and additional control actions (using protocol IEC61850) seem not to be enough to free substations of security attacks (e.g. virus, intruders, forgery or unauthorized data manipulation). This paper analyzes the main features of an electric power substation together with the aspects that might be significantly affected by cyber-attacks. The paper also presents the implementation of a specific security system (i.e. firewall-wise system) intended to protect a target distribution network.

Challenge-based collaborative intrusion detection in software-defined networking: An evaluation

Software-Defined Networking(SDN)is an emerging architecture that enables a computer network to be intelligently and centrally controlled via software applications.It can help manage the whole network environment in a consistent and holistic way,without the need of understanding the underlying network structure.At present,SDN may face many challenges like insider attacks,i.e.,the centralized control plane would be attacked by malicious underlying devices and switches.To protect the security of SDN,effective detection approaches are indispensable.In the literature,challenge-based collaborative intrusion detection networks(CIDNs)are an effective detection framework in identifying malicious nodes.It calculates the nodes'reputation and detects a malicious node by sending out a special message called a challenge.In this work,we devise a challenge-based CIDN in SDN and measure its performance against malicious internal nodes.Our results demonstrate that such a mechanism can be effective in SDN environments.

On the use of the genetic programming for balanced load distribution in software-defined networks

As a new networking paradigm,Software-Defined Networking(SDN)enables us to cope with the limitations of traditional networks.SDN uses a controller that has a global view of the network and switch devices which act as packet forwarding hardware,known as“OpenFlow switches”.Since load balancing service is essential to distribute workload across servers in data centers,we propose an effective load balancing scheme in SDN,using a genetic programming approach,called Genetic Programming based Load Balancing(GPLB).We formulate the problem to find a path:1)with the best bottleneck switch which has the lowest capacity within bottleneck switches of each path,2)with the shortest path,and 3)requiring the less possible operations.For the purpose of choosing the real-time least loaded path,GPLB immediately calculates the integrated load of paths based on the information that receives from the SDN controller.Hence,in this design,the controller sends the load information of each path to the load balancing algorithm periodically and then the load balancing algorithm returns a least loaded path to the controller.In this paper,we use the Mininet emulator and the OpenDaylight controller to evaluate the effectiveness of the GPLB.The simulative study of the GPLB shows that there is a big improvement in performance metrics and the latency and the jitter are minimized.The GPLB also has the maximum throughput in comparison with related works and has performed better in the heavy traffic situation.The results show that our model stands smartly while not increasing further overhead.