Similar literature
20 similar documents found (search time 31 ms)
1.
The coming 5G wireless generation is driven by higher demand for wireless capacity. With Software Defined Network (SDN), the data layer can be separated from the control layer. The development of related work on Network Function Virtualization (NFV) and cloud computing has the potential to offer quicker and more reliable network access for growing data traffic. Under such circumstances, Software Defined Mobile Network (SDMN) is presented as a promising solution for meeting wireless data demands. This paper provides a survey of SDMN and its related security problems. As SDMN integrates cloud computing, SDN, and NFV, and works on improving network functions, performance, flexibility, energy efficiency, and scalability, it is an important component of next generation telecommunication networks. However, the SDMN concept also raises new security concerns. We explore relevant security threats and their corresponding countermeasures with respect to the data layer, control layer, application layer, and communication protocols. We also adopt the STRIDE method to classify the various security threats in order to reveal them better in the context of SDMN. This survey concludes with a list of open security challenges in SDMN.

2.
Distributed denial of service (DDoS) attacks represent one of the most critical security challenges facing network operators. Software-defined networking (SDN) permits fast reactions to such threats by dynamically enforcing simple forwarding/blocking rules as countermeasures. However, the centralization of the control plane requires that the SDN controller, besides network management operations, should also collect information to identify and mitigate the security menaces. A major drawback of this approach is that it may overload the controller and the control channel. On the other hand, stateful SDN represents a new concept, developed to improve reactivity and offload the controller by delegating local treatments to the switches. In this article, we embrace this paradigm to protect end-hosts from DDoS attacks. We propose StateSec, a novel approach based on in-switch processing capabilities to detect and mitigate flooding threats. StateSec monitors packets matching configurable traffic features without resorting to the controller. By feeding an entropy-based detection algorithm with such monitoring features, it detects and mitigates several threats such as (D)DoS with high accuracy. We implemented StateSec in an SDN platform comparing it with state-of-the-art approaches. We show that StateSec is far more efficient: It achieves very accurate detection levels, reducing at the same time the control plane overhead. We have also evaluated the memory footprint of StateSec for a possible use in production. Finally, we deployed StateSec over a real network to tune its parameters and assess its suitability to real-world deployments.

3.
Existing researchers use threat modeling and security analysis systems to evaluate and predict software defined network (SDN) security threats, but this approach does not consider the exploit probability of SDN controller vulnerabilities or the position of devices in the network, so the security assessment is inaccurate. To address these problems, an algorithm for computing the importance of each device in an SDN was designed by combining device vulnerability exploit probability and device criticality with the PageRank algorithm, and a method for measuring the probability that a device is successfully attacked was designed on the basis of the SDN attack graph and Bayesian theory. On this basis, an SDN security prediction algorithm based on Bayesian attack graphs was designed to predict the attacker's attack path. Experimental results show that the method accurately predicts the attacker's attack path and provides a more accurate basis for security defense.

4.
The network testbed based on software defined networking (referred to as the SDN testbed) has attracted extensive attention in academic and industrial circles in recent years, and there have been many valuable cases of system/platform construction. Therefore, this paper presents an overview of SDN testbeds in the global scope. Firstly, the advantages of the SDN testbed and the basic design principles of large-scale SDN testbeds were explored in comparison with the traditional network testbed. Secondly, an in-depth analysis of existing SDN testbed projects was provided from the aspects of project objectives and progress, key technologies, network deployment, and featured applications. Finally, the challenges faced in this field were described in terms of network slicing, optical and wireless convergence, security, and reliability. Future research directions are also suggested.

5.
Software-defined networks (SDNs) decouple the data plane from the control plane. Thus, they provide logically centralized visibility of the entire networking infrastructure to the controller. This enables the applications running on top of the control plane to innovate through network management and programmability. To realize centralized control and visibility, the controller needs to discover the networking topology of the entire SDN infrastructure. However, discovering and maintaining a global view of the underlying network topology is a challenging task because of (i) frequently changing network topology caused by migration of virtual machines in data centers, mobile end hosts, and changes in the number of data plane switches because of technical faults or network upgrades; (ii) lack of authentication mechanisms and scarcity of SDN standards; and (iii) the availability of security solutions during the topology discovery process. To this end, the aim of this paper is threefold. First, we investigate the working methodologies used to achieve a global view by different SDN controllers, specifically POX, Ryu, OpenDaylight, Floodlight, Beacon, ONOS, and HPEVAN. Second, we identify vulnerabilities that affect the topology discovery process in the above controller implementations. In particular, we provide a detailed analysis of the threats, namely link layer discovery protocol (LLDP) poisoning, LLDP flooding, and LLDP replay attacks, concerning these controllers. Finally, to counter the identified risks, we propose a novel mechanism called TILAK which generates random MAC destination addresses for LLDP packets and uses this randomness to create a flow entry for the LLDP packets. It is a periodic process to prevent LLDP packet-based attacks that are caused only by the lack of verification of source authentication and integrity of LLDP packets. The implementation results for TILAK confirm that it covers the targeted threats with a lower resource penalty.

6.
Software-defined networking (SDN) adopts an architecture that separates control from forwarding, so researchers can implement arbitrary network control logic in software without modifying the network devices themselves. With this great flexibility, it has been studied and applied in routing decisions, network virtualization, wireless access, cloud computing data center networks and other fields, and has become a hot technology. However, while SDN is developing rapidly, it also introduces new security risks and new security problems. On the other hand, SDN also challenges traditional security technologies and brings opportunities for the development of innovative network security applications. In view of this, this paper surveys the current state of SDN security research in light of the characteristics of the SDN architecture, including SDN security risk analysis and security technologies and applications, and reflects on the significance of SDN for information security.

7.
Software-defined networking (SDN) separates the traditional control plane from the data plane, forms a centralized controller, opens up a network programming interface, simplifies network management, promotes network innovation and optimizes network operation. However, SDN's “three-layer, two-interface” architecture increases the network attack surface, resulting in many new security issues. The development, characteristics and working principle of SDN are first introduced, and the existing security problems of the application layer, the northbound interface, the control plane, the southbound interface and the data plane are summarized respectively. Secondly, the latest research progress and existing solutions are discussed. Finally, current and future SDN security challenges are summarized, and future directions for SDN security development are outlined.

8.
Software defined network (SDN) is a new kind of network technology, and security problems are hot topics in the SDN field, such as SDN control channel security, forged service deployment and external distributed denial of service (DDoS) attacks. Aiming at the DDoS attack problem in SDN, a DDoS attack detection method called DCNN-DSAE, based on a deep learning hybrid model, is proposed. In this method, when the deep learning model is constructed, the input features include 21 different types of fields extracted from the data plane and 5 extra self-designed features for distinguishing flow types. The experimental results show that the method has high accuracy, better than the traditional support vector machine (SVM), deep neural network (DNN) and other machine learning methods. At the same time, the proposed method can also shorten the processing time of classification detection. The detection model is deployed in the SDN controller, and the new security policy is sent to the OpenFlow switch to achieve the defense against the specific DDoS attack.

9.
Today, vehicles are equipped with wireless sensors and on-board computers capable of collecting and processing a large amount of data; they can communicate with each other via different communication types and through different relay nodes. Internet of Vehicles (IoV) routing protocols are deployed to manage these communications with various strategies to achieve high availability of communication. In this paper, we propose to extend an existing taxonomy representing the necessary criteria to build IoV routing algorithms by adding two new important criteria: the security aspect and the network architecture. Enhanced vehicular routing protocols with different security mechanisms have been studied, compared, and classified with respect to the authentication, integrity, confidentiality, nonrepudiation, and availability of data and communications. Routing protocols using the software-defined networking (SDN) paradigm have also been reviewed in order to compare them with those with traditional network architectures. Three types of SDN routing protocols, namely centralized, decentralized, and hybrid control planes, have been analyzed. This survey will be useful for the choice of IoV routing protocols that take into account the flexibility, scalability, and intelligence of vehicular networks, as well as the security mechanisms against cyberattacks, while being cost aware.

10.
The separation of the control and forwarding planes in software-defined networking (SDN) is a key feature of the SDN technology. This feature and the existence of the SDN controller allow the development of dynamic, adaptable and manageable networks, networks that require adequate services and applications. However, the separation of these planes prevents the use of existing powerful tools that were coded with traditional networks in mind. In this paper, we use the potential of network virtualization (NV) technologies to propose a virtualized infrastructure that makes it possible to incorporate these existing services and/or applications into an SDN network, without the need to program additional and complex software modules in the SDN controller. Thus, in this paper, NV is not employed to develop a network managed by SDN but to broaden and support the SDN control layer. As an example, we describe the incorporation of nmap (a versatile and powerful tool widely used by security experts for network exploration) into the SDN framework. It is only necessary to develop a simple control plane service that, thanks to the proposed virtualized infrastructure, allows the inclusion of this powerful management application. The result offers the complete functionality of the nmap utility to the network administrators, who control the SDN network through the out-of-band control plane. In addition, a northbound REST API has been defined to offer the main functionality of the tool (host discovery, port scanning, and operating system detection) to the application layer.

11.
DDoS attacks are widespread and pose a mortal threat to software-defined networking (SDN) controllers, and no security mechanism can yet prevent them. Combining SDN and network function virtualization (NFV), a novel mechanism for preventing DDoS attacks on the SDN controller, called the upfront detection middlebox (UDM), is proposed. The upfront detection middlebox is deployed in a distributed manner between the SDN switch interfaces and the user hosts, where DDoS attack packets are detected and dropped. An NFV-based method of implementing the upfront middlebox is put forward, which makes the UDM mechanism economical and effective. A prototype system based on this mechanism was implemented and extensive experiments were conducted. The experimental results show that the NFV-based UDM mechanism can detect and prevent DDoS attacks on SDN controllers effectively and in real time.

12.
Software-defined networking (SDN) is being widely adopted by enterprise networks, whereas providing security features in these next generation networks is a challenge. In this article, we present the main security threats in software-defined networking and we propose AuthFlow, an authentication and access control mechanism based on host credentials. The main contributions of our proposal are threefold: (i) a host authentication mechanism just above the MAC layer in an OpenFlow network, which guarantees a low overhead and ensures fine-grained access control; (ii) a credential-based authentication to perform access control according to the privilege level of each host, by mapping the host credentials to the set of flows that belong to the host; (iii) a new framework for control applications, enabling software-defined network controllers to use the host identity as a new flow field to define forwarding rules. A prototype of the proposed mechanism was implemented on top of the POX controller. The results show that AuthFlow denies access to hosts either without valid credentials or with revoked authorization. Finally, we show that our scheme allows, for each host, different levels of access to network resources according to its credential.

13.
Research on security issues of the geospatial information grid   Total citations: 3, self-citations: 1, other citations: 2
Gong Qiang (龚强), Information Technology (《信息技术》), 2005, 29(10):1-6
Computer networks are the carrier of the geospatial information grid, and the two are closely related. This relationship is mainly reflected in interconnection and interoperability, reliance on protocols, interaction interfaces and virtual organizations. Therefore, the security threats encountered by computer networks are also encountered by the geospatial information grid. In addition, the geospatial information grid must face security threats arising from its own characteristics, such as attacks on core facilities that lead to overall paralysis, or the disruption of local computation. To address these problems, a security architecture for the geospatial information grid was designed around four links: users, the communication network, applications and grid resources. The functions of each module, the relationships between them, and the overall collaborative operating procedure are discussed.

14.
Kyung, Yeunwoong; Park, Jinwoo. Wireless Networks, 2019, 25(6):2963-2976
Wireless Networks - Software-defined networking (SDN) is a promising networking paradigm towards a centralized network control plane decoupled from the forwarding plane. Owing to its intrinsic...

15.
Research on the security requirements and architecture of IPTV services   Total citations: 1, self-citations: 0, other citations: 1
Xie Wei (谢玮), Telecommunications Science (《电信科学》), 2007, 23(4):41-44
The basic purpose of network service security is to resist various forms of internal and external threats and to ensure the healthy operation of the network and its services. In computer network security theory, a security protection mechanism is generally established by the following steps: determine the protection target; analyze the security threats it faces; decide the security requirements; and achieve the security goals in the most economical and reasonable way. Following these steps, this paper analyzes and organizes the security issues of IPTV services in terms of threat description, security requirement analysis and a security architecture model.

16.
To solve the network security problems of open software-as-a-service (SaaS) platforms, software-defined networking (SDN) is combined with the construction of open SaaS platforms, and a design approach for an SDN-based network security system for open SaaS platforms is proposed. On the basis of an analysis of the system's physical model, functional model and collaboration model, the system architecture is designed, the key elements of the architecture are analyzed, and a typical application example of the system is given. Building a SaaS platform network security system on SDN is of great significance for improving the security and openness of the system and for constructing a network security system that meets users' individual needs.

17.
Software-defined networking (SDN) has received considerable attention and adoption owing to its inherent advantages, such as enhanced scalability, increased adaptability, and the ability to exercise centralized control. However, the control plane of the system is vulnerable to denial-of-service (DoS) attacks, which are a primary focus for attackers. These attacks have the potential to result in substantial delays and packet loss. In this study, we present a novel system called Two-Phase Authentication for Attack Detection that aims to enhance the security of SDN by mitigating DoS attacks. The methodology utilized in our study involves the implementation of packet filtration and machine learning classification techniques, which are subsequently followed by the targeted restriction of malevolent network traffic. Instead of completely deactivating the host, the emphasis lies on preventing harmful communication. Support vector machine and K-nearest neighbours algorithms were utilized for efficient detection on the CICDoS 2017 dataset. The deployed model was utilized within an environment designed for the identification of threats in SDN. Based on the observations of the banned queue, our system allows a host to reconnect when it is no longer contributing to malicious traffic. The experiments were run on an Ubuntu virtual machine under VMware, and an SDN environment was created using Mininet and the RYU controller. The results of the tests demonstrated enhanced performance in various aspects, including the reduction of false positives, the minimization of central processing unit utilization and control channel bandwidth consumption, the improvement of packet delivery ratio, and the decrease in the number of flow requests submitted to the controller. These results confirm that our Two-Phase Authentication for Attack Detection architecture identifies and mitigates SDN DoS attacks with low overhead.

18.
Research progress on key link-layer technologies of cognitive radio networks   Total citations: 2, self-citations: 1, other citations: 2
Building cognitive radio networks is the fundamental way to solve the problem of increasingly scarce spectrum resources. To achieve interference-free opportunistic spectrum sharing, the link layer of a cognitive radio network must not only provide traditional data transmission services but also support a set of new functions adapted to the non-uniform characteristics of the spectrum. The key technologies required for these new functions are summarized and discussed from six aspects: cooperative sensing, sensing mechanism optimization, dynamic spectrum access, dynamic spectrum allocation, cross-layer design and security mechanisms. The latest research progress on these key technologies is summarized and analyzed, and the main directions for further research are discussed.

19.
Securing ad hoc networks   Total citations: 22, self-citations: 0, other citations: 22
Ad hoc networks are a new wireless networking paradigm for mobile hosts. Unlike traditional mobile wireless networks, ad hoc networks do not rely on any fixed infrastructure. Instead, hosts rely on each other to keep the network connected. Military tactical and other security-sensitive operations are still the main applications of ad hoc networks, although there is a trend to adopt ad hoc networks for commercial uses due to their unique properties. One main challenge in the design of these networks is their vulnerability to security attacks. In this article, we study the threats an ad hoc network faces and the security goals to be achieved. We identify the new challenges and opportunities posed by this new networking environment and explore new approaches to secure its communication. In particular, we take advantage of the inherent redundancy in ad hoc networks (multiple routes between nodes) to defend routing against denial-of-service attacks. We also use replication and new cryptographic schemes, such as threshold cryptography, to build a highly secure and highly available key management service, which forms the core of our security framework.

20.
Peng Daqin (彭大芹), Gu Yong (谷勇), Wan Liyan (万里燕), Chen Yong (陈勇). Video Engineering (《电视技术》), 2015, 39(23):50-52
In view of the main security problems in current access networks, and on the basis of a summary and analysis of the existing solutions, this paper combines the characteristics of the SDN architecture and related technologies with existing security mechanisms to propose, from the perspective of network security, a new SDN-based solution to access network security problems, and describes in detail the design ideas, overall architecture and communication flow of the solution. Finally, an experimental environment was built for testing, which verified the feasibility of the solution.

Copyright © Beijing Qinyun Technology Development Co., Ltd.