ControllerSEPA: A Security-Enhancing SDN Controller Plug-in for OpenFlow Applications
International Conference on Parallel and Distributed Computing, Applications and Technologies

Yuchia Tseng, Paris Descartes University, yuchia.tseng@outlook.com
Zonghua Zhang, Institute Mines-Télécom Lille/TELECOM Lille, CNRS UMR 5157 SAMOVAR Lab, zonghua.zhang@telecom-lille.fr
Farid Naït-Abdesselam, Paris Descartes University, naf@parisdescartes.fr

Abstract

Software-defined networking (SDN), as a new network paradigm, has the advantage of centralizing control and global visibility over a network. However, security issues remain a major concern and prevent SDN from being widely adopted. One of the challenges is preventing malicious OpenFlow applications (OF apps) from accessing the SDN controller, as it opens a programmable northbound interface for third-party applications. In this paper, we address app-to-control security issues with a focus on five main attack vectors: unauthorized access, illegal function calling, malicious rule injection, resource exhaustion and man-in-the-middle attack. Based on the identified threat models, we develop a light-weight plug-in, called ControllerSEPA, which uses RESTful APIs to defend the SDN controller against malicious OF apps. Specifically, ControllerSEPA can provide services including OF app-based AAA control (unlike OpenDaylight and ONOS, which offer user-based or role-based AAA control), rule conflict resolution, OF app isolation, fine-grained access control and encryption. Furthermore, we study the feasibility of deploying ControllerSEPA on five open source SDN controllers: OpenDaylight, ONOS, Floodlight, Ryu and POX. Results show that the deployment operates with very low complexity, and most of the time modification of the source code is unnecessary. In our implementations, the repacked services in ControllerSEPA create negligible latency (0.1% to 0.3%) and can provide richer services to OF apps.

I. INTRODUCTION

Software-defined networking (SDN), as a new network paradigm, decouples the control plane from the data plane. The control plane, or the so-called SDN controller, acts as the network brain to provide the functionalities for centralized control and network visibility. However, the security concern with respect to SDN controllers is the main obstacle that prevents SDN from being widely adopted. Notably, the question of securing the SDN controller from the malicious behaviors of OF apps remains a constant issue. For example, references [1] [2] [3] [4] [5] show the importance of limiting the access of OF apps to controller resources. Modifying all of the controller source code, or even scanning all the related functions in order to modify them and enhance their security, is infeasible. [6] [7] [8] [9] show the risk of flow rule conflicts introduced by OF apps. However, it is challenging to find a way to resolve these issues due to the coexistence of OF apps. In this paper, we present a controller-independent plug-in that delegates the services provided by the SDN controller and exposes them to OF apps after hardening them.

II. RELATED WORK

PermOF [3] presents 18 permissions to control OF apps, without an actual implementation. [1] and [2] implement their permission control by modifying the source code of the controller. However, it is infeasible to secure the controller's functions by modifying every function in the source code. In the worst scenario, it would be necessary to scan all the functions (methods). For example, in order to control the topology information, OperationCheckpoint would need to modify the code of two methods, getallswitchmap and getlinks, in two different classes, Controller.java and LinkDiscoverManager.java respectively, since both of them provide information about the network topology in Floodlight. In some SDN controllers, like OpenDaylight and ONOS, it is quite hard to scan for and find all these related methods and harden them.
In contrast, ControllerSEPA reduces the deployment complexity. Reference [10] also decouples the external OF app through a RESTful API and encrypts the communication with TLS, but it does not provide accounting services as ControllerSEPA does. [10] is implemented only in Floodlight, whereas our work provides a wider study on five SDN controllers, which shows that this approach is feasible and readily applied to the current mainstream SDN controllers. In our work, we also studied further possible functions that can be deployed by this REST-like system. Rosemary secures the controller by separating OF apps from the controller and using IPC to exchange information between the controller and the OF apps [11]. We use RPC, i.e., RESTful APIs, to decouple the OF app. Our approach can be implemented on existing controllers. SE-Floodlight extends FortNOX to detect flow rule conflicts in the controller; however, it is not suitable for big networks as it will produce tremendous latency when the controller verifies every flow rule in the kernel [7]. ControllerSEPA can detect rule conflicts outside of the controller, even remotely, to preserve the controller's performance.

III. ATTACK MODELS AND EXISTING COUNTERMEASURES

A. App-to-control attacks

SDN enables networking functionalities to be written in software, called OF applications (OF apps), by using open APIs to facilitate development and accelerate network innovations. Unfortunately, problems arise when an OF app contains flaws, vulnerabilities, or malicious logic that may interfere with control layer operations. In worse scenarios, the attack from app-to-control can be caused not only by the non-authenticated OF app but also by the authenticated one, such as in the flow rule conflict [7] [8].

TABLE I. APP-TO-CONTROL ATTACKS AND CORRESPONDING COUNTERMEASURES
Columns (countermeasures): OF app authentication; OF app authorization; Operation accounting; OF app isolation; Rules resolution; OF app monitoring; Communication encryption
Rows (attacks): Unauthorized access; Illegal functions calling; Malicious rules injection; Exhausting resources; Man-in-the-middle attack

1) Unauthorized access: Once a malicious app can access the controller's data storage or internal memory, the abuse of such trust could lead to various types of attacks impacting the entire network. For example, the packet in count value is kept in the controller's internal storage for use by a DoS detector or traffic monitoring. However, a malicious app can clear the packet in count in the internal storage to confuse the DoS detector app. The controller also keeps the network link information and flow rules in data storage; if an OF app can modify these values, the topology and flow rules will be tampered with [2] [11].

2) Illegal functions calling: SDN controllers always contain built-in functions; however, once these functions are used maliciously, they can cause the controller to crash. For example, a malicious OF app can terminate the controller by calling the function exit() in Floodlight, OpenDayLight and POX (sys.exit(0)) [11]. The IOFMessage Listener service in Floodlight can be used to change the order in which OF apps process packet in messages; as a result, a malicious OF app can interrupt the delivery of packet in messages to other OF apps by modifying the order via this service [5].

3) Malicious flow rules injection: In SDN, forwarding decisions are flow-based: a flow is defined by a set of packet field values acting as a match (filter) criterion, with fields such as actions (instructions), priority, counter and timeout etc.
However, a malicious OF app can insert flow rules to reach an unexpected destination, to block another legitimate service, or to confuse the service provided by other OF apps coexisting on the same SDN controller, for example through the action set and priority in a flow rule [6] [7] [12].

4) Exhausting resources: A malicious OF app can create multiple memory objects, a large number of threads, infinite loops or non-stop growing linked lists to deplete the resources of the controller's host. Controllers such as NOX, Beacon, Floodlight and OpenDaylight do not limit memory allocations to their applications, which can ultimately result in the controller crashing with an out-of-memory error [2] [11].

5) Man-in-the-middle attack: An OF app exchanges data with the SDN controller via the northbound interface. One of the most popular northbound interfaces is the RESTful API, which is adopted by controllers such as OpenDaylight, ONOS, Ryu, Floodlight, etc. The lack of SSL support, i.e., HTTPS for OF apps, puts communication over the northbound interface at risk of being tampered with or eavesdropped on. Controllers like Floodlight, ONOS and OpenDaylight support HTTPS. Ryu does not, and OpenMUL does so only partially [13] [14] [15] [16] [17].

B. Countermeasures

1) Authentication: To protect the controller from malicious OF apps, the basic protection is to authenticate the OF app. For example, SE-Floodlight and Rosemary use digital signatures to authenticate the OF app [7] [11]. Reference [10] also adopts key pairs to authenticate the OF app.

2) Authorization: [1], [2], [3], and [10] show OF app-based access control. PermOF proposes the use of 18 permission sets under four distinct categories, without experimental evaluation of the proposed access control system.
OperationCheckpoint adopts part of the permission set of PermOF to constrain northbound interface access and implements the permission set in the SDN controller Floodlight, but this permission set does not enable OF app users to distinguish malicious applications from benign ones [1]. Moreover, this permission set is not controller-independent, i.e., the source code must be modified on every controller that attempts to apply this system. [10] proposes a controller-independent solution for securing the integration of external OF apps via a RESTful API. However, it is not able to find the malicious OF app. Inspired by Android permission control, [2] is a permission system based on OF message states and actions.

3) Accounting: The audit log record is useful for network troubleshooting as well as a data source for security monitoring when an OF app modifies flow tables or sends a packet out message etc. [1] [10] [7] [4]. For instance, SE-Floodlight [7] introduces an audit subsystem that traces all security-related events occurring in the control layer. With this auditing record, the controller can report to the network administrator the event time, the message type, and the full message content, etc.

4) Flow rules verification: There are several different approaches to mitigate the security issues caused by malicious or misconfigured flow rules. The FlowChecker [18] system encodes OpenFlow flow tables into Binary Decision Diagrams (BDD) and uses model checking to verify security properties. Veriflow [19] is a real-time system that slices flow rules into equivalence classes to efficiently check for invariant property violations. However, the evaluations of FlowChecker and Veriflow do not consider the handling of set action commands as in FortNOX and SE-Floodlight [6] [7]. On top of VeriFlow, [20] provides a library to verify correctness properties for OF apps on several controller platforms.
FlowGuard extends HSA [21] for rule-conflict resolution in the context of firewalls in order to build more robust firewalls in SDN environments. FLOVER [22], a model checking system based on the Yices SMT solver that resides on the SDN app plane, verifies that the instantiated flow rules do not violate the network's predefined security policy. SRV checks for the priority-bypassing attack by binding the topology to the flow rule check [12]; FortNOX and SE-Floodlight use the Alias Set Reduce (ASR) method to detect rule conflicts [6] [7].

Fig. 1. High-level overview of ControllerSEPA architecture

5) OF app isolation: One of the primary reasons behind the fragility of controllers is their tight coupling with applications. YANC adopts UNIX-like permissions to separate OF apps by exposing the network configuration and state as a file system [23]. [11] and [24] propose to separate the OF app from the SDN controller even by processes. Rosemary [11] separates the OF app from the controller by invoking each new OF app as a new process. Rosemary's OF app connects to the SDN controller process through IPC (inter-process communication). The basic network services in the Rosemary kernel communicate with each other through an IPC channel, and the implication is that if a service crashes, other services are unaffected.

6) OF app monitoring: An application that keeps allocating memory can consume all of the available memory in a host, thereby affecting other applications. Limiting the resources that the OF app uses and incorporating resource monitoring services that track and recognize the resource utilization of the OF app can complement app isolation to mitigate this effect [4] [11].

7) Communication encryption: To protect the controller from man-in-the-middle attacks, encryption is one of the popular solutions to secure the northbound interface for RESTful APIs.

We summarize this section in Table I.

IV. DESIGN PRINCIPLE OF CONTROLLERSEPA

Based on the threat models in Section III, we find that it is insufficient to limit OF app behaviors with only authentication and coarse-grained authorization, or to merely adopt role-based authorization.
We need to control OF apps with AAA, i.e., authenticating the OF app, authorizing the OF app, and accounting for or monitoring the OF app's operations [1] [3] [6] [7] [11] [25]. Detecting rule conflicts protects the controller from malicious rule injection, and separating the OF app from the controller avoids controller crashes due to resource exhaustion. Hence, we continue the work of [10] to provide a wider and deeper study on how to use a REST-like system to protect the SDN controller from malicious OF apps. Firstly, we explore more functions that can possibly be deployed via the REST-like system, called ControllerSEPA. Secondly, we study the feasibility of applying this framework to five open-source controllers: OpenDaylight, ONOS, Floodlight, Ryu and POX.

A. ControllerSEPA: Design objectives

In this section, we discuss what functions can be deployed via the REST-like system, which is a plug-in called ControllerSEPA (SEPA: Security-Enhancing Plug-in for OF App), in order to delegate and repack the services of the SDN controller. The high-level architecture of ControllerSEPA is depicted in Figure 1.

1) Controller-independent: ControllerSEPA sets up the connection with the SDN controller, and the controller delegates operation permission to ControllerSEPA. The OF app only communicates with the services provided by ControllerSEPA. Hence, it is controller-independent, i.e., it can reduce the deployment complexity when applied to current SDN controllers [10].

2) Information disclosure: ControllerSEPA repacks all the services provided by the SDN controller, including RESTful APIs (OpenDaylight, ONOS and Floodlight), OSGi bundles (OpenDaylight and ONOS) or the Python API (POX), into new standard APIs and exposes them to the OF apps.
As the OF app can only communicate with ControllerSEPA instead of the SDN controller, the OF app does not know the details of the SDN controller or which version is providing the services, i.e., the controller is protected from malicious scanning.

3) Authentication: ControllerSEPA can verify the digital signature through key pairs, as [10] proposes. The app credential management in SE-Floodlight and Rosemary also uses this approach to authenticate OF apps via the northbound interface [7] [11].
TABLE II. 8 MEANS THIS API IS OFFICIALLY SUPPORTED IN THE SDN CONTROLLER, CONTROLLERSEPA CAN USE IT DIRECTLY AND REPACK WITHOUT TOUCHING THE CONTROLLER'S SOURCE CODES; ' MEANS SDN COMMUNITY HAS RELEASED THE CONTRIBUTIONS FOR THIS API

Category | Permission | Description | ControllerSEPA API | ODL ONOS FL Ryu POX
Read | host.read | Read all or specific host(s) info | /get/device/<all> or <hostid> | '
Read | switch.read | Read all or specific switch(s) info | /get/switch/<all> or <switchid> | '
Read | link.read | Read all or specific link(s) info | /get/link/<all> or <linkid> | '
Read | port.read | Read all or specific ports(es) info | /get/port/<all> or <portid> | '
Read | flowmod.read | Read all or specific flow entry(ies) info | /get/flowmod/<switchid>/<all>or<entryid> | '
Read | group.read | Read all or specific group info | /get/flowmod/<switchid>/<all>or<entryid> | '
Read | vlan.read | Read vlan info in a flow entry | /get/vlan/<switchid>/<all>or<entryid> |
Read | statistics.read | Read statistics | /get/statistics | 8 8
Read | application.read | Read other OF app info | /get/app/<all>or<appid> | 8 8
Read | controller.read | Read controller info (listen IP, port) | /get/controllerinfo | 8 '
Write | port.write | Update port status | /post/port/<switchid>/<entryid> | 8
Write | flowmod.write | Add a flow entry with any action | /put/flowmod/<switchid> |
Write | flowmod.write | Update/remove a flow entry with any action | /post or remove/flowmod/<switchid>/<entryid> |
Write | vlan.write | Add a vlan tag in a flow entry | /put/vlan/<switchid>/<entryid> |
Write | vlan.write | Update/remove vlan tag in a flow entry | /post or delete/vlan/<switchid>/<entryid> |
Write | group.write | Add a group entry | /put/group/<switchid> | 8 8
Write | group.write | Update/remove a group entry | /post or delete/group/<switchid>/<groupid> | 8 8

4) Authorization: Once the OF app is authenticated successfully, it should deliver its operation permissions on SDN controller to the ControllerSEPA.
Every time the OF app requires services on the controller, ControllerSEPA will deliver an authentication token, which contains information about the OF app such as its id, permission, and priority, etc. ControllerSEPA will check the app's permission using this token.

5) Accounting: All operations of the OF app are kept in ControllerSEPA's database, including the date, time, application ID, called API, and return code (successful, refused or server error), in the form date, time, appid, api, and code.

6) Rule conflict resolution: ControllerSEPA not only keeps records of the OF apps' operation history; it can also keep the flow rules inserted by OF apps, and uses a flow rule verification system to check for rule conflicts with various detection algorithms, such as SRV or ASR, etc. [6] [12]. This detection system can work with a cluster computing API which connects to this database and analyzes the malicious flow rules.

7) Isolation: As ControllerSEPA adopts a RESTful API to communicate with the OF app, the OF app can be decoupled and run remotely on any host. This can secure a controller from a resource exhaustion attack by a malicious OF app and prevent the controller from crashing. As we repack the services into RESTful APIs, the OF app can call these services via the network and run on a machine isolated from the controller. This is a more secure way than decoupling the OF app from the controller by process or file system [11] [23].

8) Fine-grained control: As ControllerSEPA repacks the services of the controller, it can control them in a more fine-grained way. Once an OF app has permission to access the database, it will have full permission to obtain any resources without limitation. But with this plug-in, the OF app will be constrained by its permissions as to which resources it can get. ControllerSEPA can even limit an app's scope within the same resource.
For example, if two OF apps both have permission to insert a flow rule, one of them may have full permission to insert a rule for any network with any priority, while the other is constrained so that it only has permission to insert the rule for /24 to /24 with priority between 100 and 200. In doing so, we can control the OF app in a more refined way.

9) Encryption service: The plug-in is able to encrypt the communication between the OF app and the controller by using TLS, i.e., HTTPS for the RESTful API, even if the SDN controller doesn't secure the northbound interface natively.

10) Richer services for OF apps: Efforts such as those described in [1] [3] and [10] show that the ability to notify events proactively (such as flow mod or port status updated messages) is useful for OF app development. Unfortunately, few SDN controllers support this function. ControllerSEPA can create this service by incorporating frameworks such as SSE (Server Sent Events) or Websockets etc.

B. ControllerSEPA: Implementation details

In this section, we extend the permission set proposed in [10], and refer to the permissions in PermOF and OperationCheckpoint in [1] [3]. The permission set used in ControllerSEPA is shown in Table II. For example, the APIs for reading packet in, packet out, feature reply, and flow mod events can be used in SPHINX to form the flow graph and detect malicious flows in the data plane [26]. The APIs used to read port status (/get/port/*) can be used in TopoGuard to detect malicious host migration [27]. We provide a nonexclusive list of the possible APIs because the APIs are demand-driven, i.e., we should know the needs of the OF app and then offer the necessary APIs; hence, we can only list the basic APIs. More features such as queue, meter, group, MPLS tags and priority-setting etc. will be discussed in our future work.

1) OpenDaylight case: OpenDaylight uses the Java API or RESTCONF to communicate with data storage.
Hence, we benefit from the RESTCONF protocol, which is implemented as an OF app in OpenDaylight (restconf module). OpenDaylight provides rich RESTful API support, and we repack these services into ControllerSEPA as standard RESTful APIs open to OF apps. For example, we repack the addresses in /openflow:n/node-connector/openflow:n:m (footnote 1: API root: opendaylight-inventory:nodes/node) to /get/device/* for obtaining the host's information such as MAC and IPs, and /openflow:n/table/0/ to /get/flowmod/<switchid>/* to get the flow entries in switch n. OpenDaylight supports only role-based control, not app-based control; that means that once an OF app has permission to use the restconf module in OpenDaylight, it will have full permission to operate the data storage. Therefore, ControllerSEPA can be a security-enhancing module that provides app-based AAA control for OpenDaylight with low deployment complexity [13].

TABLE III. SERVICES CALLING TIME COMPARISON (MILLISECOND) BETWEEN OPENDAYLIGHT AND THE REPACKED SERVICES IN CONTROLLERSEPA. API 1: GET DEVICES INFO; API 2: GET LINKS INFO; API 3: GET FLOW ENTRIES; API 4: INSERT A FLOW ENTRY; API 5: UPDATE A FLOW ENTRY; API 6: REMOVE A FLOW ENTRY
Columns: API 1; API 2; API 3; API 4; API 5; API 6
Rows: OpenDaylight; ControllerSEPA; Percent (%)

Fig. 2. Repacking service provided by ControllerSEPA: (a) ControllerSEPA repacks the API /network-topology:network-topology provided by OpenDaylight RESTCONF module to /get/device/all; (b) Repacking the API /wm/device in Floodlight to /get/device/all. For example, both of them repack the information about host with IP and MAC 00:00:00:00:00:01 into the same form of response.

2) ONOS case: Similar to OpenDaylight, ONOS also adopts a Java API and implements the RESTCONF protocol as an OF app (org.onosproject.drivers). We repack the services in ONOS by merging, for example, /v1/devices and /v1/links into /get/switches/all in ControllerSEPA to get the complete information about switches and their connection status. The ONOS strict mode also uses role-based control like OpenDaylight. This means that it can also benefit from the app-based AAA control provided by ControllerSEPA [14].

3) Floodlight case: Floodlight supports RESTful APIs natively, such as /wm/device/ for showing the details of the hosts' connections, and /wm/staticflowpusher/list/<switch>/json for reading the proactive flow rules in a switch.
The lack of authentication of OF apps can be compensated for by ControllerSEPA, which can provide the digital signature service to authenticate OF apps without touching the source code of Floodlight. Evidently, Floodlight can also benefit from the app authorization and accounting services in ControllerSEPA [15].

4) Ryu case: Ryu is a component-based SDN controller, which provides a complete northbound interface for OF app development. However, Ryu (version 3.5) does not yet support TLS for the northbound interface, i.e., there is no HTTPS for securing the communication between the OF app and the SDN controller. Hence, ControllerSEPA can be used as a security-enhancing module to address the lack of northbound interface encryption as well as to provide app-based AAA control for Ryu [16].

5) POX case: POX, an early SDN controller, does not use a RESTful API, but a Python API, as the official northbound interface. That means we have to implement a RESTful API server in POX manually, for example with Flask, in order to transfer data in POX via a RESTful API. Fortunately, community contributions for RESTful API support in POX exist, such as pox-jsonrest on GitHub [28].

C. Discussion

Obviously, the actual implementations of SDN controllers differ from each other; however, an SDN controller works as a network operating system, which includes basic components such as internal data storage, built-in functions, core network services, and programmable interfaces [5] [13] [15] [16] [28] [29] [30] [31]. We agree with the proposition of the Rosemary controller [11] that a secure SDN controller should run only the essential network services in order to keep its reliability; other network services should be decoupled from the SDN controller if possible.
Hence, to secure the SDN controller from malicious OF apps, the SDN community should clarify as soon as possible the core network services provided by the SDN controller, such as OF message processing, network topology provision and flow entry management, as well as which network services can be provided by third-party applications.

V. PROTOTYPE AND EXPERIMENTAL VALIDATION

In our implementation, we tested how ControllerSEPA secures OpenDaylight (version Beryllium-SR2), which runs on an Ubuntu-based (16.04) machine with an Intel i7 CPU, 8 cores, and 16G DDR2 RAM. The controller connects to a linear topology with 20 OF switches and 20 hosts on each (400 hosts in total), simulated by mininet. Figure 2 shows that ControllerSEPA repacks the two APIs provided by different SDN controllers, OpenDaylight and Floodlight (1.2) respectively. After the repackaging, both of them become /get/device/all and show the same responses to OF apps. By doing so, we hide the sensitive information about the controller from OF apps. Similarly, to test the fine-grained control on OF apps, we also successfully deployed two OF apps: one can only insert flow entries with the action output to a specific port, while the other can perform more actions, such as output to controller and flood the packet. In these implementations, we did not modify any source code of OpenDaylight and provided a more secure and fine-grained control on OF apps. Table III gives the average latency over 20 tests after ControllerSEPA repacks the services provided by OpenDaylight. We use the Java Spark framework as the RESTful API server and JS as the client to call the APIs. The repackaging in ControllerSEPA produces negligible latency, from less than 0.1% to 0.3%. The same design principle can be applied to other SDN controllers, as shown in Table II. For API 3 to get the flow entries, which contains the flow entries to allow ICMP packets between all hosts, it closes to ms after the seventh run from ms at the first run.
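Added example (not part of the paper and not ControllerSEPA's own code): the app-based authorization, fine-grained flow-rule scoping and accounting of Section IV, applied to the kind of two-app test described in Section V. The API-to-permission map follows Table II; the token layout, the rule field names (src, dst, priority, actions), the app names, the addresses and the forward hook are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# ControllerSEPA API prefix -> permission, following Table II (subset).
PERMISSION_FOR = {
    ("get", "device"): "host.read",
    ("get", "flowmod"): "flowmod.read",
    ("put", "flowmod"): "flowmod.write",
    ("post", "flowmod"): "flowmod.write",
    ("remove", "flowmod"): "flowmod.write",
}
OK, REFUSED, SERVER_ERROR = "successful", "refused", "server error"

@dataclass(frozen=True)
class FlowScope:
    """Assumed shape of a fine-grained limit attached to flowmod.write."""
    src_net: ipaddress.IPv4Network
    dst_net: ipaddress.IPv4Network
    priority: range       # allowed priorities
    actions: frozenset    # allowed action strings

@dataclass(frozen=True)
class AppToken:
    """Assumed token content: app id, granted permissions, optional scope."""
    app_id: str
    permissions: frozenset
    flow_scope: Optional[FlowScope] = None   # None = no limit beyond the permission

def in_scope(scope, rule):
    """Return True only if the rule stays inside the app's scope (fails closed)."""
    if scope is None:
        return True
    try:
        src = ipaddress.ip_network(rule["src"])
        dst = ipaddress.ip_network(rule["dst"])
        actions = set(rule["actions"])
        nets_ok = src.subnet_of(scope.src_net) and dst.subnet_of(scope.dst_net)
        prio_ok = rule["priority"] in scope.priority
    except (KeyError, TypeError, ValueError):
        # Missing match field (a wildcard), malformed CIDR, wrong IP version,
        # or no rule body at all: refuse rather than guess.
        return False
    # An empty action list is a drop rule; a scoped app may not install one.
    return nets_ok and prio_ok and bool(actions) and actions <= scope.actions

class Gateway:
    """Checks and logs every call before it is forwarded to the controller."""
    def __init__(self, forward=lambda api, rule: None):
        self.forward = forward   # stand-in for the request to the real controller
        self.audit = []          # accounting records: date, time, appid, api, code

    def authorize(self, token, api, rule=None):
        perm = PERMISSION_FOR.get(tuple(api.strip("/").split("/")[:2]))
        if perm is None or perm not in token.permissions:
            return False         # unknown API or permission not granted
        if perm == "flowmod.write":
            return in_scope(token.flow_scope, rule)
        return True

    def handle(self, token, api, rule=None):
        if not self.authorize(token, api, rule):
            code = REFUSED
        else:
            try:
                self.forward(api, rule)
                code = OK
            except Exception:
                code = SERVER_ERROR
        date, time = datetime.now(timezone.utc).strftime("%Y-%m-%d %H:%M:%S").split()
        self.audit.append({"date": date, "time": time, "appid": token.app_id,
                           "api": api, "code": code})
        return code

# Constructed tokens and requests: app names, addresses and ports are made up.
SCOPED = AppToken("app_scoped", frozenset({"flowmod.write"}),
                  FlowScope(ipaddress.ip_network("10.0.1.0/24"),
                            ipaddress.ip_network("10.0.2.0/24"),
                            range(100, 201), frozenset({"output:2"})))
FULL = AppToken("app_full", frozenset({"flowmod.write"}))
READER = AppToken("app_reader", frozenset({"host.read"}))

def demo():
    gw = Gateway()
    ok_rule = {"src": "10.0.1.0/25", "dst": "10.0.2.0/24",
               "priority": 150, "actions": ["output:2"]}
    no_src = {k: v for k, v in ok_rule.items() if k != "src"}   # src wildcarded
    codes = [
        gw.handle(READER, "/get/device/all"),
        gw.handle(READER, "/put/flowmod/1", ok_rule),       # lacks flowmod.write
        gw.handle(SCOPED, "/put/flowmod/1", ok_rule),
        gw.handle(SCOPED, "/put/flowmod/1", {**ok_rule, "priority": 65000}),
        gw.handle(SCOPED, "/put/flowmod/1", {**ok_rule, "actions": ["flood"]}),
        gw.handle(SCOPED, "/put/flowmod/1", no_src),
        gw.handle(FULL, "/put/flowmod/1", {**ok_rule, "actions": ["flood"]}),
        gw.handle(FULL, "/get/controllerinfo"),             # API not in the map
    ]
    return codes, gw.audit
```

Refused calls are logged as well as successful ones, so the accounting records can feed the monitoring and rule-conflict analysis the paper describes. A scoped app's request with no rule body (for example a remove) is refused here because its scope cannot be checked.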
VI. CONCLUSION

The main concern that prevents SDN from being widely adopted is security. Specifically, the SDN controller opens a programmable interface to third parties, which can be accessed by a malicious OF app. We propose ControllerSEPA to protect the SDN controller in a flexible and efficient way. ControllerSEPA works well with OpenDaylight, ONOS, Floodlight, Ryu and POX with low deployment complexity. No modification of their source code is required in the implementation, while the overall security of the SDN controller is enhanced with negligible latency, from less than 0.1% to 0.3%, for repacking the services. Furthermore, ControllerSEPA can provide rich services such as AAA control on OF apps, information disclosure, rule conflict resolution, OF app isolation, and fine-grained control on OF apps. Our main purpose in this work is not only to present a new approach but also to define a clear separation between the core network services provided by the SDN controller and the network services that can be provided by a third-party OF app, in order to facilitate the security of the SDN controller for OF apps.

ACKNOWLEDGMENT

This work was partially supported by the National Natural Science Foundation of China grant

REFERENCES

[1] S. Scott-Hayward, C. Kane, and S. Sezer, "Operationcheckpoint: Sdn application control," in Proceedings of the 2014 IEEE 22nd International Conference on Network Protocols, ser. ICNP '14, 2014.
[2] J. Noh, S. Lee, J. Park, S. Shin, and B. B. Kang, "Vulnerabilities of network os and mitigation with state-based permission system," Security and Communication Networks.
[3] X. Wen, Y. Chen, C. Hu, C. Shi, and Y. Wang, "Towards a secure controller platform for openflow applications," in Proceedings of the Second ACM SIGCOMM Workshop on Hot Topics in Software Defined Networking, ser. HotSDN '13, 2013.
[4] B. Chandrasekaran and T. Benson, "Tolerating sdn application failures with legosdn," in Proceedings of the 13th ACM Workshop on Hot Topics in Networks, ser. HotNets-XIII.
[5] S. Lee, C. Yoon, and S. Shin, "The smaller, the shrewder: A simple malicious application can kill an entire sdn environment," in Proceedings of the 2016 ACM International Workshop on Security in Software Defined Networks & Network Function Virtualization, ser. SDN-NFV Security '16.
[6] P. Porras, S. Shin, V. Yegneswaran, M. Fong, M. Tyson, and G. Gu, "A security enforcement kernel for openflow networks," in Proceedings of the First Workshop on Hot Topics in Software Defined Networks, ser. HotSDN '12, 2012.
[7] P. Porras, S. Cheung, M. Fong, K. Skinner, and V. Yegneswaran, "Securing the Software-Defined Network Control Layer," in Proceedings of the 2015 Network and Distributed System Security Symposium (NDSS), February.
[8] S. K. Fayazbakhsh, L. Chiang, V. Sekar, M. Yu, and J. C. Mogul, "Enforcing network-wide policies in the presence of dynamic middlebox actions using flowtags," in 11th USENIX Symposium on Networked Systems Design and Implementation (NSDI 14), Seattle, WA, Apr. 2014.
[9] H. Hu, W. Han, G.-J. Ahn, and Z. Zhao, "Flowguard: Building robust firewalls for software-defined networks," in Proceedings of the Third Workshop on Hot Topics in Software Defined Networking, ser. HotSDN '14, 2014.
[10] C. Banse and S. Rangarajan, "A secure northbound interface for sdn applications," in Trustcom/BigDataSE/ISPA, 2015 IEEE, vol. 1, Aug 2015.
[11] S. Shin, Y. Song, T. Lee, S. Lee, J. Chung, P. Porras, V. Yegneswaran, J. Noh, and B. B. Kang, "Rosemary: A robust, secure, and high-performance network operating system," in Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, ser. CCS '14. New York, NY, USA: ACM, 2014.
[12] Y. Tseng, Z. Zhang, and F. Naït-Abdesselam, "Srv: Switch-based rules verification in software defined networking," in 2016 IEEE NetSoft Conference and Workshops (NetSoft), June 2016.
[13] OpenDaylight: A Linux Foundation Collaborative Project, online available.
[14] ONOS, online available.
[15] Floodlight, online available.
[16] Ryu, online available.
[17] OpenMUL, online available.
[18] E. Al-Shaer and S. Al-Haj, "Flowchecker: Configuration analysis and verification of federated openflow infrastructures," in Proceedings of the 3rd ACM Workshop on Assurable and Usable Security Configuration, ser. SafeConfig '10. New York, NY, USA: ACM, 2010.
[19] A. Khurshid, X. Zou, W. Zhou, M. Caesar, and P. B. Godfrey, "Veriflow: Verifying network-wide invariants in real time," in Proceedings of the 10th USENIX Conference on Networked Systems Design and Implementation, ser. nsdi '13. Berkeley, CA, USA: USENIX Association, 2013. [Online]. Available: http://dl.acm.org/citation.cfm?id=
[20] R. Beckett, X. K. Zou, S. Zhang, S. Malik, J. Rexford, and D. Walker, "An assertion language for debugging sdn applications," in Proceedings of the Third Workshop on Hot Topics in Software Defined Networking, ser. HotSDN '14. New York, NY, USA: ACM, 2014.
[21] P. Kazemian, M. Chang, H. Zeng, G. Varghese, N. McKeown, and S. Whyte, "Real time network policy checking using header space analysis," in Presented as part of the 10th USENIX Symposium on Networked Systems Design and Implementation (NSDI 13). Lombard, IL: USENIX, 2013. [Online]. Available: usenix.org/conference/nsdi13/technical-sessions/presentation/kazemian
[22] S. Son, S. Shin, V. Yegneswaran, P. A. Porras, and G. Gu, "Model checking invariant security properties in openflow," in ICC. IEEE, 2013. [Online]. Available: http://dblp.uni-trier.de/db/conf/icc/icc2013.html#sonsypg13
[23] M. Monaco, O. Michel, and E. Keller, "Applying operating system principles to sdn controller design," in Proceedings of the Twelfth ACM Workshop on Hot Topics in Networks, ser. HotNets-XII. New York, NY, USA: ACM, 2013, pp. 2:1-2:7.
[24] D. E. A. Takayuki Sasaki and A. Perrig, "Control-plane isolation and recovery for a secure sdn architecture."
[25] A. Wundsam, D. Levin, S. Seetharaman, and A. Feldmann, "Ofrewind: Enabling record and replay troubleshooting for networks," in Proceedings of the 2011 USENIX Conference on USENIX Annual Technical Conference, ser. USENIXATC '11.
[26] M. Dhawan, R. Poddar, K. Mahajan, and V. Mann, "Sphinx: Detecting security attacks in software-defined networks," in NDSS. The Internet Society. [Online]. Available: ndss2015.html#dhawanpmm15
[27] S. Hong, L. Xu, H. Wang, and G. Gu, "Poisoning network visibility in software-defined networks: New attacks and countermeasures," in Proceedings of 2015 Annual Network and Distributed System Security Symposium (NDSS '15), February.
[28] POX, online available.
[29] NOX, online available.
[30] Opencontrail, online available.
[31] P. Berde, M. Gerola, J. Hart, Y. Higuchi, M. Kobayashi, T. Koide, B. Lantz, B. O'Connor, P. Radoslavov, W. Snow, and G. Parulkar, "Onos: Towards an open, distributed sdn os," in Proceedings of the Third Workshop on Hot Topics in Software Defined Networking, ser. HotSDN '14.