Rsk-Based Packet Routng for Prvacy and Complance-Preservng SDN Karan K. Budhraja Abhshek Malvankar Mehd Bahram Chnmay Kundu Ashsh Kundu Mukesh Snghal, Unversty of Maryland, Baltmore County, MD, USA Emal: karanb1@umbc.edu IBM Watson Health, Yorktown Heghts, NY, USA Emal: asmalvan@us.bm.com Fujtsu Laboratores of Amerca, Sunnyvale, Calforna, USA Emal: mbahram@us.fujtsu.com Researcher, Inda Emal: ckkundu@gmal.com IBM Thomas J. Watson Research Center, Yorktown Heghts, NY, USA Emal: akundu@us.bm.com Cloud Lab, Unversty of Calforna Merced, USA Emal:msnghal@ucmerced.edu Abstract Software Defned Networkng (SDN) s ncreasngly beng used n data centers as well as enterprse networks. In an envronment that has strct complance requrements, such as HIPAA complance, a crtcal role for an SDN controller s to route all data packets whle consderng data prvacypreservaton and complance-preservaton. In ths paper, we address ths problem by proposng a routng protocol for SDN whch s an effcent rsk-based swarm routng protocol. The programmable capablty of controllers s exploted n order to mnmze prvacy and complance rsks n data transmsson. The proposed routng protocol s based on the Ant Colony Optmzaton technque and machne learnng, whle the data for learnng s obtaned from OVSDB and the OpenvSwtch Database management protocol. We collect a hstory of packet transfers for tranng purposes and learn from the tranng data to effcently and ntellgently route senstve data packets whle t preserves the target complance. Ths routng s obtaned by ntellgent evcton of rules that are downloaded to the swtches. We have mplemented the proposed schemes based on an RYU controller. Index Terms SDN; cloud computng; prvacy; securty; routng; complance-preservaton. I. INTRODUCTION Software-Defned Networkng (SDN) [1], [2], [3], [4] s a networkng approach that smplfes and optmzes network operatons. Exstng work on SDN routng has not addressed the problem of data transmsson n the presence of prvacy and complance requrements. Another prvacy requrement that needs to be consdered n ths context s that only a statc or specfc routng path (a sequence of swtches) should not be used transfer hgh densty of packets carryng senstve data, snce t poses a rsk of Denal of Servce attacks as well as nference attacks. Such a scheme, f used for controlled envronment such as HIPAA, could lead to a potental nformaton leakage when attacked. In ths paper, we address data prvacy and complance restrcton challenges for transferrng senstve data n SDN envronment that preserves prvacy and adheres to the target complance, such as HIPAA. We acheve our goals that by usng: ) dstrbuted routng optmzaton by employng a swarm routng algorthm; ) defnton of prvacy, rsk and technques to compute such rsks on an SDN network usng analytcs and machne learnng; ) mnmzaton of rsk and route-randomzaton n order acheve prvacy and complance requrements. The contrbuton of ths work s a novel approach to route prvacy-senstve and complance-senstve data n an SDN envronment. Ths s acheved by reducng a noton of prvacy rsks and usng swarm-based (ant) routng [5], [6], [7]. The prvacy rsk s dynamcally computed over the network node graph and s thus holstc n nature. We perform route-randomzaton by montorng the amount of packets transmtted on the forwardng path wth help of openflow protocol and utltes such as ovs-vsctl (a utlty for queryng and confgurng ovs-vswtchd) and ovs-ofctl (to admnster OpenFlow swtches) [8]. Once we have counter metrcs, we defne rsk as a functon of number of packets transferred on the same datapath. Ths number would be calculated by an agglomeraton of offlne log montorng models n python sc-kt learn. Montorng models n ths fashon would provde features to an algorthm based on probablstc graphcal models (whch s Ant Colony Optmzaton n our case, explaned n Secton IV) for traffc spreadng across other nodes to mnmze rsk. The organzaton of the paper s as follows. Secton II dscusses relevant exstng work n ths doman and related to our research problem statement. Secton III then formalzes the problem that our work ntends to provde a soluton to. Secton IV and Secton V descrbe the detals related to the proposed soluton. Fnally, Secton VI evaluates the proposed method on vared assocated parameters and Secton VII concludes our work wth closng remarks and scope for future work and any open questons. II. RELATED WORK The concept of prvacy preservaton routng s mportant when dealng wth senstve data [9], [10]. The former cted work dscusses an attempt to dscover the patterns by whch a controller nstalls a flow, and thereby learn from request for a custom nstallaton. Ths s done from the pont of vew of an adversary. The latter preserves prvacy by usng prvatekey based encrypton for each data packet. Nether, however, consder complance-based networkng whch s explored n ths study.
The congeston control use case of Ant Colony Optmzaton (ACO) s mplemented n [5], [6], [7]. Our work extends ths dea by combnng the relatvely low tme-complexty wth respect to tradtonal shortest path problem whch s tradtonally NP-hard. We use an ant-based approxmaton soluton wth prvacy and complance constrants. III. PROBLEM DEFINITION Our work focuses on two types of rsks to the network traffc. They are as follows. A. Prvacy Exposure Consder a scenaro where the flow of packets through the network uses a fxed route or set of routes, for a gven source (s) and destnaton (d). The swtches along those routes may then dentfy the presence of communcaton between s and d. Dependng on the ntellgence capabltes of the swtches, they may then be able to learn or gather senstve nformaton about the data beng transmtted. Ths results n a leakage of prvacy for that communcaton sesson. B. Complance To dscuss complance rsk, consder a settng where a network topology has grown over tme. When plannng of changes n network topology, ths translates to vared hardware components gathered over tme. As a result, there may only be a subset of those components that are capable of adherng to a certan role or requrement. For our problem, ths means that a subset of swtches (and/or controllers) used by the network may be complant to process data transferred n regulated envronment. It therefore becomes a mandate, then, that any data travelng across the network that requres complance, be constraned to such a selected subset of network components. Ths may also be consdered for a gven (s, d) par, n whch case all routes connectng those components must be checked. In other words, network components or routes that do not comply wth complance requrement wll pose a greater rsk when caterng to HIPAA senstve data. Ths s not a favorable stuaton for our problem settng. IV. PROPOSED PRIVACY AND COMPLIANCE-PRESERVING ROUTING TECHNIQUE A crtcal role for an SDN controller s to route data packets by prvacy-preservng of all data packets. The proposed routng protocol collects a hstory of data packets for tranng purposes and t uses the tranng data to effcently and ntellgently route data packets. The key role of our swarm ntellgence routng protocol s to allow for a small amount (less than tradtonal networkng algorthms because of beng a dstrbuted ntellgence approach rather than a centralzed one) of processng (computaton by the network component wth respect to tme complexty) per data packet. In the future, ths can be extended to pushng computaton to ntellgent swtches to share the load of the controller. In order to preserve the users data prvacy n our proposed SDN routng protocol, we propose a lght-weght data prvacy method that allows the protocol effcently use meta-data of data packets n the tranng data set to ntellgently route the packets. In ths secton, we show how our proposed routng protocol preserves the users data prvacy and dscuss the varous components nvolved n the proposed soluton. A. Prvacy Exposure In order to preserve prvacy packets should be sent across multple paths. Instead of havng a fxed route or set of routes that are used for communcaton, data packets may be sent probablstcally along paths n a network. Whle a convergence mechansm may be used to ensure a bound to communcaton tme, the ntermttent passage of packets through any gven swtch wll sgnfcantly reduce the rsk of prvacy exposure. B. Complance In order to determne low-rsk routes for sendng senstve nformaton, the SDN controller could determne whch network components are complant. A path computaton then nvolvng those components could be formulated. Ths results n mnmal rsk when handlng senstve data sent across the network. An upper bound (lmt) to such routng may also be consdered. V. RISK ANALYSIS Rsk computaton provdes quantfy rsks across varous network components. Ths quantfcaton can then be used to make an optmal decson for the routng of senstve traffc. The followng are the key factors n computaton and usage of rsk quantfcaton. 1. Rsk for each router may be consdered as categorzed based on the dscusson n Secton III. Ths results n two types of rsks: () prvacy exposure rsk and () complance rsk. The prvacy exposure rsk may be quantfed by evaluatng the securty of a router and ts vulnerablty to external attacks. The complance rsk for a network may be quantfed by evaluatng the number of controls that are not mplemented n that network component.for nstance the total number of HIPAA controls s 59, ths value could be scaled by 59 to result n a value n the range (0, 1). 2. The overall (global) rsk for a graph or subgraph of network components, may then be computed and quantfed by focusng on the maxmum flow of complant route or node and low prvacy exposure data across the network. Gven a graph G(V, E), where V and E are the sets of vertces and edges respectvely (for that graph), the controller output after processng (as explaned above) wll be as follows. The controller may take one of two possble decsons. 1. Ths s the case where the controller has found a path or a set of paths across the network, by whch senstve data may be routed. The paths are selected so as to mnmze prvacy exposure and complance rsks for a gven data transmsson sesson. 2. On computaton of the rsks along varous paths n the network, the controller may not fnd any favorable path on
whch data may be transmtted wthout sgnfcant rsk n context of prvacy exposure and complance. In ths case, the controller acknowledges that the data transmsson rsk s too hgh and may decde to not send any senstve data across the network. No data transmsson sesson s ntated n ths settng. Ths stuaton can be resolved when more lowrsk resources become avalable at a later tme, or f the rsk quantfcaton of network components changes. In order to admnster the algorthm on the network across varous connected components, the followng are steps that can be followed for contnuous montorng and operaton. 1. Each SDN controller (C) s allowed to focus on an assocated graph G(V, E). Ths graph may change from tme to tme based on change n network structure, addton or removal of varous network components, or even varatons n network traffc and securty. 2. In order to mark a certan data transmsson for a low-rsk requrement, the (s, d) par may be tagged or the data packets nvolved may be tagged. Ths s a way for the controller to ensure that all other network components are able to dentfy that these data packets must adhere to a low-rsk envronment. 3. Ant Colony Optmzaton (ACO) provdes a computatonally cheap soluton to path computatons (snce t uses approxmaton) for a gven network. The controller may leverage ACO to compute optmzed routes whch adhere to prvacy exposure and complance constrants assocated wth the current data transmsson. Ths may be specfc to a packet or may be for a gven (s, d) par. The prmtve ACO algorthm only uses pheromones. For our problem settng, we also ncorporate securty rsks for each edge of the graph. These rsks may be accumulated over neghbors of several hops along a path n the network. Ths may also be extended to prevous paths used by the network. Smlar to pheromone values, quantfed rsk values also observe a gradual decay n value as tme progresses. Ths allows the use of dfferent paths for a gven data flow n the network(whch s a favorable feature n rsk-assocated envronments). In ths study, we consder several parameters for analyzng the rsk of routng of a data packet. The fnal output of rsk analyss, rsk rato, allows the SDN controller to reconfgure the forwardng table on each swtch. In order to avod the computaton overhead, we perform off-lne computaton, therefore the forwardng table s updated perodcally. A. Rsk Parameters Frst, we defne several parameters for computng rsk rato as follows. 1. Meta-data of a data packet when t s routed to a swtch and transferred to a destnaton address. Ths parameter ncludng orgn address, destnaton address, sze of data packet, prorty, n port, out port, and routng path. 2. Tmestamp wth respect to local tmezone of the node or swtch. Ths parameter assocates to three nodes at each routng step: ) orgn local tme; ) destnaton local tme; ) current swtch local tme. The tme allows us to assess each data packet or a group of data packets based on the average rate for dfferent tmes. 3. Hstory of routng path for a specfc orgn and destnaton node. Ths parameter uses a tme-stamp parameter to provde a comprehensve evaluaton. 4. Data packet content. We randomly evaluate data packet f there s a chance of plan text data transfers through the network whch mght be performed by software applcaton whch s complance unaware. Evaluaton of data packet enables the rsk analyzer to assess hgh rsk applcatons that are not encryptng orgnal data. 5. Type of data packet. Ths may correspond to dfferent protocols, such as ARP, IP4, and IP6. 6. Data Integrty. We assess a data packet by revewng mnmum of two swtches n a routng path. Data packets are randomly selected for data ntegrty evaluaton. At the same tme, the data packet may be forwarded to the destnaton and a copy could be submtted to Integrty Evaluator SDN controller that has all requred nformaton for addtonal revew. 7. Type of data packet encrypton. Packets may have dfferent levels of securty provded by dfferent types of encrypton. B. Rsk Computaton Second, we consder ACO to analyze onlne rsk rato and use a well-known clusterng algorthm, k means, to teratvely compute k centrod objects for our n crtera to fnd the rsk rato based on descrbed parameters n Secton V-A. Snce ths algorthm has more computaton overhead than ACO, t s processed on the SDN controller n an off-lne mode or t can be processed on an ndvdual node and t modfes forwardng tables of the swtches based on computed rsk factors. In the k means algorthm, let X = {x 1, x 2,..., x n } be n elements of rsk parameter objects, and S = {s 1, s 2,..., s n } whch s the set of our rsk level clusters. The goal s clusterng n parameters nto S clusters of rsk ratos. The algorthm ams to partton n parameters nto k clusters based on mnmzng the Wthn-Cluster Sum of Squares (WCSS) whch s a summaton of dstance functon of each rsk parameters to the rsk level clusters. The WCSS for each s can be defned as follows: x S x µ 2 (1) If µ be the mean of cluster of s, therefore the rsk rato can be defned as follows: k arg mn x µ 2 (2) =1 x S Ths algorthm has to perform two steps. 1) Assgn each pont to the closest cluster to generate a partton as follows: s (t) m (t) = {x p : x p m (t) 2 x p m (t) j 2, j = 1, 2,..., k (3) represents the mean value of th cluster
2) Compute the centrod of the new cluster as follows: m (t+1) = 1 x S (t) j (4) x j S (t) In ths paper, we consder fve rsk levels as follows: ) very low-rsk; ) low-rsk; ) normal; v) hgh-rsk; v) very hgh-rsk. These rsk levels correspond to cluster centers {s 1, s 2, s 3, s 4, s 5 }, respectvely. In ths scenaro the target of our algorthm s fndng a lower rsk rato for each route to dstrbutng data packets n SDN envronment. VI. EVALUATION We mplement the rsk analyzer n python by usng scktlearn lbrary. We use 10 dfferent features or data prvacy parameters as nput for analyzng the rsk rato wth 5 dfferent rsk levels as descrbed n Secton V-A. Each feature represents a rsk parameter to be used n the k means algorthm.we have mplemented our log analyss model s an offlne smulaton process (usng RYU), whch however, can be mplemented for onlne log analyss and rsk computaton. In ths experment, we consdered 10, 000 sample log records whch are generated randomly as follows. 1. Usng an ansotropc dstrbuton for 10 dfferent features when we consder dfferent tme-stamp features. We transform the orgnal feature of the tme-stamp to the cluster-dstance space. Let us consder dfferent tmestamps as the man key for ths classfcaton algorthm whle usng the other 9 features as parameters. In ths scenaro, we can dvde each day nto three perods as follows: 8:00AM-4:00PM, 4:00PM-1:00AM and 1:00AM-8:00AM. Therefore, we can evaluate all 9 features wth respect to ths tme dvson. The result of ths experment s shown n Fgure 1. Each record of 10, 000 sample records have been labeled wth ts rsk rato level. In Fgure 1, we reduce the 10-dmenson nput to a 2D as shown ponts as X-axs and Y-axs. We also label each of the ponts based on ther rsk rato wth dfferent colors when 10 features are consdered. In ths experment, we found that any securty and prvacy ssue between 4:00PM-1:00AM (the mddle cluster represents ths set of tme-stamps) ndcates a very hgh-rsk factor. For nstance, when a health-care applcaton s usng plan-text wthout encryptng the orgnal content and usng a plan-text protocol. 2. Usng dfferent varance for generatng random values for 10 dfferent features s shown Fgure 2, the rsk level for dfferent cluster have been dentfed for all 10, 000 records; and fnally 3. Usng unevenly szed blocks to generate random values for 10 dfferent features. As shown n Fgure 3, the rsk levels for dfferent clusters have been dentfed for all 10, 000 records. Consderng dfferent subjects for evaluatng the rsk n a SDN network allows the proposed method to provde a rgorous evaluaton for strct complance requrement network. In addton, mplementng ths method on each swtch even for open swtch s not feasble because the method requres heavy computaton. However, when we are usng a SDN controller we are able to collect data perodcally from the swtches and Fg. 1. Rsk level for ansotropc dstrbuton of 10 features. Multdmensonal feature vectors are reduced to two dmensons. Fg. 2. Rsk level for dfferent varances of 10 features. Clusters of rsk vared level data are observed to be well separated n ths representaton. compute the rsk factors for dfferent data packets based on ther orgn, destnaton, tme, and etc. The collected data can be revewed by an external revewer (rsk analyzer) to decde whch forwardng table s requred modfcaton. Our ACO method wll be able to use ths rsk level tag to evaluate network edge weghts and therefore forward data packets based on all consdered rsk parameters. ACO s tested by evaluatng the tme duratons of a seres of random message nteractons between hosts. Ths nvolves rule computaton for new communcatons, as well as a hard tmeout (tme after whch any rule s forcefully erased, f not erased already) by the controller. These are summarzed n Fgure 4. Expermental results are averaged over 10 runs. Wth the addton of rsk and prvacy constrants, the routng path selected may no longer be the shortest (because routng
Fg. 3. Rsk level for dfferent 10 features when usng unevenly szed blocks. Some overlap n clusters data tems across rsk levels s observed when analyzng all features. preferences no longer depend solely on physcal network dstance).whle an nteracton wth the controller (when a flow s not nstalled) takes sgnfcantly longer than bypassng t (when a flow s nstalled), the use of ACO stll allows for lower complexty than other tradtonal algorthms (as explaned n Secton II). The tme complexty for the controller can further be reduced by decreasng the amount of nformaton beng logged or retaned, and optmzng the mplementaton. ACO s an nherently parallel algorthm and may therefore take advantage of parallel compute archtectures. VII. CONCLUSION In ths paper, we proposed a novel data prvacy preservaton method for SDN routng. In ths routng algorthm, the SDN controller collects dfferent features, such as: data packet types, network topology, and data packet routng hstory. We used two methods, frst, rsk analyzer that provdes an offlne process to compute the rsk rato and the second, an onlne method to make real-tme decson for routng data packets. Frst, the SDN controller processes the data packet features by evaluatng them based on a well-known machne learnng method, k means, and t classfes the data packet based on ther level of rsks accordng to HIPPA rsk parameters. Second, we used ACO to provde a real-tme decson for routng data packets because t provdes a much lower tme complexty soluton than ts tradtonal graph algorthm counterparts. The expermental results show an evaluaton on 10 dfferent rsk parameters whch s consdered as hgh dmensonal data. The rsk analyzer s combned wth ACO to provde a holstc soluton to prvacy and rsk complant assocate to the whole SDN network. Fg. 4. Delays n communcaton (after the controller nstalls a flow) wth and wthout rsk analyss. [2] K. Krkpatrck, Software-defned networkng, Communcatons of the ACM, vol. 56, no. 9, pp. 16 19, 2013. [3] N. Feamster, Software defned networkng, Coursera, 2013. [4] S. Baley, D. Bansal, L. Dunbar, D. Hood, Z. L. Ks, B. MackCrane, J. Magure, D. Malek, D. Meyer, M. Paul et al., Sdn archtecture overvew, Open Networkng Foundaton, Ver, vol. 1, 2013. [5] O. Dobrjevc, M. Santl, and M. Matjasevc, Ant colony optmzaton for qoe-centrc flow routng n software-defned networks, n Network and Servce Management (CNSM), 2015 11th Internatonal Conference on. IEEE, 2015, pp. 274 278. [6] M. Gunes, U. Sorges, and I. Bouazz, Ara-the ant-colony based routng algorthm for manets, n Parallel Processng Workshops, 2002. Proceedngs. Internatonal Conference on. IEEE, 2002, pp. 79 85. [7] W. Guo, W. Zhang, and G. Lu, A comprehensve routng protocol n wreless sensor network based on ant colony algorthm, n Networks Securty Wreless Communcatons and Trusted Computng (NSWCTC), 2010 Second Internatonal Conference on, vol. 1. IEEE, 2010, pp. 41 44. [8] B. Pfaff, Open vswtch manual, Manual, Open vswtch. [9] M. Cont, F. De Gaspar, and L. V. Mancn, Know your enemy: Stealth confguraton-nformaton gatherng n sdn, arxv preprnt arxv:1608.04766, 2016. [10] Q. Chen, C. Qan, and S. Zhong, Prvacy-preservng cross-doman routng optmzaton-a cryptographc approach, n 2015 IEEE 23rd Internatonal Conference on Network Protocols (ICNP). IEEE, 2015, pp. 356 365. REFERENCES [1] N. McKeown, Software-defned networkng, INFOCOM keynote talk, vol. 17, no. 2, pp. 30 32, 2009.