Exploring SDN @ Anna University · SDN and Security (Cognizant/ISEA) •Intrusion detection system...
Exploring SDN @ Anna University
People
Faculty: Dr Arockia Xavier Annie R, Dr Gopal T V, Dr Ranjani Parthasarathi, Dr Vetriselvi V, Dr Yogesh P
Researchers: Mr. Ashok Kumar M, Mrs. Bharathi N A
Students: Ms. Aarthi S, Mr. Balaji S, Mr. Baratheraja R N, Mr. Gowtham V N, Ms. Jahnavi N, Ms. Jayabarathi G, Ms. Kirutika K, Ms. Lakshmipriyadarshini V, Mr. Parthiban P R, Mr. Raakesh M, Ms. Sathiya Priya L, Mr. Sethu Ramalingam R, Ms. Shafreen Nihara A, Ms. Shalini S, Ms. Shivaranjani
SDN in curricula
PG Level – M.E CSE & M.Tech IT (R2015)
• Networking Technologies / Network Engineering core course – one unit is on Software Defined Networks
• One unit on SDN in Advanced Networks elective course (R2015)
UG Level – B.E CSE / B.Tech IT
• Software Defined Networks is offered as an elective (R2017)
• Basics of SDN is introduced in the core course of Computer Networks (R2017)
Areas Explored & Collaborators
Network Monitoring (Interface Masters Technologies)
• Distributed Traffic Monitoring Fabric
• Network Applications using DPDK
Network Management
• Network Resilience using SDN and NFV
• Proactive failure recovery in openflow based SDN
• Failure recovery using segment protection in openflow based SDN
SDN and Security (Cognizant/ISEA)
• Intrusion detection system (IDS) in data plane of SDN
• Two-level IDS using ML/Genetic/Fuzzy
• Collaborative IDS using Game theory
• URL filtering in SDN
Mitigating attacks on SDN (AU-Cognizant Security Research Lab)
• Mitigation of DDoS attacks
• Detecting compromised controllers
Network Monitoring
Distributed Traffic Monitoring Fabric
• Flow management in SDN
▪ Flow Aggregation
▪ Path optimization
• Pattern Based Load balancing
▪ Classify network traffic using machine learning algorithms
▪ Perform load balancing based on the class of the traffic
• Interactive Monitoring and Visualization
▪ Statistics collection – number of flows, bytes, packets, errors etc.
▪ Performance calculation – link utilization, bandwidth
▪ Create customized alerts on various aspects like flows, utilization, topology events
▪ Chord diagram, Zoomable circle packing – used to visualize links, devices, flows and traffic
DTMF
• Interface Masters Network Packet Broker Devices connected to ONOS controller
• DTMF deployed as an application running on top of ONOS
Network Applications Using DPDK
• High Performance Network Applications that run on x86 hardware using the Intel DPDK framework
▪ Packet Trimming
▪ Data Masking
• Packet Trimming – removing the payload from the packets; only headers are sent to the monitoring tools
• Data Masking – masking sensitive information in the packets
Network Management
Network Resilience Using SDN and NFV
• Leveraging SDN and NFV for network monitoring and security services – together providing network resilience
• On-demand provisioning of the following virtual network functions:
• Traffic Monitoring
• Firewall
• IDS/IPS
• Tools used
• Ryu and Floodlight Controllers
• Snort IDS/IPS
• Mininet
• OpenMANO
Failure Recovery
• Proactive failure recovery
▪ Controller adds backup paths along with working paths
▪ Switches perform local recovery actions
▪ Backup paths added only for critical/important paths
• Segment Protection for failure recovery
▪ Backup paths computed using segment (smaller than path) protection
▪ Bidirectional Forwarding Detection (BFD) protocol used to identify failure
Publication:
V. Padma and P. Yogesh, "Proactive Failure Recovery in OpenFlow based Software Defined Networks", International Conference on Signal Processing, Communication and Networking (ICSCN 2015), organized by MIT Campus, Anna University, Chennai, India. Available in IEEE Xplore digital library.
V. Padma, Gayathri Santhosh and Yogesh Palanichamy, "Failure Recovery using Segment Protection in Software Defined Networks", International Conference on Intelligent Information Technologies 2017 (ICIIT 2017), organized by College of Engineering Guindy, Anna University, Chennai, India. Available in Springer CCIS.
SDN and Security
Intrusion Detection System in Data Plane of SDN
• Build IDS that enhances security in the data plane
• Goals
▪ Firewall based on Flow / Transport / Application
▪ Preventing controller resource saturation attacks using Multi-Layer Fair Queuing (MLFQ)
▪ Detecting viruses – signature based – Aho-Corasick algorithm
▪ Truncating packets for efficient analysis by monitoring tools
• P4 based switches are used as the data plane with customized pipeline and flow tables
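The slide names Aho-Corasick as the signature-matching algorithm for the data-plane IDS. As an added example (not code from the Anna University project), here is a minimal Aho-Corasick automaton with a packet-inspection wrapper; the signatures and payloads are constructed for illustration. The point worth seeing is that a single pass over the payload reports every loaded signature, which is what makes the algorithm suitable for inspection inside a switch pipeline.

```python
"""Added example, not the project's own code: a minimal Aho-Corasick
multi-pattern matcher as used for signature-based detection in the data
plane.  Signatures and payloads here are constructed for illustration."""
from collections import deque


class AhoCorasick:
    """Multi-pattern byte matcher: build once, scan in O(len(data) + matches)."""

    def __init__(self, patterns):
        self.goto = [{}]   # goto[state][byte] -> next state (trie edges)
        self.out = [[]]    # out[state] -> patterns that end in this state
        self.fail = [0]    # fail[state] -> state of the longest proper suffix
        for pat in patterns:
            self._add(bytes(pat))
        self._build_failure_links()

    def _add(self, pat):
        state = 0
        for b in pat:
            if b not in self.goto[state]:
                self.goto.append({})
                self.out.append([])
                self.fail.append(0)
                self.goto[state][b] = len(self.goto) - 1
            state = self.goto[state][b]
        self.out[state].append(pat)

    def _build_failure_links(self):
        # Breadth-first order: a failure link always points to a shallower
        # state, so it is final before any of its children are processed.
        queue = deque(self.goto[0].values())
        while queue:
            r = queue.popleft()
            for b, s in self.goto[r].items():
                queue.append(s)
                f = self.fail[r]
                while f and b not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(b, 0)
                # Matches ending at the suffix state also end here.
                self.out[s] = self.out[s] + self.out[self.fail[s]]

    def scan(self, data):
        """Return (offset, pattern) for every signature occurrence in data."""
        hits, state = [], 0
        for i, b in enumerate(data):
            while state and b not in self.goto[state]:
                state = self.fail[state]
            state = self.goto[state].get(b, 0)
            for pat in self.out[state]:
                hits.append((i - len(pat) + 1, pat))
        return hits


# Constructed signature set (byte sequence -> rule name) for the demo.
SIGNATURES = {
    b"X-Malicious-Marker": "test-marker",
    b"eval(base64_decode(": "php-obfuscation",
    b"<script>alert(": "html-script",
}

_MATCHER = AhoCorasick(SIGNATURES)


def inspect_payload(payload):
    """Return the sorted names of all signatures found in one packet payload."""
    return sorted({SIGNATURES[pat] for _, pat in _MATCHER.scan(payload)})


if __name__ == "__main__":
    print(inspect_payload(b"GET /?q=<script>alert(1) HTTP/1.1"))
```

The classic "ushers" case exercises the failure links: the automaton reports "she", "he" and "hers" without rescanning, even though "he" is a suffix of "she" and the prefix of "hers".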
Two Level IDS using ML
• Building IDS using the principles of Machine Learning and Genetic Algorithm
• Anomaly Detection using ML algorithm (ID3)
• Anomaly Classification using Genetic Algorithm
• P4 based switches are used with customized pipelines and match tables for DPI
IDS for SDN using Fuzzy System
Fuzzy IDS
• Early Detection Algorithms – connection success ratio, connection throttling
• Anomaly-based fuzzy IDS – supervised machine learning approach
▪ Trained with KDD Cup 99 dataset
• Features – duration, protocol, flag, src bytes, dst bytes, urg packets, packet count, diff serv count
• Attack Categories considered
▪ Denial of Service (DoS)
▪ Remote to Local (R2L)
▪ User to Root (U2R)
▪ Probing
Publication:
Shalini S, Shafreen Nihara A, Sathiya Priya L, Vetriselvi V., "Intrusion Detection System for Software-Defined Networks Using Fuzzy System", Proceedings of the International Conference on Computing and Communication Systems, Lecture Notes in Networks and Systems book series (LNNS, volume 24), Springer, March 2018.
Collaborative Intrusion Detection System using Game Theory
• Multiple Controller and Multiple IDS environment – communicating with each other – a collaborative system
• Collaborative system is formalized using a Game Theoretical Framework
• Optimizes each IDS with respect to the other IDSs by achieving a Nash Equilibrium state
• Two different IDSs are used
▪ Entropy based IDS – detects attacks based on behavioral change in entropy
▪ Snort IDS – rule based – detects predefined signatures
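The entropy-based IDS above detects attacks from a behavioral change in entropy. As an added example (not the project's own code), the block below reduces that idea to its core: compute the Shannon entropy of the destination field over windows of flow records and flag a window whose entropy falls well below the baseline built from earlier, accepted windows. The flow windows are constructed; in a deployment they would come from the controller's flow statistics. The field name, window layout and threshold are assumptions made for the demo.

```python
"""Added example, not the project's own code: an entropy-based anomaly
detector over flow windows.  A flooding attack concentrates traffic on a
few destinations, so the entropy of the destination field collapses
relative to the baseline.  All flow records below are constructed."""
import math
from collections import Counter


def shannon_entropy(values):
    """Shannon entropy in bits of the empirical distribution of `values`."""
    n = len(values)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(values).values())


def detect_entropy_anomalies(windows, field="dst", min_drop=1.0):
    """Return indices of windows whose entropy over `field` falls more than
    `min_drop` bits below the running mean of previously accepted windows.

    Flagged windows are kept out of the baseline so that a sustained attack
    cannot drag the baseline down and hide itself."""
    flagged, baseline = [], []
    for i, window in enumerate(windows):
        h = shannon_entropy([flow[field] for flow in window])
        if baseline and (sum(baseline) / len(baseline) - h) > min_drop:
            flagged.append(i)
        else:
            baseline.append(h)
    return flagged


def sample_windows():
    """Constructed flow windows: two normal, one flood toward 10.0.0.9, one normal."""
    def normal(seed):
        # eight flows to eight distinct destinations: entropy 3 bits
        return [{"src": f"10.1.{seed}.{i}", "dst": f"10.0.0.{i}"} for i in range(8)]
    # seven of eight flows hit one host: entropy about 0.54 bits
    flood = [{"src": f"198.51.100.{i}", "dst": "10.0.0.9"} for i in range(7)]
    flood.append({"src": "10.1.9.1", "dst": "10.0.0.3"})
    return [normal(1), normal(2), flood, normal(3)]


if __name__ == "__main__":
    print(detect_entropy_anomalies(sample_windows()))
```

Running the same detector over the source field with the opposite sign (a rise in entropy) catches spoofed-source floods, which is why the two are usually watched together.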
Publication:
Gowtham V.N., Baratheraja R.N., Jayabarathi G., Vetriselvi V., "Collaborative Intrusion Detection System in SDN Using Game Theory", Proceedings of the International Conference on Computing and Communication Systems, Lecture Notes in Networks and Systems, vol. 24, Springer (2018), Singapore.
Collaborative IDS Framework
URL filtering in SDN
• Detection of phishing URLs
• Analyze the lexical and content-based features of the URLs
• Use Deep Packet Inspection (DPI) and machine learning techniques
• Performance of the system is evaluated based on response time and accuracy in a simulation framework
Publication:
Archana Janani, V. Vetriselvi, Ranjani Parthasarathi, "An Approach to URL Filtering in SDN", International Conference on Computer Networks and Communication Technologies, Springer (2018). Springer Lecture Notes on Data Engineering and Communications Technologies.
Mitigation of DoS attack in SDN
• Mitigating the denial-of-service attack on flow tables
• Randomization of the paths – distributing rules
• Flow aggregation – reducing rules
• Overall number of rules is reduced by 58%, which is better than the 26% reported in SDNGuard (a similar approach)
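Flow aggregation shrinks the flow table that a table-exhaustion attack tries to fill. As an added example (not the project's own code), the block below implements one lossless form of it: rules are (destination prefix, output port) pairs, constructed here, and prefixes with the same action that tile a larger block are merged into a single entry. The rule format and the conflict check are assumptions for the demo; the 58% figure on the slide comes from the project's own evaluation, not from this code.

```python
"""Added example, not the project's own code: lossless prefix aggregation
of forwarding rules.  Rules are constructed (prefix, action) pairs."""
import ipaddress
from collections import defaultdict


def _group(rules):
    by_action = defaultdict(list)
    for prefix, action in rules:
        by_action[action].append(ipaddress.ip_network(prefix, strict=True))
    return by_action


def has_conflicts(rules):
    """True if prefixes with different actions overlap.  Such a table needs
    priorities to be meaningful, so it must not be aggregated blindly."""
    by_action = _group(rules)
    actions = list(by_action)
    for i, a in enumerate(actions):
        for b in actions[i + 1:]:
            for n1 in by_action[a]:
                for n2 in by_action[b]:
                    if n1.overlaps(n2):
                        return True
    return False


def aggregate_rules(rules):
    """Merge same-action prefixes into the fewest networks covering exactly
    the same address space, so forwarding behaviour is unchanged."""
    if has_conflicts(rules):
        raise ValueError("overlapping rules with different actions")
    aggregated = []
    for action, nets in _group(rules).items():
        # collapse_addresses joins only adjacent or contained networks; it
        # never invents address space, which is what keeps this lossless.
        for supernet in ipaddress.collapse_addresses(nets):
            aggregated.append((str(supernet), action))
    return aggregated


def reduction_percent(before, after):
    """Percentage of rules removed by aggregation."""
    return round(100.0 * (len(before) - len(after)) / len(before), 1)


def sample_rules():
    """Constructed flow table: four /26 and two /25 rules that tile two /24s."""
    return [
        ("10.0.1.0/26", 1), ("10.0.1.64/26", 1),
        ("10.0.1.128/26", 1), ("10.0.1.192/26", 1),
        ("10.0.2.0/25", 2), ("10.0.2.128/25", 2),
        ("10.0.3.0/24", 1), ("10.0.4.0/24", 3),
    ]


if __name__ == "__main__":
    before = sample_rules()
    after = aggregate_rules(before)
    print(after, reduction_percent(before, after))
```

Aggregation that also wildcards fields (ports, protocols) can cut far more entries but is no longer lossless; the check in `has_conflicts` is the minimum a controller should run before replacing specific rules with coarser ones.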
Publication:
N. A. Bharathi, Ranjani Parthasarathi, V. Vetriselvi, "Mitigation of DoS in SDN using Path Randomization", International Conference on Computer Networks and Communication Technologies, Springer (2018). Springer Lecture Notes on Data Engineering and Communications Technologies.
Detecting Compromised Controllers in SDN
• Uses a machine learning algorithm – Random Forest Classifier
• Classifies the controller as compromised or not at any given point in time
• Monitors various aspects of the system like
▪ System logs
▪ Packet In, Packet Out Ratio
▪ Packet In, Packet Out Disparity
▪ Switch Participation Index
▪ Average degree of nodes
▪ Timeout Frequency
• Performance evaluation under the following attacks
▪ DoS
▪ Topology Poisoning
▪ Traffic Diversion
▪ Pass traffic via compromised switch
▪ Tear Drop Attack
SDN for Internet of Things: Securing Home Networks using SDN
• Heterogeneity and interoperability of diverse home devices handled with SDN
• IDS using an ensemble of ID3, Fuzzy and deep neural network approaches
Work in Progress
• Setting up of 5G SDN security test bed
▪ Dell PowerEdge T430 – Intel Xeon processor E5-2600 v4 product family – 20 GB RAM; running as a Kubernetes worker node – ONOS and other application containers are deployed on it
▪ Dell PowerEdge T20 – Intel Xeon E3-1225 v3 product family – on-board RAID
▪ 3 x Ruijie RG-S2910-24GT4XS-E – OpenFlow enabled Gigabit switches
▪ Maxinet – to emulate a huge number of nodes
• DDoS attack detection and mitigation in a data center network
▪ Considering a leaf-and-spine topology with ONOS Trellis fabric
▪ sFlow based behavioral analysis
Thank You