Software defined networking (SDN) is an emerging phenomenon in the field of computer networking, separating the control logic from traffic forwarding and introducing real-time network programmability. The paradigm has found increasing application in several domains, seeking to replace the traditional networking models (e.g., campus LANs, WANs, DCN, LTE and 5G along with IoT). The technology, however, is still nascent and suffers from multiple security concerns at the application, control and data planes of an SDN ecosystem. Present research at CIMACS focuses on improving detection and mitigation of cyber attacks targeting SDN planes. Primary research themes are detailed as follows.
Threat Identification and Classification
Software defined networks comprise at least three different logical/physical layers, each of which can give rise to different types of attack vectors. Attacks at the application plane can target individual application services as well as the Northbound Interface (APIs) connecting the applications to the control plane. Similarly, taking over the control plane compromises the entire SDN system. The Southbound Interface between the control and data planes is also a subject of cyber security attacks. Finally, end-user devices connected to individual datapaths (switches) can overwhelm the data plane with unwanted/malicious traffic (e.g. DoS, DDoS), exhausting switch memory. As a first step in hardening SDN systems, we therefore need to identify and classify the different types of susceptibilities that can compromise SDNs. CIMACS has carried out a detailed investigation in this regard, culminating in the following publication, with ongoing work identifying emerging threats/vectors as the technology gains further traction and adoption.
Benchmarking Network Behaviour
Going beyond basic user traffic profiling, the present project collected network (accounting) information from several residential premises using SDN-based virtual switches and developed an anomaly detection solution for SDN. The collected network attributes from the residential premises were further cluster-analysed to identify the different traffic patterns inherent in user trends. The derived clusters were benchmarked for stability and employed as a baseline to discriminate between normal and attack traffic. The proposed anomalous traffic identification mechanism was further compared against typical anomaly detection approaches (e.g. entropy) and found to deliver highly accurate results with minimal overhead. Publications in this regard include Multi-Feature Enterprise Characterization in Software Defined Networks and OpenFlow-based Traffic Profiling in SDN. Ongoing work is extending the earlier findings to introduce attack mitigation techniques in SDN.
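The cluster-baseline approach described above, as an added example (not the project's own code or data): constructed per-interval OpenFlow flow statistics from one virtual switch are clustered with a small k-means to form a normal baseline, a window lying outside every cluster's radius is flagged, and the destination-IP entropy detector the project compared against is computed alongside for the same windows. All window values, the k-means seeding rule and the 1.5x radius tolerance are assumptions.

```python
import math

# Constructed per-polling-interval OpenFlow statistics from one residential
# virtual switch (hypothetical numbers, not the project's data). Each window
# records active flow entries, packets/s and packets seen per destination IP.
NORMAL_WINDOWS = [
    {"flows": 35, "pps": 120, "dst": {"10.0.0.2": 70, "10.0.0.3": 30, "10.0.0.4": 20}},
    {"flows": 40, "pps": 150, "dst": {"10.0.0.2": 80, "10.0.0.3": 40, "10.0.0.4": 30}},
    {"flows": 32, "pps": 100, "dst": {"10.0.0.2": 50, "10.0.0.3": 30, "10.0.0.4": 20}},
    {"flows": 120, "pps": 900, "dst": {"10.0.0.2": 500, "10.0.0.3": 250, "10.0.0.4": 150}},
    {"flows": 130, "pps": 1000, "dst": {"10.0.0.2": 600, "10.0.0.3": 250, "10.0.0.4": 150}},
    {"flows": 115, "pps": 850, "dst": {"10.0.0.2": 450, "10.0.0.3": 250, "10.0.0.4": 150}},
]
QUIET_WINDOW = {"flows": 38, "pps": 130, "dst": {"10.0.0.2": 70, "10.0.0.3": 40, "10.0.0.4": 20}}
FLOOD_WINDOW = {"flows": 2500, "pps": 9000, "dst": {"10.0.0.2": 8950, "10.0.0.3": 30, "10.0.0.4": 20}}

def dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

def kmeans(points, k=2, rounds=20):
    """Deterministic k-means: seed with the first point and the point farthest from it (assumed rule)."""
    centroids = [points[0], max(points, key=lambda p: dist(p, points[0]))][:k]
    for _ in range(rounds):
        groups = [[] for _ in centroids]
        for p in points:
            groups[min(range(k), key=lambda i: dist(p, centroids[i]))].append(p)
        centroids = [tuple(sum(c) / len(g) for c in zip(*g)) if g else centroids[i]
                     for i, g in enumerate(groups)]
    return centroids

def build_baseline(windows, k=2, tolerance=1.5):
    """Cluster the normal windows; the radius is the widest normal spread times a tolerance."""
    scale = (max(w["flows"] for w in windows), max(w["pps"] for w in windows))
    norm = lambda w: (w["flows"] / scale[0], w["pps"] / scale[1])
    centroids = kmeans([norm(w) for w in windows], k)
    radius = tolerance * max(min(dist(norm(w), c) for c in centroids) for w in windows)
    return {"scale": scale, "centroids": centroids, "radius": radius}

def cluster_anomaly(baseline, window):
    """True when the window lies outside every baseline cluster's radius."""
    p = (window["flows"] / baseline["scale"][0], window["pps"] / baseline["scale"][1])
    return min(dist(p, c) for c in baseline["centroids"]) > baseline["radius"]

def dst_entropy(window):
    """Shannon entropy (bits) of the destination-IP distribution; a flood on one host drives it down."""
    total = sum(window["dst"].values())
    return -sum(n / total * math.log2(n / total) for n in window["dst"].values() if n)
```

The baseline here yields two clusters (idle and streaming-like windows); the flood window is flagged by both detectors, while the quiet window stays inside its cluster and keeps a normal entropy.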