Adaptive Network Security Service Orchestration Based on SDN/NFV

  • Conference paper
  • Information Security Applications (WISA 2021)

Abstract

The integration of Software-Defined Networking (SDN) and Network Function Virtualization (NFV) is an innovative network architecture that abstracts lower-level functionality by separating the control plane from the data plane and improves real-time management of network behavior and network services. It provides unprecedented programmability, automation, and control over network dynamics. In this paper, we propose a flexible and elastic network security service management system that reacts in a timely manner to abnormal network behavior by orchestrating network security functions on top of SDN/NFV. In designing the system, we address key challenges of scalability, responsiveness, and resilience against adversaries. The proposed system provides real-time, lightweight monitoring and response by integrating security functions into the SDN/NFV domain. The SDN controller automatically learns the network conditions and orchestrates security functions for effective monitoring against attacks. The system is implemented on the open-source SDN controller RYU and consists of three main agents: a network monitoring agent, an orchestration agent, and a response agent. Experimental results show that our approach achieves low network latency with small memory usage for the virtual intrusion detection systems.

Author information

Corresponding author: Younghee Park.

Copyright information

© 2021 Springer Nature Switzerland AG

About this paper

Cite this paper

Ganta, P., Yu, K., Chintala, D.D., Park, Y. (2021). Adaptive Network Security Service Orchestration Based on SDN/NFV. In: Kim, H. (ed.) Information Security Applications. WISA 2021. Lecture Notes in Computer Science, vol. 13009. Springer, Cham. https://doi.org/10.1007/978-3-030-89432-0_19

  • DOI: https://doi.org/10.1007/978-3-030-89432-0_19

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-89431-3

  • Online ISBN: 978-3-030-89432-0

  • eBook Packages: Computer Science (R0)
