Abstract
The integration of Software-Defined Networking (SDN) and Network Function Virtualization (NFV) is an innovative network architecture that abstracts lower-level functionality by separating the control plane from the data plane, and that enhances the management of network behavior and network services in real time. It provides unprecedented programmability, automation, and control over network dynamics. In this paper, we propose a flexible and elastic network security service management system that reacts in a timely manner to abnormal network behavior by orchestrating network security functions on top of SDN/NFV. In designing the system, we address key challenges of scalability, responsiveness, and adversary resilience. The proposed system provides real-time, lightweight monitoring and response by integrating security functions into the SDN/NFV domain. The SDN controller automatically learns the network conditions and orchestrates security functions for effective monitoring against attacks. The system is implemented on the open-source SDN controller RYU and consists of three main agents: a network monitoring agent, an orchestration agent, and a response agent. Experimental results show that our approach achieves low network latency with small memory usage for virtual intrusion detection systems.
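The monitoring, orchestration and response roles named in the abstract, modelled as an added example that is not the paper's or RYU's code: the monitor derives per-source packet rates from two constructed OpenFlow-style flow-stats polls, the orchestrator sizes the number of virtual IDS instances per switch, and the responder emits redirect rules. The rate threshold, the per-vIDS capacity, the stats layout and the vIDS port numbering are all assumptions.

```python
"""Three-agent pipeline (monitor -> orchestrate -> respond) over constructed
OpenFlow-style flow statistics. Thresholds and field names are assumptions."""
from collections import defaultdict

RATE_THRESHOLD_PPS = 1000   # assumed: packets/s above which a source is abnormal
FLOWS_PER_VIDS = 2          # assumed: sources one virtual IDS instance can inspect

def monitor(prev, curr, interval_s):
    """Monitoring agent: packet rate per (dpid, src) between two stats polls."""
    return {key: (pkts - prev.get(key, 0)) / interval_s for key, pkts in curr.items()}

def detect_abnormal(rates):
    """Per switch (dpid), the sources whose rate exceeds the threshold."""
    abnormal = defaultdict(list)
    for (dpid, src), pps in rates.items():
        if pps > RATE_THRESHOLD_PPS:
            abnormal[dpid].append(src)
    return dict(abnormal)

def orchestrate(abnormal):
    """Orchestration agent: vIDS instances needed per switch (ceil division)."""
    return {dpid: -(-len(srcs) // FLOWS_PER_VIDS) for dpid, srcs in abnormal.items()}

def respond(abnormal, plan, vids_port=10):
    """Response agent: OpenFlow-style rules steering each suspect source to a vIDS port.
    Sources are spread round-robin over the instances the plan allocates (assumed layout)."""
    rules = []
    for dpid, srcs in abnormal.items():
        for i, src in enumerate(srcs):
            rules.append({"dpid": dpid, "priority": 100,
                          "match": {"ipv4_src": src},
                          "actions": [{"output": vids_port + (i % plan[dpid])}]})
    return rules

def run_cycle(prev, curr, interval_s=5.0):
    """One monitoring cycle: returns the vIDS plan and the rules to push."""
    abnormal = detect_abnormal(monitor(prev, curr, interval_s))
    plan = orchestrate(abnormal)
    return plan, respond(abnormal, plan)

# Constructed sample: (dpid, src) -> cumulative packet count at two polls 5 s apart
PREV = {(1, "10.0.0.1"): 100, (1, "10.0.0.2"): 100, (1, "10.0.0.3"): 100, (2, "10.0.1.9"): 50}
CURR = {(1, "10.0.0.1"): 20100, (1, "10.0.0.2"): 9100, (1, "10.0.0.3"): 600, (2, "10.0.1.9"): 30050}

if __name__ == "__main__":
    plan, rules = run_cycle(PREV, CURR)
    print(plan)   # {1: 1, 2: 1}
    print(rules)
```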
© 2021 Springer Nature Switzerland AG
Cite this paper
Ganta, P., Yu, K., Chintala, D.D., Park, Y. (2021). Adaptive Network Security Service Orchestration Based on SDN/NFV. In: Kim, H. (ed.) Information Security Applications. WISA 2021. Lecture Notes in Computer Science, vol. 13009. Springer, Cham. https://doi.org/10.1007/978-3-030-89432-0_19
DOI: https://doi.org/10.1007/978-3-030-89432-0_19
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-89431-3
Online ISBN: 978-3-030-89432-0