Abstract
Software-Defined Networking (SDN) is a core technology. However, Denial of Service (DoS) has proved to be a serious attack in SDN environments. A variety of Intrusion Detection and Prevention Systems (IDPS) have been proposed to detect and mitigate DoS threats, but they often impose significant performance overhead and long mitigation times that make them impractical. To address these issues, we propose KernelDetect, a lightweight kernel-level intrusion detection and prevention framework. KernelDetect combines modular string searching and filtering mechanisms with SDN techniques. Because Aho-Corasick is an exact string matching technique and the Bloom filter is a partial matching technique, we design KernelDetect to combine the strengths of both algorithms with SDN. Moreover, we compare KernelDetect with the traditional IDPS SNORT and BRO on a real-world testbed. Comprehensive experimental studies demonstrate that KernelDetect is an efficient mechanism and outperforms SNORT and BRO in threat detection and mitigation.
Acknowledgments
We acknowledge the National Science Foundation (NSF) for partially sponsoring this work under grants #1633978, #1620871, #1620862, and #1636622, and BBN/GPO project #1936 through an NSF/CNS grant. We also thank the Florida Center for Cybersecurity for a seed grant. The views and conclusions contained herein are those of the authors and should not be interpreted as necessarily representing the official policies, either expressed or implied, of the NSF.
Copyright information
© 2018 ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering
About this paper
Cite this paper
Chin, T., Xiong, K., Rahouti, M. (2018). SDN-Based Kernel Modular Countermeasure for Intrusion Detection. In: Lin, X., Ghorbani, A., Ren, K., Zhu, S., Zhang, A. (eds) Security and Privacy in Communication Networks. SecureComm 2017. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 238. Springer, Cham. https://doi.org/10.1007/978-3-319-78813-5_14
DOI: https://doi.org/10.1007/978-3-319-78813-5_14
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-78812-8
Online ISBN: 978-3-319-78813-5
eBook Packages: Computer Science (R0)