SAND: semi-automated adaptive network defense via programmable rule generation and deployment

Research Paper, published in Science China Information Sciences

Abstract

Cyber security is dynamic, as defenders often need to adapt their defense postures. In the current state of the art, the adaptation of network defense is done manually, which is tedious and error-prone. The ideal solution is to automate adaptive network defense, which is, however, a difficult problem. As a first step towards automation, we propose investigating how to attain semi-automated adaptive network defense (SAND). Our approach extends the architecture of software-defined networking and is centered on giving defenders the capability to program the generation and deployment of dynamic defense rules that are enforced by network defense tools. We present the design and implementation of SAND, as well as the evaluation of the prototype implementation. Experimental results show that SAND can achieve agile and effective dynamic adaptation of defense rules (less than 15 ms on average for each operation), while incurring only a small performance overhead.



Acknowledgements

This work was supported by Key Program of National Science Foundation of China (Grant No. U1936211), Shenzhen Fundamental Research Program (Grant No. JCYJ20170413114215614), and Key-Area Research and Development Program of Guangdong Province (Grant No. 2019B010139001).


Corresponding author

Correspondence to Hai Jin.


Cite this article

Chen, H., Zou, D., Jin, H. et al. SAND: semi-automated adaptive network defense via programmable rule generation and deployment. Sci. China Inf. Sci. 65, 172102 (2022). https://doi.org/10.1007/s11432-020-3193-2
