
Application Of HSA In Intrusion Detection System For SDN

Posted on: 2016-10-19
Degree: Master
Type: Thesis
Country: China
Candidate: Y C Tian
GTID: 2298330467498861
Subject: Computer Science and Technology

Abstract/Summary:
With the emergence and growth of new network technologies and applications such as the IoT, cloud computing, virtualization and the mobile Internet, the traditional network architecture can no longer satisfy the bandwidth, performance and service-diversity requirements of corporations, operators, universities and other enterprise organizations. Software Defined Networking (SDN), a new network architecture, has moved from academia into commercial deployment and has become a trend. SDN separates the control plane from the data plane, controls the whole network centrally from an SDN controller and makes the SDN switches programmable. These properties make the network easier to manage and control and allow diversified network services, but they also introduce many security issues. Intrusion Detection Systems (IDS) for traditional networks are mature; this thesis examines whether and how a traditional IDS can be applied to SDN.

Header Space Analysis (HSA) was proposed by a Stanford graduate student in 2012 (NSDI 2012). It is a protocol-independent framework for modelling a network and checking its state, and it is generally used to help network administrators analyze the network statically, detect network failures and verify traffic isolation between different users. The idea originates in a SIGCOMM 1998 paper by Lakshman and Stiliadis, which classifies packets using a multi-dimensional geometric space. In 2013 a Stanford laboratory built NetPlumber, an HSA-based real-time policy checker for SDN that detects network failures and answers reachability and loop questions, and in 2014 an HSA-based firewall, FLOWGUARD, was presented at HotSDN, a SIGCOMM workshop.

This thesis applies HSA's strength in network-state analysis to intrusion detection and proposes an HSA-based IDS. Because SDN control is centralized, a single IDS suffices to analyze the traffic of the whole network: the SDN controller manages every switch and mirrors each switch's traffic to the IDS, either through a tap or via PACKET_IN messages. Because SDN switches are programmable, their actions are far more varied than those of traditional switches, and the resulting uncertainty and dynamism of switch behaviour makes the network administrator's job harder. This thesis therefore uses the centralized control of the SDN controller to simplify IDS deployment, and uses HSA to analyze the network state and so cope with the difficulties that programmability introduces.

In summary, the thesis proposes an HSA-based IDS built on the centralized control and programmability of SDN. The IDS detects abnormal flows in the SDN and at the same time works out the specific switch and port through which the abnormal flow entered the network, so that the flow can be stopped at its source. The proposed IDS consists of five modules: SDN Controller, Agent, HSA Computing, Intrusion Detection and Packet Interception. The SDN Controller mirrors traffic to Intrusion Detection, controls and manages the whole SDN network, and notifies the Agent when it detects a topology change. The Agent collects the topology and flow tables for HSA Computing. HSA Computing analyzes and tracks the abnormal packets reported by Intrusion Detection and instructs Packet Interception to stop the abnormal flow. Floodlight is used as the SDN Controller and Snort as Intrusion Detection; the Agent, HSA Computing and Packet Interception modules were implemented and the whole system was evaluated.

The experiments show that even with as many as 12,000 switches in the SDN network, HSA Computing completes forward tracking in under 2 seconds and backward tracking in about 0.5 seconds on average, which demonstrates the high performance and scalability of the proposed intrusion detection system.
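The forward and backward tracking that the HSA Computing module performs, as an added Python example; this is not the thesis's code and the thesis's implementation is not reproduced here. It models headers as wildcard bit strings in the HSA style, applies flow-table rules in priority order (each rule sees only what higher-priority rules left over), follows links between switches, and for a packet the IDS flagged walks the tables backwards, undoing header rewrites, to the edge switch and port where it entered. The 8-bit header layout, the three-switch topology, the flow tables, the alert header and the function names are all constructed for this example; real tables also match on ingress port and on many header fields, which this toy omits.

```python
"""Toy header space analysis (HSA) for an SDN IDS: forward tracking of a header space
through flow tables, and backward tracking from a packet the IDS flagged back to the
switch and port where it entered. Headers are wildcard strings over {'0','1','x'}."""
from collections import namedtuple

Rule = namedtuple("Rule", "match out_port rewrite", defaults=(None,))  # out_port None = drop
Switch = namedtuple("Switch", "ports rules")  # rules: highest priority first
MAX_HOPS = 16  # bound the trace depth in case the flow tables contain a forwarding loop

def intersect(a, b):
    """Bitwise intersection of two wildcard strings, or None if it is empty."""
    out = []
    for x, y in zip(a, b):
        if x != "x" and y != "x" and x != y:
            return None
        out.append(y if x == "x" else x)
    return "".join(out)

def difference(a, b):
    """a minus b as a list of disjoint wildcard strings (HSA set difference)."""
    if intersect(a, b) is None:
        return [a]
    pieces, cur = [], a
    for i, (x, y) in enumerate(zip(a, b)):
        if x == "x" and y != "x":
            pieces.append(cur[:i] + ("1" if y == "0" else "0") + cur[i + 1:])
            cur = cur[:i] + y + cur[i + 1:]
    return pieces

def inverse_rewrite(h, rw):
    """Pre-image of h under a rewrite (rewritten bits become 'x'); None if h
    contradicts the rewrite, i.e. this rule cannot have produced h."""
    if rw is None:
        return h
    pre = [x if r == "x" else "x" if x in ("x", r) else None for x, r in zip(h, rw)]
    return None if None in pre else "".join(pre)

def forward_trace(switches, links, sw, hs, depth=0):
    """(switch, port, header) for every edge port header space hs can leave through after
    entering switch sw. Each rule sees only what higher-priority rules did not match."""
    exits, remaining = [], [hs]
    for rule in switches[sw].rules:
        hits = [h for h in (intersect(r, rule.match) for r in remaining) if h is not None]
        remaining = [p for r in remaining for p in difference(r, rule.match)]
        for h in hits:
            if rule.out_port is None:
                continue  # dropped by this rule
            h2 = h if rule.rewrite is None else "".join(x if r == "x" else r for x, r in zip(h, rule.rewrite))
            nxt = links.get((sw, rule.out_port))
            if nxt is None:
                exits.append((sw, rule.out_port, h2))  # edge port: leaves the network here
            elif depth < MAX_HOPS:
                exits.extend(forward_trace(switches, links, nxt[0], h2, depth + 1))
        if not remaining:
            break
    return exits

def backward_trace(switches, links, sw, out_port, h, depth=0):
    """(switch, port, header-at-ingress) for every edge port a packet with header h
    could have entered through, given that it left switch sw on out_port."""
    sources, higher = [], []
    for rule in switches[sw].rules:
        if rule.out_port == out_port:
            pre = inverse_rewrite(h, rule.rewrite)
            pre = None if pre is None else intersect(pre, rule.match)
            pieces = [] if pre is None else [pre]
            for m in higher:  # remove what a higher-priority rule would have taken instead
                pieces = [p for q in pieces for p in difference(q, m)]
            for port in switches[sw].ports - {out_port}:
                up = links.get((sw, port))
                for p in pieces:
                    if up is None:
                        sources.append((sw, port, p))
                    elif depth < MAX_HOPS:
                        sources.extend(backward_trace(switches, links, up[0], up[1], p, depth + 1))
        higher.append(rule.match)
    return sources

def build_network():
    """Constructed topology (not from the thesis): h1-s1-s2-s3-h3, h2 on s2 port 3. The 8-bit
    header is src id + dst id: h1=0001, h2=0010, h3=0011; s2 rewrites h2's src id to 0100."""
    switches = {
        "s1": Switch({1, 2}, [Rule("00010011", 2), Rule("xxxx0001", 1), Rule("xxxxxxxx", None)]),
        "s2": Switch({1, 2, 3}, [Rule("00100011", 2, "0100xxxx"), Rule("xxxx0011", 2),
                                 Rule("xxxx0010", 3), Rule("xxxx0001", 1), Rule("xxxxxxxx", None)]),
        "s3": Switch({1, 2}, [Rule("xxxx0011", 2), Rule("xxxxxxxx", 1)]),
    }
    links = {("s1", 2): ("s2", 1), ("s2", 1): ("s1", 2), ("s2", 2): ("s3", 1), ("s3", 1): ("s2", 2)}
    return switches, links

def locate_ingress(switches, links, sw, port, h):
    """Ingress (switch, port) pairs to report for an alert on header h seen leaving sw:port."""
    return sorted({(s, p) for s, p, _ in backward_trace(switches, links, sw, port, h)})

def block_at_ingress(switches, links, sw, port, h):
    """Packet interception: top-priority drop rule for the pre-rewrite header at each ingress."""
    for s, _, pre in backward_trace(switches, links, sw, port, h):
        switches[s].rules.insert(0, Rule(pre, None))
```

With these constructed tables, an alert on header `01000011` mirrored from s3 port 2 gives `locate_ingress(switches, links, "s3", 2, "01000011") == [('s2', 3)]`: a packet with source id 0100 can only have entered at s2 port 3, either as h2 traffic whose source s2 rewrote or as a packet that already carried that source. The backward trace returns both pre-rewrite headers, so `block_at_ingress` installs a drop rule for each at s2, after which `forward_trace(switches, links, "s2", "00100011")` reports no exit at all. The `MAX_HOPS` bound is what keeps the trace finite when a flow table contains a loop, a case the thesis notes NetPlumber also has to detect.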
Keywords/Search Tags: Intrusion Detection System, Header Space Analysis, Software Defined Networking, Floodlight, Snort