Software Defined Networking (SDN) is a network architecture that decouples network control from the underlying forwarding infrastructure so that the control plane becomes directly programmable. Through software-based SDN controllers the network is managed centrally, so administrators can configure network resources quickly and dynamically adjust network-wide traffic flows to meet changing needs. These advantages of SDN have already been proven in academia and industry. However, because of its short development period, software defined networking still faces a number of challenges; this paper mainly discusses the security issues of the data plane. In the new SDN architecture some security threats are shared with traditional networks, including ARP spoofing and other forged packets, but the profile of these threats changes. Moreover, there are new security challenges, such as bypassing predefined mandatory policies by overwriting flow entries. Meanwhile, there may be conflicts between the rules in the flow table. Aiming at these two kinds of security challenges, this paper presents an attack protection strategy for the data layer of software defined networks. To address the potential threat from southbound devices, we detect forged packets using the controller's ability to perceive the state of the whole network, ensuring that the packets received by subsequent modules carry correct addresses; at the same time, the design of a host credit evaluation allows the module to be coupled more easily with other security modules. For the case in which the rules of a high-security-level application are bypassed or overwritten, the flow table rules and the security rules are used to generate two rule spaces. When an application sends new rules to the controller, we detect whether the two spaces overlap, borrowing the idea of header space analysis.
Once there is an overlap, meaning the rules conflict, we invoke the conflict resolution module to discard the rule or insert additional flow entries.
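The rule-space overlap check and the conflict resolution described above, as an added worked example that is not code from the paper. It follows the header space analysis idea the abstract borrows: every match field is encoded as a ternary bit string (0, 1, or the wildcard x), a rule's match space is the concatenation of its fields, and two spaces overlap exactly when their bitwise intersection is non-empty. The reduced header (source IP, destination IP, destination port), the rule names, the priorities and the "insert a carved-out protective entry" resolution are assumptions made for illustration.

```python
"""Header-space overlap check between a security rule space and a new flow rule.

Added example (not the paper's code). Header = 32-bit src IP || 32-bit dst IP ||
16-bit dst port, each written as a ternary string over {'0', '1', 'x'}.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

WILD = "x"


def ip_to_ternary(cidr: str) -> str:
    """10.0.0.0/8 -> 8 fixed bits followed by 24 wildcard bits."""
    net = ipaddress.ip_network(cidr, strict=False)
    bits = format(int(net.network_address), "032b")
    return bits[: net.prefixlen] + WILD * (32 - net.prefixlen)


def port_to_ternary(port: Optional[int]) -> str:
    """None means 'any port' (all 16 bits wildcarded)."""
    return WILD * 16 if port is None else format(int(port), "016b")


def ternary_intersect(a: str, b: str) -> Optional[str]:
    """Bitwise intersection of two header spaces; None when they are disjoint."""
    out = []
    for ca, cb in zip(a, b):
        if ca == WILD:
            out.append(cb)
        elif cb == WILD or ca == cb:
            out.append(ca)
        else:
            return None  # 0 meets 1: no packet satisfies both
    return "".join(out)


@dataclass(frozen=True)
class FlowEntry:
    name: str
    priority: int
    action: str  # "forward" or "drop" (hypothetical action set)
    match: str   # ternary header space, 80 characters


def entry(name: str, priority: int, action: str, src: str = "0.0.0.0/0",
          dst: str = "0.0.0.0/0", dport: Optional[int] = None) -> FlowEntry:
    return FlowEntry(name, priority, action,
                     ip_to_ternary(src) + ip_to_ternary(dst) + port_to_ternary(dport))


def packet_space(src_ip: str, dst_ip: str, dport: int) -> str:
    """A concrete packet is a header space with no wildcards."""
    return ip_to_ternary(src_ip + "/32") + ip_to_ternary(dst_ip + "/32") + port_to_ternary(dport)


def find_conflicts(security_rules: List[FlowEntry], new_rule: FlowEntry) -> List[Tuple[FlowEntry, str]]:
    """A conflict is an overlap where the new rule would override the security
    rule's decision: different action and equal-or-higher priority."""
    hits = []
    for sec in security_rules:
        region = ternary_intersect(sec.match, new_rule.match)
        if region is not None and sec.action != new_rule.action and new_rule.priority >= sec.priority:
            hits.append((sec, region))
    return hits


def resolve(security_rules: List[FlowEntry], new_rule: FlowEntry, mode: str = "insert") -> List[FlowEntry]:
    """Return the entries to install. 'discard' rejects a conflicting rule outright;
    'insert' installs it but also inserts one higher-priority entry per overlap
    region that re-imposes the security rule's action there."""
    conflicts = find_conflicts(security_rules, new_rule)
    if not conflicts:
        return [new_rule]
    if mode == "discard":
        return []
    installed = [new_rule]
    for sec, region in conflicts:
        installed.append(FlowEntry(f"{sec.name}@{new_rule.name}", new_rule.priority + 1, sec.action, region))
    return installed


def lookup(table: List[FlowEntry], packet: str) -> Optional[str]:
    """Switch semantics: highest-priority matching entry decides the action."""
    matching = [e for e in table if ternary_intersect(e.match, packet) is not None]
    return max(matching, key=lambda e: e.priority).action if matching else None


# Constructed sample: a mandatory security rule and two application rules.
SECURITY_RULES = [entry("block-telnet", 100, "drop", dst="10.0.0.0/8", dport=23)]
APP_FORWARD_ALL = entry("app-fwd", 200, "forward", src="10.1.0.0/16", dst="10.0.0.0/8")
APP_FORWARD_WEB = entry("app-fwd-web", 200, "forward", dst="10.0.0.0/8", dport=80)

if __name__ == "__main__":
    for c, region in find_conflicts(SECURITY_RULES, APP_FORWARD_ALL):
        print(f"conflict with {c.name} on region {region}")
    table = SECURITY_RULES + resolve(SECURITY_RULES, APP_FORWARD_ALL)
    print("telnet into overlap ->", lookup(table, packet_space("10.1.2.3", "10.9.9.9", 23)))
    print("http into overlap   ->", lookup(table, packet_space("10.1.2.3", "10.9.9.9", 80)))
```

The overlap region is computed field by field, so a rule that forwards everything from 10.1.0.0/16 into 10.0.0.0/8 intersects the telnet block only on destination port 23; the carved-out entry covers precisely that region with a priority one above the application's rule, so the broader forwarding rule still applies to every other port. Rules whose match spaces are disjoint, or that agree on the action, pass the check without any extra entries.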