Efficient Forwarding Anomaly Detection in Software-Defined Networks

Abstract

Data centers, the critical infrastructure underpinning Cloud computing, often employ Software-Defined Networks (SDN) to manage cluster, wide-area and enterprise networks. As the network forwarding in SDN is dynamically programmed by controllers, it is crucial to ensure that the controller intent is correctly translated into underlying forwarding rules. Therefore, detecting and locating forwarding anomalies in SDN is a fundamental problem in production networks. Existing research proposals, roughly categorized into probing-based, packet piggybacking-based, and flow statistics analysis-based, either impose significant overhead or do not provide sufficient coverage for certain forwarding anomalies. In this article, we propose <inline-formula><tex-math notation="LaTeX">${\sf FADE}$</tex-math></inline-formula> , a controllable and passive measuring scheme to simultaneously deliver detection efficiency and accuracy. <inline-formula><tex-math notation="LaTeX">${\sf FADE}$</tex-math></inline-formula> first analyzes the entire network topology and flow rules, and then computes a minimal set of flows that can cover all forwarding rules. For each selected network flow, <inline-formula><tex-math notation="LaTeX">${\sf FADE}$</tex-math></inline-formula> decides the optimal number of monitoring positions on its path (much less than total number of hops), and installs dedicated rules to collect flow statistics. <inline-formula><tex-math notation="LaTeX">${\sf FADE}$</tex-math></inline-formula> controls the installation and expiration of these rules, along with unique flow labels, to guarantee the accuracy of collected statistics, based on which <inline-formula><tex-math notation="LaTeX">${\sf FADE}$</tex-math></inline-formula> algorithmically decides whether a forwarding anomaly is detected, and if so it further locates the anomaly. On top of <inline-formula><tex-math notation="LaTeX">${\sf FADE}$</tex-math></inline-formula> , we propose <inline-formula><tex-math notation="LaTeX">${\sf iFADE}$</tex-math></inline-formula> (a more scalable version of <inline-formula><tex-math notation="LaTeX">${\sf FADE}$</tex-math></inline-formula> ) to further optimize the usage and deployment of dedicated measurement rules. <inline-formula><tex-math notation="LaTeX">${\sf iFADE}$</tex-math></inline-formula> achieves over 40 percent rule reduction compared with <inline-formula><tex-math notation="LaTeX">${\sf FADE}$</tex-math></inline-formula> . We implement a prototype of both <inline-formula><tex-math notation="LaTeX">${\sf FADE}$</tex-math></inline-formula> and <inline-formula><tex-math notation="LaTeX">${\sf iFADE}$</tex-math></inline-formula> in about 12000 lines of code and evaluate the prototype extensively. The experiment results demonstrate <inline-formula><tex-math notation="LaTeX">${\sf (i)}$</tex-math></inline-formula> <inline-formula><tex-math notation="LaTeX">${\sf FADE}$</tex-math></inline-formula> and <inline-formula><tex-math notation="LaTeX">${\sf iFADE}$</tex-math></inline-formula> are accurate, e.g., they achieve over 95 percent true positive rate and 99 percent true negative rate in anomaly detection; <inline-formula><tex-math notation="LaTeX">${\sf (ii)}$</tex-math></inline-formula> <inline-formula><tex-math notation="LaTeX">${\sf FADE}$</tex-math></inline-formula> and <inline-formula><tex-math notation="LaTeX">${\sf iFADE}$</tex-math></inline-formula> are lightweight, e.g., they reduce the overhead of control messages compared with state-of-the-art by about 50 and 90 percent, respectively.