Software Defined Networking Architecture Research Articles

Simulation of DOS Attacks Mitigation in Software Defined Network Architecture using Load Balancing Algorithm

Simulation of DOS Attacks Mitigation in Software Defined Network Architecture using Load Balancing Algorithm

An Efficient Approach for Detection of Compromised SDN Switches and Restoration of Network Flow

In Software Defined Networking (SDN) the data plane is separated from the controller plane to achieve better functionality than the traditional networking. Although this approach poses a lot of security vulnerabilities due to its centralized approach. One significant issue is compromised SDN switches because the switches are dumb in SDN architecture and in absence of any intelligence it can be a easy target to the attackers. If one or more switches are attacked and compromised by the attackers, then the whole network might be down or defunct. Therefore, in this work we have devised a strategy to successfully detect the compromised SDN switches, isolate them and then reconstruct the whole network flow again by bypassing the compromised switches. In our proposed approach of detection, we have used two controllers, one as primary and another as secondary which is used to run and validate our algorithm in the detection process. Flow reconstruction is the next job of the secondary controller which after execution is conveyed to the primary controller. A two-controller strategy has been used to balance the additional load of detection and reconstruction activity from the master controller and thus achieved a balanced outcome in terms of running time and CPU utilization. All the propositions are validated by experimental analysis of the results and compared with existing state of the art to satisfy our claim.

A Collaborative Approach to Detecting DDoS Attacks in SDN Using Entropy and Deep Learning

Software-defined networking (SDN) is an approach to network management allowing to enhance the performance of the network and making it more flexible. The centralized architecture of SDN makes it vulnerable to cyberattacks, especially distributed denial of service (DDoS) attacks. Existing research investigates the detection of DDoS attacks separately on the control plane and data plane. However, there is a need for efficient and accurate detection of these attacks using features obtained from both control and data planes. Therefore, we present a mechanism for identifying DDoS attacks using entropy, multiple feature selection mechanisms, and deep learning. Initially, we use entropy on the control plane to detect anomalous activity and identify suspicious switches. Next, we capture traffic on the suspicious switches to detect DDoS attacks. To detect these attacks, we utilize multi-layer perceptron (MLP) deep learning models, convolutional neural network (CNN), and the long short-term memory (LSTM) approach. An InSDN dataset is used to train the model and test data are generated using Mininet emulation and the Ryu controller. The results reveal that LSTM outperforms MLP and CNN, achieving an accuracy of 99.83%.

Research on Multi-Layer Defense against DDoS Attacks in Intelligent Distribution Networks

With the continuous development of new power systems, the intelligence of distribution networks has been increasingly enhanced. However, network security issues, especially distributed denial-of-service (DDoS) attacks, pose a significant threat to the safe operation of distribution networks. This paper proposes a novel DDoS attack defense mechanism based on software-defined network (SDN) architecture, combining Rényi entropy and multi-level convolutional neural networks, and performs fine-grained analysis and screening of traffic data according to the amount of calculation to improve the accuracy of attack detection and response speed. Experimental verification shows that the proposed method excels in various metrics such as accuracy, precision, recall, and F1-score. It demonstrates significant advantages in dealing with different intensities of DDoS attacks, effectively enhancing the network security of user-side devices in power distribution networks.

Software-Defined Virtual Private Network for SD-WAN

Software-Defined Wide Area Networks (SD-WANs) are an emerging Software-Defined Network (SDN) technology to reinvent Wide Area Networks (WANs) for ubiquitous network interconnections in cloud computing, edge computing, and the Internet of Everything. The state-of-the-art overlay-based SD-WANs are simply conjunctions of Virtual Private Network (VPN) and SDN architecture to leverage the controllability and programmability of SDN, which are only applicable for specific platforms and do not comply with the extensibility of SDN. This paper motivates us to refactor traditional VPNs with SDN architecture by proposing an overlay-based SD-WAN solution named Software-Defined Virtual Private Network (SD-VPN). An SDN-based auto-constructed VPN model and its evaluating metrics are put forward to automatically construct overlay WANs by node placement and service orchestration of SD-VPN. Therefore, a joint placement algorithm of VPN nodes and algorithms for overlay WAN service loading and offloading are proposed for SD-VPN controllers. Finally, a three-layer SD-VPN system is implemented and deployed in actual network environments. Simulation experiments and system tests are conducted to prove the high-efficiency controllability, real-time programmability, and auto-constructed deployability of the proposed SD-VPN. Performance trade-off between SD-VPN control channels and data channels is evaluated, and SD-VPN controllers are proven to be extensible for other VPN protocols and advanced services.

Improvement of the secure routing model in software-configured networks

Currently, the deployment of such network architectures as Software-Defined Networking (SDN) is facing new cyber security threats that require the development and research of new specialized solutions to increase the level of network security. Despite its high openness and programmability, the SDN architecture replaces the traditional network, but it increases the number of potential network attacks, which leads to new security problems. The growing interest in SDN and the widespread deployment of software-configured networks of various types allow identifying their shortcomings in the process of combating cyber security threats. Obviously, security issues are closely related to the characteristics of SDN networks themselves. Furthermore, security issues in SDN can be divided based on three layers: data plane, control plane, and application plane. At the same time, devices of different SDN levels can be among the objects of attacks. Therefore, according to the multilayer architecture of SDN, security threats can be classified at the data transmission, management and application layers. For its part, the data plane consists of switches and other network devices and is mainly responsible for data processing, forwarding, discarding, and collecting statistics. The data plane functions on the basis of flow rules provided by the network controller. While the main causes of security problems are the SDN architecture itself, external malicious attacks, insufficient access control and encryption tools. Today, an important place in the complex of means of increasing network security, including SDN networks, is given to routing protocols, which require the systematic and coordinated interaction of a number of network elements at the same time – SDN switches and network controllers during the formation (calculation) of paths and flow rules, along which the required level of security must be ensured according to selected indicators or criteria. The paper analyzes how to modify route metrics in such a way that the resulting model acquires the properties of secure QoS routing. It is shown that the improvement of the model and the choice of the route should be chosen taking into account the basic metrics of the criticality of vulnerabilities and the bandwidth of the communication channels that make up this route.

Enabling IP-optical integration in core and metro networks [Invited

IP-optical (Internet protocol and optical) integration, or “IP over DWDM (dense wavelength division multiplexing),” is a concept spanning over two decades since the advent of coherent DSP (digital signal processing). In recent years, coherent DSP technology has progressed to a point where it can be integrated on small pluggable form factors that can be equipped in optical line systems and disaggregated transponders or directly in IP routers to support a range of metro and core applications. The option of equipping pluggable digital coherent optics (DCOs) directly in IP routers has the biggest potential for operational cost savings but hinges on the availability of a unified management environment with a single pane of glass to coordinate and automate IP routing and optical transport functions. This work presents alternative software-defined networking (SDN) architectures and evaluates the challenges associated with the evolution to IP over DWDM network architectures. It demonstrates the first, to our knowledge, implementation of the Transport API supporting colored pluggable interfaces in routers in a real network testbed. This work contributes to the realization of end-to-end network management for IP-optical networks, offering operators comprehensive visibility into multi-layer and multi-domain services and empowering revenue generation.

An Integrated DQN and RF Packet Routing Framework for the V2X Network

With the development of artificial intelligence technology, deep reinforcement learning (DRL) has become a major approach to the design of intelligent vehicle-to-everything (V2X) routing protocols for vehicular ad hoc networks (VANETs). However, if the V2X routing protocol does not consider both real-time traffic conditions and historical vehicle trajectory information, the source vehicle may not transfer its packet to the correct relay vehicles and, finally, to the destination. Thus, this kind of routing protocol fails to guarantee successful packet delivery. Using the greater network flexibility and scalability of the software-defined network (SDN) architecture, this study designs a two-phase integrated DQN and RF Packet Routing Framework (IDRF) that combines the deep Q-learning network (DQN) and random forest (RF) approaches. First, the IDRF offline phase corrects the vehicle’s historical trajectory information using the vehicle trajectory continuity algorithm and trains the DQN model. Then, the IDRF real-time phase judges whether vehicles can meet each other and makes a real-time routing decision to select the most appropriate relay vehicle after adding real-time vehicles to the VANET. In this way, the IDRF can obtain the packet transfer path with the shortest end-to-end delay. Compared to two DQN-based approaches, i.e., TDRL-RP and VRDRT, and traditional VANET routing algorithms, the IDRF exhibits significant performance improvements for both sparse and congested periods during intensive simulations of the historical GPS trajectories of 10,357 taxis within Beijing city. Performance improvements in the average packet delivery ratio, end-to-end delay, and overhead ratio of the IDRF over TDRL-RP and VRDRT under different numbers of pairs and transmission ranges are at least 3.56%, 12.73%, and 5.14% and 6.06%, 11.84%, and 7.08%, respectively.

A lightweight packet forwarding verification in SDN using sketch

By decoupling the control plane and the data plane, Software Defined Networking (SDN) has reshaped the ossified network architecture and improved the programmability of the network. However, SDN is also susceptible to malicious injection, tampering, dropping and hijacking attacks against forwarding packets, and the SDN architecture cannot perceive the real behavior of switches in the data plane. Packet forwarding verification and exception localization are recognized as effective and promising methods, enabling reliable packet delivery in the data plane and allowing the controller in SDN to identify abnormal links. While existing mechanisms embed the linear-scale cryptographic tags into the packet header space as the transmission path lengthens to realize packet verification and exception localization, which cannot achieve a feasible tradeoff between efficiency and security. Leveraging the central controllability of SDN, we propose a lightweight packet forwarding verification mechanism. This mechanism splits the runtime of a flow into consecutive epochs by address hopping. The switches in the data plane forward packets based on hopping address, collecting the information of packets forwarded in a compact data structure, namely traffic sketch. The controller verifies traffic sketches and localizes exception in the epoch. We further prototype the proposed mechanism based on simulation network. The analysis and experiments demonstrate that the cost of proposed scheme is lower than the similar mechanisms, introducing no more than 9 % additional forwarding delay and less than 8 % throughput degradation.

An effective deep-Q learning scheme for QoS improvement in physical layer of software-defined networks

The demands of diverse applications necessitate specific communication requirements, such as jitter, packet loss ratio (PLR), and latency, at the end-to-end (E2E) level within the physical layer of software-defined networking (SDN). In heterogeneous network environments, E2E routes traverse multiple domains with varying quality-of-service (QoS) classes of traffic, posing challenges in meeting unique E2E QoS criteria. Hence the performance on the E2E path is significant to meet the needs of applications. Hence, the issue of providing services on the E2E route is challenging due to several QoS classes in a domain on the source-to-destination route. This paper presents an SDN architecture leveraging Deep Q-learning (DQL) to ascertain the appropriate QoS class for E2E routes in software-defined heterogeneous networks, thereby reducing overall E2E delay. The proposed model with DQL is compared with benchmark reinforcement learning. The proposed framework is validated using various real Internet topologies such as Abilene, USNet, and OS3E, assessing not only E2E delay but also jitter, PLR, and throughput, showcasing its efficacy in optimizing network performance regarding these performance metrics.

Utilizing Extremely Fast Decision Tree (EFDT) Algorithm to Categorize Conflict Flow on a Software-Defined Network (SDN) Controller

Software-Defined Networks (SDNs) provide a contemporary approach to networking technology, offering a versatile and dynamically efficient network architecture for enhanced surveillance and performance. However, SDN architectures may encounter flow conflicts. These conflicts arise when modifications are made to specific flow properties, such as priority, match field, and action. Despite the existence of recommended solutions, the process of resolving conflicts in SDN continues to encounter difficulties. This study proposes an Extremely Fast Decision Tree (EFDT) classification technique to detect and categorize conflicts inside the flow table. The novelty of this method is based on the development of an accurate and effective machine-learning technique implemented on the Ryu controller plane and validated using the Mininet simulator. The effectiveness and efficiency of the proposed method were evaluated using various indicators, demonstrating superior performance in recognizing and categorizing conflict flow types in all flow sizes ranging from 10,000 to 100,000.

Blockchain-Enabled Intelligent IoT Protocol for High-Performance and Secured Big Financial Data Transaction

In the recent era, the communication network with the support of many wireless technologies is giving benefits for remote access. Such a communication model increases the flexibility for data storage with the management of network resources efficiently with the integration of the Internet of Things (IoT). Although, the industrial Internet of Things (IIoT) has enabled the development of numerous machine learning-based solutions to provide real-time applications. However, most of the solutions are not prepared to cope with heterogeneous services and the huge amount of device data in the digital world. Furthermore, conducting financial transactions over the Internet raises several security issues. Such restrictions compromise the sensitive data of financial institutions and also degrade the trust of network users in the system. Thus, this article presents a secured blockchain model for high-performance computing in a big data environment, which aims to protect the business activities for financial interaction with intelligent services of software-defined network (SDN) architecture. First, to keep the security credentials, the SDN controller creates an association between the IoT devices and maintains local and global records. Second, the machine learning approach is explored using reliable and fault-tolerant methods to support the network scalability and extract the updated routing information for transmitting financial data. The proposed protocol also provides data integrity with a high level of network availability and copes with the financial security of big data by investigating cryptographic approaches. Our proposed protocol is tested using simulation, and various experiments are performed to show its efficacy in terms of network throughput, computing overhead, data delay, response time, and dropped packets as compared to tunicate swarm algorithm-based optimized routing mechanism (TORM) and RouteChain.

An Adaptive State Consistency Architecture for Distributed Software-Defined Network Controllers: An Evaluation and Design Consideration

The Physically Distributed Logically Centralized (PDLC) software-defined network (SDN) control plane is physically dispersed across several controllers with a global network view for performance, scalability, and fault tolerance. This design, providing control applications with a global network view, necessitates network state synchronization among controllers. The amount of inter-controller synchronization can affect the performance and scalability of the system. The absence of standardized communication protocols for East-bound SDN interfaces underscores the need for high-performance communication among diverse SDN controllers to maintain consistent state exchange. An inconsistent controller’s network view can significantly impact network effectiveness and application performance, particularly in dynamic networks. This survey paper offers an overview of noteworthy AI and non-AI solutions for PDLC SDN architecture in industry and academia, specifically focusing on their approaches to consistency and synchronization challenges. The suggested PDLC framework achieves an adaptive controller-to-controller synchronization rate in a dynamic network environment.

Enhanced Anomaly Detection Framework for 6G Software-Defined Networks: Integration of Machine Learning, Deep Neural Networks, and Dynamic Telemetry

The advent of 6G networks ushers in a new era of intelligent network management, necessitating robust security measures to safeguard against emerging threats. This paper presents a comprehensive framework for anomaly detection tailored specifically for 6G Software-Defined Networks (SDNs), leveraging innovative ML), (DL), and dynamic telemetry techniques. The proposed framework, termed Anomaly Detection System for 6G SDNs, integrates ensemble learning (EL) algorithms and deep neural networks (DNNs) to detect anomalies within network traffic. Beginning with the preprocessing and feature selection stages, the proposed system employs an amalgam EL method to enhance the efficacy of anomaly detection. Datasets including CICDDOS2019, NSL KDD, CIC_IDS2017, and NB2015 undergo dimensionality reduction and feature subset determination to optimize performance. Furthermore, dynamic telemetry is seamlessly integrated into the proposed, enabling real- time monitoring and adaptive response mechanisms within SDN environments. By harnessing the flexibility and programmability of SDNs, the framework ensures a proactive defense against evolving threats, bolstering the security posture of 6G networks. Experimental evaluations demonstrate the effectiveness of ADS6SDN across diverse datasets, achieving high accuracies while minimizing false alarm rates. In conclusion, integrating ML, DL, and dynamic telemetry within the proposed approach offers a potent solution for enhancing the security and responsiveness of 6G SDNs. By leveraging the inherent advantages of SDN architectures, the framework not only fortifies network defenses against emerging threats but also ensures adaptability to the budding scenario of next-generation telecommunications.

Comparative Analysis of Cloud based SDN and NFV in 5g Networks

The acceleration of 5G and other communication technologies is significantly influenced by digitization. However, the current state of 5G development falls short in meeting various performance and manageability requirements, particularly in supporting data center networks. To overcome these challenges, telecom enterprises commonly utilize Network Function Virtualization (NFV) and Software-Defined Networking (SDN) in their data centers. This paper introduces a comprehensive SDN-NFV architecture aimed at simplifying network administration tasks for telecom enterprises. The evolution of interconnect network operations for virtual services has undergone substantial transformations due to the adoption of Software-Defined Networking (SDN) and Network Function Virtualization (NFV). We conducted an investigation into the SDN/NFV paradigm to determine the effective implementation, management, and distribution of network services to end users. This compilation of research papers delves into various aspects of Software-Defined Networking (SDN) and Network Function Virtualization (NFV) within the realm of emerging technologies. Aissioui et al. (2015) contribute with an elastic distributed SDN/NFV controller designed for the efficient management of 5G mobile cloud systems, addressing their dynamic nature. Alenezi et al. (2019) focus on cloud-based SDN and NFV architectures tailored for IoT infrastructure, emphasizing scalability and flexibility. Barakabitze et al. (2020) provide an extensive survey on 5G network slicing using SDN and NFV, categorizing approaches and discussing future challenges.

A Comprehensive Survey of Distributed Denial of Service Detection and Mitigation Technologies in Software-Defined Network

The widespread adoption of software-defined networking (SDN) technology has brought revolutionary changes to network control and management. Compared to traditional networks, SDN enhances security by separating the control plane from the data plane and replacing the traditional network architecture with a more flexible one. However, due to its inherent architectural flaws, SDN still faces new security threats. This paper expounds on the architecture and security of SDN, analyzes the vulnerabilities of SDN architecture, and introduces common distributed denial of service (DDoS) attacks within the SDN architecture. This article also provides a review of the relevant literature on DDoS attack detection and mitigation in the current SDN environment based on the technologies used, including statistical analysis, machine learning, policy-based, and moving target defense techniques. The advantages and disadvantages of these technologies, in terms of deployment difficulty, accuracy, and other factors, are analyzed. Finally, this study summarizes the SDN experimental environment and DDoS attack traffic generators and datasets of the reviewed literature and the limitations of current defense methods and suggests potential future research directions.

A cost and demand sensitive adjustment algorithm for service function chain in data center network

The introduction of Network Function Virtualization (NFV) and Software-Defined Network (SDN) architectures has significantly reduced the Operational Expenditure (OPEX) and Capital Expenditure (CAPEX) of network system. However, NFV orchestration management also brings about challenges. After the initial deployment of VNFs, due to the volatility of network requests, the original deployment may not be able to meet user resource demands. The key issue is how to readjust resources dynamically to accommodate more network requests without violating Quality of Service (QoS) for users. Several existing techniques can be used to achieve this goal, such as horizontal scaling, vertical scaling, and virtual network function (VNF) migration. However, these techniques inevitably incur some overhead, such as the cost of instantiating VNF and link rerouting. Additionally, resource adjustment may also result in unbalanced distribution of network resources. In this paper, an Intelligent Service Function Chain Dynamic Adjustment Algorithm (ISFCDAA) is proposed to address the above challenges. Firstly, an Integer Linear Programming (ILP) model is established with the objective of minimizing the long-term adjustment cost and reducing the imbalance of resource distribution. Then we transform the optimization process into a Markov Decision Process (MDP). Secondly, to solve the problems that the state and action space is too large and the state transition probability is uncertain in MDP, a SFC dynamic adjustment algorithm based on deep reinforcement learning is proposed. This algorithm can obtain an approximate optimal adjustment strategy for ILP model. The simulation results show that ISFCDAA can reduce the adjustment overhead and maintain a balanced distribution of network resources while ensuring the QoS. Compared with the existing algorithms, the average standard deviation of resource distribution of ISFCDAA is reduced by up to 9.90%, the average acceptance rate of ISFCDAA is improved by up to 39.57%, and the average long-term profit is improved by up to 42.92%. The incorporation of cost and demand-sensitive considerations into ISFCDAA enhances its responsiveness to fluctuating network demands, solidifying its effectiveness in dynamic resource management scenarios.

A Temporal Deep Q Learning for Optimal Load Balancing in Software-Defined Networks.

With the rapid advancement of the Internet of Things (IoT), there is a global surge in network traffic. Software-Defined Networks (SDNs) provide a holistic network perspective, facilitating software-based traffic analysis, and are more suitable to handle dynamic loads than a traditional network. The standard SDN architecture control plane has been designed for a single controller or multiple distributed controllers; however, a logically centralized single controller faces severe bottleneck issues. Most proposed solutions in the literature are based on the static deployment of multiple controllers without the consideration of flow fluctuations and traffic bursts, which ultimately leads to a lack of load balancing among controllers in real time, resulting in increased network latency. Moreover, some methods addressing dynamic controller mapping in multi-controller SDNs consider load fluctuation and latency but face controller placement problems. Earlier, we proposed priority scheduling and congestion control algorithm (eSDN) and dynamic mapping of controllers for dynamic SDN (dSDN) to address this issue. However, the future growth of IoT is unpredictable and potentially exponential; to accommodate this futuristic trend, we need an intelligent solution to handle the complexity of growing heterogeneous devices and minimize network latency. Therefore, this paper continues our previous research and proposes temporal deep Q learning in the dSDN controller. A Temporal Deep Q learning Network (tDQN) serves as a self-learning reinforcement-based model. The agent in the tDQN learns to improve decision-making for switch-controller mapping through a reward-punish scheme, maximizing the goal of reducing network latency during the iterative learning process. Our approach-tDQN-effectively addresses dynamic flow mapping and latency optimization without increasing the number of optimally placed controllers. A multi-objective optimization problem for flow fluctuation is formulated to divert the traffic to the best-suited controller dynamically. Extensive simulation results with varied network scenarios and traffic show that the tDQN outperforms traditional networks, eSDNs, and dSDNs in terms of throughput, delay, jitter, packet delivery ratio, and packet loss.

Multi-Stage Learning Framework Using Convolutional Neural Network and Decision Tree-Based Classification for Detection of DDoS Pandemic Attacks in SDN-Based SCADA Systems

Supervisory Control and Data Acquisition (SCADA) systems, which play a critical role in monitoring, managing, and controlling industrial processes, face flexibility, scalability, and management difficulties arising from traditional network structures. Software-defined networking (SDN) offers a new opportunity to overcome the challenges traditional SCADA networks face, based on the concept of separating the control and data plane. Although integrating the SDN architecture into SCADA systems offers many advantages, it cannot address security concerns against cyber-attacks such as a distributed denial of service (DDoS). The fact that SDN has centralized management and programmability features causes attackers to carry out attacks that specifically target the SDN controller and data plane. If DDoS attacks against the SDN-based SCADA network are not detected and precautions are not taken, they can cause chaos and have terrible consequences. By detecting a possible DDoS attack at an early stage, security measures that can reduce the impact of the attack can be taken immediately, and the likelihood of being a direct victim of the attack decreases. This study proposes a multi-stage learning model using a 1-dimensional convolutional neural network (1D-CNN) and decision tree-based classification to detect DDoS attacks in SDN-based SCADA systems effectively. A new dataset containing various attack scenarios on a specific experimental network topology was created to be used in the training and testing phases of this model. According to the experimental results of this study, the proposed model achieved a 97.8% accuracy rate in DDoS-attack detection. The proposed multi-stage learning model shows that high-performance results can be achieved in detecting DDoS attacks against SDN-based SCADA systems.

Bi-channel hybrid GAN attention based anomaly detection system for multi-domain SDN environment

Software-Defined Networking (SDN) is a strategy that leads the network via software by separating its control plane from the underlying forwarding plane. In support of a global digital network, multi-domain SDN architecture emerges as a viable solution. However, the complex and ever-evolving nature of network threats in a multi-domain environment presents a significant security challenge for controllers in detecting abnormalities. Moreover, multi-domain anomaly detection poses a daunting problem due to the need to process vast amounts of data from diverse domains. Deep learning models have gained popularity for extracting high-level feature representations from massive datasets. In this work, a novel deep neural network architecture, supervised learning based LD-BiHGA (Low Dimensional Bi-channel Hybrid GAN Attention) system is designed to learn class-specific features for accurate anomaly detection. Two asymmetric GANs are employed for learning the normal and abnormal network flows separately. Then, to extract more relevant features, a bi-channel attention mechanism is added. This is the first study to introduce an innovative hybrid architecture that merges bi-channel hybrid GANs with attention models for the purpose of anomaly detection in a multi-domain SDN environment that effectively handles real-time unbalanced data. The suggested architecture demonstrates its effectiveness on three benchmark datasets, achieving an average accuracy improvement of 7.225% on balanced datasets and 3.335% on imbalanced datasets compared to previous intrusion detection system (IDS) architectures in the literature.