SDN Dynamic Access Control Scheme Based on Prediction

  • Conference paper
Advanced Hybrid Information Processing (ADHIP 2018)

Abstract

Through research on the access control of software defined network (SDN) northbound interfaces, we found that malicious OpenFlow applications (OF applications) abuse the northbound interfaces with ADD permissions, which can cause controller function failures and other serious harm, or even crash the controller directly. Most previous studies of this issue, such as those resulting in the ControllerDAC scheme, set static thresholds and did not find effective solutions to those problems. This paper analyzes the characteristics of the input flows and proposes an SDN dynamic access control scheme based on prediction and dynamic adjustment of the load threshold. By examining the access characteristics of the OF application, we use a prediction algorithm to determine whether the application will disrupt the API with ADD permissions. This algorithm enables us to perform targeted dynamic access control for different types of applications. Experimental results show that, compared with the aforementioned ControllerDAC scheme, our scheme effectively reduces the malicious flow table rate and limits the delivery of malicious flow tables, and the extra delay generated by our scheme is less than 10%.

References

  1. Scott-Hayward, S., Kane, C., Sezer, S.: Operationcheckpoint: SDN application control. In: Proceedings of the 2014 IEEE 22nd International Conference on Network Protocols, Ser., ICNP 2014, pp. 618–623 (2014)

  2. Noh, J., Lee, S., Park, J., et al.: Vulnerabilities of network OS and mitigation with state-based permission system. Secur. Commun. Netw. 9(13), 1971–1982 (2016)

  3. Porras, P., Shin, S., Yegneswaran, V., Fong, M., Tyson, M., Gu, G.: A security enforcement kernel for OpenFlow networks. In: Proceedings of the 1st Workshop on Hot Topics in Software Defined Networks, pp. 121–126. ACM, Helsinki (2012)

  4. Tseng, Y., Pattaranantakul, M., He, R., Zhang, Z., Nait-Abdesselam, F.: Controller DAC: securing SDN controller with dynamic access control. In: IEEE ICC 2017 Communication and Information System Security Symposium (2017)

  5. Alfred, R., Fun, T.S., Tahir, A., et al.: Concepts labeling of document clusters using a hierarchical agglomerative clustering (HAC) technique. In: Uden, L., Wang, L., Corchado Rodríguez, J., Yang, H.C., Ting, I.H. (eds.) The 8th International Conference on Knowledge Management in Organizations, pp. 263–272. Springer, Dordrecht (2013). https://doi.org/10.1007/978-94-007-7287-8_21

  6. Porras, P., Cheung, S., Fong, M., Skinner, K., Yegneswaran, V.: Securing the software-defined network control layer. In: Proceedings of the 2015 Annual Network and Distributed System Security Symposium (NDSS 2015), pp. 1–15. Internet Society, San Diego (2015)

  7. Banse, C., Rangarajan, S.: A secure northbound interface for SDN applications. In: Proceedings of the 2015 IEEE Trustcom/BigDataSE/ISPA (2015)

  8. Tseng, Y., Zhang, Z., Nait-Abdesselam, F.: ControllerSEPA: a security-enhancing SDN controller plug-in for OpenFlow application. In: Proceedings of the 17th International Conference on Parallel and Distributed Computing, Applications and Technologies (2016)

  9. ON.Lab: ONOS application permissions. https://wiki.onosproject.org/display/ONOS/ONOS+Application+Permissions

  10. Porras, P., Cheung, S., Fong, M., Skinner, K.: Securing the software-defined network control layer. In: Proceedings of the 2015 Network and Distributed System Security Symposium (NDSS), February 2015

  11. Benson, T., Akella, A., Maltz, D.A.: Network traffic characteristics of data centers in the wild. In: Proceedings of the 10th ACM SIGCOMM Conference on Internet Measurement, pp. 267–280. ACM (2010)

  12. Kreutz, D., Ramos, F.M.V., Veríssimo, P., Rothenberg, C.E., Azodolmolky, S., Uhlig, S.: Software-defined networking: a comprehensive survey. CoRR, vol. abs/1406.0440 (2014). http://arxiv.org/abs/1406.0440

Corresponding author

Correspondence to Shihui Zheng.

Copyright information

© 2019 ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering

Cite this paper

Cui, Q., Zheng, S., Sun, B., Cai, Y. (2019). SDN Dynamic Access Control Scheme Based on Prediction. In: Liu, S., Yang, G. (eds) Advanced Hybrid Information Processing. ADHIP 2018. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 279. Springer, Cham. https://doi.org/10.1007/978-3-030-19086-6_7

  • DOI: https://doi.org/10.1007/978-3-030-19086-6_7

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-19085-9

  • Online ISBN: 978-3-030-19086-6

  • eBook Packages: Computer Science (R0)
