
DOCSDN: Dynamic and Optimal Configuration of Software-Defined Networks

Conference paper

Information Security and Privacy (ACISP 2019)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 11547)

Abstract

Networks are designed with functionality, security, performance, and cost in mind. Tools exist to check or optimize individual properties of a network. Because these properties may conflict, running such tools in series does not always yield a configuration that meets all requirements, which leaves network administrators searching for a configuration by hand.

This need not be the case. In this paper, we introduce a layered framework for optimizing network configuration for functional and security requirements. Our framework outputs configurations that meet reachability, bandwidth, and risk requirements. Each layer of the framework optimizes over a single property. A lower layer can constrain the search problem of a higher layer, allowing the framework to converge on a joint solution.

Our approach holds the most promise for software-defined networks, which can easily reconfigure their logical configuration. We validate the approach with experiments over the fat tree topology, which is commonly used in data center networks. Search terminates within 1–5 min in our experiments. Thus, our solution can propose new configurations for short-term events such as defending against a focused network attack.
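The abstract describes the layered idea only at a high level, so the following is an added illustration (written for this page, not code from the paper or its authors) of how one layer can hand constraints back to the layer above it. It is a brute-force toy, not the paper's search procedure: a reachability/cost layer proposes the cheapest set of enabled links, a bandwidth layer keeps only paths that carry the demand, and a risk layer picks a path under a risk budget. When a lower layer rejects a candidate it returns a "nogood" link set, which the reachability layer then prunes, so the search converges on a configuration satisfying all three properties. The five-node topology, link capacities and costs, per-switch risk scores, demand and budget are all constructed values.

```python
"""Toy layered configuration search: reachability -> bandwidth -> risk.

Lower layers return nogood link sets to the reachability layer, which
prunes them from its candidate enumeration (an assumed, simplified form
of the constraint feedback the abstract describes).
"""
from itertools import combinations

# Constructed toy topology: (endpoint_a, endpoint_b, capacity, enable_cost)
LINKS = [
    ("h1", "s1", 10, 1),
    ("s1", "s3", 5, 1),
    ("s3", "h2", 10, 1),
    ("h1", "s2", 10, 1),
    ("s2", "s3", 10, 1),
    ("h1", "s4", 10, 2),
    ("s4", "h2", 10, 2),
]
# Constructed per-switch risk scores (e.g. derived from known weaknesses); hosts score 0.
RISK = {"s1": 1, "s2": 5, "s3": 1, "s4": 1}


def adjacency(config):
    """Neighbor map for the links enabled in `config` (a frozenset of link indices)."""
    adj = {}
    for i in config:
        a, b, cap, _ = LINKS[i]
        adj.setdefault(a, []).append((b, cap))
        adj.setdefault(b, []).append((a, cap))
    return adj


def simple_paths(adj, src, dst):
    """All simple paths src->dst as (node_list, bottleneck_capacity)."""
    out = []

    def walk(node, visited, path, bottleneck):
        if node == dst:
            out.append((list(path), bottleneck))
            return
        for nxt, cap in adj.get(node, []):
            if nxt not in visited:
                walk(nxt, visited | {nxt}, path + [nxt], min(bottleneck, cap))

    walk(src, {src}, [src], float("inf"))
    return out


def reachability_candidates(src, dst, nogoods):
    """Layer 1: cheapest link sets that connect src to dst and contain no nogood."""
    subsets = [frozenset(c) for k in range(1, len(LINKS) + 1)
               for c in combinations(range(len(LINKS)), k)]
    subsets.sort(key=lambda s: (sum(LINKS[i][3] for i in s), tuple(sorted(s))))
    for cfg in subsets:
        if any(ng <= cfg for ng in nogoods):
            continue  # pruned by a constraint handed back from a lower layer
        if simple_paths(adjacency(cfg), src, dst):
            yield cfg


def bandwidth_layer(cfg, src, dst, demand):
    """Layer 2: keep only paths whose bottleneck link carries the demand."""
    return [p for p in simple_paths(adjacency(cfg), src, dst) if p[1] >= demand]


def path_risk(path):
    return sum(RISK.get(n, 0) for n in path)


def risk_layer(paths, budget):
    """Layer 3: lowest-risk path within budget, or None."""
    ok = [p for p in paths if path_risk(p[0]) <= budget]
    return min(ok, key=lambda p: path_risk(p[0])) if ok else None


def links_of(path):
    """Indices of the links used by a node path."""
    edges = {frozenset(LINKS[i][:2]): i for i in range(len(LINKS))}
    return frozenset(edges[frozenset((path[i], path[i + 1]))] for i in range(len(path) - 1))


def search(src, dst, demand, budget):
    """Layered search; returns (config, path, candidates_examined) or None."""
    nogoods = []
    examined = 0
    while True:
        cfg = next(reachability_candidates(src, dst, nogoods), None)
        if cfg is None:
            return None  # every reachable configuration has been pruned
        examined += 1
        paths = bandwidth_layer(cfg, src, dst, demand)
        if not paths:
            # No path carries the demand: forbid this exact link set (a weak
            # but always valid nogood, since the candidate itself is infeasible).
            nogoods.append(cfg)
            continue
        best = risk_layer(paths, budget)
        if best is None:
            # Every demand-carrying path is over budget: forbid each such path's
            # link set, which prunes every configuration that enables that path.
            nogoods.extend(links_of(p[0]) for p in paths)
            continue
        return cfg, best[0], examined


if __name__ == "__main__":
    print(search("h1", "h2", demand=8, budget=3))
```

On the constructed input the reachability layer first proposes the cheapest set (via s1), which the bandwidth layer rejects because the s1–s3 link carries only 5 of the 8 units; the next cheapest set (via s2) carries the demand but the risk layer rejects it because s2's score blows the budget, and its path becomes a nogood. The third candidate, the more expensive pair of links through s4, satisfies all three layers. The same feedback loop is what lets the search report infeasibility (it returns `None`) when no path can meet the budget.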



Acknowledgments

The authors thank the anonymous reviewers for their helpful insights. The authors would also like to thank Pascal Van Hentenryck, Bing Wang, Sridhar Duggirala and Heytem Zitoun for their helpful feedback and discussions. The work of T.C., B.F., and L.M. is supported by the Office of Naval Research, Comcast and Synchrony Financial. The work of D.C. is supported by the U.S. Army. The opinions in this paper are those of the authors and do not necessarily reflect the opinions of the supporting organizations.

Author information

Correspondence to Devon Callahan.


Copyright information

© 2019 This is a U.S. government work and not under copyright protection in the U.S.; foreign copyright protection may apply


Cite this paper

Curry, T., Callahan, D., Fuller, B., Michel, L. (2019). DOCSDN: Dynamic and Optimal Configuration of Software-Defined Networks. In: Jang-Jaccard, J., Guo, F. (eds) Information Security and Privacy. ACISP 2019. Lecture Notes in Computer Science(), vol 11547. Springer, Cham. https://doi.org/10.1007/978-3-030-21548-4_25

  • DOI: https://doi.org/10.1007/978-3-030-21548-4_25

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-21547-7

  • Online ISBN: 978-3-030-21548-4

  • eBook Packages: Computer Science (R0)