Dimitrios Kalogeras

Combining OpenFlow and sFlow for an effective and scalable anomaly detection and mitigation mechanism on SDN environments

Software Defined Networks (SDNs) based on the OpenFlow (OF) protocol export control-plane programmability of switched substrates. As a result, rich functionality in traffic management, load balancing, routing, firewall configuration, etc. that may pertain to specific flows they control, may be easily developed. In this paper we extend these functionalities with an efficient and scalable mechanism for performing anomaly detection and mitigation in SDN architectures. Flow statistics may reveal anomalies triggered by large scale malicious events (typically massive Distributed Denial of Service attacks) and subsequently assist networked resource owners/operators to raise mitigation policies against these threats. First, we demonstrate that OF statistics collection and processing overloads the centralized control plane, introducing scalability issues. Second, we propose a modular architecture for the separation of the data collection process from the SDN control plane with the employment of sFlow monitoring data. We then report experimental results that compare its performance against native OF approaches that use standard flow table statistics. Both alternatives are evaluated using an entropy-based method on high volume real network traffic data collected from a university campus network. The packet traces were fed to hardware and software OF devices in order to assess flow-based data-gathering and related anomaly detection options. We subsequently present experimental results that demonstrate the effectiveness of the proposed sFlow-based mechanism compared to the native OF approach, in terms of overhead imposed on usage of system resources. Finally, we conclude by demonstrating that once a network anomaly is detected and identified, the OF protocol can effectively mitigate it via flow table modifications.

Low bit-rate coding of image sequences using adaptive regions of interest

An adaptive algorithm for extracting foreground objects from background in videophone or videoconference applications is presented. The algorithm uses a neural network architecture that classifies the video frames in regions of interest (ROI) and non-ROI areas, also being able to automatically adapt its performance to scene changes. The algorithm is incorporated in motion-compensated discrete cosine transform (MC-DCT)-based coding schemes, allocating more bits to ROI than to non-ROI areas. Simulation results are presented, using the Claire and Trevor sequences, which show reconstructed images of better quality, as well as signal-to-noise ratio improvements of about 1.4 dB, compared to those achieved by standard MC-DCT encoders.

SaTPEP: A TCP Performance Enhancing Proxy for Satellite Links

Satellite link characteristics cause reduced performance in TCP data transfers. In this paper we present SaTPEP, a TCP Performance Enhancing Proxy which attempts to improve TCP performance by performing connection splitting. SaTPEP monitors the satellite link utilization, and assigns to connections window values that reflect the available bandwidth. Loss recovery is based on Negative Acknowledgements. The performance of SaTPEP is investigated in terms of goodput and fairness, through a series of simulation experiments. Results obtained in these experiments, show significant performance improvement in presence of available bandwidthand at higherror rates.

PaFloMon -- A Slice Aware Passive Flow Monitoring Framework for OpenFlow Enabled Experimental Facilities

The Passive Flow Monitoring (PaFloMon) framework aims at enriching OpenFlow (OF) platforms with user-aware passive monitoring tools. It thus complements user-oriented network programming of OF controllers with measurement capabilities offered to advanced users (slice owners), e.g. Future Internet researchers. PaFloMon provides per-slice monitoring plane isolation, extending control-plane slice isolation features of OF infrastructures, while it empowers users with monitoring toolsets, e.g. sFlow, Net Flow, widely employed in legacy networking systems. It is based on slice-centric statistics unilaterally described through an XML based Resource Specification schema (RSpec) and collected across Future Internet experimental facilities. The feasibility of slice-based monitoring is verified via sFlow trials in OpenFlow S/W (Open vSwitch) and H/W (NEC IP8800) platforms. PaFoMon can be easily integrated within OF control frameworks, notably the OFELIA framework being developed by the Future Internet Research & Experimentation program of the European Union.

Managing federations of virtualized infrastructures: A semantic-aware policy based approach

This paper presents our work toward organizing and managing various forms of federations of virtualized infrastructures. We adopt the Ponder2 policy framework and the SMC architecture as a powerful engineering approach, which we apply to semantic-aware management of federations of Future Internet (FI) virtualized infrastructures. To cater for context-awareness, we plan for a common information model, based on the Network Description Language (NDL), capturing a common set of abstractions of virtualized resources and services, nodes, routers and switches, custom network topologies with specific bandwidth demands, etc. To handle management of generic complex federated environments, we employ structural patterns to model federations as graphs, whose vertices represent SMCs and edges denote the type of relationship between them. We give an illustration of such structures corresponding to existing FI experimental platforms in the US and Europe and we provide examples containing inter-domain management responsibilities as missions. Finally, we propose to augment the Ponder2 framework with single & multi-domain resource provisioning capabilities, enabling efficient sharing of virtualized networked facilities among federation users.

QoS experiences in native IPv6 networks

Deployment of IPv6 technology in research and commercial networks has accelerated in the last few years. Inevitably, as more advanced services take advantage of the new technology, IPv6 traffic gradually increases. Today, there is limited experience in the deployment of Quality of Service (QoS) for IPv6 traffic in backbone networks that support the Differentiated Services framework. As available software and hardware are designed to handle IPv4 packets, there is a need to accurately measure and validate performance of QoS mechanisms in an IPv6 environment. This paper discusses tests and technical challenges in the deployment of IPv6 QoS in core networks, namely the production dual stack gigabit-speed Greek Research and Education Network (GRNET) and the IPv6-only 6NET European test network, using both hardware and software platforms. In either case, we succeeded in delivering advanced transport services to IPv6 traffic and provided different performance guarantees to portions of traffic. The deployed QoS schema was common to IPv6 and IPv4; in most cases both v4 and v6 traffic exhibited comparable performance per class, while imposing no significantly different overhead on network elements. A major conclusion of our tests is that the IPv6 QoS mechanisms are efficiently supported with state-of-the-art router cards at gigabit speeds.

Control-plane slicing methods in multi-tenant software defined networks

In this paper, we focused on two prevailing architectural approaches for control-plane virtualization in multi-tenant OpenFlow-ready SDN domains: The first permits the delegation of a specific, non-overlapping part of the overall flowspace to each tenant OpenFlow controller, exposing him/her the entire substrate topology; the second conceals the substrate topology to tenants by abstracting resources and exposing user-controlled (tenant) Virtual Networks (VNs). For both cases, we propose and analyze three control-plane slicing methods (domain, switch and port-wide), enforced by the management plane, that safeguard control-plane isolation among tenant VNs. Their effectiveness is assessed in terms of control-plane resources (number of flowspace policy rule entries, table lookup times and memory consumption) via measurements on a prototype implementation. To that end, we introduced and prototyped the Flowspace Slicing Policy (FSP) rule engine, an automated mechanism translating substrate management-plane policies into VN mapping control-plane rules. Our experiments, involving thousands of tenants VN requests over a variety of WAN-scale network topologies (e.g. Internet2/OSE3 and GÉANT), demonstrate that the port-wide slicing method is the most efficient in terms of tenant request acceptance ratio, within acceptable control-plane delays and memory consumption.

Real-time MPEG-1 video transmission over local area networks

In this work is presented the architecture of an MPEG-1 stream transmission system appropriate for point-to-point transfer of live video and audio over TCP/IP local area networks. The hardware and software modules of the system are presented as well. Experimental results on the statistical behavior of the generated and transmitted MPEG-1 stream are quoted.

Federated trouble ticket system for service management support in loosely coupled multi-domain environments

Summary Operating services in multi-domain environments is inherently more complex than in a single domain because of the existence of multiple managed domains with various operating procedures, devices and systems in use. This increased complexity on one side and the demand to provide efficient and reliable services in such environment on the other impose the need to automate service operations processes and procedures. However, in loosely coupled federated service environments where participating domains retain absolute control over internal resources and processes, remotely operated configuration commands, which are prerequisite for automated operations, directly threaten the autonomy of the participating members. In this article, we identify key business processes and required operating support systems components unique to federated environments by analysing process flows for services jointly provided by European National Research and Education Networks. Although we conclude that the involvement of human operators in key service operations processes is inevitable, we propose a new workflow scheme and other necessary components needed to integrate domains in a way that minimizes manual intervention. The proposed scheme interconnects independently operating trouble ticket systems (TTSs) from participating domains in a federated TTS (FTTS). The proposed FTTS is not constrained just to the basic function of TTS—fault management, but it supports all key federated service operation activities like service provisioning, problem or performance management. The proposed fully decentralized federated scheme retains the main inherent capabilities of TTSs such as tracking, escalation and expiration and at the same time supports the desired federated service communication processes. Copyright