Publication


Featured research published by Georgios Androulidakis.


Computer Networks | 2014

Combining OpenFlow and sFlow for an effective and scalable anomaly detection and mitigation mechanism on SDN environments

Kostas Giotis; Christos Argyropoulos; Georgios Androulidakis; Dimitrios Kalogeras; Vasilis Maglaris

Software Defined Networks (SDNs) based on the OpenFlow (OF) protocol export control-plane programmability of switched substrates. As a result, rich functionality in traffic management, load balancing, routing, firewall configuration, etc. that may pertain to specific flows they control, may be easily developed. In this paper we extend these functionalities with an efficient and scalable mechanism for performing anomaly detection and mitigation in SDN architectures. Flow statistics may reveal anomalies triggered by large scale malicious events (typically massive Distributed Denial of Service attacks) and subsequently assist networked resource owners/operators to raise mitigation policies against these threats. First, we demonstrate that OF statistics collection and processing overloads the centralized control plane, introducing scalability issues. Second, we propose a modular architecture for the separation of the data collection process from the SDN control plane with the employment of sFlow monitoring data. We then report experimental results that compare its performance against native OF approaches that use standard flow table statistics. Both alternatives are evaluated using an entropy-based method on high volume real network traffic data collected from a university campus network. The packet traces were fed to hardware and software OF devices in order to assess flow-based data-gathering and related anomaly detection options. We subsequently present experimental results that demonstrate the effectiveness of the proposed sFlow-based mechanism compared to the native OF approach, in terms of overhead imposed on usage of system resources. Finally, we conclude by demonstrating that once a network anomaly is detected and identified, the OF protocol can effectively mitigate it via flow table modifications.


IEEE Network | 2009

Network anomaly detection and classification via opportunistic sampling

Georgios Androulidakis; Vassilis Chatzigiannakis; Symeon Papavassiliou

In this article the emphasis is placed on the evaluation of the impact of intelligent flow sampling techniques on the detection and classification of network anomalies. Based on the observation that for specific-purpose applications such as anomaly detection a large fraction of information is contained in a small fraction of flows, we demonstrate that by using sampling techniques that opportunistically and preferentially sample traffic data, we achieve magnification of the appearance of anomalies within the sampled data set and therefore improve their detection. Therefore, the inherently lossy sampling process is transformed to an advantageous feature in the anomaly detection case, allowing the revealing of anomalies that would be otherwise untraceable, and thus becoming the vehicle for efficient anomaly detection and classification. The evaluation of the impact of intelligent sampling techniques on the anomaly detection process is based on the application of an entropy-based anomaly detection method on a packet trace with data that has been collected from a real operational university campus network.


IET Communications | 2008

Improving network anomaly detection via selective flow-based sampling

Georgios Androulidakis; Symeon Papavassiliou

Sampling has become an essential component of scalable Internet traffic monitoring and anomaly detection. A new flow-based sampling technique that focuses on the selection of small flows, which are usually the source of malicious traffic, is introduced and analysed. The proposed approach provides a flexible framework for preferential flow sampling that can effectively balance the tradeoff between the volume of the processed information and the anomaly detection accuracy. The performance evaluation of the impact of selective flow-based sampling on the anomaly detection process is achieved through the adoption and application of a sequential non-parametric change-point anomaly detection method on realistic data that have been collected from a real operational university campus network. The corresponding numerical results demonstrate that the proposed approach improves anomaly detection effectiveness and at the same time reduces the number of selected flows.


International Conference on Networking and Services | 2007

Data fusion algorithms for network anomaly detection: classification and evaluation

Vasilis Chatzigiannakis; Georgios Androulidakis; K. Pelechrinis; Symeon Papavassiliou; Vasilis Maglaris

In this paper, the problem of discovering anomalies in a large-scale network based on the data fusion of heterogeneous monitors is considered. We present a classification of anomaly detection algorithms based on data fusion, and motivated by this classification, the operational principles and characteristics of two different representative approaches, one based on the Dempster-Shafer theory of evidence and one based on principal component analysis, are described. The detection effectiveness of these strategies is evaluated and compared under different attack scenarios, based on both real data and simulations. Our study and corresponding numerical results revealed that in principle the conditions under which they operate efficiently are complementary, and therefore could be used effectively in an integrated way to detect a wider range of attacks.


2014 Third European Workshop on Software Defined Networks | 2014

Leveraging SDN for Efficient Anomaly Detection and Mitigation on Legacy Networks

Kostas Giotis; Georgios Androulidakis; Vasilis Maglaris

In this paper, we investigate the applicability of Software-Defined Networking (SDN), and specifically the use of the OpenFlow protocol as a means to enhance the legacy Remote Triggered Black-Hole (RTBH) routing approach, towards Distributed Denial of Service (DDoS) attack mitigation. More specifically, we exploit the network programmability of OpenFlow to match and handle traffic on a per-flow level, in order to preserve normal operation of the victim, while pushing the mitigation process upstream towards the edge of the network. To this end, we implemented and evaluated a sketch-based anomaly detection and identification mechanism, capable of pinpointing the victim and remotely triggering the mitigation of the offending network traffic. The evaluation is based on the combination of datasets containing real DDoS attacks and normal background traffic from an operational university campus network. Our results demonstrated that the proposed approach succeeds in identifying the victim of the attack and efficiently filtering the malicious sources.


2012 European Workshop on Software Defined Networking | 2012

PaFloMon -- A Slice Aware Passive Flow Monitoring Framework for OpenFlow Enabled Experimental Facilities

Christos Argyropoulos; Dimitrios Kalogeras; Georgios Androulidakis; Vasilis Maglaris

The Passive Flow Monitoring (PaFloMon) framework aims at enriching OpenFlow (OF) platforms with user-aware passive monitoring tools. It thus complements user-oriented network programming of OF controllers with measurement capabilities offered to advanced users (slice owners), e.g. Future Internet researchers. PaFloMon provides per-slice monitoring plane isolation, extending control-plane slice isolation features of OF infrastructures, while it empowers users with monitoring toolsets, e.g. sFlow, NetFlow, widely employed in legacy networking systems. It is based on slice-centric statistics unilaterally described through an XML based Resource Specification schema (RSpec) and collected across Future Internet experimental facilities. The feasibility of slice-based monitoring is verified via sFlow trials in OpenFlow S/W (Open vSwitch) and H/W (NEC IP8800) platforms. PaFloMon can be easily integrated within OF control frameworks, notably the OFELIA framework being developed by the Future Internet Research & Experimentation program of the European Union.


Military Communications Conference | 2006

Understanding and Evaluating the Impact of Sampling on Anomaly Detection Techniques

Georgios Androulidakis; Vasilis Chatzigiannakis; Symeon Papavassiliou; Mary Grammatikou; Vasilis Maglaris

In this paper, the emphasis is placed on the evaluation of the impact of various packet sampling techniques that have been proposed in the PSAMP IETF draft, on two widely used anomaly detection approaches. More specifically, we evaluate the behavior of a sequential nonparametric change-point detection method and an algorithm based on principal component analysis (PCA) with the use of different metrics, under different traffic and measurement sampling methodologies. One of the key objectives of our study is to gain some insight about the feasibility and scalability of the anomaly detection process, by analyzing and understanding the tradeoff of reducing the volume of collected data while still maintaining the accuracy and effectiveness in the anomaly detection


IEEE International Conference on Cloud Computing Technology and Science | 2014

Virtual Topology Mapping in SDN-Enabled Clouds

Chryssa A. Papagianni; Georgios Androulidakis; Symeon Papavassiliou

Software-Defined Networking (SDN) is transforming the way networks are designed and built, by decoupling control and data forwarding planes and centralizing network intelligence, mainly through the use of the OpenFlow standard. On the other hand, the cloud is evolving to the networked cloud paradigm, integrating communication resources. Due to its functional characteristics (network programmability, network partitioning and virtualization), OpenFlow lends itself well to the networked cloud concept. However, in order to provide networked cloud resources with minimal management effort, it is essential to address efficiently the resource mapping problem at hand. The current study adapts an existing resource mapping algorithm, to be applied in an SDN-enabled networked cloud environment. The adaptation provides flexibility in the setup of virtual network topologies and efficient use of the flowspace.


Security and Communication Networks | 2016

A scalable anomaly detection and mitigation architecture for legacy networks via an OpenFlow middlebox

Kostas Giotis; Georgios Androulidakis; Vasilis Maglaris

In this paper, we investigate the applicability of inserting an OpenFlow middlebox to enhance the remotely triggered black hole routing mechanism, to mitigate distributed denial of service (DDoS) attacks in legacy networks. Specifically, we propose a modular architecture that exploits the network programmability of software-defined networking within the context of network functions virtualization, deploying on-demand virtualized network functions (VNFs) capable of manipulating and filtering malicious traffic. Leveraging the OpenFlow control functionality, we match and handle traffic on a per-flow level, preserving connectivity to/from the victim while pushing the mitigation process upstream, towards the edge of the affected network. To that end, a multilevel anomaly detection and identification mechanism was developed, pinpointing the victim in case an attack is detected. Subsequently, a virtualized network function instructs the edge router to forward all traffic destined to the victim to an OpenFlow switch, acting as a middlebox capable of filtering malicious traffic identified by an OpenFlow controller, while preserving benign flows. The proposed architecture was implemented and evaluated based on the combination of datasets containing traces of real DDoS attacks and normal background traffic from our university campus network. Our analysis illustrated a clear clustering of Internet protocol prefixes used by malicious sources; thus, we implemented a longest common prefix aggregation algorithm to enable scaling of the proposed mitigation process, overcoming constraints due to hardware limitations of OpenFlow devices. Our analysis verifies that the proposed modular and scalable schema can efficiently identify DDoS attack victims and filter malicious traffic, without exhausting system and network resources.


Global Communications Conference | 2007

Intelligent Flow-Based Sampling for Effective Network Anomaly Detection

Georgios Androulidakis; Symeon Papavassiliou

Sampling has become an essential component of scalable Internet traffic monitoring and anomaly detection. In this paper, the emphasis is placed on the evaluation of the impact of using intelligent flow sampling techniques on the anomaly detection process. Based on the observation that small flows are usually the source of many network attacks (DDoS, portscans, worm propagation), we first introduce a new flow sampling methodology that focuses on the selection of small flows and improves anomaly detection effectiveness, while at the same time reducing the number of selected flows. The performance evaluation of the impact of intelligent flow-based sampling on the anomaly detection process is achieved through the adoption and application of a sequential non-parametric Change-Point Detection anomaly detection method on realistic data that have been collected from a real operational university campus network.

Collaboration


Collaborators of Georgios Androulidakis.

Top Co-Authors

Symeon Papavassiliou

National Technical University of Athens

Vasilis Maglaris

National Technical University of Athens

Chrysa A. Papagianni

National Technical University of Athens

Dimitrios Kalogeras

National Technical University of Athens

Christos Argyropoulos

National Technical University of Athens

Kostas Giotis

National Technical University of Athens

Vasilis Chatzigiannakis

National Technical University of Athens

Aggelos Kapoukakis

National Technical University of Athens

Mary Grammatikou

National Technical University of Athens

Wim Vandenberghe

Katholieke Universiteit Leuven
