Po-Wen Chi

How to detect a compromised SDN switch

SDN is a concept of programmable networking. A network manager can process each network flow through software programs. There is a hypothesis that all switches are trusted and follow programmed commands to handle packets. That is, once a switch is compromised by an attacker and does not follow the order of the network manager, this will bring a huge network disaster. In this paper, we define some attack models through compromised switches and design a detection mechanism to find these compromised devices. We evaluate our mechanism and discuss some future works.

A prevention approach to scrambling attacks in WiMAX networks

WiMAX is a telecommunication technology. It is based on IEEE802.16 family and provides the network service with large coverage, high data rate and mobility. Since IEEE802.16 series are connection-based wireless technologies, WiMAX is exposed to a special kind of DoS attacks which can target a specific victim connection without influencing the others. This paper will introduce this scrambling attack in WiMAX networks in detail and will provide a prevention approach.

Efficient NFV deployment in data center networks

NFV is a new network concept that moves network functions from network appliances to virtual machines. Users can customize their own services by setting ordered traffic paths through network function virtual machines they want. Though this idea is flexible and scalable, it brings additional growth in east-west traffic. In this paper, we focus on NFV deployment in data center networks. An user has multiple VMs in a data center and wants to have some network functions for these VMs. According to the users requirements and traffic flows, we design a heuristic NFV deployment algorithm for VNF allocation, VNF placement and traffic dispatching. We set a traffic model and evaluate our algorithm by simulation. We also give some further research directions in this paper.

Audit-Free Cloud Storage via Deniable Attribute-Based Encryption

Cloud storage services have become increasingly popular. Because of the importance of privacy, many cloud storage encryption schemes have been proposed to protect data from those who do not have access. All such schemes assumed that cloud storage providers are safe and cannot be hacked; however, in practice, some authorities (i.e., coercers) may force cloud storage providers to reveal user secrets or confidential data on the cloud, thus altogether circumventing storage encryption schemes. In this paper, we present our design for a new cloud storage encryption scheme that enables cloud storage providers to create convincing fake user secrets to protect user privacy. Since coercers cannot tell if obtained secrets are true or not, the cloud storage providers ensure that user privacy is still securely protected.

SFaaS: Keeping an eye on IoT fusion environment with security fusion as a service

Abstract Currently, Internet of Things (IoT) applications are being fused with multiple technologies. Software-defined networking (SDN) is a core component of IoT fusion environments because of its concept of programmable networking in which a network manager can process each network flow using software programs. SDN is a powerful and flexible solution for the IoT communication infrastructure offering a centralized control architecture. However, the infrastructure is based on the hypothesis that all switches are trusted and follow programmed commands to handle packets. This means that if the switches are compromised by an attacker and do not follow the order of the network manager, a huge network disaster will occur. In this study, we propose a concept of Security Fusion as a Service (SFaaS) for addressing this issue. Based on this concept, we design two detection mechanisms fused on a softwarized switch topology measurement architecture environment to detect the attack models. We evaluate, analyze, and simulate our mechanisms and the softwarized measurement architecture service and demonstrate the high performance of detection and damage reduction to prove the validity of the SFaaS concept.

Give me a broadcast-free network

In computer networking, broadcasting means to transmit a packet to every device in one broadcast domain. Broadcasting is widely used in many protocols, like ARP [1], DHCP [2] and so on. The main reason is that in a distributed network, each node has no knowledge about the whole network. Therefore, the node has to use broadcast ways to build its knowledge. However, for those who do not need to get or answer the broadcast message, the broadcast message is nothing but a noise packet. In this paper, we propose a broadcast handling framework in software defined networking. With this framework, a network manager can minimize the broadcast behavior in the network without impacting hosts. We also implement some broadcast handling modules in this work. We evaluate our frameworks performance by comparing our framework with legacy networks and other SDN network platforms. We also discuss the impact of our framework to the spanning tree protocol.

SDUDP: A Reliable UDP-Based Transmission Protocol Over SDN

The recent rapid development of Web technology, multimedia content, and interactive data has considerably expanded the size of the Internet transmissions. Benefiting from the paradigm-shifting technology of software defined networking (SDN), the administrators are now able to easily manage network flows by customizing flow rules over SDN. Inspired by this, we propose a UDP-based reliable transmission framework to improve efficiency of transmission control protocol (TCP) transmission on an SDN-enabled network. The main idea of our framework is to convert the TCP transmission into UDP packets to decrease the overhead during communications, such as handshaking, acknowledgment, and header overhead while using TCP. To guarantee reliability, we have leveraged the power of SDN to designate packets under our protocol to flow in predefined routes and monitor them to avoid possible packet loss. Our proposal is composed of a series of designs and implementations, including the packet format transformations, packet buffering, and retransmission mechanisms on switches. For users, this means that they are transmitting data with TCP, while the overhead of the TCP traffic is reduced significantly through a reliable and lightweight UDP transmission mechanism on the SDN-enabled network. Our evaluation results show that our framework provides a more efficient bandwidth usage and guarantees the reliability of packets as in TCP transmissions.

SDN storage: A stream-based storage system over software-defined networks

Software-defined networking (SDN) is well-known of its programmable and centralized management mechanism of networks. The controller unit in SDN enables users to determine network behaviors by defining flow rules on programmable switches in SDN. In this paper, we briefly propose a novel concept of network storage systems. Unlike most network storage systems store files on hosts and access files through networks, we leverage the programmable ability of SDN to assemble switching fabric queues as a storage system. Users upload files and our system keeps the files as packets alive by looping them in our defined routes. Every time users want to retrieve their files, our system duplicates the desired packets and redirects them to users.

SDN Migration: An Efficient Approach to Integrate OpenFlow Networks with STP-Enabled Networks

Software Defined Networking (SDN) is a paradigm shift technology in networking. However, it is not practical to remove existing networks for building SDN networks or to replace all operating network devices with SDN-enabled devices. Therefore, SDN migration, which implies co-existing techniques and gradually moving to SDN, is an important issue. In this paper, we focus on how to integrate SDN networks with legacy networks which run Spanning Tree Protocol (STP). Our approach has three advantages. First, our approach does not require an SDN controller to apply the STP exchange APP on all switches but only on boundary switches. Second, our approach enables legacy networks to concurrently use multiple links that used to be blocked except one for avoiding loops. Third, our approach decreases BPDU frames used in STP construction and topology change.

SDNort: A Software Defined Network Testing Framework Using Openflow

Network performance evaluation tools play important roles in network researches. However, most tools will cause highly CPU utilization and high monetary cost. Moreover, it is not easy to set up a test environment anytime and anywhere. To solve this problem, we build a lightweight network performance evaluation tool, SDNort, through the OpenFlow architecture. Through our evaluation tool, users can generate high throughput traffic to testing targets and collect related statistics via OpenFlow commands. Furthermore, users can easily customize testing packets for application evaluation. Finally, we virtualize our work as a VNF (Virtual Network Function) and deployed to a cloud system.