Elastic and Adaptive SDN-based Defense in Cloud Computing with Programmable Measurement
Title:
Elastic and Adaptive SDN-based Defense in Cloud Computing with Programmable Measurement
Author:
Wang, An, author.
ISBN:
9780438115200
Physical Description:
1 electronic resource (113 pages)
General Note:
Source: Dissertation Abstracts International, Volume: 79-11(E), Section: B.
Advisor: Songqing Chen. Committee members: Fei Li; Brian Mark; Aziz Mohaisen; Robert Simon.
Abstract:
Software Defined Networking (SDN) has been proposed as a way to programmatically control networks, facilitating the deployment of new applications and services, as well as tuning network policies and performance. A key aspect of SDN is the separation of control and forwarding planes. The logical centralization of network intelligence presents exciting challenges and opportunities to enhance security in such networks, including new ways to prevent, detect, and react to threats, as well as innovative security services and applications that could be built upon SDN capabilities.
Because of the extra communication channel between the switches and the centralized controller, the SDN architecture is vulnerable to network saturation attacks such as Distributed Denial-of-Service (DDoS). The large gap between control-plane and data-plane throughput also gives attackers an advantage in degrading network performance, eventually congesting the network completely. The load on the control path can be reduced by limiting reactive flows and pre-installing rules for all expected traffic, but this comes at the expense of the fine-grained policy control, visibility, and flexibility in traffic management that many security applications clearly require.
By design, the networking behavior of SDN is dictated by two different modes: reactive mode and proactive mode. Various defense mechanisms have been proposed to tackle the security issues in SDN following these two paradigms. The proposed solutions fall into two groups: (1) security intelligence integrated into the data plane to make the best use of traffic visibility reactively, or (2) centralized logic provided by controller applications for flexible management proactively. Reactive defense mechanisms do not scale to larger networks because the OpenFlow agent (OFA) on the switch cannot handle the volume of incoming packets that require inspection. Proactive defenses, on the other hand, inevitably add overhead to network processing, even when no attack is under way.
To provide effective and flexible defense mechanisms against network attacks, we propose to build programmable defense architectures with SDN technologies and explore solutions with SDN controllers working in both reactive and proactive modes. (1) For controllers working in reactive mode, we find that the OFA typically runs on a low-end CPU with limited processing power, especially on proprietary hardware, so the control-path throughput is significantly limited by this design. To alleviate this problem, we propose to design and implement Scotch, an Open vSwitch based overlay that avoids the OFA bottleneck by using the data plane to scale the control-channel capacity. Scotch also provides elephant-flow migration to preserve users' QoS. (2) For controllers working in proactive mode, the most important capability for most security services is global visibility of network data and state, which requires intelligent traffic monitoring. In current SDN systems, however, monitoring is interwoven with the routing functions and interferes with traffic routing. Through analysis of the current implementation of Open vSwitch, we find that it takes an advanced edge-switch approach to the network management problem. To this end, we propose to develop UMON, which separates traffic monitoring from routing by introducing a separate monitoring table in Open vSwitch. (3) While UMON provides a foundation for decoupling monitoring from routing, efficient monitoring on SDN requires software defined measurement (SDM) that can automate the monitoring and measurement tasks while giving users the most flexibility.
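The abstract's two central observations, that reactive-mode table misses funnel through a capacity-limited OpenFlow agent and that a monitoring table kept apart from the forwarding table retains visibility under coarse pre-installed rules, can be made concrete with a small simulation. The model below is an added illustration written for this page; it is not the dissertation's Scotch or UMON code, and the topology, addresses, controller policy and OFA capacity are constructed for the example.

```python
"""Toy model of an OpenFlow-style edge switch illustrating two points from the
abstract: (1) in reactive mode every table miss becomes a packet-in that has
to pass through the switch's OpenFlow agent (OFA), so a spoofed-source flood
exhausts that channel and starves legitimate new flows; (2) keeping
monitoring counters in a table separate from the forwarding table preserves
visibility even when forwarding uses coarse pre-installed rules.
Illustrative model only: not the dissertation's Scotch or UMON code. The
topology, addresses and OFA capacity are constructed for this example."""
from collections import Counter
from dataclasses import dataclass, field
from ipaddress import IPv4Address

# Constructed topology: destination host -> switch output port.
HOSTS = {"10.0.0.10": 1, "10.0.0.20": 2}


@dataclass
class Packet:
    src: str
    dst: str


@dataclass
class Switch:
    ofa_capacity: int  # packet-ins the OFA can relay per tick (constructed figure)
    forwarding: dict = field(default_factory=dict)        # match key -> out port
    monitoring: Counter = field(default_factory=Counter)  # dst -> packets seen
    stats: Counter = field(default_factory=Counter)

    def lookup(self, p):
        # Reactive mode installs exact (src, dst) microflow rules; proactive mode
        # pre-installs dst-only rules, represented here with src=None.
        port = self.forwarding.get((p.src, p.dst))
        return port if port is not None else self.forwarding.get((None, p.dst))

    def process_tick(self, packets, reactive, controller):
        budget = self.ofa_capacity
        for p in packets:
            self.monitoring[p.dst] += 1  # counted regardless of the routing outcome
            if self.lookup(p) is not None:
                self.stats["forwarded"] += 1
            elif not reactive:
                self.stats["dropped_no_rule"] += 1  # proactive: no rule, no packet-in
            elif budget > 0:
                budget -= 1  # one slot of OFA capacity consumed by this miss
                self.stats["packet_in"] += 1
                self.forwarding[(p.src, p.dst)] = controller(p)
                self.stats["forwarded"] += 1
            else:
                self.stats["dropped_ofa_full"] += 1  # control channel saturated


def controller(p):
    """Constructed controller policy: forward to the destination host's port."""
    return HOSTS.get(p.dst, 0)


def run(reactive, flood_pkts=1000, legit_pkts=100, ofa_capacity=50):
    """Run one tick of a spoofed-source flood followed by legitimate new flows."""
    sw = Switch(ofa_capacity=ofa_capacity)
    if not reactive:
        for dst, port in HOSTS.items():
            sw.forwarding[(None, dst)] = port
    # Spoofed flood: every packet carries a distinct source drawn from
    # 198.51.100.0/22 (constructed), so in reactive mode each one is a table miss.
    base = int(IPv4Address("198.51.100.0"))
    flood = [Packet(str(IPv4Address(base + i)), "10.0.0.10") for i in range(flood_pkts)]
    # Legitimate new flows that arrive while the flood is under way.
    legit = [Packet(f"10.0.1.{i}", "10.0.0.20") for i in range(legit_pkts)]
    sw.process_tick(flood + legit, reactive, controller)
    return sw


if __name__ == "__main__":
    for mode in (True, False):
        sw = run(reactive=mode)
        print("reactive " if mode else "proactive",
              dict(sw.stats), "rules:", len(sw.forwarding),
              "monitoring:", dict(sw.monitoring))
```

In reactive mode the flood consumes the whole OFA budget, so every legitimate new flow in the same tick is lost; in proactive mode no packet-in is generated and the forwarding table holds only two rules, yet the monitoring table still records the per-destination volume, which is the visibility that coarse rules alone would give up.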
Notes:
School code: 0883
Holdings:
Call Number | Item Number | Shelf Location | Location / Status / Due Date |
---|---|---|---|
XX(692407.1) | 692407-1001 | ProQuest E-Thesis Collection | On Order |