An Aware-Scheduling Security Architecture with Priority-Equal Multi-Controller for SDN

Chao Qi＊, Jiangxing Wu, Guozhen Cheng, Jianjian Ai, Shuo Zhao

National Digital Switching System Engineering & Technological R&D Center Zhengzhou 450002, Henan, China

* The corresponding author, email: 13937147170@163.com

I. INTRODUCTION

SDN frameworks, such as OpenFlow, introduce separation of data and control planes to achieve highly programmable switch infrastructure [1]. Nowadays, SDN has been widely applied in various fields and a large number of attacks on it appear. Thus, researchers have recently paid more attention to the security issues of SDN and a great deal of research have been conducted on it. Although from the view of protecting users directly, existing proposed mechanisms can improve the security of SDN,there is still urgent need to consider additional information concerning threats, and ideas how SDN should be secured [2].

In SDN, the control layer is the critical part and responsible for handling and distributing the flows of information between network applications and the data plane. As key components in control layer, OpenFlow controllers [3][4][5][6] have been largely adopted to probe the data plane for state information,generate and deliver flow rules. They can communicate with switches within their network domain or slice [7]. And the set of flow rules distributed by them is of importance to optimize flow routes and improve the network efficiency [8]. Thus, it’s obvious that controllers play an important role in SDN applications.And it’s no doubt that the controller is bound to be an important target of attackers.

Focusing on the modifying flow rule attack,the authors propose Mcad-SA, an aware decision-making security architecture with multi-controller, which exploits heterogeneity and redundancy from different controllers to prevent that attack proactively.

From the perspective of network security,due to the fact that all unknown traffic must be transmitted to the controller for investigation, it’s common that malicious traffic may lead to Denial of Service (DoS) attack [9].Furthermore, most networks are managed by merely one controller, which may easily result in single failures. Besides, as there are no compulsory mechanisms for enforcing access control on applications [10], an application cooperating with the controller may have effect on the generation of flow rules if the application is infected with some malicious codes that attempt to impact rule generating process to worsen the effectiveness of generated rules. In other words, instead of paralyzing the controller, an attacker can enable the basic function of the controller but in extremely low efficiency.

In order to address or alleviate the above problems, we exploit heterogeneity and redundancy from different controllers to construct the control plane, which means the network is no longer equipped with one controller but manipulated by multiple controllers which are priority-equal. Meantime, ADS algorithm is adopted to choose the most reliable controllers through perception to supervise the corresponding network. This mechanism can to some extent lower the controllers’ probability of being attacked, increase the attack cost and improve security further.

The paper is organized as follows. The next section describes the problems we try to solve.

Fig. 1 Modifying flow rule attack

The third section introduces explicitly constitutions of Mcad-SA and the ADS algorithm.Section 4 presents experimental results. We present related work in Section 5. The last section concludes by summarizing our work and discussing future work.

II. PROBLEM DESCRIPTION

As illustrated in figure 1, the right flow rule generated by controllerbetween switch A and B is normally the green arrow. After the modifying flow rule attack, that rule is modified into the path along with the red arrow(i.e). We refer these ineffective rules as distorted rules. Obliviously, these distorted rules won’t influence the forwarding function because packets from switch A will eventually reach switch B. However, the network performance is dramatically decreased.What’s worse, it may cause traffic congestion to some critical links if the majority of distorted rules go through that link, which will lead to paralysis of the whole network in the end.

The above depicted attack can be regarded as a high-level type of attack in control plane because it’s difficult for managers to detect the abnormity and determine whether the controller has been compromised or not in a short period. Thus, it’s urgent that a novel and effective method should be devised to deal with such attacks.

In this paper, we propose Mcad-SA to address this problem. This architecture associates with various controllers to make the most use of their advantages of security respectively. And the key idea of this design is that flow rules in a network are no longer generated by a single controller, since multiple controllers will take part in the decision procedure to judge which controller produces the valid rules. As the difficulty and cost is increased tremendously when attackers attempt to compromise numerous controllers successfully simultaneously. Thus, the probability of altering flow rules via attacks gets low under this situation. Further, a scheduling mechanism called ADS is devised to protect the system from intruding easily, which is also an effective method to defend attackers. Hence, the defense strategy offered by this architecture can improve the robustness and resilience of the holistic network.

III. THE DESIGN OF MCAD-SA

First, we illustrates the overview of the Mcad-SA as shown in figure 2. Then specific functions are described for main components in the framework. Last but not the least, a scheduling algorithm is presented which combines probability theory to achieve better defense policies.

3.1 Architecture

3.1.1 Overview

In addition to the data plane and control plane,a scheduling plane is introduced between them to assist the implementation of virtual functions (perception, scheduling, etc.) in Mcad-SA. The constitution and functions of different planes are described as follows:

Data Plane:It’s identical to that in traditional SDN without any modification.

Control Plane:Instead of deploying one controller, this plane is equipped with N (N≥3)controllers. And they possess the equal priority on the subnet they supervise. What’s more,N controllers are achieved on heterogeneous structures (POX, Ryu, Floodlight, etc.) which are implemented with various programming languages but with the coherent algorithm.One point to be specified specially, although these controllers are created in diverse ways,they achieve identical output when they acquire equal input, which means that these controllers will generate the same flow rules in the case that they receive identical network state information. Further, to enhance the level of security, all the controllers are deployed on diverse hosts with different operation systems(Windows, MacOS, Linux, etc.).

Scheduling Plane:The virtual plane is the most important layer in Mcad-SA and responsible for interaction, decision-making and scheduling process in the sub-network.Due to its critical importance, it’s deployed on equipment with specific protection and high security. And it consists of four virtual function modules: Transponder, Sensor, Decider and Scheduler whose functions are depicted below.

●Transponder:The main goal of the transponder is gathering network information including topology, state information of switches and so on. Then collected information will be transmitted to all running controllers managing the same domain.On receiving messages some controllers merely store and update corresponding data while others are required to generate flow rules relying on the messages. And the role assigned to each controller is guided by the scheduler.

●Sensor:The primary purpose of sensor is monitoring the state of controllers in the control plane. For example, it will try to analyze whether they have been probed or exploited by attackers. If so, an alert message is produced and sent to the scheduler.This message is an indication of controllers’reliability.

Fig. 2 The overview of Mcad-SA

●Decider:The vital function of the decider is receiving data produced by controllers and judging whether controllers are in benign conditions or not via comparing their flow rules. Then the decider chooses to send the most reliable rules to switches. The choice is made on the following assumption: the probability of successful attacks simultaneously to the majority of controllers is relatively low. Thus, the identical flow rules from the majority can be considered as secure, correct and effective rules. After the decision-making procedure, the decider will transmit a message to notify the scheduler of suspecting controllers’ information if it discovers incongruous flow rules.

Fig. 3 Process of scheduling and decision-making

Fig. 4 Flow Rule Attack under Mcad-SA

●Scheduler:The chief duty of the scheduler is responsible for selecting controllers to provide service for the network. In general,it picks M (M is usually an odd number and changeable and) from N controllers via the policy we design and generates flow rules respectively as described in figure 3.And there are two mechanisms under which the scheduler will switch M controllers.One is timer mechanism which indicates the scheduler is going to re-select new M controllers to implement the above procedure at fixed intervals. The other is that only when an alert or a notification message arrives at the scheduler does it execute the formal actions. Finally, according to results observed by the decider, the scheduler will notify the control plane to make adaptations or not.

3.1.2 Workflow

Next, we make a conclusion about the entire work flow in Mcad-SA. First, the transponder maintains collecting real-time state information of infrastructure and transmits them to controllers. In the meantime, the sensor keeps an eye on anomaly detection and intrusion attacks about controllers. It will notify the scheduler of real-time “healthy condition”about controllers. Then the scheduler selects M reliable controllers and the decider sends the valid instructions to switches. Then, once two mechanisms of the scheduler are activated, new M controllers will be chosen to generate their own flow rules respectively and present results to the decider for judgment.And if some rules are different from that of most controllers, the decider will inform the scheduler of messages about controllers which produce fake rules. Next time those controllers will be picked with lower probability till they are reset. Ultimately, above steps will be repeated to protect the network and maintain the network in a secure, robust and resilient state.

Now, let’s review the attack in figure 1 under Mcad-SA. In figure 3 flow rules controllerproduces are distorted or false while that fromandare correct. Obviously, the aberrant rule can’t reach switch A because of the decision mechanism which chooses the same rules from the majority to forward. Moreover,as running controllers are always varying in some scheduling strategies, it’s difficult for attackers to locate them and launch attacks.

Therefore, Mcad-SA can guarantee the network operates smoothly even when facing threats. Further, the scheduling algorithm has effect on the security of Mcad-SA. Next, we introduce an aware dynamic scheduling algorithm to improve its security to the maximum.

3.2 An aware dynamic scheduling algorithm

In order to intensify security and increase attack cost, we present an aware algorithm to dynamically schedule controllers (ADS). The algorithm is implemented inside the scheduler.Moreover, this method will improve controllers’ uncertainty while maintains the network operate normally and reliably, making it more difficult for attackers to compromise running controllers. The notations used in the statement of ADS are listed in table 1.

3.2.1 Problem statement

Mcad-SA is a third-layer SDN which has been illustrated above. The upper layer is the control plane which hastotal controllers. The middle layer is the scheduling plane which is comprised of four components depicted above.The lower layer is the data plane consisting of a set of switches and hosts.

The problem of aware dynamic scheduling controllers (ADS) in Mcad-SA can be concluded as follows: Given a set of controllers and a subnet, attackers attempt to compromise controllers through probes (i.e. the more probes on a controller, the easier it can be controlled) while the defender attempts to devise a dynamic scheduling strategy that can ensure the subnet operate in a reliable way, in other words, it reducesdue to attacks to the maximum extent.

3.2.2 Design of ADS

Our goal is to guarantee the subnet operates in a most reliable and secure way when facing probes from attackers. That’s to say, we need ensure the reliability and safety of the running controllers setThus, we formulate the aware dynamic scheduling mechanism as an optimization problem to minimize failure probability of Mcad-SA via every switching step. And the essential requirements for this problem are: 1) To ensure the switch cost is reasonable, the total switch times of controllers each step can’t exceedbecause once the number is immense, more time is required to accomplish the switch process. 2) To guarantee service quality, the number of controllers inis no bigger thanIfis too big, it takes longer for the decider to hand flow rules to switches since it waits for rules from all controllers to compare. One point to be mentioned,andare changeable relying on current conditions and demands of the subnet.

It’s obvious that to ensure the security of control plane, we ought to choose the most reliable controllers from C. And the reliability can be measured bywhich means the more reliable a controller is, the biggeris.Besides,is allocated by the scheduler which regulatesaccording to messages from the sensor and decider.

The sensor records operating conditions of all controllers. For example, if it detects probes against running controllers, then it will calculate their reliability based on results of detections. Andequalswhereis a scaling parameter. After this process, a message aboutwill be sent to the scheduler.

Table I Notations in the ADS problem.

Minimize:

Subject to:

3.2.3 Procedures

The above optimization is a typical NP-hard problem which is difficult to finish the computation if C is very large. Therefore, we put forward a heuristic algorithm to solve this question with polynomial time complexity. In this algorithm,is represented with 3-tuplewheremeans what kind of controller it is, POX or Floodlight, etc.

In this section, an algorithm attempting to minimize failure probability of the control plane (MinFP) is proposed to solve the ADS problem. Its fundamental idea is to successively choose the most reliable controllers from various types of controllers. This method can ensure heterogeneity of controllers and guarantee the most secure controllers are chosen every time. The specific process is discussed as follows.

Initialization: All controllers are acssigned with a 3-tuple label. And we divide C intogroups according to their types. Later in each group controllers are sorted in a descending order based on theirThen we pop up the first controller from groups successively till we obtain required sizeNow the initialization is completed.

Switching: There are two mechanisms which lead to controllers’ switch. One is timer mechanism. The other is message-driven mechanism. In the first situation, all running controllers will be switched after a fixed intervalThe switching procedure is similar to the initialization step. While in the latter circumstance, the scheduler need regulate controllersrelying on messages from sensor and decider. And that’s the sensing progress. Then each controllerwill selectto switch and the best circumstance is

The pseudo code of the proposed algorithm is shown in table 2, 3 and 4. Function Init_RunCon_Set whose code is listed in Algorithm 2 is used to initiatefrom C. While the Switch_RunCon_Set function illustrated in Algorithm 3 aims at updatingby eliminating compromised controllers and inserting relatively more reliable controllers.

Considering Mcad-SA equipped withcontrollers, the time complexity of MinFP isat most. Thus, it’s a cost-effective heuristic algorithm.

IV. PERFORMANCE EVALUATION

In this section, we conduct simulation-based experiments to evaluate the effectiveness of the proposed architecture and algorithm.

4.1 Simulation results of MinFP

Simulations are conducted on estimating the effectiveness of MinFP. In the simulation, we presume there are G types of controllers andcontrollers are in each group. Also, we assume that the number of controllers attackers probe each timeis satisfying the similar restraint set for the defender because of attack cost. Specifications of these parameters are listed in table 5.

First of all, we analyze reliability of the control plane when adopting the proposed scheduling strategy. And it’s measured by.The smalleris, the more reliable the control plane is. Next, we compare our proposed scheduling policies (MinFP) to two common methods. One is random switching and the other is without switching which is mostly adopted by current traditional SDN architectures.As to random switching, we divide it into RandomWithRepeat and RandomWithoutRepeat in detail. RandomWithRepeat means we selectuniformly from all the available controllers while the latter will pick uprandomly from the rest controllers to guarantee

As illustrated in figure 5,of traditional control plane goes up tremendously with time,reaching approximately 50% after 10 time units. This phenomenon is predictable because controllers keep stationary all the time. Thus,attackers can enforce persistent probes on same targets till all controllers are compromised, which leads to failure of control plane easily. While in random and MinFP situations,both curves increase slowly and their slopes are relatively small. That’s due to the reason that running controllers are always varying sothat attackers have to restart probes on new added controllers. Especially with time goingon, their advantages are more obvious, which indicates dynamism can intensify security of control plane to some extent. What’s more,of MinFP is the lowest and stable, which is strong evidence on its superiority. This demonstrates MinFP can sense controllers’secure states and always pick up more reliable controllers based on their real-time conditions.Therefore, it reducesfurther compared with random switching (no matter RandomWithRepeat or RandomWithoutRepeat).

Table II Main procedures of MinFP

Table III Initialization of MinFP

Table IV The switch procedure of MinFP

Table 5 Specifications of parameters in simulation

Fig. 5 Failure probability with various switch strategies

Fig. 6in different architectures

In above simulations, we analyze the effectiveness of MinFP. Here, we focus on the overall performance of Mcad-SA compared to traditional architectures.

As stated previously, Mcad-SA employs several entities as running controllers and the running set is varying with time. Thus, the cost of Mcad-SA is obviously increased. Here we define the cost of security gain (to measure the overall performance of different structures. The essence ofcan be regarded as the cost required to acquire security gain.It’s computed via [5].

4.2 Evaluation of overall performance of Mcad-SA

Further, we reveal the relation betweenand diversity. We equip the control plane in Mcad-SA with 12 controllers but in four compositions. And the compositions areandThe bigger G is, the more kinds of controllers are. Then figure 7 indicates there is a negative correlation betweenand G.This phenomenon is intriguing but expected.With more types of controllers existing, the cost of probing, invading and attacking is augmented since attackers have to realize and utilize different bugs and vulnerabilities, which is extremely difficult compared to destroying the same kind of controller. However, this property provides us with inspiration that in order to gain more powerful performance, we should take diversity into consideration when designing the control plane of Mcad-SA. That’s to say, devising and adopting controllers as heterogeneous as possible is a critical point to improve SDN’s security.

V. RELATED WORK

At present, the research on controllers’ security is focused on two aspects. On one hand,it aims at improving personal security of controllers through introducing internal secure mechanism. For example, FortNOX, an intensive secure NOX controller, is proposed in[11] by means of role-based authorization and security constraint enforcement to intensify its security. It’s able to check flow-rule conflicts in real time. Besides, it also implements a robust analysis algorithm to strategically prevent hostile applications from inserting malicious flow rules that will reduce routing efficiency in network. Porras et al. [12] presents SE-Floodlight, a Security Enhanced version of the widely used OpenFlow Floodlight Controller,to provide security management. It extends Floodlight with a security-enforcement kernel(SEK). The SEK consists of a particular set of secure application management policies, such as a permission model for mediating all configuration change requests to the data-plane and a security audit service. However, no matter how powerful a single controller it is, once it has been invaded, the service of the network it supervises no longer can be guaranteed.

Fig. 7with diverse composition of controllers in Mcad-SA adopting MinFP

On the other hand, researchers pay attention to distributed controllers to avoid the single point failure with one controller [13]. And the chief concept is introducing heterogeneity and redundancy to protect the network. ONOS,open network operating system, is designed in[14] to improve the robustness and resiliency of the network. It employs multiple controllers to act as different roles (master controller,backup controller, etc) in case when master controllers are unable to work, backup controllers are switched to master controllers via Zookeeper to maintain the network operate smoothly. Yazici et al. [15] considers the issue that controllers are prone to collapse under heavy data center loads. They propose a distributed and associated coordination framework that has the capability of achieving scalability and reliability even under such situations. This architecture adopts redundancy controllers to balance the load without any interruption to the network operation. It also provides support for adding and removing controllers dynamically with minimum or no required changes. [16] puts forward a secure SDN architecture where each switch is managed with multiple controllers. Further,the number of controllers assigned to devices depends on their status and security requirements in network, which is cost-efficient. Xin Jin et al. [17] proposes CoVisor, a new kind of hypervisor that allows multiple controllers to cooperate on managing the same shared traffic. This implementation can be used to assemble a collection of independently-developed applications and enable multiple controllers to manage the same subnet simultaneously.Although current architectures with multiple controllers can resist a series of attacks to some degree, their systems are entirely operating in a static state. This mechanism is a threat for it’s convenient and low-cost for attackers to probe and acquire useful information. Thus,in [18], we present a security architecture for SDN which exploits heterogeneity and redundancy from multi-controller to intensify security. Besides, a dynamic scheduling mechanism is introduced in this architecture to further improve its performance. And this paper is an extension of research work in [18].

VI. CONCLUSION

Security of controllers is a significant issue for ensuring the network operate effectively. Focusing on the modifying flow rule attack, we propose Mcad-SA, an aware decision-making security architecture with multi-controller,which exploits heterogeneity and redundancy from different controllers to prevent that attack proactively. Further, we devise a sensible,practical and dynamic scheduling mechanism to intensify its security. Simulation results demonstrate validity of the proposed method. Although increasing some additional but controllable cost, this novel architecture significantly improves security of SDN. Furthermore, the defending concept that combines heterogeneity, dynamism and redundancy of existing techniques, means and components can be applied in various fields. In the future,we plan to implement the Mcad-SA with the real experimental platform and pay attention to quantitative measurement on control plane’s security performance.

This work is supported by the Foundation for Innovative Research Groups of the National Natural Science Foundation of China(No.61521003), the National Key R&D Program of China (No.2016YFB0800100,No.2016YFB0800101), and the National Natural Science Foundation of China(No.61602509).

[1] Mckeown N, Anderson T, Balakrishnan H, et al.“OpenFlow:enabling innovation in campus networks”. ACM SIGCOMM Computer Communication Review, vol. 38, no. 2, pp. 69-74, 2008.

[2] Kreutz, D, Ramos F.M.V, and Verissimo P. “Towards secure and dependable software-defined networks.” ACM SIGCOMM Workshop on Hot Topics in Software Defined NETWORKING, pp.55-60, 2013.

[3] POX. “Python network controller”. http://www.noxrepo.org/pox/

[4] Gude N, Koponen T, Pettit J, et al. “NOX: towards an operating system for networks”. ACM SIGCOMM Computer Communication Review,vol. 38, no. 3, pp. 105-110, 2008.

[5] Floodlight. “Open SDN controller”. http://www.projectfloodlight.org/.

[6] Erickson D. “The beacon openflow controller”.ACM SIGCOMM Workshop on Hot Topics in Software Defined NETWORKING. pp. 13-18, 2013.

[7] Sherwood R, Gibb G, Yap K K, et al. “Can the production network be the testbed?”. Usenix Symposium on Operating Systems Design and Implementation. pp. 365-378, 2010.

[8] Jain S, Kumar A, Mandal S, et al. “B4: experience with a globally-deployed software defined wan”. ACM SIGCOMM Computer Communication Review, vol. 43, no. 4, pp. 3-14, 2013.

[9] Cabaj K, Wytr?bowicz J, Kukliński S, et al. “SDN architecture impact on network security”. Federated Conference on Computer Science and Information Systems. pp. 143-148, 2014.

[10] Scott-Hayward S, Natarajan S, Sezer S. “A survey of security in software defined networks”. IEEE Communications Surveys & Tutorials, vol. 18,no. 1, pp. 623-654, 2016.

[11] Porras P, Shin S, Yegneswaran V, et al. “A security enforcement kernel for OpenFlow networks”.ACM SIGCOMM Workshop on Hot Topics in Software Defined NETWORKING. pp. 121-126, 2012.

[12] Porras P, Cheung S, Fong M, et al. “Securing the software-defined network control layer”.Network and Distributed System Security Symposium. 2015.

[13] Open Network Foundation. “SDN security considerations in the data center”. 2015. https://www.opennetworking.org/solution-brief-sdnsecurity-considerations-in-the-data-center.

[14] Berde P, Hart J, Hart J, et al. “ONOS: towards an open, distributed SDN OS”. ACM SIGCOMM Workshop on Hot Topics in Software Defined NETWORKING. pp. 1-6, 2014.

[15] Yazici V, Sunay M O, Ercan A O. “Controlling a software-defined network via distributed controllers”. Proceedings of the NEM Summit. pp.16-20, 2014.

[16] Li H, Li P, Guo S, et al. “Byzantine-resilient secure software-defined networks with multiple controllers in cloud”. IEEE Transactions on Cloud Computing, vol. 2, no. 4, pp. 436-447, 2015.

[17] Jin X, Gossels J, Rexford J, et al. “CoVisor: a compositional hypervisor for software-defined networks”. Usenix Conference on Networked Systems Design and Implementation. pp. 87-101, 2015.

[18] Qi C, Wu J, Hu H, et al. “An intensive security architecture with multi-controller for SDN”. IEEE Computer Communications Workshops. pp. 401-402, 2016.