Software Defined Networking (SDN) has the potential to enable novel security applications that support flexible, on-demand deployment of system elements. It can offer targeted forensic evidence collection and investigation of computer network attacks. Such unique capabilities are instrumental to network intrusion detection that is challenged by large volumes of data and complex network topologies. This paper presents an innovative approach that coordinates distributed network traffic Monitors and attack Correlators supported by Open Virtual Switches (OVS). The Monitors conduct anomaly detection and the Correlators perform deep packet inspection for attack signature recognition. These elements take advantage of complementary views and information availability on both the data and control planes. Moreover, they collaboratively look for network flooding attack signature constituents that possess different characteristics in the level of information abstraction. Therefore, this approach is able to not only quickly raise an alert against potential threats, but also follow it up with careful verification to reduce false alarms. We experiment with this SDN-supported collaborative approach to detect TCP SYN flood attacks on the Global Environment for Network Innovations (GENI), a realistic virtual testbed. The response times and detection accuracy, in the context of a small to medium corporate network, have demonstrated its effectiveness and scalability.
Download Full PDF Version (Non-Commercial Use)