Verifiably-safe software-defined networks for CPS
Next-generation cyber-physical systems (CPS) are expected to be deployed in domains that require scalability as well as performance under dynamic conditions. This scale and dynamicity will require that CPS communication networks be programmatic (i.e., not requiring manual intervention at any stage) while still maintaining iron-clad safety guarantees. Software-defined networking standards like OpenFlow provide a means for scalably building tailor-made network architectures, but there is no guarantee that these systems are safe, correct, or secure. In this work we propose a methodology and accompanying tools for specifying and modeling distributed systems such that existing formal verification techniques can be transparently used to analyze critical requirements and properties prior to system implementation. We demonstrate this methodology by iteratively modeling and verifying an OpenFlow learning switch network with respect to network correctness, network convergence, and mobility-related properties. We posit that a design strategy based on the complementary pairing of software-defined networking and formal verification would enable the CPS community to build next-generation systems without sacrificing the safety and reliability that these systems must deliver.
Distributed Collaborative Monitoring in Software Defined Networks
We propose a Distributed and Collaborative Monitoring system, DCM, with the following properties. First, DCM allows switches to collaboratively achieve flow monitoring tasks and balance measurement load. Second, DCM is able to perform per-flow monitoring, by which different groups of flows are monitored using different actions. Third, DCM is a memory-efficient solution for the switch data plane and guarantees system scalability. DCM uses novel two-stage Bloom filters to represent monitoring rules in a small memory space. It utilizes the centralized SDN control to install, update, and reconstruct the two-stage Bloom filters in the switch data plane. We study how DCM performs two representative monitoring tasks, namely flow size counting and packet sampling, and evaluate its performance. Experiments using real data center and ISP traffic data on real network topologies show that DCM achieves the highest measurement accuracy among existing solutions given the same switch memory budget.
NeuRoute: Predictive Dynamic Routing for Software-Defined Networks
This paper introduces NeuRoute, a dynamic routing framework for Software-Defined Networks (SDN) based entirely on machine learning, specifically neural networks. Current SDN/OpenFlow controllers use a default routing based on Dijkstra's shortest-path algorithm and provide APIs to develop custom routing applications. NeuRoute is a controller-agnostic dynamic routing framework that (i) predicts the traffic matrix in real time, (ii) uses a neural network to learn traffic characteristics, and (iii) generates forwarding rules accordingly to optimize network throughput. NeuRoute achieves the same results as the most efficient dynamic routing heuristic but in much less execution time.
Comment: Accepted for CNSM 201
ANCHOR: logically-centralized security for Software-Defined Networks
While the centralization of SDN brought advantages such as a faster pace of innovation, it also disrupted some of the natural defenses of traditional architectures against different threats. The literature on SDN has mostly been concerned with the functional side, despite some specific works concerning non-functional properties like 'security' or 'dependability'. Though addressing the latter in an ad-hoc, piecemeal way may work, it will most likely lead to efficiency and effectiveness problems. We claim that the enforcement of non-functional properties as a pillar of SDN robustness calls for a systemic approach. As a general concept, we propose ANCHOR, a subsystem architecture that promotes the logical centralization of non-functional properties. To show the effectiveness of the concept, we focus on 'security' in this paper: we identify the current security gaps in SDNs and we populate the architecture middleware with the appropriate security mechanisms, in a global and consistent manner. Essential security mechanisms provided by ANCHOR include reliable entropy and resilient pseudo-random generators, and protocols for secure registration and association of SDN devices. We claim and justify in the paper that centralizing such mechanisms is key to their effectiveness, by allowing us to: define and enforce global policies for those properties; reduce the complexity of controllers and forwarding devices; ensure higher levels of robustness for critical services; foster interoperability of the non-functional property enforcement mechanisms; and promote the security and resilience of the architecture itself. We discuss design and implementation aspects, and we prove and evaluate our algorithms and mechanisms, including the formalisation of the main protocols and the verification of their core security properties using the Tamarin prover.
Comment: 42 pages, 4 figures, 3 tables, 5 algorithms, 139 reference
Self-Modeling Based Diagnosis of Software-Defined Networks
Networks built using SDN (Software-Defined Networking) and NFV (Network Functions Virtualization) approaches are expected to face several challenges such as scalability, robustness and resiliency. In this paper, we propose a self-modeling based diagnosis to enable resilient networks in the context of SDN and NFV. We focus on solving two major problems. On the one hand, we lack today a model or template that describes the managed elements in the context of SDN and NFV. On the other hand, the highly dynamic networks enabled by softwarisation require the generation at runtime of a diagnosis model from which root causes can be identified. In this paper, we propose finer-grained templates that model not only network nodes but also their sub-components, for a more detailed diagnosis suitable to the SDN and NFV context. In addition, we specify and validate a self-modeling based diagnosis using Bayesian Networks. This approach differs from the state of the art in the discovery of network and service dependencies at run-time and in the building of the diagnosis model of any SDN infrastructure using our templates.