SDN-Honeypot Integration for DDoS Detection Scheme Using Entropy

Limitations on traditional networks contributed to the development of a new paradigm called Software Defined Network (SDN). The separation of control and data plane provides an advantage as well as a security gap on the SDN network because all controls are centralized on the controller so when the compilation of attacks are directed the controller, the controller will be overburdened and eventually dropped. One of the attacks that can be used is the DDoS attack - ICMP Flood. ICMP Flood is an attack intended to overwhelm the target with a large number of ICMP requests. To overcome this problem, this paper proposes detection and mitigation using the Modern Honey Network (MHN) integration in SDN and then makes reactive applications outside the controller using the entropy method. Entropy is a statistical method used to calculate the randomness level of an incoming packet and use header information as a reference for its calculation. In this study, the variables used are the source of IP, the destination of IP and protocol. The results show that detection and mitigation were successfully carried out with an average value of entropy around 10.830. Moreover, CPU usage either in normal packet delivery or attacks showed insignificant impact from the use of entropy. In addition, it can be concluded that the best data collected in 30 seconds in term of the promptness of mitigation flow installation.

Multi-Level Buffering Services Based on Optical Packet Encoding of Composite Maximal-Length Sequences in a GMPLS Network

Generalized multi-protocol label-switching (GMPLS) provides packet-switching with multiple speeds and quality-of-services (QoSs). Packet buffering in GMPLS reduces packet loss by resolving the conflicts between packets requesting for a common channel. Presently, due to the diversity of multimedia applications, enabling multiple services in networks has become necessary. In this paper, a family of codes known as composite maximal-length sequence (CMLS) codes is introduced into an optical buffering scheme based on code-switching. A given number of available CMLS codes is divided into several code subsets. The buffer selects an unused CMLS code from a code subset and assigns it to the incoming packet. When all codes in a specific subset have been distributed to the queued packets, a free CMLS code in another subset is chosen for the new arrival. To achieve multi-level buffering services, the partition scenario with a lower subset number but with a higher number of codes in an individual subset is used as a code-assigning method for buffering high-QoS users. A two-level buffering system is demonstrated by examining the QoS of each class in terms of packet-dropping probability (PDP). The results show that different levels of PDPs can be effectively supported by a common buffer architecture.

A Fireworks-Based Approach for Efficient Packet Filtering in Firewall

Information protection in computers is gaining a lot of importance in real world applications. To secure the private networks of businesses and institutions, a firewall is installed in a specially designated computer separate from the rest of the network so that no incoming packet can directly get into the private network. The system monitors and blocks the requests from illegal networks. The existing methods of packet filtering algorithms suffer from drawbacks in terms of search space and storage. To overcome the drawbacks, a Fireworks-based approach of packet filtering is proposed in this chapter. Termed Fireworks-based Packet Filtering (FWPF) algorithm, the sparks generated by the fireworks makes a decision about the rule position in the firewall ruleset matching with the incoming packet. The advantage of FWPF is that it reduces the search space when compared to the existing packet filtering algorithms.

SOBM - Server Occupancy Based Migration by Optimizing Link and Storage Capacity in Check Points

Checkpoint (CP) routing requires a procedure for heavy load and dynamic routing packets over a cluster network, by monitoring network load. High traffic CP network does intense transactions by multiple applications and shares the information among the nodes in the network and delivers the same to the server. The Proposed work assigns time slots and each slot checks the path to send or migrate the data to manage the load and data accumulation between servers and if there arises any data loss it recovers from the previous node buffers. Data rate and delay is checked by each link and adjust the data flow to various servers. Based on time, network state, incoming packet rates, server load, link-based migration is applied. It increases network packets receiving rates, and minimizes the delay in checkpoints.

An FPGA-based Network Firewall with Expandable Rule Description

<p>With the rapid growth of communications via the Internet, the need for an effective firewall system which has not badly affect the overall network performances has been increased. In this paper, a Field Programmable Gate Array (FPGA) -based firewall system with high performance has been implemented using Network FPGA (NetFPGA) with Xilinx Kintex-7 XC7K325T FPGA. Based on NetFPGA reference router project, a NetFPGA-based firewall system was implemented. The hardware module performs rule matching operation using content addressable memory (CAM) for higher speed data processing. To evaluate system performance, throughput, latency, and memory utilization were measured for different cases using different tools, also the number of rules that an incoming packet is subjected to was varied to get more readings using both software and hardware features. The results showed that the designed firewall system provides better performance than traditional firewalls. System throughput was doubled times of the one with Linux-Iptables firewalls.</p>

An Efficient and Congestion Aware Fuzzy Based Output Selection Strategy for On-Chip Routers

The network performance of an adaptive router largely depends on well designed selection strategy. The selection function selects one of the accepted output directions returned by the routing function. The effectiveness of any selection strategy relies on its congestion free traffic distribution mechanism for each incoming packet. This article proposes a fuzzy based output selection strategy that considers the congestion information from both neighboring routers as well as routers on global path. The strategy efficiently balances the traffic load by using the knowledge base of fuzzy controllers. Performance evaluation is carried out using a cycle accurate simulator under synthetic traffic conditions. The experimental results show that the fuzzy based selection strategy improves the performance by increased throughput and reduced packet latency when compared with other traditional selection strategies.

Design of an All-Optical Network Based on LCoS Technologies

In this paper, an all-optical network composed of the ROADMs (reconfigurable optical add-drop multiplexer), L2/L3 optical packet switches, and the fiber optical cross-connection for fiber scheduling and measurement based on LCoS (liquid crystal on silicon) technologies is proposed. The L2/L3 optical packet switches are designed with optical output buffers. Only the header of optical packets is converted to electronic signals to control the wavelength of input ports and the packet payloads can be transparently destined to their output ports. An optical output buffer is designed to queue the packets when more than one incoming packet should reach to the same destination output port. For preserving service-packet sequencing and fairness of routing sequence, a priority scheme and a round-robin algorithm are adopted at the optical output buffer. The wavelength of input ports is designed for routing incoming packets using LCoS technologies. Finally, the proposed OFS (optical flow switch) with input buffers can quickly transfer the big data to the output ports and the main purpose of the OFS is to reduce the number of wavelength reflections. The all-optical content delivery network is comprised of the OFSs for a large amount of audio and video data transmissions in the future.

RECONFIGURABLE SELF-ADDRESSABLE MEMORY-BASED FSM A SCALABLE INTRUSION DETECTION ENGINE

One way to detect and thwart a network attack is to compare each incoming packet with predefined patterns, also Called an attack pattern database, and raise an alert upon detecting a match. This article presents a novel pattern-matching Engine that exploits a memory-based, programmable state machine to achieve deterministic processing rates that are Independent of packet and pattern characteristics. Our engine is a self addressable memory based finite state machine (samFsm), whose current state coding exhibits all its possible next states. Moreover, it is fully reconfigurable in that new attack Patterns can be updated easily. A methodology was developed to program the memory and logic. Specifically, we merge “non-equivalent” states by introducing “super characters” on their inputs to further enhance memory efficiency without Adding labels. This is the most high speed self addressable memory based fsm.sam-fsm is one of the most storage-Efficient machines and reduces the memory requirement by 60 times. Experimental results are presented to demonstrate the Validity of sam-fsm.

An Adaptive Approach to Improve the Accuracy of Packet Pre-Filtering

The current day networks are under deliberate, continuous and premeditated attacks such as Hacker attacks, DoS attacks, IP Address Spoofing, Phishing, Sniffer attacks etc. The Network Intrusion Detection Systems (NIDS) proved to be reliable in parrying most of the issues and challenges faced by the corporate network security systems. But, the NID systems fall short in providing a completely fool-proof network security environment. False negatives and false positives proved to be considerable bottle necks in securing the networks from the attacks. This paper deals with the introduction of a software approach for the packet pre-filtering to ease security threats and the introduction of Network Behavior Analysis to enhance the security of the network. The Network Behavior Analysis helps the system to ease the burdens to the network and security of the network by the false positives. The NIDS compares all the incoming packets with the pre-defined rules or signatures to find suspicious patterns. The pre-filtering approach used in this paper is a result of the observation that very rarely an incoming packet matches the signatures or the IDS rules. During the pre-filtering step, a small portion of the packet is compared against the predefined signatures for any suspicious patterns and the initial pre-filtering match is considered for a full match. For time efficiency, this strategy is compared to more optimistic schemes that allow reassignment of flows between threads, and evaluated using several network packet traces.

Intelligent Reasoning Approach for Active Queue Management in Wireless Ad Hoc Networks

Mobile ad hoc network is a network without infrastructure where every node has its own protocols and services for powerful cooperation in the network. Every node also has the ability to handle the congestion in its queues during traffic overflow. Traditionally, this was done through Drop-Tail policy where the node drops the incoming packets to its queues during overflow condition. Many studies showed that early dropping of incoming packet is an effective technique to avoid congestion and to minimize the packet latency. Such approach is known as Active Queue Management (AQM). In this article, an enhanced algorithm called fuzzy-AQM is suggested using a fuzzy logic system to achieve the benefits of AQM. Uncertainty associated with queue congestion estimation and lack of mathematical model for estimating the time to start dropping incoming packets makes the fuzzy-AQM algorithm the best choice. Extensive performance analysis via simulation showed the effectiveness of the proposed method for congestion detection and avoidance improving overall network performance.