
A high performance anomaly based intrusion detection system for SDN networks

DOCUMENT INFORMATION

Pages: 167
Size: 11.37 MB

CONTENTS

VIET NAM NATIONAL UNIVERSITY - HO CHI MINH CITY
HO CHI MINH CITY UNIVERSITY OF TECHNOLOGY

NGO DUC MINH

A HIGH PERFORMANCE ANOMALY-BASED INTRUSION DETECTION SYSTEM FOR SDN NETWORKS

MAJOR: COMPUTER SCIENCE
MAJOR ID: 60.48.01.01

MASTER THESIS

HO CHI MINH City, December 2019

THIS WORK WAS COMPLETED AT HO CHI MINH CITY UNIVERSITY OF TECHNOLOGY - VNU-HCM

Scientific supervisor: (full name, academic title, degree and signature)
Reviewer 1: (full name, academic title, degree and signature)
Reviewer 2: (full name, academic title, degree and signature)

The master thesis was defended at Ho Chi Minh City University of Technology, VNU-HCM, on (day) (month) (year).

The master thesis examination committee consists of: (full name, academic title and degree of each committee member)

Confirmation by the Chairman of the Examination Committee and the Dean of the Faculty in charge of the major after the thesis has been revised (if any).

CHAIRMAN OF THE COMMITTEE          DEAN OF THE FACULTY OF COMPUTER SCIENCE AND ENGINEERING

VIETNAM NATIONAL UNIVERSITY - HO CHI MINH CITY          SOCIALIST REPUBLIC OF VIETNAM
HO CHI MINH CITY UNIVERSITY OF TECHNOLOGY               Independence - Freedom - Happiness

MASTER THESIS ASSIGNMENT

Student's full name: NGO DUC MINH          Student ID: 1770024
Date of birth: 05/06/1994                  Place of birth: Dong Nai
Major: Computer Science                    Major ID: 60.48.01.01

I. THESIS TITLE: A HIGH PERFORMANCE ANOMALY-BASED INTRUSION DETECTION SYSTEM FOR SDN NETWORKS

II. TASKS AND CONTENT:
• Study and implement algorithms for detecting and preventing network attacks, including anomaly-based detection techniques that use machine learning on NetFPGA hardware.
• Build an OpenFlow switch architecture on the NetFPGA platform that can integrate security blocks. Measure and evaluate the switching speed of the system.
• Integrate an anomaly-based attack detection block into the NetFPGA-based OpenFlow switch.
• Modularize and improve the hardware resource usage of the NetFPGA system. Test and evaluate the results against related work.

III. ASSIGNMENT DATE: 13/08/2018
IV. COMPLETION DATE: 30/12/2019
V. SUPERVISOR: Assoc. Prof. Dr. TRAN NGOC THINH

SUPERVISOR (full name and signature)          Ho Chi Minh City, (day) (month) (year) 20
DEAN OF THE FACULTY OF COMPUTER SCIENCE AND ENGINEERING (full name and signature)

ACKNOWLEDGMENTS

Firstly, I would like to express my sincere gratitude to my advisor, Associate Professor Tran Ngoc Thinh, for his warm support, taking the time from the beginning of my work to orient the research, and during each step of the dissertation process. Besides my advisor, I would like to thank my teachers at the Faculty of Computer Science & Engineering, Ho Chi Minh City University of Technology, for providing a lot of knowledge for me during my master course. Especially, my sincere thanks also go to Doctor Cuong Pham-Quoc, who has guided me and improved my skills a lot while writing papers and reports. To my Computer Engineering labmates, I would like to thank Mr. Ho Quang Chi Bao, Mr. Tran Nguyen Vo, Mrs. Tran Thi Thuy Chau, Mr. Le Tan Long, Tran Minh Anh Tuan, Dang Ngo Nhat Truong, Nguyen Gia Phuc and the many other individuals for the sleepless nights we were working together before deadlines, and for all the fun we have had in the last three years. Last but importantly, I am grateful to God for the good health and well-being that were necessary to complete this dissertation. I would like to say thank you so much to my family; I could not go far on my way without their support and encouragement.

Ho Chi Minh City, December 01st, 2019
Ngo Duc Minh

ABSTRACT

The Internet has become a global information system that can be accessed publicly by linked computers from all over the world. Along with the development of the Internet of Things (IoT), the number of entities on the Internet can reach 20-100 billion in 2020 [1]. Thus, an alternative approach to the traditional network architecture that can adapt to such comprehensive demands is necessary and urgent. Software-Defined Networking (SDN) [2] has been investigated by many organizations because of its
advantages compared to the traditional approaches. Computer networks are configured and operated manually in traditional networks, while SDN provides centralized control, simple hardware devices, and a high degree of virtualization. SDN decouples network control from forwarding functions, so that network control becomes programmable. In SDN, network control consists of controllers configured by network administrators through software interfaces. Besides, the development of Artificial Intelligence (AI), which can train a machine to imitate intelligent human behaviors, has become a prominent topic. AI has achieved several successes in practical applications such as decision making, speech recognition, and object classification. However, real-time applications usually require heavy computational tasks; thus, processing on general-purpose processors is not efficient in terms of performance. Meanwhile, hardware accelerators such as Graphics Processing Units (GPUs) and Field-Programmable Gate Arrays (FPGAs) have been employed to improve the throughput of AI algorithms in these applications.

This work aims to enhance security for SDN by pre-processing and protecting network packets at the data plane using multiple approaches. It introduces an efficient high-throughput and low-latency SYN flood defender architecture, carefully designed with a pipeline model. A mathematical model is also provided with the architecture for estimating the SYN flood protection throughput and latency. Our experiments with NetFPGA-10G platforms show that the core can protect servers against SYN flood attacks at up to 28+ million packets per second. In addition, the thesis proposes an architecture for SDN-based secured forwarding devices (switches) by extending our previous architecture, HPOFS, with multiple security functions, including lightweight DDoS mechanisms and signature-based and anomaly-based IDS. We implement our architecture on a heterogeneous system, including host processors, GPU, and FPGA
boards. To the best of our knowledge, this is the first forwarding device for SDN implemented on a heterogeneous system in the literature. Our system not only enhances security but also provides high-speed switching capacity based on the OpenFlow standard. The implemented design on a GeForce GTX 1080 G1 for the training phase is 14× faster than a CPU (Intel Core i7-4770, 3.4 GHz, 16 GB of RAM, Ubuntu 14.04). The switching function along with three lightweight DDoS detection/prevention mechanisms processes at 39.48 Gbps on the NetFPGA-10G board (Xilinx xc5vtx240t FPGA device). Especially, our neural network models on the NetFPGA-10G board outperform the CPU in processing performance by reaching a throughput of 4.84 Gbps. Moreover, the neural network model achieves 99.01% precision with only a 0.02% false-positive rate on the created dataset.

MASTER THESIS SUMMARY (translated from the Vietnamese abstract)

The Internet has become a global information system that can be accessed anytime, anywhere by computers all over the world. Along with the development of the Internet of Things, the number of connections may reach 20-100 billion in 2020 [1]. Therefore, a replacement for the traditional network architecture is necessary. Software-Defined Networking (SDN) [2], regarded as a replacement for traditional networks, has been studied by many organizations around the world because of its many advantages over traditional networks. Traditional computer networks are usually configured and operated by hand: the administrator has to go to each hardware device to configure it, whereas SDN provides centralized management. In an SDN network, the controller is operated by the network administrator through software. In addition, the development of Artificial Intelligence (AI), which trains computers to imitate human behavior, has become a promising topic. AI has achieved many successes in practical problems such as decision making, speech recognition, and object classification. Besides, applications that must respond in real time usually require complex computation, so general-purpose processors are no longer efficient in terms of performance. Meanwhile, hardware accelerators such as GPUs and FPGAs have been studied and used to improve performance for applications that use AI algorithms.

This master thesis aims to reduce the computational load on the control plane by pre-processing and protecting the network early, on the data plane, using several different approaches, especially anomaly-based attack detection. The work introduces a high-performance architecture for SYN Flood attack prevention, carefully designed with a pipelined processing mechanism. A mathematical model is proposed to measure and evaluate the resilience of the SYN Flood block in terms of throughput and latency. Experimental results on the NetFPGA-10G platform show that the security block can protect servers from SYN Flood attacks at rates of up to 28+ million packets per second. In addition, the thesis proposes security for data forwarding devices in the SDN architecture by extending our earlier work, named HPOFS, with a security engine that includes DDoS attack prevention blocks, signature-based attack detection, and anomaly-based attack detection. The author implements the proposed architecture on a heterogeneous hardware platform consisting of host processors, a GPU board, and an FPGA board. This is regarded as the first system to integrate several different security blocks into SDN switching hardware. The system is not only tightly secured but also switches packets under centralized management according to the OpenFlow protocol. Training the neural network model on a GeForce GTX 1080 G1 GPU is 14 times faster than on a CPU (Intel Core i7-4770, 3.4 GHz, 16 GB RAM, Ubuntu 14.04). The switching function together with the DDoS prevention blocks processes at a maximum rate of 39.48 Gbps on the NetFPGA-10G board (Xilinx xc5vtx240t FPGA device). In particular, the machine learning model on the board outperforms the CPU, reaching a processing rate of 4.84 Gbps. Moreover, the best machine learning model gives 99.01% precision with a 0.02% false alarm rate on a dataset collected in the Computer Engineering laboratory of Ho Chi Minh City University of Technology.

Statement of Originality

I certify that the results of this work are the product of my own work and that of colleagues at the Faculty of Computer Science and Engineering (CSE), Ho Chi Minh City University of Technology (HCMUT), Vietnam National University - Ho Chi Minh City (VNU-HCM). All the assistance received in preparing
this thesis and the sources used have been acknowledged. Parts of this work have previously been published in the scientific papers below:

• Duc-Minh Ngo, Cuong Pham-Quoc, and Tran Ngoc Thinh. Heterogeneous Hardware-based Network Intrusion Detection System with Multiple Approaches for SDN. In: Mobile Networks and Applications, Vol. 25, Issue 1, pp. 1-15 (2020). ISSN: 1572-8153 (SCIE).
• Duc-Minh Ngo, Binh Tran-Thanh, Truong Dang, Tuan Tran, Tran Ngoc Thinh, and Cuong Pham-Quoc. High-throughput Machine Learning Approaches for Network Attacks Detection on FPGA. In: ICCASA 2019, pp. 1–10. Springer (2019).
• Cuong Pham-Quoc, Duc-Minh Ngo, Tran Ngoc Thinh. HPOFS: A High Performance and Secured OpenFlow Switch Architecture for FPGA. In: Advances in Electrical and Computer Engineering, Volume 19, Issue 3, pp. 19-28 (2019). ISSN: 1582-7445 (SCIE).
• Duc-Minh Ngo, Cuong Pham-Quoc, and Tran Ngoc Thinh. An Efficient High-Throughput and Low-Latency SYN Flood Defender for High-Speed Networks. In: Security and Communication Networks, Volume 2018, 14 pages (2018). ISSN: 1939-0122 (SCIE).

Ngo Duc Minh

REFERENCES

[8] R. Braga, E. Mota, and A. Passito, "Lightweight DDoS flooding attack detection using NOX/OpenFlow," in Local Computer Networks (LCN), 2010 IEEE 35th Conference on. IEEE, 2010, pp. 408–415.
[9] T. Dargahi, A. Caponi, M. Ambrosin, G. Bianchi, and M. Conti, "A Survey on the Security of Stateful SDN Data Planes," IEEE Communications Surveys & Tutorials, 2017.
[10] C. Pham-Quoc, B. Nguyen, and T. N. Thinh, "FPGA-based multicore architecture for integrating multiple DDoS defense mechanisms," SIGARCH Comput. Archit. News, vol. 44, no. 4, pp. 14–19, Jan. 2017. [Online]. Available: http://doi.acm.org/10.1145/3039902.3039906
[11] B. Ho, C. Pham-Quoc, T. N. Thinh, and N. Thoai, "A secured OpenFlow-based switch architecture," in Advanced Computing and Applications (ACOMP), 2016 International Conference on. IEEE, 2016, pp. 83–89.
[12] NetFPGA, NetFPGA-10G Information, https://netfpga.org/10G_specs.html, visited on Nov. 21, 2018.
[13] D. J. Bernstein, "SYN cookies, 1996," URL http://cr.yp.to/syncookies.html, 2016.
[14] S. Ghanti and G. Naik, "Defense techniques of SYN flood attack characterization and comparisons," 2018.
[15] C. L. Schuba, I. V. Krsul, M. G. Kuhn, E. H. Spafford, A. Sundaram, and D. Zamboni, "Analysis of a denial of service attack on TCP," in Security and Privacy, 1997. Proceedings., 1997 IEEE Symposium on. IEEE, 1997, pp. 208–223.
[16] J. Lemon et al., "Resisting SYN Flood DoS Attacks with a SYN Cache," in BSDCon, vol. 2002, 2002, pp. 89–97.
[17] M. Yasir, Introduction to FPGA Technology, https://www.fpgarelated.com/showarticle/17.php, visited on Aug. 08, 2018.
[18] Techopedia, Application-Specific Integrated Circuit (ASIC), https://www.techopedia.com/definition/2357/application-specific-integrated-circuit-asic, visited on Aug. 08, 2018.
[19] H. Wang, C. Jin, and K. G. Shin, "Defense against spoofed IP traffic using hop-count filtering," IEEE/ACM Transactions on Networking (ToN), vol. 15, no. 1, pp. 40–53, 2007.
[20] B. Xiao, W. Chen, and Y. He, "An autonomous defense against SYN flooding attacks: Detect and throttle attacks at the victim side independently," Journal of Parallel and Distributed Computing, vol. 68, no. 4, pp. 456–470, 2008.
[21] W.-c. Feng, E. Kaiser, and A. Luu, "Design and implementation of network puzzles," in INFOCOM 2005. 24th Annual Joint Conference of the IEEE Computer and Communications Societies. Proceedings IEEE. IEEE, 2005, pp. 2372–2382.
[22] L. Kavisankar and C. Chellappan, "A Mitigation model for TCP SYN flooding with IP Spoofing," in Recent Trends in Information Technology (ICRTIT), 2011 International Conference on. IEEE, 2011, pp. 251–256.
[23] J. J. Echevarria, P. Garaizar, and J. Legarda, "An experimental study on the applicability of SYN cookies to networked constrained devices," Software: Practice and Experience, vol. 48, no. 3, pp. 740–749, 2018.
[24] D. Senie and P. Ferguson, "Network ingress filtering: Defeating denial of service attacks which employ IP source address spoofing," Network, 1998.
[25] V. Gulisano, M. Callau-Zori, Z. Fu, R. Jiménez-Peris, M. Papatriantafilou, and M. Patiño-Martínez, "STONE: A streaming DDoS defense framework," Expert Systems with Applications, vol. 42, no. 24, pp. 9620–9633, 2015.
[26] B. Lim and M. S. Uddin, "Statistical-based SYN-flooding detection using programmable network processor," in Information Technology and Applications, 2005. ICITA 2005. Third International Conference on. IEEE, 2005, pp. 465–470.
[27] J. Mirkovic and P. Reiher, "D-WARD: a source-end defense against flooding denial-of-service attacks," IEEE Transactions on Dependable and Secure Computing, vol. 2, no. 3, pp. 216–232, 2005.
[28] W. Chen and D.-Y. Yeung, "Throttling spoofed SYN flooding traffic at the source," Telecommunication Systems, vol. 33, no. 1-3, pp. 47–65, 2006.
[29] C. Sun, J. Fan, L. Shi, and B. Liu, "A novel router-based scheme to mitigate SYN flooding DDoS attacks," IEEE INFOCOM (Student Poster), 2007.
[30] R. Mohammadi, R. Javidan, and M. Conti, "SLICOTS: an SDN-based lightweight countermeasure for TCP SYN flooding attacks," IEEE Transactions on Network and Service Management, vol. 14, no. 2, pp. 487–497, 2017.
[31] S. Shin, V. Yegneswaran, P. Porras, and G. Gu, "Avant-guard: Scalable and vigilant switch flow management in software-defined networks," in Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security. ACM, 2013, pp. 413–424.
[32] Y. Afek, A. Bremler-Barr, and L. Shafir, "Network anti-spoofing with SDN data plane," in INFOCOM 2017 - IEEE Conference on Computer Communications. IEEE, 2017, pp. 1–9.
[33] S. Haddock, InterPacket Gap and Start of Packet Lane Alignment, http://www.ieee802.org/3/ae/public/jul00/haddock_0700.pdf, visited on Jul. 17, 2018.
[34] S. Haddock, InterPacket Gap and Start of Packet Lane Alignment, http://www.ieee802.org/3/ae/public/jul00/haddock_0700.pdf, visited on Oct. 10, 2018.
[35] Xilinx, AXI4-Lite IP Interface (IPIF), https://www.xilinx.com/products/intellectual-property/axi_lite_ipif.html, visited on Aug. 02, 2018.
[36] David Fifield, Matt Baxter, TCP/IP Reference, https://nmap.org/book/tcpip-ref.html, visited on Nov. 20, 2018.
[37] dcs.gla.ac.uk, Ethernet Frame 802.3 AT 10Mbps, http://www.dcs.gla.ac.uk/~lewis/networkpages/m04s03EthernetFrame.htm, visited on Nov. 20, 2018.
[38] GitHub, Standard IP Interfaces, https://github.com/NetFPGA/NetFPGA-public/wiki/Standard-IP-Interfaces, visited on Jul. 17, 2018.
[39] Xilinx, Xilinx Platform Studio (XPS), https://www.xilinx.com/products/design-tools/xps.html, visited on Aug. 02, 2018.
[40] Xilinx, PlanAhead Design and Analysis Tool, https://www.xilinx.com/products/design-tools/planahead.html, visited on Aug. 02, 2018.
[41] GitHub, OSNT 10G Home, https://github.com/NetFPGA/OSNT-Public/wiki/OSNT-10G-Home, visited on Jul. 19, 2018.
[42] D. Moore, C. Shannon, D. J. Brown, G. M. Voelker, and S. Savage, "Inferring internet denial-of-service activity," ACM Transactions on Computer Systems (TOCS), vol. 24, no. 2, pp. 115–139, 2006.
[43] A. Günther and C. Hoene, "Measuring round trip times to determine the distance between WLAN nodes," in International Conference on Research in Networking. Springer, 2005, pp. 768–779.
[44] Wireshark, Wireshark · Go Deep, https://www.wireshark.org/, visited on Jul. 31, 2018.

A.4 HPOFS: A HIGH PERFORMANCE AND SECURED OPENFLOW SWITCH ARCHITECTURE FOR FPGA

• Cuong Pham-Quoc, Duc-Minh Ngo, Tran Ngoc Thinh. HPOFS: A High Performance and Secured OpenFlow Switch Architecture for FPGA. Advances in Electrical and Computer Engineering, Volume 19, Issue 3, pp. 19-28 (2019). ISSN: 1582-7445 (SCIE).

Advances in Electrical and Computer Engineering, Volume xx, Number x, 20xx

HPOFS: A High Performance and Secured OpenFlow Switch Architecture for FPGA

Cuong PHAM-QUOC, Duc-Minh NGO, Tran Ngoc THINH
Ho Chi Minh City University of Technology, Vietnam National University – Ho Chi Minh City, Vietnam
cuongpham@hcmut.edu.vn

Abstract—Although Software Defined Networking offers many advantages, it suffers from many
security issues due to centralized control. In this paper, we introduce HPOFS (High-Performance and Secured OpenFlow Switching Architecture) for FPGA, which is not only able to route packets from sources to destinations according to the OpenFlow protocol but also able to protect the system against different attacks efficiently. Thanks to FPGA technology, the two processes can be scheduled in parallel; thus, the switch can work at very high throughput. We implement the first prototype version on a Xilinx xc5vtx240t FPGA device with three different security functions to protect the system against DDoS attack types, including Hop-count filtering, port Ingress/Egress filtering, and a SYN Flood attack defender. While the first two protection techniques are adapted from our previous work, the SYN Flood defender core is designed and implemented with a pipeline model in this work. The core is able to protect the system against SYN Flood attacks at up to 30,000,000 packets per second with only 0.248 ms overhead. The full switch can provide throughput at up to 78.96 Gbps with only a 0.0012% drop rate.

Index Terms—Field programmable gate arrays, Software defined networking, Computer security, High performance computing, Reconfigurable architectures

I. INTRODUCTION

Software-defined networking (SDN) [1] offers many benefits compared to traditional networking by separating the control plane from the data plane [2]. In recent years, SDN has become more popular in both academia and industry. However, there still exist known issues in SDN, especially security vulnerabilities [3-4]. The centralized control model of SDN may cause many security issues, since attacks on controllers could break the entire network system. Many previous studies have focused on building secured functions for controllers or increasing the strength of controllers [5-6]. However, these approaches could lead to performance issues. In recent years, many alternatives have been developing intelligent data planes where data is pre-processed to
prevent systems from attacks [7-9]. Nevertheless, with the fast increase in the number of network attacks as well as attack types, a system needs to be augmented with different protection techniques to survive attacks. When building secured functionalities for SDN, one of the critical issues is not to break the principles of SDN, such as centralized control and monitoring and the decoupling of the controller and data planes. Among the others, OpenFlow [10] is one of the most popular and successful SDN instantiations. Taking the principles of SDN into the design, OpenFlow switches decouple the control plane from the data plane. While forwarding devices at the data plane are responsible for routing network packets, an associated controller at the control plane handles these devices and makes high-level routing decisions. According to SDN principles, the first packet of a new flow coming to a forwarding device is forwarded to the controller, which computes the corresponding routing path. Due to this regulation, the OpenFlow network, as well as SDN in general, is highly sensitive to saturation attacks such as SYN Flooding, where an extreme number of new flows arrive at a switch simultaneously.

In this work, we propose the High-Performance Secured OpenFlow Switch Architecture (HPOFS) for building an FPGA-based high-performance and secured OpenFlow switch. HPOFS provides not only high-throughput network switching ability but also secured cores that are able to protect the switch against attacks. Thanks to FPGA technology, HPOFS can work in a pipeline model for the switching function while multiple secured cores examine network packets in parallel. Therefore, HPOFS does not introduce any additional latency when switching packets. Moreover, the switch is able to counter many attack types with a negligible decline in performance. We implement a prototype version using a NetFPGA-10G board containing a Virtex-5 xc5vtx240t device. In this prototype, three security functions are implemented as secured cores to protect the
switch from DDoS and SYN Flooding attacks: SYN Defender, Hop-count Filtering, and Port Ingress/Egress Filtering. Experimental results with the first prototype version show that HPOFS on NetFPGA-10G achieves a switching throughput of up to 39.48 Gbps, while the maximum throughput supported by the board is 40 Gbps. Detection rates with the Hop-count Filtering and Port Ingress/Egress Filtering techniques are 100% with only a 2.9% false positive rate, while about 30+ million SYN Flood attack packets per second are prevented by SYN Defender.

The main contributions of this work can be categorized into three folds:
(1) We propose the architecture for a High-Performance Secured OpenFlow Switch (HPOFS) that can route packets from sources to destinations according to the OpenFlow protocol and examine these packets to counter different attacks. The two behaviors can be executed in both parallel and pipeline models to achieve optimized performance.
(2) We design and implement an efficient pipelined SYN Defender core in FPGA. Our SYN Defender core is able to protect the switch from SYN Flooding attacks, one of the most serious attack methods. The core can protect the system against attacks at 30,000,000 packets per second with only 0.248 ms overhead. It outperforms most well-known SYN Flood defender systems in the literature.
(3) We implement and evaluate our proposed HPOFS on the NetFPGA-10G platform, which contains a Virtex-5 xc5vtx240t FPGA device. In this prototype version, we integrate the SYN Defender core and two DDoS countermeasure cores developed in our previous work, Port Ingress/Egress filtering and Hop-Count filtering [11]. To the best of our knowledge, this is the first switch with these secure cores in the literature. The switch can provide throughput at up to 78.96 Gbps with only a 0.0012% drop rate.

The rest of the paper is organized as follows. Section II summarizes related work and quickly discusses background.
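The table-miss behaviour described above (the first packet of every new flow is sent to the controller, which is why a burst of new flows such as a SYN flood saturates the control channel), as an added Python simulation that is not part of the paper and not the HPOFS hardware. It models a Flow Table with exact-match and wildcard-match entries looked up in that order, a stand-in controller that installs one exact entry per packet-in, and three constructed traffic patterns; all addresses, ports and the controller's forwarding policy are assumptions made for the example:

```python
"""OpenFlow-style flow table with table-miss handling (constructed simulation).

Lookup order: exact-match entries first, then wildcard entries by priority.
A packet that matches nothing is a table miss and is sent to the controller
as a packet-in. This is a stand-in model, not the HPOFS hardware.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

FiveTuple = Tuple[str, str, int, int, int]


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: int          # 6 = TCP
    src_port: int
    dst_port: int
    syn: bool = False

    def key(self) -> FiveTuple:
        return (self.src_ip, self.dst_ip, self.proto, self.src_port, self.dst_port)


@dataclass
class WildcardRule:
    priority: int
    match: Dict[str, object]    # only the listed header fields must match
    action: str
    hits: int = 0

    def matches(self, pkt: Packet) -> bool:
        return all(getattr(pkt, f) == v for f, v in self.match.items())


class FlowTable:
    def __init__(self) -> None:
        self.exact: Dict[FiveTuple, List] = {}      # 5-tuple -> [action, hit counter]
        self.wildcard: List[WildcardRule] = []      # kept sorted, highest priority first

    def add_exact(self, key: FiveTuple, action: str) -> None:
        self.exact[key] = [action, 0]

    def add_wildcard(self, rule: WildcardRule) -> None:
        self.wildcard.append(rule)
        self.wildcard.sort(key=lambda r: -r.priority)

    def lookup(self, pkt: Packet) -> Optional[str]:
        entry = self.exact.get(pkt.key())
        if entry is not None:
            entry[1] += 1
            return entry[0]
        for rule in self.wildcard:
            if rule.matches(pkt):
                rule.hits += 1
                return rule.action
        return None                                  # table miss


class Controller:
    """Stand-in controller: each packet-in costs it work and installs one exact entry."""

    def __init__(self) -> None:
        self.packet_ins = 0

    def packet_in(self, pkt: Packet, table: FlowTable) -> str:
        self.packet_ins += 1
        # Assumed policy: traffic to the 10.0.0.0/24 server segment leaves on port 2.
        action = "output:2" if pkt.dst_ip.startswith("10.0.0.") else "drop"
        table.add_exact(pkt.key(), action)
        return action


class Switch:
    def __init__(self, controller: Controller) -> None:
        self.table = FlowTable()
        self.controller = controller
        self.forwarded = 0
        self.dropped = 0

    def process(self, pkt: Packet) -> str:
        action = self.table.lookup(pkt)
        if action is None:                           # first packet of a new flow
            action = self.controller.packet_in(pkt, self.table)
        if action == "drop":
            self.dropped += 1
        else:
            self.forwarded += 1
        return action


def spoofed_syn(i: int) -> Packet:
    """Constructed attack packet: a fresh source address/port for every SYN."""
    return Packet(f"203.0.113.{i % 254 + 1}", "10.0.0.5", 6, 1024 + i, 80, syn=True)


def run_established_flow(n_packets: int) -> Tuple[int, int]:
    """One legitimate flow: a single packet-in, every later packet hits the exact entry."""
    ctrl = Controller()
    sw = Switch(ctrl)
    for _ in range(n_packets):
        sw.process(Packet("192.168.1.10", "10.0.0.5", 6, 40000, 80))
    return ctrl.packet_ins, sw.forwarded


def run_syn_burst(n_syn: int) -> Tuple[int, int]:
    """Every spoofed SYN is a new flow: one packet-in and one table entry each."""
    ctrl = Controller()
    sw = Switch(ctrl)
    for i in range(n_syn):
        sw.process(spoofed_syn(i))
    return ctrl.packet_ins, len(sw.table.exact)


def run_with_wildcard_rule(n_syn: int) -> Tuple[int, int]:
    """A pre-installed wildcard entry absorbs the burst: no packet-ins, no new entries."""
    ctrl = Controller()
    sw = Switch(ctrl)
    sw.table.add_wildcard(WildcardRule(100, {"dst_ip": "10.0.0.5", "dst_port": 80}, "output:2"))
    for i in range(n_syn):
        sw.process(spoofed_syn(i))
    return ctrl.packet_ins, sw.table.wildcard[0].hits
```

run_syn_burst shows the cost the switch passes upstream: 5,000 SYNs from distinct spoofed sources cost 5,000 packet-in messages and 5,000 exact-match entries, whereas a 1,000-packet legitimate flow costs one packet-in. The wildcard case shows the trade-off of absorbing the burst in the table itself: a broad pre-installed rule stops the packet-ins but also removes the controller's view of new flows, which is why the paper keeps the lookup path unchanged and instead drops attack packets in the secure cores before they are forwarded.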
Section III presents our proposed HPOFS architecture. We introduce our prototype version using the NetFPGA-10G board in Section IV. Section V analyzes our experimental results. Finally, conclusions and future work are presented in Section VI.

II. BACKGROUND AND RELATED WORK

In this section, we summarize background and introduce related work in the literature.

A. Background

Reconfigurable technology, for example the Field Programmable Gate Array (FPGA), is a dominant technology for building high-performance computing applications as well as reconfigurable computing systems [12-13]. Compared to general-purpose processors, FPGAs provide higher performance and lower energy consumption. Compared to Application-Specific Integrated Circuits (ASICs), FPGAs allow hardware circuits to be reconfigured. With these advantages, FPGAs are widely used in both academic research and industry products. Although FPGAs are programmable, the limited hardware resources are the main drawback of FPGA technology; in other words, FPGAs are not suitable for applications that need to store huge amounts of data. Therefore, in this work, we exploit the parallelism of FPGAs to efficiently prevent DDoS attacks [14].

DDoS attack types are diverse and can be classified based on different parameters such as degree of automation, exploited weakness, source address validity, possibility of characterization, attack rate dynamics, impact on the victim, victim type, and persistence of the agent set [15]. Based on the attacked level, DDoS flooding attacks are classified into two categories: (i) network/transport-level DDoS attacks; and (ii) application-level DDoS attacks. In the literature, several DDoS defense techniques have been proposed to combat DDoS flooding attacks. These techniques are classified into the same two categories as the attacks: (i) DDoS mechanisms against network/transport-level DDoS attacks; and (ii) DDoS mechanisms against application-level DDoS attacks [16]. However, systems proposed in the
literature using these techniques are either implemented as software programs only or defend against only one DDoS attack type [17-22]. With high-speed networks, software-based DDoS countermeasure systems cannot fully decode and classify all incoming packets. Meanwhile, defending against only one DDoS attack technique is not efficient enough.

Among the DDoS filtering techniques, SYN Cookie (SYNC) is one of the most important. The SYNC algorithm is usually deployed on a target server to defend against SYN Flooding attacks [23]. Figure 1a illustrates the TCP 3-way handshake protocol, which can be exploited by attackers to make the system unresponsive to legitimate traffic. A target server without SYNC deployed has to use hardware resources (memory) to keep track of initialized connections when it receives SYN messages (1). Meanwhile, SYN Cookie (Figure 1b) attempts to protect the target server by sending a SYN/ACK message (2) with a generated SEQ number. The server then waits for a reply value (3) in the next incoming packet from the user to authenticate the user. The strength of SYNC depends on the complexity of the SEQ creation algorithm. The technique's inventor proposed a method to generate the SEQ number from incoming SYN packet header fields (IP, Ethernet port, and maximum segment size) and the current time value [24]. The main advantage of SYN Cookie is that the receiver does not need to store any connection information, which also makes it suitable for the FPGA platform.

[Figure 1: Client Side / Server Side. (a) SYN, SYN/ACK, ACK, then data exchange. (b) Server generates cookie Y and discards the SYN packet; on the returning ACK it validates Y; then data exchange.]
Figure 1. The three-way handshake protocol: (a) normal process, (b) with SYN cookies.

In the literature, there exist a number of studies that build security functions in the control plane of an SDN, such as the research in [25-28]. For example, SLICOTS [29] built a lightweight module on the control plane to prevent TCP SYN Flooding attacks by observing and installing short-term
forwarding rules to the data plane. However, the main drawback of these works is the use of controller resources, which are already a target of saturation attacks, for performing security functions. In recent years, bringing some intelligent processes from the control plane to the data plane has become a trend in SDN called stateful SDN data planes [2]; OpenState [7], FAST [30], and SDPA [31] are examples. A stateful SDN data plane relieves the bottleneck in the communication channel between the control and the data plane, but this approach introduces new security challenges such as switch memory saturation, CPU exhaustion, and state inconsistency. Although implementing SDN switches on FPGA platforms has been investigated for a while, especially for OpenFlow networks, an SDN instance, such as the work in [10], [32-33], these switches lack security capabilities, including DDoS protection. The OFX framework [8] can be considered one of the first studies that proposed building security functions in the switch. The framework allows network administrators to build security functions on both the control plane and the data plane by inserting more flow tables on the data plane. However, the switches in this work still need general-purpose processors to perform software-based security behaviors. Regarding the use of SYNC in SDN/OpenFlow switches to protect target servers against DDoS attacks, AVANT-GUARD [34] developed the Connection Migration module in the data plane. This module authenticates legitimate users using the SYN Cookies algorithm and repeats the 3-way handshake with the target server once a user is authenticated. AVANT-GUARD uses a mechanism that stores the difference between the two SEQ numbers in memory to synchronize the SEQ numbers of the two sides. Due to this mechanism, memory could be overloaded, which is the weakness of this approach. LineSwitch [35] also prevents SYN Flood attacks by combining the SYN proxy technique [36] and probabilistic
blacklisting of network traffic. The authors in [9] use the TCP reset technique to prevent SYN Flood attacks by inserting a number of switching rules into the flow table. Although there exist a number of studies augmenting security functions for SDN or OpenFlow networks, they suffer from low performance and throughput due to software-based implementation. Therefore, a high-performance and secured OpenFlow switch using hardware to achieve optimized performance is an essential demand.

III. PROPOSED ARCHITECTURE

In this section, we first introduce an overview of the use of our proposed HPOFS in the data plane of an OpenFlow network. We then present in detail the architecture of the proposed switch.

A. Overview

[Figure 2: (a) Control Plane: SDN Controller; Data Plane: OpenFlow Switches, connected to the controller by the OpenFlow Protocol. (b) HPOFS Control Plane: SDN Controller and Secure Core Monitor; HPOFS Data Plane: HPOFS OpenFlow Switches, connected by the OpenFlow Protocol.]
Figure 2. The overview of our approach: (a) traditional SDN; (b) our switches are used to protect the system.

Figure 2a depicts the architecture of an OpenFlow network, an instance of SDN. The main components are OpenFlow switches that function on the data plane and are connected to the controller through the OpenFlow protocol. This traditional architecture illustrates the centralized control of OpenFlow networks, as well as SDN. Although centralization provides many advantages, it usually suffers from many security vulnerabilities, especially saturation attacks. Our HPOFS architecture provides high-performance and secured switches based on the OpenFlow infrastructure. Moreover, thanks to reconfigurable technology, the secure cores in HPOFS are flexible and programmable. The proposed switch leverages the parallel processing ability of FPGA platforms to simultaneously perform security and switching functions. As illustrated in Figure 2b,
HPOFS allows network administrators to monitor the whole network and manage the security functions executing at the data plane. We also develop a Secure Core Monitor running on the control plane to handle the security functions of our HPOFS. Network administrators can update or modify these security functions when needed. With this ability, the proposed switch is adaptable to different attack types, an adaptability that other hardware-based security devices generally lack.

B. HPOFS Architecture

Figure 3 illustrates the FPGA-based architecture of HPOFS in detail. HPOFS follows the SDN principle by decoupling the HPOFS control plane from the HPOFS data plane and using the centralized SDN controller for routing decisions. As stated above, besides the traditional SDN controller at the control plane, we also develop a Secure Core Monitor at the control plane for monitoring and controlling the secure cores in the switches functioning at the data plane. The communication channel between the Secure Core Monitor and the secure cores also follows the OpenFlow protocol. As presented above, our proposed HPOFSes can be deployed at the data plane to protect the entire network, as depicted in Figure 2b.

Each HPOFS consists of one OpenFlow Agent executing on a general-purpose processor and a switch implemented on an FPGA device. The Agent is responsible for communicating with the associated controller and managing the flow table inside the switch. The switch processes incoming network packets according to the OpenFlow protocol and examines these packets in order to drop attacking ones. The FPGA-based architecture of the switch consists of five main blocks: Ingress, Egress, Packet Management, Switching Management, and Secure Management.

1) Ingress block

The Ingress block is responsible for receiving incoming packets through the network interfaces InPort_[1,2,...,n] and control packets through the InPort_Ctr interface. These input packets are arranged by the Input Arbiter module and
forwarded one by one to the Packet Management block. Thanks to reconfigurable technology, this arbiter can schedule packets in round-robin order or follow a priority model determined by the associated controller.

2) Egress block

In contrast to the Ingress block, the Egress block receives processed packets from the Packet Management block and stores them in the Output Queue. The block then forwards these packets to the corresponding network output ports OutPort_[1,2,...,n] or to the control output interface OutPort_Ctr, according to the decision of the Packet Management block. Packets arriving at the Egress block are legitimate packets, i.e., they are safe for the network.

Figure 3. The architecture of our high-performance and secured OpenFlow switch, HPOFS.

3) Switching Management block

The Switching Management block can be considered the main component of the switch. The block, which operates the OpenFlow switching protocol, consists of three modules:

• OpenFlow Lookup provides the interfaces to communicate with the Packet Management block. The module can also look up or update the Flow Table according to control signals generated by the Packet Management block. It also communicates with the OpenFlow Host Agent module to send data to, or receive data from, the OpenFlow Agent.
• Flow Table holds flow table entries according to the OpenFlow protocol, including exact-match and wildcard-match table entries for the switching process.
• OpenFlow Host Agent uses information received from the OpenFlow Agent to update the Flow Table and collects statistics on packet flows.

4) Secure Management block

The Secure Management block is responsible for examining packets to determine whether a packet is spoofed or harmful to the network. The block includes a Secure Controller, an OFS Scanner, and multiple Secure Cores:

• Secure Controller provides the interfaces to communicate with the Packet Management block. This module distributes
data extracted from network packets by the Packet Management block to the Secure Cores and collects scanning results from the OFS Scanner.
• Secure Cores are responsible for examining packets against different network attack types. Each core is implemented for one dedicated attack type. By dividing the scanning process into dedicated cores, we aim to apply the partial reconfiguration technique in the future and make the system more flexible and practical in use.
• OFS Scanner is the main component of the block. The module collects scanning results from the Secure Cores and feeds them back to the Secure Controller. When any Secure Core recognizes a packet as illegitimate, the OFS Scanner module issues an alert signal to the Packet Management block.

5) Packet Management block

Packet Management extracts data from incoming packets and delivers the required data to both the Switching Management and Secure Management blocks while keeping the original packets in a local buffer. When a packet is classified as legitimate, it is forwarded to the Egress block together with the routing information collected from the Switching Management block; otherwise, the packet is removed from the system. The block consists of three modules:

• Packet Pre-processing receives incoming packets forwarded from the Input Arbiter and executes the initial processing step. This includes two main tasks: extracting a set of features from the header fields of packets, and storing the incoming packets in the Packet Buffer module.
• Packet Buffer is a FIFO memory that keeps packets while they are being processed by both the Switching Management and Secure Management blocks. The main purpose of this FIFO is to increase system performance. As packets arrive at the Packet Pre-processing module frame by frame, the extraction of features from the packet header fields can be completed before the last frame arrives. The buffer allows packet flows to be received continuously without any stall.
• Packet Controller receives results from both Switching Management and Secure Management and processes the corresponding packets stored in the Packet Buffer. If an alert signal is issued by Secure Management, the corresponding packet is deleted from the buffer immediately. Otherwise, the packet, together with the routing information generated by Switching Management, is forwarded to Egress.

IV. PROTOTYPE SYSTEM

In this section, we introduce our first prototype system based on the proposed architecture presented in Section III. Three different Secure Cores are built for this first prototype version. Two of them, Hop-Count Filtering (HCF) and Port Ingress/Egress Filtering (IEF), are adapted from our previous work. In addition, we implement an efficient SYN Defender Secure Core (SYND) in this work; this section also presents that core in detail.

A. The prototype switch

The first prototype version of HPOFS is built on OpenFlow version 1.0.0 on the NetFPGA-10G platform [33], which carries the Xilinx Virtex xc5vtx240t device. A Hardware Description Language (HDL) is used to develop the modules of this version. The prototype is compatible with various controllers, such as the OpenFlow Reference controller [37] and any controller platform that supports OpenFlow version 1.0.0 (Ryu [38], the OpenDaylight control platform [39], etc.).
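The SYN Defender core introduced above is specified in Section IV.B as six packet-rewriting tasks (swap the address and port pairs, set ACK, ACK = X+1, SEQ = cookie Y, recompute checksums, send back on the ingress port), a cookie laid out as {3-bit MSS code, 5-bit timer, 24-bit hash}, an ACK check that recomputes Y and compares it with ACK-1, a RST back to the client, and a Toggle Register plus User BlockRAM that let a validated client's next SYN bypass the core once. The block below is an added software model of that exchange, written for this edit; it is not the paper's HDL. The eight-entry MSS table, the per-device secret mixed into the hash, and the two-tick freshness window are assumptions of the example: the paper lists only the timer and the four-tuple as hash inputs, and a hash over public fields alone can be recomputed by an attacker, so a secret is needed for the cookie to prove anything. The sample frame is constructed here (RFC 1918 addresses, locally administered MACs).

```python
import struct
import zlib

# Assumptions of this example (not given by the paper): the 3-bit MSS table,
# the secret folded into the hash, and the freshness window on the 5-bit timer.
MSS_CODES = (536, 1220, 1440, 1460, 4380, 8960, 9000, 65495)  # assumed table
SECRET = b"hpofs-example-secret"                              # assumed per-device secret
SYN, RST, ACK = 0x02, 0x04, 0x10


def _csum(data: bytes) -> int:
    """RFC 1071 one's-complement sum, shared by the IPv4 and TCP checksums."""
    if len(data) % 2:
        data += b"\x00"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def parse(frame: bytes) -> dict:
    """Pull the header fields SYND needs out of an Ethernet II / IPv4 / TCP frame."""
    ihl = (frame[14] & 0x0F) * 4
    tcp = frame[14 + ihl:]
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    mss, opts = 0, tcp[20:(off_flags >> 12) * 4]
    while opts and opts[0] != 0:                 # walk TCP options; kind 2 is MSS
        if opts[0] == 1:                         # NOP
            opts = opts[1:]
            continue
        if opts[0] == 2:
            mss = struct.unpack("!H", opts[2:4])[0]
        opts = opts[max(opts[1], 2):] if len(opts) > 1 else b""
    return dict(eth_dst=frame[0:6], eth_src=frame[6:12], src_ip=frame[26:30], dst_ip=frame[30:34],
                sport=sport, dport=dport, seq=seq, ack=ack, flags=off_flags & 0x1FF, mss=mss)


def build(eth_dst, eth_src, src_ip, dst_ip, sport, dport, seq, ack, flags, opts=b"") -> bytes:
    """Serialise a frame, recomputing the IPv4 and TCP checksums (SYND task 5)."""
    doff = 20 + len(opts)
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, ack, (doff // 4) << 12 | flags, 65535, 0, 0) + opts
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", _csum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0, src_ip, dst_ip)
    ip = ip[:10] + struct.pack("!H", _csum(ip)) + ip[12:]
    return eth_dst + eth_src + b"\x08\x00" + ip + tcp


def cookie(f: dict, timer: int, code=None) -> int:
    """Y = {3-bit MSS code | 5-bit timer | 24-bit hash of timer, 4-tuple and secret}."""
    if code is None:                                # SYN side: encode the client's MSS
        code = max(i for i, m in enumerate(MSS_CODES) if m <= f["mss"] or i == 0)
    tup = struct.pack("!B4sH4sHB", timer, f["src_ip"], f["sport"], f["dst_ip"], f["dport"], timer)
    return (code << 29) | ((timer & 0x1F) << 24) | (zlib.crc32(tup + SECRET) & 0xFFFFFF)


def syn_to_synack(frame: bytes, timer: int) -> bytes:
    """Tasks 1-5: swap MAC/IP/port pairs, set ACK, ACK = X+1, SEQ = Y, fix checksums."""
    f = parse(frame)
    y = cookie(f, timer)
    return build(f["eth_src"], f["eth_dst"], f["dst_ip"], f["src_ip"], f["dport"], f["sport"],
                 seq=y, ack=(f["seq"] + 1) & 0xFFFFFFFF, flags=SYN | ACK,
                 opts=struct.pack("!BBH", 2, 4, MSS_CODES[y >> 29]))


def validate_ack(frame: bytes, now: int, window: int = 2) -> bool:
    """Recompute Y from the ACK's own fields; valid iff ACK == Y + 1 and the timer is fresh."""
    f = parse(frame)
    if (f["flags"] & (SYN | ACK)) != ACK:
        return False
    y = (f["ack"] - 1) & 0xFFFFFFFF
    timer = (y >> 24) & 0x1F
    if (now - timer) % 32 > window:                 # stale cookie (the 5-bit timer wraps)
        return False
    return cookie(f, timer, code=y >> 29) == y     # MSS code is taken from Y, not recomputed


def ack_to_rst(frame: bytes) -> bytes:
    """Step (4): the validated ACK is returned as RST (SEQ = Y+1, ACK = 0) on the same port."""
    f = parse(frame)
    return build(f["eth_src"], f["eth_dst"], f["dst_ip"], f["src_ip"], f["dport"], f["sport"],
                 seq=f["ack"], ack=0, flags=RST)


class ToggleRegister:
    """Hash-indexed bit vector plus a User BlockRAM-style table that catches index collisions."""
    def __init__(self, n: int = 1024):
        self.bits, self.users = [0] * n, [None] * n

    def _index(self, f: dict) -> int:
        return zlib.crc32(f["src_ip"] + f["dst_ip"]) % len(self.bits)

    def accept(self, f: dict) -> None:             # called once the ACK has validated
        i = self._index(f)
        self.bits[i], self.users[i] = 1, (f["src_ip"], f["dst_ip"])

    def bypass(self, f: dict) -> bool:
        """True if this SYN may skip SYND; the bit is cleared so the next SYN is re-validated."""
        i = self._index(f)
        if self.bits[i] and self.users[i] == (f["src_ip"], f["dst_ip"]):
            self.bits[i] = 0
            return True
        return False


def checksums_ok(frame: bytes) -> bool:
    """Verify the IPv4 and TCP checksums of a frame."""
    ihl = (frame[14] & 0x0F) * 4
    ip, tcp = frame[14:14 + ihl], frame[14 + ihl:]
    return _csum(ip) == 0 and _csum(ip[12:20] + struct.pack("!BBH", 0, 6, len(tcp)) + tcp) == 0


# Constructed sample: client 10.0.0.2:40000 -> server 10.0.0.1:80, SYN with MSS 1460, SEQ X = 1000.
CLIENT_MAC, SERVER_MAC = bytes.fromhex("020000000002"), bytes.fromhex("020000000001")
CLIENT_IP, SERVER_IP = bytes([10, 0, 0, 2]), bytes([10, 0, 0, 1])
SYN_FRAME = build(SERVER_MAC, CLIENT_MAC, CLIENT_IP, SERVER_IP, 40000, 80,
                  seq=1000, ack=0, flags=SYN, opts=struct.pack("!BBH", 2, 4, 1460))


def handshake(timer: int = 7) -> dict:
    """Run steps (1)-(4) and the Toggle Register bookkeeping; returns the observable results."""
    synack = parse(syn_to_synack(SYN_FRAME, timer))
    y = synack["seq"]
    ack_frame = build(SERVER_MAC, CLIENT_MAC, CLIENT_IP, SERVER_IP, 40000, 80,
                      seq=1001, ack=(y + 1) & 0xFFFFFFFF, flags=ACK)      # genuine client (3)
    spoofed = build(SERVER_MAC, CLIENT_MAC, CLIENT_IP, SERVER_IP, 40000, 80,
                    seq=1001, ack=(y + 2) & 0xFFFFFFFF, flags=ACK)        # guessed cookie
    reg, valid = ToggleRegister(), validate_ack(ack_frame, now=timer)
    if valid:
        reg.accept(parse(ack_frame))
    rst, next_syn = parse(ack_to_rst(ack_frame)), parse(SYN_FRAME)
    return dict(y=y, synack_ack=synack["ack"], valid=valid, spoofed=validate_ack(spoofed, now=timer),
                stale=validate_ack(ack_frame, now=timer + 5), rst=(rst["flags"], rst["seq"], rst["ack"]),
                bypass_first=reg.bypass(next_syn), bypass_second=reg.bypass(next_syn),
                checksums=checksums_ok(syn_to_synack(SYN_FRAME, timer)))
```

Two details matter when porting this to hardware: the MSS code must be read back out of Y during validation rather than recomputed, because the client's ACK carries no MSS option, and the ACK-1 comparison is the only state the core holds before the Toggle Register entry is written, which is what keeps per-connection memory out of the flood path.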
Below we highlight the primary points of the five blocks in the architecture.

1) Ingress and Egress block

HPOFS uses all four physical interfaces of the NetFPGA-10G platform (InPort_[0,1,2,3] and OutPort_[0,1,2,3]) for receiving and forwarding network packets, respectively. The PCIe (Peripheral Component Interconnect Express) interface is used for communication between the switch and the OpenFlow Agent (InPort_Ctr and OutPort_Ctr). Currently, the round-robin algorithm [40] is used to collect incoming packets from the input ports. However, this algorithm can be changed without any modification to the other modules.

2) Switching Management block

The block is implemented in HDL according to the original OpenFlow switch [33]. We use BlockRAM (on-chip memory) to build the Flow Table in this prototype. The main advantage of BlockRAM is its performance, while its main drawback is the size limitation.

3) Secure Management block

Figure 4. The architecture of the Secure Management block.

We implement three DDoS protection mechanisms for this prototype version: HCF, IEF, and SYND. The efficient SYN Defender Secure Core is the most outstanding feature of HPOFS. The OFS Scanner, whose features are presented in the previous section, is also developed in HDL. Figure 4 depicts the details of the Secure Management block.

4) Packet Management block

The Packet Pre-processing module extracts 18 features from the header fields of packets [41]. Twelve of them are delivered to the Switching Management block, while 15 features are forwarded to the Secure Management block, as shown in Table I.

TABLE I. FIELDS FROM PACKETS EXTRACTED BY THE PRE-PROCESSING MODULE (each field is delivered to the Switching Management block, the Secure Management block, or both)

Protocol; IHL; TTL; IP src; IP dst; Ethernet src; Ethernet dst; Packet length; ToS; TCP/UDP src port; TCP/UDP dst port; Flag; Ingress port; VLAN id; VLAN priority; ACK number; MSS; TCP header checksum; Ethernet type.

On-chip memory (BlockRAM) allows memory accesses to be completed in exactly one
cycle. These properties help improve system performance. To allow packets to be processed in a pipelined fashion, BlockRAM is used to build the Packet Buffer. The width of the Packet Buffer is 256 bits, while its depth can be estimated by Equation (1). This estimate lets us allocate just enough BlockRAM: a buffer that is too small drops packets or stalls the system, while one that is too large wastes BlockRAM. According to the equation, the size of the buffer depends on both the size of the largest packet and the processing time of the Switching Management and Secure Management blocks.

$D_p = \max(P_l, C_{sw}, C_{sc}) + C_{pc}$   (1)

where:
  $D_p$: depth of the Packet Buffer FIFO
  $P_l$: number of frames of the largest packet
  $C_{sw}$: time for the Switching Management block to process the first entry
  $C_{sc}$: time for the Secure Management block to process the first entry
  $C_{pc}$: time for the Packet Controller module to process the first frame

In our implementation, the Switching Management block takes eight clock cycles to process the first extracted entry, the Secure Management block takes 11 clock cycles, and the Packet Controller module takes only two clock cycles. Thus, the Packet Buffer in HPOFS has an optimized depth $D_p$ of 11, which makes the size of the Packet Buffer equal to 352 bytes (11 entries of 256 bits).

B. SYN Defender Secure Core

The SYN Defender (SYND) Secure Core is an efficient SYN flood defense core, carefully designed with the pipeline model and suited to FPGAs. For each new incoming SYN packet, identified by its IP addresses and port header fields, the SYND core performs the following six tasks to validate legitimate users:

1. Swapping three pairs of header fields: the source and destination IP addresses, the source and destination Ethernet addresses, and the source and destination TCP ports.
2. Turning the SYN packet into a SYN-ACK packet by setting the ACK bit in the TCP flags.
3. Increasing the client SEQ number by one and placing it in the ACK number field.
4. Writing the generated cookie to the SEQ number field.
5. Recalculating the IP/TCP checksum values based on the changed fields.
6. Sending the packet back to the incoming port on which the SYN packet was received.

Compared to the work in [9], which builds DDoS attack prevention on the flow table, our SYND shares a similar mechanism. However, we outperform that work in latency, so our system prevents SYN flood attacks more efficiently. In addition, their system creates flow table rules against SYN flood attacks, which consumes flow table resources and introduces new issues such as flooding the flow table and decreasing system performance. Furthermore, the associated controller has to update the flow table rules periodically to ensure that attackers cannot predict the flow rules. In contrast, we design SYND as a reconfigurable core, so it does not require flow table updates while the SYN flood prevention system is operating.

SYND recognizes a trusted client in two stages: cookie generation and authentication. The cookie generation stage is illustrated in Figure 5. When a new SYN packet (1) arrives at HPOFS, the packet is converted into a SYN/ACK packet (2) in which the SEQ number field carries the 32-bit cookie value (Y). This value is constructed as {3-bit encoded MSS, 5-bit timer, 24-bit hash result}, where the hash is a CRC32 over (Timer, SrcIP, SrcPort, DstIP, DstPort) truncated to 24 bits. After receiving the SYN/ACK packet (2), the client replies with an ACK packet (3) whose ACK number is Y increased by one. The SYND core again generates the cookie value from the information in the ACK packet and compares it with the ACK number. A match means that the user is valid. When a user is accepted, SYND updates two values, one in the Toggle Register and one in the User BlockRAM (on-chip memory).

Figure 5. Cookie generation stage in SYND. Exchange between the client and the HPOFS data plane: (1) SYN (SEQ = X); (2) SYN/ACK (SEQ = Y, ACK = X+1), with Y generated using SYN cookies; (3) ACK (SEQ = X+1, ACK = Y+1); (4) RST (SEQ = Y+1, ACK = 0). SYND validates Y, computes Index = H(SrcIP, DstIP), toggles the Toggle Register entry to 1 when the user is valid, and records the user in the User BlockRAM.

The Toggle Register is used to keep track of the users connected to the system. The SYND core calculates an index into the Toggle Register by hashing the IP addresses and then sets the value at that position to 1. Note that the initial value of the Toggle Register is 0. A collision can happen when hashing to find the index for a user in the Toggle Register; we create the User BlockRAM to overcome this collision issue. SYND writes the IP addresses of validated users into the User BlockRAM. If the bit at position index in the Toggle Register is 1 and the entry at position index in the User BlockRAM stores valid information (IP addresses), the next SYN packet coming from this source is sent directly to the control plane without being converted into a SYN/ACK packet, i.e., the source has been validated before. After receiving a valid ACK packet (step (3)), SYND converts the ACK packet into a RST packet (4) by applying the six tasks above again. However, instead of setting the ACK bit in the TCP flags, SYND must clear the TCP flags value and then set the RST bit. Moreover, SYND also sets the ACK number of the RST packet to 0 to establish a connection reset request. Finally, HPOFS sends the RST packet back to the incoming port on which the ACK packet was received.

Figure 6. Authentication stage in SYND.

The authentication stage (depicted in Figure 6) verifies SYN packets from validated users using the results from both the Toggle Register and the User BlockRAM (5). A SYN packet belonging to a known user bypasses the SYND core. The valid SYN packet (6) is then processed using the flow table rules (sent to the control plane). Meanwhile, the value indicating this SYN packet in the Toggle Register is set to zero, so that the next SYN packet belonging to this flow must be validated again through the cookie generation stage. Figure 7 presents our proposed 5-stage pipeline architecture for
the SYND core.

Figure 7. The architecture of our proposed SYND core.

V. EXPERIMENTS

In this section, we analyze the hardware resource usage of the first prototype version. We conduct a number of experiments to test system performance as well as the SYN Defender core.

A. Hardware resource usage and power consumption

As stated above, we use the NetFPGA-10G board with the Xilinx Virtex-5 xc5vtx240t device, which includes 149,760 Registers, 149,760 LUTs, 324 BlockRAMs, and 37,440 Slices in total. The prototype system is synthesized with Xilinx ISE 14.7 without any manual optimization. The results show that our system can work at up to 100.231 MHz and uses 80,080 (53.47%) Registers, 70,825 (47.29%) LUTs, 200 (61.73%) BlockRAMs, and 29,578 (79.00%) Slices. Table II breaks down the hardware resource usage of the main blocks and cores in HPOFS.

TABLE II. HARDWARE RESOURCE USAGE

HPOFS blocks/cores   | Register        | LUT             | BRAM        | Slice
Ingress              | 17,441 (11.65%) | 14,980 (10.00%) | 52 (16.05%) | 3,334 (8.90%)
Egress               | 20,355 (13.59%) | 17,530 (11.71%) | 45 (13.89%) | 4,228 (11.29%)
Switching Management | 3,930 (2.62%)   | 5,421 (3.62%)   | 27 (8.33%)  | 3,885 (10.38%)
Packet Management    | 4,920 (3.28%)   | 5,131 (3.43%)   | 19 (5.86%)  | 4,389 (11.72%)
Secure Management    | 5,005 (3.34%)   | 3,183 (2.13%)   | (0.96%)     | 1,527 (4.08%)
OFS Scanner          | 394 (0.26%)     | 322 (0.22%)     | 0 (0.00%)   | 122 (0.33%)
IEF                  | 53 (0.04%)      | 69 (0.05%)      | 0 (0.00%)   | 18 (0.05%)
HCF                  | 263 (0.18%)     | 727 (0.49%)     | 17 (5.25%)  | 183 (0.49%)
SYND                 | 1,959 (1.31%)   | 2,205 (1.47%)   | 2 (0.62%)   | 599 (1.60%)

We then use the Xilinx Power Analyzer tool to estimate the power consumption of two systems: HPOFS without any secure core (simple HPOFS) and the full HPOFS with the aforementioned security functions (full HPOFS). Table III presents the hardware resource usage (columns 2, 3, and 4) and the power consumption (column 5) of the two systems when implemented on the NetFPGA-10G board. According to the table, the full HPOFS needs only an extra 50 mW of power compared to the HPOFS without any security functions.

TABLE III. COMPARISON OF DIFFERENT SYSTEMS IN TERMS OF RESOURCES AND POWER CONSUMPTION

Systems      | Registers | LUTs | BRAM | Power
Simple HPOFS | 49%       | 45%  | 56%  | 11.990 W
Full HPOFS   | 55%       | 49%  | 59%  | 12.040 W

B. System performance analysis

To evaluate the performance of the first prototype version of our HPOFS, we use three NetFPGA-10G boards: one for our switch and two with OSNT (Open Source Network Tester) [42] installed to generate and monitor network traffic. Figure 8 illustrates the interconnect topology of this test. We conduct three test scenarios to evaluate system throughput. The first scenario analyzes the processing capacity of one port of HPOFS, the second tests all four ports, and the third compares HPOFS with the original OpenFlow Switch 1.0.0 (OFW) architecture.

Figure 8. The testing model used in our experiments.

In the first test scenario, we evaluate the processing ability of a single port of our HPOFS by measuring throughput in both half-duplex and full-duplex modes. Figure 9 shows the throughput of a single port of HPOFS for different packet sizes, ranging from the smallest packet size of 62 B (SYN packets) to 1500 B. For each packet size, the left column depicts the total generating speed of the OSNT generators, while the middle and right columns show the throughput of a single HPOFS port in half-duplex and full-duplex modes, respectively. According to the figure, a single HPOFS port can process at up to 9.87 Gbps in half-duplex and 19.74 Gbps in full-duplex mode.

Figure 9. Throughput of a single port of our HPOFS.

In the second test scenario, we evaluate the throughput of our HPOFS when all ports of the switch are used. Figure 10 illustrates the results of this measurement for various packet sizes. For each group, the left column shows the total sending speed of the OSNT generators; this is also the speed of all incoming packets arriving at
our HPOFS. The right column presents the processing speed of the switch. The results show that with SYN packets (62 B), HPOFS is able to process packets at 27.91 Gbps (93.78% of the incoming packets). According to the figure, the throughput of the switch increases as the packet size increases. In particular, when the packet size is larger than 512 B, the HPOFS throughput equals the OSNT generator speed.

Finally, we compare our switch with the original OFW 1.0.0 architecture built on the same platform. Processing speeds and drop rates are analyzed for this comparison. Table IV shows the results of this test for packet sizes from 62 B to 1500 B. For each packet size, we measure three parameters for both our switch and the OFW 1.0.0 switch: the total packet generating speed of the OSNT generators (the Incoming column), the processing speed (the Outgoing column), and the drop rate (the Drop column). According to the table, our HPOFS outperforms OFW 1.0.0 in both processing speed and drop rate. Moreover, OFW 1.0.0 is not able to process incoming flows with packets of 512 B and larger, while our switch achieves good throughput and drop rates with large packets. We achieve a throughput of up to 39.48 Gbps with 1500-byte packets.

Figure 10. Throughput of all four ports of our HPOFS.

TABLE IV. COMPARISON RESULTS BETWEEN OUR SWITCH AND THE ORIGINAL OPENFLOW SWITCH

System    | Packet size (bytes) | Incoming (Gbps) | Outgoing (Gbps) | Drop (%)
OFW 1.0.0 | SYN (62)            | 29.76           | 25.76           | 13.44
OFW 1.0.0 | 64                  | 30.92           | 26.78           | 13.39
OFW 1.0.0 | 128                 | 34.72           | 32.18           | 7.32
OFW 1.0.0 | 256                 | 37.16           | 36.04           | 3.01
OFW 1.0.0 | 512                 | 38.52           | 0               | 100
OFW 1.0.0 | 1024                | 39.24           | 0               | 100
OFW 1.0.0 | 1500                | 39.48           | 0               | 100
HPOFS     | SYN (62)            | 29.76           | 27.91           | 6.21
HPOFS     | 64                  | 30.92           | 29.01           | 6.18
HPOFS     | 128                 | 34.72           | 33.79           | 2.69
HPOFS     | 256                 | 37.16           | 36.98           | 0.48
HPOFS     | 512                 | 38.52           | 38.51           | 0.03
HPOFS     | 1024                | 39.24           | 39.24           | 0.0012
HPOFS     | 1500                | 39.48           | 39.48           | 0.0012

C. SYN Defender core performance

In this section, we present our experiments evaluating the SYN Defender core in both throughput and accuracy. We set up two test scenarios for validating and evaluating the SYND core. The first scenario validates the soundness and correctness of the core and evaluates its throughput. For this scenario, three NetFPGA-10G boards are used with the same interconnect topology as in the previous section; the boards with OSNT installed generate SYN flood attack packets at different network speeds. Figure 11 shows the results of this test in both throughput and detection rate. The left and right columns show the speed of the incoming SYN flood attack packets and of the SYN/ACK packets returned by our system, respectively. Together with the throughputs, the two lines illustrate the detection rate and the packet drop rate. According to the figure, our SYN Defender core prevents all SYN flood attack packets arriving at the system (the detection rate is 100% at all tested speeds). When the attack speed exceeds 27.91 Gbps, some incoming packets are dropped (the last point). Note that dropped packets are packets that cannot enter the protected system regardless of whether they are legitimate, i.e., the system is not affected by the attack. In other words, the core prevents SYN flood attacks at up to 27.91 Gbps while still processing normal packets.

Figure 11. Throughput of the SYN Defender core.

The second scenario deploys the core in a real physical network to compare it with other works in the literature in terms of packets per second (pps), response time (ms), and defense overhead (ms, %). Figure 12 depicts our testing model for this scenario. We set up a web server with a 10G NIC, two NetFPGA-10G boards, a Cisco Catalyst 2960-S Series switch, and several user computers, as follows:

• Web server (IP address 172.28.25.185): an Intel Core i5-6500 3.2 GHz with 8 GB of RAM running Ubuntu 16.04 and web services (XAMPP for Linux 5.6.20-0), connected to HPOFS through the 10G NIC.
This web server is the target server protected by our HPOFS.
• 10G NIC (Intel E10G42BTDA Server Adapter X520-DA2): the interface connecting the web server to our HPOFS.
• NetFPGA-10G boards: one board (hosted in a machine with an Intel Core i3-2120, 3.2 GHz x 4, 4 GB of RAM, Fedora 14) runs OSNT to generate SYN flood attacks at high speed, while the other NetFPGA-10G board (hosted in a machine with an Intel Core i7-4770, 3.4 GHz x 8, 16 GB of RAM, Ubuntu 14.04) hosts our HPOFS to protect both the web server and the control plane.
• Cisco Catalyst 2960-S Series switch (WS-C2960S-24TD-L): the interface connecting our HPOFS to the network. This switch operates as a layer-2 switch to exchange network packets between devices over two different interface types, RJ-45 and SFP+.
• User computers (IP addresses in 172.28.25.0/24): both normal clients and attackers, connected to the web server. The attackers in the network use the hping3 tool to generate SYN flood attacks against the web server at IP address 172.28.25.185.

Figure 12. The physical system used for validating and evaluating the SYND core.

We use OSNT to generate SYN flood attack packets at throughputs from 3.72 Gbps to 14.88 Gbps, the latter corresponding to about 30,000,000 packets per second (pps). The experimental results show that legitimate clients on the user computers are able to establish connections to the web server despite SYN flood attacks of up to 14.88 Gbps.

Table V compares five proposals in the literature, SLICOTS [29], Avant-Guard [34], OFX [8], NAS (Network Anti-Spoofing with SDN data plane) [9], and OFW 1.0.0 [33], with our HPOFS in the case of SYN flood defense. The SYN Flood column shows the number of SYN flood attack packets per second sent to the system. The Response Time column is the time for a normal client to retrieve web services under the corresponding attack. The Overhead columns (in ms and %) are the latencies that the systems add to operate their security functions; these overhead values are used for the comparison between our work and the proposals in the literature. Where the table reports two measurements for a system, both are given, separated by a slash. The less

TABLE V. COMPARISON BETWEEN OUR PROPOSED SYND CORE AND OTHER PROPOSALS IN THE LITERATURE

System      | SYN Flood (pps) | Response Time (ms) | Overhead (ms) | Overhead (%)
SLICOTS     | 350             | 240 / 1,900        | 110 / 1,770   | 84.62 / 1,361.54
Avant-Guard | 800             | 399 / 400.1        | 7.3 / 8.4     | 1.86 / 2.14
OFX         | 50,000          | 4.581 / 6.581      | 0.31 / 2.31   | 7.26 / 46.83
NAS         | 200,000         | N/A                | 0.033 / 0.034 | N/A
OFW 1.0.0   | 300             | 0.935 / ∞          | 0.002 / ∞     | ∞
HPOFS       | 29,062,500      | 1.047 / 1.183      | 0.248         | 11.98 / 26.52

Due to its platform, SLICOTS is only able to protect its system against attacks at less than 350 pps, with a latency of around 1,700-1,900 ms, giving an overhead of up to 1,361.54%. Avant-Guard can serve client requests during SYN flood attacks at 800 pps with only 7.3 ms of overhead. OFX is tested at 50,000 pps to 100,000 pps and produces 2.31 ms of overhead. NAS uses a flow table to filter attacks with only 0.034 ms of overhead at 200,000 pps before dropping packets; however, the authors do not report the response time of their system. According to these results, our HPOFS built on the NetFPGA-10G platform outperforms the most well-known SYN flood defense systems in the literature, protecting the system against attacks at about 30,000,000 pps with only 0.248 ms of overhead.

VI. CONCLUSION AND FUTURE WORK

In this paper, we proposed a high-performance and secured OpenFlow switch for FPGA devices. The switch not only routes packets from source to destination but also examines network packets to protect the system against different network attacks. The two processes execute in parallel on FPGA technology. We implemented our first prototype version on a Xilinx xc5vtx240t FPGA device with three different secure cores for DDoS protection: Hop-Count Filtering, Port Ingress/Egress Filtering, and a SYN flood attack defender, where the first two cores are adapted from our previous work. In this
work, we design and implement a pipelined SYN defender core for our switch. The core is able to protect the system against attacks of up to 30,000,000 packets per second with only 0.248 ms of overhead, which outperforms the well-known cores in the literature. The first prototype switch can function at 100.321 MHz and achieves 78.96 Gbps throughput in full-duplex mode.

REFERENCES

[1] Open Networking Foundation, "Software-Defined Networking (SDN) Definition," [Online]. Available: https://www.opennetworking.org/sdn-definition/ [Accessed 28 December 2017].
[2] T. Dargahi, A. Caponi, M. Ambrosin, G. Bianchi and M. Conti, "A Survey on the Security of Stateful SDN Data Planes," IEEE Communications Surveys & Tutorials, 2017. doi:10.1109/comst.2017.2689819
[3] S. Scott-Hayward, G. O'Callaghan and S. Sezer, "SDN Security: A Survey," in 2013 IEEE SDN for Future Networks and Services (SDN4FNS), 2013. doi:10.1109/sdn4fns.2013.6702553
[4] S. Scott-Hayward, S. Natarajan and S. Sezer, "A Survey of Security in Software Defined Networks," IEEE Communications Surveys & Tutorials, vol. 18, pp. 623-654, 2016. doi:10.1109/comst.2015.2453114
[5] Y. Hu, W. Wang, X. Gong, X. Que and S. Cheng, "BalanceFlow: Controller load balancing for OpenFlow networks," in 2012 IEEE 2nd International Conference on Cloud Computing and Intelligence Systems, 2012. doi:10.1109/ccis.2012.6664282
[6] T. Koponen, M. Casado, N. Gude, J. Stribling, L. Poutievski, M. Zhu, R. Ramanathan, Y. Iwata, H. Inoue, T. Hama and others, "Onix: A distributed control platform for large-scale production networks," in Proceedings of the 9th USENIX Conference on Operating Systems Design and Implementation, 2010.
[7] G. Bianchi, M. Bonola, A. Capone and C. Cascone, "OpenState: programming platform-independent stateful OpenFlow applications inside the switch," ACM SIGCOMM Computer Communication Review, vol. 44, pp. 44-51, 2014. doi:10.1145/2602204.2602211
[8] J. Sonchack, J. M. Smith, A. J. Aviv and E. Keller, "Enabling Practical Software-defined Networking Security Applications with OFX," in NDSS, 2016.
[9] Y. Afek, A. Bremler-Barr and L. Shafir, "Network anti-spoofing with SDN data plane," in INFOCOM 2017 - IEEE Conference on Computer Communications, 2017. doi:10.1109/infocom.2017.8057008
[10] N. McKeown, T. Anderson, H. Balakrishnan, G. Parulkar, L. Peterson, J. Rexford, S. Shenker and J. Turner, "OpenFlow: Enabling Innovation in Campus Networks," SIGCOMM Comput. Commun. Rev., vol. 38, pp. 69-74, 2008. doi:10.1145/1355734.1355746
[11] C. Pham-Quoc, B. Nguyen and T. N. Thinh, "FPGA-based Multicore Architecture for Integrating Multiple DDoS Defense Mechanisms," SIGARCH Comput. Archit. News, vol. 44, pp. 14-19, 2017. doi:10.1145/3039902.3039906
[12] M. C. Herbordt, T. VanCourt, Y. Gu, B. Sukhwani, A. Conti, J. Model and D. DiSabello, "Achieving high performance with FPGA-based computing," Computer, vol. 40, 2007. doi:10.1109/mc.2007.79
[13] T. El-Ghazawi, E. El-Araby, M. Huang, K. Gaj, V. Kindratenko and D. Buell, "The promise of high-performance reconfigurable computing," Computer, vol. 41, 2008. doi:10.1109/mc.2008.65
[14] K. B. Margaret Rouse, "Distributed denial of service attack," [Online]. Available: http://whatis.techtarget.com/definition/roundrobin [Accessed 16 November 2017].
[15] J. Mirkovic and P. Reiher, "A taxonomy of DDoS attack and DDoS defense mechanisms," ACM SIGCOMM Computer Communication Review, vol. 34, pp. 39-53, 2004. doi:10.1145/997150.997156
[16] S. T. Zargar, J. Joshi and D. Tipper, "A Survey of Defense Mechanisms Against Distributed Denial of Service (DDoS) Flooding Attacks," IEEE Communications Surveys & Tutorials, vol. 15, pp. 2046-2069, 2013. doi:10.1109/surv.2013.031413.00127
[17] P. Ferguson and D. Senie, "Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing," IETF RFC 2827, 2000.
[18] Y. Xiang and W. Zhou, "Classifying DDoS packets in high-speed networks," Computer Science and Network Security, vol. 6, pp. 107-115, 2006.
[19] T. Katashita, Y. Yamaguchi, A. Maeda and K. Toda, "FPGA-based intrusion detection system for 10 gigabit ethernet," Information and Systems, vol. 90, pp. 1923-1931, 2007.
[20] X. Wang, M. Li and M. Li, "A scheme of distributed hop-count filtering of traffic," in Wireless Mobile and Computing, 2009. doi:10.1049/cp.2009.2004
[21] M. Ayman, E. Imad, K. Ayman and C. Ali, "IP Spoofing Detection Using Modified Hop Count," IEEE Advanced Information Networking and Applications, 2014. doi:10.1109/aina.2014.62
[22] R. Maheshwari, C. R. Krishna and M. S. Brahma, "Defending network system against IP spoofing based distributed DoS attacks using DPHCF-RTT packet filtering technique," in Issues and Challenges in Intelligent Computing Techniques, 2014. doi:10.1109/icicict.2014.6781280
[23] TechTerms, "SYN Flood," [Online]. Available: https://techterms.com/definition/syn_flood [Accessed 19 October 2017].
[24] D. J. Bernstein, "SYN cookies, 1996," [Online]. Available: http://cr.yp.to/syncookies.html, 2016.
[25] S. Shin, P. A. Porras, V. Yegneswaran, M. W. Fong, G. Gu and M. Tyson, "FRESCO: Modular Composable Security Services for Software-Defined Networks," in NDSS, 2013.
[26] S. Hong, L. Xu, H. Wang and G. Gu, "Poisoning Network Visibility in Software-Defined Networks: New Attacks and Countermeasures," in NDSS, 2015.
[27] P. Porras, S. Shin, V. Yegneswaran, M. Fong, M. Tyson and G. Gu, "A security enforcement kernel for OpenFlow networks," in Proceedings of the First Workshop on Hot Topics in Software Defined Networks, 2012. doi:10.1145/2342441.2342466
[28] R. Braga, E. Mota and A. Passito, "Lightweight DDoS flooding attack detection using NOX/OpenFlow," in 2010 IEEE 35th Conference on Local Computer Networks (LCN), 2010. doi:10.1109/lcn.2010.5735752
[29] R. Mohammadi, R. Javidan and M. Conti, "SLICOTS: An SDN-Based Lightweight Countermeasure for TCP SYN Flooding Attacks," IEEE Transactions on Network and Service Management, 2017. doi:10.1109/tnsm.2017.2701549
[30] M. Moshref, A. Bhargava, A. Gupta, M. Yu and R. Govindan, "Flow-level state transition as a new switch primitive for SDN," in Proceedings of the Third Workshop on Hot Topics in Software Defined Networking, 2014. doi:10.1145/2620728.2620729
[31] S. Zhu, J. Bi, C. Sun, C. Wu and H. Hu, "SDPA: Enhancing stateful forwarding for software-defined networking," in 2015 IEEE 23rd International Conference on Network Protocols (ICNP), 2015. doi:10.1109/icnp.2015.45
[32] J. Naous, D. Erickson, G. A. Covington, G. Appenzeller and N. McKeown, "Implementing an OpenFlow switch on the NetFPGA platform," in Proceedings of the 4th ACM/IEEE Symposium on Architectures for Networking and Communications Systems, 2008. doi:10.1145/1477942.1477944
[33] T. Yabe, "OpenFlow implementation on NetFPGA-10G: Design Document," [Online]. Available: https://docs.google.com/document/d/1ZwHXQZocKwQls6Ted8VZO8h9MjBtu9WxV2fAY44eOgE/edit [Accessed November 2017].
[34] S. Shin, V. Yegneswaran, P. Porras and G. Gu, "AVANT-GUARD: Scalable and vigilant switch flow management in software-defined networks," in Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security, 2013. doi:10.1145/2508859.2516684
[35] M. Ambrosin, M. Conti, F. De Gaspari and R. Poovendran, "LineSwitch: Efficiently Managing Switch Flow in Software-Defined Networking While Effectively Tackling DoS Attacks," in Proceedings of the 10th ACM Symposium on Information, Computer and Communications Security, New York, NY, USA, 2015. doi:10.1145/2714576.2714612
[36] FireHOL, "Working with SYNPROXY," [Online]. Available: https://github.com/firehol/firehol/wiki/Working-with-SYNPROXY [Accessed November 2017].
[37] OpenFlow, "OpenFlow Switching Reference System," [Online]. Available: http://archive.openflow.org/wp/downloads/ [Accessed 16 November 2017].
[38] "Ryu," [Online]. Available: https://osrg.github.io/ryu/ [Accessed 16 November 2017].
[39] "OpenDaylight," [Online]. Available: https://www.opendaylight.org/ [Accessed 16 November 2017].
[40] M. Rouse, "Round Robin," [Online]. Available: http://whatis.techtarget.com/definition/round-robin [Accessed 16 November 2017].
[41] "Ethernet II - Frame Types, Packet details," [Online]. Available: https://vijayababuj.wordpress.com/2015/04/05/ethernet-ii-frametypes-packet-details/ [Accessed 16 November 2017].
[42] Cambridge University, "Open Source Network Tester," [Online]. Available: http://osnt.org/ [Accessed January 2018].

CURRICULUM VITAE

DUC MINH NGO

Personal information
Born in Vietnam, 05 June 1994
Email: ndminh@hcmut.edu.vn
Phone: (+84) 9825 078 23

Work experience
2018–Present: Computer Engineering Lab, Vietnam National University. Managing and preparing the lab's equipment for experiment classes; participated in the NetFPGA research group and also worked as a teaching assistant. Reference: VNU, +98 (028) 3864 7256, website (online).
2017–2018: Teaching Assistant, Vietnam National University. Participated in research projects and also worked as a teaching assistant. Reference: VNU, +98 (028) 3864 7256, website (online).

Education
2017–Present: Master of Computer Science, Vietnam National University, Ho Chi Minh City. GPA: 8.38 (not yet graduated). Thesis: A High-Performance Anomaly-based Intrusion Detection System for SDN Networks. Description: This thesis investigates the detection of network intruders in the Software-Defined Networking (SDN) architecture. The main contribution of this research is applying machine learning techniques (classification and neural networks) to the data plane of SDN on parallel platforms (FPGA and GPU). Advisor: Assoc. Prof. Dr. Tran Ngoc Thinh.
2012–2017: Bachelor of Computer Engineering, Vietnam National University, Ho Chi Minh City. GPA: 8.39 (graduated), Honor Class. Description: This degree focused heavily on fundamental knowledge of computers and personal skills.

Publications
December 2018, Security and Communication Networks: An Efficient High-Throughput and Low-Latency
SYN Flood Defender for High-Speed Networks, Security and Communication Networks, Volume 2018, 2018 Authors: Duc-Minh Ngo, Cuong Pham-Quoc, and Tran Ngoc Thinh computer skills Intermediate Advanced python, html, LATEX, Microsoft Windows FPGA, Computer Hardware, Machine learning, Linux, Verilog (Hardware description language), C, C++ other information Languages · Mothertongue Vietnamese English · Intermediate (conversationally fluent) Interests Guitar · Volleyball · Running · Swimming · Traveling October 29, 2019 ... far as I am concerned, this thesis proposes a high performance anomaly- based intrusion detection system for SDN networks In details, acceleration hardware platforms which are FPGA and GPU are used... application, control plane, and data plane layers attacks and anomaly- based attacks) that are deployed in hardware platform are discussed and compared 2.8.1 S ECURITY ON THE CONTROL PLANE Many studies propose... SDN DATA PLANE FORWARDING DEVICES This part proposes a hardware -based architecture for secured SDN forwarding devices in the data planes The hardware -based forwarding devices are targeted for implementing

Posted: 04/03/2021, 20:49