3.1 Secured SDN Data Plane Forwarding Devices

Part of the document A high performance anomaly based intrusion detection system for sdn networks (Pages 48 - 52)

This part proposes a hardware-based architecture for secured SDN forwarding devices in the data plane. The hardware-based forwarding devices are targeted at parallel computing platforms such as FPGA and GPU. Using parallel computing hardware platforms allows switching and security tasks to be performed concurrently and increases performance in filtering and detecting malicious packets. This work is developed from a previous system [27] that proposed a hardware-based architecture for a secured OpenFlow switch. This work extends that architecture to accommodate two more security methods to protect the system against multiple forms of attack. Figure 3.1 depicts our proposed architecture, which includes four main components as follows.

(1) OpenFlow Function: containing a flow-table and performing flows lookup for new incoming packets;

(2) Pre-scanner: including lightweight scanning cores which focus on preventing DDoS attacks;


(3) F-NIDS (FPGA-based Network Intrusion Detection System): using installed snort rules to detect matched packets;

(4) F-ANIDS (FPGA-based Anomaly-based Network Intrusion Detection System): detecting harmful packets based on trained neural network models.

[Figure 3.1 block diagram: Ethernet Packets (Epkt) enter over the System Bus into Header Extraction, which feeds the FIFO, OpenFlow Function, Pre-scanner (Distributor, Detector, Core 1 ... Core n, Collector), F-NIDS (Controller, Header, Payload, Collector, Packaging) and F-ANIDS (FEM with two Buffers, Normalization, Model Construction, Trained Model, Packaging). The Packet Controller and Packet Queue emit the original Ethernet Packet (Epkt) and Generated Packets (Gpkt).]

Figure 3.1: Hardware-based forwarding device architecture with OpenFlow Function and three secure methods including Pre-scanner, F-NIDS, and F-ANIDS.

The following paragraphs present details of blocks in our proposed architecture.

Header extraction block has connections to five other blocks: F-ANIDS, F-NIDS, Pre-scanner, OpenFlow function, and FIFO. To execute scanning and provide switching decisions, the three security mechanisms and the OpenFlow Function need the header fields of incoming packets. Header extraction receives network packets and is responsible for extracting the necessary header fields for F-ANIDS, F-NIDS, Pre-scanner, and OpenFlow function. Besides, after extracting header fields, this block forwards the payloads of packets to F-NIDS (with snort rules installed) for content matching. Furthermore, we create a FIFO memory for storing packets; thus, the Header extraction block can process new incoming packets in a pipeline while the security and switching blocks are still executing.

F-ANIDS block is designed for a complete progression from training to inference of an ANN and includes the following modules:

• The FEM module (Feature Extraction Module) receives extracted header fields from the Header extraction block and creates a statistic report of each connection in an identical interval (k clocks). This module consists of two Buffers to store statistic reports and to ensure the response time of the system by swapping their roles. One buffer operates as a memory to collect the statistical data while the other serves as an output memory.

• The Normalization module receives reports from the FEM module and performs two tasks: integer to floating-point number conversion and floating-point value normalization.

• The Model Construction module is responsible for building a neural network model based on normalized data from the Normalization module.

• The Trained Model module accepts the constructed model from the Model Construction module and executes the inference phase with data from Normalization.

• The Packaging module collects both data from Normalization and scanning results from Trained Model to pack them into packets which are sent to the controller or administrator.
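The FEM double-buffer behaviour and the Normalization module's two tasks, as an added software model written for this page (not the thesis's RTL): two statistic buffers swap roles every k clocks, and each finished report is converted to floats and min-max scaled. The per-connection feature set (packets, bytes, SYN flags), the connection key and the sample headers are assumed.

```python
from collections import defaultdict

# Assumed feature layout per connection: packets, bytes, SYN flags.
FEATURES = 3


class FEM:
    """Two statistic buffers swap roles every k clocks: one collects, one is read out."""

    def __init__(self, k):
        self.k, self.clock, self.active, self.reports = k, 0, 0, []
        self.buffers = [defaultdict(lambda: [0] * FEATURES) for _ in range(2)]

    def tick(self, header=None):
        """Advance one clock, ingesting at most one extracted header into the collecting buffer."""
        if header is not None:
            stat = self.buffers[self.active][(header["src"], header["dst"], header["dport"])]
            stat[0] += 1                 # packets seen in this interval
            stat[1] += header["len"]     # bytes
            stat[2] += header["syn"]     # SYN flags (a natural SYN-flood feature)
        self.clock += 1
        if self.clock % self.k == 0:     # interval boundary: swap buffer roles
            done = self.buffers[self.active]
            self.reports.append({key: list(v) for key, v in done.items()})  # output memory
            self.active ^= 1
            self.buffers[self.active].clear()  # former output buffer becomes the collector


def normalize(report):
    """Normalization module: integer counters -> float, then min-max scale each feature to [0, 1]."""
    if not report:
        return {}
    cols = list(zip(*report.values()))
    lo, hi = [float(min(c)) for c in cols], [float(max(c)) for c in cols]

    def scale(i, v):  # constant feature columns map to 0.0 instead of dividing by zero
        return 0.0 if hi[i] == lo[i] else (float(v) - lo[i]) / (hi[i] - lo[i])

    return {key: tuple(scale(i, v) for i, v in enumerate(stat)) for key, stat in report.items()}


def demo(k=4):
    """Run 2k clocks of constructed headers (two connections); return raw and normalized reports."""
    a = {"src": "10.0.0.1", "dst": "10.0.0.9", "dport": 80, "len": 60, "syn": 1}
    b = {"src": "10.0.0.2", "dst": "10.0.0.9", "dport": 22, "len": 500, "syn": 0}
    fem = FEM(k)
    for h in [a, a, b, None, a, None, None, None]:  # None = idle clock, no packet
        fem.tick(h)
    return fem.reports, [normalize(r) for r in fem.reports]
```

With k = 4 the eight clocks yield two reports; the second interval sees only one connection, so every feature column is constant and normalizes to 0.0.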

F-NIDS block detects attacks based on snort rules. This component consists of five modules as follows.

• The Controller module collects extracted data, which are header fields and payloads (packet contents), from the Header Extraction block and forwards them to the Header and Payload modules.

• The Header module detects attacks by matching header fields with snort header rules.

• The Payload module compares the payload with snort payload rules.

• The Collector module collects both packet fields and results from Header and Payload.

• The Packaging module obtains data from Collector to build packets which are sent to the controller or administrator.

Pre-scanner block takes advantage of the hardware-based architecture to operate scanning cores in parallel. The component includes three main modules and several DDoS scanning cores as follows.

• The Distributor module receives extracted fields from Header extraction and distributes them to the Detector module and all scanning cores.

• The Collector module collects scanning results from all scanning cores and gives feedback to the Packet controller block (discussed later). When a packet is considered a potential risk, the Collector module issues an alert signal to the Packet controller block.

• The Detector module can be used to detect attacks and to prompt the Distributor block to enable the scanning cores that can handle the corresponding attacks.

• Core i modules are used to prevent DDoS attacks. Each core should be lightweight and operate a unique DDoS prevention mechanism. In this chapter, we also introduce the SYN flood defender (SYND) core architecture in standalone mode.

OpenFlow Function block holds a flow-table to produce forwarding decisions. This block receives the collected header fields from the Header extraction block and looks up decisions in the flow-table.

FIFO memory block holds packets while they are being processed by other blocks.

FIFO memory can effectively increase system performance because the header-extraction task can process the next incoming packets while the security and switching blocks are busy. The buffer allows packet flows to be forwarded continuously.

Packet Controller block receives results from two blocks, Pre-scanner and OpenFlow Function, to execute decisions for the corresponding packets stored in FIFO memory. If a packet is marked as harmful by Pre-scanner, the corresponding packet is dropped or forwarded directly to the administrator depending on the flow configuration. Otherwise, the packet is transferred to the proper port based on the routing information found by OpenFlow Function.

Packet Queue block receives results (output packets and decisions) from the F-ANIDS, F-NIDS, and Packet controller blocks. There are two types of output packets: (1) Ethernet Packet (Epkt), representing the original incoming packets from Packet Controller; and (2) Generated Packet (Gpkt), containing scanning results and information from F-ANIDS and F-NIDS. Output packets are forwarded to the corresponding network output ports or to the network administrator (control plane).
