
An elastic intrusion detection system for software networks

Annals of Telecommunications

Abstract

Internal users are the main cause of anomalous and suspicious behavior in a communication network. Even when traditional security middleboxes are present, internal attacks may lead the network to outages or to leakage of sensitive information. In this article, we propose BroFlow, an Intrusion Detection and Prevention System based on the Bro traffic analyzer and on the global network view that OpenFlow provides in software-defined networks (SDN). BroFlow's main contributions are (i) dynamic and elastic provisioning of traffic-analyzing machines on demand; (ii) real-time detection of DoS attacks through simple algorithms implemented in a policy language for network events; (iii) immediate reaction to DoS attacks, dropping malicious flows close to their sources; and (iv) near-optimal placement of sensors through a proposed heuristic for strategically positioning a minimum number of sensors in a network infrastructure shared by multiple tenants. We developed a prototype of the proposed system and evaluated it in a virtual environment of the Future Internet Testbed with Security (FITS). An evaluation of the system under attack shows that BroFlow guarantees the forwarding of legitimate packets at the maximal link rate, reducing the maximal network delay caused by the attack by up to 90 %. BroFlow reaches a 50 % bandwidth gain compared with conventional firewall approaches, even when the attackers are legitimate tenants acting in collusion. In addition, the system reduces the number of sensors while keeping full coverage of network flows.
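The abstract names two mechanisms without giving their details: a sensor placement that covers every flow with a minimum number of sensors (contribution iv), and a simple, event-driven DoS detector whose reaction is to drop the malicious flow close to its source (contributions ii and iii). The following is an added illustration of both, not the paper's code: it assumes a greedy set-cover heuristic for the placement (the paper's own heuristic is not described on this page), a fixed SYN-per-window threshold as the detection rule, and a constructed topology, flow table and packet trace in which one host floods another with SYNs.

```python
"""Added illustration (not BroFlow's code) of minimum-sensor placement and
threshold-based SYN-flood detection with a drop rule near the source.
Everything below (topology, flows, events, heuristic, threshold) is assumed."""
from collections import Counter

# Constructed global view: each flow (src, dst) with the ordered list of
# switches it traverses, as an OpenFlow controller would know it.
FLOWS = {
    ("h1", "h5"): ["s1", "s3", "s5"],
    ("h2", "h5"): ["s2", "s3", "s5"],
    ("h3", "h6"): ["s2", "s4", "s6"],
    ("h4", "h6"): ["s1", "s4", "s6"],
    ("h1", "h6"): ["s1", "s4", "s6"],
}

SYN_THRESHOLD = 5  # assumed: SYNs per window from one source before flagging


def place_sensors(flows):
    """Greedy set cover (assumed heuristic): repeatedly pick the switch that
    lies on the most still-uncovered flows until every flow passes at least
    one sensor. Returns the chosen switches in selection order."""
    uncovered = set(flows)
    chosen = []
    while uncovered:
        coverage = Counter()
        for fid in uncovered:
            for sw in flows[fid]:
                coverage[sw] += 1
        # sorted() gives a deterministic tie-break between equal coverages
        best = max(sorted(coverage), key=lambda sw: coverage[sw])
        chosen.append(best)
        uncovered -= {fid for fid in uncovered if best in flows[fid]}
    return chosen


def observed_by(event, sensors, flows):
    """Sensors that see this event: those sitting on the event's flow path."""
    path = flows.get((event["src"], event["dst"]), [])
    return [sw for sw in sensors if sw in path]


def detect_syn_flood(events, sensors, flows, threshold=SYN_THRESHOLD):
    """Per-source SYN count over events the sensors actually observed; an
    event is counted once even if several sensors see it. Stands in for the
    policy-language detection script. Returns flagged sources, sorted."""
    syns = Counter()
    for e in events:
        if e["flags"] == "S" and observed_by(e, sensors, flows):
            syns[e["src"]] += 1
    return sorted(src for src, n in syns.items() if n > threshold)


def drop_rule_near_source(src, flows):
    """OpenFlow-style drop rule for the attacker's ingress switch (the first
    hop of its flows), so the flood is stopped before it crosses the core.
    An empty action list means drop."""
    ingress = sorted({flows[fid][0] for fid in flows if fid[0] == src})
    if not ingress:
        return None
    return {"switch": ingress[0],
            "match": {"nw_src": src, "tcp_flags": "SYN"},
            "actions": []}


def make_events():
    """Constructed trace: one SYN and one ACK per legitimate pair, plus a
    burst of 20 SYNs from h4 toward h6."""
    events = []
    for src, dst in [("h1", "h5"), ("h2", "h5"), ("h3", "h6"), ("h1", "h6")]:
        events.append({"src": src, "dst": dst, "flags": "S"})
        events.append({"src": src, "dst": dst, "flags": "A"})
    events += [{"src": "h4", "dst": "h6", "flags": "S"} for _ in range(20)]
    return events


def run(threshold=SYN_THRESHOLD):
    """Place sensors, run detection over the trace, build reaction rules."""
    sensors = place_sensors(FLOWS)
    attackers = detect_syn_flood(make_events(), sensors, FLOWS, threshold)
    rules = [drop_rule_near_source(a, FLOWS) for a in attackers]
    return sensors, attackers, rules


if __name__ == "__main__":
    print(run())
```

With the constructed topology the greedy pass selects s1 and s2, which together sit on all five flows (no single switch does, so two is also the optimum here); the flood from h4 is observed at s1, exceeds the threshold, and the resulting drop rule targets s1, h4's ingress switch, rather than the victim's side of the network.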



Notes

  1. http://www.noxrepo.org/pox/about-pox/.

  2. http://openvswitch.org/

  3. http://www.gta.ufrj.br/fits.

  4. www.topology-zoo.org


Acknowledgment

We also thank Lyno Henrique Gonçalves Ferraz, Antonio Lobato and Ulisses Figueredo for their significant contributions to obtain the results.


Corresponding author

Correspondence to Martin Andreoni Lopez.

Additional information

This work was supported by CNPq, CAPES, and FAPERJ.

About this article

Cite this article

Lopez, M.A., Ferrazani Mattos, D.M. & Duarte, O.C.M.B. An elastic intrusion detection system for software networks. Ann. Telecommun. 71, 595–605 (2016). https://doi.org/10.1007/s12243-016-0506-y
