Computer Science and Information Systems 2021 Volume 18, Issue 3, Pages: 867-891
https://doi.org/10.2298/CSIS200206049G


Intrusion prevention with attack traceback and software-defined control plane for campus networks

Guo Guangfeng (College of Computer Science, Inner Mongolia University, Hohhot, China; Baotou Teachers' College, Inner Mongolia University of Science & Technology, Baotou, China), guoguangfeng@163.com
Zhang Junxing (College of Computer Science, Inner Mongolia University, Hohhot, China), junxing@imu.edu.cn
Ma Zhanfei (Baotou Teachers' College, Inner Mongolia University of Science & Technology, Baotou, China), mazhanfei@163.com

Like traditional networks, the software-defined campus network suffers from intrusion attacks. Current intrusion prevention solutions do not meet the requirements of the campus network, and existing attack traceback methods are either limited to specific protocols or incur high overhead. To protect the data center (DC) of the campus network from both internal and external attacks, we propose an Intrusion Prevention System (IPS) based on coordinated control between the detection engine, the attack traceback agent, and the software-defined control plane. Our solution includes a novel algorithm that infers the best switch port at which to block attacks of different kinds and scales, based on the inverse HSA (Header Space Analysis) and the global view held by the software-defined controller. The proposed scheme blocks malicious traffic effectively and in a timely manner, protecting the victim hosts and also sparing the rest of the network the unwanted transmission load. The IPS is deployed on the bypass of the DC switch and collects network traffic by port mirroring. Compared with the traditional in-line (serial) deployment, this design helps defend against DC-internal attacks, reduces the probability of network congestion, and avoids a single point of failure. The experimental results show that the overhead of our IPS is low enough to meet real-time requirements: the average defense time is between 10 and 14 ms for DC-internal attacks of different scales, and for external attacks the maximum defense time is about 76 ms in a large-scale network with 100 switches.

Keywords: IPS, Intrusion Prevention System, SDN, Software-defined Network, Attack Traceback, Inverse Forwarding Function, HSA, Header Space Analysis, Campus Networks, DC, Data Center
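The following is an added illustration of the idea the abstract describes (inverse header-space traceback plus a controller's global view to pick a blocking port); it is not the paper's algorithm or code. The toy DC fabric, the ternary header format (2 bits source id, 2 bits destination id), the source-aware edge rules, and the "block at the last hop common to all traced paths" policy are all assumptions made for the example.

```python
from collections import namedtuple

Rule = namedtuple("Rule", "switch in_port match out_port")

def ts_intersect(a, b):
    """Intersect two ternary header strings over {'0','1','x'}; None if empty (HSA wildcard semantics)."""
    out = []
    for ca, cb in zip(a, b):
        if ca == "x":
            out.append(cb)
        elif cb == "x" or ca == cb:
            out.append(ca)
        else:
            return None
    return "".join(out)

# Constructed toy topology (assumption): hosts behind edge switches s1 (ports 1,2) and s2 (port 1),
# aggregation switch agg, DC switch dc whose port 1 faces the victim. Header = src(2 bits) + dst(2 bits).
# Edge rules bind a host port to its source id; core rules forward on destination only.
RULES = [
    Rule("s1", 1, "0011", 3), Rule("s1", 2, "0111", 3),   # s1 uplink is port 3
    Rule("s2", 1, "1011", 2),                             # s2 uplink is port 2
    Rule("agg", 1, "xx11", 3), Rule("agg", 2, "xx11", 3), # agg uplink is port 3
    Rule("dc", 2, "xx11", 1),                             # dc core port 2 -> victim port 1
]
LINKS = [(("s1", 3), ("agg", 1)), (("s2", 2), ("agg", 2)), (("agg", 3), ("dc", 2))]

def upstream(switch, port):
    """Controller topology view: the (switch, port) on the far end of a link, or None for a host-facing port."""
    for a, b in LINKS:
        if a == (switch, port):
            return b
        if b == (switch, port):
            return a
    return None

def traceback(header, victim_switch, victim_port):
    """Inverse forwarding: from the header seen at the victim port, walk backwards through every rule
    that could have emitted it, narrowing the header by each rule's match. Returns (path, header) pairs
    where path is the list of (switch, in_port) hops from the victim outward, ending at an ingress port."""
    results = []

    def walk(switch, out_port, h, path):
        for r in RULES:
            if r.switch != switch or r.out_port != out_port:
                continue
            h2 = ts_intersect(h, r.match)          # inverse of the rule: only headers matching it
            hop = (switch, r.in_port)
            if h2 is None or hop in path:          # no contribution, or a loop
                continue
            up = upstream(switch, r.in_port)
            if up is None:                         # host-facing port: a candidate attack ingress
                results.append((path + [hop], h2))
            else:
                walk(up[0], up[1], h2, path + [hop])

    walk(victim_switch, victim_port, header, [])
    return results

def best_block_port(paths):
    """Blocking policy (assumption): the port nearest the attacker(s) whose blocking covers every
    traced path, i.e. the last hop shared by all paths. A single source is blocked at its ingress."""
    if not paths:
        return None
    if len(paths) == 1:
        return paths[0][0][-1]
    common = []
    for hops in zip(*(p for p, _ in paths)):
        if len(set(hops)) != 1:
            break
        common.append(hops[0])
    return common[-1] if common else None

def plan_block(attack_header, victim_switch="dc", victim_port=1):
    """Return the (switch, port) at which the controller should install a drop rule for attack_header."""
    return best_block_port(traceback(attack_header, victim_switch, victim_port))

if __name__ == "__main__":
    for h in ("0011", "0x11", "xx11"):   # one source, both s1 hosts, all sources
        print(h, "->", plan_block(h))
```

The three sample headers show the "varied scales" point: a single spoof-free source traces to one ingress and is blocked at the edge; an attack from both hosts on s1 is stopped at the aggregation port that serves s1; a fabric-wide flood of the victim can only be stopped at the DC switch itself. Source-aware edge rules are what let the inverse transfer function narrow the header; with destination-only rules everywhere the traceback degenerates to "every ingress port".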