Intrusion tolerant architecture for SDN networks through flow monitoring

Cited by: 0
Authors
Manu, B. [1]
Koundinya, Anjan K. [1]
Affiliation
[1] RV Coll Engn, Dept Comp Sci, Bangalore, Karnataka, India
Source
2017 2ND INTERNATIONAL CONFERENCE ON COMPUTATIONAL SYSTEMS AND INFORMATION TECHNOLOGY FOR SUSTAINABLE SOLUTION (CSITSS-2017) | 2017
Keywords
SDN; Intrusion tolerant Architecture; Opendaylight;
DOI
Not available
Chinese Library Classification number
TP39 [Computer applications];
Discipline classification code
081203 ; 0835 ;
Abstract
Security is of paramount importance for any system to function without disruptions of any kind. But protecting the underlying infrastructure from the diverse types of attacks is not easy. While complete protection is still a distant reality, the notion of tolerance to intrusion is a compelling concept. In intrusion tolerant architectures, instead of trying to prevent every single intrusion, intrusions are allowed but tolerated. The system has the means to trigger mechanisms that prevent an intrusion from causing a system failure. There are many papers on intrusion tolerant systems in classical IP-based networks, but very few introduce the concept of intrusion tolerance in software-defined networks (SDN). SDN is an emerging architecture that detaches the control plane from the data plane. The SDN control plane consists of a controller which can control the entire network. This centralized view of the network, with the ability to program the network through external applications, can be used for developing an intrusion tolerant architecture. In the proposed architecture, an Intrusion Detection Module needs to be developed in the OpenDaylight SDN controller. It monitors the packet count for flows. The packet rate is calculated by requesting flow statistics from the switch and monitoring packet counts at different intervals. If the rate exceeds the threshold value, a higher priority flow with the same match criteria is added with the action punt to controller. This flow has an idle timeout of 5 seconds, which prevents overburdening the controller with a lot of packets. The next few packets are thus punted to the controller. The controller performs deep packet inspection, and if the packet is from a known sender, appropriate rate limiting is done at the beginning of the pipeline. Otherwise, if the packet is from an unknown source, a new flow is added with the relevant match details and an action of drop. This drops all the packets sent from the unknown sender, thereby protecting the system from failure.
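The decision logic the abstract describes, sketched as an added example that is not code from the paper and does not use the OpenDaylight API. The threshold value, the allow-list that stands in for deep packet inspection, the dictionary shape of the flows, and the use of table 0 as "the beginning of the pipeline" are all assumptions.

```python
from dataclasses import dataclass

THRESHOLD_PPS = 1000.0         # assumed value; the abstract does not give one
PUNT_IDLE_TIMEOUT_S = 5        # idle timeout stated in the abstract
KNOWN_SENDERS = {"10.0.0.5"}   # constructed allow-list standing in for DPI

@dataclass
class FlowStat:
    """One flow-statistics reply for a single flow (constructed shape)."""
    match: str          # match criteria of the monitored flow
    priority: int
    packet_count: int   # cumulative counter reported by the switch
    polled_at: float    # poll time in seconds

def packet_rate(prev: FlowStat, cur: FlowStat) -> float:
    """Packets per second between two polls of the same flow."""
    interval = cur.polled_at - prev.polled_at
    if interval <= 0:
        return 0.0
    delta = cur.packet_count - prev.packet_count
    if delta < 0:       # counter restarted, e.g. the flow was reinstalled
        delta = cur.packet_count
    return delta / interval

def punt_flow_if_over_threshold(prev: FlowStat, cur: FlowStat):
    """Return the higher-priority punt flow to install, or None."""
    if packet_rate(prev, cur) <= THRESHOLD_PPS:
        return None
    return {"match": cur.match, "priority": cur.priority + 1,
            "action": "punt_to_controller",
            "idle_timeout": PUNT_IDLE_TIMEOUT_S}

def decide_after_inspection(src_ip: str) -> dict:
    """Controller decision for a punted packet, keyed on its sender."""
    match = f"ipv4_src={src_ip}"
    if src_ip in KNOWN_SENDERS:
        # Known sender: rate limit at the start of the pipeline (table 0 assumed).
        return {"match": match, "table": 0, "action": "rate_limit"}
    # Unknown sender: a drop flow for everything it sends.
    return {"match": match, "action": "drop"}
```

Because the punt flow copies the match criteria and only raises the priority, it shadows the original flow until its idle timeout expires, after which forwarding falls back to the original entry.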
Pages: 284 / 288
Page count: 5