VARMAN: Multi-plane security framework for software defined networks

Cited by: 64
Authors
Krishnan, Prabhakar [1 ]
Duttagupta, Subhasri [2 ]
Achuthan, Krishnashree [1 ]
Affiliations
[1] Amrita Vishwa Vidyapeetham, Ctr Cybersecur Syst & Networks, Amritapuri, India
[2] Amrita Vishwa Vidyapeetham, Dept Comp Sci & Engn, Amritapuri, India
Keywords
SDN; NFV; SDNFV; IoT; Cloud; Edge networks; DDoS; Botnet; Malware; Network security; Threat analytics; Security; IDS; IPS; NIDS; Machine learning; Deep learning; CICIDS2017;
DOI
10.1016/j.comcom.2019.09.014
CLC classification
TP [Automation technology, computer technology];
Discipline code
0812 ;
Abstract
In the context of future networking technologies, the Software-Defined paradigm offers compelling solutions and advantages for traffic orchestration and shaping, flexible and dynamic routing, programmable control and smart application-driven resource management. But SDN operation has to confront critical issues and technical vulnerabilities, security problems and threats in the enabling technical architecture itself. To address the critical security problems in SDN-enabled data centers, we propose a collaborative "Network Security and Intrusion Detection System (NIDS)" scheme called "VARMAN: adVanced multi-plAne secuRity fraMework for softwAre defined Networks". The SDN security scheme comprises coarse-grained flow monitoring algorithms on the data plane for rapid anomaly detection and prediction of network-centric DDoS/botnet attacks, combined with a fine-grained hybrid deep-learning-based classifier pipeline on the control plane. It is observed that existing ML-based classifiers improve the accuracy of NIDS, but at the cost of higher processing power and memory requirements, which makes them unrealistic for real-time solutions. To address these problems while still achieving accuracy and speed, we designed a hybrid model combining both deep and shallow learning techniques, implemented in an improved SDN stack. The data plane deploys attack prediction and behavioral trigger mechanisms, efficient data filtering, feature selection, and data reduction techniques. To demonstrate the practical feasibility of our security scheme in real modern data centers, we utilized the popular NSL-KDD dataset and the more recent CICIDS2017 dataset, and refined them into a balanced dataset containing a comparable number of normal traffic and malware samples. We further augmented the training by organically generating datasets from lab-simulated and public-network-hosted hackathon websites.
The results show that the VARMAN framework is capable of detecting attacks in real time with accuracy above 98% under attack intensities up to 50k packets/second. In a multi-controller interconnected SDN domain, the flow setup time improves by 70% on average, and controller response time reduces by 40%, without incurring additional latency due to security intelligence processing overhead in the SDN stack. Comparisons of VARMAN under similar attack scenarios and test environments with related recent works that utilized ML-based NIDS demonstrate that our scheme offers higher accuracy, a false positive rate below 5% for various attack intensities, and significant training space/time reduction.
Pages: 215 / 239
Page count: 25