Intrusion Prevention with Attack Traceback and Software-defined Control Plane for Campus Networks
College of Computer Science, Inner Mongolia University, 010021 Hohhot, China
guoguangfeng@163.com, junxing@imu.edu.cn
Baotou Teachers' College, Inner Mongolia University of Science & Technology, 014030 Baotou, China
mazhanfei@163.com
Abstract
Like traditional networks, the software-defined campus network also suffers from intrusion attacks. Current intrusion prevention solutions cannot meet the requirements of the campus network, and existing attack traceback methods are either limited to specific protocols or incur high overhead. To protect the data center (DC) of the campus network from internal and external attacks, we propose an Intrusion Prevention System (IPS) based on coordinated control between the detection engine, the attack traceback agent, and the software-defined control plane. Our solution includes a novel algorithm that infers the best switch port at which to block attacks of different kinds and scales, based on inverse HSA (Header Space Analysis) and the global view of the software-defined controller. The proposed scheme blocks malicious traffic effectively and in a timely manner, protecting victim hosts from attacks and also sparing the whole network the burden of unwanted transmission. The proposed IPS is deployed on the bypass of the DC switch and collects network traffic by port mirroring. Compared with the traditional serial (inline) deployment, this design helps defend against attacks originating inside the DC, reduces the probability of network congestion, and avoids a single point of failure. The experimental results show that the overhead of our IPS is very low, which enables it to meet real-time requirements. The average defense time is between 10 and 14 ms for data center internal attacks of different scales. For external attacks, the maximum defense time is about 76 ms for a large-scale network with 100 switches.
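To make the traceback idea in the abstract concrete, the following added example (not the paper's code or algorithm) walks an observed attack header backwards through a constructed toy SDN topology by inverting each switch's forwarding rules, in the spirit of inverse header space analysis. It assumes a three-switch topology, prefix-based flow rules, a fixed map of what is attached to each leaf port, and ingress anti-spoofing on the external uplink; all of these are constructed for illustration. The defender's choice is the candidate port farthest from the victim, so the drop rule stops the traffic before it crosses the rest of the network.

```python
"""Toy inverse-forwarding traceback for choosing where to install a block rule.

Added example; topology, rules, hosts and attack headers are constructed and
are not taken from the paper. The traceback starts at the DC switch, where the
IPS sees mirrored traffic, and walks upstream to the port nearest the source.
"""
from ipaddress import ip_address, ip_network
from typing import Dict, List, NamedTuple, Optional, Tuple

Port = Tuple[str, int]  # (switch name, port number)


class Rule(NamedTuple):
    in_port: Optional[int]  # None = matches any ingress port
    src: str                # source prefix the rule matches
    dst: str                # destination prefix the rule matches
    out_port: int           # forwarding action


# Flow tables (constructed). DC servers sit in 10.0.0.0/24 behind port 1 of "dc".
RULES: Dict[str, List[Rule]] = {
    "dc": [Rule(None, "0.0.0.0/0", "10.0.0.0/24", 1)],
    "s1": [Rule(2, "10.0.1.0/24", "10.0.0.0/24", 1),   # internal client subnet -> DC
           Rule(3, "0.0.0.0/0", "10.0.0.0/24", 1)],    # external uplink -> DC
    "s2": [Rule(None, "10.0.1.0/24", "10.0.0.0/24", 1)],
}

# Switch-to-switch links (constructed): (switch, port) -> (neighbour, neighbour port).
LINKS: Dict[Port, Port] = {
    ("dc", 2): ("s1", 1), ("s1", 1): ("dc", 2),
    ("s1", 2): ("s2", 1), ("s2", 1): ("s1", 2),
}

# What hangs off each leaf port (constructed). "external" is the campus uplink.
INTERNAL = [ip_network("10.0.0.0/16")]
ATTACH = {
    ("s1", 3): "external",
    ("s2", 2): ip_network("10.0.1.7/32"),
    ("s2", 3): ip_network("10.0.1.9/32"),
}


def all_ports(switch: str) -> List[int]:
    """Every port of a switch known from links and leaf attachments."""
    return sorted({p for s, p in list(LINKS) + list(ATTACH) if s == switch})


def can_originate(port: Port, src) -> bool:
    """Could a packet with this source address really enter at this leaf port?"""
    attached = ATTACH[port]
    if attached == "external":
        # Assumption: the uplink applies ingress anti-spoofing, so internal
        # addresses cannot arrive from outside.
        return not any(src in net for net in INTERNAL)
    return src in attached


def traceback(switch: str, out_port: int, src, dst, hops: int = 0,
              seen: Optional[set] = None) -> List[Tuple[str, int, int]]:
    """Inverse forwarding step: which leaf ports could have delivered (src, dst)
    so that it leaves `switch` on `out_port`? Returns (switch, port, hops)."""
    seen = (seen or set()) | {(switch, out_port)}
    found: List[Tuple[str, int, int]] = []
    for rule in RULES[switch]:
        if rule.out_port != out_port:
            continue
        if src not in ip_network(rule.src) or dst not in ip_network(rule.dst):
            continue  # rule could not have matched this header
        candidates = ([rule.in_port] if rule.in_port is not None
                      else [p for p in all_ports(switch) if p != out_port])
        for q in candidates:
            key = (switch, q)
            if key in ATTACH:
                if can_originate(key, src):
                    found.append((switch, q, hops))
            elif key in LINKS:
                upstream, up_port = LINKS[key]
                if (upstream, up_port) not in seen:
                    found.extend(traceback(upstream, up_port, src, dst, hops + 1, seen))
    return found


def best_block_port(src: str, dst: str) -> Port:
    """Pick the candidate port farthest from the victim (closest to the source)."""
    hits = traceback("dc", 1, ip_address(src), ip_address(dst))
    if not hits:
        raise LookupError("no consistent ingress port for this header")
    switch, port, _ = max(hits, key=lambda h: h[2])
    return (switch, port)


def block_rule(src: str, dst: str) -> dict:
    """OpenFlow-style drop rule (empty action list) for the chosen port."""
    switch, port = best_block_port(src, dst)
    return {"switch": switch, "in_port": port, "nw_src": src, "nw_dst": dst, "actions": []}


if __name__ == "__main__":
    print(block_rule("10.0.1.7", "10.0.0.5"))     # internal attacker: block at s2 port 2
    print(block_rule("203.0.113.9", "10.0.0.5"))  # external attacker: block at s1 port 3
```

Two points carry over from the abstract. The traceback is protocol-agnostic because it inverts forwarding rules rather than parsing application traffic, and an internal attack (source 10.0.1.7) is stopped at the access switch s2 rather than at the DC switch, so the aggregation link s1-dc never carries it; an external attack is stopped at the uplink port of s1.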
Key words
IPS, Intrusion Prevention System, SDN, Software-defined Network, Attack Traceback, Inverse Forwarding Function, HSA, Header Space Analysis, Campus Networks, DC, Data Center
Digital Object Identifier (DOI)
https://doi.org/10.2298/CSIS200206049G
Publication information
Volume 18, Issue 3 (June 2021)
Year of Publication: 2021
ISSN: 2406-1018 (Online)
Publisher: ComSIS Consortium
How to cite
Guo, G., Zhang, J., Ma, Z.: Intrusion Prevention with Attack Traceback and Software-defined Control Plane for Campus Networks. Computer Science and Information Systems, Vol. 18, No. 3, 867–891. (2021), https://doi.org/10.2298/CSIS200206049G