SDN-Based Kernel Modular Countermeasure for Intrusion Detection

  • Tommy Chin
  • Kaiqi Xiong
  • Mohamed Rahouti
Conference paper
Part of the Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering book series (LNICST, volume 238)


Software-Defined Networking (SDN) has become a core networking technology, but Denial of Service (DoS) has proved to be a serious attack vector in SDN environments. A variety of Intrusion Detection and Prevention Systems (IDPS) have been proposed for detecting and mitigating DoS threats, but they often impose significant performance overhead and long mitigation times, which make them impractical. To address these issues, we propose KernelDetect, a lightweight kernel-level intrusion detection and prevention framework. KernelDetect combines modular string searching and filtering mechanisms with SDN techniques. Since Aho-Corasick is an exact multi-pattern string matching algorithm and a Bloom filter provides fast, approximate (partial) matching, we design KernelDetect to leverage the strengths of both algorithms together with SDN. Moreover, we compare KernelDetect with two traditional IDPS, SNORT and BRO, on a real-world testbed. Comprehensive experimental studies demonstrate that KernelDetect is efficient and outperforms SNORT and BRO in threat detection and mitigation.
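As an added illustration (example code written for this page, not KernelDetect's implementation or code from the authors), the following userspace C program shows one way the two techniques named in the abstract fit together: a Bloom filter built over fixed-length byte windows of every signature acts as an approximate pre-filter that can only err on the side of false positives, and an Aho-Corasick automaton gives the exact multi-pattern verdict for the payloads that get through it. The signature set and the packet payloads are constructed samples; the window length WIN, the FNV-1a based hashing and the way the two stages are chained are assumptions of this example, since the abstract does not describe KernelDetect's internals.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Two-stage payload inspection (example, not KernelDetect's code):
 * stage 1: Bloom filter over WIN-byte windows of each signature (approximate),
 * stage 2: Aho-Corasick automaton over raw bytes (exact, multi-pattern). */

#define MAX_NODES  128   /* trie capacity: sum of signature lengths + 1 */
#define ALPHA      256   /* raw bytes */
#define BLOOM_BITS 4096
#define BLOOM_K    3     /* hash functions per entry */
#define WIN        4     /* window length; must not exceed the shortest signature */

/* Constructed sample signature set (assumption, not from the paper). */
static const char *sigs[] = { "/etc/passwd", "cmd.exe", "<script>" };
#define NSIGS 3

static int next_[MAX_NODES][ALPHA]; /* goto function, completed into a DFA */
static int fail_[MAX_NODES];
static int out_[MAX_NODES];         /* bitmask of signatures ending at this state */
static int nnodes;
static uint8_t bloom[BLOOM_BITS / 8];

static uint32_t fnv1a(const uint8_t *p, size_t n, uint32_t seed)
{
    uint32_t h = 2166136261u ^ (seed * 0x9e3779b9u);
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 16777619u; }
    return h;
}

static void bloom_add(const uint8_t *p, size_t n)
{
    for (uint32_t s = 0; s < BLOOM_K; s++) {
        uint32_t b = fnv1a(p, n, s) % BLOOM_BITS;
        bloom[b / 8] |= (uint8_t)(1u << (b % 8));
    }
}

/* true = "maybe present" (false positives possible); false = "definitely absent". */
static bool bloom_maybe(const uint8_t *p, size_t n)
{
    for (uint32_t s = 0; s < BLOOM_K; s++) {
        uint32_t b = fnv1a(p, n, s) % BLOOM_BITS;
        if (!(bloom[b / 8] & (1u << (b % 8)))) return false;
    }
    return true;
}

/* Build both structures from sigs[]. A signature shorter than WIN would never
 * reach the exact stage, so that is rejected up front. */
static bool build(void)
{
    memset(next_, 0, sizeof next_); memset(fail_, 0, sizeof fail_);
    memset(out_, 0, sizeof out_);   memset(bloom, 0, sizeof bloom);
    nnodes = 1;
    for (int i = 0; i < NSIGS; i++) {
        const uint8_t *s = (const uint8_t *)sigs[i];
        size_t len = strlen(sigs[i]);
        if (len < WIN) return false;
        int v = 0;
        for (size_t j = 0; j < len; j++) {
            if (!next_[v][s[j]]) next_[v][s[j]] = nnodes++;
            v = next_[v][s[j]];
        }
        out_[v] |= 1 << i;
        for (size_t j = 0; j + WIN <= len; j++) bloom_add(s + j, WIN);
    }
    /* BFS over the trie: failure links, full goto table, inherited outputs. */
    int queue[MAX_NODES], qh = 0, qt = 0;
    for (int c = 0; c < ALPHA; c++)
        if (next_[0][c]) queue[qt++] = next_[0][c];
    while (qh < qt) {
        int v = queue[qh++];
        for (int c = 0; c < ALPHA; c++) {
            int u = next_[v][c];
            if (!u) { next_[v][c] = next_[fail_[v]][c]; continue; }
            fail_[u] = next_[fail_[v]][c];
            out_[u] |= out_[fail_[u]]; /* a suffix may end a shorter signature */
            queue[qt++] = u;
        }
    }
    return true;
}

/* Exact stage: one DFA transition per byte; returns the bitmask of matched signatures. */
static int ac_scan(const uint8_t *p, size_t n)
{
    int v = 0, hits = 0;
    for (size_t i = 0; i < n; i++) { v = next_[v][p[i]]; hits |= out_[v]; }
    return hits;
}

/* Full pipeline. *prefiltered records whether the Bloom stage let the payload through. */
static int inspect(const uint8_t *p, size_t n, bool *prefiltered)
{
    *prefiltered = false;
    for (size_t i = 0; i + WIN <= n; i++)
        if (bloom_maybe(p + i, WIN)) { *prefiltered = true; break; }
    if (!*prefiltered) return 0;  /* definitely clean: the automaton is skipped */
    return ac_scan(p, n);         /* confirms or rejects the approximate hit */
}

/* Single-integer form: signature bitmask in the low byte, pre-filter flag in bit 8. */
static int inspect_str(const char *s)
{
    bool pre;
    int hits = inspect((const uint8_t *)s, strlen(s), &pre);
    return (pre ? 0x100 : 0) | hits;
}

int main(void)
{
    const char *pkts[] = {              /* constructed sample payloads */
        "GET /index.html HTTP/1.1",         /* benign */
        "GET /../../etc/passwd HTTP/1.1",   /* exact signature present */
        "GET /etc/passwX HTTP/1.1",         /* shares windows with a signature: Bloom hit, AC miss */
        "x=<script>cmd.exe",                /* two signatures */
    };
    if (!build()) return 1;
    for (size_t i = 0; i < sizeof pkts / sizeof *pkts; i++) {
        int r = inspect_str(pkts[i]);
        printf("%-34s prefilter=%d hits=0x%x\n", pkts[i], r >> 8, r & 0xff);
    }
    return 0;
}
```

The third sample payload shares several 4-byte windows with a signature, so the Bloom stage passes it and the automaton rejects it; that is the false-positive path the exact stage exists to absorb. Because a Bloom filter never yields a false negative, a payload it rejects can skip the automaton entirely, which is where the per-packet saving comes from. A production filter would also have to handle signatures that straddle packet boundaries, which this example does not.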


Keywords: Aho-Corasick; Bloom filters; Intrusion detection system; Security; Software Defined Networking (SDN)



We acknowledge the National Science Foundation (NSF) for partially sponsoring this work under grants #1633978, #1620871, #1620862 and #1636622, and BBN/GPO project #1936 through an NSF/CNS grant. We also thank the Florida Center for Cybersecurity for a seed grant. The views and conclusions contained herein are those of the authors and should not be interpreted as necessarily representing the official policies, either expressed or implied, of the NSF.

Copyright information

© ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering 2018

Authors and Affiliations

  1. Rochester Institute of Technology, Rochester, USA
  2. University of South Florida, Tampa, USA
