cvonrosp
This article is by Paulo Torres Gouveia of Novabase, one of the companies joining us at Cisco Live Milan in the DevNet Zone. Will you be joining us as well?

Over the past three decades, computer science has advanced rapidly. The last decade in particular has seen a revolution in end-user equipment. Our servers have grown a thousand-fold in intelligence and computing capacity, and links have undergone a similar transformation. The way networking is built, however, did not see this evolution through those decades until now. This lack of flexibility has become a constraint on creating innovative services within data centers and enterprises, bearing in mind that networks are an important part of the emerging public and private clouds. Moreover, operators have no way to optimize their networks for the specific use cases relevant to their business, which reduces their opportunity to offer customized solutions to their clients.

The Software Defined Networking (SDN) paradigm is a huge opportunity to transform and evolve how today's networks work. SDN is an operational and programmable network architecture that opens new opportunities for networking solutions and for innovative applications. SDN is a new approach to IP networks that centralizes all management and control in a single entity, the controller, decoupling the data/forwarding plane from the control plane.

Novabase began working on SDN to build more capable and reliable network solutions. We believe this new paradigm will change the way networking is done, delivering better security and quality of service. SDN will demand complex data processing, and complex data processing takes a lot of time. If SDN is to be useful, that processing must be sped up, so SDN data-processing algorithms and protocols are a natural evolutionary direction from SDN's current stage. Furthermore, statistical analysis applied to network security can efficiently track changes in networks; such changes may mean that an attack is taking place or that some other anomaly is occurring.

Novabase has started building SDN-based solutions that leverage security analysis and lower the impact of attacks on infrastructures. Our first work was to investigate, test and develop a network security sensor application that illustrates how flexibly and easily an anomaly detection algorithm can be implemented on an SDN architecture using the standardized protocol, OpenFlow. By accessing the OpenFlow statistics (counters) held by the controller, the algorithm can analyze real-time information about the network. For this, we investigated the applicability of nonparametric statistics to detecting network security changes in an SDN environment, namely Denial-of-Service (DoS) attacks. Under a simulated attack, many more packets are expected on the network (in most cases, thousands of SYN packets), with uniform size (near 50 bytes) and long-lived flows (more than 5 minutes). Given this, the variation of these variables can be tested over time, looking for this kind of change with nonparametric statistical hypothesis tests. If a change occurs, some of these variables are expected to shift together, indicating a possible attack.

The data for analysis and response can be collected either from specific SDN flows or from the physical switch ports, since OpenFlow can deliver statistics for both. The flows match only on the destination IP address (the web server address) and the service type (port 80 for HTTP traffic). By analyzing the flow statistics, the application "knows" that if the algorithm detects a network state change (an association among those three counters), it can only be in traffic directed to the web server. After an attack is detected, multiple actions can be performed. For instance, for a given flow or physical port, the identified attacker traffic can be redirected to a fictional destination network (a ghost network), leading the attacker to believe the attack is taking effect, or it can simply be dropped. In both cases the DoS attack on the web server is mitigated.
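As an added illustration of the detection step described above (example code, not Novabase's sensor application), the following Python takes constructed per-flow OpenFlow counter snapshots, derives packet rate and mean packet size per polling interval, and applies a rank-sum (Mann-Whitney) test, one nonparametric hypothesis test of the kind the article refers to, to flag a shift matching the SYN-flood profile described above; the snapshot values, the 10 s polling interval and the window sizes are assumptions.

```python
import math

# Constructed sample, not controller output: cumulative packet and byte
# counters of one OpenFlow flow entry (match: dst = web server, tcp/80),
# read from the controller every 10 s.
INTERVAL_S = 10
SNAPSHOTS = [
    (0, 0), (120, 84000), (250, 170000), (370, 262000), (500, 345000),
    (610, 428000), (740, 520000),            # ~12 pkt/s, ~700-byte packets
    (3740, 680000), (6740, 840000), (9740, 1000000), (12740, 1160000),
    (15740, 1320000),                        # ~300 pkt/s, ~53-byte packets
]
ALPHA_Z = 1.96   # two-sided 5% threshold on the normal approximation


def interval_features(snapshots, interval_s=INTERVAL_S):
    """Per-interval (packet rate, mean packet size) from cumulative counters."""
    feats = []
    for (p0, b0), (p1, b1) in zip(snapshots, snapshots[1:]):
        dp, db = p1 - p0, b1 - b0
        feats.append((dp / interval_s, db / dp if dp else 0.0))
    return feats


def rank_sum_z(a, b):
    """Mann-Whitney/Wilcoxon rank-sum test as a z-score (normal approximation,
    average ranks for ties). |z| >= 1.96 rejects 'same distribution' at 5%."""
    vals = sorted([(v, 0) for v in a] + [(v, 1) for v in b])
    ranks, i = [0.0] * len(vals), 0
    while i < len(vals):
        j = i
        while j + 1 < len(vals) and vals[j + 1][0] == vals[i][0]:
            j += 1
        for k in range(i, j + 1):
            ranks[k] = (i + j) / 2 + 1      # 1-based average rank of the tie run
        i = j + 1
    n_a, n_b = len(a), len(b)
    r_a = sum(r for r, (_, g) in zip(ranks, vals) if g == 0)
    u = r_a - n_a * (n_a + 1) / 2
    return (u - n_a * n_b / 2) / math.sqrt(n_a * n_b * (n_a + n_b + 1) / 12)


def detect_change(feats, baseline_n=6):
    """Compare the baseline window with every later interval; flag a possible
    DoS only when packet rate rises AND packet size drops significantly."""
    base, recent = feats[:baseline_n], feats[baseline_n:]
    z_rate = rank_sum_z([f[0] for f in base], [f[0] for f in recent])
    z_size = rank_sum_z([f[1] for f in base], [f[1] for f in recent])
    alert = z_rate <= -ALPHA_Z and z_size >= ALPHA_Z
    return alert, round(z_rate, 2), round(z_size, 2)


if __name__ == "__main__":
    print(detect_change(interval_features(SNAPSHOTS)))
```

Requiring both indicators to shift in the expected direction is what keeps a plain traffic surge of normal-sized packets from raising the alert; the flow-duration counter the article also mentions could be added as a third condition in the same way.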