{"title":"FloRa: Flow Table Low-Rate Overflow Reconnaissance and Detection in SDN","authors":"Ankur Mudgal;Abhishek Verma;Munesh Singh;Kshira Sagar Sahoo;Erik Elmroth;Monowar Bhuyan","doi":"10.1109/TNSM.2024.3446178","DOIUrl":null,"url":null,"abstract":"SDN has evolved to revolutionize next-generation networks, offering programmability for on-the-fly service provisioning, primarily supported by the OpenFlow (OF) protocol. The limited storage capacity of Ternary Content Addressable Memory (TCAM) for storing flow tables in OF switches introduces vulnerabilities, notably the Low-Rate Flow Table Overflow (LOFT) attacks. LOFT exploits the flow table’s storage capacity by occupying a substantial amount of space with malicious flow, leading to a gradual degradation in the flow-forwarding performance of OF switches. To mitigate this threat, we propose FloRa, a machine learning-based solution designed for monitoring and detecting LOFT attacks in SDN. FloRa continuously examines and determines the status of the flow table by closely examining the features of the flow table entries. When suspicious activity is identified, FloRa promptly activates the machine-learning based detection module. The module monitors flow properties, identifies malicious flows, and blacklists them, facilitating their eviction from the flow table. Incorporating novel features such as Packet Arrival Frequency, Content Relevance Score, and Possible Spoofed IP along with Cat Boost employed as the attack detection method. The proposed method reduces CPU overhead, memory overhead, and classification latency significantly and achieves a detection accuracy of 99.49% which is more than the state-of-the-art methods to the best of our knowledge. This approach not only protects the integrity of the flow tables but also guarantees the uninterrupted flow of legitimate traffic. Experimental results indicate the effectiveness of FloRa in LOFT attack detection, ensuring uninterrupted data forwarding and continuous availability of flow table resources in SDN.","PeriodicalId":13423,"journal":{"name":"IEEE Transactions on Network and Service Management","volume":"21 6","pages":"6670-6683"},"PeriodicalIF":4.7000,"publicationDate":"2024-08-20","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"IEEE Transactions on Network and Service Management","FirstCategoryId":"94","ListUrlMain":"https://ieeexplore.ieee.org/document/10640115/","RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}
引用次数: 0
Abstract
SDN has evolved to revolutionize next-generation networks, offering programmability for on-the-fly service provisioning, primarily supported by the OpenFlow (OF) protocol. The limited storage capacity of Ternary Content Addressable Memory (TCAM) for storing flow tables in OF switches introduces vulnerabilities, notably the Low-Rate Flow Table Overflow (LOFT) attacks. LOFT exploits the flow table’s storage capacity by occupying a substantial amount of space with malicious flow, leading to a gradual degradation in the flow-forwarding performance of OF switches. To mitigate this threat, we propose FloRa, a machine learning-based solution designed for monitoring and detecting LOFT attacks in SDN. FloRa continuously examines and determines the status of the flow table by closely examining the features of the flow table entries. When suspicious activity is identified, FloRa promptly activates the machine-learning based detection module. The module monitors flow properties, identifies malicious flows, and blacklists them, facilitating their eviction from the flow table. Incorporating novel features such as Packet Arrival Frequency, Content Relevance Score, and Possible Spoofed IP along with Cat Boost employed as the attack detection method. The proposed method reduces CPU overhead, memory overhead, and classification latency significantly and achieves a detection accuracy of 99.49% which is more than the state-of-the-art methods to the best of our knowledge. This approach not only protects the integrity of the flow tables but also guarantees the uninterrupted flow of legitimate traffic. Experimental results indicate the effectiveness of FloRa in LOFT attack detection, ensuring uninterrupted data forwarding and continuous availability of flow table resources in SDN.
期刊介绍:
IEEE Transactions on Network and Service Management will publish (online only) peerreviewed archival quality papers that advance the state-of-the-art and practical applications of network and service management. Theoretical research contributions (presenting new concepts and techniques) and applied contributions (reporting on experiences and experiments with actual systems) will be encouraged. These transactions will focus on the key technical issues related to: Management Models, Architectures and Frameworks; Service Provisioning, Reliability and Quality Assurance; Management Functions; Enabling Technologies; Information and Communication Models; Policies; Applications and Case Studies; Emerging Technologies and Standards.