Edge-Computing with Graph Computation: A Novel Mechanism to Handle Network Intrusion and Address Spoofing in SDN

摘要

Software Defined Networking (SDN) being an emerging network control model is widely recognized as a control and management platform. This model provides efficient techniques to control and manage the enterprise network. Another emerging paradigm is edge computing in which data processing is performed at the edges of the network instead of a central controller. This data processing at the edge nodes reduces the latency and bandwidth requirements. In SDN, the controller is a single point of failure. Several security issues related to the traditional network can be solved by using SDN central management and control. Address Spoofing and Network Intrusion are the most common attacks. These attacks severely degrade performance and security. We propose an edge computing-based mechanism that automatically detects and mitigates those attacks. In this mechanism, an edge system gets the network topology from the controller and the Address Resolution Protocol (ARP) traffic is directed to it for further analysis. As such, the controller is saved from unnecessary processing related to addressing translation. We propose a graph computation based method to identify the location of an attacker or intruder by implementing a graph difference method. By using the correct location information, the exact attacker or intruder is blocked, while the legitimate users get access to the network resources. The proposed mechanism is evaluated in a Mininet simulator and a POX controller. The results show that it improves system performance in terms of attack mitigation time, attack detection time, and bandwidth requirements.