Table of Contents
Fetching ...

Safeguard: Security Controls at the Software Defined Network Layer

Yi Lyu, Shichun Yu, Joe Catudal

TL;DR

This work tackles the risk that data-driven SDN policies may overreact to edge-case traffic, potentially degrading security. It introduces Safeguard, a rule-based overlay that mitigates over-correction by overlapping with data-driven policies and a reference implementation combining a traffic classifier with firewall-rule enforcement. The system architecture comprises a CloudLab-based SDN topology, a DDoS attack demonstration, and an intelligence layer that applies Safeguard rules to influence controller policy in real-time. Experimental results show that incorporating Safeguard reduces false positives by excluding known-good traffic from adjudication, offering a practical path toward safer, adaptable SDN security policies.

Abstract

Improvements in software defined networking allow for policy to be informed and modified by data-driven applications that can adjust policy to accommodate fluctuating requirements at line speed. However, there is some concern that over-correction can occur and cause unintended consequences depending on the data received. This is particularly problematic for network security features, such as machine-learning intrusion detection systems. We present Safeguard, a rule-based policy that overlaps a data-driven policy to prevent unintended responses for edge cases in network traffic. We develop a reference implementation of a network traffic classifier that enforces firewall rules for malicious traffic, and show how additional rulesets to allow known-good traffic are essential in utilizing a data-driven network policy.

Safeguard: Security Controls at the Software Defined Network Layer

TL;DR

This work tackles the risk that data-driven SDN policies may overreact to edge-case traffic, potentially degrading security. It introduces Safeguard, a rule-based overlay that mitigates over-correction by overlapping with data-driven policies and a reference implementation combining a traffic classifier with firewall-rule enforcement. The system architecture comprises a CloudLab-based SDN topology, a DDoS attack demonstration, and an intelligence layer that applies Safeguard rules to influence controller policy in real-time. Experimental results show that incorporating Safeguard reduces false positives by excluding known-good traffic from adjudication, offering a practical path toward safer, adaptable SDN security policies.

Abstract

Improvements in software defined networking allow for policy to be informed and modified by data-driven applications that can adjust policy to accommodate fluctuating requirements at line speed. However, there is some concern that over-correction can occur and cause unintended consequences depending on the data received. This is particularly problematic for network security features, such as machine-learning intrusion detection systems. We present Safeguard, a rule-based policy that overlaps a data-driven policy to prevent unintended responses for edge cases in network traffic. We develop a reference implementation of a network traffic classifier that enforces firewall rules for malicious traffic, and show how additional rulesets to allow known-good traffic are essential in utilizing a data-driven network policy.
Paper Structure (10 sections, 4 figures)

This paper contains 10 sections, 4 figures.

Figures (4)

  • Figure 1: Overall System Architecture
  • Figure 2: Experiment Environment overview
  • Figure 3: Threat Model
  • Figure 4: Results of Intelligence Layer with and without Safeguard rules.