A Study of Basic Architecture for Big-Data Security Analysis in SDN Environment

Transcription

1 Int'l Conf. Security and Management SAM' A Study of Basic Architecture for Big-Data Security Analysis in SDN Environment Seong-Ho Choi 1,Jun-Sub Kim 2, and Jin Kwak 3 1 ISAA Lab., Department of Information and Computer Engineering, Ajou University, Suwon, Korea 2 IT Convergence Research Institute, Sungkyunkwan University, Suwon, Korea 3 Department of Information and Computer Engineering, Ajou University, Suwon, Korea Abstract - The first purpose of our project is to find a way to reduce overhead for big-data security analysis in an SDN environment. The second purpose of our project is to support a multi-sdn environment. The SDN is a technology that enables users to control networks by software. Accordingly, the security services would be provided by security software of the SDN controller. However, the process of data analysis for a network security service can generate a large overhead. In addition, big-data security analysis requires more data. This problem such as large overhead and suspension of control systems can arise. Therefore, we need an architecture to reduce the overhead in the controller system. In this study, the architecture is based on a distributed system. It operates on the basis of a virtualization OS. As a result, the architecture uses a disjunct system that consists of control system and data analysis areas. This concept can be developed into a cloud environment, and multiple controllers can be installed and used. A test for the architecture is carried out by a simulation on the basis of the distribution system architecture. We built a distributed system based on KVM, and we was each configure for System of Security, Hadoop, control. As a result, we could reduce the overhead in the control system area. In addition, we could add a new SDN controller. Keywords: Distributed System, Virtualization, Cloud, Big- Data Security Analysis, Security Service, SDN 1. Introduction The number of network devices is growing rapidly. Accordingly, SDN technology is drawing more attention than ever as a means of mitigating problems caused by variable traffic from by diverse types of packet and network environments. SDN is technology that controls the network by using software, it is a concept that separates the control plane from the transport plane. By using this information, software in the control area enables users to configure various networking movements, simplify complex network environment, and manage variable traffic and diverse types of packets efficiently [1-4]. Recently, there is a trend of more security threats as the number of network-connected devices increases. Security threats is evolve through diverse environments. It problem will be limiting the signature based security operation service. Currently, security operation services detect security threats by filtering the signature. However, detecting the attack from a non-registered signature is difficult. This problem can be resolved with big-data security analysis, which provides functions to collect various service and security event logs generated from the network, and discover symptoms by a correlation analysis of collected data. In an SDN environment, where users can control a network with software, the security service provided by an existing security device can be configured as software. This characteristic makes it possible to provide a security service such as IDS/IPS, implement a software firewall, form special systems, and execute big-data security analysis. However, overhead interruption can occur during the data analysis for the security service and the big-data security analysis. The overhead causes a system load for the network controller that results in system suspension. Therefore, we must be Study for decrease to overhead. In this paper, we study a basic Architecture to distributed system for decreased overhead. This paper is organized as follows. In Section 2, we study for distributed SDN, and Big-data Security Analysis. In Section 3, we studied the basic architecture for Big Data security analysis. Section 4 shows the results of the implementation and testing of the architecture. Our conclusions are presented in Section Background Study 2.1. Distributed Security in SDN An SDN environment is a next-generation network technology in which a network can be controlled by software. A security service provided by existing security devices can be configured as software by this technology and the security policy on a network device connected with a controller is applicable [5-8]. s in an SDN environment can provide security service after collecting and analyzing the packets flowing through the network. However, a large overhead against the controller can occur during the process of data collection and analysis. The solution to this problem is to convert the controller system into a distribution system [9-12]. When the controller system is converted into a distribution system, users can protect the control function from the overhead by distinguishing the core area, which controls the

2 138 Int'l Conf. Security and Management SAM'15 network directly, from the analysis area. Table I shows the result of the provision of the security service to the network through the controller after simple realization of IDS and the comparison between the share of CPU and that of memory. The test is executed with the normal application model applied by a distribution environment, which is configured with a simple IDS module from the controller system [13-16]. Consequently, a high share has been recorded from the IDS, which operates in the single controller system and a significantly low share has been shown when operated as a system in a distributed environment. In conclusion, it is more efficient to provide service within the distributed environment to supply security service in the SDN environment. Attack name SYN Flooding TABLE I. RESULTS OF PERFORMANCE ANALYSIS Switch HOST Single CPU Shared 2.2. Big-Data Security Analysis Distributed CPU Shared % 1.0% % 1.4% % 2.3% Big-data security analysis is a technology that can overcome the limits of existing network security analysis. Various solutions including SIEM are in use and are considered important in overcoming the flows of existing network security technology [17-20]. A summary of big-data security analyses is shown in Figure 1. The big-data security analysis model detects symptoms through the collection of network control and security devices, log data such as the server, and then through a correlation analysis engine. This provides the functions to discover symptoms from an undetected cyber-attack in the security equipment. Therefore, the big-data security analysis platform will be an essential factor in future security monitoring and control systems. 3. Architecture of the Prototype This paper discusses how to implement the big-data security analysis in an SDN environment. The architecture can execute big-data security analysis and the security service for the device connected with the network through the controller. The controller is essentially an important system that controls the network. Therefore, the overhead in the controller should not increase during the security analysis process. The previous study reached a conclusion, after realizing the simple IDS in the controller, that the CPU and memory use increase rapidly when analyzing in the single controller. Problems such as system interruption can occur if an analysis system is applied that deals with a large amount of security data. Therefore, a distributed system is needed to minimize the negative effect on the controller system when analyzing data for security. This study hereafter focuses on the core controller system, which controls the network by configured controller system in a distributed environment, and on decreasing the overhead generated from it. The architecture of the prototype is as follows Architecture of Prototype In this research, the controller system is configured with a distributed environment by a simple method derived from advanced research. The architecture is composed of a network control area, and the normal security service area, such as the IPS/IDS, firewall, and big-data security analysis area. See Fig. 2 for the architecture. An explanation for each system area follows. Fig. 1. Big-Data Security Analysis System Control area This system is a core function of the controller and it provides network device management, host management, and various network services. It can be considered as a normal controller environment that controls connected network resources. Security service area The security service area forms a system by using the RPC protocol to minimize the effect on the core controller. The security service, which is executed in the form of an application, records the security events in a log after analyzing packets for the network.

3 Int'l Conf. Security and Management SAM' Big-data security analysis area The big-data security analysis area conducts correlation analysis with the collected data generated from the core controller system and the security event log information recorded in the distributed application system area. This area is managed separately from the controller because it is an environment that can be applied in the network environment, where single controllers and controllers connected with multiple domains control the network. The controllers connected with multiple domains may need to share the outcomes with the big-data security analysis system area. This architecture provide multi SDN environment. Just we will the connected other with This architecture. Fig. 3. Multi SDN Environment Fig. 2. Architecture of Prototype 3.2. Multi-SDN Environment A multi-sdn can provide an environment with which it is possible to execute big-data security analysis by using the prototype architecture. It can also collect data needed for the big-data security analysis by gathering a log for each network by using the controllers in a multi-domain environment. It helps to increase the accuracy of the anticipation of possible attacks by collecting data to detect symptoms more efficiently. This means that users can transform the big-data security analysis system into a server and form it as a single data center in the prototype architecture. The controller can remotely connect from the OFswitch for network control. Another approach is that the controller system may be connected to a remote server with big-data security analysis. However, we need more research for effective measures. See Fig. 3 for the implementation of big-data security in the environment composed of a multi-sdn controller. 4. Implementation This section describes tests carried out on the basis of the architecture introduced in Section 3. It presumes that the security service operates well and that log data for various network services from the controller system can be collected; it also illustrates the process of detecting symptoms by transmitting data generated from the SDN controller to the big-data security analysis server. An overload test for the controller system and the analysis of CPU and memory share are included in the process. An SDN environment forms the status in which an SDN controller-based network environment and interhost correspondence are available. It shows the procedure of a SYN flooding attack from host A to host B and collects event log data about the attack. It also generates massive data to show the process of producing log data in the controller and functions as a data transmitter to the security analysis server. The big-data security analysis server collects security event logs and massive files and is saved as a log file in the non-relational database. Big-data security analysis is a condition precedent TEST The test realizes each system as a virtual environment. We realize each system in the architecture on virtualization. We used KVM technology for this environment [21-24]. The core control system and security analyzer system are configured in VM instances on the Hadoop file system for big-data analysis. In addition, we configure Mininet from the Hadoop system, and mininet is connecting the core control system of VM instance environment from Hadoop. We used network bridge technology in this architecture. Next, we obtained the result of the SYN flooding attack and log file for the network service from the Hadoop file system. In addition, we checked the CPU and memory share. The realized function is for checking the effect of the overhead from the controller system.

4 140 Int'l Conf. Security and Management SAM' % 10.3% 5.2% 10.5% % 10.8% 6.1% 10.7% 4 8.0% 11.2% 6.3% 10.7% % 12.3% 6.5% 10.8% Figs. 5 and 6 graphically depict the change in usage. Fig. 4. Test Environment See Fig. 4 for the network structure. This Result is CPU and memory usage from the core control system. After setting up the test environment as seen in Fig 4, we generated a large amount of log data as more network devices were connected to the controller, and then proceeded to test the CPU and memory share while sending the log data to the big-data security analysis server. The comparison target is the result of CPU and memory, which provide a single system security service. See Table II for the test results. This result is CPU and memory usage from the core control system. Fig. 5. Cpu Usage TABLE II. RESULT OF PERFORMANCE Switch Host Single System Distributed System CPU Mem CPU Mem % 8.0% 4.0% 9.2% 4 2.6% 7.8% 4.5% 9.3% 8 4.2% 7.7% 4.7% 9.3% 1 3.0% 9.9% 4.8% 10.1% 4 5.3% 10.2% 5.0% 10.1% Fig. 6. Memory Usage We were observe that when the Data analysis function is executed. Single System is CPU usage amount increase that if the number of switches and hosts increases, or if the

5 Int'l Conf. Security and Management SAM' Submit a lot of data. But, Distributed System is CPU usage the little increases. We reached the conclusion that forming an individual service system with a distributed system and running it helped to reduce the overhead. 5. Conclusion In this paper, we carried out a study of an architecture for implementing big-data security analysis in an SDN environment. We studied the architecture for the distributed system environment. In addition, we studied a multi-sdn environment for services provided by the big-data security analysis system. We formulated the control system as a distributed system to reduce the overhead generated from the big-data security analysis, and showed the possibility through simulation testing. Security service and big-data security analysis functions were not formulated in the simulation test. Nonetheless, we succeeded in reducing the overhead from the control system by handling the overhead with the distributed system. Even though the individual security service and bigdata security analysis system were formed, possible problems were removed by minimizing the overhead on the control area system. However, the security service system and the big-data security analysis system should be formed with a high quality system that is dependent on the number of connected network devices. This paper, in its initial procedure, would not provide significant help to the industry, but it suggests a method for reducing big-data analysis overhead. We hope that further study on this subject will enable a stable big-data security analysis through the expansion and verification of the architecture. 6. Acknowledgment This work was supported by the ICT R&D program of MSIP/IITP, Republic of Korea. [ , Development of Mobile S/W Security Testing Tools for Detecting New Vulnerabilities of Android] 7. References [1] Yu, J. H., Kim, W. S. and Yun C. H., A Technical Trend and Prospect of Software Defined Network and OpenFlow, KNOM Review, , [2] Lantz, Bob, Brandon Heller, and Nick McKeown, A network in a laptop: rapid prototyping for software-defined networks, Proceedings of the 9th ACM SIGCOMM Workshop on Hot Topics in Networks. ACM, [3] Handigol, Nikhil, et al., Where is the debugger for my software-defined network?, Proceedings of the first workshop on Hot topics in software defined networks. ACM, [4] ONF, Software-Defined Networking: The New Norm for Networks, ONF White Paper, 4 (2012), [5] Kim, H. and Feamster, N., Improving Network Management with Software Defined Networking, Communications Magazine, IEEE, 51 (2013), [6] Fernando, N. N. Farias, Joao J. Salvatti, Eduardo Cerqueira, and Antonio Jorge Gomes Abelem, Management of the Existing Network Environment Using Openflow Control Plane, IEEE NOMS, 2012, [7] Oueslati, S. and Roberts, J., A New Direction for Quality of Service:Flow-aware Networking, In Proc. NGI, 2014, [8] Hata, H., A Study of Requirements for SDN Switch Platform, ISPACS 2013, 2013, [9] Dixit, Advait, et al., Towards an elastic distributed SDN controller, ACM SIGCOMM Computer Communication Review. Vol. 43. No. 4. ACM, [10] Schmid, Stefan, and Jukka Suomela, Exploiting locality in distributed sdn control, Proceedings of the second ACM SIGCOMM workshop on Hot topics in software defined networking. ACM, [11] Berde, Pankaj, et al., ONOS: towards an open, distributed SDN OS. Proceedings of the third workshop on Hot topics in software defined networking. ACM, 2014 [12] Phemius, Kévin, Mathieu Bouet, and Jérémie Leguay. Disco: Distributed multi-domain sdn controllers, Network Operations and Management Symposium (NOMS), 2014 IEEE. IEEE, [13] Gupta, P., SS-IDS: Statistical Signature Based IDS, ICIW 09, 2009, [14] Ozgur Depren, Murat Topallar, Emin Anarim, M. Kemal Ciliz, An intelligent intrusion detection system (IDS) for anomaly and misuse detection in computer networks, Expert Systems with Applications, November,2005, [15] S. Staniford-Chen, S. Cheung, R. Crawford, M. Dilger, J. Frank, J. Hoagland, K. Levitt, C. Wee, R. Yip, D. Zerkle, Gr., IDS-A GRAPH BASED INTRUSION DETECTION SYSTEM FOR LARGE NETWORKS, NISSC 96, 1996, [16] Weijian Huang, YanAn, Wei Du, A Multi-Agent-Based Distributed Intrusion Detection System, ICACTE,2010 3rd International Conference on, 2010, [17] Wang, Guohui, T. S. Ng, and Anees Shaikh, Programming your network at run-time for big data applications, Proceedings of the first workshop on Hot topics in software defined networks. ACM, [18] Qin, Peng, et al., Bandwidth-Aware Scheduling with SDN in Hadoop: A New Trend for Big Data, arxiv preprint arxiv: (2014). [19] Tankard, Colin. "Big data security." Network security (2012): 5-8. [20] Bhatti, Rafae, et al., Emerging trends around big data analytics and security: panel. Proceedings of the 17th ACM symposium on Access Control Models and Technologies. ACM, [21] Jain, Raj, and Subharthi Paul., Network virtualization and software defined networking for cloud computing: a survey, Communications Magazine, IEEE51.11 (2013): [22] Lin, Pingping, Jun Bi, and Hongyu Hu., VCP: A virtualization cloud platform for SDN intra-domain production network, Network Protocols (ICNP), th IEEE International Conference on. IEEE, [23] Habib, Irfan. "Virtualization with kvm." Linux Journal (2008): 8. [24] Kivity, Avi, et al., kvm: the Linux virtual machine monitor, Proceedings of the Linux Symposium. Vol