Could Network View Inconsistency Affect Virtualized Network Security Functions?
Mohamed Aslan, Ashraf Matrawy

TL;DR
This paper investigates how outdated network views in SDN controllers can negatively affect the performance of virtualized network security functions, specifically IDS, during DDoS and TCP SYN flood attacks.
Contribution
It studies the impact of network view inconsistency on IDS performance, focusing on controller state distribution and network state collection in security scenarios.
Findings
Outdated network views reduce IDS anomaly detection accuracy.
Controller state distribution impacts IDS performance during DDoS attacks.
Network state collection affects IDS detection during TCP SYN flood attacks.
Abstract
With SDN increasingly becoming an enabling technology for NFV in the cloud, many virtualized network functions need to monitor the network state in order to function properly. An outdated network view at the controllers can impact the performance of those virtualized network functions. In earlier work, we identified two main factors contributing to an outdated network view in the case of a load-balancer: network state collection and controllers' state distribution. In this paper, we anticipate that the impact might be different in the case of security functions. Therefore, we study the impact of an outdated network view on an anomaly-based IDS application. In particular, we investigate: (1) the impact of controllers' state distribution on the performance of a distributed IDS in the case of a DDoS attack; and (2) the impact of network state collection on the performance of an IDS in the case…
