Safeguard: Security Controls at the Software Defined Network Layer
Yi Lyu, Shichun Yu, Joe Catudal

TL;DR
Safeguard introduces a rule-based policy layer in software defined networks to prevent unintended security responses caused by over-correction in data-driven policies, enhancing network security reliability.
Contribution
The paper proposes a novel rule-based policy framework that overlays data-driven policies to improve security control accuracy in SDN environments.
Findings
Implemented a network traffic classifier enforcing firewall rules.
Demonstrated the importance of additional rulesets for known-good traffic.
Showed how Safeguard prevents unintended responses in network security.
Abstract
Improvements in software defined networking allow for policy to be informed and modified by data-driven applications that can adjust policy to accommodate fluctuating requirements at line speed. However, there is some concern that over-correction can occur and cause unintended consequences depending on the data received. This is particularly problematic for network security features, such as machine-learning intrusion detection systems. We present Safeguard, a rule-based policy that overlaps a data-driven policy to prevent unintended responses for edge cases in network traffic. We develop a reference implementation of a network traffic classifier that enforces firewall rules for malicious traffic, and show how additional rulesets to allow known-good traffic are essential in utilizing a data-driven network policy.
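The overlay the abstract describes, a rule-based allow policy that sits on top of a data-driven classifier so that known-good traffic is never dropped by an over-corrected model verdict, is sketched below as an added example. This is not the paper's reference implementation: the flow fields, the threshold-based stand-in for the classifier, the allowlist entries and the OpenFlow-like rule dictionary are all assumptions constructed for illustration.

```python
"""Added example of a Safeguard-style policy layer (assumed design, not the paper's code)."""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Flow:
    """Minimal flow record; field set is an assumption for this example."""
    src: str          # source IPv4 address
    dst: str          # destination IPv4 address
    dst_port: int
    proto: str        # "tcp" or "udp"
    pkts_per_sec: float


# Constructed allowlist of known-good traffic (hypothetical networks and services).
KNOWN_GOOD_RULES = [
    {"src": "10.0.0.0/8",    "dst_port": 53,  "proto": "udp", "why": "internal resolver traffic"},
    {"src": "10.0.5.0/24",   "dst_port": 443, "proto": "tcp", "why": "monitoring probes"},
]

RATE_THRESHOLD = 500.0  # stand-in decision boundary for the data-driven classifier


def data_driven_verdict(flow: Flow) -> str:
    """Stand-in for the ML traffic classifier: a single rate threshold.

    A real classifier would be far richer, but the failure mode is the same:
    a burst of legitimate traffic can cross the boundary and be flagged.
    """
    return "malicious" if flow.pkts_per_sec > RATE_THRESHOLD else "benign"


def rule_matches(rule: dict, flow: Flow) -> bool:
    """Exact match on port/protocol plus CIDR containment on the source address."""
    return (
        ipaddress.ip_address(flow.src) in ipaddress.ip_network(rule["src"])
        and flow.dst_port == rule["dst_port"]
        and flow.proto == rule["proto"]
    )


def safeguard_decision(flow: Flow, rules=KNOWN_GOOD_RULES) -> dict:
    """Combine the data-driven verdict with the rule-based overlay.

    The overlay only ever relaxes a drop into an allow for traffic that matches
    a known-good rule; it never turns a benign verdict into a drop, and it
    records which layer made the final call so overrides are auditable.
    """
    verdict = data_driven_verdict(flow)
    if verdict == "benign":
        return {"action": "allow", "decided_by": "classifier", "ml_verdict": verdict, "rule": None}
    for rule in rules:
        if rule_matches(rule, flow):
            return {"action": "allow", "decided_by": "safeguard", "ml_verdict": verdict, "rule": rule["why"]}
    return {"action": "drop", "decided_by": "classifier", "ml_verdict": verdict, "rule": None}


def to_flow_rule(flow: Flow, decision: dict) -> dict:
    """Render the decision as an OpenFlow-like match/action entry (shape is an assumption)."""
    return {
        "match": {"ipv4_src": flow.src, "ipv4_dst": flow.dst,
                  "ip_proto": flow.proto, "tp_dst": flow.dst_port},
        "actions": [] if decision["action"] == "drop" else ["output:normal"],
        "priority": 200 if decision["decided_by"] == "safeguard" else 100,
    }


if __name__ == "__main__":
    # Constructed sample flows: a DNS burst from inside, a DNS burst from outside, and quiet web traffic.
    samples = [
        Flow("10.0.0.7", "10.0.0.2", 53, "udp", 900.0),
        Flow("192.0.2.9", "10.0.0.2", 53, "udp", 900.0),
        Flow("192.0.2.9", "10.0.0.2", 80, "tcp", 10.0),
    ]
    for f in samples:
        d = safeguard_decision(f)
        print(f.src, "->", f.dst, f.dst_port, f.proto, "|", d["action"], "by", d["decided_by"], "|", to_flow_rule(f, d))
```

Two design points worth noting: the overlay is monotone (it can only prevent a drop, never create one), so adding rules cannot make the network more restrictive than the classifier alone, and every override carries the matched rule's reason so an operator can see why the model's verdict was not enforced.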
Taxonomy
Topics: Software-Defined Networks and 5G · Network Packet Processing and Optimization · Internet Traffic Analysis and Secure E-voting
