Defending Against New-Flow Attack in SDN-Based Internet of Things
Article in IEEE Access · February 2017
DOI: 10.1109/ACCESS.2017.2666270


This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2017.2666270, IEEE Access


Defending against New-flow Attack in SDN-based Internet of Things


Tong Xu, Deyun Gao, Ping Dong, Hongke Zhang, Chuan Heng Foh, Han-Chieh Chao

Recently, the Internet of Things (IoT) has been attracting significant attention from both academia and industry. To connect the huge number of IoT devices effectively, software-defined networking (SDN) is considered a promising way because of its centralized network management and programmable routing logic. However, due to the limited resources in both the data plane and the control plane, SDN is vulnerable to the new-flow attack, which can disable the SDN-based IoT by exhausting the switches or the controller. Therefore, in this paper, we propose a smart security mechanism (SSM) to defend against the new-flow attack. SSM uses the standard southbound and northbound interfaces of SDN, and it includes a low cost method that monitors the new-flow attack by reusing the asynchronous messages on the control link. The monitoring method can differentiate the new-flow attack from a normal flow burst by checking the hit rate of the flow entries. Based on the monitoring result, SSM uses a dynamic access control method to mitigate the new-flow attack by perceiving the behavior of the security middleware in the IoT. The dynamic access control method can intercept the attack flows at their access switch. Extensive simulations and testbed-based experiments are conducted, and the corresponding results verify the feasibility of our claims.

Index Terms—Internet of Things, Software-defined networking, OpenFlow, Communication system security, New-flow attack.

I. INTRODUCTION

The Internet of Things (IoT) is considered one future networking paradigm because of its promise that people and things can be connected at any time and any place. To fulfill this promise, heterogeneous communication technologies such as wireless sensor networks (WSNs), radio frequency identification (RFID), and machine-to-machine (M2M) communication are integrated in the IoT [1]. As a result, many more users with different service requirements are connected to the forwarding devices in the public network, which makes traditional IP networking unsuitable for the variety of IoT scenarios. To connect IoT scenarios effectively, different communication protocols have been proposed at the physical and network layers [2-4]. However, because traditional IP networking is vendor-driven, these proposals are not widely deployed.

Recently, software-defined networking (SDN) has provided a new way to realize the idea of the IoT. The main difference between SDN and traditional IP networking is the decoupling of the data plane and the control plane [5]. In the SDN architecture, the control logic is decoupled from the underlying switches and centralized in the network controller. Therefore, the switches are freed from routing calculation and focus on packet forwarding, while the controller can decide the routing path of a flow according to its communication context. That makes SDN custom-driven and gives it a great advantage in routing and management for the huge number of devices in the IoT [6].

Motivated by this advantage, many studies [7-11] try to improve the IoT using the SDN architecture. In Fig. 1, we summarize the differences between the legacy IoT and the software-defined IoT. In the SDN-based IoT, the SDN architecture serves as a bridge between the IoT communication scenario and the middleware. The IoT participants can send packets directly to the SDN-enabled switch instead of sending them to a specific IoT gateway. Moreover, the SDN architecture supports fine-grained flow classification and flexible routing management. With highly customized routing logic programmed as applications in the SDN architecture, the data from various IoT communication scenarios can be guided easily and in an orderly manner to the server or middleware.

Fig. 1. The paradigms of the legacy IoT and the software-defined IoT. (Figure: both paradigms connect WSNs, RFID and M2M devices to the server/middleware; the legacy IoT through an IoT gateway, a Level 2 IoT switch and a Level 3 router, the software-defined IoT through an SDN-enabled switch under a controller.)

It should be noted that the flexible and effective SDN-based IoT also inherits the security issues of the SDN architecture. In the SDN routing system, the switches actively request the controller to assign routing rules and passively cache routing rules through the control link. However, the control link bandwidth

Tong Xu (e-mail: 14111037@[Link]), Deyun Gao (e-mail: gaody@[Link], Corresponding Author), Ping Dong (e-mail: pdong@[Link]) and Hongke Zhang (e-mail: hkzhang@[Link]) are with the National Engineering Laboratory for Next Generation Internet Interconnection Devices, School of Electronic and Information Engineering, Beijing Jiaotong University, Beijing 100044, China.
Chuan Heng Foh (e-mail: [Link]@[Link]) is with 5G-IC, Institute for Communication Systems, Department of Electrical and Electronic Engineering, University of Surrey, Surrey GU1 2UX, UK.
Han-Chieh Chao (e-mail: hcchao@[Link]) is with National Dong Hwa University, Taiwan.

2169-3536 (c) 2016 IEEE. Translations and content mining are permitted for academic research only. Personal use is also permitted, but republication/redistribution requires IEEE permission. See
[Link] for more information.

and the cache space that are regulated by the southbound interface (e.g., OpenFlow [12]) have been proved to be limited [13]. That provokes cyber attackers to find better ways to attack the public network, such as the infrastructure-layer DDoS attack [14], controller-switch communication flooding and switch flow table flooding attacks [15]. These cyber attacks can cut off the bridge between IoT devices and IoT servers in the SDN-based IoT [6].

We carefully studied this security issue of the SDN architecture and the corresponding suggestions. We believe that the aforementioned cyber attacks belong to the new-flow attack, because the attackers must send lots of unmatched packets to the SDN-enabled switch. These unmatched packets are treated as new flows by the SDN routing system and lead to a series of subsequent processes in both the data plane and the control plane [16, 17]. The attackers aim to exhaust either the SDN-enabled switch or the controller with intensive new flows. According to the valuable suggestions in [18], attack detection and access control are promising approaches to defend against such a new-flow attack that targets the data plane and the control plane.

In the literature, existing solutions [19-21] that detect attacks with the SDN architecture usually invoke a lot of controller-switch communication to acquire the network statistics, and they may aggravate the control link bandwidth consumption during the new-flow attack. Meanwhile, a few proposals [22, 23] rebuild the access control rules in the controller to intercept attack flows at the boundary switches of the SDN. Although these proposals intercept prescribed packets, they cannot adapt to constantly changing attack packets since they use static access control rules. Static access control rules are not effective when attack packets are disguised as various normal flows. Recently, powerful IoT security middleware has been considered a promising way to deal with suspicious flows [24, 25]. However, because of its physical location and the absence of a unified interface, it is hard for the security middleware to actively intercept the attack flows at their access switch.

Therefore, to defend against the new-flow attack with low cost monitoring and dynamic access control at the attackers' access switch, in this paper we propose a smart security mechanism (SSM). With SSM, the controller can detect the new-flow attack by reusing the standard asynchronous messages on the control link. Two specific traffic features are designed to monitor the new-flow attack. According to the monitoring results, SSM first redirects suspicious flows to the security middleware in the IoT, then it perceives the filtering results of the security middleware. Based on that, SSM assigns the access control rules that intercept the attack flows at their access switch in the SDN-based IoT.

With SSM, we established an executable and practical simulation environment to represent the SDN routing system. Extensive simulations and testbed-based experiments are conducted to evaluate the performance of SSM. The main contributions of this paper are summarized as follows.
• We prove that the limited resources in both the data plane and the control plane make SDN vulnerable to the new-flow attack, which can cut off the communication between IoT devices and IoT servers in the SDN-based IoT.
• We propose a smart security mechanism (SSM) to monitor and mitigate the new-flow attack using the standard southbound and northbound interfaces. SSM achieves low cost monitoring and makes the SDN controller aware of the filtering results of the security middleware in the SDN-based IoT.
• We conduct extensive simulations, and the corresponding results show that SSM achieves more than 85% precision and can intercept the attack flows dynamically at their access switch in the SDN-based IoT.
• We develop SSM as an application and test it in our testbed; the experimental results show that SSM is a practical solution to defend against the new-flow attack.

The rest of this paper is organized as follows. Section 2 summarizes the related work. In Section 3, we briefly review the preliminary knowledge of SDN and the OpenFlow protocol that we use in this paper. In Section 4, we propose the smart security mechanism to defend against the new-flow attack in the SDN-based IoT. Simulations and testbed-based experiments are presented in Section 5 and Section 6. Finally, we conclude this paper and discuss future work in Section 7.

II. RELATED WORK

Below we briefly summarize the recent security studies about both the SDN architecture and the IoT.

A. Securing the IoT with the SDN architecture

The combination of IoT and SDN brings a tremendous advantage in network resource visualization and network management simplification. As a result, many studies try to secure the IoT with the SDN architecture.

Chakrabarty et al. [26] express concern about the security functions provided by the existing IoT protocols. They propose Black SDN, an SDN-based architecture for secure IoT communication. In their proposal, both the packet header and the payload are encrypted. To forward the encrypted packets efficiently, they use the SDN controller as the trusted third party. They try to mitigate passive attacks, such as traffic analysis and inference attacks.

Bull et al. [27] summarise the security issues of both the IoT device and the IoT network. Based on their previous work [28], they propose a method to detect and mitigate anomalous behaviour at the SDN-based IoT gateway. By presetting flow entries in the SDN-based IoT gateway, they gather source and destination statistics of flows and classify the network state. In addition, three possible mitigation actions are prepared to deal with the detected anomalous behaviour.

Flauzac et al. [29] emphasize that the traditional ad hoc network lacks traffic monitoring and access control, due to the absence of network infrastructure. To this end, they propose an SDN-based IoT architecture. In their proposed architecture, each node in the ad hoc network is viewed as a combination of an SDN-enabled switch and a legacy host. Then they use security controllers to monitor traffic and execute security policies in the ad hoc network.


Sandor et al. [30] try to improve the resilience of IoT communication by using SDN's flexible routing feature. They assume that there are several redundant routers for the communication in IoT networks. When the original communication link is disabled by cyber attacks, they use the SDN controller to select a new link for the communication.

Choi et al. [31] present a secure SDN-based IoT framework, in which the SDN control plane is rebuilt to provide security services such as authentication/access control, IDS/IPS, and lightweight encryption. Based on that, they explain the working processes of these security services and evaluate their proposal under a SYN flooding attack.

B. Novel DoS Attacks Aiming at the SDN Architecture

A Denial of Service (DoS) attack is an attack with the purpose of preventing legitimate users from using a specified network resource [32]. Unlike traditional DoS attacks that target specific hosts, the novel DoS attacks aim to exhaust the network resources of the data plane and the control plane in the SDN architecture. This kind of attack threatens the working foundation of the SDN architecture. Therefore, many studies try to discuss and defend against the novel DoS attacks in SDN.

Kandoi et al. [33] discuss the DoS attack on the control link bandwidth and the switch's flow table. They prove that the timeout value of flow entries and the control plane bandwidth affect the performance of such an attack. If they are not configured appropriately, SDN can be disabled by such an attack. They propose some possible mitigation strategies based on their simulations.

FlowRanger [34] tries to improve the controller performance when the controller is under attack. When the controller is busy processing the requests from the data plane, FlowRanger assigns priorities to the requests. A request from a user that has appeared many times during the normal condition (no sign of attacks) has a higher priority, and a request from a user that appears only during the attack has a lower priority. In this way, it improves the serving rate of the normal users' requests.

Mousavi et al. [35] show how the DoS attack exhausts controller resources and propose a solution to detect such an attack. They monitor the entropy features of the requests received by the controller. They assume that, when the attack flows use spoofed destination addresses, the randomness of flows and the entropy features decrease obviously. Their method aims to detect the attack within the first five hundred packets of the attack traffic.

Yu et al. [36] pay attention to the DoS attack on the OpenFlow-enabled switch. They propose a QoS-aware peer support strategy that integrates idle flow table resources to mitigate the flow table overloading attack. They try to make SDN more resistant to such an attack and avoid severe damage at the beginning of the attack.

Xu et al. [37] propose a detection method for the DoS attack on the controller by monitoring the low-traffic flows. The low-traffic flows have fewer packets than the normal flows and can lead to significant resource consumption in the control plane. Such an attack is detected by using the Sequential Probability Ratio Test (SPRT) to control the false negative and false positive error rates. However, the monitoring cost and the mitigation strategy are not well considered.

Therefore, in this paper, based on a careful study of the novel DoS attacks in SDN, we believe that the novel DoS attacks aiming at the data plane and the control plane of SDN essentially belong to the new-flow attack, and we propose a smart security mechanism (SSM) to defend against the new-flow attack.

III. PRELIMINARY KNOWLEDGE

In this section, we briefly review the working principle of SDN and the control link messages of the standard OpenFlow protocol that we use in this paper.

A. Working Principle of SDN

In the SDN paradigm, as shown in Fig. 2, the network architecture consists of three planes. The data plane is the bottom plane and is made up of SDN-enabled switches. When they receive new flows, the SDN-enabled switches send routing requests to the control plane instead of calculating routing rules by themselves. Then the control plane calculates paths for the requests and assigns the routing rules in compliance with the applications in the top application plane.

Fig. 2. The SDN architecture.

All the routing requests from the data plane and the switch configurations from the control plane are transmitted through the southbound interface; the corresponding messages on the control link are regulated by a southbound protocol such as OpenFlow. All the controller configurations are sent through the northbound interface; the corresponding messages are regulated by a northbound protocol such as REST [38].

B. OpenFlow Protocol

According to the OpenFlow specification [12], the control link messages mainly include the Asynchronous Messages and the Controller-to-Switch Messages. The Asynchronous Messages are used by the OpenFlow-enabled switches to notify the controller of a network event, such as flow arrival and flow termination. They are an inevitable control link cost for the SDN system. The Controller-to-Switch Messages are used by the


controller to configure the OpenFlow-enabled switches, such as installing flow entries and pulling statistics. It should be noted that an application must pay attention to its invocations of the Controller-to-Switch Messages, because the control link bandwidth is limited. Here we list the OpenFlow messages that our SSM mainly uses in this paper.

1) Packet-In Message

The Packet-In Message belongs to the Asynchronous Messages. When a switch receives a packet and cannot match it with any cached flow entry, the switch sends a Packet-In Message to the controller.

As shown in Fig. 3, we present a Packet-In Message captured in our testbed. We can see that the unmatched packet is encapsulated in the Packet-In Message and sent to the controller. The header of the packet carrying the Packet-In Message records the source address of the switch, and the payload of the Packet-In Message records the whole unmatched packet and its buffer information.

Fig. 3. The structure of Packet-In Message.

2) Flow Removed Message

The Flow Removed Message also belongs to the Asynchronous Messages. When a flow leaves a switch, the switch sends a Flow Removed Message to the controller.

According to the OpenFlow protocol, the statistics of the removed flow are sent to the controller in the corresponding fields of the Flow Removed Message. As shown in Fig. 4, we present a Flow Removed Message captured in our testbed. We can see that the flow duration field records the lifetime of the removed flow, and the packet count field records the number of packets of the removed flow. In addition, the reason field explains why the flow left the switch. When the reason field indicates an idle timeout, the flow entry was removed because no packet of that flow arrived for a certain length of time. For the other reasons, the flow entry was evicted actively, e.g., by the flow delete command shown in Fig. 4. (In OpenFlow 1.3 the reason field can also report a hard timeout or a group deletion; SSM treats every reason other than idle timeout alike. Note also that a switch only emits a Flow Removed Message for entries that were installed with the OFPFF_SEND_FLOW_REM flag set.)

Fig. 4. The structure of Flow Removed Message.

3) Multipart Messages

The Multipart Messages belong to the Controller-to-Switch Messages. They are designed to encode requests or replies that carry a large amount of data and cannot fit in a single OpenFlow message. The Multipart Messages are primarily used by the controller to gather statistics from the switches.

To maintain a global view of the data plane, the controller periodically gathers statistics from the switches using the Multipart Messages. As shown in Fig. 5, we present a series of Multipart Messages captured in our testbed and the flow table snapshot in the OpenDaylight [39] controller. We can see that these Multipart Messages are used to update the flow table statistics in the controller. In the flow table, each flow entry has its own match fields, counters, and actions. For example, the duration counter records the active time of the flow, and the packet counter records the number of packets matched by the flow. The match fields are used to differentiate each fine-grained flow.

Fig. 5. The structures of Multipart Messages and flow entry in the OpenDaylight controller.

IV. DEFEND AGAINST NEW-FLOW ATTACK IN SDN

In this section, we first explain the new-flow attack in SDN and show how to launch such an attack. Then, we propose our smart security mechanism to defend against the new-flow attack. SSM includes a low cost monitoring method and a dynamic access control method.

A. New-flow Attack in SDN

The new-flow attackers aim to inject lots of unmatched packets into the SDN-enabled switches. According to the working principle of SDN, these unmatched packets are treated as new flows. Therefore, these packets are encapsulated in Packet-In Messages and sent to the controller; the controller calculates the routing paths and sends Controller-to-Switch Messages to each switch on the paths to forward the new flows, i.e., to install flow entries.

To demonstrate that the SDN architecture is vulnerable to the new-flow attack, and to make our work practical and meaningful, we have conducted two experiments to illustrate the impact of the new-flow attack.
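Before turning to those experiments, the following Python is an added example (my code, not the paper's and not OpenDaylight's) that decodes the two asynchronous messages of Section III.B that SSM listens to, Packet-In and Flow Removed, at the OpenFlow 1.3 wire level, and builds both messages so they can be round-tripped. The field layouts follow the OpenFlow 1.3 specification (8-byte common header, fixed fields, then an OXM match padded to 8 bytes); the match fields, addresses, counters and the 34-byte frame in demo() are constructed values, not the captures of Figs. 3 and 4, and the decoded field names are my choice. The values it extracts are exactly the ones the detection module inspects later: packet count, duration and reason of the Flow Removed Message (the sending switch is identified by the TCP connection, not by the message body).

```python
"""OpenFlow 1.3 Packet-In (type 10) and Flow Removed (type 11) codec.
Added example, not the paper's implementation."""
import ipaddress
import struct

OFP_VERSION_13 = 4
OFPT_PACKET_IN, OFPT_FLOW_REMOVED = 10, 11
OFPMT_OXM, OFPXMC_OPENFLOW_BASIC = 1, 0x8000
PACKET_IN_REASON = {0: "no_match", 1: "action", 2: "invalid_ttl"}
FLOW_REMOVED_REASON = {0: "idle_timeout", 1: "hard_timeout", 2: "delete", 3: "group_delete"}

# OXM basic-class fields this example handles: number -> (name, length, encode, decode)
OXM_FIELDS = {
    0: ("in_port", 4, lambda v: struct.pack("!I", v), lambda b: struct.unpack("!I", b)[0]),
    5: ("eth_type", 2, lambda v: struct.pack("!H", v), lambda b: struct.unpack("!H", b)[0]),
    11: ("ipv4_src", 4, lambda v: ipaddress.IPv4Address(v).packed, lambda b: str(ipaddress.IPv4Address(b))),
    12: ("ipv4_dst", 4, lambda v: ipaddress.IPv4Address(v).packed, lambda b: str(ipaddress.IPv4Address(b))),
}
OXM_BY_NAME = {spec[0]: num for num, spec in OXM_FIELDS.items()}


def build_match(**fields):
    """ofp_match: type, length (header + TLVs, padding excluded), OXM TLVs, zero padding to 8."""
    body = b""
    for name, value in fields.items():
        num = OXM_BY_NAME[name]
        _, length, encode, _ = OXM_FIELDS[num]
        body += struct.pack("!HBB", OFPXMC_OPENFLOW_BASIC, num << 1, length) + encode(value)  # hasmask = 0
    length = 4 + len(body)
    return struct.pack("!HH", OFPMT_OXM, length) + body + b"\x00" * ((-length) % 8)


def parse_match(buf, off):
    """Decode the match at buf[off:]; return (fields, offset just past the padding)."""
    mtype, length = struct.unpack_from("!HH", buf, off)
    if mtype != OFPMT_OXM:
        raise ValueError("only OFPMT_OXM matches are supported")
    fields, pos = {}, off + 4
    while pos < off + length:
        oxm_class, field_byte, oxm_len = struct.unpack_from("!HBB", buf, pos)
        num, hasmask = field_byte >> 1, field_byte & 1
        value = buf[pos + 4:pos + 4 + oxm_len]
        if oxm_class == OFPXMC_OPENFLOW_BASIC and num in OXM_FIELDS and not hasmask:
            fields[OXM_FIELDS[num][0]] = OXM_FIELDS[num][3](value)
        else:
            fields[f"oxm_{oxm_class:#06x}_{num}"] = value.hex()  # unknown or masked TLV kept raw
        pos += 4 + oxm_len
    return fields, off + length + (-length) % 8


def _header(msg_type, body, xid):
    return struct.pack("!BBHI", OFP_VERSION_13, msg_type, 8 + len(body), xid) + body


def build_packet_in(xid, buffer_id, reason, table_id, cookie, match, data):
    # ofp_packet_in: buffer_id, total_len, reason, table_id, cookie, match, 2 pad bytes, frame
    body = struct.pack("!IHBBQ", buffer_id, len(data), reason, table_id, cookie) + match + b"\x00\x00" + data
    return _header(OFPT_PACKET_IN, body, xid)


def build_flow_removed(xid, cookie, priority, reason, table_id, dur_sec, dur_nsec,
                       idle_timeout, hard_timeout, packet_count, byte_count, match):
    body = struct.pack("!QHBBIIHHQQ", cookie, priority, reason, table_id, dur_sec, dur_nsec,
                       idle_timeout, hard_timeout, packet_count, byte_count) + match
    return _header(OFPT_FLOW_REMOVED, body, xid)


def _parse_header(buf, expected_type):
    version, msg_type, length, xid = struct.unpack_from("!BBHI", buf, 0)
    if version != OFP_VERSION_13 or msg_type != expected_type or length != len(buf):
        raise ValueError("not a complete OpenFlow 1.3 message of type %d" % expected_type)
    return xid


def parse_packet_in(buf):
    xid = _parse_header(buf, OFPT_PACKET_IN)
    buffer_id, total_len, reason, table_id, cookie = struct.unpack_from("!IHBBQ", buf, 8)
    match, off = parse_match(buf, 24)
    return {"xid": xid, "buffer_id": buffer_id, "total_len": total_len,
            "reason": PACKET_IN_REASON.get(reason, reason), "table_id": table_id,
            "cookie": cookie, "match": match, "data": buf[off + 2:]}  # skip the 2 pad bytes


def parse_flow_removed(buf):
    xid = _parse_header(buf, OFPT_FLOW_REMOVED)
    (cookie, priority, reason, table_id, dur_sec, dur_nsec,
     idle_timeout, hard_timeout, packet_count, byte_count) = struct.unpack_from("!QHBBIIHHQQ", buf, 8)
    match, _ = parse_match(buf, 48)
    return {"xid": xid, "cookie": cookie, "priority": priority,
            "reason": FLOW_REMOVED_REASON.get(reason, reason), "table_id": table_id,
            "duration": dur_sec + dur_nsec / 1e9, "idle_timeout": idle_timeout,
            "hard_timeout": hard_timeout, "packet_count": packet_count,
            "byte_count": byte_count, "match": match}


def demo():
    """Round trip of constructed messages (not a capture from the paper's testbed)."""
    match = build_match(in_port=3, eth_type=0x0800, ipv4_src="10.0.0.7", ipv4_dst="10.0.0.1")
    frame = bytes.fromhex("ffffffffffff0000000000010800") + b"\x45" + b"\x00" * 19  # 34-byte stub frame
    pin = parse_packet_in(build_packet_in(7, 0xffffffff, 0, 0, 0, match, frame))
    frm = parse_flow_removed(build_flow_removed(8, 0x1234, 100, 0, 0, 30, 500_000_000, 10, 0, 120, 9600, match))
    return pin, frm


if __name__ == "__main__":
    for message in demo():
        print(message)
```

A detector that consumes these messages only needs the fixed fields, so parse_match can stop at the first unknown OXM class without losing anything SSM uses; the raw hex is kept here so that such TLVs remain visible when debugging a capture.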


First, we developed a REST-based program that forces the controller, i.e., OpenDaylight, to assign static flow entries, to test the flow entry capacity of the switch. The static flow entries will not be removed until we delete them. In this experiment, two laptops communicate with each other through the OvS-based test switch [40], and we observe that the communication breaks down when 15000-20000 flow entries are assigned to the test switch. However, it should be noted that the OvS-based switch does not use TCAM to cache flow entries, whereas most commercial switches are equipped with small TCAMs that support about 8000 flow entries [41, 42].

Second, we inject attack packets into the SDN-enabled switch to simulate the new-flow attack. In order to confuse the controller, we make two Linux laptops send packets to each other through our testbed. Each attack packet holds a different source IP address and asks the SDN routing system to assign a specific flow entry. Fig. 6 shows the impact on the data plane and the control plane. The idle timeout value and the new-flow attack rate decide the number of flow entries consumed in the victim switch. By counting the Asynchronous Messages and the Controller-to-Switch Messages invoked by the injected packets, we get a conservative estimate of the consumption on the control link. The average length of the routing paths for the injected packets and the attack rate decide the number of messages invoked on the control link. As discussed in the related study [33], the bandwidth of the control link is usually set to 100 Mbps. Therefore, the new-flow attack is an obvious threat to SDN.

Fig. 6. For a single new-flow attacker, its consumption in both the data plane and the control plane. (Figure: two surface plots. Top: consumption in the flow table (flow entries, 0-10000) versus idle timeout value (0-25 s) and new-flow attack rate (0-300 flows/s). Bottom: consumption on the control link (0-10 Mbps) versus average length of routing paths (0-10 hops) and new-flow attack rate (0-300 flows/s).)

B. Defend against New-flow Attack with SSM

In this subsection, we first present the overall architecture and working principle of our smart security mechanism. Then we propose a low cost monitoring method to detect the new-flow attack. Finally, we propose a dynamic access control method to mitigate the new-flow attack.

1) Overall Architecture and Working Principle of SSM

As shown in Fig. 7, SSM belongs to the application plane, and it consists of two parts: the detection module and the mitigation module. The detection module monitors the new-flow attack by listening to the Asynchronous Messages on the control link. It notifies the mitigation module when it detects an attack. The mitigation module is responsible for assigning dynamic access control rules.

Fig. 7. The overall architecture and working principle of SSM.

To make sure that the detection module is practical, we pay attention to the monitoring features and the monitoring cost for the new-flow attack, because the detection module faces the challenges summarized below.
• First, the new-flow attack is difficult to detect. Traditional monitoring features, such as destination IP entropy [43] and TCP protocol proportion [44], are not effective when dealing with the arbitrary injected packets of the new-flow attack, because the attack flows behave like a normal flow burst.
• Second, the monitoring cost is limited. Even if the injected packets trigger abnormal values of the traditional monitoring features, the statistics collection processes of the existing methods invoke lots of control link messages that may overload the control link bandwidth during the new-flow attack. As a module that runs all the time in the application plane, the detection module should control its monitoring cost.
• Last, the detection process should provide input to the mitigation process. Since the new-flow attack threatens the working foundation of SDN, it should be mitigated quickly before the switch or controller is disabled. Therefore, the detection module should notify the mitigation module of the victim switch and the attacker's location.

To deal with these challenges, we propose two monitoring features: the request rate of a switch and the match efficiency of a switch. The request rate of a switch represents the number of unmatched packets during a period of time. It is an important feature for both the new-flow attack and the normal flow burst. Besides, the match efficiency of a switch represents the average hit rate of the flow entries during a period of time. It is designed to differentiate the new-flow attack from the normal flow burst. Since the arbitrary injected packets aim to generate new flows in SDN, these injected packets hit no flow entries


that are assigned to the victim switch. On the contrary, the packets of the burst normal flows hit their flow entries fast. Meanwhile, most of the network statistics that our monitoring features need can be acquired through the Asynchronous Messages on the control link. In this way, the detection module can control its monitoring cost. When the monitoring features indicate a new-flow attack, the detection module gives a victim port list to the mitigation module to activate the mitigation process. The detailed implementation of the detection module is described in Section 4.2.2.

In the mitigation module, we focus on dynamic access control because of the following properties.
• First, static access control in the controller [22, 23] is not effective, since the injected packets can be disguised as different normal flows.
• Second, the attack rate is so high that we cannot allow the controller to assign a flow entry for each attack flow, whether the action is forwarding or dropping.

However, the controller only checks the integrity of the packet encapsulated in the Packet-In Message [12]; it cannot differentiate the attack flows from the normal flows effectively. Therefore, we redirect the suspicious flows from the victim port to the security middleware, which can filter out attack flows. Then, we perceive the behavior of the security middleware by analyzing the flow tables in its directly connected switches. Finally, the perceived behavior can be assigned as dynamic access control rules to the victim switches. The detailed implementation of the mitigation module is described in Section 4.2.3.

2) New-flow Attack Detection

As aforementioned, we use the request rate of a switch to monitor the flow burst in the data plane, and the match efficiency of a switch to differentiate the new-flow attack from the normal flow burst. As shown in Fig. 8, the detection module first establishes the baselines of the proposed monitoring features during the normal condition (no sign of attacks), then it monitors the real-time values of these features to detect the new-flow attack.

Algorithm 1: Baseline establishment
Input: Packet-In Message, Flow Removed Message, percentage of valid samples (i.e., $\alpha$)
Output: $R_i^T$, $E_i^T$
  $R_i = \emptyset$, $E_i = \emptyset$;
  for $t = 1;\ t \le T;\ t{+}{+}$ do
    Calculate $R_i(t)$ by listening to the Packet-In Messages;
    $R_i = R_i \cup \{R_i(t)\}$;
    Calculate $E_i(t)$ by listening to the Flow Removed Messages;
    $E_i = E_i \cup \{E_i(t)\}$;
  end
  $R_i^T = \mathrm{CDF}_{R_i}^{-1}(\alpha)$;
  $E_i^T = \mathrm{CDF}_{E_i}^{-1}(1-\alpha)$;

During a time slot, e.g., time slot $t$, the detection module inspects the source address of the Packet-In Message. All the Packet-In Messages sent from switch $i$ are considered as a set $PIM_i^t$. Then, the request rate of switch $i$ for time slot $t$ is defined as
$$R_i(t) = \frac{\mathrm{card}(PIM_i^t)}{w} \tag{1}$$
where $\mathrm{card}(PIM_i^t)$ represents the number of routing requests that are sent from switch $i$ in time slot $t$. For $T$ time slots, we get a set of request rates of switch $i$:
$$R_i = \{R_i(t) \mid t = 1, 2, \ldots, T\}. \tag{2}$$
Meanwhile, the detection module inspects the source address, packet count, duration and reason fields of the Flow Removed Message. All the Flow Removed Messages sent from switch $i$ are considered as a set $FRM_i^t$. Then, the match efficiency of switch $i$ for time slot $t$ is defined as
$$E_i(t) = \frac{w}{\mathrm{card}(FRM_i^t)} \sum_{k=1}^{\mathrm{card}(FRM_i^t)} \frac{L_k}{T_k - e_k \cdot w} \tag{3}$$
where $\mathrm{card}(FRM_i^t)$ represents the number of removed flows from switch $i$ in time slot $t$. $L_k$, $T_k$, and $e_k$ represent the packet count (i.e., the final number of matched packets), flow duration (i.e., the final number of seconds) and reason fields in the $k$th Flow Removed Message, respectively. $e_k$ is a Boolean value, which is set to 1 only if the reason field declares an idle timeout. For $T$ time slots, we get a set of match efficiencies of switch $i$:
$$E_i = \{E_i(t) \mid t = 1, 2, \ldots, T\}. \tag{4}$$
To set baselines for the request rate and match efficiency of
switch i, we consider the percentage of valid samples for set
Ri and Ei , and denote it as the parameter α. For example, in
Ri , some outliers caused by the novel flow burst are excluded,
Fig. 8. Different ways to gather statistics for the monitoring features.
and the valid request rate samples account for α percent.
Therefore, the baselines, i.e., RiT and EiT , can be calculated
When the detection module establishes the baselines, we use by the cumulative distribution functions (CDFs) of Ri and Ei ,
a discrete time model where the time horizon is divided into and they satisfy that
T time slots. Each time slot has equal length w, which is the {
idle timeout value of the SDN system. Based on the discrete CDFRi (RiT ) = α
(5)
time model, Algorithm 1 shows the establishment process. CDFEi (EiT ) = 1 − α.

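The following Python program is an added example, not code from the paper or from SSM: it implements Algorithm 1 and equations (1)-(5) over constructed Packet-In and Flow Removed records. The dicts stand in for the OpenFlow messages a controller application would receive, and their field names (dpid, slot, packet_count, duration_sec, reason) are assumptions made for this example. It also adds one guard the formula does not have: a single-packet flow that idle-times out has $T_k - w = 0$, so it is skipped rather than divided by zero.

```python
"""Baseline establishment for SSM's two monitoring features (Algorithm 1, eqs. 1-5).

Added example, not code from the paper or from SSM. The dicts below are a simplified
stand-in for OpenFlow Packet-In and Flow Removed messages; field names are assumptions.
"""
import math
from typing import List, Tuple

W = 10.0  # idle timeout of the SDN system in seconds, which is also the slot length w


def request_rate(packet_ins: List[dict], switch: str, slot: int, w: float = W) -> float:
    """R_i(t) = card(PIM_i^t) / w (eq. 1): Packet-Ins from switch i during slot t, per second."""
    n = sum(1 for m in packet_ins if m["dpid"] == switch and m["slot"] == slot)
    return n / w


def match_efficiency_removed(flow_removed: List[dict], switch: str, slot: int, w: float = W) -> float:
    """E_i(t) from Flow Removed messages (eq. 3), in packets per flow per time slot.

    For the k-th removed flow: L_k = packet_count, T_k = duration_sec, e_k = 1 iff the
    reason is an idle timeout. An idle-timed-out entry lived w seconds past its last
    packet, so its useful lifetime is T_k - w.
    """
    frm = [m for m in flow_removed if m["dpid"] == switch and m["slot"] == slot]
    total, used = 0.0, 0
    for m in frm:
        e_k = 1 if m["reason"] == "IDLE_TIMEOUT" else 0
        live = m["duration_sec"] - e_k * w  # T_k - e_k * w
        if live <= 0:
            # Practical guard that eq. (3) lacks: a single-packet flow removed exactly w
            # seconds after its only packet has zero useful lifetime; skip it instead of
            # dividing by zero (it is then also left out of the average).
            continue
        total += m["packet_count"] / live
        used += 1
    return w * total / used if used else 0.0


def empirical_quantile(samples: List[float], q: float) -> float:
    """Smallest x with CDF(x) >= q for the empirical CDF of `samples` (the CDF^-1 of eq. 5)."""
    s = sorted(samples)
    idx = min(len(s) - 1, max(0, math.ceil(q * len(s)) - 1))
    return s[idx]


def establish_baselines(packet_ins, flow_removed, switch, T, alpha=0.9, w=W) -> Tuple[float, float]:
    """Algorithm 1: collect R_i and E_i over T slots, then R_i^T = CDF_R^-1(alpha) and
    E_i^T = CDF_E^-1(1 - alpha). The upper alpha-quantile drops request-rate outliers
    (bursts); the lower (1 - alpha)-quantile drops match-efficiency outliers."""
    R = [request_rate(packet_ins, switch, t, w) for t in range(1, T + 1)]
    E = [match_efficiency_removed(flow_removed, switch, t, w) for t in range(1, T + 1)]
    return empirical_quantile(R, alpha), empirical_quantile(E, 1 - alpha)


def constructed_day(switch: str = "s1", T: int = 24, w: float = W):
    """Constructed sample messages (not real traffic): 22 quiet slots whose request rate
    grows from 1 to 22 per second, plus two burst slots (23 and 24) full of single-packet
    flows that die by idle timeout, which the quantiles should treat as outliers."""
    packet_ins, flow_removed = [], []
    for t in range(1, T + 1):
        burst = t > 22
        n_requests = 500 if burst else 10 * t
        packet_ins += [{"dpid": switch, "slot": t, "seq": n} for n in range(n_requests)]
        if burst:
            flow_removed += [{"dpid": switch, "slot": t, "packet_count": 1,
                              "duration_sec": w + 1, "reason": "IDLE_TIMEOUT"} for _ in range(2)]
        else:
            flow_removed += [
                {"dpid": switch, "slot": t, "packet_count": 4 * t + 40,
                 "duration_sec": 20, "reason": "HARD_TIMEOUT"},
                {"dpid": switch, "slot": t, "packet_count": 2 * t + 20,
                 "duration_sec": 20, "reason": "HARD_TIMEOUT"},
            ]
    return packet_ins, flow_removed


if __name__ == "__main__":
    pi, fr = constructed_day()
    r_t, e_t = establish_baselines(pi, fr, "s1", T=24)
    print(f"R_i^T = {r_t:.1f} requests/s, E_i^T = {e_t:.1f} packets/flow/slot")
    print("burst slot 24:", request_rate(pi, "s1", 24), match_efficiency_removed(fr, "s1", 24))
```

On the constructed day the baselines come out as $R_i^T = 22$ requests per second and $E_i^T = 16.5$ packets per flow per slot, and both burst slots fall outside them (50 requests per second, 10 packets per flow per slot), which is what the $\alpha$ and $1-\alpha$ quantiles are for. A switch with a nearly empty table at night yields very few samples per slot, so a deployment should also require a minimum sample count before trusting a slot's $E_i(t)$.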
2169-3536 (c) 2016 IEEE. Translations and content mining are permitted for academic research only. Personal use is also permitted, but republication/redistribution requires IEEE permission. See
[Link] for more information.
The baselines $R_i^T$ and $E_i^T$ indicate the maximum allowed request rate and the minimum allowed match efficiency of switch $i$.

Algorithm 2: Victim port location
  Input: Packet-In Message, Flow table statistics, $R_i^T$, $E_i^T$
  Output: $VP$
  Calculate $R_i(t)$ by listening to the Packet-In Message;
  if $R_i(t) > R_i^T$ then
    Calculate $E_i(t)$ by pulling flow table statistics from the controller;
    if $E_i(t) \le E_i^T$ then
      Calculate $E_{i,p}(t)$;
      Add port $p$ to $VP$ when $E_{i,p}(t) \le E_i^T$;
    end
  end

When the detection module monitors for the new-flow attack, it determines the location of the victim port using Algorithm 2. The detection module first calculates the real-time request rate of switch $i$ using equation (1). When the real-time request rate $R_i(t)$ is larger than its $R_i^T$, there is a flow burst at switch $i$. To determine whether switch $i$ is compromised by the new-flow attack, the detection module gets the flow table statistics of switch $i$ from the controller and calculates the current match efficiency of switch $i$ by
$$E_i(t) = \frac{w}{\mathrm{card}(FE_i)} \sum_{k=1}^{\mathrm{card}(FE_i)} \frac{l_k}{t_k} \qquad (6)$$
where $FE_i$ represents the set of flow entries in switch $i$. $l_k$ and $t_k$ are the values of the packet counter (i.e., the current number of matched packets) and duration counter (i.e., the current number of seconds) of the $k$th flow entry. When the current match efficiency of switch $i$ is smaller than its $E_i^T$, which means that many flow entries in switch $i$ are hardly hit, the detection module confirms a new-flow attack and locates the victim port using the port's match efficiency
$$E_{i,p}(t) = \frac{w}{\mathrm{card}(FE_{i,p})} \sum_{k=1}^{\mathrm{card}(FE_{i,p})} \frac{l_k}{t_k}, \qquad (7)$$
where $FE_{i,p}$ represents the set of flow entries in switch $i$ for port $p$. When $E_{i,p}(t) \le E_i^T$, we denote it as victim port $VP_{i,p}$ and mitigate the new-flow attack for it.
Since the baseline establishment process reuses the Asynchronous Messages and the monitoring process only sends Multipart Messages to a switch when its request rate exceeds the corresponding baseline, the detection module achieves a low cost on the control link.

3) New-flow Attack Mitigation
As aforementioned, preset static access control rules are not effective against the new-flow attack, and we cannot assign a flow entry for each attack flow to mitigate the victim port. Therefore, as shown in Fig. 9, the mitigation module first redirects the suspicious flows from $VP_{i,p}$ to the security middleware, then it begins to perceive the behavior of the security middleware. Based on the perceiving results, the mitigation module assigns flow entries on the compromised switch to intercept the attack flows.

Fig. 9. Working principle of the dynamic access control.

Given the redirection order, the unmatched packets (whether legitimate or illegal) are redirected to the security middleware. Therefore, the injected packets on $VP_{i,p}$ cannot invoke the series of subsequent processes in both the data plane and the control plane. Compared to the controller, the security middleware is more powerful and accurate when dealing with illegal packets [44].
However, the security middleware cannot report its filtering logs to the controller through the current southbound interface. To make the controller aware of the filtering results, we propose Algorithm 3 to perceive the access control rules on the security middleware.

Algorithm 3: Access control rule perceiving
  Input: Flow table statistics
  Output: White list ($WL$); Black list ($BL$)
  if $FE_{in}(k)$ has a corresponding flow entry $FE_{out}(n)$ then
    Compare their packet counters;
    if their packet counters record the small value then
      $FE_{in}(k)$ belongs to $WL$;
    end
  else
    $FE_{in}(k)$ belongs to $BL$;
  end

The mitigation module first gets the flow table statistics of the switches that are directly connected to the security middleware. Then, it finds all flow entries that guide flows into the security middleware by checking the out port in the actions; we denote these flow entries as
$$FE_{in} = \{FE_{in}(k) \mid k = 1, 2, \dots\}. \qquad (8)$$
Further, it finds all flow entries that guide flows out of the security middleware by checking the in port in the match fields; we denote these flow entries as
$$FE_{out} = \{FE_{out}(n) \mid n = 1, 2, \dots\}. \qquad (9)$$
It should be noted that the legitimate packets can pass through the security middleware while the illegal packets are intercepted. This means the legitimate packets have flow entries in both $FE_{in}$ and $FE_{out}$ while the illegal packets only have flow entries in $FE_{in}$.
Therefore, the mitigation module then checks the match fields of $FE_{in}$ and $FE_{out}$. It decides whether $FE_{in}(k)$ serves the illegal packets and belongs to the black list ($BL$) by
$$\forall FE_{in}(k) \in BL,\; FE_{in}(k) \cap FE_{out} = \emptyset. \qquad (10)$$
Likewise, by checking both the match fields and the packet counters, the mitigation module decides whether $FE_{in}(k)$ serves the legitimate packets and belongs to the white list ($WL$) by
$$\forall FE_{in}(k) \in WL,\; FE_{in}(k) \cap FE_{out} = FE_{out}(n). \qquad (11)$$
In this way, the mitigation module perceives the behavior of the security middleware.
Since the packets are redirected from $VP_{i,p}$, we can execute the $BL$ and $WL$ on switch $i$ to intercept the illegal packets and protect the legitimate packets at the attackers' access switch. During this process, the mitigation module controls the assignment rate to avoid filling the flow table. In addition, it updates the $BL$ and $WL$ by periodically perceiving the behavior of the security middleware.

Fig. 10. Timing diagram of three typical flows in SDN.

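The Python below is an added example, not code from the paper or from SSM. It implements Algorithm 2 (victim port location with equations (6) and (7)) and Algorithm 3 (perceiving the white and black lists from $FE_{in}$ and $FE_{out}$, equations (8)-(11)), then turns the lists into rate-limited rules for the victim switch. Flow entries are dicts with a match dict, an actions dict and the OpenFlow packet_count and duration_sec counters; those names, the 5-tuple used as the flow key, the 10% tolerance in the packet-counter comparison and the sample tables are all assumptions of this example. The baselines used in the sample (84 requests per second, 7.5 packets per flow per slot) are the values Section V reports for the campus dataset.

```python
"""Victim port location (Algorithm 2, eqs. 6-7) and access-control-rule perceiving
(Algorithm 3, eqs. 8-11). Added example, not code from the paper or from SSM;
flow-entry field names, the flow key and the sample tables are assumptions."""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

W = 10.0  # slot length / idle timeout in seconds
FLOW_KEY = ("nw_src", "nw_dst", "nw_proto", "tp_src", "tp_dst")


def match_efficiency_table(entries: List[dict], w: float = W) -> float:
    """E over live flow entries (eq. 6 for a switch, eq. 7 for one port): w/card(FE) * sum(l_k/t_k).
    An entry installed under a second ago reports duration_sec = 0 and is floored to 1 s."""
    if not entries:
        return 0.0
    return w * sum(e["packet_count"] / max(e["duration_sec"], 1) for e in entries) / len(entries)


def locate_victim_ports(switch: str, packet_in_count: int, flow_table: List[dict],
                        r_baseline: float, e_baseline: float, w: float = W) -> Set[Tuple[str, int]]:
    """Algorithm 2: victim ports VP_{i,p} of `switch` for the current slot; empty when there is
    no burst, or when the burst is normal traffic whose entries keep being hit."""
    if packet_in_count / w <= r_baseline:                  # no flow burst in the data plane
        return set()
    if match_efficiency_table(flow_table, w) > e_baseline:  # burst, but entries are being hit
        return set()
    by_port: Dict[int, List[dict]] = defaultdict(list)
    for e in flow_table:
        by_port[e["match"]["in_port"]].append(e)
    return {(switch, p) for p, entries in by_port.items()
            if match_efficiency_table(entries, w) <= e_baseline}


def flow_key(entry: dict) -> tuple:
    return tuple(entry["match"].get(f) for f in FLOW_KEY)


def perceive_middleware(flow_tables: Dict[str, List[dict]], middleware_port: Dict[str, int],
                        tolerance: float = 0.1) -> Tuple[List[tuple], List[tuple]]:
    """Algorithm 3 on the switches adjacent to the middleware. FE_in (eq. 8): entries whose action
    outputs to the middleware port; FE_out (eq. 9): entries whose match in_port is that port.
    No FE_out twin -> black list (eq. 10). A twin (eq. 11) is white-listed only if it saw nearly
    as many packets as went in; `tolerance` is this example's reading of the counter comparison."""
    fe_in, fe_out = [], {}
    for dpid, entries in flow_tables.items():
        mp = middleware_port[dpid]
        for e in entries:
            if e["actions"].get("output") == mp:
                fe_in.append(e)
            if e["match"].get("in_port") == mp:
                fe_out[flow_key(e)] = e
    wl, bl = [], []
    for e in fe_in:
        twin = fe_out.get(flow_key(e))
        if twin is not None and twin["packet_count"] >= (1 - tolerance) * e["packet_count"]:
            wl.append(flow_key(e))
        else:
            bl.append(flow_key(e))
    return wl, bl


def access_control_rules(wl, bl, victim_port: int, budget: int) -> List[dict]:
    """BL/WL as entries for the victim switch, drop rules first, at most `budget` per round so
    that rule assignment itself cannot fill the victim's flow table."""
    rules = [{"match": dict(zip(FLOW_KEY, k), in_port=victim_port), "actions": {}}  # no action = drop
             for k in bl[:budget]]
    rules += [{"match": dict(zip(FLOW_KEY, k), in_port=victim_port), "actions": {"output": "NORMAL"}}
              for k in wl[:max(0, budget - len(rules))]]
    return rules


def _entry(in_port, key, packets, duration, out=None):
    return {"match": dict(zip(FLOW_KEY, key), in_port=in_port),
            "actions": {"output": out} if out is not None else {},
            "packet_count": packets, "duration_sec": duration}


# Constructed sample state (not the paper's testbed): on s1, port 1 carries 3 busy flows and
# port 2 carries 20 one-packet flows; s3 is the switch in front of the middleware (its port 4).
VICTIM_TABLE = (
    [_entry(1, ("10.0.0.%d" % n, "10.0.0.9", 6, 50000 + n, 21), 100, 50, out=3) for n in range(3)]
    + [_entry(2, ("10.0.1.%d" % n, "10.0.0.9", 6, 40000 + n, 21), 1, 5, out=3) for n in range(20)])
MIDDLEWARE_TABLES = {"s3": [
    _entry(1, ("10.0.0.5", "10.0.0.9", 6, 40000, 21), 50, 30, out=4),  # goes in and comes back out
    _entry(1, ("10.0.1.7", "10.0.0.9", 6, 1234, 21), 1, 30, out=4),    # goes in, never comes out
    _entry(1, ("10.0.1.8", "10.0.0.9", 6, 1235, 21), 30, 30, out=4),   # goes in, mostly filtered
    _entry(4, ("10.0.0.5", "10.0.0.9", 6, 40000, 21), 50, 30, out=2),
    _entry(4, ("10.0.1.8", "10.0.0.9", 6, 1235, 21), 3, 30, out=2),
]}
```

With 900 Packet-Ins in the slot, switch s1 is above the request-rate baseline, its table-wide efficiency is $100/23 \approx 4.3$, and only port 2 is flagged; the same table with 800 Packet-Ins produces no alarm, because Algorithm 2 never pulls flow statistics without a burst. On s3 the flow that returns from the middleware with its full packet count is white-listed, and both the flow that never returns and the one that returns with 3 of 30 packets are black-listed. One caveat the counter comparison needs in practice: the two entries are read at slightly different times, which is why an exact equality test is a poor choice.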
V. SIMULATION AND RESULT

In this section, we conduct extensive simulations to evaluate the performance of our proposed method. First, we build an SDN environment using MATLAB, and establish the baselines of our monitoring features using 24-hour data mirrored from our campus boundary routers. Then, we evaluate SSM for both new-flow detection and mitigation using the attack records from our testbed.

A. Simulation environment and baseline establishment
To simulate the SDN system, we mainly focus on the flow table and the Asynchronous Messages at time $t$. In the timing diagram shown in Fig. 10, we use $w$ to represent the idle timeout value. Black, gray and white rectangles indicate the packets of flow a, flow b and flow c, respectively. In order to calculate the flow table at time $t$, we count the flows active during $w$. For example, in Fig. 10 there will be two flow entries, for a and b, at time $t$, even though their packet numbers differ greatly. Meanwhile, we recreate the Asynchronous Messages, such as the Packet-In Message and the Flow Removed Message. Since there is no active packet of flow c during the time window $w$, flow c should be removed at time $t$ by sending the Flow Removed Message. In a particular case, packets of flow c may arrive at time $t$. Since there is no suitable flow entry for flow c, flow c should be treated as a new flow by sending the Packet-In Message.
Based on that, we build the SDN environment shown in Fig. 11 and adopt the 24-hour data mirrored from our campus boundary routers. The dataset records the arrival time and IP header of each packet. We replay the dataset in the SDN environment to establish the baselines for our monitoring features.

Fig. 11. Simulation topology and baseline establishment.

For the first monitoring feature, i.e., the request rate of switch, we get $R_i$ and its CDF as shown in Fig. 12. We can see that the request rate of switch shows a great difference between daytime and nighttime: the maximum $R_i$ is 130 per second at 1 pm while the minimum $R_i$ is almost 0 per second at night. In this paper, we set $\alpha$ to 0.9. As aforementioned in Algorithm 1, we calculate the baseline for $R_i$ (i.e., $R_i^T$) according to its CDF. As shown in Fig. 12, the value of $R_i^T$ is 84.

Fig. 12. Request rate of switch in a day and its baseline, $\alpha = 0.9$, $w = 10$ s. [Top panel: request rate of switch versus time of day (00:00 to 24:00); bottom panel: CDF versus request rate of switch, with $\mathrm{CDF}(R_i) = 0.9$ marked.]

Likewise, for the second monitoring feature, i.e., the match efficiency of switch, we get $E_i$ and its CDF as shown in Fig. 13. We can see that the maximum $E_i$ reaches almost 30 packets per flow per time slot while the minimum $E_i$ is less than 7 packets per flow per time slot. As shown in Fig. 13, the value of $E_i^T$ is 7.5.

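The Python below is an added example of the discrete-time model described above; it is not the paper's MATLAB simulator. It replays a packet trace through a flow table with idle timeout $w$, emitting a Packet-In when a packet misses the table and a Flow Removed when an entry has seen no packet for $w$ seconds, and then counts the Packet-Ins per slot, which is the numerator of equation (1). The trace reproduces the three flows of Fig. 10 and is constructed for the example; the message field names are assumptions.

```python
"""Discrete-time replay of packet records through an idle-timeout flow table (the model of
Section V.A and Fig. 10). Added example, not the paper's simulator; the trace is constructed
and the message field names are assumptions."""
from collections import Counter
from typing import Dict, List, Tuple

W = 10.0  # idle timeout w in seconds, also the slot length


def replay(packets: List[Tuple[float, str]], w: float = W):
    """packets: (arrival_time, flow_key) in time order. Returns (packet_ins, flow_removed,
    table_at_end). Expiry is evaluated lazily at each arrival, so a Flow Removed record
    carries the time last_seen + w at which a real switch would have emitted it."""
    table: Dict[str, dict] = {}
    packet_ins, removed = [], []

    def expire(now: float) -> None:
        for key, e in list(table.items()):
            if now - e["last"] >= w:
                removed.append({"flow": key, "packet_count": e["count"],
                                "duration_sec": e["last"] + w - e["installed"],
                                "reason": "IDLE_TIMEOUT", "time": e["last"] + w})
                del table[key]

    for t, key in packets:
        expire(t)
        entry = table.get(key)
        if entry is None:                   # table miss: Packet-In to the controller, then install
            packet_ins.append({"flow": key, "time": t})
            table[key] = {"installed": t, "last": t, "count": 1}
        else:                               # table hit: counters only, no controller involvement
            entry["count"] += 1
            entry["last"] = t
    return packet_ins, removed, table


def requests_per_slot(packet_ins: List[dict], w: float = W) -> Dict[int, int]:
    """card(PIM^t) for each slot t = 1, 2, ..., the numerator of eq. (1)."""
    return dict(Counter(int(m["time"] // w) + 1 for m in packet_ins))


def constructed_trace() -> List[Tuple[float, str]]:
    """The three flows of Fig. 10: a sends every second for 20 s, b sends at 3 s and 12 s,
    and c sends at 2 s and again at 12 s, exactly w after its previous packet."""
    return sorted([(float(t), "a") for t in range(20)]
                  + [(3.0, "b"), (12.0, "b"), (2.0, "c"), (12.0, "c")])


if __name__ == "__main__":
    pi, fr, table = replay(constructed_trace())
    print("Packet-In:", [(m["time"], m["flow"]) for m in pi])
    print("Flow Removed:", fr)
    print("requests per slot:", requests_per_slot(pi))
```

Replaying the trace yields four Packet-Ins (a at 0 s, c at 2 s, b at 3 s, and c again at 12 s), one Flow Removed for c with a packet count of 1 and a duration of 10 s, and three entries left in the table at the end: the 20-packet flow a and the 2-packet flow b share the table exactly as the text says, and the second packet of c costs the controller a new request because the entry had already timed out.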
Fig. 13. Match efficiency of switch in a day and its baseline, $\alpha = 0.9$, $w = 10$ s. [Top panel: match efficiency of switch versus time of day (00:00 to 24:00); bottom panel: CDF versus match efficiency of switch, with $\mathrm{CDF}(E_i) = 1 - 0.9$ marked.]

B. New-flow attack detection and mitigation
To simulate the new-flow attack at different rates, we adopt the packet records of new-flow attacks from our testbed, and replay them together with our normal dataset at different times.
When we monitor the new-flow attack, we get $R_i$ for different attack rates and times, as shown in Fig. 14. We can see that the request rate of switch increases linearly with increasing attack rate. For a request rate of switch that stays above the baseline plane, our algorithm, i.e., Algorithm 2, views it as a flow burst in the data plane.

Fig. 14. Request rate of switch for different attack rates and times, $\alpha = 0.9$, $w = 10$ s. [Axes: new-flow attack rate (0 to 400), time of day (5:00 to 20:00), $R_i(t)$ (0 to 600); the baseline plane is marked.]

It should be mentioned that, in the real world, a normal flow burst also triggers a large request rate of switch. To differentiate a normal flow burst from the new-flow attack, we calculate the match efficiency of switch and get Fig. 15. We can see that the match efficiency of switch decreases greatly with increasing attack rate. For a flow burst in the data plane, when the match efficiency of switch stays below the baseline plane, our algorithm, i.e., Algorithm 2, views it as the new-flow attack.

Fig. 15. Match efficiency of switch for different attack rates and times, $\alpha = 0.9$, $w = 10$ s. [Axes: new-flow attack rate (0 to 400), time of day (5:00 to 20:00), $E_i(t)$ (0 to 30); the baseline plane is marked.]

To illustrate how accurate our monitoring method is in the simulation scenarios, we present the monitoring results in Fig. 16. The white rectangles indicate correct judgements while the gray and black rectangles indicate wrong judgements. We can see that both the false positive (FP) and false negative (FN) errors are distributed in the area where the attack rates are relatively low. The FP errors are mainly caused by normal flow bursts in the daytime, while the FN errors are mainly caused by the low request rate of switch at nighttime. During the simulation, the precision rate of our monitoring method reaches 86.32%.

Fig. 16. Monitoring results for different attack rates and times, $\alpha = 0.9$, $w = 10$ s. [Axes: time of day (0 to 20:00), new-flow attack rate (0 to 400); legend: accuracy, false positive, false negative.]

When we mitigate the new-flow attack, we first redirect the suspicious packets from the victim port to the security middleware and then execute dynamic access control by perceiving the behavior of the security middleware. Here we simulate the new-flow attack at 10 am; the simulation settings are shown in Table 1.

TABLE I
NEW-FLOW ATTACK SETTINGS AT 10 AM.

  Feature                    | Value
  ---------------------------|------------------------
  Attack rate on $VP_{1,2}$  | 150 packets per second
  Attack rate on $VP_{2,1}$  | 50 packets per second
  Attack rate on $VP_{2,2}$  | 100 packets per second
  Attack duration            | 3 minutes
  Length of time slot        | 10 seconds
From Fig. 16 and Table 1, we can see that our monitoring method confirms the new-flow attacks. As aforementioned, our algorithm, i.e., Algorithm 2, begins to build the victim port set $VP$ according to the match efficiency of port. The corresponding values and the mitigation effects are presented in Fig. 17. From Fig. 17, we can see that, when the attack flows are injected into $S_1$ and $S_2$, the match efficiency of port decreases obviously at the 3rd time slot. According to the baseline $E_i^T$, the victim port set is $\{VP_{1,2}, VP_{2,1}, VP_{2,2}\}$. Then the redirection orders are assigned to these ports to mitigate the new-flow attacks. Since the attack flows can no longer generate barely hit flow entries, the match efficiency of port increases.

Fig. 17. Match efficiency of port and mitigation effects, $\alpha = 0.9$, $w = 10$ s. [Four panels, $E_{1,1}$, $E_{1,2}$, $E_{2,1}$ and $E_{2,2}$, versus time (00:00 to 02:00), each with and without mitigation.]

Meanwhile, our algorithm, i.e., Algorithm 3, begins to gather flow table statistics from $S_3$ and $S_4$. Then it perceives the behavior of the security middleware and executes dynamic access control. We compare the redirected flow amounts with and without the dynamic access control in Fig. 18.

Fig. 18. Redirected flow amounts for situations both with and without dynamic access control, $\alpha = 0.9$, $w = 10$ s. [Redirected flow amount per time slot (0 to 5000) versus time (00:00 to 02:00).]

Once the access control rules are assigned, the attack flows are intercepted at $S_1$ and $S_2$, and fewer flows are redirected to the security middleware compared to the situation without the dynamic access control.

VI. EXPERIMENT AND RESULT

In this section, we focus on the feasibility of our smart security mechanism (SSM) in both new-flow detection and mitigation. Therefore, we implement SSM in our testbed. The testbed, as shown in Fig. 19(a), has four components: one SDN controller and three SDN-enabled switches. Each component has an Intel Xeon E5606 CPU working at 2.13 GHz and 8 GB of memory. We use OpenDaylight as the centralized controller and OpenvSwitch as the SDN-enabled switch. These components run Ubuntu Linux 12.04. We develop SSM in the application plane and rebuild OpenDaylight to fit SSM. We also develop a website, shown in Fig. 19(b), to control SSM and display the statistics of the testbed.

Fig. 19. SDN testbed and the graphical interfaces of SSM.

During the experiments, we set one SDN-enabled switch as the security middleware by assigning filtering rules as static flow entries in it. An attacker and an FTP server are connected to our testbed. The attacker communicates with the FTP server and sends attack flows during the normal session. The attack rate is set to 50 packets per second using Hping [45]. To make our SSM work effectively with the OpenDaylight controller, we set the valid sample proportion $\alpha$ to 0.9 and the length of each time slot to 10 seconds. We summarize the statistics recorded in SSM in Fig. 20.

Fig. 20. New-flow attack detection and mitigation results of SSM on the testbed, $\alpha = 0.9$, $w = 10$ s. [Corresponding values (0 to 40) versus time (00:00 to 02:00); series: cumulative number of requests (100/slot), match efficiency of switch (10/slot), redirected flow amount (10/second).]

From Fig. 20, we can see that, during the 1st to 4th time slots, the attacker communicates with the server normally and no flow is redirected to the security middleware. During the 5th to 7th time slots, the attacker injects fabricated packets and SSM detects the anomaly in the data plane. By redirecting suspicious flows to the security middleware and executing dynamic access control, SSM begins to mitigate the new-flow attack at the 8th time slot.
It should be mentioned that SSM controls the assignment rate of access control rules to avoid consuming the flow table in the compromised switch intensively. That explains the gradual decrease of the redirected flow amount.

VII. CONCLUSION

In this paper, we show that, because of SDN's inherent limitations in both the data plane and the control plane, SDN-based IoT suffers from the new-flow attack, which injects large numbers of unmatched packets to exhaust the SDN routing system and cut off the communication between IoT devices and IoT servers. Based on a careful study of existing work, we propose the smart security mechanism (SSM) to defend against the new-flow attack. SSM includes a monitoring method and a mitigation method. The monitoring method reuses the standard Asynchronous Messages and controls the invocation of Controller-to-Switch Messages to achieve a low monitoring cost. It can differentiate the new-flow attack from a normal flow burst. The mitigation method redirects the suspicious flows to the security middleware in the IoT and makes the controller aware of the filtering results. Based on that, the mitigation method executes dynamic access control at the attackers' access switch in SDN-based IoT. We conduct extensive simulations and the results confirm that SSM can detect and mitigate the new-flow attack systematically. We also develop SSM as an application in our testbed using OpenFlow and REST interfaces; the experimental results from our testbed prove the feasibility of SSM.
We believe that our work provides a practical direction to defend against the new-flow attack. Further research is expected to improve the calculation process of the normal baselines and the perceiving of the filtering results.

ACKNOWLEDGMENT

This work was supported by the 973 Program under Grant No. 2013CB329100, NSFC under Grant No. 61232017 and 61272504, and the Fundamental Research Funds for Central Universities under Grant No. 2016YJS018.

REFERENCES

[1] J. Granjal, E. Monteiro, and J. Silva, "Security for the Internet of Things: A survey of existing protocols and open research issues," IEEE Communications Surveys & Tutorials, vol. 17, no. 3, pp. 1294-1312, 2015.
[2] IEEE Standard for Local and Metropolitan Area Networks - Part 15.4: Low-Rate Wireless Personal Area Networks (LR-WPANs) Amendment 1: MAC Sublayer, IEEE Std. 802.15.4e-2012 (Amendment to IEEE Std. 802.15.4-2011), pp. 1-225, 2012.
[3] G. Montenegro, N. Kushalnagar, J. Hui, and D. Culler, Transmission of IPv6 Packets Over IEEE 802.15.4 Networks, RFC 4944, 2007.
[4] E. Kim, D. Kaspar, C. Gomez, and C. Bormann, Problem Statement and Requirements for IPv6 over Low-Power Wireless Personal Area Network (6LoWPAN) Routing, RFC 6606, 2012.
[5] N. McKeown, T. Anderson, H. Balakrishnan, G. Parulkar, L. Peterson, J. Rexford, S. Shenker, and J. Turner, "OpenFlow: Enabling innovation in campus networks," ACM SIGCOMM Computer Communication Review, vol. 38, no. 2, pp. 69-74, 2008.
[6] K. Sood, S. Yu, and Y. Xiang, "Software-defined wireless networking opportunities and challenges for Internet-of-Things: A review," IEEE Internet of Things Journal, vol. 3, no. 4, pp. 453-463, 2016.
[7] A. Hakiri, P. Berthou, A. Gokhale, and S. Abdellatif, "Publish/subscribe-enabled software defined networking for efficient and scalable IoT communications," IEEE Communications Magazine, vol. 53, no. 9, pp. 48-54, 2015.
[8] Y. Jararweh, M. Al-ayyoub, A. Darabseh, E. Benkhelifa, M. Vouk, and A. Rindos, "SDIoT: A software defined based Internet of Things framework," Journal of Ambient Intelligence and Humanized Computing, vol. 6, no. 4, pp. 453-461, 2015.
[9] D. Wu, D. Arkhipov, E. Asmare, Z. Qin, and J. McCann, "UbiFlow: Mobility management in urban-scale software defined IoT," in Proceedings of IEEE INFOCOM, Hongkong, [Link], 2015, pp. 208-216.
[10] N. Bizanis and F. Kuipers, "SDN and virtualization solutions for the Internet of Things: A survey," IEEE Access, vol. 4, pp. 5591-5606, 2016.
[11] J. Liu, Y. Li, M. Chen, W. Dong, and D. Jin, "Software-defined Internet of Things for smart urban sensing," IEEE Communications Magazine, vol. 53, no. 9, pp. 55-63, 2015.
[12] OpenFlow switch specification [Online]. Available: [Link] [Link]/.
[13] D. Kreutz, F. M. V. Ramos, P. E. Veríssimo, C. E. Rothenberg, S. Azodolmolky, and S. Uhlig, "Software-defined networking: A comprehensive survey," Proceedings of the IEEE, vol. 103, no. 1, pp. 14-76, 2015.
[14] Q. Yan and F. R. Yu, "Distributed denial of service attacks in software-defined networking with cloud computing," IEEE Communications Magazine, vol. 53, no. 4, pp. 52-59, 2015.
[15] S. Scott-Hayward, G. O'Callaghan, and S. Sezer, "SDN security: A survey," in Proceedings of the IEEE SDN for Future Networks and Services, Trento, Italy, 2013, pp. 1-7.
[16] S. Shin and G. Gu, "Attacking software-defined networks: A first feasibility study," in Proceedings of the 2nd ACM SIGCOMM Workshop on Hot Topics in Software Defined Networking, New York, USA, 2013, pp. 165-166.
[17] K. Benton, L. J. Camp, and C. Small, "OpenFlow vulnerability assessment," in Proceedings of the 2nd ACM SIGCOMM Workshop on Hot Topics in Software Defined Networking, New York, USA, 2013, pp. 151-152.
[18] R. Klöti, V. Kotronis, and P. Smith, "OpenFlow: A security analysis," in Proceedings of the 8th IEEE ICNP Workshop on Secure Network Protocols, Göttingen, Germany, 2013, pp. 1-6.
[19] R. Braga, E. Mota, and A. Passito, "Lightweight DDoS flooding attack detection using NOX/OpenFlow," in Proceedings of the 35th IEEE Conference on Local Computer Networks, Denver, USA, 2010, pp. 408-415.
[20] S. Mehdi, J. Khalid, and S. Khayam, "Revisiting traffic anomaly detection using software defined networking," Recent Advances in Intrusion Detection, vol. 6961, no. 2, pp. 161-180, 2011.
[21] Y. Xu and Y. Liu, "DDoS attack detection under SDN context," in Proceedings of the 35th Annual IEEE International Conference on Computer Communications, San Francisco, USA, 2016, pp. 1-9.
[22] T. Javid, T. Riaz, and A. Rasheed, "Layer2 firewall for software defined network," in Proceedings of IEEE Conference on Information Assurance and Cyber Security, Rawalpindi, Pakistan, 2014, pp. 39-42.
[23] J. Pena and W. Yu, "Development of a distributed firewall using software defined networking technology," in Proceedings of the 4th IEEE International Conference on Information Science and Technology, Shenzhen, [Link], 2014, pp. 449-452.
[24] M. Razzaque, M. Milojevic-Jevric, A. Palade, and S. Clarke, "Middleware for Internet of Things: A survey," IEEE Internet of Things Journal, vol. 3, no. 1, pp. 70-95, 2016.
[25] A. Ngu, M. Gutierrez, V. Metsis, S. Nepal, and Q. Sheng, "IoT Middleware: A survey on issues and enabling technologies," IEEE Internet of Things Journal, vol. PP, 2016.
[26] S. Chakrabarty, D. Engels, and S. Thathapudi, "Black SDN for the Internet of Things," in Proceedings of the 12th IEEE International Conference on Mobile Ad Hoc and Sensor Systems, Dallas, USA, 2015, pp. 190-198.
[27] P. Bull, R. Austin, E. Popov, M. Sharma, and R. Watson, "Flow based security for IoT devices using an SDN gateway," in Proceedings of the 4th IEEE International Conference on Future Internet of Things and Cloud, Vienna, Austria, 2016, pp. 157-163.
[28] P. Bull, R. Austin, and M. Sharma, "Pre-emptive flow installation for Internet of Things devices within software defined networks," in Proceedings of the 3rd IEEE International Conference on Future Internet of Things and Cloud, Rome, Italy, 2015, pp. 124-130.
[29] O. Flauzac, C. Gonzalez, A. Hachani, and F. Nolot, "SDN based architecture for IoT and improvement of the security," in Proceedings of the 29th IEEE International Conference on Advanced Information Networking and Applications Workshops, Gwangju, South Korea, 2015, pp. 688-693.
[30] H. Sandor, B. Genge, and G. Sebestyen-Pal, "Resilience in the Internet of Things: The software defined networking approach," in Proceedings of IEEE International Conference on Intelligent Computer Communication and Processing, Cluj-Napoca, Romania, 2015, pp. 545-552.
[31] S. Choi and J. Kwak, “Enhanced SDIoT security framework models,”
International Journal of Distributed Sensor Networks, pp. 1-12, 2016.
[32] J. Mirkovic and P. Reiher, “A taxonomy of DDoS attack and DDoS de-
fense mechanisms,” ACM SIGCOMM Computer Communication Review,
vol. 34, no. 2, pp. 39-53, 2004.
[33] R. Kandoi and M. Antikainen, “Denial-of-service attacks in OpenFlow
SDN networks,” in Proceedings of IFIP/IEEE International Symposium
on Integrated Network Management, Ottawa, Canada, 2015, pp. 1322-
1326.
[34] L. Wei and C. Fung, "FlowRanger: A request prioritizing algorithm
for controller DoS attacks in software defined networks," in Proceedings
of IEEE International Conference on Communications, London, United
Kingdom, 2015, pp. 5254-5259.
[35] S. Mousavi and M. St-Hilaire, “Early detection of DDoS attacks against
SDN controllers,” in Proceedings of IEEE International Conference on
Computing, Networking and Communications, Venice, Italy, 2015, pp.
77-81.
[36] B. Yuan, D. Zou, S. Yu, H. Jin, W. Qiang, and J. Shen, “Defending
against flow table overloading attack in software-defined networks,” IEEE
Transactions on Services Computing, vol. PP, no. 99, 2016.
[37] P. Dong, X. Du, H. Zhang and T. Xu, “A detection method for a novel
DDoS attack against SDN controllers by vast new low-traffic flows,”
in Proceedings of IEEE International Conference on Communications,
Kuala Lumpur, Malaysia, 2016, pp. 1-6.
[38] L. Richardson and S. Ruby, RESTful Web Services. Sebastopol, CA,
USA: O'Reilly Media, 2008.
[39] OpenDaylight, A Linux Foundation Collaborative Project [Online].
Available: [Link]
[40] OpenvSwitch [Online]. Available: [Link]
[41] K. Kannan and S. Banerjee, “Compact TCAM: Flow entry compaction in
TCAM for power aware SDN,” Distributed Computing and Networking,
vol. 7730, pp. 439-444, 2013.
[42] J. Huang, G. Chang, C. Wang, and C. Lin, “Heterogeneous flow
table distribution in software-defined networks,” IEEE Transactions on
Emerging Topics Computing, vol. 4, no. 2, pp. 252-261, 2015.
[43] K. Giotis, C. Argyropoulos, G. Androulidakis, D. Kalogeras, and
V. Maglaris, "Combining OpenFlow and sFlow for an effective and
scalable anomaly detection and mitigation mechanism on SDN environ-
ments," Computer Networks, vol. 62, no. 5, pp. 122-136, 2014.
[44] Defense4All [Online]. Available: [Link]
[45] Hping [Online]. Available: [Link]

2169-3536 (c) 2016 IEEE. Translations and content mining are permitted for academic research only. Personal use is also permitted, but republication/redistribution requires IEEE permission. See
View publication stats [Link] for more information.

Common questions

Powered by AI

The testbed configuration, using OpenDaylight as the controller and OpenvSwitch as the SDN-enabled switches, provides a realistic environment for analyzing new-flow attacks. This setup lets SSM leverage OpenDaylight's centralized control features while using OpenvSwitch's flexibility in flow management, enabling real-time monitoring and dynamic access control strategies designed to manage and mitigate the impact of new-flow attacks efficiently.

Redirecting suspicious flows to a security middleware aids mitigation by offloading the primary controller's workload and letting the middleware apply specialized filtering and inspection rules. The middleware can examine flows in greater detail and distinguish malicious traffic from legitimate flows. As a result, the original victim switch can counter the attack without placing undue resource strain on the entire SDN infrastructure, which keeps network operations stable and reduces the false positives that dynamic network environments can produce.

The match efficiency of a switch is critical because it represents the average hit rate of flow entries over time. In a new-flow attack, the injected packets are crafted not to match existing entries, so each creates a new flow and match efficiency drops. In a normal flow burst, by contrast, most packets match pre-existing flow entries quickly, so match efficiency stays high. By monitoring match efficiency, SSM can tell legitimate bursts from actual attack attempts, the precise differentiation needed for effective mitigation.

SDN's limitations include its centralized control architecture, which creates dependencies on controller resources and can lead to bottlenecks under high traffic. New-flow attacks exploit this centralization to exhaust controller resources. SSM addresses these weaknesses with a layered architecture whose dynamic monitoring and mitigation capabilities relieve the controller. Through dynamic access control and attack-specific filtering at the data plane, SSM minimizes the impact of these attacks on critical network control functions.

Static access control proves ineffective against new-flow attacks because the injected packets can be disguised as many different normal flows and so bypass static rules. Static methods cannot adapt to rapidly changing attack patterns and therefore fail to prevent resource exhaustion. Dynamic methods, in contrast, adaptively filter and manage attack flows, providing a more responsive and efficient defense against the adaptable nature of new-flow attacks.

Establishing baselines for the monitoring features is essential because they provide the reference point against which deviations indicative of new-flow attacks are identified. Under normal conditions, baseline values of metrics such as request rate and match efficiency are measured for the standard operational state. By continuously comparing real-time values against these baselines, the detection module can identify anomalies that signal potential attacks, allowing timely intervention and response.

SSM implements dynamic access control by redirecting suspicious flows from the victim port to a security middleware, which filters out the attack flows. This differs from traditional static access control, which cannot effectively differentiate attack flows from normal flows. In dynamic access control, the behavior of the security middleware is analyzed through its directly connected switches, allowing access control rules tailored to the attack scenario to be formulated. These rules are then assigned to the victim switches, mitigating the new-flow attack.

SSM's implementation on a testbed consisting of an SDN controller and SDN-enabled switches successfully demonstrated its efficacy. The testbed used OpenDaylight as the controller and OpenvSwitch for the switches, under conditions that simulate an attack rate of 50 packets per second. During the test, SSM detected anomalies within specific time slots (5th to 7th) and began mitigating the attack by redirecting suspicious flows to the security middleware by the 8th time slot. The gradual decrease in redirected flows indicated effective control and successful attack mitigation.

The request rate of a switch is significant because it measures the volume of unmatched packets within a specific time frame. A high request rate may indicate a new-flow attack, in which injected packets fail to match existing flow entries and cause excessive requests for new flow installation. By observing the request rate, network administrators can distinguish normal traffic fluctuations from potential security threats and take proactive security measures.

Detection modules face several challenges when monitoring for new-flow attacks: the attacks are hard to detect, monitoring cost must be kept low, and the module must supply input to the mitigation process. Traditional monitoring features are ineffective against new-flow attacks because the attacks mimic normal flow bursts. SSM therefore uses the request rate of switches to gauge unmatched packets and the match efficiency of switches to separate attacks from normal bursts. Monitoring cost stays manageable because the features are collected from Asynchronous Messages on the control link, which lets the detection module inform the mitigation module quickly enough to respond before the system is compromised.
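The two monitoring features described above (request rate and match efficiency), their baselines, and the burst-versus-attack decision, as an added Python example that is not the paper's SSM code; the per-slot counters, the k-sigma thresholds and all sample numbers are constructed assumptions.

```python
from dataclasses import dataclass
from statistics import mean, pstdev

@dataclass(frozen=True)
class SlotStats:
    """Per-time-slot counters from one switch (constructed, not OpenFlow fields)."""
    slot: int
    matched: int    # packets that hit an existing flow entry
    unmatched: int  # packets sent to the controller as new-flow requests

def request_rate(s: SlotStats) -> int:
    """Request rate: unmatched packets observed in the slot."""
    return s.unmatched

def match_efficiency(s: SlotStats) -> float:
    """Match efficiency: share of the slot's packets that hit an existing entry."""
    total = s.matched + s.unmatched
    return s.matched / total if total else 1.0

def baseline(normal: list[SlotStats], k: float = 3.0) -> tuple[float, float]:
    """Thresholds from attack-free slots; the k-sigma rule is an assumption."""
    rates = [request_rate(s) for s in normal]
    effs = [match_efficiency(s) for s in normal]
    # upper bound on request rate, lower bound on match efficiency
    return mean(rates) + k * pstdev(rates), mean(effs) - k * pstdev(effs)

def classify(s: SlotStats, rate_max: float, eff_min: float) -> str:
    """High request rate alone is a burst; with low match efficiency it is an attack."""
    high_rate = request_rate(s) > rate_max
    low_eff = match_efficiency(s) < eff_min
    if high_rate and low_eff:
        return "attack"  # hand the victim port to mitigation (redirect to middleware)
    return "burst" if high_rate else "normal"

# Constructed sample: five quiet slots, then a legitimate burst, then an attack.
NORMAL = [SlotStats(i, m, u) for i, (m, u) in
          enumerate([(960, 40), (950, 50), (940, 60), (950, 50), (950, 50)])]
STREAM = [SlotStats(5, 950, 55), SlotStats(6, 3000, 150), SlotStats(7, 950, 2500)]

def detect(normal: list[SlotStats], stream: list[SlotStats]) -> dict[int, str]:
    """Compare each incoming slot against the baselines and return its verdict."""
    rate_max, eff_min = baseline(normal)
    return {s.slot: classify(s, rate_max, eff_min) for s in stream}

if __name__ == "__main__":
    print(detect(NORMAL, STREAM))  # {5: 'normal', 6: 'burst', 7: 'attack'}
```

Slot 6 exceeds the request-rate baseline but keeps match efficiency near 0.95, so it is reported as a burst; slot 7 combines a high request rate with match efficiency below 0.3 and is the only slot flagged as an attack.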