  1. Improving Internet of Things Security with Software Defined Networking. Master Degree in Applied Telecommunication Engineering and Management, Specialization: Telecommunication Policies and Business Management. Date: 4th of March 2016. Student: Raluca Ciungu. Tutors: Ricard Vilalta (CTTC), David Pubill (CTTC), David Ricon (UPC)
  2. Motivation: Why this Project? Really???
  3. Outline
     - Introduction
     - 1. State of the art: Internet of Things; Software Defined Networking; Security applied in Internet of Things
     - 2. IoT Security with SDN
     - 3. Experimental results
     - 4. Conclusions and future lines
  4. Planning of the Master Thesis (timeline figure). Begin: July 2015. End: February 2016. Milestones shown: October 2015 (security algorithm), November 2015, January 2016. Work items: SDN, IoT, algorithms, methods; Python, Mininet, OpenDaylight. Methodology: Agile.
  5. IoT is here now, and growing!
     - Cisco: "50 billion smart devices by 2020"
     - HP: "A couple of security concerns on a single device such as a mobile phone can quickly turn to 50 or 60 concerns when considering multiple IoT devices in an interconnected home or business."
     - Mario Campolargo, DG Connect, European Commission: "IoT will boost the economy while improving our citizens' lives. In order to enable a fast uptake of the IoT, key issues like identification, privacy and security and semantic interoperability have to be tackled."
  6. Section 1. State of the Art
  7. Internet of Things (IoT)
     - ITU definition of IoT: "global infrastructure for the information society, enabling advanced services by interconnecting (physical and virtual) things based on existing and evolving interoperable information and communication technologies"
     - Building blocks: sensors, gateways, actuators, WSN (wireless sensor networks)
     - IoT applications: smart cities, smart lighting, air pollution, smart roads, river floods, ...
  8. Software Defined Networking
     - SDN: a viable alternative network architecture that splits the network control and forwarding functions, enabling the network control to become directly programmable and the underlying infrastructure to be abstracted for applications and network services.
     - SDN architecture properties: directly programmable; agile; centrally managed; programmatically configured; open-standards based and vendor neutral.
  9. (Figure) A single SDN controller, operated by the admin, programs switches from different vendors: SW1 (Cisco), SW2 (Alcatel), SW3 (Juniper).
  10. OpenFlow
     - OpenFlow provides an open protocol to program the flow table in different switches and routers and establish a shared management of the traffic flow. For example, a network administrator can partition traffic into production and research flows.
     - Communication of an OpenFlow switch with a controller:
       - Flow table, with an action associated to each flow entry that tells the switch how to process the flow
       - Secure channel, which connects the switch to a remote control process (the controller)
       - The OpenFlow protocol, which provides an open and standard way for a controller to communicate with a switch
  11. IoT Security Architecture (figure: Malware Monitor). Generic architecture of a Network Intrusion Detection System (ANIDS):
     - Anomaly detection engine: detects any occurrence of intrusion, either online or offline
     - Pre-processing: misuse detection approach
     - Matching mechanism: attacks can be detected using an anomaly-based approach
     - Elastic load balancer: network traffic slicing by the SDN controller
     - Detectors: OpenFlow switches inspect each packet received and maintain flow statistics
     - Decision module: performs correlation between flows to detect attacks
  12. IoT Security Architecture. Simplified model of the architecture of an Intrusion Detection System:
     - Collector module: collects flow information and periodically exports it to the Anomaly Detection module
     - Anomaly Detection module: for every time window, inspects the flows received from the Collector module
     - Anomaly Mitigation module: neutralizes identified attacks by inserting flow entries in the flow table of the OpenFlow switch in order to block the undesired traffic
  13. Anomaly detection and mitigation
     - Anomaly detection methods: statistical methods and systems; classification-based methods and systems; clustering and outlier-based methods and systems; soft computing methods and systems; knowledge-based methods and systems
     - Anomaly mitigation methods:
       - Rate limiting: regulation of the rate at which flows are allowed to inject packets into the network
       - Flow interruption: the flow rule is removed directly by the SDN controller
  14. Section 2. IoT Security with SDN
  15. (Figure) IoT security architecture: temperature and air-pollution sensors connect through gateways to the SDN/NFV edge node; the detection condition is based on the standard deviation of the flow statistics.
  16. E2E security App
     - Collector module: collects flow information and periodically exports it to the Anomaly Detection module. From the SDN controller flow information the following data can be estimated per flow: packets per second; bytes per second.
     - Anomaly Detection module: for every time window, inspects all flow entries, exposing any flow-related network anomaly and identifying a potential attacker or the victim of the attack.
     - Anomaly Mitigation module: neutralizes identified attacks. Inserts flow meters in the flow table of the OpenFlow switch (or removes existing flows) in order to block or mitigate the identified malicious traffic.
  17. Algorithm evaluation
     - Objective 1: evaluate the performance of the algorithm. Is it capable of detecting attacks?
     - Objective 2: find the window length and number of standard deviations for which the error in detecting the malicious traffic is smallest.
     - Methodology:
       - Modeling of dangerous flows: a bad flow is created with a probability of 10%. A bad flow has different properties: the number of packets per second is doubled (in comparison with a conformant flow), and the packet size is increased by 50%.
       - Comparison of the obtained result with the generated ground truth: false positives, false negatives.
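The detection and mitigation loop of the E2E security app (slide 16), the two mitigation methods of slide 13 and the evaluation methodology of slide 17, as one added Python example. This is not the thesis code and not OpenDaylight or Mininet code: the traffic model (a Gaussian approximation of Poisson counting noise on the flow counters), the per-flow baseline learnt from benign windows, the in-memory flow table and every name in the block are assumptions made for the example.

```python
"""Added example (not the thesis code): per-flow packets/s and bytes/s are
derived from flow-counter deltas over a time window (Collector); a flow is
flagged when its rate deviates from that flow's learnt baseline by more than
N_SIGMA standard deviations (Anomaly Detection); each hit is mapped to a
flow-table action (Anomaly Mitigation).  Traffic model, baseline learning,
flow table and names are assumptions."""
import random
import statistics


def simulate_counters(rate_pps, pkt_size, window, rng):
    """Constructed flow counters for one window: the packet count is drawn
    with a Gaussian approximation of Poisson counting noise (assumed model),
    so the rate estimate gets more precise as the window grows."""
    mean = rate_pps * window
    packets = max(1, int(round(rng.gauss(mean, mean ** 0.5))))
    return packets, packets * pkt_size


def rate_from_counters(packets, bytes_, window, metric):
    """Collector: counter delta / window length -> packets/s or bytes/s."""
    return (packets if metric == "pps" else bytes_) / window


class AnomalyDetector:
    """Anomaly Detection module: per-flow mean/stddev baseline, N_SIGMA test."""

    def __init__(self, n_sigma):
        self.n_sigma = n_sigma
        self.baseline = {}          # flow_id -> (mean, stddev)

    def train(self, flow_id, rates):
        self.baseline[flow_id] = (statistics.mean(rates),
                                  max(statistics.pstdev(rates), 1e-9))

    def is_anomalous(self, flow_id, rate):
        mean, sd = self.baseline[flow_id]
        return abs(rate - mean) > self.n_sigma * sd


class FlowTable:
    """Stand-in for the OpenFlow switch flow table (assumed; a real app would
    push a FlowMod or a meter through the controller's API)."""

    def __init__(self):
        self.entries = {}           # flow_id -> action string

    def install(self, flow_id):
        self.entries[flow_id] = "output:normal"

    def mitigate(self, flow_id, mode):
        if mode == "interrupt":     # flow interruption: remove the rule
            self.entries.pop(flow_id, None)
        elif mode == "rate_limit":  # rate limiting: attach a meter
            self.entries[flow_id] = "meter:1,output:normal"
        else:
            raise ValueError(mode)


def evaluate(n_sigma, window, metric="pps", mode="interrupt",
             n_flows=200, n_train=20, bad_prob=0.10, seed=1):
    """Slide 17 methodology: learn baselines on benign windows, then inject one
    window where each flow is malicious with probability bad_prob (packets/s
    doubled, packet size +50%) and report the detection error rate (%)."""
    rng = random.Random(seed)
    det, table, flows = AnomalyDetector(n_sigma), FlowTable(), []
    for i in range(n_flows):
        fid, base_pps = f"flow-{i}", rng.uniform(50, 150)
        size = rng.choice([64, 128, 500, 1400])
        rates = []
        for _ in range(n_train):
            p, b = simulate_counters(base_pps, size, window, rng)
            rates.append(rate_from_counters(p, b, window, metric))
        det.train(fid, rates)
        table.install(fid)
        flows.append((fid, base_pps, size))
    fp = fn = 0
    for fid, base_pps, size in flows:
        bad = rng.random() < bad_prob
        p, b = simulate_counters(base_pps * (2.0 if bad else 1.0),
                                 size * (1.5 if bad else 1.0), window, rng)
        flagged = det.is_anomalous(fid, rate_from_counters(p, b, window, metric))
        if flagged:
            table.mitigate(fid, mode)
        fp += int(flagged and not bad)
        fn += int(bad and not flagged)
    return {"error_pct": 100.0 * (fp + fn) / n_flows,
            "false_positives": fp, "false_negatives": fn,
            "rules_left": len(table.entries)}


if __name__ == "__main__":
    # Sweep the same parameter grid as the evaluation slides.
    for w in (5, 10, 20):
        for ns in (2, 4, 8, 10, 12):
            r = evaluate(ns, w)
            print(f"window={w:2d}s N_SIGMA={ns:2d} error={r['error_pct']:.1f}%")
```

The sweep reproduces the qualitative behaviour reported on the next slides rather than their numbers: a low N_SIGMA flags benign flows whose counters merely fluctuated (false positives), and a longer window shrinks the counting noise on the rate estimate, so the same N_SIGMA separates the doubled flows more cleanly. Under the "interrupt" mode every flagged flow disappears from the table; under "rate_limit" the rule stays but carries a meter.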
  18. Evaluation results (plots: a) error (%) vs N_SIGMA, pkts/s; b) error (%) vs window, N_SIGMA=10, pkts/s)
     - Best result for N_SIGMA: N_SIGMA=10, detected malware error = 13.8%. Observation: an N_SIGMA that is too low produces false positives.
     - Best result for window: window size = 10 s, detected malware error = 3.9%. Observation: a small window size doesn't leave time to measure the flow.
  19. Evaluation results (plots: c) error (%) vs N_SIGMA, bytes/s; d) error (%) vs window, N_SIGMA=10, bytes/s)
     - Best result for N_SIGMA: N_SIGMA=10, detected malware error = 6.5%. Observation: an N_SIGMA that is too low produces false positives.
     - Best result for window: window size = 10 s, detected malware error = 0.03%. Observation: a small window size doesn't leave time to measure the flow.
  20. Section 3. Experimental results
  21. (Figure) CTTC ADRENALINE testbed with IoT world. Core: WSON/SSON with GMPLS controllers, Active Stateful PCE and TED, Core DC and Core Cloud controller. Aggregation: Metro DC, Metro SDN controller, Metro Cloud controller. IoT world: SDN/NFV edge node, Edge SDN controller, Edge Cloud controller, IoT GW 1 and IoT GW 2 serving an IoT CO2 WSN and an IoT Heat WSN. Orchestration: Multi-domain SDN Orchestrator, Cloud Orchestrator and an Integrated Cloud and Network Orchestrator.
  22. 5G Cloud/Fog and SDN/NFV orchestrator
     - Provides E2E connections, interacting with several controllers.
     - The security app is local to the edge SDN controller only.
  23. Experimental results (figure): testbed description and flow description, with Gateway 1 and Gateway 2 attached to the SDN/NFV edge node.
  24. Experimental results (figure): IoT SQL database.
  25. Experimental results (Wireshark capture): anomaly mitigation, the flow is eliminated from SW1.
  26. Conclusions
     - Finding the ideal parameters, window length and number of standard deviations, is of paramount importance in detecting the outliers.
     - A standard deviation threshold that is too small lowers the algorithm's efficiency.
     - A window size that is too small doesn't leave time to properly measure the standard deviation.
  27. Future lines
     - Apply the algorithm to a higher number of sensors.
     - Apply and analyse a different type of security architecture, for example the generic architecture of a Network Intrusion Detection System (ANIDS).
     - Apply a different anomaly detection method, for example K-means.
  28. Thank you for your attention! Q&A