DocumentCode
2161908
Title
Providing elasticity to intrusion detection systems in virtualized Software Defined Networks
Author
Lopez, Martin Andreoni ; Duarte, Otto Carlos M.B.
Author_Institution
Universidade Federal do Rio de Janeiro - UFRJ, GTA/COPPE, Brazil
fYear
2015
fDate
8-12 June 2015
Firstpage
7120
Lastpage
7125
Abstract
This paper presents BroFlow, an Intrusion Detection and Prevention System based on the Bro traffic analyzer and on the global network-view feature of the OpenFlow Application Programming Interface. BroFlow's main contributions are: i) dynamic and elastic resource provisioning of machines on demand; ii) real-time detection of DoS attacks through simple algorithms implemented in a policy language for network events; iii) immediate reaction to DoS attacks and malicious packets, dropping flows close to their source; iv) strategic sensor positioning for attack detection in the network infrastructure shared by multiple tenants. A system prototype was developed and evaluated in the virtual environment Future Testbed Internet with Security (FITS). An evaluation of the system under attack shows that BroFlow guarantees the forwarding of legitimate packets at the maximal link rate, up to 90% reduction of the maximal network delay caused by the attack, and a 50% bandwidth gain compared with conventional firewall approaches, even when the attackers are legitimate tenants acting in collusion.
Keywords
Computer crime; Delays; Proposals; Switches; Virtual machining;
fLanguage
English
Publisher
IEEE
Conference_Titel
Communications (ICC), 2015 IEEE International Conference on
Conference_Location
London, United Kingdom
Type
conf
DOI
10.1109/ICC.2015.7249462
Filename
7249462