Design of software-defined network experimental teaching scheme based on virtualised Environment

We design two innovative experimental projects in the synthesis phase: SDN-based network load balancing and SDN-based malicious attack detection. These projects mainly include grasping the mechanism of SDN load balancing and the malicious attack detection, the installation and commonly used commands of Mininet, the use of Mininet to create a custom network topology, the installation and use of Floodlight, the use of Wireshark, the coding of Java programs to deliver OpenFlow flow tables etc.

Load balancing refers to processing the load received from the outside and distributing it to multiple servers to maximise the use of servers, improve data transmission efficiency and enhance network stability [16]. Malicious attack detection is an important part of network supervision. The basic idea is to use mathematical metrics to describe the network traffic pattern. If there is a deviation from the normal pattern far or close to the abnormal pattern, the network is considered to be under malicious attack [17]. The difference between SDN and traditional networks is that SDN separates the data plane from the control plane of the network, thereby achieving flexible and effective control of network traffic. The typical functions in the SDN architecture are load balancing and malicious attack detection, which are closely related to the stability of the entire network. Therefore, this scheme designs an SDN load balancing experiment based on dynamic forwarding rules and an SDN malicious attack detection based on the confidence-based filtering (CBF) method. The network topology of this experiment is shown in Figure 3; the two hosts – H1, H2 – and the five switches – S1, S2, S3, S4, S5 – constitute the network topology. H1 and H2 can communicate through three different paths: S1-S2-S5, S1-S3-S5, S1-S4-S5. The experiment develops a lightweight routing control application based on the northbound API to achieve SDN load balancing efficiently, based on dynamic forwarding path rules. Further, the experiment can accurately implement the malicious attack detection and defence base through the CBF method. These projects demonstrate the complete process of the SDN experimental teaching scheme.

Fig. 3

In the experiment, Mininet is used to simulate the hosts and OpenFlow switches and to create the experiment network topology. The memory of Mininet is 1GB. Floodlight is used as a remote controller to communicate with the switches. Floodlight1.2 and Mininet2.3.0 are both mature and stable versions, which have abundant functions. They are deployed on an Ubuntu 16.04 version host with 8G memory. The specific environment is shown in Table 4.

The flow table is an abstraction of the data forwarding function of the network device, and integrates the configuration information of each plane in the network. Therefore, rich data forwarding rules can be used. OpenFlow flow table delivery is divided into active delivery and passive delivery. Passive delivery means that when the switch receives a message that does not match the flow table record, it will forward the message to the controller, and the controller will make the decision. Active delivery means that the controller actively delivers the flow table information to the switches. There are four main methods of delivery: 1)

Use Floodlight visual interface to operate experiments through web pages.

This experiment uses the OpenFlow flow table module provided by Floodlight REST API to write a Java program to actively deliver the flow table and dynamically change the forwarding rules by sending a custom flow table to the switches S1 and S5. The experimental process is shown in Figure 4. In the first T seconds, we set the flow table matching domain ipv4_src = 10.0.0.1, ipv4_dst = 10.0.0.2, inport = 1, flow table survival time hard_timeout = T, action set out put = 2 and deliver it to S1. Further, we set the flow table matching domain ipv4_src = 10.0.0.2, ipv4_dst = 10.0.0.1, inport = 1, flow table survival time hard_timeout = T, action set out put = 2 and deliver it to S5. When H1 pings H2, the data packet from H1 to S1 will match the actively delivered flow table and forward the data packet from S1 to S2. Since there is no corresponding flow table on S2 and S5, the Floodlight controller will deliver the passive flow table to make the data packet pass and finally make the data packet reach H2. Similarly, the corresponding flow table is also delivered in the second T seconds and the third T seconds to realise the different paths of data packets in different periods. The experiment distributes concentrated traffic to different switches to achieve SDN load balancing. The number of packets on each port in S1 is monitored by Wireshark to verify the experimental effect. The experimental results are shown in Figures 5 and 6. We use the command H1 ping H2 to simulate normal user access, and set T = 10 s. Figure 5 describes the number of packets in S1 without load balancing. We find that the system always selects the path S1-S2-S5 by default, because the packets always come out from port eth2 of S1. Further, Figure 6 indicates the number of packets in S1 with load balancing, based on dynamic forwarding rules. The packets come out from different ports every 10 s, which proves that the system is dynamically changing forwarding path rules to efficiently achieve load balancing.

Fig. 4

Fig. 5

Fig. 6

Dou et al. [18] proposed the CBF method based on packet filtering to detect malicious attack packets. The CBF method selects six attributes: Total Length, TTL, Protocol Type, Source IP Address in the IP header and Flag and Destination Port Number in the TCP header, which make up a total of 15 attribute pairs in 2 pairs. The higher frequency of the attribute pairs’ value indicates the corresponding high confidence level. Malicious attack packets are filtered by calculating the CBF score of the packet to determine the legitimacy of the packet.

Confidence values for single attributes are calculated as: (1) Conf(Bi=bi,j)=N(Bi=bi,j)Nn Conf({B_i} = {b_{i,j}}) = {{N({B_i} = {b_{i,j}})} \over {{N_n}}} where i = 1,2,3,...,n, j = 1,2,3,...,m_i.

Confidence values for attribute pairs are calculated as: (2) Conf(Bi1=bi1,j1,Bi2=bi2,j2)=N(Bi1=bi1,j1,Bi2=bi2,j2)Nn Conf({B_{{i_1}}} = {b_{{i_1},{j_1}}},{B_{{i_2}}} = {b_{{i_2},{j_2}}}) = {{N({B_{{i_1}}} = {b_{{i_1},{j_1}}},{B_{{i_2}}} = {b_{{i_2},{j_2}}})} \over {{N_n}}} where i₁ = 1,2,3,...,n,i₂ = 1,2,3,...,n, j₁ = 1,2,3,...,m₁, j₂ = 1,2,3,...,m₂.

In Eqs (1) and (2), n is the number of the attributes under consideration in the method, B_i is the i-th attribute in the packet, m_i is the number of values which attributes B_i can have, b_i,j is the j-th value of attribute B_i, N_n is the total number of packets in the packet flow in one time interval, N(B_i = b_i,j) is the number of packets whose attribute B_i has value b_i,j in this packet flow in one time interval, N(B_r = b_r,x,B_s = b_s,y) is the number of packets whose attribute B_r has value b_r,x and attribute B_s has value b_s,y in this packet flow in one time interval.

The CBF score is calculated as: (3) Score(p)=∑k=1dW(Bk1,Bk2)Conf(Bk1=p(k1),Bk2=p(k2))∑k=1dW(Bk1,Bk2) Score(p) = {{\sum\limits_{k = 1}^d W({B_{{k_1}}},{B_{{k_2}}})Conf({B_{{k_1}}} = p({k_1}),{B_{{k_2}}} = p({k_2}))} \over {\sum\limits_{k = 1}^d W({B_{{k_1}}},{B_{{k_2}}})}}

In formula 3, d is the total number of the attribute pairs, W (B_k1,B_k2) is the weight of the attribute pair (B_k1, B_k2), p(k₁) is the value of B_k1 in the data packet and Conf (B_k1 = p(k₁), B_k2 = p(k₂)) is the Conf of the attribute pair (A_k1 = p(k₁), A_k2 = p(k₂)).

In this experiment, H1 sends TCP data packets through the hping3 tool to H2, to simulate malicious attacks. The hping3 is a packet generation and analysis tool for the TCP/IP protocol, which can be used to simulate SYN flood attacks, ICMP flood attacks and UDP flood attacks etc. [19] The attack density refers to the number of attack packets sent per second. We design the low-rate malicious attack experiment by the density of 100 packets per second and high-rate malicious attack experiment by the density of 10⁶ packets per second. The specific function is realised by writing the Java program to monitoring network topology, link utilisation, traffic and other information in real time. In the experiment of low-rate malicious attacks, H1 sends a large number of attack packets to S1 from the 3rd second, as shown in Figure 7. At the 5th second, the traffic in port 1 exceeds the attack threshold. The system detects malicious attacks and enters the defence state, and the attack packets sent by H1 will be intercepted. In the experiment of high-rate malicious attacks, H1 also sends a large number of attack packets to S1 from the 3rd second, as shown in Figure 8. At the 14th second, the traffic in port 1 exceeds the attack threshold. The system detects malicious attacks accurately and enters the defence state, and the attack packets sent by H1 will be intercepted.

Fig. 7

Fig. 8