An Incremental Approach for Swift OpenFlow Anomaly Detection
Original version
Aryan R, Yazidi A, Engelstad P.E. An Incremental Approach for Swift OpenFlow Anomaly Detection. Conference on Local Computer Networks. 2018 https://dx.doi.org/10.1109/LCN.2018.8638226
Abstract
Software Defined Networking (SDN) is designed for dynamic policy updates, where frequent changes are pushed to the forwarding devices. Different offline approaches for detecting misconfiguration anomalies in SDN by taking a snapshot of the state of the network have been developed in the literature. However, the detection process is time-consuming and infeasible when the OpenFlow tables change frequently, as well as in large networks containing a large number of rules. This paper presents an incremental method for detecting potential anomalies in an online manner, i.e., after one or multiple simultaneous updates in the SDN policy. Whenever the OpenFlow tables are dynamically changed, a static approach that rechecks the whole policy is unnecessarily redundant, in the sense that most of the policy remains intact. Hence the need for an incremental verification method that reduces this overhead by checking only the subset of the policy that is affected by the update. Two different solutions are proposed based on whether the policy modifications take place in the ingress switches or in the middle switches. We provide some comprehensive experiments to demonstrate the detection performance for the case of single or multiple simultaneous changes in forwarding devices. The experimental results show that the incremental method is drastically faster than the static parallel approach, by a factor of up to about 450 times in some cases.