SDN-Based Intrusion Prevention System for Science DMZ
Jo, Jinyong; Jang, Heejin; Lee, Kyungmin; Kong, JongUk
In this paper, we introduce an SDN-based intrusion prevention system for a more secure Science DMZ that imposes no performance limits. The proposed system is structured as intrusion-prevention, intrusion-detection, and prevention-decision subsystems, which are physically distributed but connected by an SDN interface over which they exchange information. This functional distribution and the application of SDN technology increase the flexibility and extensibility of the proposed system and prevent the performance degradation that network security equipment can otherwise cause on a Science DMZ. We verified the feasibility and performance of the proposed system on a testbed set up at KREONET.
Software defined networking; science DMZ; intrusion detection and prevention
 Cited by
Design and Implementation of a User-Centric Virtual Private Network System Based on SD-WAN, Kim, Yonghwan; Kim, Donggyun; 한국통신학회논문지, vol. 41, no. 9, pp. 1081-1094, 2016.