Mohamed Aslan

2 Papers

NI Jul 18, 2017
Could Network View Inconsistency Affect Virtualized Network Security Functions?

Mohamed Aslan, Ashraf Matrawy

With SDN increasingly becoming an enabling technology for NFV in the cloud, many virtualized network functions need to monitor the network state in order to function properly. An outdated network view at the controllers can impact the performance of those virtualized network functions. In earlier work, we identified two main factors contributing to an outdated network view in the case of a load-balancer: network state collection and controllers' state distribution. In this paper, we anticipate that the impact might be different in the case of security functions. Therefore, we study the impact of an outdated network view on an anomaly-based IDS application. In particular, we investigate: (1) the impact of controllers' state distribution on the performance of a distributed IDS in the case of a DDoS attack; and (2) the impact of network state collection on the performance of an IDS in the case of a TCP SYN flood attack. Our results showed that the outdated network view had a negative impact on the IDS anomaly-detection performance in the experiments that we conducted.

NI May 25, 2017
A Clustering-based Consistency Adaptation Strategy for Distributed SDN Controllers

Mohamed Aslan, Ashraf Matrawy

Distributed controllers are oftentimes used in large-scale SDN deployments where they run a myriad of network applications simultaneously. Such applications could have different consistency and availability preferences. These controllers need to communicate via east/west interfaces in order to synchronize their state information. The consistency and the availability of the distributed state information are governed by an underlying consistency model. Earlier, we suggested the use of adaptively-consistent controllers that can autonomously tune their consistency parameters in order to meet the performance requirements of a certain application. In this paper, we examine the feasibility of employing adaptive controllers that are built on top of tunable consistency models similar to that of Apache Cassandra. We present an adaptation strategy that uses clustering techniques (sequential k-means and incremental k-means) in order to map a given application performance indicator into a feasible consistency level that can be used with the underlying tunable consistency model. In the cases that we modeled and tested, our results show that in the case of sequential k-means, with a reasonable number of clusters (>= 50), a plausible mapping (low RMSE) could be estimated between the application performance indicators and the consistency level indicator. In the case of incremental k-means, the results also showed that a plausible mapping (low RMSE) could be estimated using a similar number of clusters (>= 50) by using a small threshold (~0.01).