NI · CR · Jul 18, 2017

Could Network View Inconsistency Affect Virtualized Network Security Functions?

arXiv:1707.05546v1, 2 citations
Originality: Synthesis-oriented
AI Analysis

This paper addresses a specific problem for network security in SDN/NFV environments, but it is incremental: it extends prior work on load-balancers to security functions.

The paper studied how outdated network views affect anomaly-based intrusion detection systems (IDS) in virtualized networks, finding that they negatively impact IDS performance during DDoS and TCP SYN flood attacks.

With SDN increasingly becoming an enabling technology for NFV in the cloud, many virtualized network functions need to monitor the network state in order to function properly. An outdated network view at the controllers can impact the performance of those virtualized network functions. In earlier work, we identified two main factors contributing to an outdated network view in the case of a load-balancer: network state collection and controllers' state distribution. In this paper, we anticipate that the impact might be different in the case of security functions. Therefore, we study the impact of an outdated network view on an anomaly-based IDS application. In particular, we investigate: (1) the impact of controllers' state distribution on the performance of a distributed IDS in the case of a DDoS attack; and (2) the impact of network state collection on the performance of an IDS in the case of a TCP SYN flood attack. Our results showed that the outdated network view had a negative impact on the IDS anomaly-detection performance in the experiments that we conducted.
