Software Defined Networking (SDN), a new network architecture, allows for centralized network management by separating the control plane from the forwarding plane. Because forwarding and control is separated, distributed denial of service (DDoS) assaults provide a greater threat to SDN networks. To address the problem, this paper uses a joint high-precision attack detection combining self-attentive mechanism and support vector machine: a trigger mechanism deployed at both control and data layers is proposed to trigger the initial detection of DDoS attacks; the data in the network under attack is screened in detail using a combination of self-attentive mechanism and support vector machine; the control plane is proposed to initiate attack defense using the OpenFlow protocol features to issue flow tables for accurate classification results. The experimental results show that the trigger mechanism can react to the attack in time with less than 20% load, and the accurate detection mechanism is better than the existing inspection and testing methods, with a precision rate of 98.95% and a false alarm rate of only 1.04%. At the same time, the defense strategy can achieve timely recovery of network characteristics.

With the development of network technology, next-generation networks must satisfy many new requirements for network functions and performance. The processing of overlong packet fields is one of the requirements and is also the basis for ID-based routing and content lookup, and packet field addition/deletion mechanisms. The current SDN switches do not provide good support for the processing of overlong fields. In this paper, we propose a series of optimization mechanisms for protocol-oblivious instructions, in which we address the problem of insufficient support for overlong data in existing SDN switches by extending the bit width of instructions and accelerating them using SIMD instruction sets. We also provide an intermediate representation of the protocol-oblivious instruction set to improve the efficiency of storing and reading instruction blocks, and further reduce the execution time of instruction blocks by preprocessing them. The experiments show that our approach improves the performance of overlong data processing by 56%. For instructions involving packet field addition and deletion, the improvement in performance reaches 455%. In normal forwarding scenarios, our solution reduces the packet forwarding latency by around 30%.

Industrial networks need to provide reliable communication services, usually in a redundant transmission (RT) manner. In the past few years, several device-redundancy-based, layer 2 solutions have been proposed. However, with the evolution of industrial networks to the Industrial Internet, these methods can no longer work properly in the non-redundancy, layer 3 environments. In this paper, an SDN-based reliable communication framework is proposed for the Industrial Internet. It can provide reliable communication guarantees for mission-critical applications while servicing non-critical applications in a best-effort transmission manner. Specifically, it first implements an RT-based reliable communication method using the Industrial Internet's link-redundancy feature. Next, it presents a redundant synchronization mechanism to prevent end systems from receiving duplicate data. Finally, to maximize the number of critical flows in it (an NP-hard problem), two ILP-based routing & scheduling algorithms are also put forward. These two algorithms are optimal (Scheduling with Unconstrained Routing, SUR) and suboptimal (Scheduling with Minimum length Routing, SMR). Numerous simulations are conducted to evaluate its effectiveness. The results show that it can provide reliable, duplicate-free services to end systems. Its reliable communication method performs better than the conventional best-effort transmission method in terms of packet delivery success ratio in layer 3 networks. In addition, its scheduling algorithm, SMR, performs well on the experimental topologies (with average quality of 93% when compared to SUR), and the time overhead is acceptable.

This paper proposes a Software-Defined Network (SDN)-based Moving Target Defense (MTD) to protect the network from potential scans in a compromised network. As a unique feature, contrary to traditional MTDs, the proposed MTD can work alongside other tools and countermeasures already deployed in the network (e.g., Intrusion Protection and Detection Systems) without affecting its behavior. Through extensive evaluation, we showed the effectiveness of the proposed mechanism compared to existing solutions in preventing scans of different rates without affecting the network and controller performance.

Software-defined networking (SDN) decouples the control and forwarding of network devices, providing benefits such as simplified control. However, due to cost constraints and other factors, SDN is difficult to fully deploy. It has been proposed that SDN devices can be incrementally deployed in a traditional IP network, i.e., hybrid SDN, to provide partial SDN benefits. Studies have shown that better traffic engineering performance can be achieved by modifying the coverage and placement of SDN devices in hybrid SDN, because they can influence the behavior of legacy switches through certain strategies. However, it is difficult to develop and execute a traffic engineering strategy in hybrid SDN. This article proposes a routing algorithm to achieve approximate load balancing, which minimizes the maximum link utilization by using the optimal solution of linear programming and merging the minimum split traffic flows. A multipath forwarding mechanism under the same problem is designed to optimize transmission time. Experiments show that our algorithm has certain advantages in link utilization and transmission time compared to traditional distributed routing algorithms like OSPF and some hybrid SDN routing mechanisms. Furthermore, our algorithm can approximate the control effect of full SDN when the deployment rate of SDN devices is 40%.

Real-time and scalable multicast services are of paramount importance to Industrial Internet of Things (IIoT) applications. To realize these services, the multicast algorithm should, on the one hand, ensure the maximum delay of a multicast session not exceeding its upper delay bound. On the other hand, the algorithm should minimize session costs. As an emerging networking paradigm, Software-defined Networking (SDN) can provide a global view of the network to multicast algorithms, thereby bringing new opportunities for realizing the desired multicast services in IIoT environments. Unfortunately, existing SDN-based multicast (SDM) algorithms cannot meet the real-time and scalable requirements simultaneously. Therefore, in this paper, we focus on SDM algorithm design for IIoT environments. To be specific, the paper first converts the multicast tree construction problem for SDM in IIoT environments into a delay-bounded least-cost shared tree problem and proves that it is an NP-complete problem. Then, the paper puts forward a shared tree (ST) algorithm called SDM4IIoT to compute suboptimal solutions to the problem. The algorithm consists of five steps: 1) construct a delay-optimal shared tree; 2) divide the tree into a set of subpaths and a subtree; 3) optimize the cost of each subpath by relaxing the delay constraint; 4) optimize the subtree cost in the same manner; 5) recombine them into a shared tree. Simulation results show that the algorithm can provide real-time support that other ST algorithms cannot. In addition, it can achieve good scalability. Its cost is only 20.56% higher than the cost-optimal ST algorithm. Furthermore, its computation time is also acceptable. The algorithm can help to realize real-time and scalable multicast services for IIoT applications.

OpenFlow is a widely adopted implementation of the Software-Defined Networking (SDN) architecture. Since conventional network monitoring systems are unable to cope with OpenFlow networks, researchers have developed various monitoring systems tailored for OpenFlow networks. However, these existing systems either rely on a specific controller framework or an API, both of which are not part of the OpenFlow specification, and thus limit their applicability. This article proposes a transparent and low-overhead monitoring system for OpenFlow networks, referred to as Opimon. Opimon monitors the network topology, switch statistics, and flow tables in an OpenFlow network and visualizes the result through a web interface in real-time. Opimon monitors a network by interposing a proxy between the controller and switches and intercepting every OpenFlow message exchanged. This design allows Opimon to be compatible with any OpenFlow switch or controller. We tested the functionalities of Opimon on a virtual network built using Mininet and a large-scale international OpenFlow testbed (PRAGMA-ENT). Furthermore, we measured the performance overhead incurred by Opimon and demonstrated that the overhead in terms of latency and throughput was less than 3% and 5%, respectively.

Through the concept of network slicing, a single physical network infrastructure can be split into multiple logically-independent Network Slices (NS), each of which is customized for the needs of its respective individual user or industrial vertical. In the beyond 5G (B5G) system, this customization can be done for many targeted services, including, but not limited to, 5G use cases and beyond 5G. The network slices should be optimized and customized to stitch a suitable environment for targeted industrial services and verticals. This paper proposes a novel Quality of Service (QoS) framework that optimizes and customizes the network slices to ensure the service level agreement (SLA) in terms of end-to-end reliability, delay, and bandwidth communication. The proposed framework makes use of network softwarization technologies, including software-defined networking (SDN) and network function virtualization (NFV), to preserve the SLA and ensure elasticity in managing the NS. This paper also mathematically models the end-to-end network by considering three parts: radio access network (RAN), transport network (TN), and core network (CN). The network is modeled in an abstract manner based on these three parts. Finally, we develop a prototype system to implement these algorithms using the open network operating system (ONOS) as a SDN controller. Simulations are conducted using the Mininet simulator. The results show that our QoS framework and the proposed resource allocation algorithms can effectively schedule network resources for various NS types and provide reliable E2E QoS services to end-users.

In this paper, a novel method of resource abstraction and an abstracted-resource model for dynamic resource control in optical access networks are proposed. Based on this proposal, an implementation assuming application to 5G mobile fronthaul and backhaul is presented. Finally, an evaluation of the processing time for resource allocation using this method is performed using a software prototype of the control function. From the results of the evaluation, it is confirmed that the proposed method offers better characteristics than former approaches, and is suitable for dynamic resource control in 5G applications.

HTTP Distributed Denial of Service (DDoS) flooding attack aims to deplete the connection resources of a targeted web server by transmitting a massive amount of HTTP request packets using botnets. This type of attack seriously deteriorates the service quality of the web server by tying up its connection resources and uselessly holds up lots of network resources like link capacity and switching capability. This paper proposes a defense method for mitigating HTTP DDoS flooding attack based on software-defined networking (SDN). It is demonstrated in this paper that the proposed method can effectively defend the web server and preserve network resources against HTTP DDoS flooding attacks.

The Software-defined network (SDN) uses a centralized SDN controller to store flow entries in the flow table of each SDN switch; the entries in the switch control packet flows. When a multicast service is provided in an SDN, the SDN controller stores a multicast entry dedicated for a multicast group in each SDN switch. Due to the limited capacity of each flow table, the number of flow entries required to set up a multicast tree must be suppressed. A conventional multicast routing scheme suppresses the number of multicast entries in one multicast tree by replacing some of them with unicast entries. However, since the conventional scheme individually determines a multicast tree for each request, unicast entries dedicated to the same receiver are distributed to various SDN switches if there are multiple multicast service requests. Therefore, further reduction in the number of flow entries is still possible. In this paper, we propose a multicast routing model for multiple multicast requests that minimizes the number of flow entries. This model determines multiple multicast trees simultaneously so that a unicast entry dedicated to the same receiver and stored in the same SDN switch is shared by multicast trees. We formulate the proposed model as an integer linear programming (ILP) problem. In addition, we develop a heuristic algorithm which can be used when the ILP problem cannot be solved in practical time. Numerical results show that the proposed model reduces the required number of flow entries compared to two benchmark models; the maximum reduction ratio is 49.3% when the number of multicast requests is 40.

In this paper, a Proof-of-Concept (PoC) architecture is constructed, and the effectiveness of mmWave overlay heterogeneous network (HetNet) with mesh backhaul utilizing route-multiplexing and Multi-access Edge Computing (MEC) utilizing prefetching algorithm is verified by measuring the throughput and the download time of real contents. The architecture can cope with the intensive mobile data traffic since data delivery utilizes multiple backhaul routes based on the mesh topology, i.e. route-multiplexing mechanism. On the other hand, MEC deploys the network edge contents requested in advance by nearby User Equipment (UE) based on pre-registered context information such as location, destination, demand application, etc. to the network edge, which is called prefetching algorithm. Therefore, mmWave access can be fully exploited even with capacity-limited backhaul networks by introducing the proposed algorithm. These technologies solve the problems in conventional mmWave HetNet to reduce mobile data traffic on backhaul networks to cloud networks. In addition, the proposed architecture is realized by introducing wireless Software Defined Network (SDN) and Network Function Virtualization (NFV). In our architecture, the network is dynamically controlled via wide-coverage microwave band links by which UE's context information is collected for optimizing the network resources and controlling network infrastructures to establish backhaul routes and MEC servers. In this paper, we develop the hardware equipment and middleware systems, and introduce these algorithms which are used as a driver of IEEE802.11ad and open source software. For 5G and beyond, the architecture integrated in mmWave backhaul, MEC and SDN/NFV will support some scenarios and use cases.

The need of telecommunications operators to reduce Capital and Operational Expenditures in networks which traffic is continuously growing has made them search for new alternatives to simplify and automate their procedures. Because of the different transport network segments and multiple layers, the deployment of end-to-end services is a complex task. Also, because of the multiple vendor existence, the control plane has not been fully homogenized, making end-to-end connectivity services a manual and slow process, and the allocation of computing resources across the entire network a difficult task. The new massive capacity requested by Data Centers and the new 5G connectivity services will urge for a better solution to orchestrate the transport network and the distributed computing resources. This article presents and demonstrates a Network Slicing solution together with an end-to-end service orchestration for transport networks. The Network Slicing solution permits the co-existence of virtual networks (one per service) over the same physical network to ensure the specific service requirements. The network orchestrator allows automated end-to-end services across multi-layer multi-domain network segments making use of the standard Transport API (TAPI) data model for both l0 and l2 layers. Both solutions will allow to keep up with beyond 5G services and the higher and faster demand of network and computing resources.

With the spread of smart cities through 5G and the development of IoT devices, the number of services requiring firm assurance of high capacity and ultra-low delay quality in various forms is increasing. However, continuous growth of large data makes it difficult for a centralized cloud to ensure quality of service. For this, a variety of distributed application architecture researches, such as MEC (Mobile|Mutli-access Edge Computing), are in progress. However, vendor-dependent MEC technology based on VNF (Virtual Network Function) has performance and scalability issues when deploying a variety of 5G-based services. This paper proposes PRISM-MECR, an SDN (Software Defined Network) based hardware accelerated MEC router using P4[3] programmable chip, to improve forwarding performance while minimizing load of host CPU cores in charge of forwarding among MEC technologies.

Large-scale disasters can lead to a severe damage or destruction of optical transport networks including the data-plane (D-plane) and control and management-plane (C/M-plane). In addition to D-plane recovery, quick recovery of the C/M-plane network in modern software-defined networking (SDN)-based fiber optical networks is essential not only for emergency control of surviving optical network resources, but also for quick collection of information related to network damage/survivability to enable the optimal recovery plan to be decided as early as possible. With the advent of the Internet of Things (IoT) technologies, low energy consumption, and low-cost IoT devices have been more common. Corresponding long-distance networking technologies such as low-power wide-area (LPWA) and LPWA-based mesh (LPWA-mesh) networks promise wide coverage sensing and environment data collection capabilities. We are motivated to take an infrastructure-less IoT approach to provide long-distance, low-power and inexpensive wireless connectivity and create an emergency C/M-plane network for early disaster recovery. In this paper, we investigate the feasibility of fiber networks C/M-plane recovery using an IoT-based extremely narrow-band, and lossy links system (FRENLL). For the first time, we demonstrate a field-trial experiment of a long-latency/loss tolerable SDN C/M-plane that can take advantage of widely available IoT resources and easy-to-create wireless mesh networks to enable the timely recovery of the C/M-plane after disaster.

The static deployment of Virtualized Network Functions (VNFs) introduces 1) significant degradation of Quality of Service (QoS), 2) inefficiency in the network and computing resource utilization, and 3) Network Function Virtualization (NFV)-based services with insufficient scalability, optimality, and flexibility. Caching VNFs is a promising solution to satisfy the dynamic demand to deploy a variety of VNFs and to maximize the performance as well as cost effectiveness. Although the concept of Content Delivery Network (CDN) is popular for efficiently caching and distributing contents, VNF deployment does not realize the benefit of CDN-based caching approaches. The challenges to caching VNFs are 1) to cover the large variety of VNFs and their properties, including the necessity of service chaining, and 2) to achieve high acceptance ratio given the limited availability of resources. This paper proposes Function Delivery Network (FDN), which is a cluster of distributed edge hypervisors for caching VNFs over a Software-Defined Network (SDN). The deployment and quality of the network function can be significantly improved by serving them closer to the end-users from the cached VNFs. FDN introduces a new strategy called Value-based caching that considers 1) the locality of reference and performance parameters of network and edge hypervisors together and 2) a partial deployment of service chains across multiple edge hypervisors for further efficient utilization of hypervisors resources. Evaluations on different patterns of input requests confirm that Value-based caching introduces significant improvement on both QoS and resource utilization in NFV.

In the coming smart-home era, more and more household electrical appliances are generating more and more sensor data and transmitting them over the home networks, which are often connected to Internet through Point-to-Point Protocol over Ethernet (PPPoE) for desirable authentication and accounting. However, according to our knowledge, high-speed commercial home PPPoE router is still absent for a home network environment. In this paper, we first introduce and evaluate our programmable platform FLARE-DPDK for ease of programming network functions. Then we introduce our effort to build a compact 10Gbps software FLARE PPPoE router on a commercial mini-PC. In our implementation, the control plane is implemented with Linux PPPoE software for authentication-like signaling control. The data plane is implemented over FLARE-DPDK platform, where we get packets from physical network interfaces directly bypassing Linux kernel and distribute packets to multiple CPU cores for data processing in parallel. We verify our software PPPoE router in both lab and production network environment. The experimental results show that our FLARE software PPPoE router can achieve much higher throughput than a commercial PPPoE router tested in a production environment.

The success and scale of the Internet and its protocol IP has spurred emergent distributed technologies such as fog/edge computing and new application models based on distributed containerized microservices. The Internet of Things and Connected Communities are poised to build on these technologies and models and to benefit from the ability to communicate in a peer-to-peer (P2P) fashion. Ubiquitous sensing, actuating and computing implies a scale that breaks the centralized cloud computing model. Challenges stemming from limited IPv4 public addresses, the need for transport layer authentication, confidentiality and integrity become a burden on developing new middleware and applications designed for the network's edge. One approach - not reliant on the slow adoption of IPv6 - is the use of virtualized overlay networks, which abstract the complexities of the underlying heterogeneous networks that span the components of distributed fog applications and middleware. This paper describes the evolution of the design and implementation of IP-over-P2P (IPOP) - from its purist P2P inception, to a pragmatic hybrid model which is influenced by and incorporates standards. The hybrid client-server/P2P approach allows IPOP to leverage existing robust and mature cloud infrastructure, while still providing the characteristics needed at the edge. IPOP is networking cyber infrastructure that presents an overlay virtual private network which self-organizes with dynamic membership of peer nodes into a scalable structure. IPOP is resilient to partitioning, supports redundant paths within its fabric, and provides software defined programming of switching rules to utilize these properties of its topology.

Recently, Network Function Virtualization (NFV) has drawn attentions of many network researchers with great deal of flexibilities, and various network service chains can be used in an SDN/NFV environment. With the flexibility of virtual middlebox placement, how to place virtual middleboxes in order to optimize the performance of service chains becomes essential. Some past studies focused on placement problem of consolidated middleboxes which combine multiple functions into a virtual middlebox. However, when a virtual middlebox providing only a single function is considered, the placement problem becomes much more complex. In this paper, we propose a new heuristic method, the gradual switch clustering based virtual middlebox placement method, in order to improve the performance of service chains, with the constraints of end-to-end delay, bandwidth, and operation cost of deploying a virtual middlebox on a switch. The proposed method gradually finds candidate places for each type of virtual middlebox along with the sequential order of service chains, by clustering candidate switches which satisfy the constraints. Finally, among candidate places for each type of virtual middlebox, the best places are selected in order to minimize the end-to-end delays of service chains. The evaluation results, which are obtained through Mininet based extensive emulations, show that the proposed method outperforms than other methods, and specifically it achieves around 25% less end-to-end delay than other methods.

The ability of Software Defined Networking (SDN) to dynamically adjust the network behaviour and to support fine-grained routing policies becomes increasingly attractive beyond the boundaries of Data Centre domains, where SDN has already gained enormous momentum. However, the wider adoption of SDN in ISP (Internet Service Provider) networks is still uncertain due to concerns about the scalability of a centralized traffic management in large-scale environments. This is particularly problematic when ISP offers virtual-link services, which imply a performance guaranteed data transfer between two network points. Our solution is a new approach to virtual-link mapping in SDN-based ISP networks. Within the problem's scope, we address traffic engineering (TE), QoS provisioning and failure recovery issues. In order to decrease the controller load, computational effort, and processing delay, we introduce a function split between online routing and TE. The TE functions are performed periodically, with configurable periodicity. In order to reduce the control overhead, we restrict the traffic optimization problem to load balancing over multiple static tunnels. This allows retention of the traditional MPLS routers in the network core and to achieve fast virtual-link restoration in case of physical-link failures. The online routing and admission control algorithms have been designed with the goal of low complexity, and to minimize Flow-table updates. In our simulation study, we compare the proposed virtual-link mapping solution with the solutions that exploit routing flexibility in fully SDN-enabled networks. We find that the throughput loss due to the use of static traffic tunnels is relatively small, while the control overhead is reduced significantly. A prototype of the proposed SDN control-plane is developed and validated in the Mininet emulator.