SDN Dynamic Access Control Scheme Based on Prediction

Abstract

Through research on the access control of software defined network (SDN) northbound interfaces, we found that malicious OpenFlow applications (OF applications) abuse the northbound interfaces with ADD permissions, which can cause the controllers function failure and other serious harm or even crash directly. Most previous studies of this issue, such as those resulting in the ControllerDAC scheme, set static thresholds; and did not find effective solutions to those problems. This paper analyzes the characteristics of the input flows and proposes an SDN dynamic access control scheme based on prediction and dynamic adjustment of the load threshold. By examining the access characteristics of the OF application, we use a prediction algorithm to determine whether the application will disrupt the API with ADD permissions. This algorithm enables us to perform targeted dynamic access control for different types of applications. Experimental results show that compared with the aforementioned ControllerDAC scheme, our scheme effectively reduces the malicious flow table rate and limits the delivery of malicious flow tables, and the extra delay generated by our scheme is less than 10%.