A Fine-Grained Detection Mechanism for SDN Rule Collision

Abstract

The rules issued by third-party applications may directly or indirectly violate existing security flow rules in an SDN (software-defined network), causing the security rules to fail. Existing methods cannot detect rule collisions in a comprehensive and fine-grained manner. This paper proposes a deep detection mechanism for rule collision that can detect grammatical errors in the flow rules themselves, and can also detect direct and indirect rule collisions between third-party and security applications based on the set intersection method. In addition, our mechanism can effectively and automatically resolve rule collisions. Finally, we implement the detection mechanism in the RYU controller, and use Mininet to evaluate its function and performance. The results show that the mechanism proposed in this paper can accurately detect the static, dynamic and dependency collisions of flow rules, and ensure that the decline in throughput of the northbound interface of the SDN network is controlled at 20%.

Cite

Xiaochen, Q., Shihui, Z., Lize, G., & Yongmei, C. (2019). A Fine-Grained Detection Mechanism for SDN Rule Collision. In Lecture Notes of the Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering, LNICST (Vol. 279, pp. 549–559). Springer Verlag. https://doi.org/10.1007/978-3-030-19086-6_60
