Efficient Forwarding Anomaly Detection in Software-Defined Networks

2021 
Data centers, the critical infrastructure underpinning Cloud computing, often employ Software-Defined Networks (SDN) to manage cluster, wide-area and enterprise networks. As the network forwarding in SDN is dynamically programmed by controllers, it is crucial to ensure that the controller intent is correctly translated into underlying forwarding rules. Therefore, detecting and locating forwarding anomalies in SDN is a fundamental problem in production networks. Existing research proposals, roughly categorized into probing-based, packet piggybacking-based, and flow statistics analysis-based, either impose significant overhead or do not provide sufficient coverage for certain forwarding anomalies. In this article, we propose FADE, a controllable and passive measuring scheme to simultaneously deliver detection efficiency and accuracy. FADE first analyzes the entire network topology and flow rules, and then computes a minimal set of flows that can cover all forwarding rules. For each selected network flow, FADE decides the optimal number of monitoring positions on its path (much less than total number of hops), and installs dedicated rules to collect flow statistics. FADE controls the installation and expiration of these rules, along with unique flow labels, to guarantee the accuracy of collected statistics, based on which FADE algorithmically decides whether a forwarding anomaly is detected, and if so it further locates the anomaly. On top of FADE, we propose iFADE (a more scalable version of FADE) to further optimize the usage and deployment of dedicated measurement rules. iFADE achieves over 40 percent rule reduction compared with FADE. We implement a prototype of both FADE and iFADE in about 12000 lines of code and evaluate the prototype extensively.
The experiment results demonstrate (i) FADE and iFADE are accurate, e.g., they achieve over 95 percent true positive rate and 99 percent true negative rate in anomaly detection; (ii) FADE and iFADE are lightweight, e.g., they reduce the overhead of control messages compared with state-of-the-art by about 50 and 90 percent, respectively.
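
The two steps the abstract describes, selecting flows that cover every forwarding rule and comparing flow statistics at a few monitoring positions, can be sketched as follows. This is an added illustration, not code from the paper or its prototype: the greedy set cover and the counter-tolerance check are assumed stand-ins for FADE's own algorithms, and all flow names, rules and counter values are constructed.

```python
# Added illustration: simplified stand-ins, not FADE's actual algorithms.
# Every flow id, switch, rule and counter value below is constructed.

def select_flows(flow_rules):
    """Greedy set cover: choose flows until every forwarding rule is covered.

    flow_rules maps a flow id to the (switch, rule) hops it traverses.
    Greedy gives an approximation of the minimal covering set.
    """
    uncovered = {hop for hops in flow_rules.values() for hop in hops}
    chosen = []
    while uncovered:
        # sorted() makes tie-breaking deterministic (lowest flow id wins)
        best = max(sorted(flow_rules),
                   key=lambda f: len(uncovered & set(flow_rules[f])))
        chosen.append(best)
        uncovered -= set(flow_rules[best])
    return chosen


def locate_anomaly(path, monitors, counters, tolerance=0.05):
    """Compare per-flow packet counters at consecutive monitoring positions.

    Only the switches in `monitors` carry counting rules, so an anomaly is
    localized to the segment between two monitors, not to a single hop.
    Returns None if the counters agree within `tolerance`, otherwise the
    (upstream, downstream) pair of monitors where they diverge.
    """
    points = [s for s in path if s in monitors]
    for up, down in zip(points, points[1:]):
        expected, got = counters[up], counters[down]
        # max(expected, 1) also flags packets appearing after a zero count
        if abs(got - expected) > tolerance * max(expected, 1):
            return (up, down)
    return None


FLOW_RULES = {  # constructed sample: flow -> hops as (switch, rule)
    "f1": [("s1", "r1"), ("s2", "r2"), ("s3", "r3")],
    "f2": [("s1", "r1"), ("s2", "r4")],
    "f3": [("s2", "r2"), ("s3", "r3")],
    "f4": [("s4", "r5"), ("s3", "r3")],
}
PATH = ["s1", "s2", "s3", "s4", "s5"]
MONITORS = {"s1", "s3", "s5"}  # fewer monitoring positions than hops

if __name__ == "__main__":
    print(select_flows(FLOW_RULES))
    print(locate_anomaly(PATH, MONITORS, {"s1": 1000, "s3": 998, "s5": 400}))
```

With fewer monitors than hops, the returned segment bounds where the rule fault lies; narrowing it further requires moving or adding monitoring positions on that segment.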