An event-based SDN architecture for network security analysis

2015

Software-defined networking (SDN), which decouples the control plane from traditionally proprietary network devices, is highly flexible and well suited to flow management. However, if the policy depends on the results of network security analysis, the controller must perform complicated packet processing such as packet reassembly and protocol analysis. Such processing easily overburdens the controller, and passing raw packets to the controller results in large communication overheads. In this work, we propose an event-based SDN architecture for network security analysis. This architecture places an event extractor on the network device that performs protocol analysis to extract policy-neutral events from network traffic. The network device looks up an extracted event in an event table to see whether a policy exists for that event. If not, it asks the controller for the policy corresponding to the event and configures the policy in the event table accordingly. Since the controller deals only with high-level event descriptions, it is freed from low-level packet processing. We evaluate this architecture by emulating it with the Bro intrusion detection system for event extraction from real traffic. The experimental results show that the communication overheads between the network devices and the controller can be effectively reduced.
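The following is an added illustration, not code from the paper: a small Python model of the device-side event table with a controller fallback, as the abstract describes it. The event types, hostnames, packet counts and policy rules are constructed sample values, and the per-packet baseline simply assumes every raw packet of an event would otherwise be forwarded to the controller; the model counts how many device-to-controller messages each approach needs.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample: (event_type, key_attribute, raw_packets_that_produced_it).
# The packet count stands in for the reassembly work the extractor absorbs;
# these names and values are hypothetical, not taken from the paper.
SAMPLE_EVENTS: List[Tuple[str, str, int]] = [
    ("http_request", "example.test", 12),
    ("dns_query", "update.example.test", 2),
    ("http_request", "example.test", 9),
    ("http_request", "bad.example.test", 15),
    ("dns_query", "update.example.test", 2),
    ("http_request", "bad.example.test", 7),
]

# Constructed controller policy: anything not listed is allowed.
POLICY_RULES: Dict[Tuple[str, str], str] = {
    ("http_request", "bad.example.test"): "drop",
}


@dataclass(frozen=True)
class Event:
    """A policy-neutral, high-level description produced by the event extractor."""
    kind: str
    key: str


@dataclass
class Controller:
    """Policy decision point: it only ever sees Event objects, never raw packets."""
    rules: Dict[Tuple[str, str], str]
    queries: int = 0  # number of device -> controller policy requests

    def lookup_policy(self, ev: Event) -> str:
        self.queries += 1
        return self.rules.get((ev.kind, ev.key), "allow")


@dataclass
class NetworkDevice:
    """Device-side event table: hit -> apply cached policy, miss -> ask controller."""
    controller: Controller
    event_table: Dict[Event, str] = field(default_factory=dict)

    def handle(self, ev: Event) -> str:
        policy = self.event_table.get(ev)
        if policy is None:
            # Cache miss: one message to the controller, then install the answer locally
            policy = self.controller.lookup_policy(ev)
            self.event_table[ev] = policy
        return policy


def run_event_based(events: List[Tuple[str, str, int]]) -> Tuple[List[str], int]:
    """Return the per-event decisions and the number of controller queries issued."""
    ctrl = Controller(rules=POLICY_RULES)
    dev = NetworkDevice(controller=ctrl)
    decisions = [dev.handle(Event(kind, key)) for kind, key, _ in events]
    return decisions, ctrl.queries


def count_packet_based(events: List[Tuple[str, str, int]]) -> int:
    """Baseline assumption: every raw packet is forwarded to the controller."""
    return sum(n for _, _, n in events)


if __name__ == "__main__":
    decisions, queries = run_event_based(SAMPLE_EVENTS)
    print("decisions:", decisions)
    print("controller messages, event-based:", queries)
    print("controller messages, packet-based:", count_packet_based(SAMPLE_EVENTS))
```

Repeated events hit the table and never reach the controller, so the controller load scales with the number of distinct events rather than with packet volume; the trade-off is that the extractor on the device now carries the protocol-analysis work.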