SDN/NFV-Based Security Service Function Tree for Cloud

Network security is very important for cloud computing. A service function chain (SFC) that integrates software defined network (SDN) and network function virtualization (NFV) provides a new approach to solving the network security issues of cloud computing. In this paper, we combine multiple SFCs into a security service function tree (or SecSFT, for short) to reduce the resources required for allocating virtual security functions. Following the idea of decision trees used for classification, we assign decision rules and detection rules to the nodes of the SecSFT so that they can identify and split suspicious flows from the mixed traffic and detect/prevent intrusions in the suspicious ones. The nodes of the SecSFT implement various virtualized functions, including security-related network functions (e.g., load balancing and traffic shaping), network security functions (e.g., intrusion detection, firewall), and virtualized network security hardware. Finally, we build a SecSFT in an experimental cloud and test and validate its security services in the detection and mitigation of network attacks.


I. INTRODUCTION
The widespread use of cloud computing services has brought a series of security problems. Because computing, storage and network resources are abstracted and decoupled from dedicated hardware devices, the traditional network security boundaries deployed around the target devices have vanished. The security issues faced by cloud computing come from both inside and outside the cloud. The internal security threats come from the lack of isolation within the cloud hosts, and the external ones come from all directions in the cloud environment. Therefore, the security of cloud computing has become a general concern of government, enterprise and academia.
Software defined network (SDN) is an emerging architecture that is manageable, cost-effective and adaptable. It separates the control plane from the data plane so that an external controller can manage network traffic in a unified manner [1]. Virtual network function (VNF) [2] was first proposed in the NFV (network function virtualization) white paper published by ETSI (European Telecommunications Standards Institute) in October 2010. The essence of NFV is to decouple network functions from dedicated network devices through virtualization. Traditional dedicated network devices such as firewalls, deep packet inspection, intrusion detection and network address translation are virtualized as VNFs, which can be deployed throughout a cloud to implement the corresponding network security services.
The associate editor coordinating the review of this manuscript and approving it for publication was Jiafeng Xie.
Integrating SDN and NFV brings the power of virtualization to network services. A service function chain (SFC) is a mechanism that defines an ordered list of service functions and dynamically steers network traffic through various service function paths [3]. Therefore, an SFC can be established to sequentially apply virtual security functions and so provide security services for the tenants of the cloud. However, to satisfy a variety of tenants and to prevent all sorts of attacks, a large number of security service function chains are required. Existing works that use SFCs to provide security services over the cloud are still limited to one SFC per security service [4]-[15]. In this paper, we propose a novel security service function tree architecture (or SecSFT, for short) to overcome this limitation. In the new architecture, VNF nodes of multiple SFCs are merged into one VNF node if they implement the same network security function.
A few related works focus on detecting and preventing a few types of attacks with an SFC [4]-[7]. Since a full-featured virtual security function may require a high computation capacity, and the traffic steered to it may consume a large amount of network resources, the optimization of resource allocation and the performance enhancement of an SFC are the main concerns of [8]-[15]. In contrast, we reduce the resource requirement by merging similar VNF nodes of multiple SFCs and allocating the virtual security functions close to the targets. The merged SFCs form a distributed decision tree, and the performance of the security services is enhanced by the distributed processing. Since the security situation in a cloud environment is complex and network attacks can aim at multiple targets, the distributed decision tree is more suitable than a chain.
The main contributions of this paper can be summarized as follows: (1) Considering that a large number of security service function chains are required to satisfy a variety of tenants and to prevent all sorts of attacks on a cloud, and that most VNF nodes among the chains implement the same functions with very low reuse rates, we propose a novel SecSFT architecture. Same-functioned VNF nodes are merged as far as possible, and the tree(s) are deployed optimally with respect to resource consumption and efficient delivery and filtering of network traffic.
(2) We propose a distributed model for the SecSFT based on the decision tree classification algorithm, which associates decision rules with the corresponding VNF nodes of the SecSFT. Network flow attribute values are collected and analyzed in each VNF node. The network flows are identified and divided by matching the decision rules, and suspicious network flows are detected and filtered at the current node or forwarded to the next nodes for finer-grained division and detection.

II. THE RELATED WORK
A few related works use SFCs to provide security services for networks. For example, Xing et al. [4] proposed an intrusion detection system framework, SnortFlow, that combines OpenFlow and Snort in a cloud environment. Snort is used to identify intrusion behaviors in network messages, and the SDN controller is responsible for distributing flow tables to reconfigure the network. Phan and Park [5] proposed a solution to tackle DDoS attacks in an SDN-based cloud environment. Traffic classification is based on the support vector machine and self-organizing map algorithms, and attack detection is performed by an enhanced history-based IP filtering scheme. An SFC was formed in an SDN-based cloud to defend against DDoS attacks of different levels. Nguyen et al. [6] used DES, AES and other encryption algorithms to encrypt the message headers that contain the forwarding path information in SFC messages, thereby preventing eavesdropping and the threat of man-in-the-middle attacks. Li et al. [7] proposed an automatic selection scheme for security service function chains that uses the Q-learning reinforcement learning algorithm to analyze and weight the network states, so as to achieve a diversified network defense solution. In contrast to the existing works that use one SFC to provide one security service, we use a tree that combines multiple SFCs to provide a collection of security services for the cloud.
Unlike the few works that focus on security issues in security service chaining, most works in this area concern the optimization of resource allocation for security service function chains and their performance enhancement. For example, Ye [8] proposed a scheme that lets every two VNFs share one server to minimize bandwidth consumption. Lin et al. [9] constructed a game model to coordinate the deployment of network services. Liu et al. [10] proposed a system architecture that uses SDN and NFV to control virtualized security resources for the construction of security service function chains. Dwiardhika and Tachibana [11] proposed an optimal placement of security virtual network functions for security service function chains based on the security level. Shameli-Sendi et al. [12] proposed a security approach for cloud infrastructure that incorporates best practice, the know-how of security experts, and various security constraints into a network security pattern. The optimal placement of compliant security functions in the cloud is believed to be an NP-hard problem, so that work proposed a scalable optimization framework that is aware of networking and computing resources. A heuristic solution based on the breadth-first search algorithm was proposed by Liu et al. [13] to optimize resource allocation under constraints that do not violate security and resource requirements. Pei et al. [14] studied dynamic VNF placement in a geo-distributed cloud system. It is formulated as a binary integer programming model that minimizes the cost of embedding SFC requests and optimizes the number of placed VNF instances. Li et al. [15] realized context-based and dynamic SFC over multi-domain networks by attaching metadata to share the context information of packets among those networks.
In contrast to the existing works, we use the tree architecture to avoid the duplicate deployment of same-functioned virtual security functions and thus reduce resource consumption.

III. ARCHITECTURE OF SECURITY SERVICE FUNCTION TREE
In this section, we propose a security service function tree (SecSFT) architecture that combines multiple SFCs to provide a variety of security services and to reuse security resources. It can be flexibly deployed close to multiple targets to detect and prevent network attacks coming from multiple directions.

A. DECISION TREE
We design the service function tree based on a decision tree that classifies network attack traffic, and assign the rules of the decision tree to the corresponding VNF nodes of the SecSFT. Specifically, the C4.5 decision tree algorithm [16] is used to construct the SecSFT. C4.5 determines the split attribute of each internal node according to the information gain ratio. To avoid over-fitting, we adopt the Pessimistic Error Pruning (PEP) algorithm [17]. PEP does not need an extra test data set and prunes from top to bottom. For a leaf node numbered $i$ with $n_i$ samples and $e_i$ errors, the error rate is $(e_i + 0.5)/n_i$, where 0.5 is the penalty factor. Then for a subtree with $L$ leaf nodes, its misjudgment rate is: When ErrorRatio of a sample equals 1, the subtree has misclassified the sample; when it equals 0, the sample is properly classified. The number of misjudgments of the subtree can be described by a Bernoulli distribution. The mean and standard deviation of the misjudgments of the subtree are: If the subtree is replaced with a leaf node, the error rate of that leaf node is: where e = Therefore, when the original subtree meets the following condition, the subtree is pruned.
VOLUME 8, 2020
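An added Python illustration (not the paper's code) of the PEP check described above, using the standard PEP quantities: the penalised per-leaf errors, their sum E over the L leaves, the Bernoulli standard deviation of E, and the penalised error of the leaf that would replace the subtree. The tree, its attribute names and its class counts are constructed assumptions.

```python
"""Pessimistic Error Pruning (PEP) for a C4.5-style tree whose leaves hold class counts of
flow samples. Implements the standard PEP quantities this section refers to: per-leaf errors
e_i + 0.5, their sum E over the L leaves, the Bernoulli standard deviation of E, and the
penalised error of the single leaf that would replace the subtree. Tree data is constructed."""
from collections import Counter
from math import sqrt

class Node:
    """Internal node: split attribute plus children; leaf: counts of class label -> samples."""
    def __init__(self, attribute=None, children=None, counts=None):
        self.attribute, self.children, self.counts = attribute, children or {}, counts or {}

    def is_leaf(self):
        return not self.children

    def leaves(self):
        return [self] if self.is_leaf() else [l for c in self.children.values() for l in c.leaves()]

def leaf_n(leaf):  # n_i: samples reaching the leaf
    return sum(leaf.counts.values())

def leaf_e(leaf):  # e_i: samples not in the leaf's majority class
    return leaf_n(leaf) - max(leaf.counts.values())

def subtree_error(node):
    """E = sum over the subtree's leaves of (e_i + 0.5)."""
    return sum(leaf_e(l) + 0.5 for l in node.leaves())

def subtree_std(node):
    """sqrt(E (n - E) / n): std of E when each of the n samples is misjudged independently."""
    n, E = sum(leaf_n(l) for l in node.leaves()), subtree_error(node)
    return sqrt(E * (n - E) / n)

def merged_counts(node):
    merged = Counter()
    for l in node.leaves():
        merged.update(l.counts)
    return merged

def collapsed_leaf_error(node):
    """e + 0.5 for the leaf replacing the subtree; e = samples outside its majority class."""
    m = merged_counts(node)
    return sum(m.values()) - max(m.values()) + 0.5

def should_prune(node):
    """PEP condition: the replacing leaf is no worse than E plus one standard deviation."""
    return not node.is_leaf() and collapsed_leaf_error(node) <= subtree_error(node) + subtree_std(node)

def pep_prune(node):
    """Top-down PEP: prune the subtree when the condition holds, otherwise recurse."""
    if node.is_leaf():
        return node
    if should_prune(node):
        return Node(counts=dict(merged_counts(node)))
    node.children = {v: pep_prune(c) for v, c in node.children.items()}
    return node

def build_tree():
    """Constructed tree over two flow attributes; labels are SYN Flood vs normal traffic."""
    high = Node("dst_host_count", {"one": Node(counts={"syn_flood": 30, "normal": 2}),
                                   "few": Node(counts={"normal": 10, "syn_flood": 1}),
                                   "many": Node(counts={"syn_flood": 5, "normal": 4})})
    low = Node("dst_port_count", {"few": Node(counts={"normal": 20, "syn_flood": 1}),
                                  "many": Node(counts={"normal": 15, "syn_flood": 1})})
    return Node("syn_rate", {"high": high, "low": low})
```

In the constructed tree the "low" subtree collapses to one leaf (its two leaves barely improve on the merged leaf), while the "high" subtree is kept.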

B. CONSTRUCTION OF SecSFT
The SecSFT architecture has a control and management plane which consists of orchestration and global monitoring modules. The global monitoring module mainly provides a global perspective for control and management, collects the entire network topology, finds network-wide available computing resources, and obtains the entire network security status. The orchestration module mainly formulates orchestration schemes of SecSFTs according to the current security situation, performs VNF resource mapping and scheduling according to the orchestration schemes and available resources, and defines flow tables to construct the tree topologies so that data flows are transmitted through the SecSFTs.
The SDN controller plays an important role in the control and management plane. It uses the OpenFlow [18] network protocol to communicate with networking devices. There are several popular SDN controllers, such as POX, Floodlight, OpenDaylight and ONOS. Taking the performance of these controllers into account, ONOS is selected in this paper. ONOS has the advantages of an open source ecosystem, support for controller clusters, and full open programmability.
The SDN controller can send different flow tables to OpenFlow switches according to the types of security services and the tree topologies. When network traffic arrives at the entry of a SecSFT, it is steered to different branches of the tree according to the decision rules.
The SecSFT architecture uses JSON (JavaScript Object Notation) as the standard format for data storage and exchange. Its text-based records have the advantages of a clear structure and concise layering. It is used for network-wide topology records, updates of infrastructure resources, templates of OpenFlow flow tables, etc. A RESTful API is used for real-time data communication between modules.
We construct a virtual network for each SFC to ensure that network traffic passing through different chains can be isolated by identifying the virtual logic network IDs. To detect and prevent network attacks, security resources of the cloud are deployed near the potential attack targets and integrated into the SecSFT. As Figure 1 shows, two SFCs are deployed in the same cloud across multiple network domains. The first two VNFs in the two SFCs shown in Figure 1 have the same network security functions, and so they are merged into the same VNF. The merging approach is illustrated in Figure 2. We create several virtual network cards (vNICs) for the merged VNF. Virtual network ports (vPorts) corresponding to these vNICs are mounted on the virtual bridge of the virtual switch. VLAN IDs are set for the virtual logic subnets that are connected to the vPorts.
When a frame arrives at a VNF from the inbound port, the VLAN ID in its header is stripped at the vPort. After the frame has been processed in the VNF, one vPort is selected as the forwarding port, and a new VLAN ID belonging to the next virtual network is added to the header of the frame before it is forwarded.

C. COLLECTION AND CLASSIFICATION OF TRAFFIC
Typical network attack types include DoS (Denial of Service), port scanning, unauthorized remote access and unauthorized super user privilege access, etc. In this paper, we choose four specific network attacks, SYN Flood, UDP Flood, IPsweep and Portscan, to test the SecSFT architecture.
When a new network attack arrives, the network traffic attribute values will be significantly different from normal network traffic at some network nodes. Referring to the network intrusions provided by KDDCUP 99 [19], there are up to 41 attributes of network intrusion behaviors. For the four specific network attacks we choose, eleven of the 41 attributes are most suitable for the SecSFT to construct the decision tree, as listed in Table 1.
The attributes have varying values over time. By using time-based statistical attribute values, the abnormal behavior of network attacks can be dynamically captured. In this paper, a 1-second sliding window is used for collecting the flow attribute values.
Network flow attribute values are collected in the VNF nodes corresponding to those of the decision tree. By collecting the attribute values of the network traffic passing through a VNF node in the time window and matching them with the decision rules of the VNF node, a decision can be made that determines whether a flow is forwarded to the next hop or stopped to process locally. For the flow to be processed locally, intrusion detection/prevention rules corresponding to the virtual security functions of the current VNF are applied. Though we can combine the decision rules and the intrusion detection rules to determine forwarding or dropping a flow, the matching time against a lot of rules may cause additional delay for the traffic.
We use the open source libpcap (a network packet capture library) to sniff the network traffic delivered to specific VNF nodes, compute the relevant attribute values, and forward the traffic to the virtual networks. The virtualized network functions in this paper use Docker as the container. An example of a SecSFT is shown in Figure 3. Lines of different colors represent different SFCs, and each chain provides a set of specific security services. VNF01 is the root of the tree. When network traffic arrives at the entry of the tree, it is subdivided into smaller and smaller streams as it passes through the tree.

D. COMMUNICATION BETWEEN VNFs
For communication between VNFs in the virtual environment, we use OVS as the multi-layer virtual switch. To ensure high availability and scalability, an OVS double-bridge scheme is designed: we construct two OVS virtual bridges on a host. The br-int virtual bridge mainly adds and strips the VLAN IDs of the virtual networks and performs the normal forwarding of data packets. In the br-tun virtual bridge, the OpenFlow multi-level flow table [20] is adopted to group and process data packets from different sources. The header of each data packet is matched against the match fields of the OpenFlow flow table, and the corresponding operations, such as forwarding, discarding and modifying, are executed if the match succeeds. OVS establishes a pair of patch ports between br-int and br-tun to pass packets between them.
To meet the requirement of communication among VNFs distributed in multiple data centers, we use overlay network to maintain multiple data centers in a broadcast domain. The broadcast packets from the VNFs can reach all the data centers, realizing a large layer-2 extended network. It allows all servers, containers, virtual machines, etc. to communicate within the scope of the large layer-2 extended network.
VxLAN (Virtual Extensible LAN) [21] is used to abstract the underlay physical network, build virtual tunnels and a large layer-2 virtual network, and to realize layer-2 message transmission across layer-3 networks.

IV. EXPERIMENT OF SecSFT
We used six servers and several switching devices. One of the servers is used as the control center of the SecSFT. We chose Docker containers to implement VNFs and to manage virtualized security resources. The multi-layer virtual switch scheme of Open vSwitch is adopted to construct the virtual network of the containers. The open source SDN operating system ONOS was deployed in the control center. The experimental cloud and the SecSFT are shown in Figure 4. The experimental prototype uses VxLAN tunnels to abstract the underlay physical network and construct a large layer-2 virtual network. Isolation among different types of network traffic is achieved by dividing VLANs. The containers communicate with each other through the virtual network.
The construction and training of the SecSFT needs sample sets of corresponding network attacks traffic. We collected a variety of flow attribute values of the network attack flows and stored them in a database. In the experiment, we selected 500 training samples for each type of attack.
Four types of attacks were used to verify the SecSFT. SYN Flood and UDP Flood are selected from the DDoS attack types, and IPsweep and Portscan are selected from the scanning attack types.
We generated SYN Flood, UDP Flood, IPsweep and Portscan attacks through the raw socket of Linux. Normal traffic is obtained by collecting the network traffic in the real network and re-launching it to the experiment cloud. The network traffic attribute values are extracted and analyzed in the VNF nodes of the SecSFT.
The network traffic attribute values under the four network attacks were collected in the controller, as shown in Figure 5 and Figure 6. To verify whether the SecSFT can correctly identify and process the network attack traffic, we respectively send the normal network traffic, SYN Flood attack traffic, UDP Flood attack traffic, IPsweep attack traffic, and Portscan attack traffic to the root node of the SecSFT. In the virtual resource global monitoring module of the control center, we check the packet rate delivered into each VNF node of the SecSFT. The rates show the different network traffic paths and verify whether the network traffic is forwarded to finer-grained branches based on the decision rules.
As an example of the results, the flow of the SYN Flood attack is shown in Figures 7 and 8. The chain of VNFs taken in the service function tree is VNF01 -> VNF03 -> VNF06. The intrusion detection alarm for the SYN Flood attack is issued by VNF06, as shown in Figure 8.
Similarly, as shown in Figures 9-14, different attacks are led to different chains of VNFs of the SecSFT and alarms for the attacks are issued by the corresponding security VNFs. In contrast, the normal traffic passes through the tree without any alarm, as shown in Figure 15.
The traffic mixed from the normal network traffic, SYN Flood attack traffic, UDP Flood attack traffic, IPsweep attack traffic, and Portscan attack traffic is similarly separated into five different types of network flows after passing through the SecSFT. During processing in the SecSFT, the attribute values of the network flows passing through the VNF nodes are collected and matched against the decision rules, and undetermined flows are forwarded to the next hop for a finer-grained check. Each VNF chain in the SecSFT performs one kind of intrusion detection and prevention.
Finally, we use accuracy, false alarm, and miss alarm to evaluate the detection results of the SecSFT. The accuracy is the proportion of the samples of the mixed flows in which the attack and the normal traffic are correctly identified, the false alarm is the proportion of the normal traffic samples that are falsely identified as attack, and the miss alarm is the proportion of the attack samples that are falsely identified as normal traffic.
The confusion matrix for evaluating the detection results of the SecSFT against the attacks is shown in Table 2, and the accuracy, false alarm, and miss alarm are shown in Table 3.
The evaluation results show that the SecSFT designed in this paper has a high identification accuracy for the four types of network attacks, and the system has a good intrusion detection capability.
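The window-based attribute collection and decision-rule routing of Section III-C and the three indicators defined above, as an added Python illustration that is not the paper's code: the VNF node names, the attribute set, the thresholds and the single-source traffic are constructed assumptions, not the paper's Table 1 or its trained tree.

```python
"""Sliding-window attribute collection, decision-rule routing through SecSFT VNF nodes and the
accuracy / false-alarm / miss-alarm indicators. Names, attributes and thresholds are constructed."""
from collections import deque, namedtuple

Packet = namedtuple("Packet", "ts dst proto dport syn_only", defaults=(False,))  # syn_only: SYN-only TCP

class FlowWindow:
    """Attribute values of one source's traffic over the paper's 1-second sliding window."""
    def __init__(self, window=1.0):
        self.window, self.pkts = window, deque()

    def add(self, p):
        self.pkts.append(p)
        while self.pkts[0].ts < p.ts - self.window:  # expire packets older than the window
            self.pkts.popleft()

    def attributes(self):
        n = len(self.pkts)
        return {"count": n,
                "syn_rate": sum(p.syn_only for p in self.pkts) / n,
                "udp_rate": sum(p.proto == "udp" for p in self.pkts) / n,
                "dst_host_count": len({p.dst for p in self.pkts}),
                "dst_port_count": len({p.dport for p in self.pkts})}

# Per-node decision rules, ordered (predicate, next hop). A hop that is not a VNF name is the
# node's local verdict: the flow stops here and the node's own detection rule decides.
TREE = {
    "VNF01": [(lambda a: a["count"] < 50, "normal"),
              (lambda a: a["udp_rate"] > 0.8, "VNF02"),
              (lambda a: True, "VNF03")],
    "VNF02": [(lambda a: a["dst_port_count"] <= 3, "udp_flood"), (lambda a: True, "normal")],
    "VNF03": [(lambda a: a["dst_host_count"] > 10, "VNF05"),
              (lambda a: a["dst_port_count"] > 10, "VNF04"),
              (lambda a: a["syn_rate"] > 0.8, "VNF06"),
              (lambda a: True, "normal")],
    "VNF04": [(lambda a: True, "portscan")],
    "VNF05": [(lambda a: True, "ipsweep")],
    "VNF06": [(lambda a: a["dst_host_count"] <= 3, "syn_flood"), (lambda a: True, "normal")],
}

def route(attrs):  # walk from the root VNF01 -> (VNFs visited, final verdict)
    path, node = [], "VNF01"
    while node in TREE:
        path.append(node)
        node = next(hop for pred, hop in TREE[node] if pred(attrs))
    return path, node

def evaluate(results):
    """results: (true_label, verdict) pairs -> (accuracy, false_alarm, miss_alarm)."""
    normal = [v for t, v in results if t == "normal"]
    attack = [v for t, v in results if t != "normal"]
    return (sum(t == v for t, v in results) / len(results),
            sum(v != "normal" for v in normal) / len(normal),
            sum(v == "normal" for v in attack) / len(attack))

GEN = {  # label -> (packets per second, index -> (dst, proto, dport, syn_only)); constructed
    "syn_flood": (200, lambda i: ("10.0.0.5", "tcp", 80, True)),
    "udp_flood": (200, lambda i: ("10.0.0.5", "udp", 53, False)),
    "ipsweep":   (100, lambda i: (f"10.0.0.{i % 50}", "tcp", 80, True)),
    "portscan":  (100, lambda i: ("10.0.0.5", "tcp", 1000 + i, True)),
    "normal":    (10,  lambda i: ("10.0.0.5", "tcp", 443, False)),
}

def constructed_window(kind):  # attributes of one second of constructed single-source traffic
    n, gen = GEN[kind]
    w = FlowWindow()
    for i in range(n):
        w.add(Packet(i / n, *gen(i)))
    return w.attributes()
```

With the constructed windows the SYN Flood traffic takes the path VNF01 -> VNF03 -> VNF06 reported above, and `evaluate` over the five labelled windows yields accuracy 1.0 with no false or missed alarms.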

V. CONCLUSION
In this paper, we designed an architecture of distributed decision tree based on SDN/NFV and SFC for security services in a cloud. We deployed the SecSFT in an experimental cloud and successfully implemented it in classification, detection and filtering of four types of network attacks. Finally, we evaluated it with three performance indicators.
For the future work, we will evaluate SecSFT with more types of attacks and compare it with the existing attack detection schemes.