
Design of Event-Based Intrusion Detection System on OpenFlow Network

Yung-Li Hu (1,2), Wei-Bing Su (1), Li-Ying Wu (1), Yennun Huang (2), Sy-Yen Kuo (1)
(1) Department of Electrical Engineering, National Taiwan University, Taipei, Taiwan
d99921027@ntu.edu.tw, d01921026@ntu.edu.tw, r01921037@ntu.edu.tw, sykuo@cc.ee.ntu.edu.tw
(2) Research Center for Information Technology Innovation, Academia Sinica, Taipei, Taiwan
yennunhuang@citi.sinica.edu.tw
Abstract: OpenFlow (OF) Network is a novel network architecture that many well-known cloud service providers have applied to build their data center networks. The difference between an OF Network and a traditional network architecture is the decoupling of the control plane (the controller) from the data plane for network management. Intrusion detection is very important in cloud computing for improving system security. Because an OF network can improve the response time of an alert by efficiently configuring network flows, we design an event-based Intrusion Detection System (IDS) architecture on an OF network.

Keywords: OpenFlow Network, Intrusion Detection Systems

I. INTRODUCTION

OpenFlow (OF) Network is a novel network architecture proposed by the Open Networking Foundation (ONF), and many well-known cloud service providers such as Google, Facebook, and Microsoft have applied it to build their data center networks. The difference between an OF Network and a traditional network architecture is the decoupling of the control plane from the data plane for network management [1,2]. Figure 1 illustrates the scenario of the OF network.

OF switches are controlled by a logically centralized controller in a network infrastructure, so that resource allocation and service configuration can be more scalable and flexible. The flow table maintains many flow entries, each of which records the features of packets received by an OF switch. Every flow entry records three fields: header, counter, and action, which are illustrated in Table 1.

Table 1. Illustration of Fields in Flow Entry

Field Name | Illustration
Header     | The unique identifier for the type of packets received by the OF switch.
Counter    | How many packets have been received by the OF switch in a specific time interval.
Action     | The actions associated with the entry when a matching packet is received during a specific time interval.

When a new packet arrives at an OF switch, it is compared against all flow entries in the flow table. If the new packet matches one of the flow entries, that entry updates its counter and triggers its associated actions. If the new packet is not matched by any flow entry, it is sent to the OF controller through a secure channel, and the OF controller decides whether or not to add a new flow entry for this new packet type to the flow table. The operation records of flow entries in the flow table can be used to analyze anomalous traffic flows and detect network intrusions [3]. Observing variations of flow entries for intrusion detection is a lightweight approach because it is not necessary to spend computation resources on packet parsing.
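To make the lookup just described concrete, the following is an added Python simulation (not code from the paper, nor from any real OpenFlow controller or switch) of a flow table whose entries carry the three fields of Table 1, a controller that decides on table misses, and a detector that inspects only counter deltas between two snapshots, without parsing packets. The three header fields, the controller's allow-list policy, the constructed traffic and the threshold are all assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Simplified header: (src_ip, dst_ip, dst_port). Real OpenFlow headers carry
# many more match fields; this narrow tuple is an assumption for the example.
Header = Tuple[str, str, int]


@dataclass
class FlowEntry:
    """One flow-table entry with the three fields of Table 1."""
    header: Header
    action: str        # e.g. "forward" or "drop"
    counter: int = 0   # packets matched since the entry was installed


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    dst_port: int

    def header(self) -> Header:
        return (self.src_ip, self.dst_ip, self.dst_port)


class Controller:
    """Stand-in for the OF controller: on a table miss it decides which entry
    to install. Constructed policy: forward ports 80 and 443, drop the rest."""
    ALLOWED_PORTS = {80, 443}

    def __init__(self) -> None:
        self.packet_in_count = 0   # table misses reported by switches

    def packet_in(self, packet: Packet) -> FlowEntry:
        self.packet_in_count += 1
        action = "forward" if packet.dst_port in self.ALLOWED_PORTS else "drop"
        return FlowEntry(header=packet.header(), action=action)


class OFSwitch:
    def __init__(self, controller: Controller) -> None:
        self.controller = controller
        self.flow_table: Dict[Header, FlowEntry] = {}

    def receive(self, packet: Packet) -> str:
        """Look the packet up; on a hit update the counter and apply the action,
        on a miss hand it to the controller, which installs a new entry."""
        entry = self.flow_table.get(packet.header())
        if entry is None:
            entry = self.controller.packet_in(packet)
            self.flow_table[entry.header] = entry
        entry.counter += 1
        return entry.action

    def counter_snapshot(self) -> Dict[Header, int]:
        return {h: e.counter for h, e in self.flow_table.items()}


def detect_anomalies(prev: Dict[Header, int], curr: Dict[Header, int],
                     packet_threshold: int) -> List[Header]:
    """Flag entries whose counter grew by more than packet_threshold between
    two snapshots (one observation interval). Only counters are inspected."""
    return [h for h, count in curr.items()
            if count - prev.get(h, 0) > packet_threshold]


def run_demo() -> Dict[str, object]:
    ctrl = Controller()
    sw = OFSwitch(ctrl)
    # Constructed traffic: a normal client, one disallowed port, and one host
    # sending an unusually large number of packets to a single service.
    traffic = [Packet("10.0.0.2", "10.0.0.10", 80)] * 3
    traffic += [Packet("10.0.0.2", "10.0.0.10", 22)]
    traffic += [Packet("10.0.0.7", "10.0.0.10", 443)] * 50
    before = sw.counter_snapshot()
    actions = [sw.receive(p) for p in traffic]
    after = sw.counter_snapshot()
    return {
        "table_size": len(sw.flow_table),
        "packet_in": ctrl.packet_in_count,
        "dropped": actions.count("drop"),
        "flagged": detect_anomalies(before, after, packet_threshold=20),
    }


if __name__ == "__main__":
    print(run_demo())
```

With this input only three table misses reach the controller (one per distinct header), the single SSH packet is dropped by the installed entry, and the detector flags the one entry whose counter jumped by 50 in the interval, which is exactly the kind of counter-only observation the text calls lightweight.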
Network attacks, such as a large volume of requests to a network service during a short time interval or frequent unauthorized accesses to some service nodes, may lead to serious damage to cloud computing. Detecting network anomaly events is an important task in cloud computing because a cloud system must maintain its network security at all times. Therefore, Intrusion Detection Systems (IDS) in a cloud system have to process anomaly events immediately and send alerts to administrators.

Fig. 1. Scenario of OpenFlow Network

978-1-4799-0181-4/13/$31.00 2013 IEEE

The advantage of an OF network is that the controller is programmable, so it is able to dynamically adjust network configurations such as the network topology and routing paths. On the other hand, flow entries in the flow table can be considered as events which reflect the states of network flows. Therefore, the OF network can efficiently configure the amount of network traffic forwarded to an intrusion detection system, so that the response time of alerts is improved.

Therefore, we propose an event-based IDS architecture on the OF network. With the proposed IDS architecture, attack events can be detected from a large number of traffic flows and flow entries. The architecture of our IDS is distributed, event-based and hierarchical, so that it can detect and report an intrusion alert immediately.
II. ARCHITECTURE DESIGN OF INTRUSION DETECTION SYSTEM

Figure 2 shows the design of the event-based IDS architecture operated on an OpenFlow Network. The concepts of our design are a distributed architecture and coordinated operations. The functions of the components in this architecture are illustrated as follows:
- Sub-Controller: This component is an OpenFlow controller which connects to one or more OF switches in the OpenFlow network. The Sub-Controller collects traffic flows and flow entries from OF switches, and then forwards the data to the Event Bus through a publish/subscribe mechanism.
- Event Bus: This component is a gateway which routes data to an Event Processing Agent (EPA) in the Event Processing Engine or to an Event Channel through the publish/subscribe mechanism.
- Event Channel: This component is used to buffer events which are ready to be processed by an EPA. The objective of the Event Channel is to support complex computation for anomaly detection or alert correlation.
- Event Processing Engine: This Engine is constituted of a set of Event Processing Agents (EPA). An EPA is a software component which is responsible for the detection of network attacks and plays the role of hyper-controller to coordinate the tasks of Sub-Controllers.

The rule pattern of an EPA is formulated in an Event Processing Language (EPL), such as Esper [4], and is stored in the Event Pattern repository. Network administrators can use EPL to define policy-based intrusion detection rules for EPAs. A set of EPAs can realize collaborative intrusion detection by analyzing and correlating alert events from multiple attack detection results through user-defined intrusion detection rules. This approach can improve on the ability of isolated intrusion detection components, which only monitor a limited portion of the Internet.
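The component list above and the rule-based correlation just described can be exercised end to end in a small Python model. The following is an added example (not code from the paper, and not Esper or any EPL engine): two Sub-Controllers publish flow observations to an Event Bus, an Event Channel buffers them, and one EPA evaluates a single hand-written rule over a sliding window, correlating evidence from both Sub-Controllers before raising an alert and, in its hyper-controller role, issuing a coordination command back to them. The event schema, the rule (packets per source within a window, seen by at least two Sub-Controllers), the thresholds and the sample observations are all constructed assumptions.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Callable, Deque, Dict, List, Set


@dataclass(frozen=True)
class FlowEvent:
    """One flow-entry observation published by a Sub-Controller (constructed schema)."""
    sub_controller: str
    src_ip: str
    dst_ip: str
    packets: int   # counter delta observed in this interval
    ts: float      # observation time in seconds


@dataclass
class Alert:
    rule: str
    src_ip: str
    packets: int
    witnesses: List[str]   # Sub-Controllers whose events contributed


class EventBus:
    """Gateway: routes each published event to every subscriber of its topic."""
    def __init__(self) -> None:
        self._subs: Dict[str, List[Callable[[FlowEvent], None]]] = defaultdict(list)

    def subscribe(self, topic: str, handler: Callable[[FlowEvent], None]) -> None:
        self._subs[topic].append(handler)

    def publish(self, topic: str, event: FlowEvent) -> None:
        for handler in self._subs[topic]:
            handler(event)


class EventChannel:
    """Buffers events until the EPA drains them in a batch."""
    def __init__(self) -> None:
        self._queue: Deque[FlowEvent] = deque()

    def push(self, event: FlowEvent) -> None:
        self._queue.append(event)

    def drain(self) -> List[FlowEvent]:
        events = list(self._queue)
        self._queue.clear()
        return events


class SubController:
    """Publishes flow observations and records coordination commands from the EPA."""
    def __init__(self, name: str, bus: EventBus) -> None:
        self.name, self.bus = name, bus
        self.commands: List[str] = []

    def report(self, src_ip: str, dst_ip: str, packets: int, ts: float) -> None:
        self.bus.publish("flow", FlowEvent(self.name, src_ip, dst_ip, packets, ts))


class EPA:
    """Evaluates one rule over a sliding window: a source exceeding
    packet_threshold packets within window_s seconds, observed by at least
    min_witnesses Sub-Controllers. A hand-written stand-in for an EPL rule."""
    def __init__(self, channel: EventChannel, subs: List[SubController],
                 window_s: float, packet_threshold: int, min_witnesses: int) -> None:
        self.channel, self.subs = channel, subs
        self.window_s, self.packet_threshold = window_s, packet_threshold
        self.min_witnesses = min_witnesses
        self._window: Dict[str, List[FlowEvent]] = defaultdict(list)
        self._now = float("-inf")
        self.alerted: Set[str] = set()

    def process(self) -> List[Alert]:
        for ev in self.channel.drain():
            self._window[ev.src_ip].append(ev)
            self._now = max(self._now, ev.ts)
        cutoff = self._now - self.window_s
        alerts: List[Alert] = []
        for src_ip, events in self._window.items():
            events[:] = [e for e in events if e.ts >= cutoff]   # evict stale events
            total = sum(e.packets for e in events)
            witnesses = sorted({e.sub_controller for e in events})
            if (total > self.packet_threshold and len(witnesses) >= self.min_witnesses
                    and src_ip not in self.alerted):
                self.alerted.add(src_ip)
                alerts.append(Alert("high_volume_multi_site", src_ip, total, witnesses))
                for sc in self.subs:   # hyper-controller role: coordinate Sub-Controllers
                    sc.commands.append(f"rate-limit flows from {src_ip}")
        return alerts


def run_demo() -> Dict[str, object]:
    bus, channel = EventBus(), EventChannel()
    bus.subscribe("flow", channel.push)
    sc1, sc2 = SubController("sc-1", bus), SubController("sc-2", bus)
    epa = EPA(channel, [sc1, sc2], window_s=30.0, packet_threshold=150, min_witnesses=2)
    # Constructed observations: (src, dst, packets, ts)
    sc1.report("10.0.0.5", "10.0.0.10", 500, -100.0)   # stale, outside the window
    sc1.report("10.0.0.2", "10.0.0.10", 5, 1.0)         # benign
    sc2.report("10.0.0.9", "10.0.0.11", 200, 2.0)       # high volume but a single witness
    sc1.report("10.0.0.7", "10.0.0.10", 60, 0.0)
    sc1.report("10.0.0.7", "10.0.0.10", 70, 5.0)
    sc2.report("10.0.0.7", "10.0.0.11", 80, 8.0)        # same source seen by both
    sc2.report("10.0.0.5", "10.0.0.11", 100, 7.0)
    return {"alerts": epa.process(), "sc1_commands": sc1.commands,
            "sc2_commands": sc2.commands}


if __name__ == "__main__":
    print(run_demo())
```

The demo raises exactly one alert, for 10.0.0.7, because its 210 packets in the window were reported by both Sub-Controllers; 10.0.0.9 exceeds the packet threshold but is seen by one site only, and the stale 10.0.0.5 observation is evicted before correlation. This is the sense in which correlating across EPAs and Sub-Controllers improves on an isolated detector that sees only its own portion of the network.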

Fig. 2. Event-Based IDS Architecture

III. CONCLUSION

The contribution of our research is the design of an event-based Intrusion Detection System (IDS) architecture on an OF network for better network security. In future work, we will extend this research to realize collaborative intrusion detection, which can analyze and correlate alert events from the results of attacks detected by many independent IDSs, to reduce the rate of false positive alerts and decrease the response time of attack detection.
REFERENCES

[1] N. McKeown, T. Anderson, H. Balakrishnan, G. Peterson, J. Rexford, S. Shenker, and J. Turner, "OpenFlow: Enabling Innovation in Campus Networks," ACM SIGCOMM Computer Communication Review, Volume 38, Issue 2, pages 69-74, April 2008.
[2] Tootoonchian and Y. Ganjali, "HyperFlow: A Distributed Control Plane for OpenFlow," in Proceedings of the 2010 Internet Network Management Conference on Research on Enterprise Networking (INM/WREN), 2010.
[3] R. Braga, E. Mota, and A. Passito, "Lightweight DDoS Flooding Attack Detection Using NOX/OpenFlow," in Proceedings of the 35th IEEE International Conference on Local Computer Networks (LCN), pages 408-415, 2010.
[4] EsperTech, 2013. [Online] Available: http://esper.codehaus.org/
[5] A. Hofmann and B. Sick, "Online Intrusion Alert Aggregation with Generative Data Stream Modeling," IEEE Transactions on Dependable and Secure Computing, Volume 8, Issue 2, pages 282-294, 2011.
[6] M. Sifalakis, M. Fry, and D. Hutchison, "Event Detection and Correlation for Network Environments," IEEE Journal on Selected Areas in Communications, Volume 28, No. 1, January 2010.
[7] G. Wang, T. S. E. Ng, and A. Shaikh, "Programming Your Network at Run-Time for Big Data Applications," in Proceedings of the First Workshop on Hot Topics in Software Defined Networks (HotSDN), 2012.
