A Traffic Tracking Algorithm for a Fast Detection of Active Network Sources
Ayah Atiyah
King Hussein School of Computing Sciences, Princess Sumaya University for Technology, Amman, Jordan
Sufyan Almajali
King Hussein School of Computing Sciences, Princess Sumaya University for Technology, Amman, Jordan
ABSTRACT
A Denial of Service attack is a cyber-attack that overwhelms the victim's resources (system resources and network bandwidth) and makes them unavailable to legitimate users. To take the edge off this problem, packet filtering schemes at the front end of network monitoring systems (such as an Intrusion Detection System) have been proposed. Detecting suspicious activities and abnormally high traffic activities are challenging tasks, as existing packet filtering and monitoring algorithms perform poorly when the given time budget of execution is minimal. Satisfying such a standard requires a packet filtering algorithm to be capable of controlling its execution time to provide much superior average-case performance. Our proposal consists of developing a traffic monitoring algorithm that uses a Binary Search Tree along with a shortcut to speed up the detection of active traffic sources in the network. The research paper presents the performance efficiency and the time complexity of the proposed algorithm. Results show that the shortcut traffic monitoring algorithm results in a performance improvement compared to the conventional algorithms for detecting top active nodes. This can be utilized to quickly detect suspicious active nodes and take early action.
CCS CONCEPTS
• Networks → Packet Filtering; • Network Security → Firewall; IDS; • Active Network Sources → Detection;
KEYWORDS
Network Security, DoS, IDS, Firewall, Network Monitoring, Packet Filtering, DoS Detection
ACM Reference Format: Ayah Atiyah and Sufyan Almajali. 2018. A Traffic Tracking Algorithm for a Fast Detection of Active Network Sources. In ICFNDS’18: International Conference on Future Networks and Distributed Systems, June 26–27, 2018, Amman, Jordan. ACM, 6 pages. https://doi.org/10.1145/3231053.3231069
ICFNDS’18, June 26–27, 2018, Amman, Jordan. © 2018 Association for Computing Machinery. ACM ISBN 978-1-4503-6428-7/18/06...$15.00 https://doi.org/10.1145/3231053.3231069
1
INTRODUCTION
As more essential services come to depend on the Internet as part of their communication infrastructure, the effects of Denial of Service (DoS) attacks can be very damaging. Therefore, it is necessary to prevent and mitigate the damage caused by DoS attacks. Firewalls restrict the data traffic flowing from and into the system to deny unauthorized access [21]. Firewalls may also be used to secure against DoS attacks. DoS attack traffic with spoofed source addresses can be prevented using several techniques, such as rejecting packets with wrong IP addresses [20, 28]. Besides doing normal traffic routing, router devices can filter traffic by comparing the source IP address of each received packet with predefined access control lists (ACLs) [10]. Whether done at a firewall or a router, fast intrusion detection is required in order to prevent or mitigate the damage that could result from a DoS attack [18]. The degree of an attack's effect is determined by many significant elements. One of them is the size of the attack traffic relayed undiscovered by the firewall [25]. In the DoS context, the more traffic that hits the target, the bigger the damage [16].
In this work, we propose a DoS mitigation technique that allows efficient detection of malicious active network hosts. A binary search tree (BST) is a data structure that supports efficient search, insert, and delete operations [3, 6, 24]. We propose in this paper to use a BST to track IP addresses, with a counter that tracks how frequently each IP address appears in the network traffic. The most active nodes are tracked by tracking the IPs with the top counters. Along with the BST structure, our solution employs a customized array to sort the counters and read them constantly; the attacker can be caught through the maximum value traced in the sorted array. The small size of the array decreases the number of memory accesses, and accordingly the time to calculate the repetition of IPs within traffic packets.
Another way of storing the values in the array is to create a sorted array that contains the M most active points and is edited instantly each time a new packet request arrives. In other words, the array elements contain pointers to the nodes with the maximum counters. The array plays a shortcut role in detecting the attacker. We compare the two techniques, the one with a shortcut and the one without. The proposed shortcut reduces the time complexity to O(1), which is certainly better compared with the normal technique. While tracking all the packets, if the packet's source IP is in the shortcut array, the algorithm directly increments its counter without the need to traverse the BST nodes as in the case of the normal tree. 96 different experiments are run with different numbers of IPs, numbers of IP packet senders, shortcut array sizes and percentages of heavily used IPs in each packet flow. During the experiments, the time taken to insert a node is calculated. A map is used to generate unique IP addresses. The duplication of IPs is randomly generated and is smart enough to be able to make data packets. We conducted many experiments on the percentage of heaviness of each packet flow. 5% heaviness means that half of the packet flow will be from the first 5% of IP addresses and the rest will be from the other 95% of IP addresses.
The paper is structured as follows. Related work is reviewed in section 2. Section 3 presents the proposed algorithm for efficient network monitoring, followed by experiments and results in section 4. Finally, the paper is concluded in section 5.
2
RELATED WORK
We classify the literature into three broad categories and differentiate our work from them: signature-based solutions, rule-based solutions, and other solutions. Signature-based solutions [19] suffer from being unable to detect newly generated types of attacks unless new attack signatures are loaded. The number of signatures can be huge, which requires resources to store and process them [1] [11].
Many research projects have focused on packet classification for the purpose of detecting abnormal behavior. This is done by checking some of the packet header fields, comparing them with rules in a classification table and taking an action accordingly. The rules can be based on different formats, such as a range that matches multiple packet header fields; they can be fixed or prefix-based as well. Rule-based classification can involve a huge number of rules, which makes it an inefficient solution; for instance, 32k rules [17]. The efficiency of rule-based filtering of traffic packets has been considered in previous research projects [7] [8] [13] [23]. Some research projects have utilized tree data structures to optimize data inspection and monitoring, such as the methods in [8] [13] [23]. These methods optimize for the worst-case scenario when analyzing performance and reducing the search tree depth. On the other hand, they do not consider the randomness of traffic and traffic flow.
Rule-based systems in general face two major issues. First, they can generate a large number of rules. The more rules there are, the worse the classification performance in terms of execution time. The second major issue is the accuracy of the classification, as false alarms can be generated. Our proposed solution is not about rules but rather about detecting the most active nodes efficiently. It is a statistics-based solution. Our proposed solution provides useful network information that can be utilized in attack detection and in other scenarios.
The only resource type needed by our solution is memory to store the BST and the shortcut. In general, we can refresh the tree periodically.
Other solutions can be classified into four categories: load balancing solutions, statistical analysis solutions, architectural model solutions, and Artificial Intelligence (AI) algorithms. The first category covers load-reduction solutions: to minimize the controller overhead that in most cases results from DoS attacks, they suggest approaches such as scheduling controller traffic into multiple queues to the switches. Hsu et al. (2015) and Lim et al. (2015) considered such works [9] [14].
Some works, such as Belyaev and Gaivoronski (2014), proposed a load-balancing technique aiming to distribute the traffic between different routes from the controller [2]. Hsu et al. (2015) suggested a hash-based method that aims to maximize network scalability, especially in the control plane module [9]. In their model, in order to solve the congested switches problem, a hash-based round-robin is applied to pass the incoming packets into multiple queues. Their goal is different from ours: they aim to maintain the communication between the controller and the switch during large amounts of traffic, whereas our goal is to maximize network utilization by proposing an efficient detection mechanism for DoS attacks. In [14], Lim et al. (2015) suggested increasing the survival time during an attack using a scheduling mechanism that holds most of the attack traffic at the attack ingress switches so that normal network operation can continue. Also, to solve the Distributed DoS problem, multiple queues are created for each switch. Whereas [9] aimed at introducing scalability to the network, [14] aimed at increasing the survival time under attack and the continuity of network operation. In [2], Belyaev and Gaivoronski (2014) proposed a method that includes both balancing between devices and the traditional balancing between servers. Their method helps in distributing the traffic between the alternative routes.
Another category deals with the statistical analysis of the switches' data. For instance, Yu et al. (2013) use the counter requests in the switch to perform a statistical-based operation in one of the steps of their method [29]. Wang et al. (2015), on the other hand, use the entropy value as a lightweight detection model [27].
Architectural-based solutions relate to the paradigm and characteristics of the network components for providing solutions against Distributed Denial of Service (DDoS) attacks, such as [22].
[22] proposed a model that consists of two main parts: connection migration (CM) and actuating triggers (ATs). Using this model, the large number of TCP SYN flood requests is recognized and classified, which can help reduce the response time to the attack. However, only a single type of DDoS attack can be defended against in their model, whereas our mechanism acts as a general detection method for DoS attacks. Their work is completely different from ours. Another study is done by [26]. They proposed Scotch, a mitigation method that increases scalability by introducing a vSwitch-based network. Moreover, the new flows are tunneled to and handled by several vSwitches. Both Zaalouk et al. (2014) [30] and Chourishi et al. (2015) [5]. The latter suggested a solution that decouples the monitoring and controlling properties of the controller. This work proposed that the controller's responsibilities are limited to inserting control messages such as flow rules, whereas monitoring is the monitors' main function. Their work focuses on the overhead problem that results from the continuous communication with the network devices. By contrast, our work focuses on the attack detection efficiency problem in the network devices. Another model that suggests splitting the controller functions is presented in [5]. Similar to [30], [5] suggested separating application monitoring and packet monitoring in the controller. They also propose that the controller should be replicated for security and load balancing purposes. Also, if one of the controllers fails, the other one runs as the main one.
There are some limited yet efficient research works that use AI algorithms such as Self Organizing Maps (SOM) and Support Vector Machine (SVM) as attack detection and mitigation classifiers. [4] is one among them. The authors defined a flow collector module which frequently requests all flow table entries from the OpenFlow switches and analyzes them with SOM. They use the flow statistics feature of the OpenFlow switch. [15] and [12] use a support vector machine (SVM) classifier to detect the attack.
3
THE PROPOSED ALGORITHM
We propose a novel method to help in detecting DoS attacks efficiently. The idea revolves around detecting the most active sources of network traffic in an efficient way, employing a BST to track the top M active sources of traffic in the network. When the BST data structure is used, the tree depth should be decreased in order to decrease the number of memory entries. Typically, each IP address is stored in a node and is considered the node key. In addition to the IP address, each node keeps a counter of the number of packets in which that IP appears in the traffic during a specific time period. Whenever a data packet is received, it will be inserted into the tree. Counters are placed in the tree nodes in order to read the frequency of the packet flows of the IP addresses. Each node in the BST stores a value and has two subtrees, denoted left and right. Tree traversal costs O(log N) time in the case of a balanced BST and O(N) in the case of an unbalanced one, where N is the total number of nodes [6]. The proposed algorithm reduces that time complexity to constant time, which shows a major performance improvement as explained in section 4.
The proposed algorithm uses a limited-size array to track the top M most frequently appearing IPs in the traffic. The array includes the IP values along with node pointers to reach the actual node values inside the BST, as shown in figure 1. This array acts as a shortcut to reach the top M active nodes inside the current BST. The purpose of the BST in the context of our problem is to track the top M active IPs by tracking their traffic frequency. Whenever a new packet request arrives, the algorithm searches for its IP address; if it exists, its frequency is increased by one. Otherwise, a new node with that IP is added with frequency 1. The issue with this default behavior is the need for O(M log N) in the best case and O(M·N) in the worst case to compute the top M active IP addresses, where N is the total number of IPs.
A shortcut is inserted into the tree in order to decrease the time taken in traversing the nodes of the tree when searching for an IP address, if that IP address happens to be an active one. This reduces the search time to constant time when the searched IP address is within the shortcut array, assuming M is a small constant. The pseudocode of the main algorithm steps follows, using this notation:
IP := SourceIPAddress
IPp := PreviousIPAddress
SC := Shortcut
Algorithm 1 Insert with a Shortcut Algorithm
Require: SC ← {} where SC is shortcut array
while New Packet Arrive do
    P ← NewArrivedPacket
    Read Source IP address IP
    Compare IP to IPp Previous Packet IP
    if IP = IPp then
        Node ← LastNode
        Nodecounter ← Nodecounter + 1
        if Node ∉ SC then
            if Nodecounter ≥ SC node of min counter then
                SC ← Add Node
                Nodecounter ← Nodecounter + 1
            end if
        end if
        LastNode ← Node
    else
        Do normal BST insert
    end if
end while
Each time a new packet arrives, its source IP address is extracted and compared to the previously seen IP; if they match, the node is quickly determined and its counter is increased. Otherwise, a node search is performed by IP, where the shortcut array is searched first. If the IP address is within the shortcut, the search stops and there is no need to search through the BST. An update procedure is executed to keep track of all packet flows and to know the last packet that arrived. If the new packet is the same as the last one, which is tracked by knowing its index, then instead of traversing all tree nodes the algorithm directly calls the Update procedure, which goes to the array and updates the node counter. The shortcut index is −1 if it is not a replicated packet. Thus, each arriving packet falls into one of three scenarios. The first scenario is when the packet happens to belong to the traffic of an active flow/attack. In this case, the IP will be the same as the IP from the previous check and the BST node is already marked. In the second scenario, the node is not the last one, so we check for the IP inside the shortcut array. If it exists inside the shortcut array, the search stops as well. In the last scenario, if neither of the previous cases applies, we must perform a traditional BST search and, in some cases, an insert.
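The three packet paths described above (same IP as the previous packet, IP found in the shortcut array, ordinary BST search/insert), as an added C++ example that is not the authors' implementation. The names TrafficTracker, record, top, treeSteps and runSample are assumptions, as are the unbalanced tree, one increment per packet, the promotion check on every path, and eviction of the minimum-counter entry when the array is full.

```cpp
#include <algorithm>
#include <cstdint>
#include <cstdio>
#include <deque>
#include <utility>
#include <vector>

// Added illustration; all names here are hypothetical, not from the paper's code.
using IPv4 = std::uint32_t;
using Entry = std::pair<IPv4, std::uint64_t>;   // (source IP, packet count)
enum class Path { LastNode, Shortcut, Tree };   // which lookup path served a packet
class TrafficTracker {
    struct Node { IPv4 ip; std::uint64_t count; Node* left; Node* right; };
    std::deque<Node> arena_;       // owns the nodes; deque keeps addresses stable
    Node* root_ = nullptr;
    Node* last_ = nullptr;         // node updated by the previous packet (IPp)
    std::vector<Node*> shortcut_;  // SC: pointers to the current top-M nodes
    std::size_t m_;

    // Ordinary (unbalanced) BST search-or-insert keyed on the source IP.
    Node* findOrInsert(IPv4 ip) {
        Node** cur = &root_;
        while (*cur) {
            ++treeSteps;
            if (ip == (*cur)->ip) return *cur;
            cur = ip < (*cur)->ip ? &(*cur)->left : &(*cur)->right;
        }
        arena_.push_back(Node{ip, 0, nullptr, nullptr});
        return *cur = &arena_.back();
    }
    // Admit n when there is room, or when its counter has reached the smallest
    // counter in the shortcut (that entry is evicted; it stays in the tree).
    void promote(Node* n) {
        if (m_ == 0) return;
        if (shortcut_.size() < m_) { shortcut_.push_back(n); return; }
        auto min = std::min_element(shortcut_.begin(), shortcut_.end(),
            [](const Node* a, const Node* b) { return a->count < b->count; });
        if (n->count >= (*min)->count) *min = n;
    }

public:
    std::uint64_t treeSteps = 0;   // BST nodes visited so far (cost proxy)
    explicit TrafficTracker(std::size_t m) : m_(m) {}
    Path record(IPv4 ip) {
        Node* n = nullptr; Path path = Path::Tree;
        if (last_ && last_->ip == ip) {           // scenario 1: same as previous packet
            n = last_; path = Path::LastNode;
        } else {
            for (Node* s : shortcut_)             // scenario 2: O(M) scan of the shortcut
                if (s->ip == ip) { n = s; path = Path::Shortcut; break; }
            if (!n) n = findOrInsert(ip);         // scenario 3: normal BST search/insert
        }
        ++n->count;
        if (std::find(shortcut_.begin(), shortcut_.end(), n) == shortcut_.end())
            promote(n);
        last_ = n;
        return path;
    }
    // Current top-M sources, busiest first (ties broken by lower IP).
    std::vector<Entry> top() const {
        std::vector<Entry> out;
        for (const Node* s : shortcut_) out.emplace_back(s->ip, s->count);
        std::sort(out.begin(), out.end(), [](const Entry& a, const Entry& b) {
            return a.second != b.second ? a.second > b.second : a.first < b.first;
        });
        return out;
    }
};

// Constructed sample stream (not measured traffic): 10.0.0.1 is the heavy source.
std::vector<Path> runSample(TrafficTracker& t) {
    const IPv4 A = 0x0A000001, B = 0x0A000002, C = 0x0A000003;
    std::vector<Path> paths;
    for (IPv4 ip : {A, A, B, A, C, A, A}) paths.push_back(t.record(ip));
    return paths;
}

int main() {
    TrafficTracker t(2);
    runSample(t);
    for (const Entry& e : t.top()) std::printf("%08x %llu\n", (unsigned)e.first, (unsigned long long)e.second);
    std::printf("BST nodes visited: %llu\n", (unsigned long long)t.treeSteps);
    return 0;
}
```

Because the tree in this example is unbalanced, the scenario-3 path has the O(N) worst case the text mentions; a balanced tree would bound it at O(log N).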
4
EXPERIMENTS AND RESULTS
The traffic tracking algorithm was implemented and tested in the C++ programming language for real-life experiments. 96 different experiments were run using four different parameters: number of IPs, number of packets, shortcut array size and percentage of replicated IPs in all data flows. Two trees are built: the normal insert is applied to the first one, and insert with shortcut is applied to the other. The time is calculated and compared for both. In order to generate data packets, the GenerateDataPackets procedure is built with five parameters: the array built in the previous procedure (GenerateUniqueIPs), the number of IPs, a new array of strings (which contains the traffic packets), the number of data packets and the percentage of replicated IPs in all data flows. In other words, if the percentage is 5%, half of the traffic comes from the first 5% of the IP addresses and the other half comes from the remaining 95% of the IP addresses.
Mod is used to make sure that an even number of packets is applied (half of the traffic).
Figure 1: Illustration Graph of the Proposed Algorithm
Figure 3: Experiments with 1000 IPs and shortcut size of 7
Figure 2: Experiments with 1000 IPs and shortcut size of 5
As shown in figures 2 to 4, when the network has few nodes, 1000 in this case, the time decreases as the shortcut array size and the percentage of heaviness decrease. There is little difference between the normal and shortcut approaches. However, in figures 5 to 7, we can see that when the number of IP senders increases to 100 thousand, the shortcut results start to outperform the normal ones. When the shortcut array size equals 5, the shortcut tree takes approximately half the time spent on the normal tree. Increasing it to 7, the shortcut takes less than half of the time when the percentages of heaviness are 15 and 20. On the other hand, it takes almost the same time when the percentage of heaviness equals 1 and 2. In other words, raising the percentage at this particular array size gives better performance to the shortcut. Raising the shortcut array size to 10 gives the same results as with 5 and 7.
5
CONCLUSION
Based on simulation results, the network performance has been examined in several DoS attack situations. It is shown that the shortcut traffic tracking algorithm detects the top M active nodes efficiently and saves many memory accesses. The algorithm does especially well when the attack traffic rate is high. However, the other adaptive algorithm may outperform the shortcut traffic tracking algorithm when the attack traffic rate is low. The overall decline in network performance produced by DoS attacks may rise with an increased number of nodes. The proposed algorithm uses approaches that verify the uniqueness of a generated IP address by matching it with its existing addresses database to detect DoS attacks. The shortcut traffic tracking algorithm can be very effective in boosting monitoring performance under DoS attack traffic conditions in the case of Internet Service Providers (ISPs) and large networks.
Figure 4: Experiments with 1000 IPs and shortcut size of 10
Figure 5: Experiments with 100,000 IPs and shortcut size of 5
Figure 6: Experiments with 100,000 IPs and shortcut size of 7
Figure 7: Experiments with 100,000 IPs and shortcut size of 10
REFERENCES
[1] Zeeshan Afzal and Stefan Lindskog. 2016. IDS rule management made easy. In 2016 8th International Conference on Electronics, Computers and Artificial Intelligence (ECAI). IEEE. https://doi.org/10.1109/ecai.2016.7861119
[2] M. Belyaev and S. Gaivoronski. 2014. Towards load balancing in SDN-networks during DDoS-attacks. In 2014 First International Science and Technology Conference (Modern Networking Technologies) (MoNeTeC). IEEE. https://doi.org/10.1109/monetec.2014.6995578
[3] Jon Louis Bentley. 1975. Multidimensional binary search trees used for associative searching. Commun. ACM 18, 9 (1975), 509–517.
[4] Rodrigo Braga, Edjard Mota, and Alexandre Passito. 2010. Lightweight DDoS flooding attack detection using NOX/OpenFlow. In IEEE Local Computer Network Conference. IEEE. https://doi.org/10.1109/lcn.2010.5735752
[5] Dharmendra Chourishi, Ali Miri, Mihailo Milic, and Salam Ismaeel. 2015. Role-based multiple controllers for load balancing and security in SDN. In 2015 IEEE Canada International Humanitarian Technology Conference (IHTC2015). IEEE. https://doi.org/10.1109/ihtc.2015.7238045
[6] Thomas H. Cormen, Charles E. Leiserson, Ronald L. Rivest, and Clifford Stein. 2001. Introduction to Algorithms (2nd ed.). MIT Press, Cambridge, MA, USA.
[7] A. Feldman and S. Muthukrishnan. [n. d.]. Tradeoffs for packet classification. In Proceedings IEEE INFOCOM 2000. Conference on Computer Communications. Nineteenth Annual Joint Conference of the IEEE Computer and Communications Societies (Cat. No.00CH37064). IEEE. https://doi.org/10.1109/infcom.2000.832493
[8] Pankaj Gupta and Nick McKeown. 1999. Packet Classification using Hierarchical Intelligent Cuttings. In Hot Interconnects VII. 34–41.
[9] Shih-Wen Hsu, Tseng-Yi Chen, Yun-Chun Chang, Shuo-Han Chen, Han-Chieh Chao, Tsen-Yeh Lin, and Wei-Kuan Shih. 2015. Design a Hash-Based Control Mechanism in vSwitch for Software-Defined Networking Environment. In 2015 IEEE International Conference on Cluster Computing. IEEE. https://doi.org/10.1109/cluster.2015.81
[10] Lukas Kencl and Christian Schwarzer. 2006. Traffic-adaptive packet filtering of denial of service attacks. In Proceedings of the 2006 International Symposium on World of Wireless, Mobile and Multimedia Networks. IEEE Computer Society, 485–489.
[11] Poonam Sinai Kenkre, Anusha Pai, and Louella Colaco. 2015. Real Time Intrusion Detection and Prevention System. Springer International Publishing, Cham, 405–411. https://doi.org/10.1007/978-3-319-11933-5_44
[12] R. T. Kokila, S. Thamarai Selvi, and Kannan Govindarajan. 2014. DDoS detection and analysis in SDN-based environment using support vector machine classifier. In 2014 Sixth International Conference on Advanced Computing (ICoAC). IEEE. https://doi.org/10.1109/icoac.2014.7229711
[13] Michael E. Kounavis, Alok Kumar, Harrick Vin, Raj Yavatkar, and Andrew T. Campbell. 2004. Directions in Packet Classification for Network Processors. In Network Processor Design. Elsevier, 273–298. https://doi.org/10.1016/b978-012198157-0/50015-5
[14] Sungheon Lim, Sunhee Yang, Younghwa Kim, Hyogon Kim, and Seungnam Yang. 2015. Controller scheduling for continued SDN operation under DDoS attacks. Electronics Letters 51, 16 (Aug. 2015), 1259–1261. https://doi.org/10.1049/el.2015.0334
[15] Jing Liu, Yingxu Lai, and Shixuan Zhang. 2017. FL-GUARD: A Detection and Defense System for DDoS Attack in SDN. In Proceedings of the 2017 International Conference on Cryptography, Security and Privacy (ICCSP ’17). ACM, New York, NY, USA, 107–111. https://doi.org/10.1145/3058060.3058074
[16] Jelena Mirkovic, Sven Dietrich, David Dittrich, and Peter Reiher. 2004. Internet Denial of Service: Attack and Defense Mechanisms (Radia Perlman Computer Networking and Security). (2004).
[17] Sriram Ramabhadran and George Varghese. 2003. Efficient Implementation of a Statistics Counter Architecture. In Proc. ACM SIGMETRICS.
[18] Martin Roesch et al. 1999. Snort: Lightweight intrusion detection for networks. In Lisa, Vol. 99. 229–238.
[19] Pornruthai Saelee and Piboonlit Viriyaphol. 2012. Signature-based IDS using Boolean Weighted Score multiple classifiers. In 2012 International Conference on Computer & Information Science (ICCIS). IEEE. https://doi.org/10.1109/iccisci.2012.6297119
[20] D. Senie and P. Ferguson. 1998. Network ingress filtering: Defeating denial of service attacks which employ IP source address spoofing. Network (1998).
[21] Rupam Kumar Sharma, Hemanta Kumar Kalita, and Biju Issac. 2014. Different firewall techniques: A survey. In Fifth International Conference on Computing, Communications and Networking Technologies (ICCCNT). IEEE. https://doi.org/10.1109/icccnt.2014.6963102
[22] Seungwon Shin, Vinod Yegneswaran, Phillip Porras, and Guofei Gu. 2013. AVANT-GUARD: Scalable and Vigilant Switch Flow Management in Software-defined Networks. In Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security (CCS ’13). ACM, New York, NY, USA, 413–424. https://doi.org/10.1145/2508859.2516684
[23] Sumeet Singh, Florin Baboescu, George Varghese, and Jia Wang. 2003. Packet Classification Using Multidimensional Cutting. In Proceedings of the 2003 Conference on Applications, Technologies, Architectures, and Protocols for Computer Communications (SIGCOMM ’03). ACM, New York, NY, USA, 213–224. https://doi.org/10.1145/863955.863980
[24] Daniel Dominic Sleator and Robert Endre Tarjan. 1985. Self-adjusting binary search trees. Journal of the ACM (JACM) 32, 3 (1985), 652–686.
[25] Theerasak Thapngam, Shui Yu, Wanlei Zhou, and Gleb Beliakov. 2011. Discriminating DDoS attack traffic from flash crowd through packet arrival patterns. In Computer Communications Workshops (INFOCOM WKSHPS), 2011 IEEE Conference on. IEEE, 952–957.
[26] An Wang, Yang Guo, Fang Hao, T.V. Lakshman, and Songqing Chen. 2014. Scotch: Elastically Scaling Up SDN Control-Plane Using vSwitch Based Overlay. In Proceedings of the 10th ACM International on Conference on Emerging Networking Experiments and Technologies (CoNEXT ’14). ACM, New York, NY, USA, 403–414. https://doi.org/10.1145/2674005.2675002
[27] Rui Wang, Zhiping Jia, and Lei Ju. 2015. An Entropy-Based Distributed DDoS Detection Mechanism in Software-Defined Networking. In 2015 IEEE Trustcom/BigDataSE/ISPA. IEEE. https://doi.org/10.1109/trustcom.2015.389
[28] Abraham Yaar, Adrian Perrig, and Dawn Song. 2006. StackPi: New packet marking and filtering mechanisms for DDoS and IP spoofing defense. IEEE Journal on Selected Areas in Communications 24, 10 (2006), 1853–1863.
[29] Minlan Yu, Lavanya Jose, and Rui Miao. 2013. Software Defined Traffic Measurement with OpenSketch. In Presented as part of the 10th USENIX Symposium on Networked Systems Design and Implementation (NSDI 13). USENIX, Lombard, IL, 29–42. https://www.usenix.org/conference/nsdi13/technical-sessions/presentation/yu
[30] Adel Zaalouk, Rahamatullah Khondoker, Ronald Marx, and Kpatcha Bayarou. 2014. OrchSec: An orchestrator-based architecture for enhancing network-security using Network Monitoring and SDN Control functions. In 2014 IEEE Network Operations and Management Symposium (NOMS). IEEE. https://doi.org/10.1109/noms.2014.6838409