End-to-End and Network-wide Attack Defense Solution -Overhaul Carrier Network Security


Jul 18, 2016 posted by Fabian FU, Fixed Network Security Principal Architect of Huawei Technologies, China Comments

DOI: 10.13052/popcas006 | Read[470]

The increasing distributed denial of service (DDoS) attacks, particularly web session attacks, may overwhelm existing attack detection and cleaning capacity of customers. According to statistics of Verisign, more than 70% DDoS attacks target on IT Services/Cloud/SaaS, financial services and Public sector. Such attacks are mainly covert and destructive session attacks, such as the well-known SYN flood, HTTP Get flood, CC, and retransmission attacks. An unconventional, end-to-end, and network-wide attack defense solution is provided to carriers for addressing these attacks.

This solution leverages software-defined networking (SDN) and big data analysis capabilities to provide powerful detection and cleaning capacity against network attacks, particularly session attacks.

Solution Highlights
1. One Net: Provides an end-to-end and network-wide security defense by incorporating security capabilities into core network elements (NEs) like routers, which collaborate with service awareness and anti-DDoS devices to form an in-depth defense system.

2. One Brain: Collects traffic samples from the entire network and uses big data techniques for centralized data process and machine learning for in-depth analysis to understand the network security posture in real time.

3. One Conductor: Uses SDN for network control to implement secure and effective operation.

4. One Platform: Migrates security value-added services to the cloud to provide customers with a better security experience.

Architecture of end-to-end and network-wide attack defense solution based on SDN and big data analysis

  • Sampling: Small Change, Big Difference
    • A session-based sampling technique extends session signatures in security inspection to detect light-traffic and massive-sessions attacks. Together with existing traffic-based detection techniques, the solution greatly improves the capability of network attack detection.
  • Data Processing: Big Data, Various Clusters
    • The solution uses big data platform with mainstream Hadoop/Spark cluster techniques in the industry to concurrently process massive sampled network data. The processing performance can be increased linearly with adding servers for future expansion.
  • Attack detection: Machine Learning, Dynamic Identification
    • Based on expert rules created based on years' of networking experience, the analysis system identifies typical attacks and effectively detects deep attacks through dynamic baselines of hundreds of signatures. The solution utilizes machine learning for in-depth data mining, which can discover more valuable signatures, identify various signature anomalies, and more accurately identify attacks. The solution generates objects dynamically based on network situations and develops a baseline based on historical traffic patterns to detect new attacks (such as LFA).
  • Rapid Response: Traffic Diversion and Cleaning, Rate Limiting for Defense
    • The solution utilizes SDN for centralized control and unified management of network control policies. It generates new policies quickly and automatically according to network topology and attack traffic, and implements traffic blocking, rate limiting, and traffic diversion and cleaning in an intelligent manner.
  • Open Platform: Cloud Cleaning, Win-Win Cooperation
    • Security value-added services can be deployed on cloud in a unified manner. Leveraging SDN's flexibility and service chain scheduling, the solution implements cleaning of attack traffic in the cloud. The solution launches security solutions with other security vendors, to develop a complete security ecosystem and provide customers with more security services.
By means of big data and machine learning technology, it can analysis NetFlow and IPFIX data through building millions of security features to detect attacks accurately without the packet-depth analysis, under the whole detection and defense policy orchestration of SDN controller, it only cost 10 percent of the cost compared with traditional DPI solutions without sacrificing performance, it suite for low-cost security services provide by carriers of telecom in case of the rapid growth of traffic and the bandwidth, which is not accompanying with revenue growth accordingly (MSSP services).