Lightweight IPS for Port Scan in Openflow SDN networks

Security has been one of the major concerns for the computer network community due to resource abuse and malicious flows intrusion. Before a network or a system is attacked, a port scan is typically performed to discover vulnerabilities, like open ports, which may be used to access and control them. Several studies have addressed Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) methods for detecting malicious activities, based on received flows or packet data analysis. However, those methods lead to an increase in switching latency, due to the need to analyze flows or packets before routing them. This may also increase network overhead when flows or packets are duplicated to be parsed by an external IDS. On the one hand, an IDS/IPS may be a bottleneck on the network and may not be useful. On the other hand, the new paradigm called Software Defined Networking (SDN) and the OpenFlow protocol provide some statistical information about the network that may be used for detecting malicious activities. Hence, this work presents a new port scan IPS for SDN based on the OpenFlow switch counters data. A non-intrusive and lightweight method was developed and implemented, with low network overhead, and low memory and processing power consumption. The results showed that our method is effective on detecting and preventing port scan attacks.