Attribute-Guard: Attribute-Based Flow Access Control Framework in Software-Defined Networking

Zhu, Xianwei; Chang, Chaowen; Qin, Xi; Zuo, Zhibin

doi:10.1155/2020/6302739

Cited by 8 publications

(7 citation statements)

References 15 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In the table, l denotes the number of switches in the forwarding path, and M denotes the computation process of a message authentication code. It can be seen from Table 3 that the extra header overhead and the verification overhead of data packets for SDNsec ( Sasaki et al, 2016 ) grow linearly with l , which will incur large overhead when the forwarding path is long; P4Label ( Zuo et al, 2020 ) introduces large extra header overhead and requires three pairing bilinear operations at the egress switch; Attribute-Guard’s ( Zhu et al, 2020 ) verification overhead of data packets increases linearly with the number of attribute features, when the value of | S Υ | is large, it will cause huge cost to the controller. Compared to related schemes, AISCF incurs less extra header overhead and has smaller and more stable time overhead for data packet verification.…”

Section: Analysis and Discussionmentioning

confidence: 99%

“…To enable users to flexibly use data streams on demand, Halpern & Pignataro (2015) proposed service function chain (SFC), which built the SDN flow table and controlled and forwarded data streams according to different user needs, but SFC did not analyze the security of the scheme. Zhu et al ’s ( 2020 ) Attribute-Guard used attribute features to classify rules issued by SDN controller into fine-grained categories, improving the drawback of fixed OpenFlow match item categories, and combined digital signature to verify the source of different types of data streams, but the scheme executed signature verification process on switches, introducing large forwarding delay.…”

Section: Related Workmentioning

confidence: 99%

“…AISCF only performs sampling at the switching devices, and delegates the signature verification process to the controller. Attribute-Guard ( Zhu et al, 2020 ) has a large time overhead in the verification process, because it involves multiple bilinear pairings and polynomial calculations in the signature verification process, and the number of calculations is linearly related to the number of attributes, which increases the forwarding delay of data packets. Compared with Attribute-Guard, AISCF only performs one bilinear pairing and one exponentiation in the signature verification process, which significantly improves the signature verification overhead.…”

Section: Experiments and Evaluationmentioning

confidence: 99%

See 2 more Smart Citations

Attribute identification based IoT fog data security control and forwarding

Xiao,

Chang,

et al. 2023

PeerJ Computer Science

Self Cite

View full text Add to dashboard Cite

As Internet of Things (IoT) applications continue to proliferate, traditional cloud computing is increasingly unable to meet the low-latency demands of these applications. The IoT fog architecture solves this limitation by introducing fog servers in the fog layer that are closer to the IoT devices. However, this architecture lacks authentication mechanisms for information sources, security verification for information transmission, and reasonable allocation of fog nodes. To ensure the secure transmission of end-to-end information in the IoT fog architecture, an attribute identification based security control and forwarding method for IoT fog data (AISCF) is proposed. AISCF applies attribute signatures to the IoT fog architecture and uses software defined network (SDN) to control and forward fog layer data flows. Firstly, IoT devices add attribute identifiers to the data they send based on attribute features. The ingress switch then performs fine-grained access control on the data based on these attribute identifiers. Secondly, SDN uses attribute features as flow table matching items to achieve fine-grained control and forwarding of fog layer data flows based on attribute identifiers. Lastly, the egress switch dynamically samples data flows and verifies the attribute signatures of the sampled data packets at the controller end. Experimental validation has demonstrated that AISCF can effectively detect attacks such as data tampering and forged matching items. Moreover, AISCF imposes minimal overhead on network throughput, CPU utilization and packet forwarding latency, and has practicality in IoT fog architecture.

show abstract

Section: Analysis and Discussionmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

Section: Experiments and Evaluationmentioning

confidence: 99%

See 1 more Smart Citation

Attribute identification based IoT fog data security control and forwarding

Xiao,

Chang,

et al. 2023

PeerJ Computer Science

Self Cite

View full text Add to dashboard Cite

show abstract

“…Password identification enabled a more accurate representation of the data flow and ensured the integrity of the message. Previous studies [28] introduced an attribute-based group signature algorithm to verify the data packet forwarding process, signed data packets flowing into the network according to the user identity and other attributes, and controlled and forwarded data flows based on user attributes, achieving fine-grained secure data flow forwarding and verification. However, the methods proposed in [27,28] only signed the message load, which could not guarantee the security of the matches as the basis for forwarding and could not defend against network attacks launched by attackers through match tampering or forgery.…”

Section: Related Workmentioning

confidence: 99%

“…Previous studies [28] introduced an attribute-based group signature algorithm to verify the data packet forwarding process, signed data packets flowing into the network according to the user identity and other attributes, and controlled and forwarded data flows based on user attributes, achieving fine-grained secure data flow forwarding and verification. However, the methods proposed in [27,28] only signed the message load, which could not guarantee the security of the matches as the basis for forwarding and could not defend against network attacks launched by attackers through match tampering or forgery. SDNsec [29] added a code containing the transmission path information to the data packet; thus, the switch could verify this field of data packets that pass through the switch in the network, discard those that violated the path rules, and ensure data packet forwarding according to the path specified path in the SDN.…”

Section: Related Workmentioning

confidence: 99%

A Secure Data Flow Forwarding Method Based on Service Ordering Management

Xiao

Chang

et al. 2022

Electronics

Self Cite

View full text Add to dashboard Cite

The transmission of data flows in current networks is in a scattered and disordered state, which makes it difficult to effectively discover and defend against network attacks in a timely manner, while network managers lack the tools for the secure and orderly management of data flows. To solve this problem, a secure data flow forwarding method based on service ordering management is proposed in this paper. By defining the service header, the scheme realizes a fine-grained service-based division of data flows. The rules for services in the network are formulated, and orderly control over data flows based on the rules is implemented through the software-defined network architecture, such that only data flows meeting the rules are allowed to pass through the network. Meanwhile, to achieve secure data flow forwarding, data flow is signed, and the signature fields are sampled and verified on the forwarding device to ensure the correctness and tamperproof nature of the data flow forwarding process. The experimental results reveal that the proposed method based on service ordering management can achieve fine-grained and orderly secure data flow control forwarding, effectively defending against network attacks and improving network security. Furthermore, the additional forwarding delay introduced by the scheme is in the controllable range, making the approach practical.

show abstract

Authentication-Centric and Access-Controlled Architecture for Edge-Empowered SDN-IoT Networks

Sahana,

Brahmananda

2024

J. Inst. Eng. India Ser. B

View full text Add to dashboard Cite

Attribute-Guard: Attribute-Based Flow Access Control Framework in Software-Defined Networking

Cited by 8 publications

References 15 publications

Attribute identification based IoT fog data security control and forwarding

Attribute identification based IoT fog data security control and forwarding

A Secure Data Flow Forwarding Method Based on Service Ordering Management

Authentication-Centric and Access-Controlled Architecture for Edge-Empowered SDN-IoT Networks

Contact Info

Product

Resources

About