
Detailed Record

Author (Chinese): 王闖
Author (English): Wang, Chuang
Thesis title (Chinese): 基於OpenFlow之協同式雲端網路入侵防禦系統
Thesis title (English): An OpenFlow-based Collaborative Intrusion Prevention System for Cloud Networking
Advisor: 黃能富
Committee members: 石維寬, 陳俊良
Degree: Master's
Institution: National Tsing Hua University (國立清華大學)
Department: Department of Computer Science (資訊工程學系)
Student ID: 101062467
Year of publication (ROC calendar): 103
Graduation academic year: 102
Language: Chinese
Number of pages: 48
Keywords (Chinese): 雲端運算, 軟體定義網路, 網路安全, 入侵防禦 (cloud computing, software-defined networking, network security, intrusion prevention)
Keywords (English): Cloud Computing, SDN, Network Security, IPS
Statistics:
  • Recommendations: 1
  • Views: 292
  • Rating: *****
  • Downloads: 15
  • Bookmarks: 0
Abstract (Chinese, translated):
Software-Defined Networking (SDN) is an emerging network architecture that can be used to solve the problems today's networks face because of high bandwidth and diversity. In this architecture, the control plane and the data plane operate separately. Much of the literature has discussed how SDN can be used to solve the thorniest security problems of traditional networks, but little of it touches on cloud security threats, in particular the detection of botnets and malware and the problem of attacks from inside the cloud. This thesis therefore proposes an SDN-based intrusion prevention system for cloud networks.
The proposed system relies on the centralized control, programmability and virtualization properties of the SDN architecture. The system is divided into two distinct phases that communicate through predefined application programming interfaces (APIs). In the detection phase, the detector can be open-source software such as Snort or the lightweight scan-filtering program proposed in this thesis. The control phase consists of the controller (control plane) and OpenFlow switches (data plane), and decides flow insertion in advance according to the defined application module.
The implementation of botnet/malware blocking, scan filtering and a honeypot mechanism ensures collaborative defense. When malicious traffic is blocked, in-depth incident warning messages are generated, which makes it possible to effectively remove bot-infected virtual machines inside the private cloud; because scanning behavior is blocked as early as possible, the virtual machines' own vulnerabilities are hard to exploit; and the honeypot mechanism is used to trap attackers. Experimental results confirm the system's high detection rate, prevention accuracy and low vulnerability.
Abstract (English):
Software-Defined Networking (SDN) is an emerging architecture that is ideal for the high-bandwidth, dynamic nature of today's network environments. In this architecture, the control and data planes are decoupled. Although much research has been done on how SDN can resolve some of traditional networking's most glaring security issues, less has touched on cloud security threats, especially botnet/malware detection and in-cloud attacks. In this thesis, an intrusion prevention system for cloud networking based on SDN solutions is proposed.
The proposed system benefits from the key attributes of the SDN architecture: logically centralized intelligence, programmability, and abstraction. The system consists of two distinct phases that communicate through pre-defined Application Programming Interfaces (APIs). Within the detection phase, the detector can be either existing detection software, such as the open-source Snort IDS, or the lightweight scan-filtering program designed in this thesis. The control phase is composed of the controller (the control plane) and the OpenFlow-based switch (the data plane), which handles flow insertion proactively according to the defined application module.
In order to achieve collaborative defense, botnet/malware blocking, scan filtering and honeypot mechanisms are implemented. Malicious traffic is isolated, and in-depth incident reports are generated so that bot-infected VMs can be removed from the private cloud effectively and efficiently. Scanning behavior can be filtered at a very early stage, which makes the VMs less exploitable. A honeypot mechanism is also deployed to trap attackers. Experimental results show the high detection rate, exact prevention accuracy and low vulnerability of the proposed system.
Table of contents (page numbers refer to the thesis):
Chapter 1 Introduction 1
Chapter 2 Related Works 3
2.1 Review of Literature 3
2.2 Floodlight OpenFlow Controller 6
2.3 Snort 7
2.4 CloudStack 8
Chapter 3 System Design and Architecture 12
3.1 System Architecture Overview 12
3.2 System Procedure 14
3.2.1 Procedure of Botnet/Malware Blocking Mechanism 14
3.2.2 Procedure of Scan Filtering Mechanism 16
3.2.3 Procedure of Honeypot Mechanism 17
3.3 Design of Control Phase 18
3.3.1 The Controller Side Design 18
3.3.2 The OpenFlow-hybrid Switch 19
3.4 Design of Detection Phase 21
Chapter 4 Implementation and Experiments 23
4.1 Environment 23
4.2 Botnet/Malware Blocking Implementation 23
4.3 Scan Filtering Implementation 29
4.4 Honeypot Implementation 31
4.5 CTDA Implementation 32
4.6 Experimental Results 34
4.6.1 The Botnet/Malware Blocking Result 34
4.6.2 The Scan Filtering Result 35
4.6.3 The Anti-flooding (Honeypot) Result 37
4.6.4 Evaluation of Prevention Latency 39
4.6.5 Evaluation of VM Vulnerability 40
Chapter 5 Conclusion and Future work 43