Article
Peer-Review Record

HSDT: Table-Overflow Attack Defender with Historical Statistics Based Dynamic Timeout in Software Defined Networks†

Appl. Sci. 2023, 13(22), 12232; https://doi.org/10.3390/app132212232
by Sichul Kevin Noh 1 and Minho Park 2,*
Reviewer 1: Anonymous
Reviewer 2: Anonymous
Reviewer 3: Anonymous
Reviewer 4:
Submission received: 20 September 2023 / Revised: 5 November 2023 / Accepted: 8 November 2023 / Published: 10 November 2023

Round 1

Reviewer 1 Report

Comments and Suggestions for Authors

It is a remarkable issue that a hybrid defense solution is proposed on SDN networks, especially by detecting vulnerabilities in flow tables well. In this study, which may attract the attention of readers, motivation and contributions to the literature are well emphasized. I have a few small suggestions to make the work even more valuable.

- At least a little information about the results obtained should be given in the summary section of the study.

- More current publications should be included in the Related Works section, and it would be better to give a comparative table of all studies at the end of this section.

- 4. Having a flow chart at the beginning of the chapter will allow readers to understand the subject better.

- The resolution of figures and graphics should be increased slightly.

- Maybe the experiment topology can be made more comprehensive (more nodes) to see how it affects the results.

- The conclusion section is very short; it needs to be expanded and should give more information about the proposed method and especially the results obtained from the tests performed.

- More current publications should be added to the references.

Author Response

Thank you for taking the time to review our manuscript. The detailed responses are below, and the corresponding changes are highlighted in the re-submitted file.

 

Comment 1: At least a little information about the results obtained should be given in the summary section of the study.

Response 1: We've added a line that briefly explains the experiment results in the Abstract.

Comment 2: More current publications should be included in the Related Works section, and it would be better to give a comparative table of all studies at the end of this section.

Response 2: We included a few recent research papers in the related works section and added a comparative table as well.

Comment 3: Having a flow chart at the beginning of the chapter will allow readers to understand the subject better.

Response 3: We thought that our scheme is straightforward, but we added a simple flow chart that shows the overall control flow of the scheme in the Introduction section.

Comment 4: Maybe the experiment topology can be made more comprehensive (more nodes) to see how it affects the results.

Response 4: We used a very simple experiment topology: one normal host and one attacker host. This is because our scheme does not block ports or drop packets, etc. Instead, it adjusts the timeout for each flow rule. And the pcap file we used has 40467 flows with about 2000 different IP addresses. So we believe that using a more complicated topology is not necessary.

Comment 5: The conclusion section is very short; it needs to be expanded and should give more information about the proposed method and especially the results obtained from the tests performed.

Response 5: We put additional information in the discussion and conclusion sections.

 

Reviewer 2 Report

Comments and Suggestions for Authors

The proposed approach to mitigating flow table overflow attacks. However, it is important to note that the strategy is based on the assumption that attackers will spoof a number of packets with different match fields. If attackers are able to learn the match fields of legitimate flows, they may be able to evade the proposed strategy. Therefore, it is important to use the proposed strategy in conjunction with other security measures, such as intrusion detection systems and traffic filtering.

More details are needed about how the index of trust is derived from history and how the index of trust is calculated for each flow. Also, how is the timeout value set based on the index of trust?

As mentioned, “Our work was inspired by some research utilizing dynamic timeouts [7]–[10].” It would be beneficial to provide a more comprehensive comparison with this related work, highlighting the advantages of your proposed scheme.

The paper could be improved by discussing the limitations of the proposed scheme in more detail.

 

Some non-technical comments:

The state of the art is very limited. Almost all the cited references are from conferences and proceedings.

Rephrase the citing sentences such as “[8], [9], [10] proposed mechanisms adjusting timeouts dynamically, etc.”

The paper is not formatted as per the journal requirements.

Author Response

Thank you for taking the time to review our manuscript. The detailed responses are below, and the corresponding changes are highlighted in the re-submitted file.

 

Comment 1: More details are needed about how the index of trust is derived from history and how the index of trust is calculated for each flow. Also, how is the timeout value set based on the index of trust?

Response 1: Apologies for the inconvenience. There were formatting problems in our equations, but the answers to these questions are now in Section 2.2.2 - Statistics Module. Basically, AFD is the fluctuating baseline of the timeouts (a moving average of the flow durations in the network), and the hard/idle timeouts for flow rules are determined based on the AFD and their history (cumulative packet counts).

Comment 2: As mentioned, “Our work was inspired by some research utilizing dynamic timeouts [7]–[10].” It would be beneficial to provide a more comprehensive comparison with this related work, highlighting the advantages of your proposed scheme.

Response 2: We really appreciate this comment. We have a paragraph that compares our scheme to that research, and we added a comparison table of related works as well in the Related Work section.

Comment 3: The paper could be improved by discussing the limitations of the proposed scheme in more detail.

Response 3: Added a paragraph that discusses the memory efficiency of our scheme in the conclusion section.

Comment 4: Rephrase the citing sentences such as “[8], [9], [10] proposed mechanisms adjusting timeouts dynamically, etc.”

Response 4: Thanks for pointing this out; we rephrased some of them.

Comment 5: Paper is not formatted as per journal requirement.

Response 5: Revised the manuscript to follow the template.

 

Reviewer 3 Report

Comments and Suggestions for Authors

This paper proposes a history-based dynamic timeout scheme to mitigate the flow table overflow attack. While it serves as a useful starting point, in my opinion, the contributions are not valuable enough for publication.

My comments are as follows:

1. I question the assumption made in the manuscript that "a flow having more packets in the past is less suspicious or more trustworthy." In my opinion, this assumption is not true when a deliberate attack occurs.

2. The manuscript focuses more on explaining the strategy rather than its implementation and verification in real-world experiments.

3. The Introduction section is lengthier than necessary.

4. The authors should conduct repeated experiments to compare the statistical results.

5. There are several formatting errors, such as Table IV and the misplaced parentheses in Eq. (7, 8).

Author Response

Thank you for taking the time to review our manuscript. The detailed responses are below, and the corresponding changes are highlighted in the re-submitted file.

 

Comment 1: I question the assumption made in the manuscript that "a flow having more packets in the past is less suspicious or more trustworthy." In my opinion, this assumption is not true when a deliberate attack occurs.

Response 1: I agree. However, even if a sophisticated attacker performs a deliberate attack, he wants to stand on the boundary, i.e., consistently send the least number of packets, similar to that of the normal flows, to minimize the attack cost. And to get a long enough timeout value, the attacker must increase the AFD (average flow duration in the network) by sending packets consistently for a very long time. Then the attack flows will get smaller timeout values than elephant flows or most of the normal flows, so the attack flows will expire first. The proposed scheme will still be able to mitigate a deliberate attack decently while the attacker has to pay a high attack cost. This will make the scheme a less tempting target.

Comment 2: The manuscript focuses more on explaining the strategy rather than its implementation and verification in real-world experiments.

Response 2: Agreed. But the paper gives an intuition which is overlooked by other researchers, and the experiment was a proof of concept.

Comment 3: The Introduction section is lengthier than necessary.

Response 3: We agree but we wanted to provide enough information for the readers who don't have related backgrounds. And it was important to explain our simple yet solid and effective scheme.

Comment 4: The authors should conduct repeated experiments to compare the statistical results.

Response 4: In the result section, Figures 8 and 9, we can clearly see the correlation between each timeout strategy and the legit/attack flow rule ratio. So we believe that repeated experiments are not necessary.

Comment 5: There are several formatting errors, such as Table IV and the misplaced parentheses in Eq. (7, 8).

Response 5: We are sorry about these errors. All errors in tables and equations are gone now.
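The two mechanisms the authors describe in their responses (Response 1 to Reviewer 2: AFD as a moving-average baseline, with flow-rule timeouts derived from the AFD and each flow's cumulative packet count; Response 1 to Reviewer 3: attack flows with little history receive shorter timeouts and expire first, and an attacker can only lengthen them by sending far more packets) can be illustrated with a small model. The following Python is an added example written for this page, not code from the paper or its authors. The paper's actual equations are not reproduced on this page, so the log2 scaling of packet count, the min/max clamp, the window size and the constructed traffic are all assumptions chosen for illustration.

```python
import math
from collections import deque


def timeout_for(afd, packets, lo=1.0, hi=60.0):
    """Assumed scaling: timeout = AFD * log2(1 + cumulative packets), clamped to [lo, hi].

    A flow seen for the first time gets exactly the AFD; every doubling of its
    packet history adds one more AFD. This is an illustrative choice, not the
    paper's formula.
    """
    return max(lo, min(hi, afd * math.log2(packets + 1)))


def packets_needed_for(target_timeout, afd):
    """Inverse of timeout_for: how many packets a flow must have sent before its
    timeout reaches target_timeout (the 'attack cost' of buying a long timeout)."""
    return math.ceil(2 ** (target_timeout / afd) - 1)


class HistoryDynamicTimeout:
    """Toy model of a history-based dynamic idle timeout for SDN flow rules."""

    def __init__(self, window=64, min_timeout=1.0, max_timeout=60.0):
        self.durations = deque(maxlen=window)   # recent completed flow durations (seconds)
        self.packets = {}                        # flow key -> cumulative packet count (history)
        self.rules = {}                          # flow key -> (last_seen, idle_timeout)
        self.min_timeout = min_timeout
        self.max_timeout = max_timeout

    def record_duration(self, seconds):
        """Feed the moving average with a completed flow's duration."""
        self.durations.append(seconds)

    @property
    def afd(self):
        """Average flow duration over the window: the fluctuating baseline timeout."""
        if not self.durations:
            return self.min_timeout
        return sum(self.durations) / len(self.durations)

    def rule_timeout(self, key):
        return timeout_for(self.afd, self.packets.get(key, 0),
                           self.min_timeout, self.max_timeout)

    def on_packet(self, key, now):
        """A packet for `key` arrives: update its history and (re)install its rule."""
        self.packets[key] = self.packets.get(key, 0) + 1
        self.rules[key] = (now, self.rule_timeout(key))

    def expire(self, now):
        """Idle-timeout semantics: evict rules not refreshed within their timeout."""
        gone = [k for k, (seen, t) in self.rules.items() if now - seen > t]
        for k in gone:
            del self.rules[k]
        return gone


def demo():
    """Constructed scenario: legitimate flows with history, one elephant flow,
    and 50 spoofed single-packet flows all installed at t=0."""
    policy = HistoryDynamicTimeout()
    for d in (4.0, 6.0, 8.0, 10.0, 12.0):    # constructed recent durations -> AFD = 8.0 s
        policy.record_duration(d)

    for i in range(10):                       # legit-i has sent 3..12 packets
        for _ in range(3 + i):
            policy.on_packet(f"legit-{i}", now=0.0)
    for _ in range(1023):                     # a long-lived elephant flow
        policy.on_packet("elephant", now=0.0)
    for i in range(50):                       # spoofed flows: one packet each
        policy.on_packet(f"spoof-{i}", now=0.0)

    table_before = len(policy.rules)
    # Check the table just after the single-packet timeout has elapsed.
    evicted = policy.expire(now=policy.afd + 0.5)
    legit_left = [k for k in policy.rules if not k.startswith("spoof-")]
    return {
        "afd": policy.afd,
        "spoof_timeout": timeout_for(policy.afd, 1),
        "min_legit_timeout": min(timeout_for(policy.afd, 3 + i) for i in range(10)),
        "table_before": table_before,
        "evicted": len(evicted),
        "legit_left": len(legit_left),
        "rules_left": len(policy.rules),
    }


if __name__ == "__main__":
    print(demo())
    print("packets needed for a 60 s timeout at AFD 8 s:", packets_needed_for(60.0, 8.0))
```

With the constructed AFD of 8 s, every spoofed single-packet rule carries an 8 s idle timeout while the weakest legitimate flow (3 packets of history) carries 16 s, so the 50 spoofed rules leave the table first and all 11 legitimate rules survive. The inverse function makes the cost argument concrete: under these assumed parameters a flow must have sent 181 packets before its timeout reaches the 60 s cap, which is the "high attack cost" the authors refer to.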

 

Reviewer 4 Report

Comments and Suggestions for Authors

In this paper, the authors proposed an approach based on dynamic timeouts for preventing table-overflow network attacks. Although the authors have tried to propose a new method for overcoming one of the critical issues of SDN, the paper should be improved quite a lot in the following aspects:

- The references are quite old. There exist many publications discussing signature-based network intrusion detection/prevention with very good results.

- To show the advantages of the method, the experimental results in terms of accuracy and throughput/bandwidth must be compared with other works, because signature-based approaches have been studied well in recent years.

- In the experiment section, the reviewer cannot see anything related to the experimental platforms for testing the proposed approach. Is it a simple computer or FPGA/GPU-based high-speed network systems? It is very important to know the testing system to evaluate the bandwidth.

 

Comments on the Quality of English Language

English is good enough.

Author Response

Thank you for taking the time to review our manuscript. The detailed responses are below, and the corresponding changes are highlighted in the re-submitted file.

 

Comment 1: The references are quite old. There exist many publications discussing signature-based network intrusion detection/prevention with very good results.

Response 1: We've added a few papers proposing ML-based DoS protection to the Related Works section.

Comment 2: To show the advantages of the method, the experimental results in terms of accuracy and throughput/bandwidth must be compared with other works, because signature-based approaches have been studied well in recent years.

Response 2: Due to a lack of time, we could only reproduce an environment for FTGuard. However, the purpose of our scheme is not to thoroughly filter attack flows out. The advantage of our scheme is that it is able to get rid of possible attack flows (or even short normal flows) from flow tables with a very simple yet solid implementation. And that is why we didn't show the accuracy of the scheme. There are possibilities of hash collisions (from the Bloom filter), or of evicting short normal flows instead of attack flows. However, in a big-picture sense, it filtered out most of the attack flows while preserving a great part of the normal flows. Also, signature-based or ML-based approaches require much more computational power. Meanwhile, our lightweight scheme can be deployed at edge networks or sensor networks where lightness and efficiency are the top priority.

Comment 3: In the experiment section, the reviewer cannot see anything related to the experimental platforms for testing the proposed approach. Is it a simple computer or FPGA/GPU-based high-speed network systems? It is very important to know the testing system to evaluate the bandwidth.

Response 3: There was a sentence mentioning the setup, but we think that was not clear enough. We revised the first line of Section 2.3.1. It is a simple computer, and the experiment was conducted with 4 virtual machines on the computer.

 

Round 2

Reviewer 2 Report

Comments and Suggestions for Authors

The authors have addressed all my comments. It may be considered for publication subject to the other reviewers' comments/suggestions.

Author Response

Thanks for taking time to review my answers.

 

 

Reviewer 3 Report

Comments and Suggestions for Authors

Although the revised manuscript has shown improvement compared to the previous version, the previous concerns have not been effectively addressed. Therefore, after careful consideration, I still insist on rejecting the submission.

Author Response

Thanks for taking time to review my answers.

 

Reviewer 4 Report

Comments and Suggestions for Authors

I am not satisfied with the answers of the authors for my comments especially for my second comment.

Actually, a lot of studies in the literature already try to apply ML-based or signature-based NIDS for edge computing. Here is an example: FPGA Hardware Acceleration Framework for Anomaly-based Intrusion Detection System in IoT.

The added text and modifications do not thoroughly provide a comprehensive review of this topic. Please spend more time conducting an up-to-date literature review and compare the results of this paper to some of them. Otherwise, the reviewer cannot see any new contribution from the paper.

Comments on the Quality of English Language

English is good enough.

Author Response

Thank you for the review. The detailed responses are below, and the corresponding changes are highlighted in the re-submitted file.

 

Comment 1: Actually, a lot of studies in the literature already try to apply ML-based or signature-based NIDS for edge computing. Here is an example: FPGA Hardware Acceleration Framework for Anomaly-based Intrusion Detection System in IoT.

Response 1: Thanks for providing a specific example of the related papers. The paper showed remarkable performance, but they evaluated the metrics (accuracy, F1 score, etc.) with the same dataset they used for training, so this cannot be considered a good experiment. Although other papers show great performance in the research area, our opinion about applying ML techniques is still the same. It not only opens additional attack surfaces (e.g., adversarial attacks like poisoning/evasion/model extraction attacks) but also requires additional effort for deployment (e.g., maintaining ML model consistency among the edge nodes for consistent detection results).

 

Comment 2: The added text and modifications do not thoroughly provide a comprehensive review of this topic. Please spend more time conducting an up-to-date literature review and compare the results of this paper to some of them. Otherwise, the reviewer cannot see any new contribution from the paper.

Response 2: We added more in the related works section.

 

 

Author Response File: Author Response.pdf

Round 3

Reviewer 4 Report

Comments and Suggestions for Authors

I agree with the modifications the authors have made. I think the article is sufficient for publication.