Joint Controller Placement and Intrusion Detection System Enablement in Software Defined Mobile Ad Hoc Networks

Conference: European Wireless 2023 - 28th European Wireless Conference
02.10.2023-04.10.2023 in Rome, Italy

Proceedings: European Wireless 2023

Pages: 8
Language: English
Type: PDF

Authors:
Kafetzis, Dimitrios; Koutsopoulos, Iordanis (Department of Informatics, Athens University of Economics and Business, Athens, Greece)

Abstract:
This work contributes towards improving the security infrastructure in Software-Defined Networking (SDN) enabled Mobile Ad Hoc Networks (MANETs), emphasizing efficient deployment of a reactive firewall. This is a defense system that comprises an SDN controller and several Intrusion Detection Systems (IDSs), and it operates in real time to detect potential threats and respond to them. IDSs detect network cyber attacks and policy violations, and inform the controller about detected attacks in real time. We introduce a model and an algorithmic framework for deciding where to place the SDN controller and IDS modules in a network graph. The constraints include a maximum number of IDS modules to place, and a minimum required attack traffic path coverage by IDSs, where a path is said to be covered if there exists at least one IDS placed on a node along the path. We propose two algorithms: a Greedy Heuristic and a Simulated Annealing one. Our approaches are evaluated in terms of attack mitigation delay, and they provide IDS deployments with high network path coverage. Validation results using a custom Python simulator and real-world scenarios demonstrate the efficiency of our solutions in comparison to a solution where all nodes are IDS-enabled, and to another one with random IDS module placement. Our algorithms significantly outperform these baselines in terms of delay and achieve attack path coverage of more than 90%. Additionally, the Simulated Annealing algorithm shows superiority in terms of run-time, and thus it is an attractive candidate for real-world implementations.