Efficient Forwarding Anomaly Detection in Software-Defined Networks
IEEE Transactions on Parallel and Distributed Systems (IF 5.6), Pub Date: 2021-03-26, DOI: 10.1109/tpds.2021.3068135
Qi Li , Yunpeng Liu , Zhuotao Liu , Peng Zhang , Chunhui Pang

Data centers, the critical infrastructure underpinning Cloud computing, often employ Software-Defined Networks (SDN) to manage cluster, wide-area and enterprise networks. As the network forwarding in SDN is dynamically programmed by controllers, it is crucial to ensure that the controller intent is correctly translated into underlying forwarding rules. Therefore, detecting and locating forwarding anomalies in SDN is a fundamental problem in production networks. Existing research proposals, roughly categorized into probing-based, packet piggybacking-based, and flow statistics analysis-based, either impose significant overhead or do not provide sufficient coverage for certain forwarding anomalies. In this article, we propose ${\sf FADE}$, a controllable and passive measuring scheme that delivers detection efficiency and accuracy simultaneously. ${\sf FADE}$ first analyzes the entire network topology and flow rules, and then computes a minimal set of flows that covers all forwarding rules. For each selected network flow, ${\sf FADE}$ decides the optimal number of monitoring positions on its path (far fewer than the total number of hops), and installs dedicated rules to collect flow statistics. ${\sf FADE}$ controls the installation and expiration of these rules, along with unique flow labels, to guarantee the accuracy of the collected statistics; based on those statistics, ${\sf FADE}$ algorithmically decides whether a forwarding anomaly is present and, if so, further locates the anomaly. On top of ${\sf FADE}$, we propose ${\sf iFADE}$ (a more scalable version of ${\sf FADE}$) to further optimize the usage and deployment of dedicated measurement rules. ${\sf iFADE}$ achieves over 40 percent rule reduction compared with ${\sf FADE}$. We implement a prototype of both ${\sf FADE}$ and ${\sf iFADE}$ in about 12000 lines of code and evaluate the prototype extensively.
The experiment results demonstrate that ${\sf (i)}$ ${\sf FADE}$ and ${\sf iFADE}$ are accurate, e.g., they achieve over 95 percent true positive rate and 99 percent true negative rate in anomaly detection; and ${\sf (ii)}$ ${\sf FADE}$ and ${\sf iFADE}$ are lightweight, e.g., they reduce the overhead of control messages compared with the state of the art by about 50 and 90 percent, respectively.
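The abstract describes three steps: choose a small set of flows whose paths together exercise every forwarding rule, read flow-statistics counters at a few monitoring positions rather than at every hop, and compare those counters to detect and then locate a forwarding anomaly. The following Python block is an added illustration of that workflow and is not the authors' FADE code; the greedy set-cover selection, the use of ingress and egress as the two monitoring positions, the bisection used for localization, and the `read_counter` stand-in for an OpenFlow flow-stats query (with a constructed topology in which switch `s3` silently drops flow `f2`) are all assumptions made for this example, not details taken from the paper.

```python
"""Added example (not the paper's code): flow selection, counter-based
detection and localization of a forwarding anomaly in an SDN."""
from typing import Dict, List, Optional, Tuple

Hop = Tuple[str, str]  # (switch id, forwarding rule id matched at that switch)

# Constructed sample data: each flow's path as the rule it matches at each switch.
FLOWS: Dict[str, List[Hop]] = {
    "f1": [("s1", "r1"), ("s2", "r3"), ("s4", "r7")],
    "f2": [("s1", "r2"), ("s3", "r5"), ("s4", "r8")],
    "f3": [("s2", "r4"), ("s3", "r6")],
    "f4": [("s1", "r1"), ("s2", "r3")],  # redundant: its rules are a subset of f1's
}

# Constructed ground truth for the example: s3 silently drops f2 traffic.
SENT: Dict[str, int] = {"f1": 1000, "f2": 1000, "f3": 500, "f4": 200}
DROP_AT: Dict[str, str] = {"f2": "s3"}

# Counter difference tolerated between two monitoring positions (assumption:
# absorbs packets still in flight when the two counters are read).
TOLERANCE = 5


def rules_of(flow: str) -> set:
    return {rule for _, rule in FLOWS[flow]}


def select_covering_flows(flows: Dict[str, List[Hop]]) -> List[str]:
    """Greedy set cover (assumed strategy): repeatedly pick the flow whose path
    covers the most still-uncovered rules, preferring shorter paths on ties."""
    uncovered = {rule for path in flows.values() for _, rule in path}
    chosen: List[str] = []
    while uncovered:
        best = max(flows, key=lambda f: (len(rules_of(f) & uncovered), -len(flows[f])))
        gain = rules_of(best) & uncovered
        if not gain:
            break  # remaining rules are not on any flow path
        chosen.append(best)
        uncovered -= gain
    return chosen


def read_counter(flow: str, switch: str) -> int:
    """Stand-in for a flow-stats query to a switch (assumption: a real deployment
    would install a dedicated rule keyed on the flow label and read its counter).
    Returns how many packets of `flow` reached `switch` in the constructed network."""
    path = [sw for sw, _ in FLOWS[flow]]
    idx = path.index(switch)
    drop_sw: Optional[str] = DROP_AT.get(flow)
    if drop_sw is not None and idx > path.index(drop_sw):
        return 0  # everything was lost upstream at drop_sw
    return SENT[flow]


def detect(flow: str) -> bool:
    """Monitor only the first and last hop of the path (two positions, regardless
    of path length) and flag an anomaly if the counters disagree beyond TOLERANCE."""
    path = [sw for sw, _ in FLOWS[flow]]
    ingress, egress = read_counter(flow, path[0]), read_counter(flow, path[-1])
    return abs(ingress - egress) > TOLERANCE


def locate(flow: str) -> Optional[Tuple[str, str]]:
    """Narrow a detected anomaly to one hop by bisection: each probe adds one
    temporary monitoring position, so O(log n) reads instead of n for an n-hop path.
    Returns (last switch that saw the packets, first switch that did not)."""
    if not detect(flow):
        return None
    path = [sw for sw, _ in FLOWS[flow]]
    lo, hi = 0, len(path) - 1
    expected = read_counter(flow, path[lo])
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if abs(read_counter(flow, path[mid]) - expected) <= TOLERANCE:
            lo = mid  # packets still present here: fault lies further downstream
        else:
            hi = mid  # packets already missing here: fault lies upstream
    return path[lo], path[hi]


if __name__ == "__main__":
    selected = select_covering_flows(FLOWS)
    print("flows to monitor:", selected)
    for f in selected:
        print(f, "anomaly" if detect(f) else "ok", locate(f))
```

`select_covering_flows` drops `f4` because `f1` already exercises rules `r1` and `r3`, so three flows cover all eight rules. For `f2`, the ingress counter at `s1` and the egress counter at `s4` disagree, and bisection then isolates the loss to the `s3 -> s4` hop with a single extra counter read; a real controller would install the temporary measurement rule, read its statistics, and remove it again, which is the rule-churn that the abstract's `iFADE` is designed to reduce.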

Updated: 2021-03-26