Denial of ARP spoofing in SDN and NFV enabled cloud-fog-edge platforms
Cluster Computing (IF 4.4), Pub Date: 2021-06-11, DOI: 10.1007/s10586-021-03328-x
Anil Kumar Rangisetti, Rishabh Dwivedi, Prabhdeep Singh

To support a variety of Internet of Things (IoT) and smart city applications, it is necessary to provide computing and networking resources at the cloud, fog and edge levels. Fortunately, the evolution of Network Function Virtualization (NFV) and Software Defined Networking (SDN) technologies is greatly helping operators to deploy their data centers at reduced expenditure by integrating cloud, fog and edge (Cloud-Fog-Edge) platforms. Although Cloud-Fog-Edge environments provide economical platforms, because they are multi-tenant shared platforms, customer applications could face a variety of security issues in terms of networking and computing resources. For instance, in cloud environments Intrusion Detection Systems (IDS) and authentication mechanisms are useful for enforcing security policies and improving operational security, but internal malicious users can carry out Address Resolution Protocol (ARP) spoofing attacks by exploiting shared networking environments. Mainly, ARP spoofing attacks could lead to VLAN-ID spoofing, Denial of Service (DoS) and distributed DoS (DDoS), Man in the Middle (MITM) and session hijacking attacks in the network. In this work we propose a Denial of ARP Spoofing (D-ARPSpoof) approach to prevent ARP spoofing in SDN and NFV enabled Cloud-Fog-Edge platforms. Unlike existing IDS and anomaly detection systems, D-ARPSpoof prevents ARP spoofing attacks by reducing overhead towards the centralized controllers and OpenFlow switches. In this work, D-ARPSpoof performance is compared with recent ARP spoofing mitigation approaches and anomaly detection systems using important metrics such as the number of successful connections, controller message-processing overhead and the number of flow rules installed in OpenFlow switches. Our results show that, in comparison with existing approaches, D-ARPSpoof successfully prevents all malicious connections at reduced overhead towards controllers and switches.




Updated: 2021-06-13