Article
Peer-Review Record

IDSMatch: A Novel Deployment Method for IDS Chains in SDNs†

Network 2024, 4(1), 48-67; https://doi.org/10.3390/network4010003
by Nadia Niknami * and Jie Wu
Reviewer 1: Anonymous
Reviewer 2: Anonymous
Reviewer 3:
Reviewer 4: Anonymous
Submission received: 13 October 2023 / Revised: 17 January 2024 / Accepted: 4 February 2024 / Published: 7 February 2024

Round 1

Reviewer 1 Report

Comments and Suggestions for Authors

This work aims to demonstrate how deploying instances of IDS across the data plane of a software-defined network can enhance processing power and detection rates while alleviating the load of the SDN controller. The authors present the proposal of deploying IDS chains to minimize costs associated with installing IDS at each switch. Furthermore, the authors introduce a method to balance flow distribution and assign them to specific IDS chains for improved transmission efficiency. As supported by the study's testing and evaluation using a test bed and trace-based simulation, the experiment results demonstrate the effectiveness of the proposed method in reducing delays and hop counts across different traffic scenarios.

Although the authors present an IDS solution for the SDN data plane, the overall idea is identical to the deployment of a chain of VNFs, or service function chain (SFC), where the IDS is a VNF. Currently, there is numerous research on SFC deployment with the consideration of node and link capacity. The authors should consider the related SFC research and highlight the contribution of their work.

The experiment settings are not clearly described. For example, the traffic volume of small/medium/large traffic is not introduced. How many flows are there in each topology? What is the definition of sparsity?

Moreover, although the deployment of IDSs in the data plane could alleviate the overhead of a centralized IDS, the communication overhead among IDSs should be considered, since the detection of some attacks requires coordination among different network nodes.

When the number of flows increases, it seems it is unavoidable that a flow passes through multiple IDS chains. What issues would this condition cause?

Comments on the Quality of English Language

The presentation of this work is generally fine. However, some paragraphs could be shortened by reorganization.

Author Response

Hi, 

Thank you for your valuable comments. We have incorporated your suggestions into our paper. We have provided responses to your questions below:

1) We have revised the related work section to encompass research on SFC. Additionally, in the introduction section, we have emphasized the contribution of our work.

2) We considered traffic scenarios in three sizes: small (500 flows), medium (2000 flows), and large (4000 flows), each tailored for various network topologies with distinct sparsity levels. Sparsity is defined as the ratio of the number of direct connections between servers to the total number of possible direct connections.

3) Due to the global view and control capabilities of the controller in SDN, significant communication overhead among switches in the data plane is minimized. In the control plane, we offer an application that orchestrates detection actions to facilitate coordination among various IDSs in the event of an attack detection. Hence, there isn't a great deal of communication overhead for the data plane.

4) As the number of flows increases, the assigned IDSs within the chain experience a higher load. Consequently, there is a need for balancing, leading to an increase in the number of hops. This, in turn, results in a heightened delay in both detection and transmission.

Reviewer 2 Report

Comments and Suggestions for Authors

This paper has proposed an IDSMatch method for IDS chains in SDNs, the topic is interesting.

However, there are some issues to be addressed:

1. The motivation of the paper is vague. In the abstract and introduction parts of the paper, the authors claimed that IDSs are deployed for improving detection rates while avoiding overloading; however, on page 3 of the paper, reducing dropped data packets and reducing transmission delays are also the objectives of IDS. In addition, in the simulation part, only network delay, number of hops and unbalancing factor performance are given, which are difficult to directly relate to the objectives in terms of detection rates and dropped packets. So, what indeed is the motivation of the paper?

2. The novelty of the paper is limited. From the proof of Theorem 1, it seems that Theorem 1 has been proved by existing references [28, 29]; in addition, it seems that Theorem 2 was from existing reference [34]. And the novelty of Algorithms 1-2 is also not obvious.

3. The readability of the manuscript should be improved; in particular, the structure of the article lacks logic. For example, Section 3 should merge with Section 1; why is the problem formulation (e.g., Problems 1-2) located behind Algorithms 1-2? What indeed is the problem of the paper? How is it solved? It is difficult to answer the above questions in the present version of the paper.

4. Related references from the recent 3-5 years should be added and discussed.

Comments on the Quality of English Language

The readability of the manuscript should be improved.

Author Response

Thank you for your valuable comments. We have incorporated your suggestions into our paper. Subsequently, we have provided responses to your questions below:

1) Deploying the IDS chain in the data plane aims to enhance attack detection rates while preventing controller overload. By minimizing dropped data packets in IDSs, the likelihood of detecting attacks is increased. So minimizing dropped data packets can be one of the objectives. However, we must also address delays caused by retransmitting traffic through an IDS chain, potentially elongating the path to the destination. The matching step is integral in reducing this transmission delay.

This paper serves as an extension of a conference paper where we assessed missing rate, detection rate, overhead, and delay. But in this paper, we explore different measurements to evaluate the approach. While the motivation aligns with the previous paper, we endeavor to make improvements in terms of delay and balancing factors. The introduction and abstract have been revised to provide clearer explanations of the motivation behind this paper.

2) In Theorem 1, we utilized references [28] and [29] to establish a proof demonstrating the NP-hardness of the flow grouping problem. For Theorem 2, we formulated a 3-approximation algorithm for our proposed approach, drawing inspiration from the concepts presented in [34].

3) The paper's structure has been adjusted in response to your feedback.

4) The related work section has been revised to encompass more recent papers.

Thanks

Reviewer 3 Report

Comments and Suggestions for Authors

In today's interconnected environment, network security and information security are essential. The authors propose an intrusion detection system chain on SDN. Such a system typically consists of three parts: a flow collector, a feature extractor, and an anomaly detector, as in the following proposals:

[1] Albahar M A. Recurrent neural network model based on a new regularization technique for real-time intrusion detection in SDN environments[J]. Security and Communication Networks, 2019, 2019.

[2] Phan X T, Fukuda K. Sdn-mon: Fine-grained traffic monitoring framework in software-defined networks[J]. Journal of Information Processing, 2017, 25: 182-190.

[3] Cheng T Y, Jia X. Compressive traffic monitoring in hybrid SDN[J]. IEEE Journal on Selected Areas in Communications, 2018, 36(12): 2731-2743.

[4] Sultana N, Chilamkurti N, Peng W, et al. Survey on SDN based network intrusion detection system using machine learning approaches[J]. Peer-to-Peer Networking and Applications, 2019, 12(2): 493-501.

[5] Hashemi M J, Keller E. Enhancing robustness against adversarial examples in network intrusion detection systems[C]//2020 IEEE Conference on Network Function Virtualization and Software Defined Networks (NFV-SDN). IEEE, 2020: 37-43.

[6] Tang T A, Mhamdi L, McLernon D, et al. Deep recurrent neural network for intrusion detection in sdn-based networks[C]//2018 4th IEEE Conference on Network Softwarization and Workshops (NetSoft). IEEE, 2018: 202-206.


As shown in this paper, the K-means clustering method is applied to group incoming data flows. Furthermore, the minimum cost 2-D matching and the minimum cost 3-D matching are adopted to associate flow groups with IDS chains. Although the author has provided many experiments, there is a lack of performance comparison with the state-of-the-art intrusion detection systems, which the author should supplement.

Comments on the Quality of English Language

It would be better for the authors to present their paper in short sentences, which makes it easier to read and understand.

Author Response

First of all, thank you very much for the helpful comments. We revised our paper based on your comments. In the following, we provide the answers to your questions:

1) We have revised the related work section to encompass the proposals and research that you mentioned.

2) We added some more performance comparison with the state-of-the-art intrusion detection systems in the evaluation section.

Thanks

Reviewer 4 Report

Comments and Suggestions for Authors


This article proposes the concept of deploying instances of the IDS across the data plane, which would improve processing power and detection rates while reducing the load on the controller. The proposed method is tested and evaluated using a test bed and trace-based simulation, and it has been shown to effectively reduce delays and hop counts across various traffic scenarios.

Although this paper is structurally complete and logically clear, there are a few problems in the manuscript, which the author needs to modify for it to be accepted. The problems in the manuscript are shown below in detail.

1. Without specific distance comparison in Algorithms 1 and 2, assigning flows to the exact cluster correctly seems impractical. It is suggested that the authors make it more explicit in the pseudo code.

2. This paper is an expanded version of the reference paper [4]; it is recommended that the authors further emphasize what differences they make in this paper compared to the reference paper [4].

3. In line 155, there may be some errors in language expression, hence the sentence is incomplete. Language needs to be strengthened. There are some grammatical errors in the article.

4. It is advisable for the author to cite the latest literature to introduce the related works in this field, such as Secure data storage based on blockchain and coding in edge computing, and Multiple cloud storage mechanism based on blockchain in smart homes.

5. The type of brackets used in the 8th line of Algorithm 1 and the 7th line of Algorithm 2 should be consistent. In Problems 1 and 2, the equation sets (1) and (2) are best enclosed in left curly braces.

6. There are image annotations in sub-images (a), (b), (c) of Figures 6 and 7, but no annotations in Figures 8-11, which is inconsistent. There are errors in the annotation of Figure 12; please check carefully.


Comments on the Quality of English Language

Minor editing.

Author Response

Thank you for your valuable comments. We have incorporated your suggestions into our paper. Subsequently, we have provided responses to your questions below:

1) We revised the pseudo code based on your suggestion.

2) Deploying the IDS chain in the data plane aims to enhance attack detection rates while preventing controller overload. By minimizing dropped data packets in IDSs, the likelihood of detecting attacks is increased. So minimizing dropped data packets can be one of the objectives. However, we must also address delays caused by retransmitting traffic through an IDS chain, potentially elongating the path to the destination. The matching step is integral in reducing this transmission delay.

This paper serves as an extension of a conference paper where we assessed missing rate, detection rate, overhead, and delay. But in this paper, we explore different measurements to evaluate the approach. While the motivation aligns with the previous paper, we endeavor to make improvements in terms of delay and balancing factors. The introduction and abstract have been revised to provide clearer explanations of the motivation behind this paper.

3) We fixed it. Thanks.

4) We updated the related work section to cover more recent papers.

5) We fixed them. Thanks.

6) We fixed them. Thanks.


Thanks again.

Round 2

Reviewer 1 Report

Comments and Suggestions for Authors

The authors improve the overall quality of the manuscript; however, there are still key concerns not addressed.

First, this paper is basically SFC research. The authors should introduce the related work.

Second, the communication overhead between each IDS and the controller should be revealed to support the authors' claim.

Third, as the number of flows increases, more IDSs could be deployed to balance the overhead. Consequently, a flow may pass through multiple IDSs, resulting in redundant packet inspection and affecting the overall throughput.


Comments on the Quality of English Language

The English presentation of this paper is fine.

Author Response

Thank you so much for your helpful comments. We revised the paper based on your comments.

1. We incorporated additional references pertaining to SFC in the related work section.

2. The communication load is minimal, since the controller already engages in communication with devices in the data plane. Our idea is exactly related to routing, which is the main task of the controller. Could you please specify the type of communication you have in mind?

3. Figures 6-11 present our analysis of traffic scale and IDS chain length variations.

Reviewer 2 Report

Comments and Suggestions for Authors

The issues have been addressed.

Comments on the Quality of English Language

Minor editing of English language is required.

Author Response

Thanks for your helpful comments.

Reviewer 3 Report

Comments and Suggestions for Authors

The authors have advised some comments of mine. 

1. It would be better if the authors could compare their evaluation results with the recent few years' proposals.

2. Although the authors have conducted extensive experiments, the analysis of the experimental results is insufficient for Figures 9, 10, 11, 12, 13 and 14.

Author Response

Thank you for the helpful comments. We revised the paper based on your comments.

1) We have Figure 14 comparing our method with others regarding intrusion detection in SDN.

2) We revised the experiment parts to provide sufficient explanation.

Thanks

Round 3

Reviewer 1 Report

Comments and Suggestions for Authors

The revised version has addressed most of my previous concerns. However, it is still unclear whether a flow may traverse multiple IDSs to result in redundant packet inspection. Please show the ratios of redundant packet inspection with respect to different number of deployed IDSs and describe the impact of redundant packet inspection. 

Author Response

Hi,

Thank you for the helpful comments. We added one more subsection regarding redundant packet inspection to the evaluation section. You can find the revised section in red color.


Nadia

Reviewer 3 Report

Comments and Suggestions for Authors

The authors have revised their paper based on my comments. 

And some legends cover the bars in Figures 7, 8, 9, 10, 11 and 14. Please fix them. Thanks.

Author Response

Thank you so much for your helpful comments.
