Scalable Traffic Sampling Using Centrality Measure on Software-Defined Networks

With regard to cyber security, pervasive traffic visibility is one of the most essential functionalities for complex network systems. A traditional network system has limited access to core and edge switches on the network; on the other hand, SDN technology can provide flexible and programmable network management operations. In this article, we consider the practical problem concerning how to achieve scalable traffic measurement using SDN functionalities. Less intrusive traffic monitoring can be achieved by using a packet sampling technique that probabilistically captures data packets at switches, and the sampled traffic is steered toward a traffic analyzer such as an IDS on SDN. We propose the use of a centrality measure in graph theory for deciding the traffic sampling points among the switches. In addition, we discuss how to decide the traffic sampling rates at the selected switches. The results of the simulation and SDN testbed experiments indicate that the proposed sampling point and rate decision methods enhance the intrusion detection performance of an IDS in terms of malicious traffic flows in large-scale networks.