Embodiments of the inventive concept described herein relate to a method for detecting a network anomaly, an apparatus therefor, and a computer program therefor, and more particularly, to a method for detecting a network anomaly in a distributed software defined networking (SDN) environment, an apparatus therefor, and a computer program therefor.
SDN is a new paradigm that separates the data transmission function and the control function of conventional network equipment so that a central controller controls the network, and it has become increasingly attractive in the networking field. In the SDN, information about the entire network may be maintained by a central SDN controller based on information collected from a plurality of network equipment, and a variety of network services may be provided based on that information.
Communication between a controller, which is responsible for the control plane, and a switch, which is responsible for the data plane, in the SDN may be performed through the OpenFlow protocol, which is an international standard. When it receives a packet, a switch that supports the OpenFlow protocol performs a simple operation of transmitting the packet to another switch or to the controller, or discarding the packet, according to a rule predefined by the controller.
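The forwarding behaviour described above, as an added example that is not part of the original specification: a simplified model of an OpenFlow flow table in which the controller installs prioritised rules, and the switch either outputs the packet on a port, sends it to the controller (a table miss), or drops it. The field names, rule contents and IP addresses are constructed for illustration; the per-entry packet counters model the flow statistics a controller would later poll when looking for anomalous traffic.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Actions a switch can apply (hypothetical string encoding, not OpenFlow wire format).
CONTROLLER = "controller"   # packet-in to the controller
DROP = "drop"


@dataclass(frozen=True)
class Packet:
    """Constructed packet header fields used for matching."""
    in_port: int
    src_ip: str
    dst_ip: str
    dst_port: Optional[int] = None


@dataclass
class FlowEntry:
    """One rule installed by the controller.

    `match` maps a Packet field name to a required value; a field absent
    from `match` is a wildcard. Higher `priority` wins when several entries match.
    """
    priority: int
    match: Dict[str, object]
    action: str
    packet_count: int = 0   # statistics counter maintained by the switch

    def matches(self, pkt: Packet) -> bool:
        return all(getattr(pkt, field) == value for field, value in self.match.items())


class FlowTable:
    """A single flow table on a switch; entries kept sorted by descending priority."""

    def __init__(self) -> None:
        self.entries: List[FlowEntry] = []

    def add(self, entry: FlowEntry) -> None:
        self.entries.append(entry)
        self.entries.sort(key=lambda e: e.priority, reverse=True)

    def lookup(self, pkt: Packet) -> str:
        """Return the action of the highest-priority matching entry.

        If nothing matches and no table-miss entry exists, the packet is
        dropped (the OpenFlow 1.3 default when no table-miss entry is installed).
        """
        for entry in self.entries:
            if entry.matches(pkt):
                entry.packet_count += 1
                return entry.action
        return DROP

    def stats(self) -> Dict[int, int]:
        """Packet counters keyed by priority, as a controller would read them."""
        return {e.priority: e.packet_count for e in self.entries}


def build_table() -> FlowTable:
    """Constructed rule set: a table-miss entry, a forwarding rule, and a block rule."""
    table = FlowTable()
    # Priority-0 wildcard entry: anything unmatched goes to the controller.
    table.add(FlowEntry(priority=0, match={}, action=CONTROLLER))
    # Forward traffic for host 10.0.0.2 out of port 2.
    table.add(FlowEntry(priority=100, match={"dst_ip": "10.0.0.2"}, action="output:2"))
    # Higher-priority exception: block telnet (TCP/23) to that host.
    table.add(FlowEntry(priority=200, match={"dst_ip": "10.0.0.2", "dst_port": 23}, action=DROP))
    return table


def forward(table: FlowTable, pkt: Packet) -> str:
    """Switch pipeline for one packet: look the packet up and return the action taken."""
    return table.lookup(pkt)


if __name__ == "__main__":
    t = build_table()
    for p in (Packet(1, "10.0.0.1", "10.0.0.2", 80),
              Packet(1, "10.0.0.1", "10.0.0.2", 23),
              Packet(1, "10.0.0.1", "10.0.0.9", 443)):
        print(p.dst_ip, p.dst_port, "->", forward(t, p))
    print("counters:", t.stats())
```

Because the table-miss entry is itself a rule with a counter, a controller polling `stats()` can see how much traffic is escaping its installed rules; a sudden rise in that counter is one of the simplest signals that something unexpected is happening on the data plane.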
In the SDN, the function of each network switch or router may be set dynamically in an environment such as a cloud network to reduce energy consumption, and a desired access control scheme may be implemented in each switch or router in an enterprise network environment. Further, in the SDN, the amount of equipment used in a conventional network and the cost of managing that equipment may be reduced. Further, the SDN allows a newly developed function to be tested freely in a network environment.
Meanwhile, a structure in which the entire network is controlled by a single SDN controller has a fatal single point of failure: the entire network goes down when the controller fails. Further, there is a scalability issue because the processing capacity of a single SDN controller is limited.
Therefore, to address this issue, research and development have been conducted on a distributed SDN controller structure in which a cluster is configured using a plurality of SDN controllers to provide high availability and high scalability. In this case, the distributed SDN controller structure should be able to detect a network anomaly even when a large-scale network data set is used, and should be able to support a variety of networks. Further, the distributed SDN controller structure should provide an application programming interface (API) that a user can modify as desired, a high-level script, or the like, so that various attacks can be detected.
However, since conventional research defines only a limited set of network functions (features) for a specific attack scenario, it is insufficient to detect a variety of symptoms. Further, a framework such as OpenSketch, which is implemented by customizing the switch, cannot be deployed in an OpenFlow-based environment.