1) Packet Parser

This entity in the controller is responsible for predicting the irregular behavior of devices in the network. The packets from devices are dynamically monitored by packet parser.

The OpenFlow messages are involved in SDN, which exchanges messages between switch-to-controller and controller-to-switch. The message field includes Flow_Mod, Packet_In, Stats_Reply and other necessary packet features. In this place, the packets are transmitted into the next entity of the feature analyzer.

2) Feature Analyzer

The feature analyzer is responsible for extracting the packet features from each arrived packet. The significant features present in a packet are extracted. The packet features include source_port_number, source_IP, destination_port_number, destination_IP, header_length, protocol, time_to_live, service_type and more. This entity is required for extracting the packet features for classification.

3) Authentication

Authentication is performed using LHS algorithm in which a unique identity and the elliptic point is considered to authenticate individual IoT device. The signature present in each block is verified with the corresponding IoT user. The packet parser and feature analyzer extract the packet features and then the IoT is authenticated using the proposed algorithm.

4) Packet Classification

The proposed Neuro Multi-Fuzzy is used for classifying the packets based on their packet features. A device may produce fake identity to cheat the network, but the packet features are too complex to be changed and so classification is performed by using packet features.

5) Evidence Collections

The controllers designed in this architecture are enabled to collect evidence which is utilized for diagnosing forensics. In this proposed design, the controllers classify the packets and later they are gathered and stored as data logs. The data logs stored in SDN controllers are facilitated to be accessed by a forensic investigator who is responsible for detecting forensics. The controllers also store hash of the evidence for ensuring secure access in blockchain. Hereby, the data logs collected in accordance with user’s transactions require updating which will be periodically updated into new logs in controllers.

The data packets entering into the controller are verified by signature in the blockchain and then it is classified. Before computing the signature, each device is required to choose a unique elliptic curve point $P$ . For determining a point $P$ , consider the following curve equation,

View Source\begin{equation*} y^{2}=x^{3}+ax+b\tag{1}\end{equation*}

The terms $x$ and $y$ are the standard variables and $a$ , $b$ are the constant coefficient respectively. Let $\left ({x_{M},y_{M} }\right)$ and $\left ({x_{L},y_{L} }\right)$ be two non-symmetric points from the elliptic curve. From the two points determined point $P$ as follows,

View Source\begin{equation*} P=\frac {y_{M}-y_{L}}{x_{M}-x_{L}}\tag{2}\end{equation*}

This point $P$ is taken into account for estimating the signature for authentication. This LHS algorithm uses unique identity and the elliptic point is secured and assured to be against forgery of data [48]. This LHS algorithm is supported with bilinear pairings. Consider $G_{1}$ and $G_{2}$ as two bilinear groups which are $\left |{ G_{1} }\right |=\left |{ G_{2} }\right |=p$ , where $p$ is the prime number. Further, define hash function $H_{1}$ and $H_{2}$ respectively. Let the secret key be $sk$ and public key be $pk$ . Then using the device identity and $P$ the signature is generated.

Select a random number $R$ from $Z_{q}^{\ast }$ i.e. random number having prime order of $q$ , and define a value $w$ from $G^{R}$ , where $G$ is the generator. Let the generated signature be expressed as,

View Source\begin{equation*} St=\left ({H_{1}\left ({ID }\right), H_{2}\left ({P }\right),w }\right)\tag{3}\end{equation*}

The generated Signature $St$ being verified by the blockchain and it permits authenticated users for transactions after classification. In general, the blockchain technology uses the conventional signature algorithm which is not supportable in forensic design, so LHS algorithm using unique identity and the elliptic point is proposed. The elliptic point is unique and hence the forgery of user is impossible in this proposed Forensic SDN-IoT.

Neuro Multi-Fuzzy model in forensic architecture is present for classifying the legitimate user that has involved in the network. Once the device is authenticated from the blockchain, they are analyzed on the neuro multi-fuzzy model. This model works as a combination of neural network and fuzzy logic systems. Parallel processing of fuzzy logic tends to mitigate the processing time of classification. Fuzzy take into account of six significant packet features for classification.

Multi-fuzzy is designed with the participation of more than one fuzzy in which each has three inputs. A set of three features in deployed in one fuzzy and the other set in another fuzzy as shown in Fig. 4. The output from two fuzzy is given as input into a decision making fuzzy for authenticating packets. However authentication is performed, the packets are verified with their features to achieve a better design of forensic architecture in SDN enabled IoT environment.

FIGURE 4.

Multi-Fuzzy model.

Show All

Fuzzy rules on each fuzzy block are illustrated in Table 2, based on that the decision on each packet is made. The major features that are considered in multi-fuzzy design are source IP address, destination IP address, flow duration, packet size, sequence number and service type.

• Source IP address – This source IP address plays a significant role among all the other features. This address represents the particular device and fake IP address could be identified.

• Destination IP address – This packet feature denotes the destination to which the requested packet needs to be reached.

• Flow duration – flow duration represents the time consumed by the packet to reach the control plane. If the flow duration is very high or very low, it is suspected to be suspicious.

• Packet size – In this forensic architecture, three different traffics are taken into account. Each traffic type has a peculiar maximum size, exceeding the size for the corresponding traffic, which is suspected.

• Sequence number – This feature denotes the sequence number of the packet from the corresponding device Identity (ID).

• Service type – Service type is one of the significant packet features that represents the required network service for the particular device.

TABLE 2 Multi-Fuzzy Rules

Fuzzy logic considers the input as high, low and very low based on which the output is given in terms of high, medium, low and very low. Table 3 represents the probability values of output that are used for decision making. According to the rule, the probability values are predicted for classifying the packets.

TABLE 3 Probability Values of Fuzzy Output

By using all the above mentioned six features, the classifier is executed. These features are extracted in a feature analyzer that is present in each controller. The decision of high in fuzzy denotes that the device is assumed to be legitimate and the condition of medium is also taken into account since it has passed the signature-based authentication. But if the very low condition obtained in the final fuzzy, the packet from the particular device will be ignored.

However fuzzy is a well-known algorithm, using many numbers of a rule on single fuzzy consumes little higher time. So, in this work, multiple fuzzy is introduced with a neural network for faster processing and accurate detection of forged packets injected into the system. An adaptive- network-based fuzzy interference system (ANFIS) is used based on the Takagi-Sugeno interference system.

In ANFIS, the membership parameters are tuned using back-propagation algorithm and assisted with hybrid learning [49]. The ANFIS is faster in learning and it is operable with the knowledge on both linguistic and numeric. The IF-THEN fuzzy rules in ANFIS is determined using the Sugeno model as,

Rule: IF $x$ is $A_{1}$ AND $y$ is $B_{1}$ THEN

View Source\begin{equation*} F_{o}=p_{1}x+q_{1}y+r_{1}\end{equation*}

Let $x$ and $y$ be the input parameters that obtains $F_{o}$ as output from $A_{1}$ and $B_{1}$ fuzzy sets with $p_{1}, q_{1}$ and ${r}_{1}$ design parameter. A set of six neurons are present in the hidden layer using which the features are extracted in the proposed work. In the proposed forensic architecture, the neuro multi-fuzzy logic model is used as shown in Fig. 5. The benefit of the neural network and fuzzy are faster processing speed and take into account multiple parameters. Both the potential benefits are combined and constructed as a neuro multi-fuzzy logic model. In this model, six significant parameters are considered for making a faster decision. Most of the packets are addressed to be legitimate after authentication, but in some cases, the malicious activity can find only using the packet features. Then the designed forensic architecture on SDN enabled IoT environment. Security is achieved by means of blockchain technology. Hereby, finally, the evidence is stored on SDN-controllers that are present in the control plane. The stored evidence will include hash values; here the maintenance of evidence is carried over by the establishment of CoC. In this architecture switches also play a vital role in inhibiting the growth of malicious users on the control layer. The complete forensic network architecture is developed under SDN based IoT environment. The majority of the proposed Forensic SDN-IoT is handled by using packet features which are the key with which a fake person can enter into the system.

FIGURE 5.

Neuro Multi-Fuzzy logic Model.

Show All

Due to this reason, we have contributed our entire work with a detailed analysis of packet features on algorithms. The previous work SDN-Fog was also involved with the processing of packet features but it was enabled to identify specify security threats and the maintenance of data log was not discussed which is essential in blockchain technology. The evidence as data logs is the change of status representation along with the actions that are taken for the status. Storing of these logs is available for forensic investigators.

Let Packet Parser be PP, Feature analyzer is FA, source IP be Scr_IP, destination IP be Dst_IP, flow duration is Flw_Dur, packet sized be Pck_Size, sequence number be Seq_Nub, Service type be Srv_type, Fuzzy Output 1 be FO₁, Fuzzy Output 2 be FO₂ in pseudo code 2. This depicts the proposed SDN-controller’s working procedure. Packet Parser and Feature analyzer in controller monitors the behavior of packet and extracts features, then the packet allowed into the blockchain. The signature of each user is validated in the blockchain using LHS algorithm for authenticating the user. After authentication, the user’s packets are classified with neuro-fuzzy based on the defined fuzzy membership functions. Six different packet features are taken into account for classifying the packets.

In this Forensic-SDN-IoT, the packets are classified and the evidence is stored into the SDN-controllers. The evidence in the controller is stored with the hashes of the corresponding evidence for maintaining CoC in the blockchain. Evidence is stored in the pre-configured location in a controller, the data logs include user identity, Source IP address, Destination IP address, local time of event occurrence, location and action. Each entity in the record as defined above based on which those data are stored.

1) Delay

Delay is one of the significant metrics that is measured in the developed network environment. A well-designed network is supposed to have less delay, since the delay is a metric which is required to lessen in order to achieve a better quality of service. The variation in delay with respect to the number of IoT devices is shown in Fig. 7(a).

FIGURE 7.

Delay incurred by a) increasing the number of devices; and b) increasing the number of requests.

Show All

This comparison shows that the proposed Forensic SDN-IoT with minimized delay. In previous SDN-Fog design delay is higher, since it focused on the identification of attacks which increases the delay. Whereas in this proposed forensic architecture, the packets are verified by using simple rules and hence they are forwarded into a control plane without any delay. The value of delay gradually increases while the number of devices increases.

The variation in delay is only a few milliseconds of 0.1 – 0.2 after beginning packet transmission from the end user. However this is a minor change in values, it will be large if the number of devices is further increased. In the proposed SDN forensic architecture, three different traffics are taken into account; if any one type of traffic is involved, the delay could be minimized more. Delay is also plotted with respect to the arrival of the number of requests. The number of requests denotes the arrival of packets at each second into a gateway from each device.

Fig. 7(b) demonstrates the minimization of delay when compared with prior SDN-Fog design. As per the increase in number of requests, it tends to increase the participation of IoT devices.

The reduced mathematical computation is also a major reason in mitigating delay metric. Delay is associated with packet transmission and so it is plotted in accordance with the number of requests. However the changes are minor in delay variations, it reflects over other significant network parameters. The better achievement of delay metric is due to minimized computation and faster processing of packets.

2) Response Time

Response time is the time taken by the IoT devices to receive the response for the requested service. This metric is validated based on the number of requests that are arrived from end devices.

In the proposed forensic architecture, every IoT device sends packets to the gateway which is forwarded to switches and then they are authenticated by using the signature in controllers. Until verification is completed, the time is known to be response time. Fig. 8 illustrates the comparison of response time for proposed forensic architecture with respect to the previous SDN based fog architecture.

FIGURE 8.

Comparison on response time.

Show All

This comparison shows that the proposed forensic architecture is better since the processing of rules and verification is faster and it minimizes response time even if the number of requests increases.

3) Throughput and Accuracy

Throughput is one of the important parameters that is taken into account for validating the proposed Forensic architecture. Throughput is defined as the measure of successful transmission of packets between users in a given time in accordance with the number of request packets.

Fig. 9 demonstrates the variation in throughput for validating the better efficiency of proposed forensic SDN-IoT architecture. The increase in throughput denotes that there are many numbers of successful data transmissions. Increase in the throughput enables to achieve improvement in network performance.

FIGURE 9.

Comparison on throughput.

Show All

Improvements in forensic architecture are achieved due to the involvement of flow rules based traffic analyzing on switches and signature verification in the controller. The reduction of malicious packets into the network is one of the reasons for the increase in throughput. This metric also indicates the quality of devices connected in the network. During the simulation time, forensic architecture has attained 50 – 130 bytes of throughput, whereas the previous work achieves only 30 – 80 bytes at similar simulation time.

The measurement of throughput is enabled to illustrate any type of large scale network infrastructure. An increase in throughput on forensic architecture impacts on other significant network parameters and ensures better performances of the network. Gradual growth in throughput illustrates that the further increase in throughput will be achieved at higher simulation time.

Accuracy plays a significant role in detecting accurate malicious packets. A poor mechanism will result in detecting legitimate packets as malicious which drops the accuracy. We evaluate the accuracy of our proposed work in terms of the incoming packets.

Table 5. depicts the detection accuracy for the present work that processes with the number of packets from IoT devices. As per the increase in packet arrival rate, the packet detection accuracy shows a gradual decrease since the number of incoming packets is higher.

TABLE 5 Detection Accuracy

4) Processing Time

The complete packet handling time from the gateway to the control plane is computed as processing time. This includes the working of algorithms at each plane and each entity for the arrived number packets from IoT devices.

Fig 10 demonstrates the variation of processing time with respect to the arrival of packets for SDN-Fog and proposed Forensic SDN-IoT architecture. According to the increase in the number of packets arrival, the processing time increases since it needs to process on more number of packets.

FIGURE 10.

Comparison on processing time.

Show All

The processing time at 5 packets per second is 10 seconds in forensic SDN-IoT, whereas in SDN-Fog it is 12 seconds. However, the difference is smaller, the gradual increase in the number of arrival packets reflects on the network. The reduction of processing time tends to achieve a good quality of the designed architecture and ability to tolerate many numbers of packets from IoT devices. The noticeable minimized processing time is lesser, even if the numbers of arrival packets are grown. Computation complexity is defined from the utilization of resources for the algorithm with respect to the total number of inputs. Resources involved in this forensic architecture are the configuration of individual devices in the plane. To express the complexity, we predict time complexity for the proposed LHS algorithm and neuro multi-fuzzy algorithm. Let $n$ be the number of inputs and $c$ be the constant which is required to determine execution time. The algorithm executed in a loop until all the $n$ inputs are processed, so the total execution time will be $T(n)$ . From the determined total time, the complexity is predicted using the asymptotic notation $O$ . Using big-O notation time complexity is determined from the following formulation,

View Source\begin{equation*} f\left ({n }\right)\le c\ast g\left ({n }\right)~ for~ all~ n\ge n_{0}\end{equation*}

$f(n)$ and $g(n)$ are the monotonic functions, here $f\left ({n }\right)=O(g(n))$ when $c>0$ and $n_{0}>0$ .

Table 6 depicts the time complexity based on the number of input. $O$ represents an order of the time complexity. In neuro multi-fuzzy, however, three fuzzies are used they process parallel; hence, the time complexity is comparatively higher than of algorithms in the control plane. In LHS, the algorithm is operated linearly which takes all the steps to undergo for each input. On the whole, all the comparative result shows that forensic SDN-IoT architecture is better than SDN-fog that uses blockchain technology for enhancing network performances. The involvement of port number based flow rules and blockchain technology with signature algorithm have supported to attain better results in terms of delay, throughput, response time and processing time. All the significant network parameters show improved results when compared with previous SDN-Fog architecture. The use of blockchain technology for security is highlighted and the applicability on IoT devices is presented, further, their performances are validated.

TABLE 6 Time Complexity

5) Security Analysis

The provisioned security in this proposed work is validated by provenance, interoperability evidence acquisition, and trust. The proposed forensic SDN-IoT is efficiently designed for detecting malicious involvement in the system. The utilization of blockchain technology in the control plane of SDN ensures to provide security. Our security analysis is depicted as follows:

• Provenance: Provenance is the aggregation of evidence by suspecting the malicious user. In our proposed work, the packets from devices are validated in accordance with the port numbers, so only unsuspected packets are allowed for further processing. Hence forensic SDN-IoT supports provenance requirement since, each user log includes address, time, location and packet features that created provenance and evidence are collected in the controller and if there is a change in data log it is updated. In existing SDN-Fog architecture, the abnormal behavior of users is detected.

• Evidence Acquisition: Forensic SDN-IoT makes sure that all the data logged and evidence are stored in the controller which can be accessed by the forensic investigator i.e. the person in charge to detect the cause of the issue. On using blockchain technology the data is maintained secure and hence this work supports evidence acquisition too.

• Trust: In this Forensic SDN-IoT design, the generated logs are stored within the SDN-controllers, which is highly secure and it cannot be easily accessed by any third party. In addition to storing events/logs (as evidence) in controllers, the hash of evidence is also stored by the controller in Blockchain. This is used to maintain the integrity of evidence and increase reliability level of CoC. We will be authenticating the access for the forensic investigator before providing the data logs. The assurance in trust also ensures with the increase of confidentiality.

• Simplicity: The data logs are simply stored on the controller since they are secured parties in the control plane. The controllers are assisted with sufficient memory capacity for storing data logs.

• Detection of the malicious act: Compromising of intermediate entities and entering into the network is the main act of attackers. In this forensic SDN-IoT, we allow user’s traffic in accordance with port number and then permit into a data plane for processing. And then neuro-fuzzy classifies the data packets for predicting malicious packets. Hence it identifies any suspicious packets entering into the network.

In this proposed Forensic SDN-IoT, the authentication of IoT devices and detection of malicious users/traffics with classifications of packets with Neuro Multi-fuzzy based on packet features and three predefined traffic rules in OpenFlow Switches greatly mitigate attacks at the edge of the network.

6) Secure Signature for Decentralized Authentication

In the blockchain, the PoW is presented for confirming that the transactions are handled by the miners. For PoW, a mathematical puzzle is submitted to users as a hash function, integer factorization. In our proposed work, the users are requested to select a unique elliptic point using the formulation discussed in above sections.

Using the elliptic point (X₁, X₂, X₃), a signature is generated and the correct problem solving users are rewarded. $St$ is the signature that is generated using the elliptic point and identity of the user, which is unique for each user. Here the problem is the selection of point from the elliptic curve. If the miner is enabled to solve this then a new block will be created for placing the status.

Fig. 11 depicts the signature generation method of authentication presented in Forensic SDN-IoT architecture. The major advantage of PoW is to ensure anti-DoS attacks. Using this LHS algorithm, it is complex for the attacker to identify the unique point.

FIGURE 11.

Signature based Proof generation.

Show All