TokenGuard: A novel framework for robust access management in SDN controllers

IF 4.5 | Zone 3 (Computer Science) | JCR Q1, COMPUTER SCIENCE, INFORMATION SYSTEMS
Mahmoud Elzoghbi, Hui He
Computer Communications, vol. 238, Article 108169. Published 2025-04-15.
DOI: 10.1016/j.comcom.2025.108169
https://www.sciencedirect.com/science/article/pii/S0140366425001264
Citations: 0

Abstract

Software-defined networks (SDNs) are increasingly popular due to their simplified network management and centralized control through an SDN controller. However, ensuring secure authentication and authorization for REST web services in SDN controllers is a critical challenge. This paper introduces TokenGuard, a novel security framework designed to enhance the protection of REST web services in SDN controllers. TokenGuard uses dynamic and unique access tokens for each REST request between network applications and the SDN controller. These tokens are generated using a specialized mathematical model, the Fractional Logistic Map (FLM), which incorporates a fixed memory length. This approach significantly improves the robustness of SDN controllers against REST replay attacks involving stolen access tokens. Extensive simulations demonstrate that TokenGuard outperforms standard and federated token-based authentication systems in terms of performance and security. Specifically, TokenGuard achieves approximately 10.5% faster response times than standard token-based systems and 78.1% faster than federated token-based systems. Additionally, TokenGuard’s content sizes are 1.95% smaller than standard token-based systems and 35.28% smaller than federated token-based systems. Moreover, TokenGuard handles requests per second 1.03 times more efficiently than standard token-based systems and 4.82 times more efficiently than federated token-based systems. By employing dynamic access token sequences, TokenGuard significantly mitigates the risks associated with token replay attacks and stolen access tokens, offering a substantial security advantage over the static single-token mechanisms used in traditional systems. This paper also addresses the challenges and limitations of current SDN controllers and highlights how TokenGuard fills these gaps. Practical aspects of deploying TokenGuard in real-world SDN environments are discussed, including its scalability, performance impact, and interoperability.
Source journal: Computer Communications (Engineering & Technology: Telecommunications)
CiteScore: 14.10; self-citation rate: 5.00%; articles published: 397; review time: 66 days

Journal description: Computer and Communications networks are key infrastructures of the information society with high socio-economic value as they contribute to the correct operations of many critical services (from healthcare to finance and transportation). The Internet is the core of today's computer-communication infrastructures. This has transformed the Internet from a robust network for data transfer between computers to a global, content-rich communication and information system where contents are increasingly generated by the users and distributed according to human social relations. Next-generation network technologies, architectures and protocols are therefore required to overcome the limitations of the legacy Internet and add new capabilities and services. The future Internet should be ubiquitous, secure, resilient, and closer to human communication paradigms. Computer Communications is a peer-reviewed international journal that publishes high-quality scientific articles (both theory and practice) and survey papers covering all aspects of future computer communication networks (on all layers, except the physical layer), with special attention to the evolution of the Internet architecture, protocols, services, and applications.