
System And Method For Network Security

Abstract: The present disclosure provides a system and method for facilitating network security. A processing unit 102 associated with the system 100 receives a set of data packets from at least one of the plurality of nodes 110, extracts traffic attributes of the received data packets, compares said extracted traffic attributes with a first dataset, and generates a set of alarm signals based on said extracted traffic attributes when the extracted traffic attributes are beyond pre-determined limit ranges. The set of alarm signals indicates a traffic attack to the user, and the intruder's source ID is displayed on said system 100.


Patent Information

Application #:
Filing Date: 20 April 2020
Publication Number: 43/2021
Publication Type: INA
Invention Field: COMMUNICATION
Status:
Email: info@khuranaandkhurana.com
Parent Application:
Patent Number:
Legal Status:
Grant Date: 2025-09-01
Renewal Date:

Applicants

Chitkara Innovation Incubator Foundation
SCO: 160-161, Sector - 9c, Madhya Marg, Chandigarh- 160009, India.

Inventors

1. BADOTRA, Sumit
Chitkara University, Chandigarh Patiala National Highway (NH-64), Village Jansla, Rajpura, Punjab-140401, India.
2. PANDA, Surya Narayan
Chitkara University, Chandigarh Patiala National Highway (NH-64), Village Jansla, Rajpura, Punjab-140401, India.

Specification

[0001] The present disclosure relates to the field of network security. In particular, the
present disclosure provides a system and method for detecting the attacks in networks.
BACKGROUND
[0002] The background description includes information that may be useful in
understanding the present invention. It is not an admission that any of the information provided
herein is prior art or relevant to the presently claimed invention, or that any publication
specifically or implicitly referenced is prior art.
[0003] Network architecture plays a significant role in the exchange of data packets and
information bits across a system of clients and servers. The degree of reliability of the
network depends on the transmitted data packets and the received data packets. The difference
between the two can determine whether the network is free from threat or attack, as indicated
by no loss of information bits between the clients and the server.
[0004] In traditional networks, the coupling of the control plane and the data plane inside
proprietary hardware limits the security enhancements of the networks. The control plane can
include all functions and processes that determine the route of data packets, while the data
plane can include the functions and processes that help in forwarding the data packets from
one interface to another. Disruptive attacks can bombard the targeted server with a huge
amount of traffic, making its resources unavailable to legitimate users. Implementing
security enhancement features in such a network becomes difficult.
[0005] The above-mentioned problem can be overcome by introducing a network architecture
that enables the network to be intelligently and centrally controlled and monitored. Such a
network architecture can also help in segregating the control plane and the data plane to
provide security to the network.
[0006] There is, therefore a need in the art to provide a network security based system
and method that overcome the above-mentioned and other limitations of the existing solutions
and utilize techniques, which are interesting, interactive, robust, accurate, fast, efficient, cost
effective and simple.
OBJECTS OF THE PRESENT DISCLOSURE
[0007] Some of the objects of the present disclosure, which at least one embodiment
herein satisfies are as listed herein below.
[0008] It is an object of the present disclosure to provide a system and method which
alerts the user to a network attack associated with the nodes.
[0009] It is an object of the present disclosure to provide a system and method which can
work in a multi-controller environment in which there exists one leader and two followers. For
example, the system and method can work for both TCP-SYN and HTTP based network traffic.
[00010] It is an object of the present disclosure to provide a system and method which
alerts the user to a network attack associated with the nodes.
[00011] It is an object of the present disclosure to provide a system and method which can
help in identifying the intruder for any malicious attack on the network.
[00012] It is an object of the present disclosure to provide a system and method which can
handle an enormous amount of traffic and generate an alarm for the same when the
intruder targets nodes such as OpenFlow switches or the centralized SDN controller.
[00013] It is an object of the present disclosure to provide a robust, efficient,
innovative, cost effective system and method for network security.
[00014] It is another object of the present disclosure to provide a system and method for
providing an interesting, interactive, accurate, fast, efficient, and cost effective network
security system.
[00015] These and other objects of the present invention will become readily apparent
from the following detailed description taken in conjunction with the accompanying drawings.
SUMMARY
[00016] The present disclosure relates to the field of network attacks detection. In
particular, the present disclosure provides a system and method for detecting the attacks in
networks.
[00017] An aspect of the present disclosure pertains to a system to facilitate security
to a network, where the system includes one or more processors coupled with a memory, the
memory storing instructions executable by the one or more processors and configured to
receive a set of data packets from at least one of a plurality of nodes associated with the
network; extract traffic attributes from the received set of data packets, wherein the extracted
traffic attributes may pertain to at least one node among the plurality of nodes; compare the
extracted traffic attributes with a first dataset, wherein the first dataset may comprise
pre-determined limit ranges; and generate a set of alarm signals in case at least one of the
extracted traffic attributes is beyond the pre-determined limit ranges.
[00018] In an aspect, the network may be any or a combination of Local Area Network
(LAN), Wide Area Network (WAN), Metropolitan Area Network (MAN) and Personal Area
Network (PAN).
[00019] In an aspect, the nodes may be any or a combination of Software Defined
Networking (SDN) Controller, Open flow switch and Node cluster controller.
[00020] In an aspect, the system may be configured to monitor the traffic attributes of
the Software Defined Networking (SDN) and the Open flow switch simultaneously.
[00021] In an aspect, the system may generate a set of validation signals when at least
one of the extracted traffic attributes is within the predetermined limit ranges.
[00022] In an aspect, the system may comprise a display unit configured to display nodal
parameters associated with the generated alarm signals.
[00023] In an aspect, the nodal parameters may comprise any or a combination of node
ID, details of entities, IP address, login ID, login details and source ID of intruder.
[00024] Another aspect of the present disclosure pertains to a method for facilitating
detection of attack on one or more networks, where the method includes the steps of: receiving,
at one or more processors of a processing unit, the set of data packets from at least one of a
plurality of nodes associated with one or more networks; extracting, at the one or more
processors, traffic attributes from the received set of data packets, wherein the set of data
packets may be associated with one or more networks; comparing, at the one or more processors,
the extracted traffic attributes with the first dataset, wherein the first dataset may comprise
pre-determined limit ranges; and generating, at the one or more processors, the set of alarm
signals in case at least one of the extracted traffic attributes is beyond the pre-determined
limit ranges.
[00025] In an aspect, the method may comprise a step of updating a training and testing
dataset based on the extracted traffic attributes.
[00026] In an aspect, the method may comprise a step of determining the limit ranges
based on the updated training and testing dataset.
BRIEF DESCRIPTION OF THE DRAWINGS
[00027] The accompanying drawings are included to provide a further understanding of
the present disclosure, and are incorporated in and constitute a part of this specification. The
drawings illustrate exemplary embodiments of the present disclosure and, together with the
description, serve to explain the principles of the present disclosure.
[00028] The diagrams are for illustration only, which thus is not a limitation of the
present disclosure, and wherein:
[00029] FIG. 1 illustrates exemplary network architecture of the proposed system to
illustrate its overall working in accordance with an embodiment of the present disclosure.
[00030] FIG. 2 illustrates exemplary functional modules of a processing unit of the
proposed system in accordance with an exemplary embodiment of the present disclosure.
[00031] FIG. 3 illustrates exemplary implementation for network security in the nodes,
in accordance with an embodiment of the present disclosure.
[00032] FIG. 4 is a flow diagram illustrating a method for facilitating network security
in the nodes, in accordance with an embodiment of the present disclosure.
[00033] FIG. 5 illustrates an exemplary computer system in which or with which
embodiments of the present invention can be utilized in accordance with embodiments of the
present disclosure.
DETAILED DESCRIPTION OF THE INVENTION
[00034] In the following description, numerous specific details are set forth in order to
provide a thorough understanding of embodiments of the present invention. It will be apparent
to one skilled in the art that embodiments of the present invention may be practiced without
some of these specific details.
[00035] Embodiments of the present invention may be provided as a computer program
product, which may include a machine-readable storage medium tangibly embodying thereon
instructions, which may be used to program a computer (or other electronic devices) to perform
a process. The machine-readable medium may include, but is not limited to, fixed (hard) drives,
magnetic tape, floppy diskettes, optical disks, compact disc read-only memories (CD-ROMs),
and magneto-optical disks, semiconductor memories, such as ROMs, PROMs, random access
memories (RAMs), programmable read-only memories (PROMs), erasable PROMs
(EPROMs), electrically erasable PROMs (EEPROMs), flash memory, magnetic or optical
cards, or other type of media/machine-readable medium suitable for storing electronic
instructions (e.g., computer programming code, such as software or firmware).
[00036] Various methods described herein may be practiced by combining one or more
machine-readable storage media containing the code according to the present invention with
appropriate standard computer hardware to execute the code contained therein. An apparatus
for practicing various embodiments of the present invention may involve one or more
computers (or one or more processors within a single computer) and storage systems containing
or having network access to computer program(s) coded in accordance with various methods
described herein, and the method steps of the invention could be accomplished by modules,
routines, subroutines, or subparts of a computer program product.
[00037] If the specification states a component or feature “may”, “can”, “could”, or
“might” be included or have a characteristic, that particular component or feature is not
required to be included or have the characteristic.
[00038] As used in the description herein and throughout the claims that follow, the
meaning of “a,” “an,” and “the” includes plural reference unless the context clearly dictates
otherwise. Also, as used in the description herein, the meaning of “in” includes “in” and “on”
unless the context clearly dictates otherwise.
[00039] The recitation of ranges of values herein is merely intended to serve as a
shorthand method of referring individually to each separate value falling within the range.
Unless otherwise indicated herein, each individual value is incorporated into the specification
as if it were individually recited herein. All methods described herein can be performed in any
suitable order unless otherwise indicated herein or otherwise clearly contradicted by context.
The use of any and all examples, or exemplary language (e.g. “such as”) provided with respect
to certain embodiments herein is intended merely to better illuminate the invention and does
not pose a limitation on the scope of the invention otherwise claimed. No language in the
specification should be construed as indicating any non-claimed element essential to the
practice of the invention.
[00040] Groupings of alternative elements or embodiments of the invention disclosed
herein are not to be construed as limitations. Each group member can be referred to and claimed
individually or in any combination with other members of the group or other elements found
herein. One or more members of a group can be included in, or deleted from, a group for
reasons of convenience and/or patentability. When any such inclusion or deletion occurs, the
specification is herein deemed to contain the group as modified thus fulfilling the written
description of all groups used in the appended claims.
[00041] Exemplary embodiments will now be described more fully hereinafter with
reference to the accompanying drawings, in which exemplary embodiments are shown. This
invention may, however, be embodied in many different forms and should not be construed as
limited to the embodiments set forth herein. These embodiments are provided so that this
disclosure will be thorough and complete and will fully convey the scope of the invention to
those of ordinary skill in the art. Moreover, all statements herein reciting embodiments of the
invention, as well as specific examples thereof, are intended to encompass both structural and
functional equivalents thereof. Additionally, it is intended that such equivalents include both
currently known equivalents as well as equivalents developed in the future (i.e., any elements
developed that perform the same function, regardless of structure).
[00042] The present disclosure relates to the field of network security. In particular, the
present disclosure provides a system and method for detecting attacks in networks caused
during heavy traffic.
[00043] According to an aspect the present disclosure pertains to a system to facilitate
security to a network, wherein the system can include one or more processors coupled with a
memory, the memory storing instructions executable by the one or more processors and can be
configured to receive a set of data packets from at least one of a plurality of nodes associated
with the network. The processors can extract traffic attributes from the received set of data
packets, where the extracted traffic attributes can pertain to at least one node among the
plurality of nodes; compare the extracted traffic attributes with a first data set, where the
first dataset may comprise pre-determined limit ranges and generate a set of alarm signals in
case at least one of the extracted traffic attributes may be beyond the pre-determined limit
ranges.
[00044] In an embodiment, the network can be any or a combination of Local Area
Network (LAN), Wide Area Network (WAN), Metropolitan Area Network (MAN) and
Personal Area Network (PAN).
[00045] In an embodiment, the nodes can be any or a combination of Software Defined
Networking (SDN) Controller, Open flow switch and Node cluster controller.
[00046] In an embodiment, the system can be configured to monitor the traffic attributes
of the Software Defined Networking (SDN) and the Open flow switch simultaneously.
[00047] In an embodiment, the system can generate a set of validation signals when at
least one of the extracted traffic attributes is within the predetermined limit ranges.
[00048] In an embodiment, the system can include a display unit configured to display
nodal parameters associated with the generated alarm signals.
[00049] In an embodiment, the nodal parameters can include any or a combination of
node ID, details of entities, IP address, login ID, login details and source ID of intruder.
[00050] According to another aspect, the present disclosure pertains to a method for
facilitating security to one or more networks, where the method includes the steps of: receiving,
at one or more processors of a processing unit, the set of data packets from at least one of a
plurality of nodes associated with one or more networks; extracting, at the one or more
processors, traffic attributes from the received set of data packets, where the set of data packets
can be associated with one or more networks; comparing, at the one or more processors, the
extracted traffic attributes with the first dataset, where the first dataset can include
pre-determined limit ranges; and generating, at the one or more processors, the set of alarm
signals in case at least one of the extracted traffic attributes is found beyond the
pre-determined limit ranges.
[00051] In an embodiment, the method can include a step of updating a training and
testing dataset based on the extracted traffic attributes.
[00052] In an embodiment, the method can include a step of determining the limit ranges
based on the updated training and testing dataset.
[00053] FIG. 1 illustrates exemplary network architecture of the proposed system to
illustrate its overall working in accordance with an embodiment of the present disclosure.
[00054] According to an embodiment of the present disclosure, a proposed system 100
can facilitate a network security for nodes 110-1, 110-2… 110-N (also, collectively referred to
as nodes 110, herein) of the network. As illustrated, the proposed system 100 can include a
processing unit 102. The processing unit 102 can be communicatively coupled with any or a
combination of the server 106 and the nodes 110 through a network 104. In an embodiment,
the processing unit 102 can be implemented using any or a combination of hardware
components and software components such as a cloud, a server, a computing system, a
computing device, a network device and the like. Further, the processing unit 102 can interact
with nodes 110 through a website or an application that can reside in the proposed system 100.
In an implementation, the processing unit 102 can be accessed by a website or application that
can be configured with any operating system, including but not limited to, Android™,
iOS™, and the like.
[00055] Further, the network 104 can be a wireless network, a wired network or a
combination thereof that can be implemented as one of the different types of networks, such as
Intranet, Local Area Network (LAN), Wide Area Network (WAN), Internet, and the like.
Further, the network 104 can either be a dedicated network or a shared network. The shared
network can represent an association of the different types of networks that can use variety of
protocols, for example, Hypertext Transfer Protocol (HTTP), Transmission Control
Protocol/Internet Protocol (TCP/IP), Wireless Application Protocol (WAP), and the like.
[00056] In an embodiment, a system 100 can include a processing unit 102, where the
processing unit 102 can include one or more processors coupled with a memory, the memory
storing instructions executable by the one or more processors and can be configured to receive
a set of data packets from at least one of a plurality of nodes associated with the network. The
processing unit 102 can extract traffic attributes from the received set of data packets, where
the extracted traffic attributes can pertain to at least one node among the plurality of nodes. The
processing unit 102 can compare the extracted traffic attributes with a first data set, where the
first dataset can include pre-determined limit ranges and can generate a set of alarm signals in
case at least one of the extracted traffic attributes is beyond the pre-determined limit ranges.
[00057] In an embodiment, nodes 110 can be configured with a network 104, where
said nodes can be any or a combination of Software Defined Networking (SDN) Controller,
OpenFlow switch and Node cluster controller. For example, the proposed system 100 can be
used when the intruder bombards a huge amount of traffic towards nodes such as the SDN
controller and OpenFlow switches. Also, in an embodiment, when the network traffic exceeds
a pre-determined limit range or a threshold value, a set of alarm signals can be generated. In
another embodiment, a set of validation signals can be generated when the traffic attributes
are within the pre-determined limit ranges.
[00058] In an embodiment, the system 100 can include a display unit configured to display
nodal parameters associated with the generated alarm signals, where the nodal parameters can
include any or a combination of node ID, details of entities, IP address, login ID, login details
and source ID of intruder. For example, when an intruder bombards a huge amount of traffic
towards nodes 110 such as the SDN controller and OpenFlow switches, and the extracted traffic
attributes are found beyond the pre-determined limit ranges or threshold value, the set of alarm
signals can be generated and the nodal parameters such as source ID, node ID and login details
of the intruder can be displayed. The system can help the network manager to block the
incoming traffic from said source and continue the normal functionality of the network.
[00059] FIG. 2 illustrates exemplary functional modules of a processing unit 102 of the
proposed system in accordance with an exemplary embodiment of the present disclosure.
[00060] As illustrated, the processing unit 102 can include one or more processor(s) 202.
The one or more processor(s) 202 can be implemented as one or more microprocessors,
microcomputers, microcontrollers, digital signal processors, central processing units, logic
circuitries, and/or any devices that manipulate data based on operational instructions. Among
other capabilities, the one or more processor(s) 202 are configured to fetch and execute
computer-readable instructions stored in a memory 204 of the processing unit 102. The
memory 204 can store one or more computer-readable instructions or routines, which may be
fetched and executed to create or share the data units over a network service. The memory 204
can include any non-transitory storage device including, for example, volatile memory such as
RAM, or non-volatile memory such as EPROM, flash memory, and the like.
[00061] In an embodiment, the processing unit 102 can also include an interface(s) 206.
The interface(s) 206 may include a variety of interfaces, for example, interfaces for data input
and output devices, referred to as I/O devices, storage devices, and the like. The interface(s)
206 may facilitate communication of the processing unit 102 with various devices coupled to
the unit 102. The interface(s) 206 may also provide a communication pathway for one or more
components of the processing unit 102. Examples of such components include, but are not
limited to, processing engine(s) 208 and data 210.
[00062] In an embodiment, the processing engine(s) 208 can be implemented as a
combination of hardware and programming (for example, programmable instructions) to
implement one or more functionalities of the processing engine(s) 208. In examples described
herein, such combinations of hardware and programming may be implemented in several
different ways. For example, the programming for the processing engine(s) 208 may be
processor executable instructions stored on a non-transitory machine-readable storage medium
and the hardware for the processing engine(s) 208 may include a processing resource (for
example, one or more processors), to execute such instructions. In the present examples, the
machine-readable storage medium may store instructions that, when executed by the
processing resource, implement the processing engine(s) 208. In such examples, the processing
unit 102 can include the machine-readable storage medium storing the instructions and the
processing resource to execute the instructions, or the machine-readable storage medium may
be separate but accessible to processing unit 102 and the processing resource. In other
examples, the processing engine(s) 208 may be implemented by electronic circuitry. The data
210 can include data that is either stored or generated as a result of functionalities implemented
by any of the components of the processing engine(s) 208.
[00063] In an embodiment, the processing engine(s) 208 can include an extraction
unit 212, a comparison unit 214, a signal generation unit 216, and other unit(s) 218. The other
unit(s) 218 can implement functionalities that supplement applications or functions performed
by the processing unit 102 or the processing engine(s) 208.
[00064] In an embodiment, the extraction unit 212 of the processing unit 102 can
facilitate extraction of traffic attributes from the received set of data packets, where the
extracted traffic attributes can pertain to at least one node among the plurality of nodes 110
associated with the network 104. In another embodiment, the extracted traffic attributes can be
received from the set of data packets, where the set of data packets can be received from at
least one of the plurality of nodes 110 associated with the network 104. The nodes 110 of the
network 104 can include any or a combination of Software Defined Networking (SDN)
Controller, OpenFlow switch and Node cluster controller.
[00065] In an embodiment, the comparison unit 214 of the processing unit 102 can
compare the extracted traffic attributes with a first dataset, where the first dataset can include
pre-determined limit ranges. The extracted traffic attributes can be received from the set of data
packets, where the set of data packets can be received from at least one of the plurality of nodes
associated with the network 104. The comparison of the extracted traffic attributes can be done
with the pre-determined limit ranges.
[00066] In an embodiment, the signal generation unit 216 of the processing unit 102 can
generate a set of alarm signals in case at least one of the extracted traffic attributes is beyond
the pre-determined limit ranges. The comparison of the extracted traffic attributes from the
received set of data packets can be done with the first dataset where first dataset can include
pre-determined limit ranges for the traffic attributes. For example, when the compared
extracted traffic attributes are found beyond the pre-determined limit ranges, an alarm signal
can be generated to give the user an indication of the security threat to at least one of the nodes
110 of the network 104. The nodes 110 can be any or a combination of Software Defined
Networking (SDN) Controller, OpenFlow switch and Node cluster controller. The network 104
can be any or a combination of Local Area Network (LAN), Wide Area Network (WAN),
Metropolitan Area Network (MAN) and Personal Area Network (PAN).
[00067] FIG. 3 illustrates exemplary implementation for facilitating dataflow in the
network security system, in accordance with an embodiment of the present disclosure.
[00068] As illustrated in an embodiment, a system 100 can include a processing unit
102, where the processing unit 102 can include one or more processors coupled with a memory,
the memory storing instructions executable by the one or more processors and can be
configured to receive a set of data packets from at least one of a plurality of nodes 110
associated with a network 104. The processing unit 102 can extract traffic attributes from the
received set of data packets, where the extracted traffic attributes can pertain to at least one
node among the plurality of nodes. The processing unit 102 can compare the extracted traffic
attributes with a first data set, where the first dataset can include pre-determined limit ranges
and can generate a set of alarm signals in case at least one of the extracted traffic attributes is
beyond the pre-determined limit ranges.
[00069] In an embodiment, a comparison unit 214 in the processing unit 102 can
compare the extracted traffic attributes with the first dataset, where the first dataset has
pre-determined limit ranges associated with said nodes 110. The nodes can be any or a
combination of Software Defined Networking (SDN) Controller, OpenFlow switch and Node
cluster controller. For example, when the intruder bombards a huge amount of traffic towards
nodes such as the SDN controller or an OpenFlow switch, the system detects this and generates
an alarm signal. The generation of alarm signals can be done based on the pre-determined limit
ranges, which can also be called threshold values.
[00070] In an embodiment, a signal generation unit 214 in the processing unit 102 can
generate the set of alarm signals based on the extracted traffic attributes associated with the
nodes 110, where the nodes can be any or a combination of Software Defined Networking
(SDN) Controller, OpenFlow switch and Node cluster controller. For example, when the
network traffic exceeds the threshold value, a set of alarm signals can be generated, and a set of
validation signals can be generated when the traffic attributes or network traffic are within
the threshold limit. The system 100 can closely work with the associated nodes 110, where the
nodes can be any or a combination of Software Defined Networking (SDN) Controller,
OpenFlow switch and Node cluster controller. Also, the system 100 can be configured to monitor
the traffic attributes of the nodes simultaneously.
[00071] In an embodiment, the proposed system 100 can include a display
unit configured to display nodal parameters associated with the generated alarm signals,
where the nodal parameters can include any or a combination of node ID, details of entities, IP
address, login ID, login details and source ID of intruder. For example, when an intruder
bombards a huge amount of traffic towards the nodes 110 such as the SDN controller and
OpenFlow switches, and the extracted traffic attributes are found beyond the pre-determined
limit ranges or threshold value, the set of alarm signals can be generated and said nodal
parameters such as the source ID, node ID and login details of the intruder can be displayed.
The proposed system 100 can help the network manager to block the incoming traffic from that
source and continue the normal functionality of the network.
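An added example, not part of the specification: a Python illustration of the receive, extract, compare and signal steps described above, with the limit ranges derived from a training dataset that is updated as traffic is observed. The packet record layout, the one-second window, the mean-plus-three-standard-deviations rule, the node names and all sample values are assumptions constructed for illustration.

```python
from collections import Counter, defaultdict
from statistics import mean, pstdev

WINDOW = 1.0  # assumed observation window, in seconds


def extract_attributes(packets, window=WINDOW):
    """Traffic attributes: packets per (node, window), split by kind and source.

    A packet record is (timestamp, node_id, source_id, kind); this layout is an
    assumption, with kind being "tcp_syn" or "http".
    """
    buckets = defaultdict(lambda: defaultdict(Counter))
    for ts, node, src, kind in packets:
        buckets[(node, int(ts // window))][kind][src] += 1
    return buckets


def limit_ranges(training, k=3.0):
    """First dataset: a (low, high) range per (node, kind) from training counts.

    high = mean + k * standard deviation is an assumed rule, not the patent's.
    """
    return {key: (0.0, mean(v) + k * pstdev(v)) for key, v in training.items() if v}


def evaluate(packets, training, k=3.0):
    """Compare each window with the limit ranges and emit one signal per window.

    `training` is updated in place, but only with windows that validated, so a
    flood cannot raise its own threshold.
    """
    signals = []
    windows = extract_attributes(packets)
    for node, win in sorted(windows, key=lambda nw: (nw[1], nw[0])):
        limits = limit_ranges(training, k)
        breaches = []
        for kind, per_src in sorted(windows[(node, win)].items()):
            count = sum(per_src.values())
            # Unknown (node, kind) pairs get an empty range and therefore alarm.
            low, high = limits.get((node, kind), (0.0, 0.0))
            if not low <= count <= high:
                src, src_count = per_src.most_common(1)[0]
                breaches.append({"attribute": kind, "count": count,
                                 "limit": (low, high), "top_source": src,
                                 "top_source_packets": src_count})
        if breaches:
            signals.append({"signal": "alarm", "node": node, "window": win,
                            "breaches": breaches})
        else:
            signals.append({"signal": "validation", "node": node, "window": win})
            for kind, per_src in windows[(node, win)].items():
                training[(node, kind)].append(sum(per_src.values()))
    return signals


def baseline_training():
    """Constructed per-window packet counts seen during normal operation."""
    return {
        ("switch-1", "tcp_syn"): [4, 5, 6, 5, 4],
        ("switch-1", "http"): [10, 12, 11, 9, 10],
        ("controller-1", "tcp_syn"): [2, 3, 2, 3, 2],
    }


def sample_packets():
    """Constructed traffic: a normal window 0, then a SYN flood on switch-1."""
    packets = []

    def burst(start, node, src, kind, n):
        # n packets spread evenly inside the one-second window starting at `start`.
        packets.extend((start + i / (n + 1), node, src, kind) for i in range(n))

    burst(0.0, "switch-1", "192.0.2.10", "tcp_syn", 3)
    burst(0.0, "switch-1", "192.0.2.11", "tcp_syn", 2)
    burst(0.0, "switch-1", "192.0.2.10", "http", 10)
    burst(0.0, "controller-1", "192.0.2.20", "tcp_syn", 2)
    burst(1.0, "switch-1", "203.0.113.7", "tcp_syn", 40)  # constructed flood source
    burst(1.0, "switch-1", "192.0.2.11", "tcp_syn", 3)
    burst(1.0, "switch-1", "192.0.2.10", "http", 9)
    burst(1.0, "controller-1", "192.0.2.20", "tcp_syn", 3)
    return packets


if __name__ == "__main__":
    for signal in evaluate(sample_packets(), baseline_training()):
        print(signal)
```

The alarm record carries the node ID and the dominant source for the breached attribute, which is the information the display unit is described as presenting to the network manager.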
[00072] FIG. 4 is a flow diagram illustrating a method for facilitating dataflow in the
network security system, in accordance with an embodiment of the present disclosure.
[00073] As illustrated in an embodiment, said method can include a step of receiving,
at one or more processors of a processing unit, the set of data packets from at least one of a
plurality of nodes associated with one or more network.
[00074] In an embodiment, said method can include a step of extracting, at the one or
more processors, traffic attributes from said received set of data packets, where the set of data
packets can be associated with one or more network 104. The extracted traffic attributes can be
received from the set of data packets, where the set of data packets can be received from at
least one of the plurality of nodes 110 associated with the network 104. The nodes 110 of the
network 104 can include any or a combination of Software Defined Networking (SDN)
Controller, OpenFlow switch and Node cluster controller. Said method can include a step
of updating a training and testing dataset based on the extracted traffic attributes, where
said step of determining the limit ranges can be based on the updated training and testing
dataset.
[00075] In an embodiment, said method can include a step of comparing, at the one
or more processors, the extracted traffic attributes with a first dataset, where said first dataset
can include pre-determined limit ranges. Said extracted traffic attributes can be received
from the set of data packets, where the set of data packets can be received from at least one of
the plurality of nodes 110 associated with the network 104. The comparison of the extracted
traffic attributes can be done with the help of the pre-determined limit ranges. Said method can
include a step of updating a training and testing dataset based on the extracted traffic attributes,
where said step of determining the limit ranges can be based on the updated training and
testing dataset.
[00076] In an embodiment, said method can include a step of generating, at the one
or more processors, a set of alarm signals in case at least one of the extracted traffic attributes
is found beyond the pre-determined limit ranges. The comparison of said extracted traffic
attributes from the received set of data packets can be done with said first dataset, where the first
dataset can include pre-determined limit ranges for the traffic attributes. For example, when
the compared extracted traffic attributes are found beyond the pre-determined limit ranges, an
alarm signal can be generated to give the user an indication of the security threat to at least
one of the nodes 110 of the network 104. The nodes 110 can be any or a combination of
Software Defined Networking (SDN) Controller, OpenFlow switch and Node cluster
controller. The network 104 can be any or a combination of Local Area Network (LAN), Wide
Area Network (WAN), Metropolitan Area Network (MAN) and Personal Area Network
(PAN).
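The receive, extract, compare and alarm steps of paragraphs [00073] to [00076], with the dataset update, as a small Python sketch; it is added here as an illustration and is not code from the specification. The attribute names (`pkt_count`, `syn_count`), the mean-plus-three-standard-deviations rule for the limit ranges, feeding back only validated sources, and the sample packets are all assumptions, since the specification does not state how the ranges are computed.

```python
from collections import Counter
from statistics import mean, pstdev

def extract_attributes(packets):
    """Per (node, source) traffic attributes for one observation window."""
    pkts, syns = Counter(), Counter()
    for p in packets:
        key = (p["node"], p["src"])
        pkts[key] += 1
        if p["flags"] == "S":              # bare SYN, no ACK
            syns[key] += 1
    return {k: {"pkt_count": pkts[k], "syn_count": syns[k]} for k in pkts}

def determine_limit_ranges(training_rows, k=3.0):
    """Assumed rule: limit range per attribute is [0, mean + k * stddev]."""
    ranges = {}
    for name in training_rows[0]:
        values = [row[name] for row in training_rows]
        ranges[name] = (0.0, mean(values) + k * pstdev(values))
    return ranges

def compare(attributes, limit_ranges):
    """Alarm when any attribute is beyond its range, else a validation signal."""
    alarms, validations = [], []
    for (node, src), attrs in sorted(attributes.items()):
        beyond = [n for n, v in attrs.items()
                  if not limit_ranges[n][0] <= v <= limit_ranges[n][1]]
        if beyond:
            alarms.append({"node_id": node, "source_id": src, "beyond": beyond})
        else:
            validations.append((node, src))
    return alarms, validations

def update_dataset(training_rows, attributes, validations):
    """Append only validated sources, so flood traffic cannot widen the ranges."""
    return training_rows + [attributes[key] for key in validations]

# Constructed baseline: per-source counts observed in normal windows.
TRAINING = [{"pkt_count": c, "syn_count": s}
            for c, s in [(40, 2), (55, 3), (48, 1), (60, 4), (52, 2)]]
# Constructed window: one ordinary client and one source sending only SYNs.
WINDOW = ([{"node": "of-switch-1", "src": "10.0.0.5", "flags": "PA"}] * 45
          + [{"node": "of-switch-1", "src": "10.0.0.5", "flags": "S"}] * 2
          + [{"node": "sdn-controller", "src": "10.0.0.99", "flags": "S"}] * 500)

def run_demo():
    limits = determine_limit_ranges(TRAINING)
    attributes = extract_attributes(WINDOW)
    alarms, validations = compare(attributes, limits)
    return limits, alarms, validations, update_dataset(TRAINING, attributes, validations)
```

A fixed statistical range like this only flags volume anomalies; a source that stays just inside the range is reported as validated, which is why the feedback step deserves the same scrutiny as the alarm step.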
[00077] FIG. 5 illustrates an exemplary computer system in which or with which
embodiments of the present invention can be utilized in accordance with embodiments of the
present disclosure.
[00078] As shown in FIG. 5, computer system includes an external storage device 510,
a bus 520, a main memory 530, a read only memory 540, a mass storage device 550,
communication port 560, and a processor 570. A person skilled in the art will appreciate that
computer system may include more than one processor and communication ports. Examples of
processor 570 include, but are not limited to, an Intel® Itanium® or Itanium 2 processor(s), or
AMD® Opteron® or Athlon MP® processor(s), Motorola® lines of processors, FortiSOC™
system on a chip processors or other future processors. Processor 570 may include various
modules associated with embodiments of the present invention. Communication port 560 can
be any of an RS-232 port for use with a modem based dialup connection, a 10/100 Ethernet
port, a Gigabit or 10 Gigabit port using copper or fiber, a serial port, a parallel port, or other
existing or future ports. Communication port 560 may be chosen depending on a network, such
as a Local Area Network (LAN), Wide Area Network (WAN), or any network to which computer
system connects.
[00079] In an embodiment, the memory 530 can be Random Access Memory (RAM),
or any other dynamic storage device commonly known in the art. Read only memory 540 can
be any static storage device(s), e.g., but not limited to, Programmable Read Only Memory
(PROM) chips for storing static information, e.g., start-up or BIOS instructions for processor
570. Mass storage 550 may be any current or future mass storage solution, which can be used
to store information and/or instructions. Exemplary mass storage solutions include, but are not
limited to, Parallel Advanced Technology Attachment (PATA) or Serial Advanced Technology
Attachment (SATA) hard disk drives or solid-state drives (internal or external, e.g., having
Universal Serial Bus (USB) and/or Firewire interfaces), e.g. those available from Seagate (e.g.,
the Seagate Barracuda 7102 family) or Hitachi (e.g., the Hitachi Deskstar 7K1000), one or
more optical discs, Redundant Array of Independent Disks (RAID) storage, e.g. an array of
disks (e.g., SATA arrays), available from various vendors including Dot Hill Systems Corp.,
LaCie, Nexsan Technologies, Inc. and Enhance Technology, Inc.
[00080] In an embodiment, the bus 520 communicatively couples processor(s) 570 with
the other memory, storage and communication blocks. Bus 520 can be, e.g. a Peripheral
Component Interconnect (PCI) / PCI Extended (PCI-X) bus, Small Computer System Interface
(SCSI), USB or the like, for connecting expansion cards, drives and other subsystems as well
as other buses, such as a front side bus (FSB), which connects processor 570 to software system.
[00081] In another embodiment, operator and administrative interfaces, e.g. a display,
keyboard, and a cursor control device, may also be coupled to bus 520 to support direct operator
interaction with computer system. Other operator and administrative interfaces can be provided
through network connections connected through communication port 560. External storage
device 510 can be any kind of external hard-drives, floppy drives, IOMEGA® Zip Drives,
Compact Disc - Read Only Memory (CD-ROM), Compact Disc - Re-Writable (CD-RW),
Digital Video Disk - Read Only Memory (DVD-ROM). Components described above are
meant only to exemplify various possibilities. In no way should the aforementioned exemplary
computer system limit the scope of the present disclosure.
[00082] Thus, it will be appreciated by those of ordinary skill in the art that the diagrams,
schematics, illustrations, and the like represent conceptual views or processes illustrating
systems and methods embodying this invention. The functions of the various elements shown
in the figures may be provided through the use of dedicated hardware as well as hardware
capable of executing associated software. Similarly, any switches shown in the figures are
conceptual only. Their function may be carried out through the operation of program logic,
through dedicated logic, through the interaction of program control and dedicated logic, or even
manually, the particular technique being selectable by the entity implementing this invention.
Those of ordinary skill in the art further understand that the exemplary hardware, software,
processes, methods, and/or operating systems described herein are for illustrative purposes and,
thus, are not intended to be limited to any particular named.
[00083] While embodiments of the present invention have been illustrated and
described, it will be clear that the invention is not limited to these embodiments only. Numerous
modifications, changes, variations, substitutions, and equivalents will be apparent to those
skilled in the art, without departing from the spirit and scope of the invention, as described in
the claim.
[00084] In the foregoing description, numerous details are set forth. It will be apparent,
however, to one of ordinary skill in the art having the benefit of this disclosure, that the present
invention may be practiced without these specific details. In some instances, well-known
structures and devices are shown in block diagram form, rather than in detail, to avoid
obscuring the present invention.
[00085] As used herein, and unless the context dictates otherwise, the term "coupled to"
is intended to include both direct coupling (in which two elements that are coupled to each
other contact each other) and indirect coupling (in which at least one additional element is
located between the two elements). Therefore, the terms "coupled to" and "coupled with" are
used synonymously. Within the context of this document terms "coupled to" and "coupled
with" are also used euphemistically to mean “communicatively coupled with” over a network,
where two or more devices are able to exchange data with each other over the network, possibly
via one or more intermediary device.
[00086] It should be apparent to those skilled in the art that many more modifications
besides those already described are possible without departing from the inventive concepts
herein. The inventive subject matter, therefore, is not to be restricted except in the spirit of the
appended claims. Moreover, in interpreting both the specification and the claims, all terms
should be interpreted in the broadest possible manner consistent with the context. In particular,
the terms “comprises” and “comprising” should be interpreted as referring to elements,
components, or steps in a non-exclusive manner, indicating that the referenced elements,
components, or steps may be present, or utilized, or combined with other elements,
components, or steps that are not expressly referenced. Where the specification claims refer
to at least one of something selected from the group consisting of A, B, C … and N, the text
should be interpreted as requiring only one element from the group, not A plus N, or B plus N,
etc.
[00087] While the foregoing describes various embodiments of the invention, other and
further embodiments of the invention may be devised without departing from the basic scope
thereof. The scope of the invention is determined by the claims that follow. The invention is
not limited to the described embodiments, versions or examples, which are included to enable
a person having ordinary skill in the art to make and use the invention when combined with
information and knowledge available to the person having ordinary skill in the art.
ADVANTAGES OF THE PRESENT DISCLOSURE
[00088] The present disclosure provides a system and method which can work in a
multi-controller environment in which there exists one leader and two followers. For example, the
system and method can work for both TCP-SYN and HTTP based network traffic.
[00089] The present disclosure provides a system and method which alerts the user
to a network attack associated with the nodes.
[00090] The present disclosure provides a system and method which can help in
identifying the intruder for any malicious attack on the network.
[00091] The present disclosure provides a system and method which can handle an
enormous amount of traffic and generate an alarm for it when the intruder targets
nodes such as the OpenFlow switches or the centralized SDN Controller.
[00092] The present disclosure provides a robust, efficient, innovative, cost effective
system and method for network security.
[00093] The present disclosure provides a system and method for providing an
interesting, interactive, accurate, fast, efficient, cost effective network security system.

We Claim:

1. A system to provide security to a network, wherein the system comprises:
one or more processors coupled with a memory, the memory storing instructions
executable by the one or more processors and configured to:
receive a set of data packets from at least one of a plurality of nodes associated
with the network;
extract traffic attributes from the received set of data packets, wherein the extracted
traffic attributes pertain to at least one node among the plurality of nodes;
compare the extracted traffic attributes with a first data set, wherein the
first dataset comprises pre-determined limit ranges;
generate a set of alarm signals in case at least one of the extracted traffic attributes
is beyond the pre-determined limit ranges.
2. The system as claimed in claim 1, wherein the network comprises any or a combination of
Local Area Network (LAN), Wide Area Network (WAN), Metropolitan Area Network (MAN)
and Personal Area Network (PAN).
3. The system as claimed in claim 1, wherein the nodes comprise any or a combination of
Software Defined Networking (SDN) Controller, Open flow switch and Node cluster
controller.
4. The system as claimed in claim 3, wherein the system is configured to monitor the traffic
attributes of the Software Defined Networking (SDN) and the Open flow switch
simultaneously.
5. The system as claimed in claim 1, wherein the system generates a set of validation signals
when at least one of the extracted traffic attributes is within the predetermined limit ranges.
6. The system as claimed in claim 1, wherein the system comprises a display unit configured
to display nodal parameters associated with the generated alarm signals.
7. The system as claimed in claim 8, wherein the nodal parameters comprise any or a
combination of node ID, details of entities, IP address, login ID, login details and source ID of
intruder.
8. A method to provide security to one or more networks wherein the method comprises steps
of
receiving, at one or more processors of a processing unit, the set of data packets from at
least one of a plurality of nodes associated with one or more network
extracting, at the one or more processors, traffic attributes from the received set of data
packets wherein the set of data packets associated with one or more network
comparing, at the one or more processors, the extracted traffic attributes with the first
data set wherein the first dataset comprising pre-determined limit ranges and
generating, at the one or more processors, the set of alarm signals in case at least one
of the extracted traffic attributes is beyond the pre-determined limit ranges.
9. The method as claimed in claim 8, wherein the method comprises a step of updating a
training and testing dataset based on the extracted traffic attributes.
10. The method as claimed in claim 9, wherein the method comprises a step of determining the
limit ranges based on the updated training and testing dataset.

Documents

Application Documents

# Name Date
1 202011016945-STATEMENT OF UNDERTAKING (FORM 3) [20-04-2020(online)].pdf 2020-04-20
2 202011016945-FORM FOR STARTUP [20-04-2020(online)].pdf 2020-04-20
3 202011016945-FORM FOR SMALL ENTITY(FORM-28) [20-04-2020(online)].pdf 2020-04-20
4 202011016945-FORM 1 [20-04-2020(online)].pdf 2020-04-20
5 202011016945-EVIDENCE FOR REGISTRATION UNDER SSI(FORM-28) [20-04-2020(online)].pdf 2020-04-20
6 202011016945-EVIDENCE FOR REGISTRATION UNDER SSI [20-04-2020(online)].pdf 2020-04-20
7 202011016945-DRAWINGS [20-04-2020(online)].pdf 2020-04-20
8 202011016945-DECLARATION OF INVENTORSHIP (FORM 5) [20-04-2020(online)].pdf 2020-04-20
9 202011016945-COMPLETE SPECIFICATION [20-04-2020(online)].pdf 2020-04-20
10 202011016945-FORM-26 [08-07-2020(online)].pdf 2020-07-08
11 202011016945-Proof of Right [21-07-2020(online)].pdf 2020-07-21
12 202011016945-FORM 18 [15-12-2021(online)].pdf 2021-12-15
13 202011016945-FER.pdf 2022-08-31
14 202011016945-FORM-26 [27-02-2023(online)].pdf 2023-02-27
15 202011016945-FER_SER_REPLY [27-02-2023(online)].pdf 2023-02-27
16 202011016945-CORRESPONDENCE [27-02-2023(online)].pdf 2023-02-27
17 202011016945-COMPLETE SPECIFICATION [27-02-2023(online)].pdf 2023-02-27
18 202011016945-CLAIMS [27-02-2023(online)].pdf 2023-02-27
19 202011016945-PatentCertificate01-09-2025.pdf 2025-09-01
20 202011016945-IntimationOfGrant01-09-2025.pdf 2025-09-01

Search Strategy

1 SearchE_31-08-2022.pdf

ERegister / Renewals