Shengsheng Yao,Mingwei Xu,Qi Li,Jiahao Cao,Qiyang Song

DOI: https://doi.org/10.1109/globecom38437.2019.9013473

2019-01-01

Abstract:To reduce the management costs, outsourcing network function (NF) to the cloud becomes prevalent in enterprises. This trend is increasing with the advent of network function virtualization (NFV). However, such outsourcing cannot guarantee the order and security of service function chains(SFCs) as the cloud is susceptible to attacks. In this paper, we introduce credible SFC (cSFC), a practical scheme to build secure service function chains on the untrusted cloud, cooperating with encrypted transport protocols. cSFC simultaneously shields NFs from an untrusted cloud and preserves the order of SFC sequence. Meanwhile, this scheme supports a wide range of NF functionalities and preserves the privacy of session data. We implement the cSFC prototype, and the evaluation result shows that it is practical with acceptable performance.

Qiang Wu,Ran Wang,Xincheng Yan,Chunming Wu,Rongxing Lu

DOI: https://doi.org/10.1109/MWC.001.2100251

IF: 12.777

2022-01-01

IEEE Wireless Communications

Abstract:Opening-up sharing has prompted the multi-tenancy architecture, whereby different vendors (including outsourcees) work together with network operators to form a vibrant service ecosystem, resulting in several advantages as well as risks. In particular, the static nature of existing architectures in network functions virtualization-based (NFV-based) clouds facilitate hacking. Thus, much attention has been focused on determining how to avoid the uncontrollable cloud security induced by complex production relations and non-trustworthy software/hardware sources when the two sets of security risks intersect. In this article, we investigate latent persistent threats against cloud environments and determine a high degree of complementarity and consistency between the NFV-based cloud environment and the dynamic defense concept. More specifically, new NFV-based cloud features provide an effective implementation for dynamic defense, while the generalized robustness of dynamic defense theory allows for high security gains. Intrinsic cloud security (iCS) is then proposed to align NFV-based clouds, mimicking defense and the moving target defense (MTD) paradigm to implement a seamless integration and symbiosis evolution between security and NFV-based clouds. We quantify the impact on system overhead to account for efficiency and cost issues. The simulation analysis demonstrates that the enhanced mode is able to consistently obtain a more beneficial and stable defense compared with the counterparts.

Wu Qiang,Wu Chunming,Yan Xincheng,Cheng Qiumei

DOI: https://doi.org/10.1109/tnsm.2021.3071774

2021-01-01

IEEE Transactions on Network and Service Management

Abstract:With the emergence of cloud native technology, the network slicing enables automatic service orchestration, flexible network scheduling and scalable network resource allocation, which profoundly affects the traditional security solution. Security is regarded as a technology independent of the cloud native architecture in the initial design, traditional passive defense such as “reinforced” and “stacked” is relied on to achieve system security protection. The lack of intrinsic security mechanisms makes the system capability insufficient when faces the uncertain threat brought by vulnerabilities and backdoors under the ecosystem of opening-up and sharing. The static nature of existing networks and computing systems makes them easy to be compromised and hard to defend, and thus it is urgent to provide intrinsic security and proactive protection against the unpredictable attacks. To this end, this paper proposes a novel paradigm named intrinsic cloud security (iCS) from the perspective of dynamic defense. The dynamic defense provides component-level security, and has complementary and consistency with the cloud native environment. In particular, iCS introduces mimic defense and moving target defense (MTD), and makes full use of the new features introduced by cloud native to implement an intrinsic and proactive defense mechanism with acceptable costs and efficiency. The iCS paradigm achieves seamless integration and symbiosis evolution between security and cloud native. We implement a trial of iCS based on 5GC commercial system and evaluate its performance on costs, efficiency and attack success. The result shows that the iCS enhanced mode always can provide a better and more stable defense effects.

Xiaoli Zhang,Qi Li,Jianping Wu,Jiahai Yang

DOI: https://doi.org/10.1109/IWQoS.2017.7969150

2017-06-01

Abstract:Network Function Virtualization (NFV) is an emerging technology to enable network functions (NFs) outsourcing on cloud so as to reduce the costs of deploying and maintaining NFs. However, NF outsourcing poses a serious gap between the expected service function chains (SFCs) and the real enforcement because SFC deployment and management on cloud is invisible to NF customers (i.e., enterprises). In this paper, we propose verifiable SFC, i.e., vSFC, the first scheme that allows an enterprise to accurately verify the correct enforcement of SFC in realtime. In particular, different from the-state-of-the-art network function verification schemes, vSFC is generic and agile, which can be deployed on various clouds, while not requiring modifications to any NFs on cloud. vSFC detects a wide range of SFC violations including forwarding path incompliance, flow dropping, and packet injection attacks. To demonstrate the feasibility and performance of vSFC, we implement a vSFC prototype built on top of KVM and conduct experiments with real traces. Our experiment results show that vSFC detects various SFC violations with a negligible overhead.

Computer Science

Xiaoli Zhang,Qi Li,Jianping Wu,Jiahai Yang

DOI: https://doi.org/10.1109/tnet.2020.3028846

2020-01-01

IEEE/ACM Transactions on Networking

Abstract:With the advent of network function virtualization (NFV), outsourcing network functions (NFs) to the cloud is becoming increasingly popular for enterprises since it brings significant benefits for NF deployment and maintenance, such as improved scalability and reduced overhead. However, NF outsourcing limits the control of customer enterprises over NF deployment and management, consequently raising serious security concerns. Enterprises cannot ensure whether their outsourced NFs and associated service function chains (SFCs) are correctly enforced according to their specifications. In this paper, we propose vSFC, an SFC verification scheme that allows an enterprise to accurately verify the correctness of SFC enforcement in real time. Specifically, it can detect a wide range of SFC violations including forwarding path incompliance, packet dropping, and flow dropping attacks. Meanwhile, it is generic and agile, which can be applied to arbitrary cloud architectures without requiring any modification to NFs. To demonstrate the feasibility and performance of vSFC, we implement a vSFC prototype on top of Linux kernel-based virtual machines (KVM) and conduct extensive experiments with real traffic. The experimental results show that vSFC can accurately detect SFC violations with negligible overhead.

Huan Chen,Shizhong Xu,Xiong Wang,Yangming Zhao,Ke Li,Yang Wang,Wei Wang,Le Min Li

DOI: https://doi.org/10.1109/ICC.2016.7510996

2016-01-01

Abstract:As Network Function Virtualization (NFV) becomes reality and cloud computing offers a scalable pay-as-you-go charging model, more network operators would like to outsource their Service Function Chains (SFC) to the public clouds in order to reduce the operational cost. However, how to minimize the operational cost with Quality of Service (QoS) guarantee when outsourcing SFC is still an open problem. In this paper, we are to study this problem when there are large number of candidate cloud providers with diverse pricing schemes of network functions. In addition, extra delay is introduced as the result of outsourcing SFCs. Firstly, we formulate this problem as an Integer Linear Programming (ILP) model. Then we design an efficient heuristic algorithm named QoS-Guaranteed SFC Outsourcing algorithm (QGSO) based on Hidden Markov Model (HMM). The extensive simulations show that QGSO saves up to 75.8% cost compared with that of deploying network functions in local network. QGSO also achieves up to 42.6% cost savings compared with the result of first-fit based optimization algorithm.

Junjie Shi,Yuan Zhang,Sheng Zhong

DOI: https://doi.org/10.48550/arxiv.1502.00389

2015-01-01

Abstract:Since the advent of software defined networks (SDN), there have been many attempts to outsource the complex and costly local network functionality, i.e. the middlebox, to the cloud in the same way as outsourcing computation and storage. The privacy issues, however, may thwart the enterprises' willingness to adopt this innovation since the underlying configurations of these middleboxes may leak crucial and confidential information which can be utilized by attackers. To address this new problem, we use firewall as an sample functionality and propose the first privacy preserving outsourcing framework and schemes in SDN. The basic technique that we exploit is a ground-breaking tool in cryptography, the cryptographic multilinear map. In contrast to the infeasibility in efficiency if a naive approach is adopted, we devise practical schemes that can outsource the middlebox as a blackbox after obfuscating it such that the cloud provider can efficiently perform the same functionality without knowing its underlying private configurations. Both theoretical analysis and experiments on real-world firewall rules demonstrate that our schemes are secure, accurate, and practical.

Zewei Liu,Chunqiang Hu,Ruinian Li,Tao Xiang,Xingwang Li,Jiguo Yu,Hui Xia

DOI: https://doi.org/10.1109/tcc.2022.3201401

IF: 5.697

2022-01-01

IEEE Transactions on Cloud Computing

Abstract:As one of the key technologies to enable the internet of things (IoT), cloud computing plays a significant role in providing huge computing and storage facilities for large-scale data. Though cloud computing brings great advantages, new issues emerge, such as data security breach and privacy disclosure. In this article, we introduce a novel secure and privacy-preserving outsourcing computing scheme (hereafter referred to as SPOCS) to tackle this issue. In SPOCS, the effective use of Intel Software Guard Extensions (SGX), one of the trusted execution environment (TEE), ensures the confidence and integrity of sensitive data in cloud computing and prevents data loss from causing privacy disclosure. In order to keep malicious cloud service providers (CSPs) from illegally tampering with the outsourcing results, blockchain is employed to ensure the data immutability. Significantly, our proposed scheme achieves anonymity and traceability. In the outsourcing process, smart contracts are applied to make the whole process fully automated without any human involvement. Finally, the security of the proposed scheme is analyzed in terms of its resistance to different attacks. The experiments indicate that our scheme is effective and efficient.

computer science, information systems, theory & methods

Hualong Sheng,Lingbo Wei,Chi Zhang,Xia Zhang

DOI: https://doi.org/10.1109/nana.2016.37

2016-01-01

Abstract:Firewall is the critical first line of defense against cyber attacks. In order to improve security and performance, modern enterprises have to deploy and manage their own firewalls. But the firewall infrastructure is expensive and complex to manage, thus enterprises begin to outsource their firewalls to the cloud to reduce firewall management and deployment costs. The current firewall outsourcing schemes require enterprises to fully trust the cloud. However, firewall policies are confidential information of enterprises, and enterprises do not want to reveal them to the cloud. Such privacy issues hinder the adoption of cloud-based firewall service. With the development of cloud computing, more and more enterprises migrate their IT systems to the cloud (we call these enterprises the IaaS-based enterprises). In this paper, we propose a privacy-preserving firewall outsourcing scheme for a new architecture, in which an IaaS-based enterprise outsources its firewall policies to another cloud. We implement a prototype of our scheme and the experimental results demonstrate the feasibility and performance of our scheme.

Huawei Huang,Song Guo,Jinsong Wu,Jie Li

DOI: https://doi.org/10.1109/tcc.2017.2721401

IF: 5.697

2019-01-01

IEEE Transactions on Cloud Computing

Abstract:In the Service-Function-Chaining (SFC) enabled networks, various sophisticated policy-aware network functions, such as intrusion detection, access control and unified threat management, can be realized in either physical middleboxes or virtualized network function (VNF) appliances. In this paper, we study the service chaining towards the hybrid SFC clouds, where both physical appliances and VNF appliances provide services collaboratively. In such hybrid SFC networks, the challenge is how to efficiently steer the service chains for traffic demands while matching their individual policy chains concurrently such that a utility associated with the total admitted traffic rate and the induced overheads can be maximized. We find such problem has not been well solved so far. To this end, we devise a Markov Approximation (MA) based algorithm. The approximation property of the proposed algorithm is also proved. Extensive evaluation results show that the proposed MA algorithm can yield near-optimal solutions and outperform other benchmark algorithms significantly.

Peipei Jiang,Qian Wang,Muqi Huang,Cong Wang,Qi Li,Chao Shen,Kui Ren

DOI: https://doi.org/10.1109/jproc.2021.3127277

IF: 20.6

2021-12-01

Proceedings of the IEEE

Abstract:Network function virtualization (NFV) has been promising to improve the availability, programmability, and flexibility of network function deployment and communication facilities. Meanwhile, with the advancements of cloud technologies, there has been a trend to outsource network functions through virtualization to a cloud service provider, so as to alleviate the local burdens on provisioning and managing such hardware resources. Promising as it is, redirecting the communication traffic to a third-party service provider has drawn various security and privacy concerns. Traditional end-to-end encryption can protect the traffic in transmit, but it also hinders data usability. This dilemma has raised wide interests from both industry and academia, and great efforts have been made to realize privacy-preserving network function outsourcing that can guarantee the confidentiality of network communications while preserving the ability to inspect the traffic. In this article, we conduct a comprehensive survey of the state-of-the-art literature on network function outsourcing, with a special focus on privacy and security issues. We first give a brief introduction to NFV and pinpoint its challenges and security risks in the cloud context. Then, we present detailed descriptions and comparisons of existing secure network function outsourcing schemes in terms of functionality, efficiency, and security. Finally, we conclude by discussing possible future research directions.

engineering, electrical & electronic

Ali Sajjad,Muttukrishnan Rajarajan,Andrea Zisman,Theo Dimitrakos

DOI: https://doi.org/10.1016/j.future.2015.01.018

IF: 7.307

2015-01-01

Future Generation Computer Systems

Abstract:Most of the current cloud computing platforms offer Infrastructure as a Service (IaaS) model, which aims to provision basic virtualized computing resources as on-demand and dynamic services. Nevertheless, a single cloud does not have limitless resources to offer to its users, hence the notion of an Inter-Cloud environment where a cloud can use the infrastructure resources of other clouds. However, there is no common framework in existence that allows the service owners to seamlessly provision even some basic services across multiple cloud service providers, albeit not due to any inherent incompatibility or proprietary nature of the foundation technologies on which these cloud platforms is built. In this paper we present a novel solution which aims to cover a gap in a subsection of this problem domain. Our solution offers a security architecture that enables service owners to provision a dynamic and service-oriented secure virtual private network on top of multiple cloud IaaS providers. It does this by leveraging the scalability, robustness and flexibility of peer-to-peer overlay techniques to eliminate the manual configuration, key management and peer churn problems encountered in setting up the secure communication channels dynamically, between different components of a typical service that is deployed on multiple clouds. We present the implementation details of our solution as well as experimental results carried out on two commercial clouds. We have designed a secure communication framework for inter-cloud computing model.We use three security schemes in a novel way to minimize the performance overhead.We implemented our design and measured the overhead caused by the security features on two commercial clouds.Our results show the cost of the throughput overhead as a 5% decrease in throughput.Our results show the cost of the latency overhead as a 10% increase in latency.

Yi Liu,Hong-qi Zhang,Jiang Liu,Ying-jie Yang

DOI: https://doi.org/10.1155/2017/9534754

IF: 1.968

2017-01-01

Security and Communication Networks

Abstract:Security functions are usually deployed on proprietary hardware, which makes the delivery of security service inflexible and of high cost. Emerging technologies such as software-defined networking and network function virtualization go in the direction of executing functions as software components in virtual machines or containers provisioned in standard hardware resources. They enable network to provide customized security service by deploying Security Service Chain (SSC), which refers to steering flow through multiple security functions in a particular order specified by individual user or application. However, SSC Deployment Problem (SSC-DP) needs to be solved. It is a challenging problem for various reasons, such as the heterogeneity of instances in terms of service capacity and resource demand. In this paper, we propose an SSC-based approach to deliver security service to users without worrying about physical locations of security functions. For SSC-DP, we present a three-phase method to solve it while optimizing network and security resource allocation. The presented method allows network to serve a large number of flows and minimizes the latency seen by flows. Comparative experiments on the fat-tree and Waxman topologies show that our method performs better than other heuristics under a wide range of network conditions.

Guanglei Li,Huachun Zhou,Guanwen Li,Bohao Feng

DOI: https://doi.org/10.22667/jisis.2017.11.30.021

2017-01-01

Abstract:Mobile networks have urgent demands of fine-grained, cost-effective and flexible service provision for diversified user traffic. To cope with these demands, researchers have proposed various Service Function Chaining (SFC) solutions with the rise of Software Defined Networking (SDN) and Network Function Virtualization (NFV) technologies. However, most of them are performed based on MAC address and/or OpenFlow protocols without Network Service Header (NSH) support, having drawbacks in complexity, scalability and flexibility. NSH-based approaches are more promising for mobile networks, since they support metadata-based packet information sharing and policy enforcement. Moreover, a hierarchical SFC (hSFC) architecture is proposed to alleviate the scalability and management problems in large-scale networks. Nevertheless, how to realize application awareness and on-demand service provision has not been investigated thoroughly in the hSFC environment. Thus, in this paper, we propose a proactive-based branching approach for application-aware and dynamic security function chaining, where application features are analyzed at first, and then carried in the metadata of NSHs for subsequent processes by the relevant security functions. In this way, the data plane is able to redirect traffic based on metadata without the participation of control plane. Besides, we verify the proposed approach through our prototype system via two typical use cases, the application-aware traffic control and lawful interception, and the related experiment results confirm its feasibility and elasticity.

Xuxia Zhong,Ying Wang,Xuesong Qiu,Shaoyng Guo

DOI: https://doi.org/10.1109/cc.2018.8485473

2018-01-01

China Communications

Abstract:Network function virtualization is a new network concept that moves network functions from dedicated hardware to software-defined applications running on standard high volume severs. In order to accomplish network services, traffic flows are usually processed by a list of network functions in sequence which is defined by service function chain. By incorporating network function virtualization in inter-data center (DC) network, we can use the network resources intelligently and deploy network services faster. However, orchestrating service function chains across multiple data centers will incur high deployment cost, including the inter-data center bandwidth cost, virtual network function cost and the intra-data center bandwidth cost. In this paper, we orchestrate SFCs across multiple data centers, with a goal to minimize the overall cost. An integer linear programming (ILP) model is formulated and we provide a meta-heuristic algorithm named GBAO which contains three modules to solve it. We implemented our algorithm in Python and performed side-by-side comparison with prior algorithms. Simulation results show that our proposed algorithm reduces the overall cost by at least 21.4% over the existing algorithms for accommodating the same service function chain requests.

Jingsi Ren,Jinlin Wang,Xiao Chen,Xiaozhou Ye

DOI: https://doi.org/10.18178/wcse.2017.06.137

2017-01-01

Abstract:Cloud storage offers a flexible, dynamic and cost effective data storage service.However, there are some major concerns regarding the security and privacy of data in cloud storage.This paper presents design and implementation of a Cloud Storage Security Gateway (CSSG) based on real-time processing.The CSSG serves all clients in an organization that outsources its data through HTTP based interface protocol.The outsourced data is encrypted on uploading and decrypted on downloading in real-time on the proposed CSSG.The session between the client and the Cloud Service Provider (CSP) is not interrupted.Hence the data confidentiality during communication and storage is effectively safeguarded.In addition, the CSSG remains transparent to both the client and CSP, therefore it can be used seamlessly with existing applications.The experimental results validate the efficiency of the proposed CSSG.

Jiahui Xu,Hefei Hu

DOI: https://doi.org/10.1109/ainit61980.2024.10581801

2024-01-01

Abstract:With the diversification of network users and services, network architectures have gradually become rigid. Network Function Virtualization (NFV) technology decouples network function (NF) from network devices to reduce excessive network expenses caused by frequent equipment replacements. However, in the short term, achieving complete NFV by removing all dedicated devices from the underlying network architecture remains impractical. The coexistence of dedicated hardware devices and commercial servers is an inevitable trend. In this paper, we investigate the deployment of service function chains (SFC) for hybrid network functions, where physical devices and commercial servers collaborate to provide services. The challenge in such a hybrid network lies in minimizing SFC deployment costs while meeting user demands, leveraging the different characteristics of dedicated hardware devices and servers. We find that this problem has not been satisfactorily addressed to date. Therefore, we formulate the optimization problem as an integer linear programming (ILP) problem and designs an enhanced Particle Swarm Optimization Algorithm (PSOA). In the initialization phase of the particles, the algorithm employs resource prediction to determine the types of nodes to which network functions should be mapped. Furthermore, it distinguishes between different types of nodes by utilizing updates from various domains. Experimental validation demonstrates that the proposed algorithm effectively reduces the complexity of the hybrid network SFC deployment problem and establishes its superiority.

Montida Pattaranantakul,Qipeng Song,Yanmei Tian,Licheng Wang,Zonghua Zhang,Ahmed Meddahi,Chalee Vorakulpipat

DOI: https://doi.org/10.1109/tnsm.2021.3081014

2021-01-01

Abstract:Service Function Chaining (SFC) has recently received considerable attentions from both industry and academia, due to its potential for improving the flexibility of provisioning and composition of Virtualized Network Functions (VNFs) to suit application-specific needs. From a security perspective, there is a gap between high-level SFC policy specification and its enforcement in the data plane. It cannot guarantee that the deployed VNFs are always chained in an expected manner, or the packet flows of a particular service chain are sequentially forwarded to the intended and legitimate VNFs strictly compliant with the specified SFC policy. This lack of assurance leaves the door open for attackers to maliciously manipulate the service chain by evading from security functions such as firewall, Deep Packet Inspection (DPI), etc., or deviating the packet flows from their original service function path, ultimately leading to the violation of SFC policy. It is therefore important to have an efficient self-checking mechanism in place, ensuring the SFC to be implemented in a secure and dependable way. This paper presents a new security primitive – Lite Identity-based Ordered Multisignature scheme (ChainSign in short), which enforces all intended VNFs in a particular service chain to sequentially sign the packet received. Then the last hop of the chain will verify the signature, so as to validate whether all of them work as expected and have not been compromised, while satisfying the security properties of concern (i.e., the consistency in VNF chaining, their authenticities and sequences in a service chain). In addition to the implementation, we leverage the IETF Network Service Header (NSH) to carry the signature generated from our proposed scheme. The experiments show that ChainSign can preserve all identified security properties with minimal overhead.

Lingbo Wei,Chi Zhang,Yanmin Gong,Yuguang Fang,Kefei Chen

DOI: https://doi.org/10.1109/GLOCOM.2016.7841497

2016-01-01

Abstract:It is increasingly common for enterprises and other organizations to outsource firewalls to public clouds in order to reduce the cost and complexity in deploying and maintaining dedicated hardware middleboxes. However, this poses a serious threat to the enterprise network security because sensitive network policies, such as firewall rules, are revealed to cloud providers, which may be leaked and exploited by attackers. In this paper, we design and implement a SE-FWaaS, a secured system that enables cloud providers to support middlebox (e.g., firewall) outsourcing while preserving the network policy confidentiality. The key ingredients in our SE-FWaaS are the distribution of the firewall primitives, namely policy checking and verdict enforcing, to two independent public clouds, and the enabling techniques of efficient firewall rule obfuscation and oblivious rule-matching. Our SE-FWaaS provides the maximum achievable level of protection of network policies by enforcing the principle of the least privilege and removing the threat of offline probing attacks. We evaluate the proposed system over real-world firewall rules and demonstrate its effectiveness and feasibility.

WEI Lingbo,FENG Xiaobing,ZHANG Chi,SHENG Hualong,YU Nenghai

DOI: https://doi.org/10.11959/j.issn.1000-436x.2018057

2018-01-01

Abstract:Due to the problem of high cost and limited scalability of dedicated hardware middleboxes, it is popular for enterprises to outsource middleboxes as software processes to the cloud service provider. In the current network function outsourcing schemes, the cloud service provider requires the enterprise's communication traffic and network strategy which poses a serious threat to the enterprise's piracy. Based on prefix-preserving encryption, a privacy preserving net-work function outsourcing system was proposed. Compared with other similar schemes, the system not only realizes the privacy protection of communication traffic, but also has higher throughput and lower delay.