Li Lin,Huanzeng Yang,Jing Zhan,Xuhui Lv

DOI: https://doi.org/10.1155/2022/1242576

IF: 1.968

2022-04-16

Security and Communication Networks

Abstract:Edge-assisted Internet of things applications often need to use cloud virtual network services to transmit data. However, the internal threats such as illegal management and configuration to cloud platform intentionally or unintentionally will lead to virtual network security problems such as malicious changes of user network and hijacked data flow. It will eventually affect edge-assisted Internet of things applications. We propose a virtual network internal threat detection method called VNGuarder in a cloud computing environment, which can effectively monitor whether the virtual network configuration of legitimate users under the IaaS cloud platform has been maliciously changed or destroyed by insiders. First, based on the life cycle of cloud virtual network services, we summarized two types of internal attacks involving illegal use of virtualization management tools and illegal invocation of virtual network-related processes. Second, based on normal behavior of tenants, a hierarchical trusted call correlation scheme is proposed to provide a basis for discovering that insiders illegally call virtualized management tools and virtual network-related processes on the controller node of the cloud platform or the network node and compute node. Third, a trace-enable mechanism combining real-time monitoring and log analysis is introduced. By collecting and recording the complete call process of virtual network management and configuration in the cloud platform, and comparing it with the result of the hierarchical trusted call correlation, abnormal operations can be reported to the tenants in time. Comprehensive simulation experiments on the Openstack platform show that VNGuarder can effectively detect illegal management and configuration of virtual networks by insiders without significantly affecting the creation time of tenant networks and the utilization of CPU and memory.

computer science, information systems,telecommunications

Juan Deng,Hongxin Hu,Hongda Li,Zhizhong Pan,Kuang-Ching Wang,Gail-Joon Ahn,Jun Bi,Younghee Park

DOI: https://doi.org/10.1109/nfv-sdn.2015.7387414

2015-01-01

Abstract:Network Function Virtualization (NFV) together with cloud technology enables users to request creating flexible virtual networks (VNs). Users also have specific security requirements to protect their VNs. Especially, due to changeable network perimeters, constant VM migrations, and usercentric security needs, VNs require new security features that traditional firewalls fail to provide, because traditional firewalls rely greatly on restricted network topology and entry points to provide effective security protection. To address this challenge, we propose VNGuard, a framework for effective provision and management of virtual firewalls to safeguard VNs, leveraging features provided by NFV and Software Defined Networking (SDN). VNGuard defines a high-level firewall policy language, finds optimal virtual firewall placement, and adapts virtual firewalls to VN changes. To demonstrate the feasibility of our approach, we have implemented core components of VNGuard on top of ClickOS. Our experimental results demonstrate the effectiveness and efficiency of virtual firewalls built on VNGuard.

Zou Xi,Gao Ming,Yining Wang,Chunming Wu

DOI: https://doi.org/10.1109/PAAP.2015.29

2015-01-01

Abstract:The emergence of network virtualization solves the problem of ossification. At the same time, it provides endless possibilities for the innovations of the network architecture. As a result, it has attracted the attention of the next generation Internet architecture. Therefore this paper based on the architecture of For CES to explore the implementation of the data plane virtualization and provide the framework for virtualization platform via the method. Meanwhile, in the premise of meeting the requirements which the virtual network packet has enough processing capacity. For the sake of solving the allocation of FE resource in virtual network (Forwarding Element, FE). To make the number of FE and the utilization of FE more reasonable. This paper puts forward a kind of FE resource allocation algorithm based on twice iteration subtraction. We use Click Modular Router as the data plane processing engine, then we give the virtual method to realize data plane and explain that supporting multiple virtual network and the virtualization of FE can provide more flexibility for processing data packets.

Xiaoxi Wang

2014-01-01

Abstract:Rapid increase of campus network data in colleges leads to the continuous increase of server,which results in low use ratio of servers,complicated safety maintenance and data backup of the system and increase of administrative cost.Taking specific college campus network as an example,this paper discusses application of virtualization technology in campus network management based on analysis of current situation of campus network topology and application server.Based on that,it puts forward scheme of virtualized integration of existing servers.Application practice shows that campus network management with virtualization technology can increase use ratio of server resources,reduce data maintenance cost and improve management and operation level of campus network effectively.

Qiang Wu,Ran Wang,Xincheng Yan,Chunming Wu,Rongxing Lu

DOI: https://doi.org/10.1109/MWC.001.2100251

IF: 12.777

2022-01-01

IEEE Wireless Communications

Abstract:Opening-up sharing has prompted the multi-tenancy architecture, whereby different vendors (including outsourcees) work together with network operators to form a vibrant service ecosystem, resulting in several advantages as well as risks. In particular, the static nature of existing architectures in network functions virtualization-based (NFV-based) clouds facilitate hacking. Thus, much attention has been focused on determining how to avoid the uncontrollable cloud security induced by complex production relations and non-trustworthy software/hardware sources when the two sets of security risks intersect. In this article, we investigate latent persistent threats against cloud environments and determine a high degree of complementarity and consistency between the NFV-based cloud environment and the dynamic defense concept. More specifically, new NFV-based cloud features provide an effective implementation for dynamic defense, while the generalized robustness of dynamic defense theory allows for high security gains. Intrinsic cloud security (iCS) is then proposed to align NFV-based clouds, mimicking defense and the moving target defense (MTD) paradigm to implement a seamless integration and symbiosis evolution between security and NFV-based clouds. We quantify the impact on system overhead to account for efficiency and cost issues. The simulation analysis demonstrates that the enhanced mode is able to consistently obtain a more beneficial and stable defense compared with the counterparts.

Wei-Fa Liao,Hung-Min Sun,Wei Wu

DOI: https://doi.org/10.1109/dasc-picom-datacom-cyberscitec.2016.159

2016-01-01

Abstract:In recent years, Cloud computing has become increasingly popular. Many companies have replaced traditional hosting to cloud hosting. Cloud providers are responsible for tenant isolation, if a tenant (virtual machine) is infected, other tenants will be affected. Because the virtual network environment is very complex, the traditional intrusion detection systems can only detect attacks from external networks, but can not effectively detect the internal traffic (virtual network). In order to full defend from a threat, we need to redesign the architecture of the intrusion detection system. In this thesis, we propose a flexible distributed architecture for intrusion detection, and uses software-defined networking technology for defensive purposes. In addition, our system collects alerts from different nodes, and analyzes their correlation to generate security rules to achieve the effect of a joint defense. To make the administrator more effective in management purposes, we also provide a web-based management center to reduce the burden on administrators. Finally, we analyze the performance of the proposed system with an original system. The results show that our system adds slightly overhead, and it can effectively block the malicious flow.

Zhifeng Zhao,Feng Hong,Rongpeng Li

DOI: https://doi.org/10.1109/ACCESS.2017.2762362

IF: 3.9

2017-01-01

IEEE Access

Abstract:Nowadays, cloud computing networks significantly benefit the deployment of new services and have become one infrastructure provider in the digital society. The virtual extensible local area network (VxLAN), which belongs to the network schemes to overlay Layer 2 over Layer 3, is one of the most popular methods to realize cloud computing networks. Though VxLAN partially overcomes the capacity limitation of its predecessor virtual local area network, it still faces several challenges like annoying signaling overhead during the multicast period and interrupted communication with a migrating virtual machine (VM). In this paper, we propose a new software defined network (SDN) based VxLAN network architecture. Based on this architecture, we address how we can deploy an intelligent center to enhance the multicast capability and facilitate the VM migration. Besides, we discuss the means to update the global information and guarantee the communication continuum. Finally, we use Mininet to emulate this SDN based VxLAN architecture and demonstrate effective load balancing results. In a word, this proposed architecture could provide a blueprint for future cloud computing networks.

Wu Xiaochun,Wu Chunming,Wang Bin,Qian Yaguan,Lan Julong

2014-01-01

Abstract:Network virtualization has been a particularly important driving force behind the development of NGN. Finding effective ways to control self-adapting virtual networks has become a research hot spot. This paper tries to find an efficient way in combining dynamic resource sensing with traffic character and requirements in virtual network, based on that an intelligent cognition based virtual network resources management model has been put forward. We design a network topology view by coloring network topology matrix with current resources model. We present an intelligent virtual resource management mechanism based on the proposed network topology view. Experiment results illustrate that the proposed mechanism can improve VN capacity by automatic resource adjustment, which can obtain high utilization of VN resources without increasing computational expenses.

Rui Li,Jiawei Ye,Dongjie He,Hua Cai

DOI: https://doi.org/10.3969/j.issn.1000-386x.2014.05.078

2014-01-01

Abstract:Virtualisation technology allows multiple virtual machines to run simultaneously on a single physical machine,which improves the resource utilisation,and becomes the basis of cloud computing technology to develop.However,the virtualisation technology has also brought a number of new security issues,and due to the characteristics of virtualisation its own,traditional security means are not sufficient to solve these issues.In this paper,we focus on the analysis of virtual network security features,and explore the use of Open vSwitch to imple-ment virtual network access control.

Ranabhat Saugatdeep,Alexey N. Nazarov,Tuleun Terhemen Daniel,,,

DOI: https://doi.org/10.36724/2664-066x-2022-8-6-2-9

2022-01-01

SYNCHROINFO JOURNAL

Abstract:Lately, the most efficient solution for an organization and individual of internet based distributed computing platforms is cloud computing. Processing, storage, and data management are just a few of the useful services that end users can get from cloud computing. However, it raises a lot of issues with privacy and security which needs to be resolved. Major component of cloud computing is virtualization technology, which helps to develop complex cloud services based on the externalization and composition of these resources. The primary concern with cloud computing security is virtualization security. The collective measures and methods that ensure the safety of a virtualization environment are referred to as virtualization security. It tackles the security risks that virtualized components encounter, as well as techniques for mitigating or preventing them. In recent days, attacks are mainly aimed either to the virtualization architecture or the infrastructure. We prefer to examine the security holes associated with virtualization in this paper and how concentrating on virtualization security might ultimately result in safeguarding cloud computing platform. Through this paper we tend to highlight the recent progress and an overview of the existing works performed on various dimensions of the cloud security. We conclude our paper by making several recommendations with respect to the attack vector for supporting cloud protection with a mathematical LP model.

Yi Jie Tong,Wei Qi Yan,Jin Yu

DOI: https://doi.org/10.4018/ijdcf.2015010104

2015-01-01

International Journal of Digital Crime and Forensics

Abstract:With an increasing number of personal computers introduced in schools, enterprises and other large organizations, workloads of system administrators have been on the rise due to the issues related to energy costs, IT expenses, PC replacement expenditures, data storage capacity, and information security, etc. However, Application Virtualization (AV) has been proved as a successful cost-effective solution to solve these problems. In this paper, the analytics of a Virtual Desktop Infrastructure (VDI) system will be taken into consideration for a campus network. Our developed system will be introduced and justified. Furthermore, the rationality for these improvements will be introduced.

Maziar Janbeglou,WeiQi Yan

DOI: https://doi.org/10.1007/978-3-642-30867-3_42

2013-01-01

Abstract:Cloud computing has been introduced as a tool for improving IT proficiency and business responsiveness for organizations as it delivers flexible hardware and software services as well as providing an array of fundamentally systematized IT processes. Despite its many advantages, cloud computing security has been a major concern for organizations that are making the transition towards usage of this technology. In this paper, we focus on improving cloud computing security by managing and isolating shared network resources in bridge-mode hypervisors.

Xiangyang Luo,Lin Yang,Dai Hao,Fenlin Liu,Daoshun Wang

DOI: https://doi.org/10.4304/jnw.9.3.571-581

2014-01-01

Abstract:Data security and virtualization security issues are two key bottlenecks restricting the application of cloud computing promoting and applications, especially for the Cloud-based media computing system. In this paper, states of the art of the techniques on cloud computing data security issues, such as data encryption, access control, integrity authentication and other issues is surveyed, on this basis, the key technical issues of the cloud computing data security should concern about and focus on are indicated, and some corresponding countermeasures and suggestions are presented. For the virtualization security problem introduced by private cloud computing, the security risks induced by virtualization are analyzed and classified, and then based on the divide-conquer idea, for each kind of security risk, some corresponding solutions are presented.

Chen Wen-Zhi,Zhu Hong-Wei,Huang Wei

DOI: https://doi.org/10.1109/CW.2008.110

2008-01-01

Abstract:The security problem became more severe since the security requirement of different applications may conflict with the others in distributed application or grid computing. Virtualization technology can improvethe system's security, but did not satisfy the requirement of virtual resource sharing and inner-domain communication in distributed services and grid computing. By dividing the virtual resources into sharing virtual resources and normal ones, SeVMM provided secure mechanism for inter-domain communication control, which formed the base of multi-level security control model for virtual machine monitors, operating systems and applications. Case study and application showed that SeVMM improved the system's security without causing significant performance penalty.

Xin Jin,Eric Keller,Jennifer Rexford

2012-01-01

Abstract:Cloud computing leverages virtualization to offer resources on demand to multiple "tenants". However, sharing the server and network infrastructure creates new vulnerabilities, where one tenant can attack another by compromising the underlying hypervisor. We design a system that supports virtualized networking using software switches without a hypervisor. In our architecture, the software switch runs in a Switch Domain (DomS) that is separate from the control VM. Both the guest VMs and DomS run directly on the server hardware, with processing and memory resources allocated in advance. Each guest VM interacts with the software switch through a shared memory region using periodic polling to detect network packets. The communication does not involve the hypervisor or the control VM. In addition, any software bugs that crash the software switch do not crash the rest of the system, and a crashed switch can be easily rebooted. Experiments with our initial prototype, built using Xen and Open vSwitch, show that the combination of shared pages and polling offers reasonable performance compared to conventional hypervisor-based solutions.

Pengfei Sun,Qingni Shen,Liang Gu,Yangwei Li

DOI: https://doi.org/10.1109/anthology.2013.6784967

2013-01-01

Abstract:Virtualization technologies enable multi-tenancy cloud business models by providing a scalable, shared resource platform for all tenants. Computing capacity, storage, and network are shared between multi-tenants. However, placing different customers' workloads on the same virtualization platform may lead to security vulnerabilities, which include the failure of mechanisms separating storage, memory, routing, and even reputation between different tenants of the shared infrastructure. The co-location of many customers inevitably causes conflict for the cloud provider as customers' communication security requirements are likely to be divergent from each other. In this paper, we introduce Multi-lateral Security concept to multi-tenancy cloud platform. It is difficult to analyze policies defined by consumers in the same virtualization platform in order to guarantee configuration stability given that policies may have conflicts leading to unpredictable effects. We present the Multilateral Security Architecture for Virtualization platform (VPMS) which enables the multilateral security for consumers.

Leonardo Richter Bays,Rodrigo Ruas Oliveira,Marinho Pilla Barcellos,Luciano Paschoal Gaspary,Edmundo Roberto Mauro Madeira

DOI: https://doi.org/10.1186/s13174-014-0015-z

2015-01-27

Journal of Internet Services and Applications

Abstract:Abstract Network virtualization has become increasingly prominent in recent years. It enables the creation of network infrastructures that are specifically tailored to the needs of distinct network applications and supports the instantiation of favorable environments for the development and evaluation of new architectures and protocols. Despite the wide applicability of network virtualization, the shared use of routing devices and communication channels leads to a series of security-related concerns. It is necessary to provide protection to virtual network infrastructures in order to enable their use in real, large scale environments. In this paper, we present an overview of the state of the art concerning virtual network security. We discuss the main challenges related to this kind of environment, some of the major threats, as well as solutions proposed in the literature that aim to deal with different security aspects.

English Else

Ping Xia

DOI: https://doi.org/10.1007/978-3-030-43306-2_6

2020-01-01

Abstract:Cloud computing is another technological revolution of the Internet. It is the product of the development of the information age, which has changed the way people use data and applications. The core idea of cloud computing is to virtualize server entities into logical servers, forming a large cloud resource pool, and providing services such as common computing, parallel processing, and shared resources. However, with the continuous development of cloud computing technology, the large amount of user and application data processed on the virtual cloud server is vulnerable to various security threats. This paper mainly analyzes the data security risks of the virtual cloud server from three aspects of data transmission, data storage, and data application, and proposes corresponding data security precautions to ensure the data security of the virtual cloud server and build a good cloud service network security environment.

Pingping Lin, Jun Bi, Hongyu Hu

DOI: https://doi.org/10.1109/ICNP.2012.6459953

2012-01-01

Abstract:Software Defined Networking (SDN) is considered as a promising method to re-construct the architecture of Internet. At present, the programs of network protocols are mixed together in SDN controller. However, in the production network, an isolated network environment with private resources is needed for each network protocol running on the same SDN controller. It is therefore necessary to design a practical virtualization cloud platform on the SDN network operating system (NOS). In this paper, we introduce a virtualization cloud platform for SDN production network. A prototype is implemented and two cases are performed to show the feasibility and the effectiveness of our proposed framework.

Wenfei Wu,Guohui Wang,Aditya Akella,Anees Shaikh

DOI: https://doi.org/10.1145/2523616.2523621

2013-01-01

Abstract:Today's cloud network platforms allow tenants to construct sophisticated virtual network topologies among their VMs on a shared physical network infrastructure. However, these platforms provide little support for tenants to diagnose problems in their virtual networks. Network virtualization hides the underlying infrastructure from tenants as well as prevents deploying existing network diagnosis tools. This paper makes a case for providing virtual network diagnosis as a service in the cloud. We identify a set of technical challenges in providing such a service and propose a Virtual Network Diagnosis (VND) framework. VND exposes abstract configuration and query interfaces for cloud tenants to troubleshoot their virtual networks. It controls software switches to collect flow traces, distributes traces storage, and executes distributed queries for different tenants for network diagnosis. It reduces the data collection and processing overhead by performing local flow capture and on-demand query execution. Our experiments validate VND's functionality and shows its feasibility in terms of quick service response and acceptable overhead; our simulation proves the VND architecture scales to the size of a real data center network.