Qiumei Cheng,Chunming Wu,Haifeng Zhou,Yuhang Zhang,Rui Wang,Wei Ruan

DOI: https://doi.org/10.1109/hpcc/smartcity/dss.2018.00149

2018-01-01

Abstract:Guarding the perimeter of cloud-based enterprise networks is a challenge due to massive traffic with dynamic nature. Current firewalls of enterprise networks in cloud are largely based on static security rule configuration or simple rule matching, which makes them inflexible, error-prone and poorly effective, bringing about severe security risks. In this paper, we propose an artificial intelligence-based software-defined networks firewall (AI-SDNF) for solving the above problems. Compared with existing SDN firewalls, AI-SDNF is able to extract and analyze the payload of data packets based on machine learning technologies rather than simply match with flow tables according to several header fields (e.g., source and destination IP/MAC addresses). Considering deciding whether a packet is benign or malicious is able to be formulated as a typical binary classification problem, we employ logistic regression for training an intelligent SDN firewall under supervised machine learning. We implement a prototype of AI-SDNF on the OpenDaylight controller and the OpenStack platform. Based on the prototype, we evaluate its performance and overheads with real dataset. The experimental results indicate that AI-SDNF achieves a relatively high detection accuracy of 96.79% with an average of 0.2ms latency.

Qiang Wu,Ran Wang,Xincheng Yan,Chunming Wu,Rongxing Lu

DOI: https://doi.org/10.1109/MWC.001.2100251

IF: 12.777

2022-01-01

IEEE Wireless Communications

Abstract:Opening-up sharing has prompted the multi-tenancy architecture, whereby different vendors (including outsourcees) work together with network operators to form a vibrant service ecosystem, resulting in several advantages as well as risks. In particular, the static nature of existing architectures in network functions virtualization-based (NFV-based) clouds facilitate hacking. Thus, much attention has been focused on determining how to avoid the uncontrollable cloud security induced by complex production relations and non-trustworthy software/hardware sources when the two sets of security risks intersect. In this article, we investigate latent persistent threats against cloud environments and determine a high degree of complementarity and consistency between the NFV-based cloud environment and the dynamic defense concept. More specifically, new NFV-based cloud features provide an effective implementation for dynamic defense, while the generalized robustness of dynamic defense theory allows for high security gains. Intrinsic cloud security (iCS) is then proposed to align NFV-based clouds, mimicking defense and the moving target defense (MTD) paradigm to implement a seamless integration and symbiosis evolution between security and NFV-based clouds. We quantify the impact on system overhead to account for efficiency and cost issues. The simulation analysis demonstrates that the enhanced mode is able to consistently obtain a more beneficial and stable defense compared with the counterparts.

Wu Qiang,Wu Chunming,Yan Xincheng,Cheng Qiumei

DOI: https://doi.org/10.1109/tnsm.2021.3071774

2021-01-01

IEEE Transactions on Network and Service Management

Abstract:With the emergence of cloud native technology, the network slicing enables automatic service orchestration, flexible network scheduling and scalable network resource allocation, which profoundly affects the traditional security solution. Security is regarded as a technology independent of the cloud native architecture in the initial design, traditional passive defense such as “reinforced” and “stacked” is relied on to achieve system security protection. The lack of intrinsic security mechanisms makes the system capability insufficient when faces the uncertain threat brought by vulnerabilities and backdoors under the ecosystem of opening-up and sharing. The static nature of existing networks and computing systems makes them easy to be compromised and hard to defend, and thus it is urgent to provide intrinsic security and proactive protection against the unpredictable attacks. To this end, this paper proposes a novel paradigm named intrinsic cloud security (iCS) from the perspective of dynamic defense. The dynamic defense provides component-level security, and has complementary and consistency with the cloud native environment. In particular, iCS introduces mimic defense and moving target defense (MTD), and makes full use of the new features introduced by cloud native to implement an intrinsic and proactive defense mechanism with acceptable costs and efficiency. The iCS paradigm achieves seamless integration and symbiosis evolution between security and cloud native. We implement a trial of iCS based on 5GC commercial system and evaluate its performance on costs, efficiency and attack success. The result shows that the iCS enhanced mode always can provide a better and more stable defense effects.

Honghao Lv,Jing Yan,Jialin Zhang,Zhibo Pang,Geng Yang,Alf J. Isaksson

DOI: https://doi.org/10.1109/mie.2024.3407051

IF: 8.36

2024-01-01

IEEE Industrial Electronics Magazine

Abstract:The emergence of virtualized computing and converged networks has the potential to revolutionize industrial automation systems, offering unprecedented levels of flexibility and scalability that were previously unattainable with traditional infrastructure. Therefore, cloud-fog automation (CFA) platforms are becoming key players not only in coordinating the production task management in upper-layer applications but also in handling real-time control and monitoring by the edge devices. In this article, we discuss how cloud/fog-based virtualization and converged communication networks can allow for flexible deployment of automation use cases and evaluate the impacts introduced by the less deterministic infrastructure from the perspective of control. Four representative use cases are studied using our in-house developed CFA platform to demonstrate the smart coordination of automation in a variety of real-life prototypes. Moreover, the capabilities of the commercial off-the-shelf virtualized computing and converged networks are characterized, which confirms the CFA platform as an essential part of the future industrial infrastructure for hosting heterogenous control applications is not a “daydream”.

Wenjuan Li,Xuezeng Pan,Qifei Zhang,Lingdi Ping

DOI: https://doi.org/10.5220/0003381101520157

2011-01-01

Abstract:: Job scheduling and resource allocation are the key factors which affect the performance of parallel and distributed systems. This paper first analyzed several common used job scheduling models in large and distributed environment. Since the main purpose of cloud computing is to provide “low-cost” and “on-demand” services, this paper introduced a novel two-level based cloud scheduling model. In our model, job scheduling in the cloud is divided into User Scheduling and Task Scheduling which were designed to implement different scheduling strategies. In the User Scheduling level, it applies the distribution justice theory in the sociology area to achieve the highest average user fairness. While in Task Scheduling level, it applies adaptive strategies to achieve the binding of micro tasks and the virtual machines according to different objectives of tasks. The new model redefined the messaging mechanism between main cloud entities and a new advertising mode was introduced for cloud providers to promote their services. The results of emulation experiments show that compared to traditional algorithms the proposed model can guarantee the user expectations and the relative fairness of the services on the basis of high overall efficiency of cloud systems.

Meng Liu,Wanchun Dou,Shui Yu,Zhensheng Zhang

DOI: https://doi.org/10.1109/tpds.2014.2314672

IF: 5.3

2015-01-01

IEEE Transactions on Parallel and Distributed Systems

Abstract:Cloud computing is becoming popular as the next infrastructure of computing platform. Despite the promising model and hype surrounding, security has become the major concern that people hesitate to transfer their applications to clouds. Concretely, cloud platform is under numerous attacks. As a result, it is definitely expected to establish a firewall to protect cloud from these attacks. However, setting up a centralized firewall for a whole cloud data center is infeasible from both performance and financial aspects. In this paper, we propose a decentralized cloud firewall framework for individual cloud customers. We investigate how to dynamically allocate resources to optimize resources provisioning cost, while satisfying QoS requirement specified by individual customers simultaneously. Moreover, we establish novel queuing theory based model M/Geo/1 and M/Geo/m for quantitative system analysis, where the service times follow a geometric distribution. By employing Z-transform and embedded Markov chain techniques, we obtain a closed-form expression of mean packet response time. Through extensive simulations and experiments, we conclude that an M/Geo/1 model reflects the cloud firewall real system much better than a traditional M/M/1 model. Our numerical results also indicate that we are able to set up cloud firewall with affordable cost to cloud customers.

Xiaoyu Ma,Xiao Fu,Bin Luo,Xiaojiang Du,Mohsen Guizani

DOI: https://doi.org/10.1109/globecom38437.2019.9013771

2019-01-01

Abstract:Security is critical to cloud services, this paper introduces a design of firewall, which based on IDS's feedback t change rules in order to detect attack flexible. It combines firewall and Intrusion Detection Systems(IDS) by using Intrusion Detection Systems, which detects ICMP, TCP, UDP attacks. Usually, a cloud service is a service built on a virtual machine. The virtual device is virtualized to achieve the purpose of multiplexing. Therefore, if you want to implement cloud security detection, you can listen to the physical device's network card. There are two types of Intrusion Detection System, one is host-based intrusion detection system(HIDS) and another is network intrusion detection system(NIDS). What's more, in order to highlight the importance of the firewall, the IDS monitoring data is analyzed and added to the firewall's defense strategy automatically. Finally, we measure the effectiveness of the system by False Negative(FN) and False Positive(FP), and verify that feedback plays a crucial role in improving the effectiveness of the system, improving the efficiency of the entire system filtering attacks.

Yang Li,Zheng Li,Nenghai Yu,Ke Ma

DOI: https://doi.org/10.1007/978-3-642-10665-1_48

2009-01-01

Abstract:Security in cloud computing is getting more and more important recently. Besides passive defense such as encryption, it is necessary to implement real-time active monitoring, detection and defense in the cloud. According to the published researches, DPI (deep packet inspection) is the most effective technology to realize active inspection and defense. However, most recent works of DPI aim at space reduction but could not meet the demands of high speed and stability in the cloud. So, it is important to improve regular methods of DPI, making it more suitable for cloud computing. In this paper, an asynchronous parallel finite automaton named APFA is proposed, by introducing the asynchronous parallelization and the heuristically forecast mechanism, which significantly decreases the time consumed in matching while still keeps reducing the memory required. What is more, APFA is immune to the overlapping problem so that the stability is also enhanced. The evaluation results show that APFA achieves higher stability, better performance on time and memory. In short, APFA is more suitable for cloud computing.

J. Vijitha Ananthi,S. Shobana

DOI: https://doi.org/10.36548/jitdw.2022.2.004

2022-07-19

Journal of Information Technology and Digital World

Abstract:Wireless Sensor Network (WSN) is a distributed network formed by sensor nodes that perform a specific sensing task like temperature, humidity, fire attacks, and so on. Used in all sorts of application like military, medical, industrial, scientific, and so on, WSN’s are well known for high performance operations. Till date, power conservation and sensor node lifetime remained as the major drawback in such networks where the development of optimization techniques and routing protocols were proposed to overcome them. Also, attacks like DoS (Denial Of Service), Sybil attack, wormhole attack, HELLO flood attack, and identity replication attack are mostly common in a WSN. At present, Hotspot-based issues and attacks is found as one of the major and performance-degrading factor in wireless sensor network. In this paper, we propose a novel cloud-based FPA scheme or approach to defend and withstand such hotspot-related issues and attacks in WSN. Developed with the principle of Cloud, the simulation results prove that the proposed scheme offer high privacy, and routing stability.

Xiaoyi Chen,Qingni Shen,Peng Cheng,Yongqiang Xiong,Zhonghai Wu

DOI: https://doi.org/10.1109/icws55610.2022.00044

2022-01-01

Abstract:Web Application Firewall (WAF) is widely deployed in cloud to protect web applications, whose performance becomes one of the major bottlenecks for web services. In this paper, we comprehensively analyze several root causes that downgrade WAF’s efficiency. Inspired by that, we build a caching system RuleCache to devise optimization strategies for improving WAF’s performance. Among, Rule Ordering Cache is online learning an optimal order of the ruleset for a better performance of blocking. Rule Result Cache reuses rule results of targets, saving large repetitive computations. Additionally, Rule Prepruning Cache aims to cut extra overhead by processing the static rules in the offline stage. Our evaluation demonstrates that the prototype can improve the performance by up to 3.85x, 1.57x, and 2.4x respectively with the above modules, and up to 5.5x in total.

Maziar Janbeglou,WeiQi Yan

DOI: https://doi.org/10.1007/978-3-642-30867-3_42

2013-01-01

Abstract:Cloud computing has been introduced as a tool for improving IT proficiency and business responsiveness for organizations as it delivers flexible hardware and software services as well as providing an array of fundamentally systematized IT processes. Despite its many advantages, cloud computing security has been a major concern for organizations that are making the transition towards usage of this technology. In this paper, we focus on improving cloud computing security by managing and isolating shared network resources in bridge-mode hypervisors.

Abhijeet Sahu,Patrick Wlazlo,Nastassja Gaudet,Ana Goulart,Edmond Rogers,Katherine Davis

2023-06-27

Abstract:Electric power delivery relies on a communications backbone that must be secure. SCADA systems are essential to critical grid functions and include industrial control systems (ICS) protocols such as the Distributed Network Protocol-3 (DNP3). These protocols are vulnerable to cyber threats that power systems, as cyber-physical critical infrastructure, must be protected against. For this reason, the NERC Critical Infrastructure Protection standard CIP-005-5 specifies that an electronic system perimeter is needed, accomplished with firewalls. This paper presents how these electronic system perimeters can be optimally found and generated using a proposed meta-heuristic approach for optimal security zone formation for large-scale power systems. Then, to implement the optimal firewall rules in a large scale power system model, this work presents a prototype software tool that takes the optimization results and auto-configures the firewall nodes for different utilities in a cyber-physical testbed. Using this tool, firewall policies are configured for all the utilities and their substations within a synthetic 2000-bus model, assuming two different network topologies. Results generate the optimal electronic security perimeters to protect a power system's data flows and compare the number of firewalls, monetary cost, and risk alerts from path analysis.

Systems and Control

Hongyi Huang,Wenfei Wu,Yongchao He,Zehua Guo

DOI: https://doi.org/10.1109/ipdps53621.2022.00123

2022-01-01

Abstract:Recent progress in programmable switches provides opportunities for service function chains (SFCs) provision to cloud tenants, which has the advantage of flexible deployment and high performance. We devise SFP for such SFC provision in the cloud. SFP's data plane installs physical NFs and is virtualized to host logical SFCs from multiple tenants. SFP's control plane uses a relaxed integer programming model to jointly optimize the placement of physical and logical NFs, which can achieve resource efficiency and high tenant traffic processing throughput within efficient execution time. Our prototype and evaluation shows that SFP can significantly offload NFV computation from server to the switch and maximize the switch resource utilization.

Wajid Rafique,Xin He,Zifan Liu,Yuhu Sun,Wanchun Dou

DOI: https://doi.org/10.1109/HPCC/SmartCity/DSS.2019.00080

2019-01-01

Abstract:Managing the Internet of Things (IoT) infrastructure has become a critical challenge due to an enormous increase in the connected devices and the lack of available security solutions. Software-Defined Networking (SDN) has been extensively involved in network infrastructure management. Moreover, numerous recent studies demonstrate the use of SDN for managing IoT networks. In SDN, policy consistency and security of the data plane is maintained through Waypoint Enforcement (WPE) which ensures that the traffic traverses policy nodes/switches to implement high-level network requirements. Previous studies on SDN primarily secure SDN infrastructure against traditional Distributed Denial of Service (DDoS) attacks. However, we investigate Crossfire Attack (CFA), which is a novel DDoS attack capable of interrupting communication of data plane switches using low-rate legitimate traffic. CFA has the potential to isolate policy switch from the rest of the data plane devices which introduces many security anomalies and routing inconsistencies. We first demonstrate how CFA is lethal on policy switch attacks and then present the design and implementation of a novel CFA countermeasure called CFADefense, which employs link selection, attack detection, and malicious flows interception modules. CFADefense has been developed as an application at the application layer of the open-source Floodlight controller. Our evaluation demonstrates that CFADefense accurately detects and efficiently mitigates CFA and poses minimal overhead on the controller in dealing with this attack.

Junjie Shi,Yuan Zhang,Sheng Zhong

DOI: https://doi.org/10.48550/arxiv.1502.00389

2015-01-01

Abstract:Since the advent of software defined networks (SDN), there have been many attempts to outsource the complex and costly local network functionality, i.e. the middlebox, to the cloud in the same way as outsourcing computation and storage. The privacy issues, however, may thwart the enterprises' willingness to adopt this innovation since the underlying configurations of these middleboxes may leak crucial and confidential information which can be utilized by attackers. To address this new problem, we use firewall as an sample functionality and propose the first privacy preserving outsourcing framework and schemes in SDN. The basic technique that we exploit is a ground-breaking tool in cryptography, the cryptographic multilinear map. In contrast to the infeasibility in efficiency if a naive approach is adopted, we devise practical schemes that can outsource the middlebox as a blackbox after obfuscating it such that the cloud provider can efficiently perform the same functionality without knowing its underlying private configurations. Both theoretical analysis and experiments on real-world firewall rules demonstrate that our schemes are secure, accurate, and practical.

Dinesha Ranathunga,Matthew Roughan,Paul Tune,Phil Kernick,Nick Falkner

DOI: https://doi.org/10.48550/arXiv.1902.05689

2019-02-15

Abstract:Firewall configuration is critical, yet often conducted manually with inevitable errors, leaving networks vulnerable to cyber attack [40]. The impact of misconfigured firewalls can be catastrophic in Supervisory Control and Data Acquisition (SCADA) networks. These networks control the distributed assets of industrial systems such as power generation and water distribution systems. Automation can make designing firewall configurations less tedious and their deployment more reliable. In this paper, we propose ForestFirewalls, a high-level approach to configuring SCADA firewalls. Our goals are three-fold. We aim to: first, decouple implementation details from security policy design by abstracting the former; second, simplify policy design; and third, provide automated checks, pre and post-deployment, to guarantee configuration accuracy. We achieve these goals by automating the implementation of a policy to a network and by auto-validating each stage of the configuration process. We test our approach on a real SCADA network to demonstrate its effectiveness.

Cryptography and Security

Fei-Yue Wang,Liuqing Yang,Xiang Cheng,Shuangshuang Han,Jian Yang

DOI: https://doi.org/10.1109/mnet.2016.7513865

IF: 10.294

2016-01-01

IEEE Network

Abstract:The coexistence of various protocols for current network equipment leads to extremely complex network systems, which not only limit the development of network technologies, but also cannot meet the growing demands for cloud computing, big data, and service visualization applications, just to name a few. As a new network architecture, parallel networks are expected to revolutionize this situation and meet the evolving demands for network services. The main idea of a parallel network is to leverage upon software-defined networking to construct artificial networks, and then effectively optimize the network system operations via the interactions between actual and artificial networks. The foundation of the parallel network is the theory of ACP, composed of artificial societies, computational experiments, and parallel execution. By the computational experiments and analysis of the artificial network, a control strategy based on network traffic flow can be continuously updated and tracked on a real-time basis; meanwhile, the collected operating status of the actual network can also be used to optimize the model of the artificial network. These strategies can be applied to all types of network equipment to control network operations at various levels; thus, it is possible to allocate the network resources more effectively, improve the management and utilization of resources, and then provide new network solutions to effectively address the constantly evolving network demands for network performance, scalability, and security.

Wei Jiang,Wanchun Jiang,Weiping Wang,Haodong Wang,Yi Pan,Jianxin Wang

DOI: https://doi.org/10.1016/j.jnca.2018.03.025

IF: 7.574

2018-01-01

Journal of Network and Computer Applications

Abstract:To better control the individual data flow in the cloud, traffic management policies are in need of increasing fine-grained rules, causing a dramatic increase in rules. The limited CPU or memory resources at the servers become the bottleneck when those policies are employed in large-scale data centers. To overcome these resource constraints, the rule partition algorithm is indispensable to decompose the rule set so that some rules can be migrated away. This paper shows that the current rule partition algorithm of vCRIB may lead to a high traffic overhead and high rule inflation in certain cases. Motivated by this observation, we propose a Fine-grained Rule Partition (FRP) algorithm. Different from vCRIB which divides the rule set based on the unit of rules within the same source address, FRP treats the individual rule as a unit, and thus reduce the traffic overhead by retaining more deny rules. In addition, FRP controls the rule inflation by optimizing the number of redirection rules as well. The simulation results confirm that FRP outperforms vCRIB, especially when the resources are severely constrained.

Jianbin Hu,Yonggang Wang,Cong Tang,Zhi Guan,Fengxian Ren,Zhong Chen

DOI: https://doi.org/10.5815/ijcnis.2011.03.01

2011-01-01

International Journal of Computer Network and Information Security

Abstract:in current cloud services, users put their data and resources into the cloud so as to enjoy the on-demand high quality applications and services. Different from the conventional services, users in cloud services lose control of their data which is instead manipulated by the large-scale cloud. Therefore, cloud service providers (CSP) guarantee that the cloud which they provide is of high confidence in accuracy and integrity. Traditional penetration test is carried out manually and has low efficiency. In this paper, we propose FPTC, a novel framework of penetration test in cloud environment. In FPTC, there are managers, executors and toolkits. FPTC managers guide FPTC executors to gather information from the cloud environment, generate appropriate testing scenarios, run matched tools in the toolkit and collect test results to do evaluation. The capacity and quality of the toolkit is a key issue in FPTC. We develop a prototype in which FPTC is implemented and the experimental results show that FPTC is helpful to automatically carry out penetration test in cloud environment.

Jia Xu,Jia Yan,Liang He,Purui Su,Dengguo Feng

DOI: https://doi.org/10.1109/CloudCom.2010.16

2010-01-01

Abstract:Massive Internet invasions implemented through the distributed platform fabricated by rapid diffusion of malwares, has become a significant issue in network security. We argue that the notion of “Collaborative Security” is an emerging trend in resisting distributed attacks originated from malware. Therefore, this paper proposes a new architecture: CloudSEC, for composing collaborative security-related services in clouds, such as correlated intrusion analysis, anti-spam, anti-DDOS, automated malware detection and containment. CloudSEC is modeled as a dynamic peer-to-peer overlay hierarchy with three types of top-down architectural components. Based on, this architecture, both data distribution and task scheduling overlays can be simultaneously implemented in a loosely coupled fashion, which can efficiently retrieve data resources from heterogeneous network security facilities, and harness distributed collection of computational resources to process data-intensive tasks. Hence, CloudSEC endues the network security infrastructure with the capability of dynamic adaptation and collaboration on an inter-organizational scale. The results of preliminary evaluation demonstrate that, CloudSEC not only delivers a sample service of distributed intrusion correlation with high scalability and robustness, but also achieves remarkable effectiveness in data sharing and task scheduling.