Junjie Shi,Yuan Zhang,Sheng Zhong

DOI: https://doi.org/10.48550/arxiv.1502.00389

2015-01-01

Abstract:Since the advent of software defined networks (SDN), there have been many attempts to outsource the complex and costly local network functionality, i.e. the middlebox, to the cloud in the same way as outsourcing computation and storage. The privacy issues, however, may thwart the enterprises' willingness to adopt this innovation since the underlying configurations of these middleboxes may leak crucial and confidential information which can be utilized by attackers. To address this new problem, we use firewall as an sample functionality and propose the first privacy preserving outsourcing framework and schemes in SDN. The basic technique that we exploit is a ground-breaking tool in cryptography, the cryptographic multilinear map. In contrast to the infeasibility in efficiency if a naive approach is adopted, we devise practical schemes that can outsource the middlebox as a blackbox after obfuscating it such that the cloud provider can efficiently perform the same functionality without knowing its underlying private configurations. Both theoretical analysis and experiments on real-world firewall rules demonstrate that our schemes are secure, accurate, and practical.

Qiumei Cheng,Chunming Wu,Haifeng Zhou,Yuhang Zhang,Rui Wang,Wei Ruan

DOI: https://doi.org/10.1109/hpcc/smartcity/dss.2018.00149

2018-01-01

Abstract:Guarding the perimeter of cloud-based enterprise networks is a challenge due to massive traffic with dynamic nature. Current firewalls of enterprise networks in cloud are largely based on static security rule configuration or simple rule matching, which makes them inflexible, error-prone and poorly effective, bringing about severe security risks. In this paper, we propose an artificial intelligence-based software-defined networks firewall (AI-SDNF) for solving the above problems. Compared with existing SDN firewalls, AI-SDNF is able to extract and analyze the payload of data packets based on machine learning technologies rather than simply match with flow tables according to several header fields (e.g., source and destination IP/MAC addresses). Considering deciding whether a packet is benign or malicious is able to be formulated as a typical binary classification problem, we employ logistic regression for training an intelligent SDN firewall under supervised machine learning. We implement a prototype of AI-SDNF on the OpenDaylight controller and the OpenStack platform. Based on the prototype, we evaluate its performance and overheads with real dataset. The experimental results indicate that AI-SDNF achieves a relatively high detection accuracy of 96.79% with an average of 0.2ms latency.

Qiang Wu,Ran Wang,Xincheng Yan,Chunming Wu,Rongxing Lu

DOI: https://doi.org/10.1109/MWC.001.2100251

IF: 12.777

2022-01-01

IEEE Wireless Communications

Abstract:Opening-up sharing has prompted the multi-tenancy architecture, whereby different vendors (including outsourcees) work together with network operators to form a vibrant service ecosystem, resulting in several advantages as well as risks. In particular, the static nature of existing architectures in network functions virtualization-based (NFV-based) clouds facilitate hacking. Thus, much attention has been focused on determining how to avoid the uncontrollable cloud security induced by complex production relations and non-trustworthy software/hardware sources when the two sets of security risks intersect. In this article, we investigate latent persistent threats against cloud environments and determine a high degree of complementarity and consistency between the NFV-based cloud environment and the dynamic defense concept. More specifically, new NFV-based cloud features provide an effective implementation for dynamic defense, while the generalized robustness of dynamic defense theory allows for high security gains. Intrinsic cloud security (iCS) is then proposed to align NFV-based clouds, mimicking defense and the moving target defense (MTD) paradigm to implement a seamless integration and symbiosis evolution between security and NFV-based clouds. We quantify the impact on system overhead to account for efficiency and cost issues. The simulation analysis demonstrates that the enhanced mode is able to consistently obtain a more beneficial and stable defense compared with the counterparts.

Zhenfang Wang,ZhiHui Lu,Jie Wu,Kang Fan

DOI: https://doi.org/10.1007/978-3-319-26979-5_9

2015-01-01

Abstract:In cloud, resources are virtualized and the software delivery way is becoming something like a \"service\" to provide end user and operator benefits including on-demand self-service, resource pooling, rapid elasticity and service metering capability. As a part of network function virtualization, firewall virtualization can greatly increase the firewall configuration flexibility for the cloud environment. In this paper, we focus on FWaaS Firewall as a Service and we design a parallel firewall system called CPFirewall Cloud Parallel Firewall System. In CPFirewall, the firewall resources are virtualized and multiple tenants can build up their own parallel firewall by renting virtual firewalls. This needs solve some challenges. We adopt a rule-splitting algorithm to build a rule anomaly set We call it Wrapset. for detecting rule anomaly. We design the rule-allocation algorithm to achieve the cloud-native features, including load balance and dynamic scale. And we also improve the system performance using Exponential Smoothing ES forecasting method. Experiment results have verified that CPFirewall has a higher efficiency than other firewall schemes and is much more suitable for the Cloud network environment.

Huazhe Wang,Xin Li,Yu Zhao,Ye Yu,Hongkun Yang,Chen Qian

DOI: https://doi.org/10.48550/arXiv.1606.07079

2016-06-22

Networking and Internet Architecture

Abstract:There is an increasing trend that enterprises outsource their network functions to the cloud for lower cost and ease of management. However, network function outsourcing brings threats to the privacy of enterprises since the cloud is able to access the traffic and rules of in-cloud network functions. Current tools for secure network function outsourcing either incur large performance overhead or do not support real-time updates. In this paper, we present SICS, a secure service function chain outsourcing framework. SICS encrypts each packet header and use a label for in-cloud rule matching, which enables the cloud to perform its functionalities correctly with minimum header information leakage. Evaluation results show that SICS achieves higher throughput, faster construction and update speed, and lower resource overhead at both enterprise and cloud sides, compared to existing solutions.

Yuzhao Wu,Yongqiang Lyu,Qian Fang,Hao Yin,Geng Zheng,Yuanchun Shi

DOI: https://doi.org/10.1109/icdcsw.2017.19

2017-01-01

Abstract:Data outsourcing in cloud is emerging as a successful paradigm that benefits organizations and enterprises with high-performance, low-cost, scalable data storage and sharing services. However, this paradigm also brings forth new challenges for data confidentiality because the outsourced are not under the physic control of the data owners. The existing schemes to achieve the security and usability goal usually apply encryption to the data before outsourcing them to the storage service providers (SSP), and disclose the decryption keys only to authorized user. They cannot ensure the security of data while operating data in cloud where the third-party servicers are usually semi-trustworthy, and need lots of time to deal with the data. We construct a privacy data management system appending hierarchical access control called HAC-DMS, which can not only assure security but also save plenty of time when updating data in cloud.

Meng Liu,Wanchun Dou,Shui Yu,Zhensheng Zhang

DOI: https://doi.org/10.1109/tpds.2014.2314672

IF: 5.3

2015-01-01

IEEE Transactions on Parallel and Distributed Systems

Abstract:Cloud computing is becoming popular as the next infrastructure of computing platform. Despite the promising model and hype surrounding, security has become the major concern that people hesitate to transfer their applications to clouds. Concretely, cloud platform is under numerous attacks. As a result, it is definitely expected to establish a firewall to protect cloud from these attacks. However, setting up a centralized firewall for a whole cloud data center is infeasible from both performance and financial aspects. In this paper, we propose a decentralized cloud firewall framework for individual cloud customers. We investigate how to dynamically allocate resources to optimize resources provisioning cost, while satisfying QoS requirement specified by individual customers simultaneously. Moreover, we establish novel queuing theory based model M/Geo/1 and M/Geo/m for quantitative system analysis, where the service times follow a geometric distribution. By employing Z-transform and embedded Markov chain techniques, we obtain a closed-form expression of mean packet response time. Through extensive simulations and experiments, we conclude that an M/Geo/1 model reflects the cloud firewall real system much better than a traditional M/M/1 model. Our numerical results also indicate that we are able to set up cloud firewall with affordable cost to cloud customers.

Shucheng Yu,Cong Wang,Kui Ren,Wenjing Lou

DOI: https://doi.org/10.1109/INFCOM.2010.5462174

2010-01-01

Abstract:Cloud computing is an emerging computing paradigm in which resources of the computing infrastructure are provided as services over the Internet. As promising as it is, this paradigm also brings forth many new challenges for data security and access control when users outsource sensitive data for sharing on cloud servers, which are not within the same trusted domain as data owners. To keep sensitive user data confidential against untrusted servers, existing solutions usually apply cryptographic methods by disclosing data decryption keys only to authorized users. However, in doing so, these solutions inevitably introduce a heavy computation overhead on the data owner for key distribution and data management when fine-grained data access control is desired, and thus do not scale well. The problem of simultaneously achieving fine-grainedness, scalability, and data confidentiality of access control actually still remains unresolved. This paper addresses this challenging open issue by, on one hand, defining and enforcing access policies based on data attributes, and, on the other hand, allowing the data owner to delegate most of the computation tasks involved in fine-grained data access control to untrusted cloud servers without disclosing the underlying data contents. We achieve this goal by exploiting and uniquely combining techniques of attribute-based encryption (ABE), proxy re-encryption, and lazy re-encryption. Our proposed scheme also has salient properties of user access privilege confidentiality and user secret key accountability. Extensive analysis shows that our proposed scheme is highly efficient and provably secure under existing security models.

Ken Goss,Wei Jiang

DOI: https://doi.org/10.48550/arXiv.1810.01571

2018-10-03

Abstract:Firewalls have long been in use to protect local networks from threats of the larger Internet. Although firewalls are effective in preventing attacks initiated from outside, they are vulnerable to insider threats, e.g., malicious insiders may access and alter firewall configurations, and disable firewall services. In this paper, we develop an innovative distributed architecture to obliviously manage and evaluate firewalls to prevent both insider and external attacks oriented to the firewalls. Our proposed structure alleviates these issues by obfuscating the firewall rules or policies themselves, then distributing the function of evaluating these rules across multiple servers. Thus, both accessing and altering the rules are considerably more difficult thereby providing better protection to the local network as well as greater security for the firewall itself. We achieve this by integrating multiple areas of research such as secret sharing schemes and multi-party computation, as well as Bloom filters and Byzantine agreement protocols. Our resulting solution is an efficient and secure means by which a firewall may be distributed, and obfuscated while maintaining the ability for multiple servers to obliviously evaluate its functionality.

Cryptography and Security

Shengsheng Yao,Mingwei Xu,Qi Li,Jiahao Cao,Qiyang Song

DOI: https://doi.org/10.1109/globecom38437.2019.9013473

2019-01-01

Abstract:To reduce the management costs, outsourcing network function (NF) to the cloud becomes prevalent in enterprises. This trend is increasing with the advent of network function virtualization (NFV). However, such outsourcing cannot guarantee the order and security of service function chains(SFCs) as the cloud is susceptible to attacks. In this paper, we introduce credible SFC (cSFC), a practical scheme to build secure service function chains on the untrusted cloud, cooperating with encrypted transport protocols. cSFC simultaneously shields NFs from an untrusted cloud and preserves the order of SFC sequence. Meanwhile, this scheme supports a wide range of NF functionalities and preserves the privacy of session data. We implement the cSFC prototype, and the evaluation result shows that it is practical with acceptable performance.

Yu Zhang,Jing Chen,Ruiying Du,Lan Deng,Yang Xiang,Qing Zhou

DOI: https://doi.org/10.1109/TrustCom.2014.42

2014-01-01

Abstract:In the past few years, cloud computing has emerged as one of the most influential paradigms in the IT industry. As promising as it is, this paradigm brings forth many new challenges for data security because users have to outsource sensitive data on untrusted cloud servers for sharing. In this paper, to guarantee the confidentiality and security of data sharing in cloud environment, we propose a Flexible and Efficient Access Control Scheme (FEACS) based on Attribute-Based Encryption, which is suitable for fine-grained access control. Compared with existing state-of-the-art schemes, FEACS is more practical by following functions. First of all, considering the factor that the user membership may change frequently in cloud environment, FEACS has the capability of coping with dynamic membership efficiently. Secondly, full logic expression is supported to make the access policy described accurately and efficiently. Besides, we prove in the standard model that FEACS is secure based on the Decisional Bilinear Diffie-Hellman assumption. To evaluate the practicality of FEACS, we provide a detailed theoretical performance analysis and a simulation comparison with existing schemes. Both the theoretical analysis and the experimental results prove that our scheme is efficient and effective for cloud environment.

Luca Melis,Hassan Jameel Asghar,Emiliano De Cristofaro,Mohamed Ali Kaafar

DOI: https://doi.org/10.1145/2876019.2876021

2016-01-25

Abstract:Aiming to reduce the cost and complexity of maintaining networking infrastructures, organizations are increasingly outsourcing their network functions (e.g., firewalls, traffic shapers and intrusion detection systems) to the cloud, and a number of industrial players have started to offer network function virtualization (NFV)-based solutions. Alas, outsourcing network functions in its current setting implies that sensitive network policies, such as firewall rules, are revealed to the cloud provider. In this paper, we investigate the use of cryptographic primitives for processing outsourced network functions, so that the provider does not learn any sensitive information. More specifically, we present a cryptographic treatment of privacy-preserving outsourcing of network functions, introducing security definitions as well as an abstract model of generic network functions, and then propose a few instantiations using partial homomorphic encryption and public-key encryption with keyword search. We include a proof-of-concept implementation of our constructions and show that network functions can be privately processed by an untrusted cloud provider in a few milliseconds.

Cryptography and Security

Hao Ren,Hongwei Li,Dongxiao Liu,Guowen Xu,Nan Cheng,Xuemin Shen,Xuemin Sherman Shen

DOI: https://doi.org/10.1109/tcc.2020.2991167

IF: 5.697

2020-01-01

IEEE Transactions on Cloud Computing

Abstract:With the increasing traffic volume, enterprises choose to outsource their middlebox services, such as deep packet inspection, to the cloud to acquire rich computational and communication resources. However, since the traffic is redirected to the public cloud, information leakages, such as packet payload and inspection rules, arouse privacy concerns of both middlebox owner and packet senders. To address the concerns, we propose an efficient verifiable deep packet inspection (EV-DPI) scheme with strong privacy guarantees. Specifically, a two-layer architecture is designed and deployed over two non-collusion cloud servers. The first layer fast filters out most of legitimate packets and the second layer supports exact rule matching. During the inspection, the privacy of packet payload and the confidentiality of inspection rules are well preserved. To improve the efficiency, only fast symmetric crypto-systems, such as hash functions, are used. Moreover, the proposed scheme allows the network administrator to verify the execution results, which offers a strong control of outsourced services. To validate the performance of the proposed EV-DPI scheme, we conduct extensive experiments on the Amazon Cloud. Large-scale dataset (millions of packets) is tested to obtain the key performance metrics. The experimental results demonstrate that EV-DPI not only preserves the packet privacy, but also achieves high packet inspection efficiency.

computer science, information systems, theory & methods

WEI Lingbo,FENG Xiaobing,ZHANG Chi,SHENG Hualong,YU Nenghai

DOI: https://doi.org/10.11959/j.issn.1000-436x.2018057

2018-01-01

Abstract:Due to the problem of high cost and limited scalability of dedicated hardware middleboxes, it is popular for enterprises to outsource middleboxes as software processes to the cloud service provider. In the current network function outsourcing schemes, the cloud service provider requires the enterprise's communication traffic and network strategy which poses a serious threat to the enterprise's piracy. Based on prefix-preserving encryption, a privacy preserving net-work function outsourcing system was proposed. Compared with other similar schemes, the system not only realizes the privacy protection of communication traffic, but also has higher throughput and lower delay.

Tien Tuan Anh Dinh,Anwitaman Datta

DOI: https://doi.org/10.48550/arXiv.1210.0660

2012-10-02

Cryptography and Security

Abstract:There is an increasing trend for businesses to migrate their systems towards the cloud. Security concerns that arise when outsourcing data and computation to the cloud include data confidentiality and privacy. Given that a tremendous amount of data is being generated everyday from plethora of devices equipped with sensing capabilities, we focus on the problem of access controls over live streams of data based on triggers or sliding windows, which is a distinct and more challenging problem than access control over archival data. Specifically, we investigate secure mechanisms for outsourcing access control enforcement for stream data to the cloud. We devise a system that allows data owners to specify fine-grained policies associated with their data streams, then to encrypt the streams and relay them to the cloud for live processing and storage for future use. The access control policies are enforced by the cloud, without the latter learning about the data, while ensuring that unauthorized access is not feasible. To realize these ends, we employ a novel cryptographic primitive, namely proxy-based attribute-based encryption, which not only provides security but also allows the cloud to perform expensive computations on behalf of the users. Our approach is holistic, in that these controls are integrated with an XML based framework (XACML) for high-level management of policies. Experiments with our prototype demonstrate the feasibility of such mechanisms, and early evaluations suggest graceful scalability with increasing numbers of policies, data streams and users.

Cong Wang,Xingliang Yuan,Yong Cui,Kui Ren

DOI: https://doi.org/10.1109/mnet.2017.1700060

IF: 10.294

2017-01-01

IEEE Network

Abstract:Modern enterprise networks heavily rely on ubiquitous network middleboxes for advanced traffic processing such as deep packet inspection, traffic classification, and load balancing. Recent advances in NFV have pushed forward the paradigm of migrating in-house middleboxes to third-party providers as software-based services for reduced cost yet increased scalability. Despite its potential, this new service model also raises new security and privacy concerns, as traffic is now redirected and processed in an untrusted environment. In this article, we survey recent efforts in the direction of enabling secure outsourced middlebox functions, and identify open challenges for researchers and practitioners to further investigate solutions toward secure middlebox services.

Kui Ren,Cong Wang

2012-01-01

Abstract:Cloud computing economically enables a fundamental paradigm of data service outsourcing, which provides lower up-front capital costs and less hands-on management. However, outsourcing data services to the commercial public cloud deprives customers' control over the systems that manage their data, raising security and privacy as the primary obstacles to the adoption of the cloud. To address these challenges, in this dissertation we explore the problem of secure and privacy-assured data service outsourcing in cloud computing. We aim at deploying the most fundamental data services including data storage, search, and sharing on the commercial public cloud, with built-in security and privacy assurance as well as high level service performance, usability, and scalability. Our contributions are as follows: Firstly, we focus on privacy-preserving secure cloud storage auditing to maintain strong storage correctness guarantee, given the difficulty that data files are no longer locally possessed by data owners. We first develop a random-masking sampling approach to allow a third party auditor to perform on-demand privacy-preserving storage correctness auditing on behalf of data owners, without violating owners' data privacy. For storage correctness assurance with data dynamics, we further investigate a novel sequence-enforced Merkle Hash Tree and manipulate it with the random sampling approach to support fully dynamic data operations. Secondly, we focus on privacy-assured and effective cloud data search services with strong privacy-assurance, while enjoying high service-level performance inherently demanded by the large number of data users and huge amount data files. We first investigate a widely applicable fuzzy/similarity keyword search problem, and develop a brand new symbol-based trie-traverse searching approach, where transformed fuzzy keywords extracted from data files are stored using a multi-way tree structure, while protecting keyword privacy. To enable search result relevance ranking, we further investigate secure ranked search, which facilitates efficient server-side result ranking without leaking any keyword related information. Thirdly, we study how to enable scalable and owner-controlled cloud data sharing services, given the challenge that data no longer resides on owners' trusted domain. We first associate data with a set of meaningful attributes, use logical composition of attributes to reflect fine-grained data access, and enforce owner's control via attribute-based encryption. For the inherent scalability requirement of cloud system, we further leverage the cloud as a mediated proxy, to which data owners can delegate most cumbersome data/user management workload, without affecting the underlying data confidentiality.

Haotian Chi,Qiang Zeng,Xiaojiang Du,Lannan Luo

DOI: https://doi.org/10.48550/arXiv.1910.07987

2019-10-22

Abstract:Emerging Internet of Thing (IoT) platforms provide a convenient solution for integrating heterogeneous IoT devices and deploying home automation applications. However, serious privacy threats arise as device data now flow out to the IoT platforms, which may be subject to various attacks. We observe two privacy-unfriendly practices in emerging home automation systems: first, the majority of data flowed to the platform are superfluous in the sense that they do not trigger any home automation; second, home owners currently have nearly zero control over their data. We present PFirewall, a customizable data-flow control system to enhance user privacy. PFirewall analyzes the automation apps to extract their semantics, which are automatically transformed into data-minimization policies; these policies only send minimized data flows to the platform for app execution, such that the ability of attackers to infer user privacy is significantly impaired. In addition, PFirewall provides capabilities and interfaces for users to define and enforce customizable policies based on individual privacy preferences. PFirewall adopts an elegant man-in-the-middle design, transparently executing data minimization and user-defined policies to process raw data flows and mediating the processed data between IoT devices and the platform (via the hub), without requiring modifications of the platform or IoT devices. We implement PFirewall to work with two popular platforms: SmartThings and openHAB, and set up two real-world testbeds to evaluate its performance. The evaluation results show that PFirewall is very effective: it reduces IoT data sent to the platform by 97% and enforces user defined policies successfully.

Cryptography and Security

Wei-Yang Chiu,Weizhi Meng

2023-03-23

Abstract:Central-managed security mechanisms are often utilized in many organizations, but such server is also a security breaking point. This is because the server has the authority for all nodes that share the security protection. Hence if the attackers successfully tamper the server, the organization will be in trouble. Also, the settings and policies saved on the server are usually not cryptographically secured and ensured with hash. Thus, changing the settings from alternative way is feasible, without causing the security solution to raise any alarms. To mitigate these issues, in this work, we develop BlockFW - a blockchain-based rule sharing firewall to create a managed security mechanism, which provides validation and monitoring from multiple nodes. For BlockFW, all occurred transactions are cryptographically protected to ensure its integrity, making tampering attempts in utmost challenging for attackers. In the evaluation, we explore the performance of BlockFW under several adversarial conditions and demonstrate its effectiveness.

Cryptography and Security,Computers and Society

Tien Tuan Anh Dinh,Anwitaman Datta

DOI: https://doi.org/10.48550/arXiv.1305.6146

2013-05-28

Abstract:As tremendous amount of data being generated everyday from human activity and from devices equipped with sensing capabilities, cloud computing emerges as a scalable and cost-effective platform to store and manage the data. While benefits of cloud computing are numerous, security concerns arising when data and computation are outsourced to a third party still hinder the complete movement to the cloud. In this paper, we focus on the problem of data privacy on the cloud, particularly on access controls over stream data. The nature of stream data and the complexity of sharing data make access control a more challenging issue than in traditional archival databases. We present Streamforce - a system allowing data owners to securely outsource their data to the cloud. The owner specifies fine-grained policies which are enforced by the cloud. The latter performs most of the heavy computations, while learning nothing about the data. To this end, we employ a number of encryption schemes, including deterministic encryption, proxy-based attribute based encryption and sliding-window encryption. In Streamforce, access control policies are modeled as secure continuous queries, which entails minimal changes to existing stream processing engines, and allows for easy expression of a wide-range of policies. In particular, Streamforce comes with a number of secure query operators including Map, Filter, Join and Aggregate. Finally, we implement Streamforce over an open source stream processing engine (Esper) and evaluate its performance on a cloud platform. The results demonstrate practical performance for many real-world applications, and although the security overhead is visible, Streamforce is highly scalable.

Databases,Cryptography and Security