Xiaoqin Pan,Shaofei Tang,Zuqing Zhu

DOI: https://doi.org/10.1109/ICCC49849.2020.9238883

2020-01-01

Abstract:As a new paradigm for the monitoring and troubleshooting of backbone networks, the multilayer in-band network telemetry (ML-INT) with deep learning (DL) based data analytics (DA) has recently been proven to be effective on real-time visualization and fine-grained monitoring. However, the existing studies on ML-INT&DA systems have overlooked the privacy and security issues, i.e., a malicious party can apply tapping in the data reporting channels between the data and control planes to illegally obtain plaintext ML-INT data in them. In this paper, we discuss a privacy-preserving DL-based ML-INT&DA system for realizing AI-assisted network automation in backbone networks in the form of IP-over-Optical. We first show a lightweight encryption scheme based on integer vector homomorphic encryption (IVHE), which is used to encrypt plaintext ML-INT data. Then, we architect a DL model for anomaly detection, which can directly analyze the ciphertext ML-INT data. Finally, we present the implementation and experimental demonstrations of the proposed system. The privacy-preserving DL-basedML-INT&DA system is realized in a real IP over elastic optical network (IP-over-EON) testbed, and the experimental results verify the feasibility and effectiveness of our proposal.

Xiaoqin Pan,Shaofei Tang,Siqi Liu,Jiawei Kong,Xu Zhang,Daoyun Hu,Jin Qi,Zuqing Zhu

DOI: https://doi.org/10.1109/jlt.2020.3007491

IF: 4.7

2020-11-01

Journal of Lightwave Technology

Abstract:Xiaoqin Pan, Shaofei Tang, Siqi Liu, Jiawei Kong, Xu Zhang, Daoyun Hu, Jin Qi, Zuqing Zhu<br/>With the evolution of Internet infrastructure and network services, multilayer in-band network telemetry (ML-INT) and data analytics (DA) ... [J. Lightwave Technol. 38, 5855-5866 (2020)]

engineering, electrical & electronic,optics,telecommunications

Dezhang Kong,Xiang Chen,Hang Lin,Zhengyan Zhou,Yi Shen,Hongyan Liu,Qiumei Cheng,Xuan Liu,Dong Zhang,Chunming Wu,Muhammad Khurram Khan

DOI: https://doi.org/10.1109/tnsm.2024.3504563

2024-01-01

IEEE Transactions on Network and Service Management

Abstract:In-band Network Telemetry (INT) is a widely used monitoring framework in modern large-scale networks. It provides packet-level visibility into network conditions by inserting telemetry data into packets, enabling unprecedented fine-grained network management. However, this mechanism also introduces new vulnerabilities that malicious attackers can exploit. In this paper, we present eight In-band Network Telemetry Manipulation Attacks that take advantage of INT’s weakness, demonstrating that attackers can cause severe damage with little effort by manipulating INT packets. To address this issue, we designed SecureINT, a security-enhanced INT prototype that provides encryption and integrity verification for INT packets. Specifically, SecureINT deploys Even-Mansour and SipHash for confidentiality and integrity, respectively. It also uses a zero-delay rotation mechanism, which enables administrators to dynamically change the version of the deployed Even-Mansour/SipHash running on programmable switches without the need to re-install new programs. In this way, SecureINT can provide lasting security for INT packets using the limited resources of programmable switches. According to the experiments, SecureINT can be deployed on programmable switches using a single pipeline. Besides, the overhead of the rotation mechanism running on the control plane is still minimal.

Dezhang Kong,Zhengyan Zhou,Yi Shen,Xiang Chen,Qiumei Cheng,Dong Zhang,Chunming Wu

DOI: https://doi.org/10.1109/IWQoS57198.2023.10188809

2023-01-01

Abstract:In-band Network Telemetry (INT) is a widely used monitoring framework in modern large-scale networks that provides fine-grained visibility into network conditions by inserting telemetry data into packets. However, this mechanism also introduces new vulnerabilities that malicious attackers can exploit. In this paper, we present four In-band Network Telemetry Manipulation Attacks that take advantage of INT's weakness, demonstrating that attackers can cause severe damage with little effort by manipulating INT packets. To address this issue, we design SecureINT, a novel INT prototype that ensures confidentiality and integrity for INT packets. To meet the stringent computational requirements of programmable switches, we comprehensively analyze possible attacks on the deployed encryption/hash algorithms and modify them accordingly without compromising their security. According to the experiments, SecureINT can be deployed on programmable switches using a single pipeline, providing encryption and integrity verification for INT packets with minimal overhead.

Longfei Zheng,Chaochao Chen,Yingting Liu,Bingzhe Wu,Xibin Wu,Li Wang,Lei Wang,Jun Zhou,Shuang Yang

2020-01-01

Abstract:Deep Neural Network (DNN) has been showing great potential in kinds of real-world applications such as fraud detection and distress prediction. Meanwhile, data isolation has become a serious problem currently, i.e., different parties cannot share data with each other. To solve this issue, most research leverages cryptographic techniques to train secure DNN models for multi-parties without compromising their private data. Although such methods have strong security guarantee, they are difficult to scale to deep networks and large datasets due to its high communication and computation complexities. To solve the scalability of the existing secure Deep Neural Network (DNN) in data isolation scenarios, in this paper, we propose an industrial scale privacy preserving neural network learning paradigm, which is secure against semi-honest adversaries. Our main idea is to split the computation graph of DNN into two parts, i.e., the computations related to private data are performed by each party using cryptographic techniques, and the rest computations are done by a neutral server with high computation ability. We also present a defender mechanism for further privacy protection. We conduct experiments on real-world fraud detection dataset and financial distress prediction dataset, the encouraging results demonstrate the practicalness of our proposal.

Yanfei Fan,Yixin Jiang,Haojin Zhu,Jiming Chen,Xuemin (Sherman) Shen

DOI: https://doi.org/10.1109/twc.2011.122010.100087

IF: 10.4

2010-01-01

IEEE Transactions on Wireless Communications

Abstract:Privacy threat is one of the critical issues in multi-hop wireless networks, where attacks such as traffic analysis and flow tracing can be easily launched by a malicious adversary due to the open wireless medium. Network coding has the potential to thwart these attacks since the coding/mixing operation is encouraged at intermediate nodes. However, the simple deployment of network coding cannot achieve the goal once enough packets are collected by the adversaries. On the other hand, the coding/mixing nature precludes the feasibility of employing the existing privacy-preserving techniques, such as Onion Routing. In this paper, we propose a novel network coding based privacy-preserving scheme against traffic analysis in multi-hop wireless networks. With homomorphic encryption on Global Encoding Vectors (GEVs), the proposed scheme offers two significant privacy-preserving features, packet flow untraceability and message content confidentiality, for efficiently thwarting the traffic analysis attacks. Moreover, the proposed scheme keeps the random coding feature, and each sink can recover the source packets by inverting the GEVs with a very high probability. Theoretical analysis and simulative evaluation demonstrate the validity and efficiency of the proposed scheme.

Shaofei Tang,Jiawei Kong,Bin Niu,Zuqing Zhu

DOI: https://doi.org/10.1109/mcom.001.1900365

IF: 9.03

2020-01-01

IEEE Communications Magazine

Abstract:Recently, the fast development of backbone networks has made the traffic, services, and infrastructure of packet-over-optical networks increasingly complicated. This stimulates research and development on fine-grained and real-time performance monitoring and troubleshooting. In this article, we propose a ProML-INT system to oversee packet-over-optical networks in real time and enable customized performance monitoring and troubleshooting. We introduce the system design in detail, and explain how to control the overhead of multilayer INT ML-INT by inserting INT fields in packets selectively. Experiments demonstrate the ProML-INT system, a small-scale packet-over-optical network testbed. The experimental results confirm that our proposal can monitor packet and optical layers jointly in real time, and the homemade data analyzer in it can leverage artificial intelligence to identify the root causes of exceptions in packet-over-optical networks correctly and promptly.

Bin Niu,Jiawei Kong,Shaofei Tang,Yingcong Li,Zuqing Zhu

DOI: https://doi.org/10.1109/access.2019.2924332

IF: 3.9

2019-01-01

IEEE Access

Abstract:Nowadays, with the fast development of backbone networks, performance monitoring and troubleshooting on IP-over-optical networks have become increasingly important. However, a real-time monitoring scheme, which is programmable to reveal the end-to-end multilayer information of an arbitrary flow in an IP-over-optical network, is still absent. Also, for such a monitoring scheme, how to balance the tradeoff between the accuracy and the overhead has not been studied yet. To address these challenges, we design a P4-based flexible multilayer in-band network telemetry (ML-INT) system to visualize an IP-over-optical network in real time. Specifically, the flexible ML-INT scheme only selects a small portion of packets in an IP flow to encode INT headers, while each INT header only contains a part of the statistics of all the electrical/optical network elements (NEs) on the flow's routing path. We design the packet processing pipelines for the scheme, program P4-based hardware programmable data-plane (PDP) switches to implement the pipelines, develop the optical performance monitors that can cooperate with the PDP switches to facilitate ML-INT, and implement a high-performance data analyzer that can extract, parse, and analyze the INT data carried by the high-speed IP flows [i.e., with an arrival rate up to 2 million packets per second (Mp/s)]. The whole flexible ML-INT system is experimentally demonstrated in a small-scale but real IP-over-optical network testbed. The experimental results verify that our proposal only introduces very small overhead and can make the IP-over-optical network more visible in real time for performance monitoring and troubleshooting.

computer science, information systems,telecommunications,engineering, electrical & electronic

Zuqing Zhu,Bin Niu,Jiawei Kong,Shaofei Tang,Yingcong Li,Hongqiang Fang,Wei Lu

DOI: https://doi.org/10.23919/ps.2019.8817634

2019-01-01

Abstract:We discuss how to design automatic and effective network control and management (NC&M) for IP over elastic optical networks (IPoEONs). We first develop a flexible multilayer inband network telemetry (ML-INT) system and then propose the artificial intelligence (AI) assisted NC&M framework to leverage the ML-INT data for application-aware service provisioning.

Chengze Du,Jibin Shi

2024-12-11

Abstract:Network tomography plays a crucial role in network monitoring and management, where network topology serves as the fundamental basis for various tomography tasks including traffic matrix estimation and link performance inference. The topology information, however, can be inferred through end-to-end measurements using various inference algorithms, posing significant security risks to network infrastructure. While existing protection methods attempt to secure topology information by manipulating end-to-end delay measurements, they often require complex computation and sophisticated modification strategies, making real-time protection challenging. Moreover, these delay-based modifications typically render the measurements unusable for network monitoring, even by trusted users, as the manipulated delays distort the actual network performance characteristics. This paper presents a novel privacy-preserving framework that addresses these limitations. Our approach provides efficient topology protection while maintaining the utility of measurements for authorized network monitoring. Through extensive evaluation on both simulated and real-world networks topology, we demonstrate that our framework achieves superior privacy protection compared to existing methods while enabling trusted users to effectively monitor network performance. Our solution offers a practical approach for organizations to protect sensitive topology information without sacrificing their network monitoring capabilities.

Cryptography and Security

Zichen Xu,Shaofei Tang,Zuqing Zhu

DOI: https://doi.org/10.1109/jstqe.2022.3156157

IF: 4.9

2022-01-01

IEEE Journal of Selected Topics in Quantum Electronics

Abstract:Recently, IP over elastic optical network (IP-over-EON) has become a promising architecture for metro and core networks. This work studies how to visualize both layers of an IP-over-EON in real time, at different granularities (e.g., at flow-level, lightpath-level, and link-level), and with self-adaptivity. Specifically, we consider the multilayer application of in-band telemetry (INT) and propose entropy-driven adaptive INT (namely, EntropyINT). We introduce stateful processing to programmable data plane (PDP) switches for EntropyINT, such that they can make local decisions to determine whether and what type of telemetry data about the IP and EON layers should be encoded in each packet. The local decisions are designed to be based on the amount of information that can be conveyed by telemetry data to the network automation system. Meanwhile, we make EntropyINT cooperate with out-of-band monitoring, to detect and locate exceptions in the EON layer. Our proposal is implemented in a real-world testbed of IP-over-EON, to evaluate its assistance to network automation. Experimental results verify the effectiveness of our proposal, and indicate that the telemetry data collected by EntropyINT and out-of-band monitoring can better assist the machine learning in network automation, for status prediction and anomaly detection.

Xiaomin Liu,Huazhi Lun,Ruoxuan Gao,Meng Cai,Lilin Yi,Weisheng Hu,Qunbi Zhuge

DOI: https://doi.org/10.1109/jlt.2021.3067146

IF: 4.7

2021-01-01

Journal of Lightwave Technology

Abstract:For further improving the capacity and reliability of optical networks, a closed-loop autonomous architecture is preferred. Considering a large number of optical components in an optical network and many digital signal processing modules in each optical transceiver, massive real-time data can be collected. However, for a traditional monitoring structure, collecting, storing and processing a large size of data are challenging tasks. Moreover, strong correlations and similarities between data from different sources and regions are not properly considered, which may limit function extension and accuracy improvement. To address abovementioned issues, a data-fusion-assisted telemetry layer between the physical layer and control layer is proposed in this paper. The data fusion methodologies are elaborated on three different levels: Source Level, Space Level and Model Level. For each level, various data fusion algorithms are introduced and relevant works are reviewed. In addition, proof-of-concept use cases for each level are provided through simulations, where the benefits of the data-fusion-assisted telemetry layer are shown.

Geong Sen Poh,Dinil Mon Divakaran,Hoon Wei Lim,Jianting Ning,Achintya Desai

DOI: https://doi.org/10.48550/arXiv.2101.04338

2021-01-12

Cryptography and Security

Abstract:Middleboxes in a computer network system inspect and analyse network traffic to detect malicious communications, monitor system performance and provide operational services. However, encrypted traffic hinders the ability of middleboxes to perform such services. A common practice in addressing this issue is by employing a "Man-in-the-Middle" (MitM) approach, wherein an encrypted traffic flow between two endpoints is interrupted, decrypted and analysed by the middleboxes. The MitM approach is straightforward and is used by many organisations, but there are both practical and privacy concerns. Due to the cost of the MitM appliances and the latency incurred in the encrypt-decrypt processes, enterprises continue to seek solutions that are less costly. There were discussion on the many efforts required to configure MitM. Besides, MitM violates end-to-end privacy guarantee, raising privacy concerns and issues on compliance especially with the rising awareness on user privacy. Furthermore, some of the MitM implementations were found to be flawed. Consequently, new practical and privacy-preserving techniques for inspection over encrypted traffic were proposed. We examine them to compare their advantages, limitations and challenges. We categorise them into four main categories by defining a framework that consist of system architectures, use cases, trust and threat models. These are searchable encryption, access control, machine learning and trusted hardware. We first discuss the man-in-the-middle approach as a baseline, then discuss in details each of them, and provide an in-depth comparisons of their advantages and limitations. By doing so we describe practical constraints, advantages and pitfalls towards adopting the techniques. We also give insights on the gaps between research work and industrial deployment, which leads us to the discussion on the challenges and research directions.

Pranshav Gajjar,Azuka Chiejina,Vijay K. Shah

2024-02-15

Abstract:Deep learning offers a promising solution to improve spectrum access techniques by utilizing data-driven approaches to manage and share limited spectrum resources for emerging applications. For several of these applications, the sensitive wireless data (such as spectrograms) are stored in a shared database or multistakeholder cloud environment and are therefore prone to privacy leaks. This paper aims to address such privacy concerns by examining the representative case study of shared database scenarios in 5G Open Radio Access Network (O-RAN) networks where we have a shared database within the near-real-time (near-RT) RAN intelligent controller. We focus on securing the data that can be used by machine learning (ML) models for spectrum sharing and interference mitigation applications without compromising the model and network performances. The underlying idea is to leverage a (i) Shuffling-based learnable encryption technique to encrypt the data, following which, (ii) employ a custom Vision transformer (ViT) as the trained ML model that is capable of performing accurate inferences on such encrypted data. The paper offers a thorough analysis and comparisons with analogous convolutional neural networks (CNN) as well as deeper architectures (such as ResNet-50) as baselines. Our experiments showcase that the proposed approach significantly outperforms the baseline CNN with an improvement of 24.5% and 23.9% for the percent accuracy and F1-Score respectively when operated on encrypted data. Though deeper ResNet-50 architecture is obtained as a slightly more accurate model, with an increase of 4.4%, the proposed approach boasts a reduction of parameters by 99.32%, and thus, offers a much-improved prediction time by nearly 60%.

Cryptography and Security,Machine Learning,Networking and Internet Architecture

Xiaoqin Pan,Hao Yang,Zichen Xu,Zuqing Zhu

DOI: https://doi.org/10.1109/jlt.2022.3172523

IF: 4.7

2022-08-01

Journal of Lightwave Technology

Abstract:The fast development of multi-layer packet-over-optical networks has made network monitoring and troubleshooting increasingly complicated. This has stimulated people to combine machine learning (ML) and software-defined networking (SDN) to realize multi-layer network automation. Despite its initial successes, the vulnerabilities of multi-layer network automation have not been fully explored. This work studies how to mislead the ML-based classifiers for anomaly detection. Specifically, we design two adversarial-sample-based attack schemes based on the white-box attack (WBA) and black-box attack (BBA) strategies, respectively, to eavesdrop and tamper legitimate telemetry data samples and generate adversarial samples adaptively, for disturbing ML-based classifiers and in turn misleading network automation to make incorrect decisions. Compared with WBA, BBA makes the attack scheme more practical by minimizing the dependency on pre-knowledge of the target ML-based classifiers. Considering different types of ML-based classifiers, we build a real-world packet-over-optical testbed and leverage the telemetry samples collected in it to demonstrate that our proposed BBA scheme can interact with the network quietly to train itself, generate well-crafted adversarial samples to tamper legitimate telemetry samples in the hard-to-detect way, and mislead ML-based classifiers in the network automation system to severely affect their performance on anomaly detection.

engineering, electrical & electronic,optics,telecommunications

Shaofei Tang,Jianquan Peng,Siqi Liu,Jiawei Kong,Zuqing Zhu

DOI: https://doi.org/10.1364/ofc.2021.f2g.6

2021-01-01

Abstract:We propose and experimentally demonstrate a self-adaptive network monitoring system for IP over elastic optical networks, which can coordinate and adjust in-band and out-of-band monitoring schemes intelligently based on the data analytics on multilayer telemetry data.

Lin Wang,Wang, Lin

DOI: https://doi.org/10.1007/s11082-023-05539-5

IF: 3

2023-10-26

Optical and Quantum Electronics

Abstract:Allocating and routing resources in optical networks is an extremely important operation since it has a direct bearing on the efficiency and scalability of the network's resources. As the backbone of communication supporting fundamental societal services, optical networks have an obligation to operate reliably and swiftly. Machine Learning (ML)-based cognitive and automated security management capabilities that interface with industry-standard network control entities and procedures are so essential. The performance and effectiveness of ML techniques for security diagnostics, as well as new management structures and features, must be improved for automated administration of optical network security. This study uses a deep learning model to provide a new method for elastic optical network routing and data transmission security. Utilising reinforcement matrix-based genetic routing analysis, network routing is improved, and hybrid convolutional component vector encoder neural networks are used for security analysis. The experimental study is done for different network parameters in terms of SNR, bit error rate, spectral efficiency, and data integrity. Based on the results of the current study, we suggest future research areas for resource allocation and routing in multidimensional time–space-frequency optical networks and satellite optical networks. The proposed technique attained spectral efficiency of 92%, data integrity 89%, SNR of 51%, bit error rate of 58%.

engineering, electrical & electronic,optics,quantum science & technology

Yong Yu,Huilin Li,Ruonan Chen,Yanqi Zhao,Haomiao Yang,Xiaojiang Du

DOI: https://doi.org/10.1109/MNET.2019.1800362

IF: 10.294

2019-01-01

IEEE Network

Abstract:Intelligent networks are regarded as existing networks incorporating some intelligent mechanisms such as cognitive and cooperative approaches to improve network performance. Security is highly essential in intelligent networks but has received less attention so far. In this article, we propose a framework that enables a secure intelligent network with the assistance of cloud-assisted privacy-preserving machine learning. In the framework, the cloud server can first generate a model using outsourced machine learning algorithms and then process testing data from the network with the generated model in real time, which reflects to the network and makes it more intelligent. At the same time, the proposal guarantees the security and privacy of both the training data and the testing data in the sense that the proposed framework takes advantage of differential privacy to perform privacy-preserving data analysis and homomorphic encryption to conduct valid operations over encrypted data. The performance evaluations of the core primitives employed in the framework including differential privacy and homomorphic encryption algorithms demonstrate the practicability of our proposal.

Mohamad Hasan,Tania Malik

DOI: https://doi.org/10.34190/eccws.23.1.2505

2024-06-21

Abstract:In today's digital age, ensuring network privacy and integrity is of utmost importance. To address this, our work proposed an advanced VPN security framework that integrates open-source threat intelligence and machine learning (ML) to enhance cyber defences. By combining Wazuh for threat detection and analysis, and pfsense for firewall capabilities, with state-of-the-art ML algorithms, we present a robust VPN security solution to the challenges presented by the evolving landscape of cyber threats, representing a significant advancement in securing digital networks. This framework is strengthened by the integration of four ML algorithms— Gradient Boosted Trees (GBT), Random Forest (RF), K-Nearest Neighbors (KNN), and Dense Deep Learning (DDL)— chosen for their classification efficacy and their ability to process complex security data, thereby improving the efficiency and accuracy of threat detection. Results indicated significant improvements in threat detection accuracy following the integration of ML algorithms. The Random Forest (RF) algorithm, in particular, stood out for its exceptional accuracy and ability to handle various threat scenarios, showcasing its efficacy in identifying sophisticated cyber threats through network traffic pattern analysis. Further performance benchmarking confirmed the feasibility of deploying the advanced VPN security framework, demonstrating minimal impact on network latency and throughput.

Kishore Rajasekar,Randolph Loh,Kar Wai Fok,Vrizlynn L. L. Thing

2024-04-11

Abstract:MLaaS (Machine Learning as a Service) has become popular in the cloud computing domain, allowing users to leverage cloud resources for running private inference of ML models on their data. However, ensuring user input privacy and secure inference execution is essential. One of the approaches to protect data privacy and integrity is to use Trusted Execution Environments (TEEs) by enabling execution of programs in secure hardware enclave. Using TEEs can introduce significant performance overhead due to the additional layers of encryption, decryption, security and integrity checks. This can lead to slower inference times compared to running on unprotected hardware. In our work, we enhance the runtime performance of ML models by introducing layer partitioning technique and offloading computations to GPU. The technique comprises two distinct partitions: one executed within the TEE, and the other carried out using a GPU accelerator. Layer partitioning exposes intermediate feature maps in the clear which can lead to reconstruction attacks to recover the input. We conduct experiments to demonstrate the effectiveness of our approach in protecting against input reconstruction attacks developed using trained conditional Generative Adversarial Network(c-GAN). The evaluation is performed on widely used models such as VGG-16, ResNet-50, and EfficientNetB0, using two datasets: ImageNet for Image classification and TON IoT dataset for cybersecurity attack detection.

Cryptography and Security