Wu Qiang,Wu Chunming,Yan Xincheng,Cheng Qiumei

DOI: https://doi.org/10.1109/tnsm.2021.3071774

2021-01-01

IEEE Transactions on Network and Service Management

Abstract:With the emergence of cloud native technology, the network slicing enables automatic service orchestration, flexible network scheduling and scalable network resource allocation, which profoundly affects the traditional security solution. Security is regarded as a technology independent of the cloud native architecture in the initial design, traditional passive defense such as “reinforced” and “stacked” is relied on to achieve system security protection. The lack of intrinsic security mechanisms makes the system capability insufficient when faces the uncertain threat brought by vulnerabilities and backdoors under the ecosystem of opening-up and sharing. The static nature of existing networks and computing systems makes them easy to be compromised and hard to defend, and thus it is urgent to provide intrinsic security and proactive protection against the unpredictable attacks. To this end, this paper proposes a novel paradigm named intrinsic cloud security (iCS) from the perspective of dynamic defense. The dynamic defense provides component-level security, and has complementary and consistency with the cloud native environment. In particular, iCS introduces mimic defense and moving target defense (MTD), and makes full use of the new features introduced by cloud native to implement an intrinsic and proactive defense mechanism with acceptable costs and efficiency. The iCS paradigm achieves seamless integration and symbiosis evolution between security and cloud native. We implement a trial of iCS based on 5GC commercial system and evaluate its performance on costs, efficiency and attack success. The result shows that the iCS enhanced mode always can provide a better and more stable defense effects.

Qiumei Cheng,Chunming Wu,Haifeng Zhou,Yuhang Zhang,Rui Wang,Wei Ruan

DOI: https://doi.org/10.1109/hpcc/smartcity/dss.2018.00149

2018-01-01

Abstract:Guarding the perimeter of cloud-based enterprise networks is a challenge due to massive traffic with dynamic nature. Current firewalls of enterprise networks in cloud are largely based on static security rule configuration or simple rule matching, which makes them inflexible, error-prone and poorly effective, bringing about severe security risks. In this paper, we propose an artificial intelligence-based software-defined networks firewall (AI-SDNF) for solving the above problems. Compared with existing SDN firewalls, AI-SDNF is able to extract and analyze the payload of data packets based on machine learning technologies rather than simply match with flow tables according to several header fields (e.g., source and destination IP/MAC addresses). Considering deciding whether a packet is benign or malicious is able to be formulated as a typical binary classification problem, we employ logistic regression for training an intelligent SDN firewall under supervised machine learning. We implement a prototype of AI-SDNF on the OpenDaylight controller and the OpenStack platform. Based on the prototype, we evaluate its performance and overheads with real dataset. The experimental results indicate that AI-SDNF achieves a relatively high detection accuracy of 96.79% with an average of 0.2ms latency.

Xiang Wang,Zhi Liu,Jun Li,Baohua Yang,Yaxuan Qi

DOI: https://doi.org/10.1109/icccn.2014.6911782

2014-01-01

Abstract:Multi-tenant infrastructures deployed in cloud datacenters need network security protection. However, the rigid control mechanism of current security middleboxes induces inflexible orchestration, limiting the agile and on-demand security provision in virtualized datacenters. This paper presents Tualatin, a consolidated framework of delivering security services in multi-tenant datacenters. It meets security requirements of different scenarios by hardware and software co-design. Leveraging Software-Defined Networking (SDN) and OpenFlow techniques, Tualatin provides fine-grained security protection in dynamically changing network topologies, where both switches and security middleboxes are programmatically controlled by logically centralized controllers. With service-level APIs exposed, Tualatin could be easily integrated with other Cloud Management System (CMS). A proof-of-concept system has been deployed in a Tier-IV datacenter, providing customizable network security services for tenant Virtual Private Cloud (VPC) infrastructure.

Yikuan Yan,Keman Huang,Michael Siegel

2024-03-03

Abstract:The growing system complexity from microservice architectures and the bilateral enhancement of artificial intelligence (AI) for both attackers and defenders presents increasing security challenges for cloud-native operations. In particular, cloud-native operators require a holistic view of the dynamic security posture for the cloud-native environment from a defense aspect. Additionally, both attackers and defenders can adopt advanced AI technologies. This makes the dynamic interaction and benchmark among different intelligent offense and defense strategies more crucial. Hence, following the multi-agent deep reinforcement learning (RL) paradigm, this research develops an agent-based intelligent security service framework (ISSF) for cloud-native operation. It includes a dynamic access graph model to represent the cloud-native environment and an action model to represent offense and defense actions. Then we develop an approach to enable the training, publishing, and evaluating of intelligent security services using diverse deep RL algorithms and training strategies, facilitating their systematic development and benchmark. The experiments demonstrate that our framework can sufficiently model the security posture of a cloud-native system for defenders, effectively develop and quantitatively benchmark different services for both attackers and defenders and guide further service optimization.

Cryptography and Security

Ihsan H. Abdulqadder,Shijie Zhou,Israa T. Aziz,Deqing Zou,Xianjun Deng,Syed Muhammad Abrar Akber

DOI: https://doi.org/10.1109/i2ct51068.2021.9417961

2021-01-01

Abstract:Software defined network (SDN) and network function virtualization (NFV) are the two key technologies that support a large scale 5G environment composed of bunches of users. In this paper, the intrusion detection system (IDS) is provisioned in each layer to completely drop the malicious packets that have escaped in prior layers. The four-layer architecture presented in this work is the perception layer, data plane layer, control plane layer, and application layer. Each layer mitigates particular attacks that peculiarly participate in the network. Classification of attacker packets is handled by analyzing flow features and packet features. Initially, the 5G users are authenticated using the Prince algorithm with identity, password, MAC address, location, and physically unclonable function. Then optimal switches are selected to overwhelm flow table overloading attack by sea lion optimization algorithm. The flow rules in switches are secured through blockchain that maintains PHOTON based hashed flow rules. Flow features from the packets are extracted and classified using recurrent neural network (RNN) in the control plane and then the attack packets are dropped, normal packets are processed and suspicious packets are further classified in the application layer. NFV enabled cloud on the application layer classifies the suspicious packets into normal and malicious from the extracted packet feature based on multinomial naïve bayes (MNB) algorithm. The extensive simulation is performed in Network simulator and experimental results show the proposed attack mitigation is better in terms of detection rate, accuracy, precision, recall, and authentication time with respect to previous research.

Jin He,Kaoru Ota,Mianxiong Dong,Laurence T. Yang,Mingyu Fan,Guangwei Wang,Stephen S. Yau

DOI: https://doi.org/10.1109/tsc.2017.2725828

IF: 11.019

2020-01-01

IEEE Transactions on Services Computing

Abstract:Modern cloud computing platforms based on virtual machine monitors (VMMs) host a variety of complex businesses which present many network security vulnerabilities. In order to protect network security for these businesses in cloud computing, nowadays, a number of middleboxes are deployed at front-end of cloud computing or parts of middleboxes are deployed in cloud computing. However, the former is leading to high cost and management complexity, and also lacking of network security protection between virtual machines while the latter does not effectively prevent network attacks from external traffic. To address the above-mentioned challenges, we introduce a novel customized network security for cloud service (CNS), which not only prevents attacks from external and internal traffic to ensure network security of services in cloud computing, but also affords customized network security service for cloud users. CNS is implemented by modifying the Xen hypervisor and proved by various experiments which showing the proposed solution can be directly applied to the extensive practical promotion in cloud computing.

Nawaf Alhebaishi,Lingyu Wang,Sushil Jajodia

DOI: https://doi.org/10.1007/978-3-030-49669-2_1

2020-01-01

Abstract:By virtualizing proprietary hardware networking devices, Network Functions Virtualization (NFV) allows agile and cost-effective deployment of diverse network services for multiple tenants on top of the same physical infrastructure. As NFV relies on virtualization, and as an NFV stack typically involves several levels of abstraction and multiple co-resident tenants, this new technology also unavoidably leads to new security threats. In this paper, we take the first step toward modeling and mitigating security threats unique to NFV. Specifically, we model both cross-layer and co-residency attacks on the NFV stack. Additionally, we mitigate such threats through optimizing the virtual machine (VM) placement with respect to given constraints. The simulation results demonstrate the effectiveness of our solution.

Ihsan H. Abdulqadder,Shijie Zhou,Deqing Zou,Israa T. Aziz,Syed Muhammad Abrar Akber

DOI: https://doi.org/10.1016/j.comnet.2020.107364

IF: 5.493

2020-01-01

Computer Networks

Abstract:Software defined networking (SDN), network function virtualization (NFV), and cloud computing are receiving significant attention in 5G networks. However, this attention creates a new challenge for security provisioning in these integrated technologies. Research in the field of SDN, NFV, cloud computing, and 5G has recently focused on the intrusion detection and prevention system (IDPS). Existing IDPS solutions are inadequate, which could cause large resource wastage and several security threats. To alleviate security issues, timely detection of an attacker is important. Thus, in this paper, we propose a novel approach that is referred to as multilayered intrusion detection and prevention (ML-IDP) in an SDN/NFV-enabled cloud of 5G networks. The proposed approach defends against security attacks using artificial intelligence (AI). In this paper, we employed five layers: data acquisition layer, switches layer, domain controllers (DC) layer, smart controller (SC) layer, and virtualization layer (NFV infrastructure). User authentication is held in the first layer using the Four-Q-Curve algorithm. To address the flow table overloading attack in the switches layer, the game theory approach, which is executed in the IDP agent, is proposed. The involvement of the IDP agent is to completely avoid a flow table overloading attack by a deep reinforcement learning algorithm, and thus, it updates the current state of all switches. In the DC layer, packets are processed and classified into two classes (normal and suspicious) by a Shannon Entropy function. Normal packets are forwarded to the cloud via the SC. Suspicious packets are sent to the VNF using a growing multiple self-organization map (GM-SOM). The proposed ML-IDP system is evaluated using NS3.26 for different security attacks, including IP Spoofing, flow table overloading, DDoS, Control Plane Saturation, and host location hijacking. From the experiment results, we proved that the ML-IDP with AI-based defense mechanisms effectively detects and prevents attacks.

Rodrigo Moreira,Rodolfo S. Villaca,Moises R. N. Ribeiro,Joberto S. B. Martins,Joao Henrique Correa,Tereza C. Carvalho,Flavio de Oliveira Silva

DOI: https://doi.org/10.1016/j.future.2024.107537

2024-10-05

Abstract:Network Slicing (NS) has transformed the landscape of resource sharing in networks, offering flexibility to support services and applications with highly variable requirements in areas such as the next-generation 5G/6G mobile networks (NGMN), vehicular networks, industrial Internet of Things (IoT), and verticals. Although significant research and experimentation have driven the development of network slicing, existing architectures often fall short in intrinsic architectural intelligent security capabilities. This paper proposes an architecture-intelligent security mechanism to improve the NS solutions. We idealized a security-native architecture that deploys intelligent microservices as federated agents based on machine learning, providing intra-slice and architectural operation security for the Slicing Future Internet Infrastructures (SFI2) reference architecture. It is noteworthy that federated learning approaches match the highly distributed modern microservice-based architectures, thus providing a unifying and scalable design choice for NS platforms addressing both service and security. Using ML-Agents and Security Agents, our approach identified Distributed Denial-of-Service (DDoS) and intrusion attacks within the slice using generic and non-intrusive telemetry records, achieving an average accuracy of approximately $95.60\%$ in the network slicing architecture and $99.99\%$ for the deployed slice -- intra-slice. This result demonstrates the potential for leveraging architectural operational security and introduces a promising new research direction for network slicing architectures.

Cryptography and Security,Artificial Intelligence,Emerging Technologies,Machine Learning,Networking and Internet Architecture

Lin Chen,Xingshu Chen,Junfang Jiang,Xueyuan Yin,Guolin Shao

DOI: https://doi.org/10.1109/tst.2014.6919826

2014-01-01

Tsinghua Science & Technology

Abstract:Network security requirements based on virtual network technologies in IaaS platforms and corresponding solutions were reviewed.A dynamic network security architecture was proposed,which was built on the technologies of software defined networking,Virtual Machine（VM）traffic redirection,network policy unified management,software defined isolation networks,vulnerability scanning,and software updates.The proposed architecture was able to obtain the capacity for detection and access control for VM traffic by redirecting it to configurable security appliances,and ensured the effectiveness of network policies in the total life cycle of the VM by configuring the policies to the right place at the appropriate time,according to the impacts of VM state transitions.The virtual isolation domains for tenants’VMs could be built flexibly based on VLAN policies or Netfilter/Iptables firewall appliances,and vulnerability scanning as a service and software update as a service were both provided as security supports.Through cooperation with IDS appliances and automatic alarm mechanisms,the proposed architecture could dynamically mitigate a wide range of network-based attacks.The experimental results demonstrate the effectiveness of the proposed architecture.

Ke Wang,Li Su,Haitao Du

DOI: https://doi.org/10.1109/ICCT59356.2023.10419581

2023-10-20

Abstract:Network slice security is the prerequisite for introducing network slicing to vertical industries. The security capabilities of one slice need to be decided based on customers' requirements and the security capabilities that the network is capable of providing. Provisioning slice security capabilities passes through the life cycle of a slice instance. However, there is a gap between security requirements and security capabilities that need to be provisioned. It's not easy for the slice customers or the network operators provisioning the security capabilities of one slice. An intelligent slice security capabilities provisioning and management method is urgently needed. This paper proposes an approach to decompose, propagate and perform the slice security related intents in order to achieve intent-driven slice security provision and management.

Computer Science,Engineering

Shengsheng Yao,Mingwei Xu,Qi Li,Jiahao Cao,Qiyang Song

DOI: https://doi.org/10.1109/globecom38437.2019.9013473

2019-01-01

Abstract:To reduce the management costs, outsourcing network function (NF) to the cloud becomes prevalent in enterprises. This trend is increasing with the advent of network function virtualization (NFV). However, such outsourcing cannot guarantee the order and security of service function chains(SFCs) as the cloud is susceptible to attacks. In this paper, we introduce credible SFC (cSFC), a practical scheme to build secure service function chains on the untrusted cloud, cooperating with encrypted transport protocols. cSFC simultaneously shields NFs from an untrusted cloud and preserves the order of SFC sequence. Meanwhile, this scheme supports a wide range of NF functionalities and preserves the privacy of session data. We implement the cSFC prototype, and the evaluation result shows that it is practical with acceptable performance.

Zhi Liu,Xiang Wang,Jun Li

DOI: https://doi.org/10.3969/j.issn.1673-5188.2016.01.008

2016-01-01

Abstract:By extracting the control plane from the data plane, SDN enables unprecedented flexibility for future network architectures and quickly changes the landscape of the networking industry. Although the maturity of commonly accepted SDN security practices is the key to the proliferation of cloud DCN, SDN security research is still in its infancy. This paper gives a top-down survey of the approaches in this area,discussing security challenges and opportunities of softwaredefined datacenter networking for cloud computing. It leverages the well-known confidentiality-integrity-availability（CIA）matrix and protection-detection-reaction（PDR） model to give an overview of current security threats and security measures. It also discusses promising research directions in this field.

Huazhe Wang,Xin Li,Yu Zhao,Ye Yu,Hongkun Yang,Chen Qian

DOI: https://doi.org/10.48550/arXiv.1606.07079

2016-06-22

Networking and Internet Architecture

Abstract:There is an increasing trend that enterprises outsource their network functions to the cloud for lower cost and ease of management. However, network function outsourcing brings threats to the privacy of enterprises since the cloud is able to access the traffic and rules of in-cloud network functions. Current tools for secure network function outsourcing either incur large performance overhead or do not support real-time updates. In this paper, we present SICS, a secure service function chain outsourcing framework. SICS encrypts each packet header and use a label for in-cloud rule matching, which enables the cloud to perform its functionalities correctly with minimum header information leakage. Evaluation results show that SICS achieves higher throughput, faster construction and update speed, and lower resource overhead at both enterprise and cloud sides, compared to existing solutions.

Hao YIN,Dongchao GUO,Yongqiang LYU,Peng YANG,Zhiwei ZHAO,Yaoxue ZHANG

DOI: https://doi.org/10.1360/n112017-00171

2019-01-01

Abstract:Cyberspace security is vital to state interest. Recently, there are some challenges in cyber security. In architecture for instance, although protection mechanisms are introduced and applied everywhere, the modern network architecture (well connected and open) still has difficulty in completely ensuring cyber security. It is also observed that contemporary cyber security protection mechanism highly depends on the priori information of security threats and thus will hardly address unknown potential threats. In this paper, a novel cyberspace security protection framework is proposed. A dual-structural Internet scheme that integrates the current Internet architecture with a redundant secondary structure network characterized by its broad-storage scheme, heterogeneous structure, and dynamic protection mechanism is introduced. Also, a novel active defense mechanism that is knowledge-data driven and thus independent of the priori information of the security threat is proposed. Furthermore, some key techniques such as transparent access and prepositive active defense are introduced. The theoretical and technical work proposed in this paper offers a comprehensively evolutionary solution to constructing a cyberspace in which the protection mechanism is more independent and active.

Stan Wong,Bin Han,Hans D. Schotten

DOI: https://doi.org/10.3390/network2010011

2022-03-08

Network

Abstract:This article reveals an adequate comprehension of basic defense, security challenges, and attack vectors in deploying multi-network slicing. Network slicing is a revolutionary concept of providing mobile network on-demand and expanding mobile networking business and services to a new era. The new business paradigm and service opportunities are encouraging vertical industries to join and develop their own mobile network capabilities for enhanced performances that are coherent with their applications. However, a number of security concerns are also raised in this new era. In this article, we focus on the deployment of multi-network slicing with multi-tenancy. We identify the security concerns and discuss the defense approaches such as network slice isolation and insulation in a multi-layer network slicing security model. Furthermore, we identify the importance to appropriately select the network slice isolation points and propose a generic framework to optimize the isolation policy regarding the implementation cost while guaranteeing the security and performance requirements.

Ihsan H. Abdulqadder,Deqing Zou,Israa T. Aziz,Bin Yuan,Weiming Li

DOI: https://doi.org/10.1109/access.2018.2797214

IF: 3.9

2018-01-01

IEEE Access

Abstract:A software-defined network (SDN) is a technology that supports computer network administrators. However, the centralized control plane architecture of SDNs makes them vulnerable to harmful security threats. In this paper, we propose a secure cloud (SecSDN-cloud) architecture that includes user authentication, routing, attack resistance, and third-party monitoring. The goal of this paper is to design an SDN-cloud environment with integrated security that can resist three different attack types: flow table overloading, control plane saturation, and Byzantine attacks. A novel digital signature with chaotic secure hashing is used for user authentication, followed by an enhanced particle swarm optimization multi-class routing protocol to improve the quality of service. Controllers are assigned to switches by integrating an enhanced genetic algorithm with a modified cuckoo search algorithm. The malicious flow identification includes the analysis of five-tuples constructed from features extracted from packets. We implemented the proposed SecSDN-cloud in the OMNeT++ simulator and evaluated its performance in terms of packet loss, end-to-end delay, throughput, latency, and bandwidth.

Jia Xu,Jia Yan,Liang He,Purui Su,Dengguo Feng

DOI: https://doi.org/10.1109/CloudCom.2010.16

2010-01-01

Abstract:Massive Internet invasions implemented through the distributed platform fabricated by rapid diffusion of malwares, has become a significant issue in network security. We argue that the notion of “Collaborative Security” is an emerging trend in resisting distributed attacks originated from malware. Therefore, this paper proposes a new architecture: CloudSEC, for composing collaborative security-related services in clouds, such as correlated intrusion analysis, anti-spam, anti-DDOS, automated malware detection and containment. CloudSEC is modeled as a dynamic peer-to-peer overlay hierarchy with three types of top-down architectural components. Based on, this architecture, both data distribution and task scheduling overlays can be simultaneously implemented in a loosely coupled fashion, which can efficiently retrieve data resources from heterogeneous network security facilities, and harness distributed collection of computational resources to process data-intensive tasks. Hence, CloudSEC endues the network security infrastructure with the capability of dynamic adaptation and collaboration on an inter-organizational scale. The results of preliminary evaluation demonstrate that, CloudSEC not only delivers a sample service of distributed intrusion correlation with high scalability and robustness, but also achieves remarkable effectiveness in data sharing and task scheduling.

Anshul Jain,Tanya Singh,Satyendra Kumar Sharma,Vikas Prajapati

DOI: https://doi.org/10.28945/4675

2021-01-01

Abstract:Aim/Purpose: 5G and IoT are two path-breaking technologies, and they are like wall and climbers, where IoT as a climber is growing tremendously, taking the support of 5G as a wall. The main challenge that emerges here is to secure the ecosystem created by the collaboration of 5G and IoT, which consists of a network, users, endpoints, devices, and data. Other than underlying and hereditary security issues, they bring many Zero-day vulnerabilities, which always pose a risk. This paper proposes a security solution using network slicing, where each slice serves customers with different problems. Background: 5G and IoT are a combination of technology that will enhance the user experience and add many security issues to existing ones like DDoS, DoS. This paper aims to solve some of these problems by using network slicing and implementing an Intrusion Detection System to identify and isolate the compromised resources. Methodology: This paper proposes a 5G-IoT architecture using network slicing. Research here is an advancement to our previous implementation, a Python-based software divided into five different modules. This paper’s amplification includes induction of security using pattern matching intrusion detection methods and conducting tests in five different scenarios, with 1000 up to 5000 devices in different security modes. This enhancement in security helps differentiate and isolate attacks on IoT endpoints, base stations, and slices. Contribution: Network slicing is a known security technique; we have used it as a platform and developed a solution to host IoT devices with peculiar requirements and enhance their security by identifying intruders. This paper gives a different solution for implementing security while using slicing technology. Findings: The study entails and simulates how the IoT ecosystem can be variedly deployed on 5G networks using network slicing for different types of IoT devices and users. Simulation done in this research proves that the suggested architecture can be successfully implemented on IoT users with peculiar requirements in a network slicing environment. Recommendations for Practitioners: Practitioners can implement this solution in any live or production IoT environment to enhance security. This solution helps them get a cost-effective method for deploying IoT devices on a 5G network, which would otherwise have been an expensive technology to implement. Recommendation for Researchers: Researchers can enhance the simulations by amplifying the different types of IoT devices on varied hardware. They can even perform the simulation on a real network to unearth the actual impact. Impact on Society: This research provides an affordable and modest solution for securing the IoT ecosystem on a 5G network using network slicing technology, which will eventually benefit society as an end-user. This research can be of great assistance to all those working towards implementing security in IoT ecosystems. Future Research: All the configuration and slicing resources allocation done in this research was performed manually; it can be automated to improve accuracy and results. Our future direction will include machine learning techniques to make this application and intrusion detection more intelligent and advanced. This simulation can be combined and performed with smart network devices to obtain more varied results. A proof-of-concept system can be implemented on a real 5G network to amplify the concept further.

English Else

Muhammad Iftikhar Hussain,Jingsha He,Nafei Zhu,Zulfiqar Ali Zardari,Fahad Razque,Saqib Hussain,Muhammad Salman Pathan

DOI: https://doi.org/10.3233/jifs-200835

2021-01-01

Journal of Intelligent & Fuzzy Systems

Abstract:Cloud computing on-demand dynamicity in nature of end-user that leads towards a hybrid cloud model deployment is called a multi-cloud. Multi-cloud is a multi-tenant and multi-vendor heterogeneous cloud platform in terms of services and security under a defined SLA (service level agreement). The diverse deployment of the multi-cloud model leads to rise in security risks. In this paper, we define a multi-cloud model with hybridization of vendor and security to increase the end-user experience. The proposed model has a heterogeneous cloud paradigm with a combination of firewall tracts to overcome rising security issues. The proposed work consists of three steps, firstly, all incoming traffic from the consumer end into five major groups called ambient. Secondly, design a next-generation firewall (NGFW) topology with a mixture of tree-based and demilitarized zone (DMZ) implications. Test implementation of designed topology performed by using a simple DMZ technique in case of vendor-specific model and NGFW on hybrid vendor based multi-cloud model. Furthermore, it also defines some advantages of NGFW to overcome these concerns. The proposed work is helpful for the new consumer to define their dynamic secure cloud services under a single SLA before adopting a multi-cloud platform. Finally, results are compared in terms of throughput and CPU utilization in both cases.