Da-Wen Huang,Fengji Luo,Jichao Bi,Mingyang Sun

DOI: https://doi.org/10.1109/tifs.2022.3191491

IF: 7.231

2022-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Deploying Intrusion Detection Systems (IDSs) is an essential way to enhance the security of Multi-hop Clustered Wireless Sensor Networks (MCWSNs). The conventional IDS deployment architectural designs show limitations in ensuring the security of MCWSNs due to the limited monitoring range of the nodes. This paper proposes an efficient IDS deployment architecture for MCWSNs. The architecture is a hybrid design, in which the cluster heads and the sink collaboratively act as IDS agents to monitor the entire network and perform intrusion detection. Based on the new architecture, this paper proposes a resource allocation model to optimally allocate resources among the IDS agents so that the network’s security metric can be maximized. A comprehensive analytical framework is proposed to analyze the optimality of the model’s solution, and an efficient computational approach is developed to obtain the optimal resource allocation strategy. Extensive numerical simulation and comparison studies are conducted to validate the proposed method.

Chenxi Li,Jiahai Yang,Guo Li,Kang Wang

DOI: https://doi.org/10.1109/LCNSymposium47956.2019.9000666

2019-01-01

Abstract:With the emergence of Network Function Virtualization (NFV) technology, researchers start to implement typical software Intrusion detection Systems (IDS) as Virtual Network Function (VNF) to improve the scalability of IDS deployment. Determining the setups and configurations of every instance to optimize VNF performance is one of the core challenges in NFV scenario. Previous researches mainly focus on how IDS performs under different Virtual Machine (VM) setups and just load its default configuration. However, when loading different rulesets and running IDS under different VM setups, the default configuration may not always lead to optimal performance. In this paper, we focus on the configuration problem of Snort. We propose a lightweight estimation algorithm to auto configure the most performance-related part of Snort - Fast Pattern Matcher (FPM). We firstly explore how those options make influence on Snort's packet detection by several measurement experiments. Then we summarize some basic principles to design our auto configuration algorithm. At last, we implement the algorithm to evaluate its accuracy and efficiency. The result shows our algorithm can seek a better configuration than the default one in various situations; in the meanwhile, it just takes a few seconds to run the algorithm, which is important if we want to import an auto configuration modular into NFV dynamic and elastic scheduling strategy.

Michel Gokan Khan,Saeed Bastani,Javid Taheri,Andreas Kassler,Shuiguang Deng

DOI: https://doi.org/10.1109/CloudNet.2018.8549333

2018-01-01

Abstract:Network Function Virtualization (NFV) focuses on decoupling network functions from proprietary hardware (i.e., middleboxes) by leveraging virtualization technology. Combining it with Software Defined Networking (SDN) enables us to chain network services much easier and faster. The main idea of using these technologies is to consolidate several Virtual Network Functions (VNFs) into a fewer number of commodity servers to reduce costs, increase VNFs fluidity and improve resource efficiency. However, the resource allocation and placement of VNFs in the network is a multifaceted decision problem that depends on many factors, including VNFs resource demand characteristics, arrival rate, configuration of underlying infrastructure, available resources and agreed Quality of Services (QoS) in Service Level Agreements (SLAs). This paper presents a bottom-up open-source NFV analysis platform (NFV-Inspector) to (1) systematically profile and classify VNFs based on resource capacities, traffic demand rate, underlying system properties, placement of VNFs in the network, etc. and (2) extract/calculate the correlation among the QoS metrics and resource utilization of VNFs. We evaluated our approach using an emulated virtual Evolved Packet Core platform (Open5GCore) to showcase how complex relation among various NFV service chains can be systematically profiled and analyzed.

Morteza Sheibani,Savas Konur,Irfan Awan,Amna Qureshi

DOI: https://doi.org/10.3390/electronics13081515

IF: 2.9

2024-04-18

Electronics

Abstract:Software-defined networking (SDN) and network functions virtualisation (NFV) are crucial technologies for integration in the fifth generation of cellular networks (5G). However, they also pose new security challenges, and a timely research subject is working on intrusion detection systems (IDSs) for 5G networks. Current IDSs suffer from several limitations, resulting in a waste of resources and some security threats. This work proposes a new three-layered solution that includes forwarding and data transport, management and control, and virtualisation layers, emphasising distributed controllers in the management and control layer. The proposed solution uses entropy detection to classify arriving packets as normal or suspicious and then forwards the suspicious packets to a centralised controller for further processing using a self-organising map (SOM). A dynamic OpenFlow switch relocation method is introduced based on deep reinforcement learning to address the unbalanced burden among controllers and the static allocation of OpenFlow switches. The proposed system is analysed using the Markov decision process, and a Double Deep Q-Network (DDQN) is used to train the system. The experimental results demonstrate the effectiveness of the proposed approach in mitigating DDoS attacks, efficiently balancing controller workloads, and reducing the duration of the balancing process in 5G networks.

engineering, electrical & electronic,computer science, information systems,physics, applied

Yogendra Kumar,Vijay Kumar,Basant Subba

DOI: https://doi.org/10.1142/s0218126624502281

2024-03-13

Journal of Circuits Systems and Computers

Abstract:Journal of Circuits, Systems and Computers, Ahead of Print. Network Intrusion Detection Systems (NIDSs) have been proposed in the literature as security tools for detecting anomalous and intrusive network data traffic. However, the existing NIDS frameworks are computation-intensive, thereby making them unsuitable for deployment in resource-constrained networks with limited computational capabilities. This paper aims to address this issue by proposing computationally efficient NIDS framework for detecting anomalous data traffic in resource-constrained networks. The proposed NIDS framework uses an ensemble-based classifier model comprising multiple classifiers, which enables it to achieve high accuracy and detection rate across a wide range of low-footprint and stealth network attacks. The proposed framework also uses feature scaling and dimensionality reduction techniques to minimize the overall computational overhead. The proposed framework consists of two stages. In the first stage, four distinct base-level classifiers are utilized. The classification probabilities of the first stage are used in the modified meta-level classifier. The modified meta-level classifier is trained on the class probabilities of the base-level classifiers combined using a novel proposed probability function. The performance of the proposed NIDS framework is evaluated on a proprietary testbed dataset and two benchmark datasets namely CICIDS-2017 and UNSW-NB15. The results reveal that the proposed NIDS framework provides better performance than the existing NIDS frameworks in terms of false positive rate, despite using a significantly lower number of input features for its analysis.

engineering, electrical & electronic,computer science, hardware & architecture

Ziming Zhao,Zhaoxuan Li,Zhuoxue Song,Fan Zhang

DOI: https://doi.org/10.1109/rtss59052.2023.00045

2023-01-01

Abstract:Existing Deep Learning (DL)-based network Intrusion Detection System (IDS) is able to characterize sequence semantics of traffic and discover malicious behaviors. Yet DL models are often nonlinear and highly non-convex functions that are difficult for in-network real-time deployment, i.e., existing DL solutions are essentially offline analysis. In this paper, we present RIDS, a hardware-friendly Recurrent Neural Network (RNN) model that is co-designed with programmable switches. As its core, RIDS is powered by two tightly-coupled components: (i) rLearner, the RNN learning module with in-network deployability as the first-class requirement; and (ii) rEnforcer, the concrete pipeline design to realize rLearner-generated models inside the network dataplane. We implement a prototype of RIDS and evaluate it on our physical testbed. The experiments show that RIDS could satisfy both detection performance and high-speed bandwidth adaptation simultaneously, when none of the other existing approaches could do so. Inspiringly, RIDS realizes remarkable intrusion/malware detection effect (e.g., ∽99% F1 score) and model deployment (e.g., 100 Gbps per port), while only imposing nanoseconds of latency.

Jiaqi Li,Zhifeng Zhao,Rongpeng Li

DOI: https://doi.org/10.1049/iet-net.2017.0212

2018-01-01

IET Networks

Abstract:As an inevitable trend of future fifth generation (5G) networks, software-defined architecture has many advantages in providing centralised control and flexible resource management. However, it is also confronted with various security challenges and potential threats with emerging services and technologies. As the focus of network security, intrusion detection systems (IDSs) are usually deployed separately without collaboration. They are also unable to detect novel attacks with limited intelligent abilities, which are hard to meet the needs of software-defined 5G. In this study, the authors propose an intelligent IDS taking the advances in software-defined technology and artificial intelligence based on software-defined 5G architecture. It flexibly integrates security function modules which are adaptively invoked under centralised management and control with a global view. It can also deal with unknown intrusions by using machine learning algorithms. Evaluation results prove that the intelligent IDS achieves better performance with lower overhead. It is also verified that the selected machine learning algorithms show better accuracy and reduced false alarm rate in flow-based classification.

Zhang Xiantao,Li Qi,Qing Sihan,Zhang Huanguo

DOI: https://doi.org/10.1109/WKDD.2008.135

2008-01-01

Abstract:Intrusion detection system (IDS) has been introduced and broadly applied to prevent unauthorized access to system resource and data for several years. However, many problems are still not well resolved in most of IDS, such as detection evasion, intrusion containment. In order to resolve these problems, we propose a novel flexible architecture VNIDA which is based on virtual machine monitor (VMM) and has no-intrusive behavior to target system after studying popular IDS architectures. In this architecture, a separate intrusion detection domain (IDD) is added to provide intrusion detection services for all virtual machines. Specially, an IDD helper is introduced to take response to the intrusions according to the security policies. Moreover, event sensors and IDS stub, as the core components of IDS, are separately isolated from target systems, so strong reliability is also achieved in this architecture. To show the feasibility of the VNIDA, we implement a prototype based on the proposed architecture. Based on the prototype, we employed some rootkits to evaluate our VNIDA, and the results shows that VNIDA has the ability to detect them efficiently, even some potential intrusions. In addition, system performance evaluation also shows that VNIDA only introduce less than 1.25% extra overhead.

Yu Sheng,Dongming Lu,Yifeng Hu,Qingshu Yuan

DOI: https://doi.org/10.1007/11424758_102

2005-01-01

Abstract:The limitation of network resource reduces the awareness capability of CVE system, which becomes the main bottleneck for applications in Internet. In this paper, we study the relationship between the awareness capability of system and network parameters, such as latency, jitter, and data loss rate; also, according to the features and preferences of user awareness, a network-status-based solution is proposed for self-adaptable awareness scheduling. Moreover, the scheduling algorithm is implemented and verified by a prototype system, results from which indicate that awareness scheduling is useful for decreasing the loss of the awareness capability of system in a limited or unstable network.

JIANG Wenbao,HAO Shuang,DAI Yiqi,LIU Tinghua

DOI: https://doi.org/10.3321/j.issn:1000-0054.2006.01.028

2006-01-01

Abstract:The performance of high-speed network intrusion detection systems(nIDSs) is improved by load balancing algorithms developed for high-speed nIDSs.Three load balancing policies were analyzed to develop a flow-based dynamic load balancing algorithm based on nIDSs using multiple detection engines.The algorithm divides the data stream according to the current value of each detection engine's load using a dynamic feed and prediction mechanism.The incoming data packets for a new session are forwarded to the engine that currently has the lightest load.Test results show that the algorithm performs better than the Round Robin algorithm,especially when a large number of concurrent detection engines are used in heavy network traffic environments.

Qi Li,Xinhao Deng,Zhuotao Liu,Yuan Yang,Xiaoyue Zou,Qian Wang,Mingwei Xu,Jianping Wu

DOI: https://doi.org/10.1109/tifs.2022.3142995

IF: 7.231

2022-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Network Function Virtualization (NFV) is a new networking paradigm to enable dynamic network function deployment in networks. Existing studies focused on optimized function deployment and management in NFV. Unfortunately, these studies did not well address the problem of efficient security function enforcement in networks, which is the goal of deploying network functions (NFs), i.e., for real-time security function enforcement on the traffic, since optimal function deployment does not mean efficient security function enforcement on network traffic. In particular, they incurred significant NF enforcement cost. In order to address this issue, in this paper, we propose ${\textsf {FuncE}}$ that aims to solve the efficient real-time security function enforcement problem by developing unified dynamic flow and function scheduling. We formulate the problem as an integer linear programming problem and prove that it is NP-hard. We tackle the problem by decomposing it and developing heuristics to achieve near-optimal solutions. We conduct comprehensive experiments by using real topologies to demonstrate the effectiveness of the ${\textsf {FuncE}}$ design. The experimental results demonstrate that ${\textsf {FuncE}}$ achieves near-optimal network function enforcement, which incurs over 100 times less latency than the existing the optimal solver. In particular, compared to the state-of-art defenses, ${\textsf {FuncE}}$ processes the same number of candidate flows using over 50% less VNFs, while ensuring the same level of function enforcement.

computer science, theory & methods,engineering, electrical & electronic

Nadra Guizani,Arif Ghafoor

DOI: https://doi.org/10.1109/jsac.2020.2986618

IF: 16.4

2020-06-01

IEEE Journal on Selected Areas in Communications

Abstract:The exponential growth in the use of Internet of Things (IoT) devices has introduced numerous challenges, in particular dealing with new security threats. In addition, for connecting heterogeneous devices using different protocols, large networks need resilient software-based security systems that can defend against unprecedented attacks for which the traditional security countermeasures prove to be ineffective. Furthermore, to deal with the ever growing onslaught on data and networks, modern security systems need to utilize novel machine learning mechanisms. This paper proposes a software-based architecture that provides network function virtualization (NFV) capability to combat malware spread for heterogeneous IoT networks. To build a scalable and generalized Intrusion Detection System (IDS), we propose for these networks a RNN-LSTM learning model that can predict malware attacks in a timely manner for the NFV to deploy appropriate countermeasures. In addition, we investigate the scalability of the network and discuss how the generalized IDS can deal with a broad range of malwares that can be detected. The analysis utilizes the susceptible (S), exposed (E), infected (I), and resistant (R) (SEIR) epidemic model to moniter the spread of the malware attack and subsequently provides patching to the system. Our analysis focuses primarily on the feasibility and the performance evaluation of the proposed integrated RNN-LSTM and NFV architecture.

telecommunications,engineering, electrical & electronic

Chongzhen Zhang,Yanli Chen,Yang Meng,Fangming Ruan,Runze Chen,Yidan Li,Yaru Yang

DOI: https://doi.org/10.1155/2021/6610675

IF: 1.968

2021-01-25

Security and Communication Networks

Abstract:Traditional machine learning-based intrusion detection often only considers a single algorithm to identify intrusion data, lack of the flexibility method, low detection rate, no handing high-dimensional data, and cannot solve these problems well. In order to improve the performance of intrusion detection system, a novel general intrusion detection framework was proposed in this paper, which consists of five parts: preprocessing module, autoencoder module, database module, classification module, and feedback module. The data processed by the preprocessing module are compressed by the autoencoder module to obtain a lower-dimensional reconstruction feature, and the classification result is obtained through the classification module. Compressed features of each traffic are stored in the database module which can both provide retraining and testing for the classification module and restore these features to the original traffic for postevent analysis and forensics. For evaluation of the framework performance proposed, simulation was conducted with the CICIDS2017 dataset to the real traffic of the network. As the experimental results, the accuracy of binary classification and multiclass classification is better than previous work, and high-level accuracy was reached for the restored traffic. At the last, the possibility was discussed on applying the proposed framework to edge/fog networks.

computer science, information systems,telecommunications

Weilin Zhou,Yuan Yang,Mingwei Xu,Hao Chen

DOI: https://doi.org/10.1109/icc.2019.8761554

2019-01-01

Abstract:Network function virtualization has become a promising technology recently. To accommodate dynamic traffic such as burst, NFV can scale virtual network functions (VNFs) across several physical servers, which is known as horizontal scaling, or enlarge the capacity of a VNF lever-aging idle resources in one physical server, which is called vertical scaling. Vertical scaling should be used as much as possible to accommodate user traffic increment immediately, and horizontal scaling is only performed when vertical scaling cannot allocate sufficient resource to meet the demand. We find that just to reserve redundant resource is far from sufficient to enable vertical scaling with good performance, and VNF placement plays a crucial role. In this paper, we model the scalable VNF placement problem formally, and prove that the problem is NP-hard. Then, we develop two online heuristic algorithms gradually to solve the problem. The sVNFP algorithm focuses on maximizing the vertical scalability, while the sVNFP-adv algorithm considers path length and server utilization concurrently. Simulation results show that our algorithms can reduce packet loss ratio by 15% to 40%, with a short path length and a high server utilization.

Wei Lin,Liu Xiang,Derek Pao,Bin Liu

DOI: https://doi.org/10.1109/FGCN.2008.67

2008-01-01

Abstract:In order to protect Internet users from various attacks such as worms, viruses and other intrusions, signature-based intrusion detection system (IDS) should be deployed at the critical part of the network with rapid response for updating newly emerged attack signatures and containing the spread of worms or viruses at their early stage. The processing speed of one IDS cannot achieve the throughput requirement in the core networks because of the pattern matching, the key operation for signature-based IDS, is complex and time consuming. In this paper, it argues that if the signature set is shared by multiple IDSs, a packet needs to be checked once and once only by one of the IDSs, so traffic load can be redistributed among the IDSs to avoid local congestion. Packet marking is used to indicate the status of this packet utilized by collaborative IDSs, and a redistribution strategy named inner logical ring (ILR) is built among IDSs to redistribute the traffic load. Meanwhile, caching scheme is used to keep sequence for packets belonging to the same flow. This collaborative distributed IDS is robust with rapid response to various attacks, and the detection throughput is significantly increased from the throughput of the weakest IDS to the summation of all the collaborative IDSs.

Mansi Sahi,Nitin Auluck,Akramul Azim,Md Al Maruf

DOI: https://doi.org/10.1002/spe.3338

2024-05-02

Software Practice and Experience

Abstract:The Internet of Things (IoT) has gained widespread importance in recent time. However, the related issues of security and privacy persist in such IoT networks. Owing to device limitations in terms of computational power and storage, standard protection approaches cannot be deployed. In this article, we propose a lightweight distributed intrusion detection system (IDS) framework, called FCAFE‐BNET (Fog based Context Aware Feature Extraction using BranchyNET). The proposed FCAFE‐BNET approach considers versatile network conditions, such as varying bandwidths and data loads, while allocating inference tasks to cloud/edge resources. FCAFE‐BNET is able to adjust to dynamic network conditions. This can be advantageous for applications with particular quality of service requirements, such as video streaming or real‐time communication, ensuring a steady and reliable performance. Early exit deep neural networks (DNNs) have been employed for faster inference generation at the edge. Often, the weights that the model learns in the initial layer may be sufficiently qualified to perform the required classification tasks. Instead of using subsequent layers of DNNs for generating the inference, we have employed the early‐exit mechanism in the DNNs. Such DNNs help to predict a wide range of testing samples through these early‐exit branches, upon crossing a threshold. This method maintains the confidence values corresponding to the inference. Employing this approach, we achieved a faster inference, with significantly high accuracy. Comparative studies exploit manual feature extraction techniques, that can potentially overlook certain valuable patterns, thus degrading classification performance. The proposed framework converts textual/tabular data into 2‐D images, allowing the DNN model to autonomously learns its own features. This conversion scheme facilitated the identification of various intrusion types, ranging from 5 to 14 different categories. FCAFE‐BNET works for both network‐based and host‐based IDS: NIDS and HIDS. Our experiments demonstrate that, in comparison with recent approaches, FCAFE‐BNET achieves a 39.12%–50.23% reduction in the total inference time on benchmark real‐world datasets, such as: NSL‐KDD, UNSW‐NB 15, ToN_IoT, and ADFA_LD.

computer science, software engineering

Xu Tian-Ni,Sun Hai-Feng,Zhang Di,Zhou Xiao-Ming,Sui Xiu-Feng,Wang Sa,Huang Qun,Bao Yun-Gang

DOI: https://doi.org/10.1007/s11390-020-0434-1

IF: 1.871

2022-01-01

Journal of Computer Science and Technology

Abstract:With the advent of virtualization techniques and software-defined networking (SDN), network function virtualization (NFV) shifts network functions (NFs) from hardware implementations to software appliances, between which exists a performance gap. How to narrow the gap is an essential issue of current NFV research. However, the cumbersomeness of deployment, the water pipe effect of virtual network function (VNF) chains, and the complexity of the system software stack together make it tough to figure out the cause of low performance in the NFV system. To pinpoint the NFV system performance issues, we propose NfvInsight, a framework for automatic deployment and benchmarking VNF chains. Our framework tackles the challenges in NFV performance analysis. The framework components include chain graph generation, automatic deployment, and fine granularity measurement. The design and implementation of each component have their advantages. To the best of our knowledge, we make the first attempt to collect rules forming a knowledge base for generating reasonable chain graphs. NfvInsight deploys the generated chain graphs automatically, which frees the network operators from executing at least 391 lines of bash commands for a single test. To diagnose the performance bottleneck, NfvInsight collects metrics from multiple layers of the software stack. Specifically, we collect the network stack latency distribution ingeniously, introducing only less than 2.2% overhead. We showcase the convenience and usability of NfvInsight in finding bottlenecks for both VNF chains and the underlying system. Leveraging our framework, we find several design flaws of the network stack, which are unsuitable for packet forwarding inside one single server under the NFV circumstance. Our optimization for these flaws gains at most 3x performance improvement.

Zayed alhaddad, Mostafa Hanoune, Abdelaziz Mamouni

DOI: https://doi.org/10.17762/ijcnis.v8i3.1950

2022-04-17

International Journal of Communication Networks and Information Security (IJCNIS)

Abstract:In recent years, Cloud computing has emerged as a new paradigm for delivering highly scalable and on-demand shared pool IT resources such as networks, servers, storage, applications and services through internet. It enables IT managers to provision services to users faster and in a cost-effective way. As a result, this technology is used by an increasing number of end users. On the other hand, existing security deficiencies and vulnerabilities of underlying technologies can leave an open door for intruders. Indeed, one of the major security issues in Cloud is to protect against distributed attacks and other malicious activities on the network that can affect confidentiality, availability and integrity of Cloud resources. In order to solve these problems, we propose a Collaborative Network Intrusion Detection System (C-NIDS) to detect network attacks in Cloud by monitoring network traffic, while offering high accuracy by addressing newer challenges, namely, intrusion detection in virtual network, monitoring high traffic, scalability and resistance capability. In our NIDS framework, we use Snort as a signature based detection to detect known attacks, while for detecting network anomaly, we use Support Vector Machine (SVM). Moreover, in this framework, the NIDS sensors deployed in Cloud operate in collaborative way to oppose the coordinated attacks against cloud infrastructure and knowledge base remains up-to-date.

Daoqiang Xu,Yefei Li,Ming Yin,Xin Li,Hao Li,Zhuzhong Qian

DOI: https://doi.org/10.1007/978-3-319-72395-2_24

2017-01-01

Abstract:Network function virtualization (NFV) is designed to reduce high cost of the hardware deployment and maintenance, which will be of great importance in the future resource management. NFV makes it possible for general servers to realize fast deployment of network functions, namely virtual network function (VNF), to achieve on-demand requests. The service request is generally composed of a sequence of VNFs, which is defined as a service chain. Although one node (server) only run one VNF at a time, the VNF could be shared with several VNF chains. How to deploy VNF and share VNF to achieve high usage of both computing and bandwidth resource is a challenge. In this paper, we present the VNF request model and the formal definition of the VNF deployment problem. Then, we investigate the VNF reuse and deployment problem, and propose a greedy strategy to deploy VNFs, so that the system could effectively offer a reliable VNF service. Simulations show that this VNF deployment schema could effectively improve the resource usage compared with other classic algorithms.

Jie Sun,Feng Liu,Manzoor Ahmed,Yong Li

DOI: https://doi.org/10.1109/icc.2019.8761609

2019-01-01

Abstract:Network Function Virtualization (NFV) and Software Defined Network have revolutionized data networks. For deployment of the VNFs, it is imperative to consider the queuing delay occurring in the NFV servers. The presented work suggests to incorporate the Poisson distribution of packet arrival rate and packet size along with the limited processing capacity of NFV server. The underlying phenomenon is framed as a 0-1 fractional programming problem. More precisely, the underlying problem is framed to 0-1 MILP to get the optimal solution. Since the VNF placement problem is NP-hard, therefore, we propose two heuristic algorithms to get the solution. Extensive simulations demonstrate that our algorithms effectively reduce 72.9% delay compared with the universal algorithm Improve Service Chaining Performance (ISCP).