ScienceSDS: A Novel Software Defined Security Framework for Large-scale Data-intensive Science
Experimental science workflows from projects such as the Compact Muon Solenoid (CMS) [6] and the Laser Interferometer Gravitational Wave Observatory (LIGO) [2] are characterized by data-intensive computational tasks over large datasets transferred over encrypted channels. The Science DMZ [7] approach to network design favors lossless packet forwarding through a separate, isolated network over secure but lossy forwarding through stateful packet processors (e.g. firewalls). We propose ScienceSDS, a novel software defined security framework for securely monitoring large-scale science datasets over a software defined networking and network functions virtualization (SDN/NFV) infrastructure.
System Design and Implementation for Hybrid Network Function Virtualization
With the application of virtualization technology in computer networks, many new research areas and techniques have been explored, such as network function virtualization (NFV). A significant benefit of virtualization is that it reduces the cost of a network system and increases its flexibility. Due to the increasing complexity of the network environment and constantly improving network scale and bandwidth, it is imperative to aim for higher performance, extensibility, and flexibility in the future network systems. In this dissertation, hybrid NFV platforms applying virtualization technology are proposed. We further explore the techniques used to improve the performance, scalability and resilience of these systems.
In the first part of this dissertation, we describe a new heterogeneous hardware-software NFV platform that provides scalability and programmability while supporting significant hardware-level parallelism and reconfiguration. Our computing platform takes advantage of both field-programmable gate arrays (FPGAs) and microprocessors to implement numerous virtual network functions (VNFs) that can be dynamically customized to specific network flow needs. Traffic management and hardware reconfiguration functions are performed by a global coordinator, which allows for the rapid sharing of network function states and continuous evaluation of network function needs. With the help of the state sharing mechanism offered by the coordinator, customer-defined VNF instances can be easily migrated between heterogeneous middleboxes as the network environment changes. A resource allocation algorithm dynamically assesses resource deployments as network flows and conditions are updated.
In the second part of this thesis, we explore a new session-level approach for NFV that implements distributed agents in heterogeneous middleboxes to steer packets belonging to different sessions through session-specific service chains. Our session-level approach supports inter-domain service chaining with both FPGA- and processor-based middleboxes, dynamic reconfiguration of service chains for ongoing sessions, and the application of session-level approaches to UDP-based protocols. To demonstrate our approach, we establish inter-domain service chains for QUIC sessions and reconfigure the service chains across a range of FPGA- and processor-based middleboxes. We show that our session-level approach can successfully reconfigure service chains for individual QUIC sessions. Compared with software implementations, the distributed agents implemented on FPGAs show better performance in various test scenarios.
Ultra-reliable Low-latency, Energy-efficient and Computing-centric Software Data Plane for Network Softwarization
Network softwarization plays a significant role in the development and deployment of the latest communication systems for 5G and beyond. It enables a more flexible and intelligent network architecture that supports agile network management and the rapid launch of innovative network services with a large reduction in Capital Expense (CAPEX) and Operating Expense (OPEX). Despite these benefits, the 5G system also raises unprecedented challenges, as emerging machine-to-machine and human-to-machine communication use cases require Ultra-Reliable Low Latency Communication (URLLC). According to empirical measurements performed by the author of this dissertation on a practical testbed, State of the Art (STOA) technologies and systems are not able to achieve the one millisecond end-to-end latency requirement of the 5G standard on Commercial Off-The-Shelf (COTS) servers. This dissertation provides a comprehensive introduction to three innovative approaches that can be used to improve different aspects of the current software-driven network data plane. All three approaches are carefully designed, professionally implemented and rigorously evaluated. According to the measurement results, these novel approaches advance the research on the design and implementation of an ultra-reliable, low-latency, energy-efficient and computing-first software data plane for 5G communication systems and beyond.
Definition and specification of connectivity and QoE/QoS management mechanisms – final report
This document summarizes the WP5 work throughout the project, describing its functional architecture and the solutions that implement the WP5 concepts on network control and orchestration. For this purpose, we defined three innovative controllers that embody network slicing and multi-tenancy: SDM-C, SDM-X and SDM-O. The functionalities of each block are detailed together with the interfaces connecting them, and validated through exemplary network processes, thus highlighting the 5G NORMA innovations. All the proposed modules are designed to implement the functionality needed to provide the challenging KPIs required by future 5G networks while keeping the largest possible compatibility with the state of the art.
Scalable and Reliable Middlebox Deployment
Middleboxes are pervasive in modern computer networks, providing functionalities beyond mere packet forwarding. Load balancers, intrusion detection systems, and network address translators are typical examples of middleboxes. Despite their benefits, middleboxes come with several challenges with respect to their scalability and reliability.
The goal of this thesis is to devise middlebox deployment solutions that are cost effective, scalable, and fault tolerant. The thesis includes three main contributions: first, distributed service function chaining with multiple instances of a middlebox deployed on different physical servers to optimize resource usage; second, Constellation, a geo-distributed middlebox framework enabling a middlebox application to operate with high performance across wide area networks; third, a fault tolerant service function chaining system.
Enhancing Automated Network Management
Network management benefits from automated tools. With the recent advent of software-defined principles, automated tools have been proposed by both industry and academia to fulfill function components in the network management control loop. While automation aims to accommodate the ever increasing network diversity and dynamics with improved reliability and management efficiency, it also brings new concerns, as it is becoming more difficult to understand the control of the network and operators cannot rely on traditional troubleshooting tools. Meanwhile, how to effectively integrate new automation tools with existing legacy networks remains an open question. This dissertation presents efficient methods to address key functionalities within the control loop in the adoption of automated network management. Identifying the network-wide forwarding behaviors of a packet is essential for many network management tasks, including policy enforcement, rule verification, and fault localization. We start by presenting AP Classifier, which was developed based on the concept of atomic predicates that can be used to characterize the forwarding behaviors of packets. Enterprises increasingly outsource their Network Function (NF) processing to a cloud to lower cost and ease management. To avoid threats to the enterprise's private information, we propose SICS, a secure and dynamic NF outsourcing framework based on AP Classifier. Stateful NFs have become essential parts of modern networks, increasing the complexity of network management. A major step in network automation is to automatically translate high level network intents into low level configurations. To ensure that those configurations and the states generated by automation match the intents, we present Epinoia, a network intent checker for stateful networks. While the concept of auto-translation sounds promising, operators may not know what the intents should be. To close the control loop, we present AutoInfer to automatically infer the intents of running networks, which helps operators understand the network runtime states.
Dynamic security mechanisms for softwarized and virtualized networks
The relationship between attackers and defenders has traditionally been asymmetric, with attackers having time as an upper hand to devise an exploit that compromises the defender. The push towards the Cloudification of the world makes matters more challenging, as it lowers the cost of an attack, with a de facto standardization on a set of protocols. The discovery of a vulnerability now has a broader impact on various verticals (business use cases), while previously some were in a segregated protocol stack requiring independent vulnerability research. Furthermore, defining a perimeter within a cloudified system is non-trivial, whereas before the dedicated equipment already created a perimeter. This proposal takes the newer technologies of network softwarization and virtualization, both Cloud enablers, to create new dynamic security mechanisms that address this asymmetric relationship using novel Moving Target Defense (MTD) approaches. The effective use of the exploration space, combined with the reconfiguration capabilities of frameworks like Network Function Virtualization (NFV) and Management and Orchestration (MANO), should allow for adjusting defense levels dynamically to achieve the required security as defined by the currently acceptable risk. The optimization tasks and integration tasks of this thesis explore these concepts. Furthermore, the proposed novel mechanisms were evaluated in real-world use cases, such as 5G networks or other Network Slicing enabled infrastructures.
Doctoral Programme in Informatics Engineering (Programa Doutoral em Engenharia Informática)