    Implementation and evaluation of the sensornet protocol for Contiki

    Sensornet Protocol (SP) is a link abstraction layer between the network layer and the link layer for sensor networks. SP was proposed as the core of a future-oriented sensor node architecture that allows flexible and optimized combination of multiple coexisting protocols. This thesis implements SP on the Contiki operating system in order to evaluate the effectiveness of the original SP services and to explore further requirements and implementation trade-offs uncovered by the original proposal. We analyze the original SP design and the TinyOS implementation of SP to design the Contiki port. We implement the data sending and receiving part of SP using Contiki processes, and the neighbor management part as a group of global routines. The evaluation consists of a single-hop traffic throughput test and a multihop convergecast test. Both tests are conducted both in simulation and experimentally. We conclude from the evaluation results that SP's link-level abstraction effectively improves modularity in protocol construction without sacrificing performance, and that our SP implementation on Contiki lays a good foundation for future protocol innovations in wireless sensor networks.

    Digital provenance - models, systems, and applications

    Data provenance refers to the history of creation and manipulation of a data object and is widely used in various application domains, including scientific experiments, grid computing, file and storage systems, and streaming data. However, existing provenance systems operate at a single layer of abstraction (workflow/process/OS) at which they record and store provenance, whereas the provenance captured from different layers provides the highest benefit when integrated through a unified provenance framework. To build such a framework, a comprehensive provenance model able to represent the provenance of data objects with various semantics and granularity is the first step. In this thesis, we propose such a comprehensive provenance model and present an abstract schema of the model. We further explore secure provenance solutions for distributed systems, namely streaming data, wireless sensor networks (WSNs) and virtualized environments. We design a customizable file provenance system with an application to the provenance infrastructure for virtualized environments. The system supports automatic collection and management of file provenance metadata, characterized by our provenance model. Based on the proposed provenance framework, we devise a mechanism for detecting data exfiltration attacks in a file system. We then move in the direction of secure provenance communication in streaming environments and propose two secure provenance schemes focusing on WSNs. The basic provenance scheme is extended in order to detect packet-dropping adversaries on the data flow path over a period of time. We also consider the issue of attack recovery and present an extensive incident response and prevention system specifically designed for WSNs.

    Policy-based Information Sharing using Software-Defined Networking in Cloud Systems

    Cloud computing is rapidly becoming a ubiquitous technology. It enables an escalation in computing capacity, storage and performance without the need to invest in new infrastructure and the maintenance expenses that follow. Security is among the major concerns of organizations that are still reluctant to adopt this technology: the cloud is dynamic, and with so many different parameters involved, it is a difficult task to regulate it. With an approach that blends Usage Management and Statistical Learning, this research yielded a novel approach to mitigate some of the issues arising from questionable security, and to regulate performance (utilization of resources). This research also explored how to enforce the policies related to the resources inside a Virtual Machine (VM), apart from providing initial access control. It also compared various encryption schemes and observed their behavior in the cloud. We considered various components in the cloud to deduce a multi-cost function, which in turn helps to regulate the cloud. While guaranteeing security policies in the cloud, it is essential to add security to the network, because the virtual cloud and SDN are tied together. Enforcing network-wide policies has always been a challenging task in the domain of communication networks. Software-Defined Networking (SDN) enables the use of a central controller to define policies, and of each network switch to enforce them. While this presents an attractive operational model, it uses a very low-level framework and is not suitable for directly implementing high-level policies. Therefore, we present a new framework for defining policies and easily compiling them from a user interface directly into OpenFlow actions and usage management system processes. This demonstrated capability allows cloud administrators to enforce both network and usage policies on the cloud.

    Policy Conflict Management in Distributed SDN Environments

    The ease of programmability in Software-Defined Networking (SDN) makes it a great platform for implementing various initiatives that involve application deployment, dynamic topology changes, and decentralized network management in a multi-tenant data center environment. However, implementing security solutions in such an environment is fraught with policy conflicts and consistency issues, with the hardness of this problem being affected by the distribution scheme for the SDN controllers. In this dissertation, a formalism for flow rule conflicts in SDN environments is introduced. This formalism is realized in Brew, a security policy analysis framework implemented on an OpenDaylight SDN controller. Brew has comprehensive conflict detection and resolution modules to ensure that no two flow rules in a distributed SDN-based cloud environment have conflicts at any layer, thereby assuring consistent, conflict-free security policy implementation and preventing information leakage. Techniques for global prioritization of flow rules in a decentralized environment are presented, using which all SDN flow rule conflicts are recognized and classified. Strategies for unassisted resolution of these conflicts are also detailed. Alternatively, if administrator input is desired to resolve conflicts, a novel visualization scheme is implemented to help administrators view the conflicts in an aesthetic manner. The correctness, feasibility and scalability of the Brew proof-of-concept prototype are demonstrated. Flow rule conflict avoidance using a buddy address space management technique is studied as an alternative to conflict detection and resolution in highly dynamic cloud systems attempting to implement SDN-based Moving Target Defense (MTD) countermeasures.
    Doctoral Dissertation, Computer Science, 201

    Dynamic Enforcement of Security Policies in Multi-Tenant Cloud Networks

    During the past decades, the evolution of technology has drastically changed our ways. All major enterprises, government services, and even we as individuals rely on computers and networks. They have become a part of our personal and professional lives and nowadays represent a critical infrastructure, as the amount of data stored digitally, as well as its sensitivity, has grown considerably. This evolution continues with the rise of cloud computing. In this new model, one can access software, digital storage or infrastructure without constraints, as the hardware is pooled in remote data centers accessed seamlessly via the Internet. Security has become a major concern in computer science in general and in the cloud in particular, as enterprises moving to the cloud have to export some of their sensitive data.
Therefore, cloud providers need to offer a level of security that matches what companies have in their on-site installations. A middlebox is a network appliance that inspects and filters packets for purposes other than packet forwarding. A firewall is a good example of a middlebox. Existing solutions to secure the cloud rarely take into consideration the traversal of middleboxes, as they focus mainly on creating isolation between the different tenants. Furthermore, the solutions that consider the traversal of middlebox sequences do so in a way that does not permit the migration of nodes. Through our project, we aim to create a cloud architecture allowing the application of security policies per tenant. A security policy will consist of a sequence of middleboxes to be traversed, as this is the way enterprises commonly secure their networks. The enforcement of security policies must take into consideration the multi-tenant aspect of the cloud, as well as node migration. In particular, traffic should traverse middleboxes in the sequence required by the tenant and should not traverse unnecessary middleboxes. The enforcement of policies should be automatically reconfigured upon VM migration. In this work, we propose a method of leveraging the current Software-Defined Networking (SDN) architecture for efficient policy enforcement. SDN is a form of network architecture in which the control plane is separated from the data plane, allowing the network to be centrally managed. The tenants define the security design they want to apply to their Virtual Machine (VM) or groups of VMs. In order to identify security policies, we use an Application ID (AppID), which refers to a chain of middleboxes to be traversed. We assume that the running hypervisor has the capability to add this AppID into the flow when a VM emits packets.
When the first packet of a flow reaches a switch, it is forwarded to the network controller, which retrieves the AppID from the packet. Based on the AppID, the controller determines the chain of middleboxes to be traversed. In order to route packets through the middleboxes, our model defines labels (EEL-tags) applied to each flow of packets. These are divided into generic EEL-tags (gTags) and instance EEL-tags (iTags). Each gTag corresponds to a middlebox type, and each iTag corresponds to a middlebox instance. The security chain is defined by a chain of gTags. The iTags are added to the packets in order to route them across the network, defining the next middlebox the packet must be sent to. By using EEL-tags, this model provides a simple way to automatically enforce security policies while keeping them consistent despite node migration. Furthermore, we allow the network to be partitioned into different zones, each zone being ruled by a specific controller. When the source and destination VMs belong to different zones, the enforcement of security policies can be spread across the zones. We created a prototype of our model and tested it in a simulated environment. Although many aspects of our implementation will have to be improved in order to obtain a viable commercial solution, testing our prototype provided us with a proof of concept. In particular, it showed that the security policies remain consistent despite node migration.

    Deliverable JRA1.1: Evaluation of current network control and management planes for multi-domain network infrastructure

    This deliverable includes a compilation and evaluation of available control and management architectures and protocols applicable to a multilayer infrastructure in a multi-domain Virtual Network environment. The scope of this deliverable is mainly focused on the virtualisation of the resources within a network and at processing nodes. The virtualisation of the FEDERICA infrastructure allows the provisioning of its available resources to users by means of FEDERICA slices. A slice is seen by the user as a real physical network under his/her domain; however, it maps to a logical partition (a virtual instance) of the physical FEDERICA resources. A slice is built to exhibit to the highest degree all the principles applicable to a physical network (isolation, reproducibility, manageability, ...). Currently, there are no standard definitions available for network virtualisation or its associated architectures. Therefore, this deliverable proposes the Virtual Network layer architecture and evaluates a set of management and control planes that can be used for the partitioning and virtualisation of the FEDERICA network resources. This evaluation has been performed taking into account an initial set of FEDERICA requirements; a possible extension of the selected tools will be evaluated in future deliverables. The studies described in this deliverable define the virtual architecture of the FEDERICA infrastructure. During this activity, the need has been recognised to establish a new set of basic definitions (taxonomy) for the building blocks that compose the so-called slice, i.e. the virtual network instantiation (which is virtual with regard to the abstracted view made of the building blocks of the FEDERICA infrastructure) and its architectural plane representation. These definitions will be established as a common nomenclature for the FEDERICA project. Another important aspect when defining a new architecture is the user requirements.
It is crucial that the resulting architecture fits the demands that users may have. Since this deliverable has been produced at the same time as the process of contacting users, carried out by the project activities related to the Use Case definitions, JRA1 has proposed a set of basic Use Cases to be considered as a starting point for its internal studies. When researchers want to experiment with their developments, they need not only network resources on their slices, but also a slice of the processing resources. These processing slice resources are understood as virtual machine instances that users can make behave as software routers or end nodes, onto which they download the software protocols or applications they have produced and want to assess in a realistic environment. Hence, this deliverable also studies the APIs of several virtual machine management software products in order to identify which best suits FEDERICA's needs.
Postprint (published version)

    Architectures for the Future Networks and the Next Generation Internet: A Survey

    Networking research funding agencies in the USA, Europe, Japan, and other countries are encouraging research on revolutionary networking architectures that may or may not be bound by the restrictions of the current TCP/IP-based Internet. We present a comprehensive survey of such research projects and activities. The topics covered include various testbeds for experimentation with new architectures, new security mechanisms, content delivery mechanisms, management and control frameworks, service architectures, and routing mechanisms. Delay/Disruption Tolerant Networks, which allow communication even when a complete end-to-end path is not available, are also discussed.

    Intrusion Detection System against Denial of Service attack in Software-Defined Networking

    The exponential growth of online services and of the data volume transferred over communication networks raises the need to replace the structure of traditional networks with a new paradigm that adapts to current demands. Software-Defined Networking (SDN) is an advanced network architecture aiming to evolve and transform the traditional network into a more flexible network that responds to the new requirements. In contrast to the traditional network, SDN decouples the control and data plane functionalities to monitor, configure, and optimize network resources efficiently. It has a centralized controller with a global network view that manages its resources using programmable interfaces.
The central control brings new security vulnerabilities and acts as a single point of failure, which a malicious user might exploit to disrupt network functionality. Thus, the attacker launches massive traffic, known as a Distributed Denial of Service (DDoS) attack, from the SDN infrastructure layer towards the controller. This DDoS attack saturates the control channel bandwidth and consumes the controller's resources. Furthermore, the SDN architecture inherits some attack types from traditional networks: the attacker forges packets to appear benign and then targets the traditional DDoS objectives such as hosts, servers, applications and routers. This work observes the behavior of malicious users and then presents an Intrusion Detection System (IDS) to safeguard the SDN environment against DDoS attacks. The IDS considers three approaches to obtain sufficient feedback about the ongoing traffic through the SDN architecture: the information from an external device, the OpenFlow channel, and the flow table. Therefore, the proposed IDS consists of three components. The Inspector Device prevents malicious users from launching the saturation attack towards the SDN controller. The Convolutional Neural Network (CNN) component employs One-Dimensional Convolutional Neural Networks (1D-CNN) to analyze the controller's traffic through the OpenFlow channel. The Deep Learning Algorithm (DLA) component employs Recurrent Neural Networks (RNN) to detect the inherited DDoS attacks. The IDS also supports distinguishing between malicious and benign users as a new countermeasure. At the end of this work, all the proposed components are modeled with the Mininet network emulator and the Python programming language to test their feasibility. The simulation results demonstrate that the proposed IDS outperforms several benchmarking and state-of-the-art proposals.