An Architecture for QoS-capable Integrated Security Gateway to Protect Avionic Data Network

International audienceWhile the use of Internet Protocol (IP) in aviation allows new applications and benefits, it opens the doors for security risks and attacks. Many security mechanisms and solutions have evolved to mitigate the ever continuously increasing number of network attacks. Although these conventional solutions have solved some security problems, they also leave some security holes. Securing open and complex systems have become more and more complicated and obviously, the dependence on a single security mechanism gives a false sense of security while opening the doors for attackers. Hence, to ensure secure networks, several security mechanisms must work together in a harmonic multi-layered way. In addition, if we take QoS requirements into account, the problem becomes more complicated and necessitates in-depth reflexions. In this paper, we present the architecture of our QoS-capable integrated security gateway: a gateway that highly integrates well chosen technologies in the area of network security as well as QoS mechanisms to provide the strongest level of security for avionic data network; our main aim is to provide both multi-layered security and stable performances for critical network applications

Quality-Managed Group-Aware Stream Filtering

We consider a distributed system that disseminates high-volume event streams to many simultaneous monitoring applications over a low-bandwidth network. For bandwidth efficiency, we propose a group-aware stream filtering approach, used together with multicasting, that exploits two overlooked, yet important, properties of monitoring applications: 1) many of them can tolerate some degree of “slack” in their data quality requirements, and 2) there may exist multiple subsets of the source data satisfying the quality needs of an application. We can thus choose the “best alternative” subset for each application to maximize the data overlap within the group to best benefit from multicasting. Here we provide a general framework for the group-aware stream filtering problem, which we prove is NP-hard. We introduce a suite of heuristics-based algorithms that ensure data quality (specifically, granularity and timeliness) while preserving bandwidth. Our evaluation shows that group-aware stream filtering is effective in trading CPU time for bandwidth savings, compared with self-interested filtering

Contribution to multi-domain network slicing : resource orchestration framework and algorithms

5G/6G services and applications, in the context of the eMBB, mMTC and uRLLC network slicing framework, whose network infrastructure requirements may span beyond the coverage area of a single Infrastructure Provider (InP), are envisaged to be supported by leasing resources from multiple InPs. A challenging aspect for a Service Provider (SP) is how to obtain an optimal set of InPs on which to provision the requests and the particular substrate nodes and links within each InP on which to map the different VNFs and virtual links of the service requests, respectively, for a seamless, reliable and cost-effective orchestration of service requests. Existing works in this area either perform service mapping in uncoordinated manner, do not incorporate service reliability or do so from the perspective of stateless VNFs. Also they assume full information disclosure, or are based on exact approaches, which considerations are not well suited for future network scenarios characterized by delay sensitive mission critical applications and resource constrained networks. This thesis contributes to the above challenge by breaking the multi-domain service orchestration problem into two interlinked sub-problems that are solved in a coordinated manner: (1) Request splitting/partitioning (sub-problem 1), involving obtaining a subset of InPs and the corresponding inter-domain links on which to provision the different VNFs and virtual links of the service request; (2) Intra-domain VNF orchestration (sub-problem 2), involving obtaining the intra-domain nodes and links to provision the VNFs and virtual links of the sub-SFC associated with each InP. In this way, the thesis sets out four key targets that are necessary to align with the mission critical and delay sensitive use-cases envisaged in 5G and future networks in terms of service deployment cost and QoS: (1) coordinated mapping of service requests, with a view of realizing better utilization of the substrate resources; (2) survivability and fault-tolerant orchestration of service requests, to tame both QoS violations and the penalties from such violations; (3) limited disclosure of InP internal information, in order adhere to the privacy requirements InPs, and (4) achieving all the above targets in polynomial time. In order to realize the above targets, the thesis sought for solution techniques that are: (1) able to incorporate information learned in the previous solutions search space and historical mapping decisions, hence, resulting in acceptable performance even in scenarios of limited information exposure and fuzzy environments; (2) robust and less problem specific, hence, can be tailored to different optimization objectives, network topologies and service request constraints, thus enabling to deal with requests with either chained topologies or with bifurcated paths; (3) capable of dealing with an optimization problem that is jointly affected by multiple attributes, since in practice, the service deployment cost is jointly affected by multiple conflicting costs; (4) able to realize near-optimal solutions in practical run-times, thus rendering well suited approaches for delay sensitive and resource constrained scenarios. Three different algorithms namely, an RL, Genetic Algorithm (GA) and a fully distributed multi-stage graph-based algorithms are proposed for sub-problem 1. In addition, five different algorithms based on GA, Harmony search, RL, and multi-stage graph approach are proposed for sub-problem 2. Finally, in order to guide the implementation and adherence of the thesis proposals to the four main targets of the thesis, an architectural framework is proposed, aligned with the ETSI NFV-MANO architectural framework. Overall, the simulations results proved that the thesis proposals are optimized in terms of request acceptance ratios, mapping cost and execution time, hence, rendering such proposals well suited for 5G and future scenarios.Els serveis que es poden presentar en el marc de la tecnologia de “slicing” de xarxa de 5G/6G, com ara eMBB, mMTC o uRLLC, es possible que no els pugui oferir un sol proveïdor d’infraestructura (InP) degut a les limitacions que pot tenir la seva xarxa, i per tant que faci necessària la cooperació de múltiples InPs. En aquest cas, el primer repte que afronta el Proveïdor de Servei (SP) que rep la sol·licitud de desplegament es determinar el conjunt òptim de InPs que hi han d’intervenir i en concret els nodes i enllaços de cada un d’ells que s’han d’utilitzar per al mapatge de les diferents VNFs i enllaços virtuals de la sol·licitud. Els treballs que existeixen en aquesta àrea duen a terme el mapatge del servei be sigui de manera no coordinada, o no incorporen la fiabilitat, o ho fan des de la perspectiva de VNFs sense estat. També, pressuposen la divulgació total de la informació, o estan basats en metodologies exactes que fa que no siguin idonis per a escenaris de xarxes del futur, caracteritzats per aplicacions de missió critica, sensibles al retard i sobre xarxes amb recursos limitats. Aquesta tesi contribueix a afrontar aquests reptes dividint el problema d’orquestració de serveis multi domini en dos subproblemes relacionats, que es resolen de manera coordinada. (1) Divisió / partició de la sol·licitud de servei (sub-problema 1), que implica l'obtenció d'un subconjunt d'InPs i els enllaços interdomini corresponents sobre els quals proporcionar les diferents VNF i enllaços virtuals de la sol·licitud de servei; (2) Orquestració VNF intradomini (sub-problema 2), que implica l'obtenció dels nodes i enllaços intradomini per aprovisionar les VNF i enllaços virtuals dels sub-SFC associats a cada InP. D'aquesta manera, la tesi estableix quatre objectius clau que són necessaris per alinear-se amb els casos d'ús de missió crítica i sensibles al retard previstos en 5G i xarxes futures en termes de cost de desplegament del servei i QoS: (1) mapatge coordinat de les sol·licituds de servei, amb l'objectiu de realitzar una millor utilització dels recursos del substrat; (2) orquestració de les sol·licituds de servei contemplant la supervivència del servei en situacions de fallides, minimitzant les violacions de la QoS i les sancions derivades d'aquestes violacions; (3) divulgació limitada de la informació interna de l’InP, per tal d'adherir-se als requisits de privadesa dels InPs, i (4) aconseguir tots els objectius anteriors en temps polinòmic. Per tal de realitzar els objectius anteriors, la tesi busca solucions que siguin: (1) capaces d'incorporar informació apresa en les solucions anteriors de l'espai de cerca i decisions de mapatge històric, donant lloc a un rendiment acceptable fins i tot en escenaris d'exposició limitada a la informació i entorns difusos; (2) robustes i menys dependents dels problemes específics, i per tant, que es poden adaptar a diferents objectius d'optimització, topologies de xarxa i restriccions de sol·licitud de servei, permetent així fer front a sol·licituds amb cadenes de funcions de topologies molt diverses; (3) capaces de fer front a un problema d'optimització de múltiples atributs, ja que a la pràctica, el cost de desplegament del servei depèn de múltiples costos; (4) capaces de trobar solucions gairebé òptimes en temps suficientment breus, resultant així adequades a escenaris sensibles al retard i amb limitació de recursos. La tesi proposa tres algorismes diferents per al sub-problema 1: un algorisme de RL, un algorisme genètic (GA) i un algorisme multi etapa basat en grafs i completament distribuït. A més, es proposen cinc algorismes diferents basats en l'enfocament de grafs, un algorisme GA, un algorisme de cerca d’harmonia, un algorisme de RL i un algorisme multi-etapa per al sub-problema 2. Finalment, per tal de guiar la implementació i l'adhesió de les propostes als quatre objectius principals de la tesi, es proposa...Postprint (published version

Control Plane in Software Defined Networks and Stateful Data Planes

L'abstract è presente nell'allegato / the abstract is in the attachmen

Patterns and Interactions in Network Security

Networks play a central role in cyber-security: networks deliver security attacks, suffer from them, defend against them, and sometimes even cause them. This article is a concise tutorial on the large subject of networks and security, written for all those interested in networking, whether their specialty is security or not. To achieve this goal, we derive our focus and organization from two perspectives. The first perspective is that, although mechanisms for network security are extremely diverse, they are all instances of a few patterns. Consequently, after a pragmatic classification of security attacks, the main sections of the tutorial cover the four patterns for providing network security, of which the familiar three are cryptographic protocols, packet filtering, and dynamic resource allocation. Although cryptographic protocols hide the data contents of packets, they cannot hide packet headers. When users need to hide packet headers from adversaries, which may include the network from which they are receiving service, they must resort to the pattern of compound sessions and overlays. The second perspective comes from the observation that security mechanisms interact in important ways, with each other and with other aspects of networking, so each pattern includes a discussion of its interactions.Comment: 63 pages, 28 figures, 56 reference

Methods and Techniques for Dynamic Deployability of Software-Defined Security Services

With the recent trend of “network softwarisation”, enabled by emerging technologies such as Software-Defined Networking and Network Function Virtualisation, system administrators of data centres and enterprise networks have started replacing dedicated hardware-based middleboxes with virtualised network functions running on servers and end hosts. This radical change has facilitated the provisioning of advanced and flexible network services, ultimately helping system administrators and network operators to cope with the rapid changes in service requirements and networking workloads. This thesis investigates the challenges of provisioning network security services in “softwarised” networks, where the security of residential and business users can be provided by means of sets of software-based network functions running on high performance servers or on commodity devices. The study is approached from the perspective of the telecom operator, whose goal is to protect the customers from network threats and, at the same time, maximize the number of provisioned services, and thereby revenue. Specifically, the overall aim of the research presented in this thesis is proposing novel techniques for optimising the resource usage of software-based security services, hence for increasing the chances for the operator to accommodate more service requests while respecting the desired level of network security of its customers. In this direction, the contributions of this thesis are the following: (i) a solution for the dynamic provisioning of security services that minimises the utilisation of computing and network resources, and (ii) novel methods based on Deep Learning and Linux kernel technologies for reducing the CPU usage of software-based security network functions, with specific focus on the defence against Distributed Denial of Service (DDoS) attacks. The experimental results reported in this thesis demonstrate that the proposed solutions for service provisioning and DDoS defence require fewer computing resources, compared to similar approaches available in the scientific literature or adopted in production networks

Analysis and Management of Security State for Large-Scale Data Center Networks

abstract: With the increasing complexity of computing systems and the rise in the number of risks and vulnerabilities, it is necessary to provide a scalable security situation awareness tool to assist the system administrator in protecting the critical assets, as well as managing the security state of the system. There are many methods to provide security states' analysis and management. For instance, by using a Firewall to manage the security state, and/or a graphical analysis tools such as attack graphs for analysis. Attack Graphs are powerful graphical security analysis tools as they provide a visual representation of all possible attack scenarios that an attacker may take to exploit system vulnerabilities. The attack graph's scalability, however, is a major concern for enumerating all possible attack scenarios as it is considered an NP-complete problem. There have been many research work trying to come up with a scalable solution for the attack graph. Nevertheless, non-practical attack graph based solutions have been used in practice for realtime security analysis. In this thesis, a new framework, namely 3S (Scalable Security Sates) analysis framework is proposed, which present a new approach of utilizing Software-Defined Networking (SDN)-based distributed firewall capabilities and the concept of stateful data plane to construct scalable attack graphs in near-realtime, which is a practical approach to use attack graph for realtime security decisions. The goal of the proposed work is to control reachability information between different datacenter segments to reduce the dependencies among vulnerabilities and restrict the attack graph analysis in a relative small scope. The proposed framework is based on SDN's programmable capabilities to adjust the distributed firewall policies dynamically according to security situations during the running time. It apply white-list-based security policies to limit the attacker's capability from moving or exploiting different segments by only allowing uni-directional vulnerability dependency links between segments. Specifically, several test cases will be presented with various attack scenarios and analyze how distributed firewall and stateful SDN data plan can significantly reduce the security states construction and analysis. The proposed approach proved to achieve a percentage of improvement over 61% in comparison with prior modules were SDN and distributed firewall are not in use.Dissertation/ThesisMasters Thesis Computer Engineering 201