40 research outputs found

    Learning, spaces and technology: exploring the concept

    Monitoring impact: delivering on expectations

    Traffic-Aware Deployment of Interdependent NFV Middleboxes in Software-Defined Networks

    Middleboxes, such as firewalls, Network Address Translators (NATs), Wide Area Network (WAN) optimizers, or Deep Packet Inspectors (DPIs), are widely deployed in modern networks to improve network security and performance. Traditional middleboxes are typically hardware based: expensive, closed systems with little extensibility. Furthermore, they are developed by different vendors and deployed as standalone devices with little scalability. As networks grow in scale, these limitations make middlebox deployment increasingly challenging. Network Function Virtualization (NFV) provides a promising alternative that enables flexible deployment of middleboxes as virtual machines (VMs) running on standard servers. However, this flexibility also makes it hard to place such middleboxes efficiently, because of the availability of multiple hosting servers, the ability of middleboxes to change traffic volumes (a WAN optimizer shrinks the flow it forwards, whereas a firewall or DPI passes it on unchanged), and the dependencies between middleboxes. In our first two works, we addressed the optimal placement of NFV middleboxes by taking traffic-changing effects and dependency relations into account. Since each VM has only the limited processing capacity of its allocated resources, multiple instances of the same function are necessary in an NFV network. Routing in an NFV network is therefore also a challenge: one must determine not only a path from source to destination but also the locations at which the flow receives each service (middlebox). The challenge is further complicated by the traffic-changing effects of NFV services and the dependencies between them. In our third work, we studied how to efficiently route a flow so that it receives its services in an NFV network. We conducted large-scale simulations to evaluate the proposed solutions, and also implemented a Software-Defined Networking (SDN) based prototype to validate them in realistic environments. Extensive simulation and experiment results demonstrate the effectiveness of our design.
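As an added illustration of the two effects the abstract names, traffic-changing middleboxes and dependency constraints, the following Python example is not code from the thesis. It brute-forces the placement of a small service chain on a linear path of three servers and shows why order and location interact: the same three functions cost 350 or 250 units of link load depending on where the volume-reducing one runs. The traffic ratios, the dependency set, the per-server capacities, the flow volume and the objective (total volume carried over all links) are constructed for this example and are not necessarily the thesis's model.

```python
from itertools import combinations_with_replacement, permutations

# Constructed example: every middlebox scales the volume of the flow that leaves it
# (a WAN optimizer compresses, a firewall/DPI forwards unchanged). Ratios are made up.
RATIO = {"FW": 1.0, "DPI": 1.0, "WANOPT": 0.5}
# Dependency (a, b): the flow must be processed by a before b (constructed constraint).
DEPS = [("FW", "DPI")]
# Linear path src -> server0 -> server1 -> server2 -> dst, i.e. NODES + 1 links.
NODES = 3
CAP = {0: 2, 1: 1, 2: 1}  # how many middlebox instances each server can host (assumed)


def respects_deps(order):
    """True if the chain order processes every (a, b) dependency in the right sequence."""
    pos = {s: i for i, s in enumerate(order)}
    return all(pos[a] < pos[b] for a, b in DEPS)


def link_loads(order, placement, volume):
    """Volume carried on each of the NODES + 1 links for a chain order and a
    server placement; placement[s] is the index of the server hosting s."""
    loads, v, idx = [], volume, 0
    for link in range(NODES + 1):
        loads.append(v)  # link `link` enters server `link` (or dst when link == NODES)
        if link < NODES:
            # apply, in chain order, every middlebox hosted on the server this link enters
            while idx < len(order) and placement[order[idx]] == link:
                v *= RATIO[order[idx]]
                idx += 1
    return loads


def best_deployment(services, volume):
    """Exhaustive search over dependency-respecting chain orders and forward-only
    placements; returns (total_link_load, order, placement, per_link_loads)."""
    best = None
    for order in permutations(services):
        if not respects_deps(order):
            continue
        # non-decreasing server indices keep the flow moving forward along the path
        for nodes in combinations_with_replacement(range(NODES), len(order)):
            if any(nodes.count(n) > CAP[n] for n in CAP):
                continue
            placement = dict(zip(order, nodes))
            loads = link_loads(order, placement, volume)
            total = sum(loads)
            if best is None or total < best[0]:
                best = (total, order, placement, loads)
    return best


if __name__ == "__main__":
    naive = link_loads(("FW", "DPI", "WANOPT"), {"FW": 0, "DPI": 1, "WANOPT": 2}, 100)
    print("naive order/placement:", naive, "total", sum(naive))
    total, order, placement, loads = best_deployment(("FW", "DPI", "WANOPT"), 100)
    print("best:", order, placement, loads, "total", total)
```

The search is exponential and only suitable for chains of a handful of functions; its value here is to make visible that the optimal solution always pulls the volume-reducing function onto the first server, while the firewall/DPI dependency only constrains their relative order.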

    Profilage et débogage par prise de traces efficaces d'applications hybrides multi-threadées HPC (Efficient trace-based profiling and debugging of hybrid multi-threaded HPC applications)

    The evolution of supercomputers is the source of both hardware and software challenges. In the quest for the highest computing power, the interdependence between simulation components is becoming more and more significant and requires new approaches. This thesis focuses on the software development aspect and particularly on observing parallel software while it runs on several thousand cores. Such observation aims to give developers the feedback they need when running a program on an execution substrate that has not yet been modelled because of its complexity. To this end, we first introduce the development process from a global point of view, before describing developer tools and related work. We then present our contribution, which consists of a trace-based profiling and debugging tool and its evolution towards an on-line coupling method that, as we show, is more scalable because it overcomes I/O limitations. Our contribution also covers a time-stamp synchronisation algorithm for tracing, which relies on a probabilistic approach with a quantified error. We also present a tool for characterising a machine from the MPI perspective and demonstrate the presence of machine noise for both point-to-point and collective communications, justifying the use of an empirical approach. In summary, this work proposes and motivates an alternative to trace-based event collection that preserves event granularity while reducing overhead, in terms of both CPU usage and I/O.

    Secure virtual machines allocation in cloud computing environments

    A Cloud Computing Environment (CCE) leverages the advantages offered by virtualisation to share computing resources among cloud users elastically and according to user requirements. Hence, virtual machines (VMs) can share physical resources within the same physical machine (PM). However, resource sharing is exposed to security threats that can lead to malicious co-residency (multitenancy) between co-located VMs. Malicious co-residency occurs when a malicious VM is co-located with a critical, or target, VM on the same PM, enabling side-channel attacks (SCAs), which are widely recognised as a threat in CCEs. Specifically, SCAs allow a malicious VM to capture private information from a target VM with which it shares a PM. The co-location of VMs is an outcome of the VM allocation algorithm, which assigns each VM to a PM according to defined allocation objectives. As such, VM allocation behaviour can lead to malicious co-residency, so it is important that the implemented VM allocation algorithms be made secure. Most earlier studies tackled the malicious co-residency that leads to SCAs through specific solutions, either by formulating VM allocation algorithms or by modifying the architecture of the CCE to mitigate SCAs. However, most of them are tied to specific situations and assumptions, and lead to malicious co-residency when applied in other settings. In our work, we instead take a holistic perspective by studying the allocation behaviours and other properties that affect and lead to a secure VM allocation. In addition, we develop a secure VM allocation model that aims to minimise malicious co-residency under various situations and constraints. Furthermore, we evaluate our model with an optimisation-based approach, using linear programming to capture the behaviour of the optimal VM allocation. Based on the optimisation outcomes, we develop security-aware VM allocation and VM migration algorithms that allocate VMs so as to reduce the threat of malicious co-residency. To accomplish these objectives we use state-of-the-art tools and simulators, namely PuLP and CloudSim, to implement and examine the VM allocation algorithms. We also perform an extensive examination of three VM allocation behaviours: stacking-based, random-based and spreading-based. The examinations are performed under different scenarios and structures for each behaviour to understand the situations that lead to secure VM allocation. We show that stacking-based algorithms are more likely to produce secure allocations than spreading-based or random-based ones; accordingly, our stacking-based algorithms produce significantly more secure allocations than the compared algorithms under the same examined situations. Our results also show that VM arrival time has a significant impact on producing secure allocations: when target or malicious VMs arrive earlier than the rest of the VMs, malicious co-residency is often minimised. In addition, high diversity among the available resources of the PMs yields more secure allocations, as it gives the allocation algorithm more placement options and thus more flexibility. Furthermore, our stacking-based algorithms show the lowest PM usage among the compared algorithms, by significant margins, under most examined situations, so fewer PMs are used and less power is consumed. Lastly, the number of VM migrations is the lowest among the examined algorithms, which improves VM availability in the cloud system by avoiding the many interruptions that migrations cause, while still enhancing the security of the allocations.
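To make the three allocation behaviours, the co-residency metric and the arrival-time effect concrete, here is an added Python example; it is not the thesis's CloudSim or PuLP code. It allocates a constructed sequence of VMs to four PMs with stacking, spreading and random policies, counts (target, malicious) pairs that end up sharing a PM, and adds a security-aware filter that refuses to co-locate those two roles. The assumption that the allocator knows which VMs are target and malicious is the example's, as are the capacities, demands and arrival sequences.

```python
import random

PM_CAPACITY = 8  # CPU units per physical machine (constructed)


def vm(vm_id, role, cpu=2):
    """role is 'target', 'malicious' or 'normal'; labels are assumed known here."""
    return {"id": vm_id, "role": role, "cpu": cpu}


# Constructed arrival sequences: same VMs, different arrival order.
EARLY_TARGET = [vm("T", "target"), vm("N1", "normal"), vm("N2", "normal"), vm("N3", "normal"),
                vm("M1", "malicious"), vm("N4", "normal"), vm("M2", "malicious"), vm("N5", "normal")]
LATE_TARGET = [vm("N1", "normal"), vm("N2", "normal"), vm("M1", "malicious"), vm("T", "target"),
               vm("N3", "normal"), vm("N4", "normal"), vm("M2", "malicious"), vm("N5", "normal")]


def new_pms(n):
    return [{"id": i, "free": PM_CAPACITY, "vms": []} for i in range(n)]


def secure_filter(cands, v):
    """Security-aware rule: a target never lands on a PM hosting a malicious VM, and vice versa."""
    hostile = {"target": "malicious", "malicious": "target"}.get(v["role"])
    if hostile is None:
        return cands
    return [pm for pm in cands if not any(x["role"] == hostile for x in pm["vms"])]


def choose(cands, policy, rng):
    if policy == "stacking":    # most-loaded feasible PM first (consolidate)
        return min(cands, key=lambda pm: (pm["free"], pm["id"]))
    if policy == "spreading":   # least-loaded PM first (balance)
        return max(cands, key=lambda pm: (pm["free"], -pm["id"]))
    if policy == "random":
        return rng.choice(cands)
    raise ValueError(policy)


def allocate(vms, n_pms, policy, secure=False, seed=1):
    """Online allocation of an arrival sequence; returns the list of PMs with their VMs."""
    rng = random.Random(seed)
    pms = new_pms(n_pms)
    for v in vms:
        cands = [pm for pm in pms if pm["free"] >= v["cpu"]]
        if secure:
            cands = secure_filter(cands, v)
        if not cands:
            raise RuntimeError(f"no feasible PM for {v['id']}")
        pm = choose(cands, policy, rng)
        pm["vms"].append(v)
        pm["free"] -= v["cpu"]
    return pms


def malicious_coresidency(pms):
    """Number of (target, malicious) pairs that share a PM; 0 means a secure allocation."""
    return sum(sum(x["role"] == "target" for x in pm["vms"])
               * sum(x["role"] == "malicious" for x in pm["vms"]) for pm in pms)


def pms_used(pms):
    return sum(1 for pm in pms if pm["vms"])


if __name__ == "__main__":
    for seq_name, seq in (("early target", EARLY_TARGET), ("late target", LATE_TARGET)):
        for policy in ("stacking", "spreading", "random"):
            for secure in (False, True):
                pms = allocate(seq, 4, policy, secure)
                print(f"{seq_name:12} {policy:9} secure={secure!s:5} "
                      f"co-residency={malicious_coresidency(pms)} PMs used={pms_used(pms)}")
```

With the target arriving first, stacking fills the target's PM with the normal VMs before any malicious VM arrives (zero co-residency on two PMs), whereas spreading leaves every PM half empty and the first malicious VM lands next to the target; with the target arriving late, plain stacking co-locates it with the malicious VM already on the fullest PM, and only the security-aware filter keeps the allocation secure.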

    Nature-inspired survivability: Prey-inspired survivability countermeasures for cloud computing security challenges

    As cloud computing environments become more complex, adversaries have become highly sophisticated and unpredictable. Moreover, they can easily increase attack power and persist longer before detection. Uncertain malicious actions, latent risks, and Unobserved or Unobservable risks (UUURs) characterise this new threat domain. This thesis proposes prey-inspired survivability to address the unpredictable security challenges born of UUURs. While survivability is a well-studied phenomenon in non-extinct prey animals, applying prey survivability directly to cloud computing is challenging because the end goals contradict each other. Managing evolving survivability goals and requirements under contradicting environmental conditions adds to the challenge. To address these challenges, this thesis proposes a holistic taxonomy that integrates multiple, disparate perspectives on cloud security challenges. In addition, it uses TRIZ (Teoriya Resheniya Izobretatelskikh Zadach, the theory of inventive problem solving) to derive prey-inspired solutions by resolving contradictions. First, it develops a 3-step process to facilitate the inter-domain transfer of concepts from nature to the cloud. TRIZ's generic approach then suggests specific solutions for cloud computing survivability. The thesis next presents the conceptual prey-inspired cloud computing survivability framework (Pi-CCSF), built upon the TRIZ-derived solutions. The framework's run-time is pushed into user space to support evolving survivability design goals. Furthermore, a target-based decision-making technique (TBDM) is proposed to manage survivability decisions. To evaluate the prey-inspired survivability concept, a Pi-CCSF simulator is developed and implemented. Evaluation results show that escalating survivability actions improve the vitality of vulnerable and compromised virtual machines (VMs) by 5% and dramatically improve their overall survivability. Hypothesis testing conclusively supports the hypothesis that the escalation mechanisms can be applied to enhance the survivability of cloud computing systems. Numerical analysis of TBDM shows that, by considering survivability preferences and attitudes (which directly affect survivability actions), the TBDM method brings unpredictable survivability information closer to the decision process. This enables efficient execution of variable escalating survivability actions, which lets Pi-CCSF's decision system (DS) focus on decisions that achieve survivability outcomes under the unpredictability imposed by UUURs.

    Online learning on the programmable dataplane

    This thesis makes the case for managing computer networks with data-driven methods (automated statistical inference and control based on measurement data and runtime observations) and argues for their tight integration with programmable dataplane hardware so that management decisions are made faster and from more precise data. Optimisation, defence, and measurement of networked infrastructure are each challenging tasks in their own right, and are currently dominated by hand-crafted heuristic methods. These become harder to reason about and deploy as networks scale in rates and in number of forwarding elements, and their design requires expert knowledge and care around unexpected protocol interactions. This makes tailored, per-deployment or per-workload solutions infeasible to develop. Recent advances in machine learning offer capable function approximation and closed-loop control suited to many of these tasks. New programmable dataplane hardware enables more agility in the network: runtime reprogrammability, precise traffic measurement, and low-latency on-path processing. The synthesis of these two developments allows complex decisions to be made on previously unusable state, and to be made more quickly by offloading inference to the network. To justify this argument, I advance the state of the art in data-driven defence of networks, in novel dataplane-friendly online reinforcement learning algorithms, and in in-network data reduction that allows classification of switch-scale data. Each requires co-design that is aware of the network and of the failure modes of systems and carried traffic. To make online learning possible in the dataplane, I use fixed-point arithmetic and modify classical (non-neural) approaches to take advantage of the SmartNIC compute model and its rich device-local state. I show that data-driven solutions still require great care to design correctly, but with the right domain expertise they can improve on pathological cases in DDoS defence, such as protecting legitimate UDP traffic. In-network aggregation into histograms is shown to enable accurate classification from fine temporal effects, and allows hosts to scale such classification to far larger flow counts and traffic volumes. Moving reinforcement learning into the dataplane is shown to offer substantial benefits in state-action latency and online learning throughput versus host machines, allowing policies to react faster to fine-grained network events. The dataplane environment is key to making reactive online learning feasible; to port further algorithms and learnt functions, I collate and analyse the strengths of current and future hardware designs, as well as of individual algorithms.
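Two of the ingredients the abstract names, fixed-point arithmetic for an online reinforcement-learning update and in-network aggregation of fine-grained timing into histograms, are shown in the added Python example below; it is not the thesis's SmartNIC code. It implements a Q-learning temporal-difference update on Q16.16 integers with saturation (the silent wrap-around of a fixed-width register being the failure mode to guard against), compares it with the floating-point version over many updates, and reduces a flow's packet timestamps to a log2 inter-arrival-time histogram using only integer operations. The format width, the learning-rate and discount values, and the sample timestamps are the example's assumptions.

```python
# Q16.16 fixed point: a real x is stored as round(x * 2**16) in a signed 32-bit register,
# the kind of value a dataplane can hold and update without a floating-point unit.
FRAC_BITS = 16
ONE = 1 << FRAC_BITS
INT32_MIN, INT32_MAX = -(1 << 31), (1 << 31) - 1


def saturate(q):
    return max(INT32_MIN, min(INT32_MAX, q))


def to_fixed(x):
    return saturate(int(round(x * ONE)))


def to_float(q):
    return q / ONE


def fmul(a, b):
    """Fixed-point product: the raw product carries 2*FRAC_BITS fraction bits, so shift
    back (arithmetic shift, i.e. floor) and saturate instead of wrapping silently."""
    return saturate((a * b) >> FRAC_BITS)


def td_update_fixed(q_sa, reward, q_next_max, alpha, gamma):
    """Q(s,a) += alpha * (r + gamma * max_a' Q(s',a') - Q(s,a)) with integer ops only."""
    target = saturate(reward + fmul(gamma, q_next_max))
    delta = saturate(target - q_sa)
    return saturate(q_sa + fmul(alpha, delta))


def td_update_float(q_sa, reward, q_next_max, alpha, gamma):
    return q_sa + alpha * (reward + gamma * q_next_max - q_sa)


def run_single_state(n_steps, reward=1.0, alpha=0.1, gamma=0.9):
    """Repeatedly update one state-action value that is its own successor, in both
    arithmetics; returns (float_value, fixed_value_as_float). Both approach r / (1 - gamma)."""
    qf, qx = 0.0, 0
    r, a, g = to_fixed(reward), to_fixed(alpha), to_fixed(gamma)
    for _ in range(n_steps):
        qf = td_update_float(qf, reward, qf, alpha, gamma)
        qx = td_update_fixed(qx, r, qx, a, g)
    return qf, to_float(qx)


def log2_bin(x, nbins):
    """Histogram bucket floor(log2(x)), saturating at nbins - 1, via bit_length only."""
    return min(max(x, 1).bit_length() - 1, nbins - 1)


def iat_histogram(timestamps_us, nbins=8):
    """Aggregate a flow's packet timestamps into a log2 inter-arrival-time histogram:
    per-packet detail is reduced to nbins counters that a switch can keep per flow."""
    hist = [0] * nbins
    for prev, cur in zip(timestamps_us, timestamps_us[1:]):
        hist[log2_bin(cur - prev, nbins)] += 1
    return hist


if __name__ == "__main__":
    print("TD after 200 steps (float, fixed):", run_single_state(200))
    print("saturated product:", fmul(to_fixed(30000.0), to_fixed(30000.0)) == INT32_MAX)
    # constructed timestamps (microseconds) for one flow
    print("IAT histogram:", iat_histogram([0, 1, 3, 7, 15, 1015]))
```

The fixed-point learner tracks the floating-point one to within a few thousandths after 200 updates because the floor in each multiply is bounded by one least-significant bit and the update is contractive; the histogram keeps eight counters per flow regardless of packet count, which is the data reduction that lets a host classify far more flows than it could from raw timestamps.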

    Improving the performance of Virtualized Network Services based on NFV and SDN

    Network Functions Virtualisation (NFV) proposes to move all the traditional network appliances, which require dedicated physical machines, into a virtualised environment (e.g., virtual machines). In this way, many of the physical devices currently present in the infrastructure are replaced with standard high-volume servers, which can be located in datacenters, at the edge of the network, or on the end user's premises. This reduces the required physical resources, thanks to virtualisation technologies already used in cloud computing, and allows services to be more dynamic and scalable. However, unlike traditional cloud applications, which are rather demanding in terms of CPU power, network applications are mostly I/O bound, so the virtualisation technologies in use (either standard VM-based or lightweight ones) need to be improved to maximise network performance. A series of Virtual Network Functions (VNFs) can be connected to each other by means of Software-Defined Networking (SDN) technologies (e.g., OpenFlow) to create a Network Function Forwarding Graph (NF-FG) that processes the network traffic in the order configured in the graph. Using NF-FGs it is possible to create arbitrary chains of services and to transparently configure different virtualised network services, which can be dynamically instantiated and rearranged depending on the requested service and its requirements. However, the above virtualisation technologies are rather demanding in terms of hardware resources (mainly CPU and memory), which may have a non-negligible impact on the cost of providing services under this paradigm. This thesis investigates this problem and proposes a set of solutions that enable the novel NFV paradigm to be used efficiently, thereby guaranteeing both flexibility and efficiency in future network services.

    Cooperative Radio Communications for Green Smart Environments

    The demand for mobile connectivity is continuously increasing, and by 2020 mobile and wireless communications will serve not only very dense populations of mobile phones and nomadic computers, but also the expected multiplicity of devices and sensors located in machines, vehicles, health systems and city infrastructures. Future mobile networks are therefore faced with many new scenarios and use cases, which will load the networks with different data traffic patterns, in new or shared spectrum bands, creating new specific requirements. This book addresses both the techniques to model, analyse and optimise the radio links and transmission systems in such scenarios, and the most advanced radio access, resource management and mobile networking technologies. The text summarises the work performed by more than 500 researchers from more than 120 institutions in Europe, America and Asia, from both academia and industry, within the framework of the COST IC1004 Action on "Cooperative Radio Communications for Green and Smart Environments". The book will appeal to graduates and researchers in the radio communications area, and also to engineers working in the wireless industry. Topics discussed in this book include:
    • Radio wave propagation phenomena in diverse urban, indoor, vehicular and body environments
    • Measurements, characterisation and modelling of radio channels beyond 4G networks
    • Key issues in vehicle-to-everything (V2X) communication
    • Wireless Body Area Networks, including specific radio channel models for WBANs
    • Energy efficiency and resource management enhancements in Radio Access Networks
    • Definitions and models for the virtualised and cloud RAN architectures
    • Advances in feasible indoor localisation and tracking techniques
    • Recent findings and innovations in antenna systems for communications
    • Physical Layer Network Coding for next generation wireless systems
    • Methods and techniques for MIMO Over the Air (OTA) testing