37 research outputs found

    Virtualisation and resource allocation in MEC-enabled metro optical networks

    The appearance of new network services and the ever-increasing network traffic and number of connected devices will push the evolution of current communication networks towards the Future Internet. In the area of optical networks, wavelength routed optical networks (WRONs) are evolving to elastic optical networks (EONs) in which, thanks to the use of OFDM or Nyquist WDM, it is possible to create super-channels with custom-size bandwidth. The basic element in these networks is the lightpath, i.e., an all-optical circuit between two network nodes. The establishment of lightpaths requires the selection of the route that they will follow and the portion of the spectrum to be used in order to carry the requested traffic from the source to the destination node. That problem is known as the routing and spectrum assignment (RSA) problem, and new algorithms must be proposed to address this design problem. Some early studies on elastic optical networks studied gridless scenarios, in which a slice of spectrum of variable size is assigned to a request. However, the most common approach to spectrum allocation is to divide the spectrum into slots of fixed width and allocate multiple, consecutive spectrum slots to each lightpath, depending on the requested bandwidth. Moreover, EONs also allow the proposal of more flexible routing and spectrum assignment techniques, like the split-spectrum approach in which the request is divided into multiple "sub-lightpaths". In this thesis, four RSA algorithms are proposed combining two different levels of flexibility with the well-known k-shortest paths and first fit heuristics. After comparing the performance of those methods, a novel spectrum assignment technique, Best Gap, is proposed to overcome the inefficiencies that emerge when combining the first fit heuristic with highly flexible networks. 
A simulation study is presented to demonstrate that, thanks to the use of Best Gap, EONs can exploit the network flexibility and reduce the blocking ratio. On the other hand, operators must face profound architectural changes to increase the adaptability and flexibility of networks and ease their management. Thanks to the use of network function virtualisation (NFV), the necessary network functions that must be applied to offer a service can be deployed as virtual appliances hosted by commodity servers, which can be located in data centres, network nodes or even end-user premises. The appearance of new computation and networking paradigms, like multi-access edge computing (MEC), may facilitate the adaptation of communication networks to the new demands. Furthermore, the use of MEC technology will enable the possibility of installing those virtual network functions (VNFs) not only at data centres (DCs) and central offices (COs), traditional hosts of VNFs, but also at the edge nodes of the network. Since data processing is performed closer to the end-user, the latency associated with each service connection request can be reduced. MEC nodes will usually be connected to each other and to the DCs and COs by optical networks. In such a scenario, deploying a network service requires completing two phases: the VNF-placement, i.e., deciding the number and location of VNFs, and the VNF-chaining, i.e., connecting the VNFs that the traffic associated with a service must traverse in order to establish the connection. In the chaining process, not only the existence of VNFs with available processing capacity, but also the availability of network resources must be taken into account to avoid the rejection of the connection request. 
Taking into consideration that the backhaul of this scenario will usually be based on WRONs or EONs, it is necessary to design the virtual topology (i.e., the set of lightpaths established in the network) in order to transport the traffic from one node to another. The process of designing the virtual topology includes deciding the number of connections or lightpaths, allocating them a route and spectral resources, and finally grooming the traffic into the created lightpaths. Lastly, a failure in the equipment of a node in an NFV environment can cause the disruption of the SCs traversing the node. This can cause the loss of huge amounts of data and affect thousands of end-users. In consequence, it is key to provide the network with fault-management techniques able to guarantee the resilience of the established connections when a node fails. For the mentioned reasons, it is necessary to design orchestration algorithms which solve the VNF-placement, chaining and network resource allocation problems in 5G networks with optical backhaul. Moreover, some versions of those algorithms must also implement protection techniques to guarantee the resilience of the system in case of failure. This thesis makes contributions along that line. Firstly, a genetic algorithm is proposed to solve the VNF-placement and VNF-chaining problems in a 5G network with optical backhaul based on a star topology: GASM (genetic algorithm for effective service mapping). Then, we propose a modification of that algorithm so that it can be applied to dynamic scenarios in which the reconfiguration of the planning is allowed. Furthermore, we enhanced the modified algorithm to include a learning step, with the objective of improving the performance of the algorithm. In this thesis, we also propose an algorithm to solve not only the VNF-placement and VNF-chaining problems but also the design of the virtual topology, considering that a WRON is deployed as the backhaul network connecting MEC nodes and CO. 
Moreover, a version including individual VNF protection against node failure has also been proposed, and the effects of using shared/dedicated and end-to-end SC/individual VNF protection schemes are also analysed. Finally, a new algorithm that solves the VNF-placement and chaining problems and the virtual topology design, implementing a new chaining technique, is also proposed. Its corresponding versions implementing individual VNF protection are also presented. Furthermore, since the method works with any type of WDM mesh topology, a techno-economic study is presented to compare the effect of using different network topologies on both network performance and cost.
    Department of Signal Theory and Communications and Telematics Engineering. Doctorate in Information and Telecommunications Technologies

    A monitoring and threat detection system using stream processing as a virtual function for big data

    The late detection of security threats causes a significant increase in the risk of irreparable damage, disabling any defense attempt. As a consequence, fast real-time threat detection is mandatory for security guarantees. In addition, Network Function Virtualization (NFV) provides new opportunities for efficient and low-cost security solutions. We propose a fast and efficient threat detection system based on stream processing and machine learning algorithms. The main contributions of this work are i) a novel monitoring and threat detection system based on stream processing; ii) two datasets, first a dataset of synthetic security data containing both legitimate and malicious traffic, and the second, a week of real traffic of a telecommunications operator in Rio de Janeiro, Brazil; iii) a data pre-processing algorithm, a normalizing algorithm and an algorithm for fast feature selection based on the correlation between variables; iv) a virtualized network function in an open-source platform for providing a real-time threat detection service; v) near-optimal placement of sensors through a proposed heuristic for strategically positioning sensors in the network infrastructure, with a minimum number of sensors; and, finally, vi) a greedy algorithm that allocates on demand a sequence of virtual network functions.

    Traffic-Aware Deployment of Interdependent NFV Middleboxes in Software-Defined Networks

    Middleboxes, such as firewalls, Network Address Translators (NATs), Wide Area Network (WAN) optimizers, or Deep Packet Inspectors (DPIs), are widely deployed in modern networks to improve network security and performance. Traditional middleboxes are typically hardware based: expensive, closed systems with little extensibility. Furthermore, they are developed by different vendors and deployed as standalone devices with little scalability. As networks grow in scale, the limitations of traditional middleboxes bring great challenges in middlebox deployments. Network Function Virtualization (NFV) technology provides a promising alternative, which enables flexible deployment of middleboxes as virtual machines (VMs) running on standard servers. However, the flexibility also creates a challenge for efficiently placing such middleboxes, due to the availability of multiple hosting servers, capabilities of middleboxes to change traffic volumes, and dependency between middleboxes. In our first two works, we addressed the optimal placement challenge of NFV middleboxes by considering middlebox traffic changing effects and dependency relations. Since each VM has only a limited processing capacity restricted by its available resources, multiple instances of the same function are necessary in an NFV network. Thus, routing in an NFV network is also a challenge, since it must determine not only a path from the source to the destination but also the service (middlebox) locations. Furthermore, the challenge is complicated by the traffic changing effects of NFV services and dependency relations between them. In our third work, we studied how to efficiently route a flow to receive services in an NFV network. We conducted large-scale simulations to evaluate our proposed solutions, and also implemented a Software-Defined Networking (SDN) based prototype to validate the solutions in realistic environments. 
Extensive simulation and experiment results have fully demonstrated the effectiveness of our design.

    A New Approach for Delivering Customized Security Everywhere: Security Service Chain

    Security functions are usually deployed on proprietary hardware, which makes the delivery of security service inflexible and of high cost. Emerging technologies such as software-defined networking and network function virtualization go in the direction of executing functions as software components in virtual machines or containers provisioned in standard hardware resources. They enable the network to provide customized security service by deploying a Security Service Chain (SSC), which refers to steering a flow through multiple security functions in a particular order specified by an individual user or application. However, the SSC Deployment Problem (SSC-DP) needs to be solved. It is a challenging problem for various reasons, such as the heterogeneity of instances in terms of service capacity and resource demand. In this paper, we propose an SSC-based approach to deliver security service to users without worrying about physical locations of security functions. For SSC-DP, we present a three-phase method to solve it while optimizing network and security resource allocation. The presented method allows the network to serve a large number of flows and minimizes the latency seen by flows. Comparative experiments on the fat-tree and Waxman topologies show that our method performs better than other heuristics under a wide range of network conditions.

    On the Orchestration and Provisioning of NFV-enabled Multicast Services

    The paradigm of network function virtualization (NFV) with the support of software-defined networking has emerged as a prominent approach to foster innovation in the networking field and reduce the complexity involved in managing modern-day conventional networks. Before NFV, functions, which can manipulate the packet header and context of traffic flow, used to be implemented at fixed locations in the network substrate inside proprietary physical devices (called middlewares). With NFV, such functions are softwarized and virtualized. As such, they can be deployed in commodity servers as demanded. Hence, the provisioning of a network service becomes more agile and abstract, thereby giving rise to the next-generation service-customized networks which have the potential to meet new demands and use cases. In this thesis, we focus on three complementary research problems essential to the orchestration and provisioning of NFV-enabled multicast network services. An NFV-enabled multicast service connects a source with a set of destinations. It specifies a set of NFs that should be executed at the chosen routes from the source to the destinations, with some resources and ordering relationships that should be satisfied in wired core networks. In Problem I, we investigate a static joint traffic routing and virtual NF placement framework for accommodating multicast services over the network substrate. We develop optimal formulations and efficient heuristic algorithms that jointly handle the static embedding of one or multiple service requests over the network substrate with single-path and multipath routing. In Problem II, we study the online orchestration of NFV-enabled network services. We consider both unicast and multicast NFV-enabled services with mandatory and best-effort NF types. Mandatory NFs are strictly necessary for the correctness of a network service, whereas best-effort NFs are preferable yet not necessary. 
Correspondingly, we propose a primal-dual based online approximation algorithm that allocates both processing and transmission resources to maximize a profit function that is proportional to the throughput. The online algorithm resembles a joint admission mechanism and an online composition, routing, and NF placement framework. In the core network, traffic patterns exhibit time-varying characteristics that can be cumbersome to model. Therefore, in Problem III, we develop a dynamic provisioning approach to allocate processing and transmission resources based on the traffic pattern of the embedded network service using deep reinforcement learning (RL). Notably, we devise a model-assisted exploration procedure to improve the efficiency and consistency of the deep RL algorithm.