Caught-in-Translation (CiT): Detecting Cross-level Inconsistency Attacks in Network Functions Virtualization

By providing network functions through software running on standard hardware, Network Functions Virtualization (NFV) brings many benefits, such as increased agility and flexibility with reduced costs, as well as additional security concerns. Although existing works have examined various security issues of NFV, such as vulnerabilities in VNF software and DoS, there has been little effort on a security issue that is intrinsic to NFV, i.e., as an NFV environment typically involves multiple abstraction levels, the inconsistency that may arise between different levels can potentially be exploited for security attacks. Existing solutions mostly focus on verification, which is after the fact and cannot prevent irreversible damages. Further adding to the complexity, the different abstraction levels can be managed by multiple service providers, which may render the data required for verification inaccessible. Moreover, many existing solutions are limited to a single abstraction level and disregard the multi-level nature of NFV. In this work, we propose the first NFV deployment model to capture the deployment aspects of NFV at different abstraction levels, which is essential for an in-depth study of the inconsistencies between such levels. We then present concrete attack scenarios in which the inconsistencies are exploited to attack the network functions in a stealthy manner. Based on the deployment model, we study the feasibility of detecting the inconsistencies through verification. Furthermore, by drawing an analogy between multi-level NFV events and natural languages, we propose a Neural Machine Translation (NMT)-based detection approach, namely, Caught-in-Translation (CiT), to detect cross-level inconsistency attacks in NFV. Specifically, we first extract event sequences from different abstraction levels of an NFV stack. We then leverage the Long Short-Term Memory (LSTM) to translate the event sequences from one level to another. Finally, we apply both similarity metric and Siamese neural network to compare the translated event sequences with the actual sequences to detect attacks. We integrate CiT into OpenStack/Tacker, and evaluate its performance using both real and synthetic data. Experimental results show that CiT outperforms traditional anomaly detection and provides an accurate, efficient, and robust solution for detecting inconsistency attacks in NFV

A State-Based Proactive Approach To Network Isolation Verification In Clouds

The multi-tenancy nature of public clouds usually leads to cloud tenants' concerns over network isolation around their virtual resources. Verifying network isolation in clouds faces unique challenges. The sheer size of virtual infrastructures paired with the self-serviced nature of clouds means the verification will likely have a high complexity and yet its results may become obsolete in seconds. Moreover, the _ne-grained and distributed network access control (e.g., per-VM security group rules) typical to virtual cloud infrastructures means the verification must examine not only the events but also the current state of the infrastructures. In this thesis, we propose VMGuard, a state-based proactive approach for efficiently verifying large-scale virtual infrastructures against network isolation policies. Informally, our key idea is to proactively trigger the verification based on predicted events and their simulated impact upon the current state, such that we can have the best of both worlds, i.e., the efficiency of a proactive approach and the effectiveness of state-based verification. We implement and evaluate VMGuard based on OpenStack, and our experiments with both real and synthetic data demonstrate the performance and efficiency

Provenance Analysis in Virtualized Environments

With the unprecedented need for remote working and virtual retail, there has been a worldwide surge in the adoption of cloud and edge computing. On the other hand, the significant reliance on virtual services has rendered the underlying virtualized environments supporting those services an attractive target for cyber criminals. There exist provenance-based solutions for identifying the root causes of security incidents and threat prevention by tracing the relationships between events at lower abstraction levels (e.g., system calls of an operating system). However, the sheer scale of virtualized environments means that such solutions would generate impractically large and complex provenance graphs for human analysts to interpret, especially in the context of virtualized environments with tens of thousands of users and inter-connected resources. Moreover, most intended user actions (e.g., creating a virtual function) generate a large number of events at lower abstraction levels, while it is typically challenging to associate those triggered operations to the intended actions of users, which further hinders understanding the provenance graphs. Finally, most works rely on human analysts to interpret provenance graphs into human-readable forensic reports. Therefore, the main focus of this thesis is to facilitate the investigation and prevention of security incidents through practical provenance-based solutions in virtualized environments such as clouds and network functions virtualization (NFV). First, we propose a cloud management-level provenance model to facilitate forensic investigations by capturing the dependencies between cloud management operations, instead of low-level system calls. Based on this model, we design a framework to construct management-level provenance graphs and prune operations that are irrelevant to detected security incidents. Second, we propose an approach preventing security incidents in clouds based on the management-level provenance graph. Third, we propose the first multi-level provenance system for NFV built for capturing the relationship between management operations across different levels of the NFV stack, and increasing the interpretability of the logged information by leveraging the inherent cross-level dependencies. Fourth, we propose a solution to bridge the gap between human understanding of natural languages and data provenance by automatically generating forensic reports explaining the root cause of security incidents based on the provenance graphs

Federated learning-based anomaly detection as an enabler for securing network and service management automation in beyond 5G networks

Abstract. Zero-touch network architecture (ZSM) is proposed to cater to unprecedented performance requirements, including network automation. 5G and beyond networks include exceptional latency, reliability, and bandwidth requirements. As a result, network automation is a necessity. ZSM architecture combines closed-loop mechanisms and artificial intelligence (AI) to meet the network automation requirement. Even though AI is prevalent, privacy concerns and resource limitations are growing concerns. However, techniques such as federated learning (FL) can be applied to address such issues. The proposed solution is a hierarchical anomaly detection mechanism based on the ZSM architecture, divided into domains by considering technical or business features. The network flow is categorized as an anomaly or not, and abnormal flows are removed from both stages. Detectors and aggregation servers are placed inside the network based on their purpose. The proposed detector is simulated with the UNSW-NB15 Dataset. The simulation results show accuracy improvement after the 2nd stage, and the detection accuracy varies with training data composition

Mitigating Stealthy Link Flooding DDoS Attacks Using SDN-Based Moving Target Defense

With the increasing diversity and complication of Distributed Denial-of-Service (DDoS) attacks, it has become extremely challenging to design a fully protected network. For instance, recently, a new type of attack called Stealthy Link Flooding Attack (SLFA) has been shown to cause critical network disconnection problems, where the attacker targets the communication links in the surrounding area of a server. The existing defense mechanisms for this type of attack are based on the detection of some unusual traffic patterns; however, this might be too late as some severe damage might already be done. These mechanisms also do not consider countermeasures during the reconnaissance phase of these attacks. Over the last few years, moving target defense (MTD) has received increasing attention from the research community. The idea is based on frequently changing the network configurations to make it much more difficult for the attackers to attack the network. In this dissertation, we investigate several novel frameworks based on MTD to defend against contemporary DDoS attacks. Specifically, we first introduce MTD against the data phase of SLFA, where the bots are sending data packets to target links. In this framework, we mitigate the traffic if the bandwidth of communication links exceeds the given threshold, and experimentally show that our method significantly alleviates the congestion. As a second work, we propose a framework that considers the reconnaissance phase of SLFA, where the attacker strives to discover critical communication links. We create virtual networks to deceive the attacker and provide forensic features. In our third work, we consider the legitimate network reconnaissance requests while keeping the attacker confused. To this end, we integrate cloud technologies as overlay networks to our system. We demonstrate that the developed mechanism preserves the security of the network information with negligible delays. Finally, we address the problem of identifying and potentially engaging with the attacker. We model the interaction between attackers and defenders into a game and derive a defense mechanism based on the equilibria of the game. We show that game-based mechanisms could provide similar protection against SLFAs like the extensive periodic MTD solution with significantly reduced overhead. The frameworks in this dissertation were verified with extensive experiments as well as with the theoretical analysis. The research in this dissertation has yielded several novel defense mechanisms that provide comprehensive protection against SLFA. Besides, we have shown that they can be integrated conveniently and efficiently to the current network infrastructure

Progressive introduction of network softwarization in operational telecom networks: advances at architectural, service and transport levels

Technological paradigms such as Software Defined Networking, Network Function Virtualization and Network Slicing are altogether offering new ways of providing services. This process is widely known as Network Softwarization, where traditional operational networks adopt capabilities and mechanisms inherit form the computing world, such as programmability, virtualization and multi-tenancy. This adoption brings a number of challenges, both from the technological and operational perspectives. On the other hand, they provide an unprecedented flexibility opening opportunities to developing new services and new ways of exploiting and consuming telecom networks. This Thesis first overviews the implications of the progressive introduction of network softwarization in operational networks for later on detail some advances at different levels, namely architectural, service and transport levels. It is done through specific exemplary use cases and evolution scenarios, with the goal of illustrating both new possibilities and existing gaps for the ongoing transition towards an advanced future mode of operation. This is performed from the perspective of a telecom operator, paying special attention on how to integrate all these paradigms into operational networks for assisting on their evolution targeting new, more sophisticated service demands.Programa de Doctorado en Ingeniería Telemática por la Universidad Carlos III de MadridPresidente: Eduardo Juan Jacob Taquet.- Secretario: Francisco Valera Pintor.- Vocal: Jorge López Vizcaín

Bridging the Gap: A Survey and Classification of Research-Informed Ethical Hacking Tools

The majority of Ethical Hacking (EH) tools utilised in penetration testing are developed by practitioners within the industry or underground communities. Similarly, academic researchers have also contributed to developing security tools. However, there appears to be limited awareness among practitioners of academic contributions in this domain, creating a significant gap between industry and academia’s contributions to EH tools. This research paper aims to survey the current state of EH academic research, primarily focusing on research-informed security tools. We categorise these tools into process-based frameworks (such as PTES and Mitre ATT&CK) and knowledge-based frameworks (such as CyBOK and ACM CCS). This classification provides a comprehensive overview of novel, research-informed tools, considering their functionality and application areas. The analysis covers licensing, release dates, source code availability, development activity, and peer review status, providing valuable insights into the current state of research in this field

Symmetry-Adapted Machine Learning for Information Security

Symmetry-adapted machine learning has shown encouraging ability to mitigate the security risks in information and communication technology (ICT) systems. It is a subset of artificial intelligence (AI) that relies on the principles of processing future events by learning past events or historical data. The autonomous nature of symmetry-adapted machine learning supports effective data processing and analysis for security detection in ICT systems without the interference of human authorities. Many industries are developing machine-learning-adapted solutions to support security for smart hardware, distributed computing, and the cloud. In our Special Issue book, we focus on the deployment of symmetry-adapted machine learning for information security in various application areas. This security approach can support effective methods to handle the dynamic nature of security attacks by extraction and analysis of data to identify hidden patterns of data. The main topics of this Issue include malware classification, an intrusion detection system, image watermarking, color image watermarking, battlefield target aggregation behavior recognition model, IP camera, Internet of Things (IoT) security, service function chain, indoor positioning system, and crypto-analysis