A pattern-based framework for the design of secure and dependable SDN/NFV-enabled networks

As the world becomes an interconnected network where objects and humans interact, cyber and physical networks appear to play an important role in smart ecosystems due to their increasing use on critical infrastructure and smart cities. Software Defined Networking (SDN) and Network Function Virtualisation (NFV) are a promising combination for programmable connectivity, rapid service provisioning and service chaining as they offer the necessary end-to-end optimisations. However, with the actual exponential growth of connected devices, future networks, such as SDN and NFV, require open architectures, facilitated by standards and a strong ecosystem.In this thesis, a model-based approach is proposed to support the design and verification of secure and dependable SDN/NFV-enabled networks. The model is based on the development of a pattern-based approach to design executable patterns as solutions for reusable designs and interactions of objects, encoded in a rule based reasoning system, able to guarantee security and dependability (S&D) properties in SDN/NFV enabled networks. To execute S&D patterns, a pattern based framework is implemented for the insertion of patterns at design and at runtime level. The developed pattern framework highlights also the benefit of leveraging the flexibility of SDN/NFV-enabled networks to deploy enhanced reactive security mechanisms for the protection of the industrial network via the use of service function chaining (SFC). To prove the importance of this approach and the functionality of the pattern framework, different pattern instances are implemented to guarantee S&D in network infrastructures. The developed design patterns are able to design network topologies, guarantee network properties and offer security service provisioning and chaining. Finally, in order to evaluate the developed patterns in the pattern framework, three different use cases are described, where a number of usage scenarios are deployed and evaluated experimentally

Distributed Adaptive Learning Framework for Wide Area Monitoring of Power Systems Integrated with Distributed Generations

This paper presents a preliminary study of developing a novel distributed adaptive real-time learning framework for wide area monitoring of power systems integrated with distributed generations using synchrophasor technology. The framework comprises distributed agents (synchrophasors) for autonomous local condition monitoring and fault detection, and a central unit for generating global view for situation awareness and decision making. Key technologies that can be integrated into this hierarchical distributed learning scheme are discussed to enable real-time information extraction and knowledge discovery for decision making, without explicitly accumulating and storing all raw data by the central unit. Based on this, the configuration of a wide area monitoring system of power systems using synchrophasor technology, and the functionalities for locally installed open-phasor-measurement-units (OpenPMUs) and a central unit are presented. Initial results on anti-islanding protection using the proposed approach are given to illustrate the effectiveness

Internet of Things From Hype to Reality

The Internet of Things (IoT) has gained significant mindshare, let alone attention, in academia and the industry especially over the past few years. The reasons behind this interest are the potential capabilities that IoT promises to offer. On the personal level, it paints a picture of a future world where all the things in our ambient environment are connected to the Internet and seamlessly communicate with each other to operate intelligently. The ultimate goal is to enable objects around us to efficiently sense our surroundings, inexpensively communicate, and ultimately create a better environment for us: one where everyday objects act based on what we need and like without explicit instructions

Scalable and Reliable Middlebox Deployment

Middleboxes are pervasive in modern computer networks providing functionalities beyond mere packet forwarding. Load balancers, intrusion detection systems, and network address translators are typical examples of middleboxes. Despite their benefits, middleboxes come with several challenges with respect to their scalability and reliability. The goal of this thesis is to devise middlebox deployment solutions that are cost effective, scalable, and fault tolerant. The thesis includes three main contributions: First, distributed service function chaining with multiple instances of a middlebox deployed on different physical servers to optimize resource usage; Second, Constellation, a geo-distributed middlebox framework enabling a middlebox application to operate with high performance across wide area networks; Third, a fault tolerant service function chaining system

Cyber Security

This open access book constitutes the refereed proceedings of the 18th China Annual Conference on Cyber Security, CNCERT 2022, held in Beijing, China, in August 2022. The 17 papers presented were carefully reviewed and selected from 64 submissions. The papers are organized according to the following topical sections: ​​data security; anomaly detection; cryptocurrency; information security; vulnerabilities; mobile internet; threat intelligence; text recognition

Towards Authentication of IoMT Devices via RF Signal Classification

The increasing reliance on the Internet of Medical Things (IoMT) raises great concern in terms of cybersecurity, either at the device’s physical level or at the communication and transmission level. This is particularly important as these systems process very sensitive and private data, including personal health data from multiple patients such as real-time body measurements. Due to these concerns, cybersecurity mechanisms and strategies must be in place to protect these medical systems, defending them from compromising cyberattacks. Authentication is an essential cybersecurity technique for trustworthy IoMT communications. However, current authentication methods rely on upper-layer identity verification or key-based cryptography which can be inadequate to the heterogeneous Internet of Things (IoT) environments. This thesis proposes the development of a Machine Learning (ML) method that serves as a foundation for Radio Frequency Fingerprinting (RFF) in the authentication of IoMT devices in medical applications to improve the flexibility of such mechanisms. This technique allows the authentication of medical devices by their physical layer characteristics, i.e. of their emitted signal. The development of ML models serves as the foundation for RFF, allowing it to evaluate and categorise the released signal and enable RFF authentication. Multiple feature take part of the proposed decision making process of classifying the device, which then is implemented in a medical gateway, resulting in a novel IoMT technology.A confiança crescente na IoMT suscita grande preocupação em termos de cibersegurança, quer ao nível físico do dispositivo quer ao nível da comunicação e ao nível de transmissão. Isto é particularmente importante, uma vez que estes sistemas processam dados muito sensíveis e dados, incluindo dados pessoais de saúde de diversos pacientes, tais como dados em tempo real de medidas do corpo. Devido a estas preocupações, os mecanismos e estratégias de ciber-segurança devem estar em vigor para proteger estes sistemas médicos, defendendo-os de ciberataques comprometedores. A autenticação é uma técnica essencial de ciber-segurança para garantir as comunicações em sistemas IoMT de confiança. No entanto, os métodos de autenticação atuais focam-se na verificação de identidade na camada superior ou criptografia baseada em chaves que podem ser inadequadas para a ambientes IoMT heterogéneos. Esta tese propõe o desenvolvimento de um método de ML que serve como base para o RFF na autenticação de dispositivos IoMT para melhorar a flexibilidade de tais mecanismos. Isto permite a autenticação dos dispositivos médicos pelas suas características de camada física, ou seja, a partir do seu sinal emitido. O desenvolvimento de modelos de ML serve de base para o RFF, permitindo-lhe avaliar e categorizar o sinal libertado e permitir a autenticação do RFF. Múltiplas features fazem parte do processo de tomada de decisão proposto para classificar o dispositivo, que é implementada num gateway médico, resultando numa nova tecnologia IoMT

Journal of Telecommunications and Information Technology, 2008, nr 2

kwartalni

Sécurité collaborative pour l internet des objets

Cette thèse aborde des nouveaux défis de sécurité dans l'Internet des Objets (IdO). La transition actuelle de l'Internet classique vers l'Internet des Objets conduit à de nombreux changements dans les modèles de communications sous-jacents. La nature hétérogène des communications de l IdO et le déséquilibre entre les capacités des entités communicantes qui le constituent rendent difficile l'établissement de connexions sécurisées de bout en bout. Contrairement aux nœuds de l Internet traditionnel, la plupart des composants de l'Internet des Objets sont en effet caractérisés par de faibles capacités en termes d'énergie et de puissance calcul. Par conséquent, ils ne sont pas en mesure de supporter des systèmes de sécurité complexes. En particulier, la mise en place d'un canal de communication sécurisé de bout en bout nécessite l établissement d'une clé secrète commune entre les deux nœuds souhaitant communiquer, qui sera négociée en s'appuyant sur un protocole d'échange de clés tels que le Transport Layer Security (TLS) Handshake ou l Internet Key Exchange (IKE). Or, une utilisation directe de ces protocoles pour établir des connexions sécurisées entre deux entités de l IdO peut être difficile en raison de l'écart technologique entre celles-ci et des incohérences qui en résultent sur le plan des primitives cryptographiques supportées. Le sujet de l'adaptation des protocoles de sécurité existants pour répondre à ces nouveaux défis a récemment été soulevé dans la communauté scientifique. Cependant, les premières solutions proposées n'ont pas réussi à répondre aux besoins des nœuds à ressources limitées. Dans cette thèse, nous proposons de nouvelles approches collaboratives pour l'établissement de clés, dans le but de réduire les exigences des protocoles de sécurité existants, afin que ceux-ci puissent être mis en œuvre par des nœuds à ressources limitées. Nous avons particulièrement retenu les protocoles TLS Handshake, IKE et HIP BEX comme les meilleurs candidats correspondant aux exigences de sécurité de bout en bout pour l'IdO. Puis nous les avons modifiés de sorte que le nœud contraint en énergie puisse déléguer les opérations cryptographiques couteuses à un ensemble de nœuds au voisinage, tirant ainsi avantage de l'hétérogénéité spatiale qui caractérise l IdO. Nous avons entrepris des vérifications formelles de sécurité et des analyses de performance qui prouvent la sureté et l'efficacité énergétique des protocoles collaboratifs proposés. Dans une deuxième partie, nous avons porté notre attention sur une classe d attaques internes que la collaboration entre les nœuds peut induire et que les mécanismes cryptographiques classiques, tels que la signature et le chiffrement, s'avèrent impuissants à contrer. Cela nous a amené à introduire la notion de confiance au sein d'un groupe collaboratif. Le niveau de fiabilité d'un nœud est évalué par un mécanisme de sécurité dédié, connu sous le nom de système de gestion de confiance. Ce système est lui aussi instancié sur une base collaborative, dans laquelle plusieurs nœuds partagent leurs témoignages respectifs au sujet de la fiabilité des autres nœuds. En nous appuyant sur une analyse approfondie des systèmes de gestion de confiance existants et des contraintes de l IoD, nous avons conçu un système de gestion de confiance efficace pour nos protocoles collaboratifs. Cette efficacité a été évaluée en tenant compte de la façon dont le système de gestion de la confiance répond aux exigences spécifiques à nos approches proposées pour l'établissement de clés dans le contexte de l'IdO. Les résultats des analyses de performance que nous avons menées démontrent le bon fonctionnement du système proposé et une efficacité accrue par rapport à la littératureThis thesis addresses new security challenges in the Internet of Things (IoT). The current transition from legacy Internet to Internet of Things leads to multiple changes in its communication paradigms. Wireless sensor networks (WSNs) initiated this transition by introducing unattended wireless topologies, mostly made of resource constrained nodes, in which radio spectrum therefore ceased to be the only resource worthy of optimization. Today's Machine to Machine (M2M) and Internet of Things architectures further accentuated this trend, not only by involving wider architectures but also by adding heterogeneity, resource capabilities inconstancy and autonomy to once uniform and deterministic systems. The heterogeneous nature of IoT communications and imbalance in resources capabilities between IoT entities make it challenging to provide the required end-to-end secured connections. Unlike Internet servers, most of IoT components are characterized by low capabilities in terms of both energy and computing resources, and thus, are unable to support complex security schemes. The setup of a secure end-to-end communication channel requires the establishment of a common secret key between both peers, which would be negotiated relying on standard security key exchange protocols such as Transport Layer Security (TLS) Handshake or Internet Key Exchange (IKE). Nevertheless, a direct use of existing key establishment protocols to initiate connections between two IoT entities may be impractical because of the technological gap between them and the resulting inconsistencies in their cryptographic primitives. The issue of adapting existing security protocols to fulfil these new challenges has recently been raised in the international research community but the first proposed solutions failed to satisfy the needs of resource-constrained nodes. In this thesis, we propose novel collaborative approaches for key establishment designed to reduce the requirements of existing security protocols, in order to be supported by resource-constrained devices. We particularly retained TLS handshake, Internet key Exchange and HIP BEX protocols as the best keying candidates fitting the end-to-end security requirements of the IoT. Then we redesigned them so that the constrained peer may delegate its heavy cryptographic load to less constrained nodes in neighbourhood exploiting the spatial heterogeneity of IoT nodes. Formal security verifications and performance analyses were also conducted to ensure the security effectiveness and energy efficiency of our collaborative protocols. However, allowing collaboration between nodes may open the way to a new class of threats, known as internal attacks that conventional cryptographic mechanisms fail to deal with. This introduces the concept of trustworthiness within a collaborative group. The trustworthiness level of a node has to be assessed by a dedicated security mechanism known as a trust management system. This system aims to track nodes behaviours to detect untrustworthy elements and select reliable ones for collaborative services assistance. In turn, a trust management system is instantiated on a collaborative basis, wherein multiple nodes share their evidences about one another's trustworthiness. Based on an extensive analysis of prior trust management systems, we have identified a set of best practices that provided us guidance to design an effective trust management system for our collaborative keying protocols. This effectiveness was assessed by considering how the trust management system could fulfil specific requirements of our proposed approaches for key establishment in the context of the IoT. Performance analysis results show the proper functioning and effectiveness of the proposed system as compared with its counterparts that exist in the literatureEVRY-INT (912282302) / SudocSudocFranceF