7 research outputs found

    Tietoverkkojen valvonnan yhdenmukaistaminen

    Get PDF
    As the modern society is increasingly dependant on computer networks especially as the Internet of Things gaining popularity, a need to monitor computer networks along with associated devices increases. Additionally, the amount of cyber attacks is increasing and certain malware such as Mirai target especially network devices. In order to effectively monitor computer networks and devices, effective solutions are required for collecting and storing the information. This thesis designs and implements a novel network monitoring system. The presented system is capable of utilizing state-of-the-art network monitoring protocols and harmonizing the collected information using a common data model. This design allows effective queries and further processing on the collected information. The presented system is evaluated by comparing the system against the requirements imposed on the system, by assessing the amount of harmonized information using several protocols and by assessing the suitability of the chosen data model. Additionally, the protocol overheads of the used network monitoring protocols are evaluated. The presented system was found to fulfil the imposed requirements. Approximately 21% of the information provided by the chosen network monitoring protocols could be harmonized into the chosen data model format. The result is sufficient for effective querying and combining the information, as well as for processing the information further. The result can be improved by extending the data model and improving the information processing. Additionally, the chosen data model was shown to be suitable for the use case presented in this thesis.Yhteiskunnan ollessa jatkuvasti verkottuneempi erityisesti Esineiden Internetin kasvattaessa suosiotaan, tarve seurata sekä verkon että siihen liitettyjen laitteiden tilaa ja mahdollisia poikkeustilanteita kasvaa. Lisäksi tietoverkkohyökkäysten määrä on kasvamassa ja erinäiset haittaohjelmat kuten Mirai, ovat suunnattu erityisesti verkkolaitteita kohtaan. Jotta verkkoa ja sen laitteiden tilaa voidaan seurata, tarvitaan tehokkaita ratkaisuja tiedon keräämiseen sekä säilöntään. Tässä diplomityössä suunnitellaan ja toteutetaan verkonvalvontajärjestelmä, joka mahdollistaa moninaisten verkonvalvontaprotokollien hyödyntämisen tiedonkeräykseen. Lisäksi järjestelmä säilöö kerätyn tiedon käyttäen yhtenäistä tietomallia. Yhtenäisen tietomallin käyttö mahdollistaa tiedon tehokkaan jatkojalostamisen sekä haut tietosisältöihin. Diplomityössä esiteltävän järjestelmän ominaisuuksia arvioidaan tarkastelemalla, minkälaisia osuuksia eri verkonvalvontaprotokollien tarjoamasta informaatiosta voidaan yhdenmukaistaa tietomalliin, onko valittu tietomalli soveltuva verkonvalvontaan sekä varmistetaan esiteltävän järjestelmän täyttävän sille asetetut vaatimukset. Lisäksi työssä arvioidaan käytettävien verkonvalvontaprotokollien siirtämisen kiinteitä kustannuksia kuten otsakkeita. Työssä esitellyn järjestelmän todettiin täyttävän sille asetetut vaatimukset. Eri verkonvalvontaprotokollien tarjoamasta informaatiosta keskimäärin 21% voitiin harmonisoida tietomalliin. Saavutettu osuus on riittävä, jotta eri laitteista saatavaa informaatiota voidaan yhdistellä ja hakea tehokkaasti. Lukemaa voidaan jatkossa parantaa laajentamalla tietomallia sekä kehittämällä kerätyn informaation prosessointia. Lisäksi valittu tietomalli todettiin soveltuvaksi tämän diplomityön käyttötarkoitukseen

    A mid-level framework for independent network services configuration management

    Get PDF
    Tese doutoramento do Programa Doutoral em TelecomunicaçõesDecades of evolution in communication network’s resulted in a high diversity of solutions, not only in terms of network elements but also in terms of the way they are managed. From a management perspective, having heterogeneous elements was a feasible scenario over the last decades, where management activities were mostly considered as additional features. However, with the most recent advances on network technology, that includes proposals for future Internet as well as requirements for automation, scale and efficiency, new management methods are required and integrated network management became an essential issue. Most recent solutions aiming to integrate the management of heterogeneous network elements, rely on the application of semantic data translations to obtain a common representation between heterogeneous managed elements, thus enabling their management integration. However, the realization of semantic translations is very complex to be effectively achieved, requiring extensive processing of data to find equivalent representation, besides requiring the administrator’s intervention to create and validate conversions, since contemporary data models lack a formal semantic representation. From these constrains a research question arose: Is it possible to integrate the con g- uration management of heterogeneous network elements overcoming the use of manage- ment translations? In this thesis the author uses a network service abstraction to propose a framework for network service management, which comprehends the two essential management operations: monitoring and configuring. This thesis focus on describing and experimenting the subsystem responsible for the network services configurations management, named Mid-level Network Service Configuration (MiNSC), being the thesis most important contribution. The MiNSC subsystem proposes a new configuration management interface for integrated network service management based on standard technologies that includes an universal information model implemented on unique data models. This overcomes the use of management translations while providing advanced management functionalities, only available in more advanced research projects, that includes scalability and resilience improvement methods. Such functionalities are provided by using a two-layer distributed architecture, as well as over-provisioning of network elements. To demonstrate MiNSC’s management capabilities, a group of experiments was conducted, that included, configuration deployment, instance migration and expansion using a DNS management system as test bed. Since MiNSC represents a new architectural approach, with no direct reference for a quantitative evaluation, a theoretical analysis was conducted in order to evaluate it against important integrated network management perspectives. It was concluded that there is a tendency to apply management translations, being the most straightforward solution when integrating the management of heterogeneous management interfaces and/or data models. However, management translations are very complex to be realized, being its effectiveness questionable for highly heterogeneous environments. The implementation of MiNSC’s standard configuration management interface provides a simplified perspective that, by using universal configurations, removes translations from the management system. Its distributed architecture uses independent/universal configurations and over-provisioning of network elements to improve the service’s resilience and scalability, enabling as well a more efficient resource management by dynamically allocating resources as needed

    Un cadriciel pour la vérification en ligne, générique, flexible et évolutive de configurations de systèmes communicants complexes

    Get PDF
    Les systèmes communicants complexes constituent une base fondamentale de la vie d'aujourd'hui. Ils supportent de plus en plus de services et d'usages critiques, essentiels tant aux entreprises et administrations qu'à la société en général. L'exemple-type est celui d'Internet avec l'ensemble de ses services et usages variés, architectures et média allant de petits équipements mobiles comme les smartphones aux systèmes critiques à grande échelle comme les clusters de serveurs et le cloud. Il devient dès lors indispensable d'en garantir le fonctionnement effectif et continu. Pour ce faire, une vision consiste en la mise en œuvre de systèmes de gestion autonomes et adaptifs, capables de reconfigurer dynamiquement et en permanence ces systèmes afin de maintenir un état de fonctionnement désiré face à des conditions opérationnelles, instables et de moins en moins prévisibles. Un frein à l'exploitation effective des solutions de reconfiguration dynamique réside dans le manque de méthodes et de moyens garantissant l'effectivité et la sûreté de ces changements dynamiques de configurations. La contribution générale des travaux de cette thèse fournit des concepts, des méthodes et des outils qui favorisent la mise en œuvre d'une vérification en ligne de configurations. Notre démarche pour construire ce cadriciel a consisté dans un premier temps à définir un langage de haut niveau dédié à la spécification et la vérification de configurations. Nous avons architecturé dans un deuxième temps, un service de vérification générique, flexible et évolutive at runtime capable de manipuler les concepts définis dans ce langage. Enfin, nous avons défini une architecture de composants intermédiaires d'intégration de l'existant. Ce cadriciel permet de supporter un processus de vérification opérationnelle de configurations qui commence, en phase de conception par une spécification rigoureuse de modèles de configurations, puis se poursuit en phase d'exécution du système de gestion à travers une vérification automatique de configurations basée sur ces modèles. Le cadriciel a fait l'objet d'un prototype que nous avons expérimenté sur une série de cas issus de deux contextes applicatifs différents : la vérification de configurations d'un middleware orienté messages dans un environnement JMX et la vérification de configurations de machines virtuelles dans un environnement CIM/WBEM (standards du DMTF). Les résultats ont montré la faisabilité de l'approche ainsi que la capacité du cadriciel à soutenir une vérification en ligne, flexible et évolutive de configurations favorisant l'intégration de l'existant.Complex networked systems are a fundamental basis of today's life. They increasingly sup- port critical services and usages, essential both to businesses and the society at large. The evident example is the Internet with all its services and usages in a variety of forms, architectures and media ranging from small mobile devices such as smartphones to large-scale critical systems such as clusters of servers and cloud infrastructures. It is therefore crucial to ensure their effective and continuous operation. A vision to do this consists in the development of autonomous and adaptive management solutions, capable of dynamically and continuously reconfiguring these systems in order to maintain a desired state of operation in the face of unstable and unpredictable operational conditions. A main obstacle to the effective deployment of dynamic reconfiguration solutions is the lack of methods and means to ensure the effectiveness and safety of these dynamic con- figuration changes. The overall contribution of this thesis is to provide concepts, methods and tools to enable an online configuration verification. Our approach to build this framework was first to define a high-level language dedicated to the specification and verification of configurations. Second, we designed a generic flexible and adaptable runtime verification service, able to manipulate the concepts defined in this language. Finally, we defined an architecture of adapters for integrating existing systems and platforms. This allows our framework to support a runtime configuration verification process that starts at design time with a rigorous specification of configuration models and continues at runtime through automatic checking of configurations based on these models. The framework has been implemented in a prototype that has been experienced on a series of experiments from two different application domains: the verification of a messaging middle- ware's configurations in a JMX environment and the verification of virtual machines' configurations in a CIM/WBEM (DMTF standards) environment. The results showed the feasibility of our approach and the framework's ability to support a flexible and adaptable online verification of configurations that can be integrated with existing management solutions

    A web services based framework for efficient monitoring and event reporting.

    Get PDF
    Network and Service Management (NSM) is a research discipline with significant research contributions the last 25 years. Despite the numerous standardised solutions that have been proposed for NSM, the quest for an "all encompassing technology" still continues. A new technology introduced lately to address NSM problems is Web Services (WS). Despite the research effort put into WS and their potential for addressing NSM objectives, there are efficiency, interoperability, etc issues that need to be solved before using WS for NSM. This thesis looks at two techniques to increase the efficiency of WS management applications so that the latter can be used for efficient monitoring and event reporting. The first is a query tool we built that can be used for efficient retrieval of management state data close to the devices where they are hosted. The second technique is policies used to delegate a number of tasks from a manager to an agent to make WS-based event reporting systems more efficient. We tested the performance of these mechanisms by incorporating them in a custom monitoring and event reporting framework and supporting systems we have built, against other similar mechanisms (XPath) that have been proposed for the same tasks, as well as previous technologies such as SNMP. Through these tests we have shown that these mechanisms are capable of allowing us to use WS efficiently in various monitoring and event reporting scenarios. Having shown the potential of our techniques we also present the design and implementation challenges for building a GUI tool to support and enhance the above systems with extra capabilities. In summary, we expect that other problems WS face will be solved in the near future, making WS a capable platform for it to be used for NSM

    Gestion unifiée et dynamique de la sécurité : un cadriciel dirigé par les situations

    Get PDF
    Les systèmes de gestion de la sécurité (SGS) font le lien entre les exigences de sécurité et le domaine d'application technique. D'un côté, le SGS doit permettre à l'administrateur sécurité de traduire les exigences de sécurité en configurations de sécurité (appelé ici le processus de déploiement). De l'autre, il doit lui fournir des mécanismes de supervision (tels que des SIEM, IDS, fichiers de logs, etc.) afin de vérifier que l'état courant du système est toujours conforme aux exigences de sécurité (appelé ici processus de supervision). Aujourd'hui, garantir que les exigences de sécurité sont respectées nécessite une intervention humaine. En effet, les processus de déploiement et de supervision ne sont pas reliés entre eux. Ainsi, les SGS ne peuvent garantir que les exigences de sécurité sont toujours respectées lorsque le comportement du système change. Dans le cadre du projet européen PREDYKOT, nous avons tenté de boucler la boucle de gestion en intégrant les informations sur le changement de comportement du système et en les injectant dans le processus de déploiement. Cela permet de faire appliquer des mesures de sécurité dynamiques en fonction des changements de comportement du système. Toutefois, il existe diverses approches pour exprimer et mettre en œuvre des politiques de sécurité. Chaque solution de gestion est dédiée à des problématiques de gestion des autorisations ou à celles des configurations de sécurité. Chaque solution fournit son propre langage de politique, son propre modèle architectural et son propre protocole de gestion. Or, il est nécessaire de gérer à la fois les autorisations et les configurations de sécurité de manière unifiée. Notre contribution porte principalement sur trois points : Le retour d'information de supervision : Le processus de supervision capture le comportement dynamique du système au travers d'évènements. Chaque évènement transporte peu de sens. Nous proposons de considérer non pas les évènements individuellement mais de les agréger pour former des situations afin d'amener plus de sémantique sur l'état du système. Nous utilisons ce concept pour relier les exigences de sécurité, les changements dans le système et les politiques de sécurité à appliquer. Un nouvel agent, appelé gestionnaire de situations, est responsable de la gestion du cycle de vie des situations (début et fin de situation, etc.) Nous avons implanté cet agent grâce à la technologie de traitement des évènements complexes. Expression de la politique : Nous proposons d'utiliser le concept de situation comme élément central pour exprimer des politiques de sécurité dynamiques. Les décisions de sécurité peuvent être alors automatiquement dirigées par les situations sans avoir besoin de changer la règle courante. Nous appliquons l'approche de contrôle d'accès à base d'attributs pour spécifier nos politiques. Cette approche orientée par les situations facilite l'écriture des règles de sécurité mais aussi leur compréhension. De plus, ces politiques étant moins techniques, elles sont plus proches des besoins métiers. L'architecture de gestion : Nous présentons une architecture de gestion orientée événement qui supporte la mise en œuvre de politiques de sécurité dirigées par les situations. Considérer les messages de gestion en terme d'évènements, nous permet d'être indépendant de tout protocole de gestion. En conséquence, notre architecture couvre de manière unifiée les approches de gestion des autorisations comme des configurations (obligations) selon les modèles de contrôle de politiques en externalisation comme en approvisionnement. De plus, les agents de gestion sont adaptables et peuvent être dynamiquement améliorés avec de nouvelles fonctionnalités de gestion si besoin. Notre cadriciel a été complètement implanté et est conforme au standard XACMLv3 d'OASIS. Enfin, nous avons évalué la généricité de notre approche à travers quatre scénarii.A Security Management System (SMS) connects security requirements to the technical application domain. On the one hand, an SMS must allow the security administrator/officer to translate the security requirements into security configurations that is known as the enforcement process. On the other hand, it must supply the administrator/officer with monitoring features (SIEM, IDS, log files, etc.) to verify that the environments' changes do not affect the compliance to the predefined security requirements known as the monitoring process. Nowadays, guarantying security objectives requires a human intervention. Therefore, the SMS enforcement process is disconnected from the monitoring process. Thus, an SMS cannot dynamically guarantee that security requirements are still satisfied when environment behavior changings are observed. As part of the European project PREDYKOT, we have worked on closing the management loop by establishing a feedback on the dynamic behavior, captured from the environment, to impact the enforcement process. As a result, expressing and applying a dynamic security policy will be possible. However, many policy expression and enforcement approaches exist currently. Each security management solution is dedicated to some specific issues related to authorization or to system/network management. Each solution provides a specific policy language, an architectural model and a management protocol. Nevertheless, closing the management loop implies managing both authorizations and system/network configurations in a unified framework. Our contribution tackles the following three main issues: Feedback: The monitoring process captures the highly dynamics of the behavior through events. However, each event is not semantically associated with other events. We propose to get more semantics about behavior's changings thus introducing the concept of "situation" to be dealt with in security management applications. This concept aggregates events and links relevant security requirements, relevant behavior changes, and relevant policy rules. A new management agent, called the situation manager, has been added. The latter is responsible for the management process of the situations lifecycle (situation beginning and ending, etc.). We implement this software module using the complex event processing technology. Policy Expression: We propose to specify dynamic security policies oriented by situations. By doing so, the expression of the security policy rules becomes simpler to understand, easier to write and closer to the business and security needs. Hence, each relevant situation orients automatically the policy evaluation process towards a new dynamic decision that doesn't require updating the policy rules. We apply the attribute-based expression approach because of its ability to represent everything through attribute terms, which is a flexible way to express our dynamic policy rules. Enforcement Architecture: we propose a unified and adaptive architecture that supports situations-oriented policies enforcement. We choose to build an event-driven architecture. Exchanging management messages in terms of events allows our architecture to be independent from the management protocols. Thus, it covers in a unified way authorizations as well as configurations management approaches considering both provisioning and outsourcing policy control models. In addition, management agents are adaptable and can be upgraded dynamically with new management functionalities. Our framework has been implemented and is compliant with the OASIS XACMLv3 standard. Finally, we evaluated our contributed according to four different scenarios to prove its generic nature
    corecore