6 research outputs found

    Side Channel Attack-Aware Resource Allocation for URLLC and eMBB Slices in 5G RAN

    Network slicing is a key enabling technology to realize the provisioning of customized services in 5G paradigm. Due to logical isolation instead of physical isolation, network slicing is facing a series of security issues. Side Channel Attack (SCA) is a typical attack for slices that share resources in the same hardware. Considering the risk of SCA among slices, this paper investigates how to effectively allocate heterogeneous resources for the slices under their different security requirements. Then, a SCA-aware Resource Allocation (SCA-RA) algorithm is proposed for Ultra-reliable and Low-latency Communications (URLLC) and Enhanced Mobile Broadband (eMBB) slices in 5G RAN. The objective is to maximize the number of slices accommodated in 5G RAN. With dynamic slice requests, simulation is conducted to evaluate the performance of the proposed algorithm in two different network scenarios. Simulation results indicate that compared with benchmark, SCA-RA algorithm can effectively reduce blocking probability of slice requests. In addition, the usage of IT and transport resources is also optimized.

    Deep Learning-based Intra-slice Attack Detection for 5G-V2X Sliced Networks

    Peer reviewed. Connected and Automated Vehicles (CAVs) represent one of the main verticals of 5G to provide road safety, road traffic efficiency, and user convenience. As a key enabler of 5G, Network Slicing (NS) aims to create Vehicle-to-Everything (V2X) network slices with different network requirements on a shared and programmable physical infrastructure. However, NS has generated new network threats that might target CAVs leading to road hazards. More specifically, such attacks may target either the inner functioning of each V2X-NS (intra-slice) or break the NS isolation. In this paper, we aim to deal with the raised question of how to detect intra-slice V2X attacks. To do so, we leverage both Virtual Security as a Service (VSaS) concept and deep learning (DL) to deploy a set of DL-empowered security Virtual Network Functions (sVNFs) within V2X-NSs. These sVNFs are in charge of detecting such attacks, thanks to a DL model that we also build in this work. The proposed DL model is trained, validated, and tested using a publicly available dataset. The results show the efficiency and accuracy of our scheme to detect intra-slice V2X attacks.

    Federated Learning-based Inter-slice Attack Detection for 5G-V2X Sliced Networks

    As a leading enabler of 5G, Network Slicing (NS) aims at creating multiple virtual networks on the same shared and programmable physical infrastructure. Integrated with 5G-Vehicle-to-Everything (V2X) technology, NS enables various isolated 5G-V2X networks with different requirements such as autonomous driving and platooning. This combination has generated new attack surfaces against Connected and Automated Vehicles (CAVs), leading them to road hazards and putting users' lives in danger. More specifically, such attacks can be either intra-slice, targeting the internal service within each V2X Network Slice (V2X-NS), or inter-slice, targeting the cross V2X-NSs and breaking the isolation between them. However, detecting such attacks is challenging, especially inter-slice V2X attacks where security mechanisms should maintain privacy preservation and NS isolation. To this end, this paper addresses detecting inter-slice V2X attacks. To do so, we leverage both Virtual Security as a Service (VSaS) concept and Deep learning (DL) together with Federated learning (FL) to deploy a set of DL-empowered security Virtual Network Functions (sVNFs) over V2X-NSs. Our privacy preservation scheme is hierarchical and supports FL-based collaborative learning. It also integrates a game-theory-based mechanism to motivate FL clients (CAVs) to provide high-quality DL local models. We train, validate, and test our scheme using a publicly available dataset. The results show our scheme's accuracy and efficiency in detecting inter-slice V2X attacks.

    Graph-based feature enrichment for online intrusion detection in virtual networks

    The increasing number of connected devices to provide the required ubiquitousness of Internet of Things paves the way for distributed network attacks at an unprecedented scale. Graph theory, strengthened by machine learning techniques, improves an automatic discovery of group behavior patterns of network threats often omitted by traditional security systems. Furthermore, Network Function Virtualization is an emergent technology that accelerates the provisioning of on-demand security function chains tailored to an application. Therefore, repeatable compliance tests and performance comparison of such function chains are mandatory. The contributions of this dissertation are divided in two parts. First, we propose an intrusion detection system for online threat detection enriched by a graph-learning analysis. We develop a feature enrichment algorithm that infers metrics from a graph analysis. By using different machine learning techniques, we evaluated our algorithm for three network traffic datasets. We show that the proposed graph-based enrichment improves the threat detection accuracy up to 15.7% and significantly reduces the false positives rate. Second, we aim to evaluate intrusion detection systems deployed as virtual network functions. Therefore, we propose and develop SFCPerf, a framework for an automatic performance evaluation of service function chaining. To demonstrate SFCPerf functionality, we design and implement a prototype of a security service function chain, composed of our intrusion detection system and a firewall. We show the results of a SFCPerf experiment that evaluates the chain prototype on top of the open platform for network function virtualization (OPNFV).

    The growing number of connected IoT devices contributes to the occurrence of distributed denial-of-service attacks at an unprecedented scale. Graph theory, reinforced by machine learning techniques, improves the automatic discovery of group behavior patterns of network threats that are often missed by traditional security systems. In this sense, network function virtualization is an emerging technology that can accelerate the provisioning of on-demand security function chains for an application. Therefore, repeatable compliance tests and performance comparison of such function chains are mandatory. The contributions of this dissertation are separated into two parts. First, an intrusion detection system is proposed that uses graph-based enrichment to improve online threat detection. A feature enrichment algorithm is developed and evaluated using different machine learning techniques. The results show that graph-based enrichment improves threat detection accuracy by up to 15.7% and significantly reduces the number of false positives. Next, to evaluate intrusion detection systems deployed as virtual network functions, this work proposes and develops SFCPerf, a framework for automatic performance evaluation of network function chaining. To demonstrate the functionality of SFCPerf, a prototype of a security network function chain, composed of an intrusion detection system (IDS) and a firewall, is implemented and evaluated on the open platform for network function virtualization (OPNFV).

    Virtual Security as a Service for 5G Verticals

    No full text
    openaire: EC/H2020/731558/EU//ANASTACIA
    The future 5G systems ought to meet diverse requirements of new industry verticals, such as Massive Internet of Things (IoT), broadband access in dense networks and ultra-reliable communications. Network slicing is an important concept that is expected to support these 5G verticals and cope with the conflicting requirements of their respective services. Network slicing allows the deployment of multiple virtual networks, or slices, over the same physical infrastructure as well as supporting on-demand resource allocation to those slices. In this paper, we propose an architecture that will explore how both Network Function Virtualization (NFV) and Software Defined Networking (SDN) may be leveraged to secure a network slice on-demand, addressing the new security concerns imposed to the network management by the flexibility and elasticity support. Our proposed framework aims to ensure an optimal resource allocation that manages the slice security strategy in an efficient way. Moreover, experimental performance evaluations are presented to evaluate the security overhead in virtualized environments. Peer reviewed.