Beyond The Cloud, How Should Next Generation Utility Computing Infrastructures Be Designed?

To accommodate the ever-increasing demand for Utility Computing (UC) resources, while taking into account both energy and economical issues, the current trend consists in building larger and larger data centers in a few strategic locations. Although such an approach enables to cope with the actual demand while continuing to operate UC resources through centralized software system, it is far from delivering sustainable and efficient UC infrastructures. We claim that a disruptive change in UC infrastructures is required: UC resources should be managed differently, considering locality as a primary concern. We propose to leverage any facilities available through the Internet in order to deliver widely distributed UC platforms that can better match the geographical dispersal of users as well as the unending demand. Critical to the emergence of such locality-based UC (LUC) platforms is the availability of appropriate operating mechanisms. In this paper, we advocate the implementation of a unified system driving the use of resources at an unprecedented scale by turning a complex and diverse infrastructure into a collection of abstracted computing facilities that is both easy to operate and reliable. By deploying and using such a LUC Operating System on backbones, our ultimate vision is to make possible to host/operate a large part of the Internet by its internal structure itself: A scalable and nearly infinite set of resources delivered by any computing facilities forming the Internet, starting from the larger hubs operated by ISPs, government and academic institutions to any idle resources that may be provided by end-users. Unlike previous researches on distributed operating systems, we propose to consider virtual machines (VMs) instead of processes as the basic element. System virtualization offers several capabilities that increase the flexibility of resources management, allowing to investigate novel decentralized schemes.Afin de supporter la demande croissante de calcul utilitaire (UC) tout en prenant en compte les aspects énergétique et financier, la tendance actuelle consiste à construire des centres de données (ou centrales numériques) de plus en plus grands dans un nombre limité de lieux stratégiques. Cette approche permet sans aucun doute de satisfaire la demande tout en conservant une approche centralisée de la gestion de ces ressources mais elle reste loin de pouvoir fournir des infrastructures de calcul utilitaire efficaces et durables. Après avoir indiqué pourquoi cette tendance n'est pas appropriée, nous proposons au travers de ce rapport, une proposition radicalement différente. De notre point de vue, les ressources de calcul utilitaire doivent être gérées de manière à pouvoir prendre en compte la localité des demandes dès le départ. Pour ce faire, nous proposons de tirer parti de tous les équipements disponibles sur l'Internet afin de fournir des infrastructures de calcul utilitaire qui permettront de part leur distribution de prendre en compte plus efficacement la dispersion géographique des utilisateurs et leur demande toujours croissante. Un des aspects critique pour l'émergence de telles plates-formes de calcul utilitaire ''local'' (LUC) est la disponibilité de mécanismes de gestion appropriés. Dans la deuxième partie de ce document, nous défendons la mise en oeuvre d'un système unifié gérant l'utilisation des ressources à une échelle sans précédent en transformant une infrastructure complexe et hétérogène en une collection d'équipements virtualisés qui seront à la fois plus simples à gérer et plus sûrs. En déployant un système de type LUC sur les coeurs de réseau, notre vision ultime est de rendre possible l'hébergement et la gestion de l'Internet sur sa propre infrastructure interne: un ensemble de ressources extensible et quasiment infini fourni par n'importe quel équipement constituant l'Internet, partant des gros noeud réseaux gérés par les ISPs, les gouvernements et les institutions acadèmiques jusqu'à n'importe quelle ressource inactive fournie par les utilisateurs finaux. Contrairement aux approches précédentes appliquées aux systèmes distribués, nous proposons de considérer les machines virtuelles comme la granularité élémentaire du système (à la place des processus). La virtualisation système offre plusieurs fonctionnalités qui améliorent la flexibilité de la gestion de ressources, permettant l'étude de nouveaux schémas de décentralisation

Sécurité des Systèmes Distribués Virtualisés : De la Modélisation au Déploiement

This Thesis deals with security for virtualized distributed environments such as Clouds. In these environments, a client can access resources or services (compute, storage, etc.) on-demand without prior knowledge of the infrastructure underneath. These services are low-cost due to the mutualization of resources. As a result, the clients share a common infrastructure. However, the concentration of businesses and critical data makes Clouds more attractive for malicious users, especially when considering new attack vectors between tenants.Nowadays, Cloud providers offer default security or security by design which does not fit tenants' custom needs. This gap allows for multiple attacks (data thieft, malicious usage, etc.)In this Thesis, we propose a user-centric approach where a tenant models both its security needs as high-level properties and its virtualized application. These security objectives are based on a new logic dedicated to expressing system-based information flow properties. Then, we propose security-aware algorithm to automatically deploy the application and enforce the security properties. The enforcement can be realized by taking into account shared resources during placement decision and/or through the configuration of existing security mechanisms.Cette thèse s'intéresse à la sécurité des environnements virtualisés distribués type “Clouds” ou informatique en nuage. Dans ces environnements, le client bénéficie de ressources ou services (de calcul, stockage, etc.) à la demande sans connaissance de l'infrastructure sous-jacente. Ces services sont proposés à bas coût en mutualisant les ressources proposées aux clients. Ainsi, ces derniers se retrouvent à partager une infrastructure commune. Cependant, cette concentration des activités en fait une cible privilégiée pour un attaquant, d'autant plus intéressante que les Clouds présentent de nouveaux vecteurs d'attaque entre les clients du Clouds de part le partage des ressources. Actuellement, les fournisseurs de solutions de Cloud proposent une sécurité par défaut ne correspondant pas nécessairement aux besoins de sécurité des clients. Cet aspect est donc bien souvent négligé et cette situation donne lieu à de nombreux exemples d'attaques (vol de données, usage malicieux, etc.). Dans cette thèse, nous proposons une approche où le client spécifie ses besoins de sécurité ainsi que son application virtualisée au sein d'un modèle. Nous proposons notamment une nouvelle logique dédiée à l'expression de propriétés sur la propagation de l'information dans un système.Puis, nous proposons un déploiement automatique de ce modèle sur une infrastructure de type Cloud basée sur la virtualisation grâce à nos nouveaux algorithmes prenant en compte les propriétés de sécurité. Ces dernières sont assurées via un placement prenant en compte les risques d'attaques entre ressources partagées et/ou via la configuration de mécanismes de sécurité existants au sein du système

Optimizing energy-efficiency for multi-core packet processing systems in a compiler framework

Network applications become increasingly computation-intensive and the amount of traffic soars unprecedentedly nowadays. Multi-core and multi-threaded techniques are thus widely employed in packet processing system to meet the changing requirement. However, the processing power cannot be fully utilized without a suitable programming environment. The compilation procedure is decisive for the quality of the code. It can largely determine the overall system performance in terms of packet throughput, individual packet latency, core utilization and energy efficiency. The thesis investigated compilation issues in networking domain first, particularly on energy consumption. And as a cornerstone for any compiler optimizations, a code analysis module for collecting program dependency is presented and incorporated into a compiler framework. With that dependency information, a strategy based on graph bi-partitioning and mapping is proposed to search for an optimal configuration in a parallel-pipeline fashion. The energy-aware extension is specifically effective in enhancing the energy-efficiency of the whole system. Finally, a generic evaluation framework for simulating the performance and energy consumption of a packet processing system is given. It accepts flexible architectural configuration and is capable of performingarbitrary code mapping. The simulation time is extremely short compared to full-fledged simulators. A set of our optimization results is gathered using the framework

Artificial intelligence empowered virtual network function deployment and service function chaining for next-generation networks

The entire Internet of Things (IoT) ecosystem is directing towards a high volume of diverse applications. From smart healthcare to smart cities, every ubiquitous digital sector provisions automation for an immersive experience. Augmented/Virtual reality, remote surgery, and autonomous driving expect high data rates and ultra-low latency. The Network Function Virtualization (NFV) based IoT infrastructure of decoupling software services from proprietary devices has been extremely popular due to cutting back significant deployment and maintenance expenditure in the telecommunication industry. Another substantially highlighted technological trend for delaysensitive IoT applications has emerged as multi-access edge computing (MEC). MEC brings NFV to the network edge (in closer proximity to users) for faster computation. Among the massive pool of IoT services in NFV context, the urgency for efficient edge service orchestration is constantly growing. The emerging challenges are addressed as collaborative optimization of resource utilities and ensuring Quality-ofService (QoS) with prompt orchestration in dynamic, congested, and resource-hungry IoT networks. Traditional mathematical programming models are NP-hard, hence inappropriate for time-sensitive IoT environments. In this thesis, we promote the need to go beyond the realms and leverage artificial intelligence (AI) based decision-makers for “smart” service management. We offer different methods of integrating supervised and reinforcement learning techniques to support future-generation wireless network optimization problems. Due to the combinatorial explosion of some service orchestration problems, supervised learning is more superior to reinforcement learning performance-wise. Unfortunately, open access and standardized datasets for this research area are still in their infancy. Thus, we utilize the optimal results retrieved by Integer Linear Programming (ILP) for building labeled datasets to train supervised models (e.g., artificial neural networks, convolutional neural networks). Furthermore, we find that ensemble models are better than complex single networks for control layer intelligent service orchestration. Contrarily, we employ Deep Q-learning (DQL) for heavily constrained service function chaining optimization. We carefully address key performance indicators (e.g., optimality gap, service time, relocation and communication costs, resource utilization, scalability intelligence) to evaluate the viability of prospective orchestration schemes. We envision that AI-enabled network management can be regarded as a pioneering tread to scale down massive IoT resource fabrication costs, upgrade profit margin for providers, and sustain QoS mutuall

Cross-VM network attacks & their countermeasures within cloud computing environments

Cloud computing is a contemporary model in which the computing resources are dynamically scaled-up and scaled-down to customers, hosted within large-scale multi-tenant systems. These resources are delivered as improved, cost-effective and available upon request to customers. As one of the main trends of IT industry in modern ages, cloud computing has extended momentum and started to transform the mode enterprises build and offer IT solutions. The primary motivation in using cloud computing model is cost-effectiveness. These motivations can compel Information and Communication Technologies (ICT) organizations to shift their sensitive data and critical infrastructure on cloud environments. Because of the complex nature of underlying cloud infrastructure, the cloud environments are facing a large number of challenges of misconfigurations, cyber-attacks, root-kits, malware instances etc which manifest themselves as a serious threat to cloud environments. These threats noticeably decline the general trustworthiness, reliability and accessibility of the cloud. Security is the primary concern of a cloud service model. However, a number of significant challenges revealed that cloud environments are not as much secure as one would expect. There is also a limited understanding regarding the offering of secure services in a cloud model that can counter such challenges. This indicates the significance of the fact that what establishes the threat in cloud model. One of the main threats in a cloud model is of cost-effectiveness, normally cloud providers reduce cost by sharing infrastructure between multiple un-trusted VMs. This sharing has also led to several problems including co-location attacks. Cloud providers mitigate co-location attacks by introducing the concept of isolation. Due to this, a guest VM cannot interfere with its host machine, and with other guest VMs running on the same system. Such isolation is one of the prime foundations of cloud security for major public providers. However, such logical boundaries are not impenetrable. A myriad of previous studies have demonstrated how co-resident VMs could be vulnerable to attacks through shared file systems, cache side-channels, or through compromising of hypervisor layer using rootkits. Thus, the threat of cross-VM attacks is still possible because an attacker uses one VM to control or access other VMs on the same hypervisor. Hence, multiple methods are devised for strategic VM placement in order to exploit co-residency. Despite the clear potential for co-location attacks for abusing shared memory and disk, fine grained cross-VM network-channel attacks have not yet been demonstrated. Current network based attacks exploit existing vulnerabilities in networking technologies, such as ARP spoofing and DNS poisoning, which are difficult to use for VM-targeted attacks. The most commonly discussed network-based challenges focus on the fact that cloud providers place more layers of isolation between co-resided VMs than in non-virtualized settings because the attacker and victim are often assigned to separate segmentation of virtual networks. However, it has been demonstrated that this is not necessarily sufficient to prevent manipulation of a victim VM’s traffic. This thesis presents a comprehensive method and empirical analysis on the advancement of co-location attacks in which a malicious VM can negatively affect the security and privacy of other co-located VMs as it breaches the security perimeter of the cloud model. In such a scenario, it is imperative for a cloud provider to be able to appropriately secure access to the data such that it reaches to the appropriate destination. The primary contribution of the work presented in this thesis is to introduce two innovative attack models in leading cloud models, impersonation and privilege escalation, that successfully breach the security perimeter of cloud models and also propose countermeasures that block such types of attacks. The attack model revealed in this thesis, is a combination of impersonation and mirroring. This experimental setting can exploit the network channel of cloud model and successfully redirects the network traffic of other co-located VMs. The main contribution of this attack model is to find a gap in the contemporary network cloud architecture that an attacker can exploit. Prior research has also exploited the network channel using ARP poisoning, spoofing but all such attack schemes have been countered as modern cloud providers place more layers of security features than in preceding settings. Impersonation relies on the already existing regular network devices in order to mislead the security perimeter of the cloud model. The other contribution presented of this thesis is ‘privilege escalation’ attack in which a non-root user can escalate a privilege level by using RoP technique on the network channel and control the management domain through which attacker can manage to control the other co-located VMs which they are not authorized to do so. Finally, a countermeasure solution has been proposed by directly modifying the open source code of cloud model that can inhibit all such attacks

Management And Security Of Multi-Cloud Applications

Single cloud management platform technology has reached maturity and is quite successful in information technology applications. Enterprises and application service providers are increasingly adopting a multi-cloud strategy to reduce the risk of cloud service provider lock-in and cloud blackouts and, at the same time, get the benefits like competitive pricing, the flexibility of resource provisioning and better points of presence. Another class of applications that are getting cloud service providers increasingly interested in is the carriers\u27 virtualized network services. However, virtualized carrier services require high levels of availability and performance and impose stringent requirements on cloud services. They necessitate the use of multi-cloud management and innovative techniques for placement and performance management. We consider two classes of distributed applications – the virtual network services and the next generation of healthcare – that would benefit immensely from deployment over multiple clouds. This thesis deals with the design and development of new processes and algorithms to enable these classes of applications. We have evolved a method for optimization of multi-cloud platforms that will pave the way for obtaining optimized placement for both classes of services. The approach that we have followed for placement itself is predictive cost optimized latency controlled virtual resource placement for both types of applications. To improve the availability of virtual network services, we have made innovative use of the machine and deep learning for developing a framework for fault detection and localization. Finally, to secure patient data flowing through the wide expanse of sensors, cloud hierarchy, virtualized network, and visualization domain, we have evolved hierarchical autoencoder models for data in motion between the IoT domain and the multi-cloud domain and within the multi-cloud hierarchy

Enabling Technologies for Ultra-Reliable and Low Latency Communications: From PHY and MAC Layer Perspectives

© 1998-2012 IEEE. Future 5th generation networks are expected to enable three key services-enhanced mobile broadband, massive machine type communications and ultra-reliable and low latency communications (URLLC). As per the 3rd generation partnership project URLLC requirements, it is expected that the reliability of one transmission of a 32 byte packet will be at least 99.999% and the latency will be at most 1 ms. This unprecedented level of reliability and latency will yield various new applications, such as smart grids, industrial automation and intelligent transport systems. In this survey we present potential future URLLC applications, and summarize the corresponding reliability and latency requirements. We provide a comprehensive discussion on physical (PHY) and medium access control (MAC) layer techniques that enable URLLC, addressing both licensed and unlicensed bands. This paper evaluates the relevant PHY and MAC techniques for their ability to improve the reliability and reduce the latency. We identify that enabling long-term evolution to coexist in the unlicensed spectrum is also a potential enabler of URLLC in the unlicensed band, and provide numerical evaluations. Lastly, this paper discusses the potential future research directions and challenges in achieving the URLLC requirements

Tactful Networking: Humans in the Communication Loop

International audienceThis survey discusses the human-perspective into networking through the Tactful Networking paradigm, whose goal is to add perceptive senses to the network by assigning it with human-like capabilities of observation, interpretation, and reaction to daily-life features and associated entities. To achieve this, knowledge extracted from inherent human behavior in terms of routines, personality, interactions, and others is leveraged, empowering the learning and prediction of user needs to improve QoE and system performance while respecting privacy and fostering new applications and services. Tactful Networking groups solutions from literature and innovative interdisciplinary human aspects studied in other areas. The paradigm is motivated by mobile devices' pervasiveness and increasing presence as a sensor in our daily social activities. With the human element in the foreground, it is essential: (i) to center big data analytics around individuals; (ii) to create suitable incentive mechanisms for user participation; (iii) to design and evaluate both humanaware and system-aware networking solutions; and (iv) to apply prior and innovative techniques to deal with human-behavior sensing and learning. This survey reviews the human aspect in networking solutions through over a decade, followed by discussing the tactful networking impact through literature in behavior analysis and representative examples. This paper also discusses a framework comprising data management, analytics, and privacy for enhancing human raw-data to assist Tactful Networking solutions. Finally, challenges and opportunities for future research are presented