
    Methods and Techniques for Dynamic Deployability of Software-Defined Security Services

    With the recent trend of "network softwarisation", enabled by emerging technologies such as Software-Defined Networking (SDN) and Network Function Virtualisation (NFV), system administrators of data centres and enterprise networks have started replacing dedicated hardware middleboxes with virtualised network functions running on servers and end hosts. This radical change has facilitated the provisioning of advanced and flexible network services, ultimately helping system administrators and network operators cope with rapid changes in service requirements and networking workloads. This thesis investigates the challenges of provisioning network security services in "softwarised" networks, where the security of residential and business users is provided by sets of software-based network functions running on high-performance servers or on commodity devices. The study is approached from the perspective of the telecom operator, whose goal is to protect customers from network threats and, at the same time, maximise the number of provisioned services, and thereby revenue. Specifically, the overall aim of the research presented in this thesis is to propose novel techniques for optimising the resource usage of software-based security services, and hence to increase the chances for the operator to accommodate more service requests while respecting the level of network security its customers require. In this direction, the contributions of this thesis are the following: (i) a solution for the dynamic provisioning of security services that minimises the utilisation of computing and network resources, and (ii) novel methods based on Deep Learning and Linux kernel technologies for reducing the CPU usage of software-based security network functions, with specific focus on the defence against Distributed Denial of Service (DDoS) attacks. The experimental results reported in this thesis demonstrate that the proposed solutions for service provisioning and DDoS defence require fewer computing resources than similar approaches available in the scientific literature or adopted in production networks.

    FLAD: Adaptive Federated Learning for DDoS Attack Detection

    Federated Learning (FL) has recently been receiving increasing consideration from the cybersecurity community as a way to collaboratively train deep learning models on distributed profiles of cyberthreats without disclosing the training data. Nevertheless, the adoption of FL in cybersecurity is still in its infancy, and a range of practical aspects have not been properly addressed yet. In particular, the Federated Averaging algorithm at the core of the FL concept requires the availability of test data to control the FL process. Although this might be feasible in some domains, test network traffic of newly discovered attacks cannot always be shared without disclosing sensitive information. In this paper, we address the convergence of the FL process in dynamic cybersecurity scenarios, where the trained model must be frequently updated with recent attack profiles so that all members of the federation benefit from the latest detection capabilities. To this end, we propose FLAD (adaptive Federated Learning Approach to DDoS attack detection), an FL solution for cybersecurity applications based on an adaptive mechanism that orchestrates the FL process by dynamically assigning more computation to those members whose attack profiles are harder to learn, without the need to share any test data to monitor the performance of the trained model. Using a recent dataset of DDoS attacks, we demonstrate that FLAD outperforms the original FL algorithm in terms of convergence time and accuracy across a range of unbalanced datasets of heterogeneous DDoS attacks. We also show the robustness of our approach in a realistic scenario, where we retrain the deep learning model multiple times to introduce the profiles of new attacks into a pre-trained model.
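    The abstract above describes the mechanism only in outline: clients train locally on traffic they never share, the server averages the resulting weights, and members whose attack profiles are harder to learn receive more computation, with no shared test set steering the process. The following added example (written for this page, not FLAD's code or the paper's exact algorithm) makes that loop concrete with a pure-Python logistic-regression detector. The client datasets are constructed, and the allocation rule (local epochs scaled by the training accuracy each client reports as a single scalar) is an assumption standing in for the paper's adaptive orchestration.

```python
import math
import random

# Added illustration of adaptive federated averaging for DDoS detection. All data below
# is constructed; the epoch-allocation rule is an assumption for this example, not
# FLAD's own mechanism.

def make_client_data(seed, n, margin, noise, flip_rate):
    """Constructed 2-feature flow samples: label 1 = attack, 0 = benign."""
    rng = random.Random(seed)
    data = []
    for i in range(n):
        y = i % 2                      # balanced classes
        centre = margin if y == 1 else -margin
        x = [centre + rng.gauss(0, noise), centre + rng.gauss(0, noise)]
        if rng.random() < flip_rate:   # label noise makes the profile harder to learn
            y = 1 - y
        data.append((x, y))
    return data

def default_clients():
    # easy, medium and hard attack profiles (constructed)
    return [make_client_data(1, 40, 3.0, 0.5, 0.0),
            make_client_data(2, 40, 2.0, 1.0, 0.05),
            make_client_data(3, 40, 1.0, 1.0, 0.10)]

def sigmoid(z):
    if z >= 0:
        return 1.0 / (1.0 + math.exp(-z))
    ez = math.exp(z)
    return ez / (1.0 + ez)

def predict(w, x):
    # w = [w1, w2, bias]
    return sigmoid(w[0] * x[0] + w[1] * x[1] + w[2])

def local_train(w, data, epochs, lr=0.1):
    """Full-batch gradient descent on the client's private data."""
    w = list(w)
    n = len(data)
    for _ in range(epochs):
        grad = [0.0, 0.0, 0.0]
        for x, y in data:
            err = predict(w, x) - y
            grad[0] += err * x[0]
            grad[1] += err * x[1]
            grad[2] += err
        w = [w[j] - lr * grad[j] / n for j in range(3)]
    return w

def accuracy(w, data):
    hits = sum(1 for x, y in data if (predict(w, x) >= 0.5) == (y == 1))
    return hits / len(data)

def fedavg(updates):
    """Sample-weighted average of client weights (Federated Averaging)."""
    total = sum(n for _, n in updates)
    return [sum(w[j] * n for w, n in updates) / total for j in range(3)]

def allocate_epochs(reported_acc, base=2, extra=8):
    """More local epochs for the clients reporting the lowest training accuracy.
    Only this scalar leaves each client; no test traffic is shared."""
    worst, best = min(reported_acc), max(reported_acc)
    spread = best - worst
    if spread == 0:
        return [base] * len(reported_acc)
    return [base + round(extra * (best - a) / spread) for a in reported_acc]

def run_federation(clients, rounds=5):
    """Returns the final global weights and the per-round epoch allocation."""
    w = [0.0, 0.0, 0.0]
    epochs = [2] * len(clients)
    history = []
    for _ in range(rounds):
        updates, reported = [], []
        for data, e in zip(clients, epochs):
            w_i = local_train(w, data, e)
            updates.append((w_i, len(data)))
            reported.append(accuracy(w_i, data))
        w = fedavg(updates)
        epochs = allocate_epochs(reported)
        history.append(list(epochs))
    return w, history

def global_accuracy(w, clients):
    everything = [s for c in clients for s in c]
    return accuracy(w, everything)

if __name__ == "__main__":
    clients = default_clients()
    w, history = run_federation(clients)
    print("epochs per round:", history)
    print("global accuracy:", round(global_accuracy(w, clients), 3))
```

    Running it shows the hard client receiving the most local epochs from the second round on, while the server never sees any client's samples, only weights and one accuracy figure per client. A real deployment would replace the toy classifier with the deep model and add the usual FL protections (secure aggregation, update clipping), which this example deliberately omits.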

    Relative motion estimation of a non-cooperative target satellite with a stereo vision system

    In the last decade there has been growing interest in the development of advanced navigation and control algorithms for proximity operations between satellites in orbit, used for instance to perform rendezvous and docking manoeuvres, remove space debris, or inspect satellites that are no longer operational or have suffered a malfunction. This thesis focuses on the estimation of the relative motion between two satellites, a controlled chaser and a non-operational target, based on a stereo-vision system. The scenario analysed is non-cooperative, i.e. the target satellite does not transmit its own dynamics to the chaser, in a context comparable to rendezvous manoeuvres with a decommissioned satellite. The experimental activity was carried out at the Mechanical and Thermal Measurements laboratory of the Department of Industrial Engineering of the University of Padua. The translational and rotational motion is estimated using a stereo camera that acquires images of the target satellite, in this case a mock-up of a 2U CubeSat that is free to rotate around one axis by means of a motorised rotary stage. By exploiting certain components of the SPARTANS facility, different experimental scenarios were analysed: two stationary and four rotational, with different attitudes and relative angular velocities. The equations of relative motion are non-linear, so an Extended Kalman Filter (EKF) is used for the estimation; the EKF is a widely used solution for estimation from noise-affected measurements, which in this case come from image analysis carried out in post-processing with MATLAB. The analysis of the stereo images first extracts features common to both images, which are then fed to the EKF to obtain an estimate of the relative motion. This estimate is then compared with a trusted reference provided by a Motion Capture system to evaluate its error. In particular, the estimation error was evaluated considering the influence of several factors: the number and distribution of features on the target, the image acquisition frequency, and initial conditions of the state vector more or less close to the reference value. The results indicate that, to obtain a low computational cost and at the same time a good estimate of the relative motion, features should be extracted from images acquired at a lower frequency, and the features need not be numerous: a small number suffices, provided they are distributed uniformly over the target.

    Resource-aware Cyber Deception in Cloud-Native Environments

    Cyber deception can be a valuable addition to traditional cyber defence mechanisms, especially for modern cloud-native environments with a fading security perimeter. However, the pre-built decoys used in classical computer networks are not effective at detecting and mitigating malicious actors, because they cannot blend in with the variety of applications in such environments. On the other hand, decoys that clone the deployed microservices of an application can offer a high-fidelity deception mechanism to intercept ongoing attacks within production environments. To fully benefit from this approach, however, it is essential to use a limited amount of decoy resources and to devise a suitable cloning strategy that minimises the impact on the performance of legitimate services. Following this observation, we formulate a non-linear integer optimisation problem that maximises the number of attack paths intercepted by the allocated decoys within a fixed resource budget. Attack paths represent the attacker's movements within the infrastructure as a sequence of compromised microservices. We also design a heuristic decoy placement algorithm to approximate the optimal solution and overcome the computational complexity of the proposed formulation. We evaluate the performance of the optimal and heuristic solutions against other schemes that use local vulnerability metrics to select which microservices to clone as decoys. Our results show that the proposed allocation strategy intercepts a higher number of attack paths than these schemes while requiring approximately the same number of decoys.
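    To make the placement problem tangible, here is an added example (written for this page; not the paper's formulation, heuristic or code) on a constructed microservice graph. Attack paths are sequences of services, each service has a constructed cost to clone as a decoy, and a path counts as intercepted when the attacker touches any cloned service on it (an assumption for this example). A generic cost-effectiveness greedy rule is compared against exhaustive search so the gap between a heuristic and the optimum is visible on a graph small enough to enumerate.

```python
from itertools import combinations

# Added illustration of budgeted decoy placement in a microservice graph. Attack paths
# and decoy costs are constructed; the interception rule (a path is caught if the
# attacker touches any cloned service on it) is an assumption, and the greedy rule is a
# generic cost-effectiveness heuristic, not the paper's algorithm.

ATTACK_PATHS = [
    ("ingress", "api", "auth", "db"),
    ("ingress", "api", "orders", "db"),
    ("ingress", "web", "cart", "orders"),
    ("ingress", "web", "search"),
    ("api", "payments", "db"),
]

# Cost (e.g. CPU units) of running a high-fidelity clone of each microservice.
DECOY_COST = {
    "ingress": 4, "api": 3, "web": 3, "auth": 1, "orders": 2,
    "db": 5, "cart": 1, "search": 1, "payments": 2,
}

def intercepted(decoys, paths):
    """Paths on which the attacker would hit at least one decoy."""
    return [p for p in paths if any(svc in decoys for svc in p)]

def greedy_placement(paths, cost, budget):
    """Repeatedly clone the service with the best (newly covered paths / cost) ratio
    that still fits the remaining budget. Returns (decoy set, #intercepted paths)."""
    decoys, remaining = set(), budget
    uncovered = list(paths)
    while uncovered:
        best, best_gain = None, 0.0
        for svc in cost:
            if svc in decoys or cost[svc] > remaining:
                continue
            gain = sum(1 for p in uncovered if svc in p) / cost[svc]
            if gain > best_gain:
                best, best_gain = svc, gain
        if best is None:          # nothing affordable still covers a new path
            break
        decoys.add(best)
        remaining -= cost[best]
        uncovered = [p for p in uncovered if best not in p]
    return decoys, len(paths) - len(uncovered)

def exact_placement(paths, cost, budget):
    """Exhaustive search over service subsets; only feasible for tiny graphs, but it
    shows how far the heuristic is from the optimum."""
    services = list(cost)
    best_set, best_count = set(), 0
    for r in range(len(services) + 1):
        for combo in combinations(services, r):
            if sum(cost[s] for s in combo) > budget:
                continue
            n = len(intercepted(set(combo), paths))
            if n > best_count:
                best_set, best_count = set(combo), n
    return best_set, best_count

if __name__ == "__main__":
    for budget in (4, 5):
        print(budget, greedy_placement(ATTACK_PATHS, DECOY_COST, budget),
              exact_placement(ATTACK_PATHS, DECOY_COST, budget))
```

    With a budget of 4 both methods intercept 4 of the 5 paths; with a budget of 5 the greedy rule still spends everything on cloning the ingress and stops at 4, while exhaustive search finds that cloning api, cart and search covers all 5. That is exactly the kind of gap the paper's evaluation measures between its heuristic and the optimal solution, and it is why a placement heuristic should be validated against the exact formulation on graphs small enough to solve.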

    Application-Centric Provisioning of Virtual Security Network Functions

    Network Function Virtualization (NFV) enables flexible implementation and provisioning of network functions as virtual machines running on commodity servers. Because multiple hosting servers are available, such network functions (also called Virtual Network Functions, VNFs) can be placed where they are actually needed and dynamically migrated, duplicated, or deleted according to current network requirements. However, the placement of VNFs within the physical network is one of the main challenges in the NFV domain, as it has a critical impact on the performance of the network. In this work we focus on the efficient placement of Virtual Security Network Functions (VSNFs), i.e. virtual network functions whose purpose is to prevent or mitigate network security threats. We tackle the placement problem not only from the perspective of performance optimisation, but also by seeking solutions that are consistent from the security viewpoint. Specifically, the main contribution of this paper is a formulation of the placement problem that takes into account both the security and the Quality of Service (QoS) requirements of user applications.

    Is There Light at the Ends of the Tunnel? Wireless Sensor Networks for Adaptive Lighting in Road Tunnels

    Existing deployments of wireless sensor networks (WSNs) are often conceived as stand-alone monitoring tools. In this paper, we report instead on a deployment where the WSN is a key component of a closed-loop control system for adaptive lighting in operational road tunnels. WSN nodes along the tunnel walls report light readings to a control station, which closes the loop by setting the intensity of the lamps to match a legislated curve. The ability to dynamically match the lighting levels to the actual environmental conditions improves tunnel safety and reduces power consumption. The use of WSNs in a closed-loop system, combined with the real-world, harsh setting of operational road tunnels, imposes tighter requirements on the quality and timeliness of sensed data, as well as on the reliability and lifetime of the network. In this work, we test to what extent mainstream WSN technology meets these challenges, using a dedicated design that nevertheless relies on well-established techniques. The paper describes the hardware/software architecture we devised, focusing on the WSN component, and analyses its performance through experiments in a real, operational tunnel.

    Hybrid SDN Evolution: A Comprehensive Survey of the State-of-the-Art

    Software-Defined Networking (SDN) is an evolutionary networking paradigm that has been adopted by large network and cloud providers, including the major technology companies. However, embracing a new paradigm as an alternative to the well-established and mature legacy networking paradigm requires a lot of time along with considerable financial resources and technical expertise. Consequently, many enterprises cannot afford it. A compromise solution is a hybrid networking environment (a.k.a. Hybrid SDN, hSDN), in which SDN functionalities are leveraged while the existing traditional network infrastructure is retained. Recently, hSDN has come to be seen as a viable networking solution for a diverse range of businesses and organisations, and the body of literature on hSDN research has grown remarkably. On this account, we present this paper as a comprehensive state-of-the-art survey that examines hSDN from many different perspectives.