    On fault-tolerance and security in MPLS networks

    Multi-Protocol Label Switching (MPLS) is an evolving network technology that is used to provide Traffic Engineering (TE) and high-speed networking. Internet service providers that support MPLS technology are increasingly required to provide high Quality of Service (QoS) guarantees and security. One of the aspects of QoS is fault tolerance. It is defined as the property of a system to continue operating in the event of failure of some of its parts. Fault tolerance techniques are very useful for maintaining the survivability of the network by recovering from failure within acceptable delay and with minimum packet loss while efficiently utilizing network resources. On the other hand, with the increasing deployment of MPLS networks, security concerns have been raised. The basic architecture of MPLS networks does not support security aspects such as data confidentiality, data integrity, and availability. MPLS technology emerged mainly to provide high-speed packet delivery. As a result, security considerations were not discussed thoroughly until recent demands for security emerged from most providers and researchers. In this thesis, we propose a new method that has a two-fold objective: to provide fault tolerance and to enhance security in MPLS networks. Our approach uses a modified (k, n) threshold sharing scheme (TSS) combined with multi-path routing. An IP packet entering an MPLS network is partitioned into n MPLS packets, each of which is assigned to a disjoint or maximally disjoint Label Switched Path (LSP) across the MPLS network. Receiving MPLS packets from k out of n LSPs is sufficient to reconstruct the original IP packet. From the security point of view, the modified TSS provides data confidentiality, integrity, availability and IP spoofing. In addition, fault tolerance in MPLS is supported using reasonable resources. Recovery from node/link failure and/or transmission errors is provided with no delay or packet loss.
    Packet re-ordering may not be required if packets are lost due to failure. However, sequencing is considered in our approach to identify packets with transmission errors. In order to provide fault tolerance, our scheme requires n > k. However, for security purposes, if the target is only to provide data confidentiality, then a modified (k, k) TSS algorithm is sufficient and consequently no significant redundant bandwidth is required. To verify that our approach does not require long processing time, we conducted simulations that show the modified TSS processing time does not significantly affect the packet transmission time. RSVP-TE is the MPLS signaling protocol used to establish LSPs. Extensions required to support multi-path routing in RSVP-TE are also studied. The impact of multi-path routing and modified TSS on MPLS security and fault tolerance is investigated and compared with single-path routing. The connection intrusion probability and connection failure probability show lower values when multi-path routing is used. The application of the IPSec security protocol in MPLS networks is also investigated. Finally, we applied the modified threshold sharing scheme to MPLS multicast networks, where both the source-specific tree approach and the group-shared tree approach are considered.

    A multi-dimension taxonomy of insider threats in cloud computing

    Security is considered a significant deficiency in cloud computing, and the insider threat problem exacerbates security concerns in the cloud. In addition, cloud computing is very complex by itself, because it encompasses numerous technologies and concepts. Apparently, overcoming these challenges requires substantial effort from information security researchers to develop powerful mitigation solutions for this emerging problem. This entails developing a taxonomy of insider threats in cloud environments that encompasses all potential abnormal activities in the cloud and can be useful for conducting security assessments. This paper describes the first phase of ongoing research to develop a framework for mitigating insider threats in cloud computing environments. Primarily, it presents a multidimensional taxonomy of insider threats in cloud computing and demonstrates its viability. The taxonomy provides a fundamental understanding of this complicated problem by identifying five dimensions. It also supports security engineers in identifying hidden paths, and thus in determining proper countermeasures, and presents guidance covering all boundaries of the insider threat issue in clouds, hence facilitating researchers’ endeavours in tackling this problem. For instance, according to the hierarchical taxonomy, many significant issues clearly exist in public clouds, while conventional insider mitigation solutions can be used in private clouds. Finally, the taxonomy assists in identifying future research directions in this emerging area.

    A new approach for testing buffer overflow vulnerabilities in C and C++

    With the high growth of computer technology, and especially the fast growth of computer networks and the internet, buffer overflows are the most notorious and widely publicized attacks. This problem poses a predominant threat to the secure operation of networks and, in particular, internet-based applications. In this thesis, a combined static and dynamic testing approach for detecting buffer overflow vulnerabilities is implemented. Compared to other approaches, the tool presents more features and aims to increase accuracy and efficiency while scanning C and C++ source code. The main idea behind our approach is to rewrite the vulnerable source code so that the modified code uses the new safe-call version of the old vulnerable C and C++ function. If rewriting is impossible, the tool gives different types of warnings, depending on the complexity of the function syntax, format, and other factors detailed in this thesis. Moreover, the tool provides a description of the problem. If a warning is issued, this helps the programmer solve the security problem. The new approach brings the false positive and false negative factors down as low as possible. (Abstract shortened by UMI.)

    An Effective Classification Approach for Big Data Security Based on GMPLS/MPLS Networks

    The need for effective approaches to handle big data, which is characterized by its large volume, different types, and high velocity, is vital and hence has recently attracted the attention of several research groups. This is especially the case when traditional data processing techniques and capabilities have proved insufficient in that regard. Another aspect that is equally important while processing big data is its security, as emphasized in this paper. Accordingly, we propose to process big data in two different tiers. The first tier classifies the data based on its structure and on whether security is required or not. In contrast, the second tier analyzes and processes the data based on volume, variety, and velocity factors. Simulation results demonstrated that using classification feedback from an MPLS/GMPLS core network proved to be key in reducing the data evaluation and processing time.

    Work in Progress – Establishing a Master Program in Cyber Physical Systems: Basic Findings and Future Perspectives

    © 2020 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other uses, in any current or future media, including reprinting/republishing this material for advertising or promotional purposes, creating new collective works, for resale or redistribution to servers or lists, or reuse of any copyrighted component of this work in other works. This paper reports on the basic findings and future perspectives of a capacity-building project funded by the European Union. The International Master of Science on Cyber Physical Systems (MS@CPS) is a collaborative project that aims to establish a master program in cyber physical systems (CPS). A consortium composed of nine partners proposed the project. Three partners are European, from Germany, the UK and Sweden, while the other six partners are from the South Mediterranean region and include Palestine, Jordan and Tunisia. The consortium is led by the University of Siegen in Germany, which also manages the implementation of the work packages. CPS is an emerging engineering subject with significant economic and societal implications, which motivated the consortium to propose the establishment of a master program offering educational and training opportunities at graduate level in the fields of CPS. In this paper, CPS as a field of study is introduced with an emphasis on its importance, especially with regard to meeting local needs. A brief description of the project is presented in conjunction with the methodology for developing the courses and their learning outcomes.

    Exploiting stack-based buffer overflow using modern day techniques

    Context-aware multifaceted trust framework for evaluating trustworthiness of cloud providers

    With the rapidly increasing number of cloud-based services, selecting a service provider is becoming more and more difficult. Among the many factors to be considered, trust in a given service and in a service provider is often critical. Appraisal of trust is a complex process: information about the offered service's quality needs to be collected from a number of sources, while user requirements may place different emphasis on the various quality indicators. Several frameworks have been proposed to facilitate service provider selection; however, only very few of them are built on existing cloud standards, and adaptability to different contexts is still a challenge. This paper proposes a new trust framework, called Context-Aware Multifaceted Trust Framework (CAMFT), to assist in evaluating trust in cloud service providers. CAMFT is flexible and context aware: it considers trust factors, users and services. When making recommendations, CAMFT employs a combination of mathematical methods that depend on the type of trust factors, and it takes both service characteristics and user perspective into account. A case study is also presented to demonstrate CAMFT's applicability to practical cases.

    Security of VoIP traffic over low or limited bandwidth networks

    The early days of voice over IP (VoIP) adoption were characterized by a lack of concern and awareness about security issues related to its use. Indeed, service providers and users were mostly preoccupied with issues related to its quality, functionality, and cost. Now that VoIP is a mainstream communication technology, security has become a major issue. This paper investigates the major security threats for VoIP communications and proposes a multipath approach as a solution, especially targeted at low-bandwidth networks. Results show that security has an effect on VoIP quality, especially for large distances between communicating nodes and large packet sizes. Results also show that our proposed multipath solution significantly reduces packet losses and performs better than single-routing techniques in networks with low bandwidth capacities.