29 research outputs found

    Methods and Techniques for Dynamic Deployability of Software-Defined Security Services

    With the recent trend of “network softwarisation”, enabled by emerging technologies such as Software-Defined Networking and Network Function Virtualisation, system administrators of data centres and enterprise networks have started replacing dedicated hardware-based middleboxes with virtualised network functions running on servers and end hosts. This radical change has facilitated the provisioning of advanced and flexible network services, ultimately helping system administrators and network operators to cope with the rapid changes in service requirements and networking workloads. This thesis investigates the challenges of provisioning network security services in “softwarised” networks, where the security of residential and business users can be provided by means of sets of software-based network functions running on high performance servers or on commodity devices. The study is approached from the perspective of the telecom operator, whose goal is to protect the customers from network threats and, at the same time, maximize the number of provisioned services, and thereby revenue. Specifically, the overall aim of the research presented in this thesis is proposing novel techniques for optimising the resource usage of software-based security services, hence for increasing the chances for the operator to accommodate more service requests while respecting the desired level of network security of its customers. In this direction, the contributions of this thesis are the following: (i) a solution for the dynamic provisioning of security services that minimises the utilisation of computing and network resources, and (ii) novel methods based on Deep Learning and Linux kernel technologies for reducing the CPU usage of software-based security network functions, with specific focus on the defence against Distributed Denial of Service (DDoS) attacks. 
The experimental results reported in this thesis demonstrate that the proposed solutions for service provisioning and DDoS defence require fewer computing resources, compared to similar approaches available in the scientific literature or adopted in production networks.

    FLAD: Adaptive Federated Learning for DDoS Attack Detection

    Federated Learning (FL) has been recently receiving increasing consideration from the cybersecurity community as a way to collaboratively train deep learning models with distributed profiles of cyberthreats, with no disclosure of training data. Nevertheless, the adoption of FL in cybersecurity is still in its infancy, and a range of practical aspects have not been properly addressed yet. Indeed, the Federated Averaging algorithm at the core of the FL concept requires the availability of test data to control the FL process. Although this might be feasible in some domains, test network traffic of newly discovered attacks cannot be always shared without disclosing sensitive information. In this paper, we address the convergence of the FL process in dynamic cybersecurity scenarios, where the trained model must be frequently updated with new recent attack profiles to empower all members of the federation with latest detection features. To this aim, we propose FLAD (adaptive Federated Learning Approach to DDoS attack detection), a FL solution for cybersecurity applications based on an adaptive mechanism that orchestrates the FL process by dynamically assigning more computation to those members whose attacks profiles are harder to learn, without the need of sharing any test data to monitor the performance of the trained model. Using a recent dataset of DDoS attacks, we demonstrate that FLAD outperforms the original FL algorithm in terms of convergence time and accuracy across a range of unbalanced datasets of heterogeneous DDoS attacks. We also show the robustness of our approach in a realistic scenario, where we retrain the deep learning model multiple times to introduce the profiles of new attacks on a pre-trained model

    Resource-aware Cyber Deception in Cloud-Native Environments

    Cyber deception can be a valuable addition to traditional cyber defense mechanisms, especially for modern cloud-native environments with a fading security perimeter. However, pre-built decoys used in classical computer networks are not effective in detecting and mitigating malicious actors due to their inability to blend with the variety of applications in such environments. On the other hand, decoys cloning the deployed microservices of an application can offer a high-fidelity deception mechanism to intercept ongoing attacks within production environments. However, to fully benefit from this approach, it is essential to use a limited amount of decoy resources and devise a suitable cloning strategy to minimize the impact on legitimate services performance. Following this observation, we formulate a non-linear integer optimization problem that maximizes the number of attack paths intercepted by the allocated decoys within a fixed resource budget. Attack paths represent the attacker's movements within the infrastructure as a sequence of violated microservices. We also design a heuristic decoy placement algorithm to approximate the optimal solution and overcome the computational complexity of the proposed formulation. We evaluate the performance of the optimal and heuristic solutions against other schemes that use local vulnerability metrics to select which microservices to clone as decoys. Our results show that the proposed allocation strategy achieves a higher number of intercepted attack paths compared to these schemes while requiring approximately the same number of decoys

    Application-Centric Provisioning of Virtual Security Network Functions

    Network Function Virtualization (NFV) enables flexible implementation and provisioning of network functions as virtual machines running on commodity servers. Due to the availability of multiple hosting servers, such network functions (also called Virtual Network Functions (VNFs)) can be placed where they are actually needed, dynamically migrated, duplicated, or deleted according to the current network requirements. However, the placement of VNFs within the physical network is one of the main challenges in the NFV domain as it has a critical impact on the performance of the network. In this work we focus on efficient placement of Virtual Security Network Functions (VSNFs), i.e. the placement of virtual network functions whose purpose is to prevent or mitigate network security threats. In this regard, we tackle the placement problem not only considering performance optimization aspects, but also trying to find solutions that are consistent from the security viewpoint. Specifically, the main contribution of this paper is the formulation of the placement problem by taking into account both Security and Quality of Service (QoS) requirements of user applications

    Hybrid SDN Evolution: A Comprehensive Survey of the State-of-the-Art

    Software-Defined Networking (SDN) is an evolutionary networking paradigm which has been adopted by large network and cloud providers, among which are Tech Giants. However, embracing a new and futuristic paradigm as an alternative to well-established and mature legacy networking paradigm requires a lot of time along with considerable financial resources and technical expertise. Consequently, many enterprises can not afford it. A compromise solution then is a hybrid networking environment (a.k.a. Hybrid SDN (hSDN)) in which SDN functionalities are leveraged while existing traditional network infrastructures are acknowledged. Recently, hSDN has been seen as a viable networking solution for a diverse range of businesses and organizations. Accordingly, the body of literature on hSDN research has improved remarkably. On this account, we present this paper as a comprehensive state-of-the-art survey which expands upon hSDN from many different perspectives

    The cancellation of ICMS credits as a form of retaliation in the tax war: an analysis of the reception of art. 8, I, of LC nº 24/75 in light of the Federal Constitution of 1988

    Undergraduate final course work (thesis), Universidade de Brasília, Faculdade de Direito, 2017. This study seeks to analyze the compatibility between art. 8, line I, of Supplementary Law (LC) nº 24/75, and the current Brazilian Constitution, to verify if the aforementioned legal device was received by the new legal order instituted by the Constitution of 1988. The article provides the possibility of credits cancellation, as a form of retaliation by the States and by the Federal District in the tax war, and has been used as a support for the editing of normative acts by the federative units since the end of last century, until present day. On the occasions in which it was judged by the Brazilian Supreme Court (STF) and by the Brazilian Superior Court of Justice (STJ), the issue presented different solutions, although the last cases judged tend to follow the non-reception of art. 8, line I, of LC nº 24/75. All the current lawsuits involving the controversy are suspended, due to the recognition of the general repercussion of the matter by the STF, in Special Appeal (RE) n° 628.075. Taking into consideration a context of federative conflict, represented by the tax war, this study aimed to, through doctrinal and jurisprudential research, draw the premises for the definition of credits cancellation, as foreseen in the analyzed legal device. In addition, the study intends to verify if the compatibility between the article and the Constitution subsists after the analysis of the main points of criticism to the device. At last, it was observed that art. 8, line I, of LC nº 24/75, was not received by the current Constitution, since it was not supported by the constitutional norms of legal security, non-cumulativity, legality and reasonableness.

    FLAD: Adaptive Federated Learning for DDoS Attack Detection

    Federated Learning (FL) has been recently receiving increasing consideration from the cybersecurity community as a way to collaboratively train deep learning models with distributed profiles of cyber threats, with no disclosure of training data. Nevertheless, the adoption of FL in cybersecurity is still in its infancy, and a range of practical aspects have not been properly addressed yet. Indeed, the Federated Averaging algorithm at the core of the FL concept requires the availability of test data to control the FL process. Although this might be feasible in some domains, test network traffic of newly discovered attacks cannot be always shared without disclosing sensitive information. In this paper, we address the convergence of the FL process in dynamic cybersecurity scenarios, where the trained model must be frequently updated with new recent attack profiles to empower all members of the federation with the latest detection features. To this aim, we propose FLAD (adaptive Federated Learning Approach to DDoS attack detection), an FL solution for cybersecurity applications based on an adaptive mechanism that orchestrates the FL process by dynamically assigning more computation to those members whose attacks profiles are harder to learn, without the need of sharing any test data to monitor the performance of the trained model. Using a recent dataset of DDoS attacks, we demonstrate that FLAD outperforms state-of-the-art FL algorithms in terms of convergence time and accuracy across a range of unbalanced datasets of heterogeneous DDoS attacks. We also show the robustness of our approach in a realistic scenario, where we retrain the deep learning model multiple times to introduce the profiles of new attacks on a pre-trained model