144 research outputs found
Impact of Processing-Resource Sharing on the Placement of Chained Virtual Network Functions
Network Function Virtualization (NFV) provides higher flexibility for network
operators and reduces the complexity in network service deployment. Using NFV,
Virtual Network Functions (VNF) can be located in various network nodes and
chained together in a Service Function Chain (SFC) to provide a specific
service. Consolidating multiple VNFs in a smaller number of locations would
allow decreasing capital expenditures. However, excessive consolidation of VNFs
might cause additional latency penalties due to processing-resource sharing,
and this is undesirable, as SFCs are bounded by service-specific latency
requirements. In this paper, we identify two different types of penalties
(referred as "costs") related to the processingresource sharing among multiple
VNFs: the context switching costs and the upscaling costs. Context switching
costs arise when multiple CPU processes (e.g., supporting different VNFs) share
the same CPU and thus repeated loading/saving of their context is required.
Upscaling costs are incurred by VNFs requiring multi-core implementations,
since they suffer a penalty due to the load-balancing needs among CPU cores.
These costs affect how the chained VNFs are placed in the network to meet the
performance requirement of the SFCs. We evaluate their impact while considering
SFCs with different bandwidth and latency requirements in a scenario of VNF
consolidation.Comment: Accepted for publication in IEEE Transactions on Cloud Computin
Tracking Normalized Network Traffic Entropy to Detect DDoS Attacks in P4
Distributed Denial-of-Service (DDoS) attacks represent a persistent threat to
modern telecommunications networks: detecting and counteracting them is still a
crucial unresolved challenge for network operators. DDoS attack detection is
usually carried out in one or more central nodes that collect significant
amounts of monitoring data from networking devices, potentially creating issues
related to network overload or delay in detection. The dawn of programmable
data planes in Software-Defined Networks can help mitigate this issue, opening
the door to the detection of DDoS attacks directly in the data plane of the
switches. However, the most widely-adopted data plane programming language,
namely P4, lacks supporting many arithmetic operations, therefore, some of the
advanced network monitoring functionalities needed for DDoS detection cannot be
straightforwardly implemented in P4. This work overcomes such a limitation and
presents two novel strategies for flow cardinality and for normalized network
traffic entropy estimation that only use P4-supported operations and guarantee
a low relative error. Additionally, based on these contributions, we propose a
DDoS detection strategy relying on variations of the normalized network traffic
entropy. Results show that it has comparable or higher detection accuracy than
state-of-the-art solutions, yet being simpler and entirely executed in the data
plane.Comment: Accepted by TDSC on 24/09/202
A Clustering Strategy for Enhanced FL-Based Intrusion Detection in IoT Networks
The Internet of Things (IoT) is growing rapidly and so the need of ensuring
protection against cybersecurity attacks to IoT devices. In this scenario,
Intrusion Detection Systems (IDSs) play a crucial role and data-driven IDSs
based on machine learning (ML) have recently attracted more and more interest
by the research community. While conventional ML-based IDSs are based on a
centralized architecture where IoT devices share their data with a central
server for model training, we propose a novel approach that is based on
federated learning (FL). However, conventional FL is ineffective in the
considered scenario, due to the high statistical heterogeneity of data
collected by IoT devices. To overcome this limitation, we propose a three-tier
FL-based architecture where IoT devices are clustered together based on their
statistical properties. Clustering decisions are taken by means of a novel
entropy-based strategy, which helps improve model training performance. We
tested our solution on the CIC-ToN-IoT dataset: our clustering strategy
increases intrusion detection performance with respect to a conventional FL
approach up to +17% in terms of F1-score, along with a significant reduction of
the number of training rounds
Performance Evaluation of Video Server Replication in Metro/Access Networks
Internet traffic is increasingly becoming a media-streaming traffic. Especially, Video-on-Demand (VoD) services are pushing the demand for broadband connectivity to the Internet, and optical fiber technology is being deployed in the access network to keep up with such increasing demand. To provide a more scalable network architecture for video delivery, network operators are currently considering novel metro/access network architectures which can accommodate replicated video servers directly in their infrastructure. When servers for VoD delivery are placed nearer to the end users, part of the traffic can be offloaded from the core segment of the network, and the end users can experience better Quality of Service (QoS). While the deployment of caching systems for traffic offloading has been studied in the core network, no work has already investigated the potential performance gains by replicating the content in the metro/access segment of the network, even closer to the users. In our work, we will compare the performance of video server replication in different metro/access network architectures, i.e. a metro ring architecture and a tree-based architecture, by considering both active and passive technologies. We will evaluate using both simulative and analytical methodologies how content providers could benefit from the deployment of replicas of video servers in terms of blocking probability of the VoD requests
In-Network Volumetric DDoS Victim Identification Using Programmable Commodity Switches
Volumetric distributed Denial-of-Service (DDoS) attacks have become one of
the most significant threats to modern telecommunication networks. However,
most existing defense systems require that detection software operates from a
centralized monitoring collector, leading to increased traffic load and delayed
response. The recent advent of Data Plane Programmability (DPP) enables an
alternative solution: threshold-based volumetric DDoS detection can be
performed directly in programmable switches to skim only potentially hazardous
traffic, to be analyzed in depth at the controller. In this paper, we first
introduce the BACON data structure based on sketches, to estimate
per-destination flow cardinality, and theoretically analyze it. Then we employ
it in a simple in-network DDoS victim identification strategy, INDDoS, to
detect the destination IPs for which the number of incoming connections exceeds
a pre-defined threshold. We describe its hardware implementation on a
Tofino-based programmable switch using the domain-specific P4 language, proving
that some limitations imposed by real hardware to safeguard processing speed
can be overcome to implement relatively complex packet manipulations. Finally,
we present some experimental performance measurements, showing that our
programmable switch is able to keep processing packets at line-rate while
performing volumetric DDoS detection, and also achieves a high F1 score on DDoS
victim identification.Comment: Accepted by IEEE Transactions on Network and Service Management
Special issue on Latest Developments for Security Management of Networks and
Service
Energy-efficient caching for Video-on-Demand in Fixed-Mobile Convergent networks
The success of novel bandwidth-consuming multimedia services such as Video-on-Demand (VoD) is leading to a tremendous growth of the Internet traffic. Content caching can help to mitigate such uncontrolled growth by storing video content closer to the users in core, metro and access network nodes. So far, metro and especially access networks supporting mobile and fixed users have evolved independently, leveraging logically (and often also physically) separate infrastructures; this means that mobile users cannot access caches placed in the fixed access network (and vice-versa), even if they are geographically close to them, and energy consumption implications of such undesired effect must be investigated. We define an optimization problem modeling an energy-efficient placement of caches in core, metro and fixed/mobile access nodes of the network. Then, we show how the evolution towards a Fixed-Mobile Converged metro/access network, where fixed and mobile users can share caches, can reduce the energy consumed for VoD content delivery
HDDP: Hybrid Domain Discovery Protocol for heterogeneous devices in SDN
Computer networks are adopting the new Software-Defined Networking (SDN) architecture, however not all devices can support it, mainly due to power and computational constraints. This paper proposes the Hybrid Domain Discovery Protocol (HDDP), a new discovery protocol that enhances theexisting OpenFlow Discovery Protocol (OFDP). HDDP allows thediscovery of hybrid network topologies composed of both SDNand non-SDN devices, which no other state-of-the-art protocolcan achieve. HDDP has been implemented in a software switchand emulated in diverse networks, where it discovers hybrid topologies by using a number of messages similar to competitors,as they only discover SDN devices.Comunidad de MadridUniversidad de Alcal
Performance Characterization and Profiling of Chained CPU-bound Virtual Network Functions
The increased demand for high-quality Internet connectivity resulting from the growing number of connected devices and advanced services has put significant strain on telecommunication networks. In response, cutting-edge technologies such as Network Function Virtualization (NFV) and Software Defined Networking (SDN) have been introduced to transform network infrastructure. These innovative solutions offer dynamic, efficient, and easily manageable networks that surpass traditional approaches. To fully realize the benefits of NFV and maintain the performance level of specialized equipment, it is critical to assess the behavior of Virtual Network Functions (VNFs) and the impact of virtualization overhead. This paper delves into understanding how various factors such as resource allocation, consumption, and traffic load impact the performance of VNFs. We aim to provide a detailed analysis of these factors and develop analytical functions to accurately describe their impact. By testing VNFs on different testbeds, we identify the key parameters and trends, and develop models to generalize VNF behavior. Our results highlight the negative impact of resource saturation on performance and identify the CPU as the main bottleneck. We also propose a VNF profiling procedure as a solution to model the observed trends and test more complex VNFs deployment scenarios to evaluate the impact of interconnection, co-location, and NFV infrastructure on performance
- …