Filters: Keyword is network function virtualization
2023-06-22
Ashodia, Namita, Makadiya, Kishan.  2022.  Detection and Mitigation of DDoS attack in Software Defined Networking: A Survey. 2022 International Conference on Sustainable Computing and Data Communication Systems (ICSCDS). :1175–1180.

Software Defined Networking (SDN) is an emerging technology which provides flexibility in communication among networks. Software Defined Networking features separation of the data forwarding plane from the control plane, which includes the controller, resulting in a centralized network. Due to centralized control, the network becomes more dynamic, and resources are managed efficiently and cost-effectively. Network Virtualization is the transformation of the network from hardware-based to software-based. Network Function Virtualization will permit the implementation, adaptable provisioning, and even management of functions virtually. The use of virtualization in SDN networks permits the network to strengthen the features of SDN and the virtualization of NFV, and has for that reason attracted notable research awareness over the last few years. The SDN platform introduces network security challenges. The network becomes vulnerable when a large number of requests is encapsulated inside packet_in messages and passed from the switch to the controller for instruction if they are not recognized by existing flow entry rules, which will limit the resources and become a bottleneck for the entire network, leading to a DDoS attack. It is necessary to have quick provisional methods to prevent the switches from breaking down. To resolve this problem, the researcher develops a mechanism that detects and mitigates flood attacks. This paper provides a comprehensive survey which includes research relating to frameworks which are utilized for detecting and later mitigating flood DDoS attacks in Software Defined Networks (SDN) with the help of NFV.

2023-04-28
Dutta, Ashutosh, Hammad, Eman, Enright, Michael, Behmann, Fawzi, Chorti, Arsenia, Cheema, Ahmad, Kadio, Kassi, Urbina-Pineda, Julia, Alam, Khaled, Limam, Ahmed et al..  2022.  Security and Privacy. 2022 IEEE Future Networks World Forum (FNWF). :1–71.
The digital transformation brought on by 5G is redefining current models of end-to-end (E2E) connectivity and service reliability to include security-by-design principles necessary to enable 5G to achieve its promise. 5G trustworthiness highlights the importance of embedding security capabilities from the very beginning while the 5G architecture is being defined and standardized. Security requirements need to overlay and permeate through the different layers of 5G systems (physical, network, and application) as well as different parts of an E2E 5G architecture within a risk-management framework that takes into account the evolving security-threats landscape. 5G presents a typical use-case of wireless communication and computer networking convergence, where 5G fundamental building blocks include components such as Software Defined Networks (SDN), Network Functions Virtualization (NFV) and the edge cloud. This convergence extends many of the security challenges and opportunities applicable to SDN/NFV and cloud to 5G networks. Thus, 5G security needs to consider additional security requirements (compared to previous generations) such as SDN controller security, hypervisor security, orchestrator security, cloud security, edge security, etc. At the same time, 5G networks offer security improvement opportunities that should be considered. Here, 5G architectural flexibility, programmability and complexity can be harnessed to improve resilience and reliability. The working group scope fundamentally addresses the following:
• 5G security considerations need to overlay and permeate through the different layers of the 5G systems (physical, network, and application) as well as different parts of an E2E 5G architecture including a risk management framework that takes into account the evolving security threats landscape.
• 5G exemplifies a use-case of heterogeneous access and computer networking convergence, which extends a unique set of security challenges and opportunities (e.g., related to SDN/NFV and edge cloud, etc.) to 5G networks. Similarly, 5G networks by design offer potential security benefits and opportunities through harnessing the architecture flexibility, programmability and complexity to improve its resilience and reliability.
• The IEEE FNI security WG's roadmap framework follows a taxonomic structure, differentiating the 5G functional pillars and corresponding cybersecurity risks. As part of cross collaboration, the security working group will also look into the security issues associated with other roadmap working groups within the IEEE Future Network Initiative.
ISSN: 2770-7679
2023-02-17
Jimenez, Maria B., Fernandez, David.  2022.  A Framework for SDN Forensic Readiness and Cybersecurity Incident Response. 2022 IEEE Conference on Network Function Virtualization and Software Defined Networks (NFV-SDN). :112–116.
SDN represents a significant advance for the telecom world, since the decoupling of the control and data planes offers numerous advantages in terms of management dynamism and programmability, mainly due to its software-based centralized control. Unfortunately, these features can be exploited by malicious entities, who take advantage of the centralized control to extend the scope and consequences of their attacks. When this happens, both the legal and network technical fields are concerned with gathering information that will lead them to the root cause of the problem. Although forensics and incident response processes share their interest in the event information, both operate in isolation due to the conceptual and pragmatic challenges of integrating them into SDN environments, which impacts the resources and time required for information analysis. Given these limitations, the current work focuses on proposing a framework for SDNs that combines the above approaches to optimize the resources to deliver evidence, incorporate incident response activation mechanisms, and generate assumptions about the possible origin of the security problem.
2022-09-20
Zhao, Lianying, Oshman, Muhammad Shafayat, Zhang, Mengyuan, Moghaddam, Fereydoun Farrahi, Chander, Shubham, Pourzandi, Makan.  2021.  Towards 5G-ready Security Metrics. ICC 2021 - IEEE International Conference on Communications. :1—6.
The fifth-generation (5G) mobile telecom network has been garnering interest in both academia and industry, with better flexibility and higher performance compared to previous generations. Along with functionality improvements, new attack vectors also made way. Network operators and regulatory organizations wish to have a more precise idea about the security posture of 5G environments. Meanwhile, various security metrics for IT environments have been around and attracted the community’s attention. However, 5G-specific factors are less taken into consideration. This paper considers such 5G-specific factors to identify potential gaps if existing security metrics are to be applied to the 5G environments. In light of the layered nature and multi-ownership, the paper proposes a new approach to the modular computation of security metrics based on cross-layer projection as a means of information sharing between layers. Finally, the proposed approach is evaluated through simulation.
2022-05-24
Fazea, Yousef, Mohammed, Fathey, Madi, Mohammed, Alkahtani, Ammar Ahmed.  2021.  Review on Network Function Virtualization in Information-Centric Networking. 2021 International Conference of Technology, Science and Administration (ICTSA). :1–6.
Network function virtualization (NFV / VNF) and information-centric networking (ICN) are two trending technologies that have attracted experts' attention. NFV is a technique in which network functions (NFs) are decoupled from dedicated hardware to run on commodity hardware and create virtual communication services. The virtualized class nodes can bring several advantages such as reduced Operating Expenses (OPEX) and Capital Expenses (CAPEX). On the other hand, ICN is a technique that breaks the host-centric paradigm and shifts the focus to “named information”, i.e., content-centric communication. ICN provides a highly efficient content retrieval network architecture where popular contents are cached to minimize duplicate transmissions and allow mobile users to access popular contents from caches of network gateways. This paper investigates the implementation of NFV in ICN. Besides, it reviews and discusses the weaknesses and strengths of each architecture in a critical analysis of both network architectures. Eventually, it highlights the current issues and future challenges of both architectures.
2021-11-08
Qian, Dazan, Guo, Songhui, Sun, Lei, Liu, Haidong, Hao, Qianfang, Zhang, Jing.  2020.  Trusted Virtual Network Function Based on vTPM. 2020 7th International Conference on Information Science and Control Engineering (ICISCE). :1484–1488.
Mobile communication technology is developing rapidly, and it is integrated with technologies such as Software Defined Network (SDN), cloud computing, and Network Function Virtualization (NFV). Network Functions (NFs) are no longer deployed on dedicated hardware devices, but are instead deployed in Virtual Machines (VMs) or containers as Virtual Network Functions (VNFs). If VNFs are tampered with or replaced, the communication system will not function properly. Our research is to enhance the security of VNFs using trusted computing technology. By adding a Virtual Trusted Platform Module (vTPM) to the virtualization platform, the chain of trust extends from the VM operating system to the VNFs within the VM. Experimental results prove that the solution can effectively protect the integrity of VNFs from being attacked.
2021-09-30
Zhang, Qingqing, Tang, Hongbo, You, Wei, Li, Yingle.  2020.  A Method for Constructing Heterogeneous Entities Pool in NFV Security Architecture Based on Mimic Defense. 2020 IEEE 6th International Conference on Computer and Communications (ICCC). :1029–1033.
The characteristics of resource sharing and centralized deployment of network function virtualization (NFV) make the physical boundary under the traditional closed management mode disappear, bringing many new security threats to the network. To improve the security of the NFV network, this paper proposes a network function virtualization security architecture based on mimic defense. At the same time, to ensure the differences between heterogeneous entities, a genetic algorithm-based heterogeneous entities pool construction method is proposed. Simulation results show that this method can effectively guarantee the difference between heterogeneous entities and increase the difficulty for attackers.
Lina, Zhu, Dongzhao, Zhu.  2020.  A New Network Security Architecture Based on SDN / NFV Technology. 2020 International Conference on Computer Engineering and Application (ICCEA). :669–675.
The new network based on software-defined networking (SDN) and network function virtualization (NFV) will replace the traditional network, so it is urgent to study the network security architecture based on the new network environment. This paper presents a software-defined security (SDS) architecture. It is open and universal. It provides an open interface for security services, security devices, and security management. It enables different network security vendors to deploy security products and security solutions. It can realize the deployment, arrangement and customization of virtual security functions (VSFs). It implements fine-grained data flow control and security policy management. The author analyzes the different types of attacks that different parts of the system are vulnerable to. The defender can disable the network attacks by changing the server-side security configuration scheme. The future research direction of network security is put forward.
2021-08-17
Tseng, Chia-Wei, Wu, Li-Fan, Hsu, Shih-Chun, Yu, Sheng-Wang.  2020.  IPv6 DoS Attacks Detection Using Machine Learning Enhanced IDS in SDN/NFV Environment. 2020 21st Asia-Pacific Network Operations and Management Symposium (APNOMS). :263–266.
The rapid growth of IPv6 traffic makes security issues more important. This paper proposes an IPv6 network security system that integrates signature-based Intrusion Detection Systems (IDS) and machine learning classification technologies to improve the accuracy of IPv6 denial-of-service (DoS) attack detection. In addition, this paper has also enhanced IPv6 network security defense capabilities through software-defined networking (SDN) and network function virtualization (NFV) technologies. The experimental results prove that the detection and defense mechanisms proposed in this paper can effectively strengthen IPv6 network security.
2021-07-07
Antevski, Kiril, Groshev, Milan, Baldoni, Gabriele, Bernardos, Carlos J..  2020.  DLT federation for Edge robotics. 2020 IEEE Conference on Network Function Virtualization and Software Defined Networks (NFV-SDN). :71–76.
The concept of federation in 5G and NFV networks aims to provide orchestration of services across multiple administrative domains. Edge robotics, as a field of robotics, implements the robot control on the network edge by relying on low-latency and reliable access connectivity. In this paper, we propose a solution that enables an Edge robotics service to expand its service footprint or access coverage over multiple administrative domains. We propose the application of distributed ledger technologies (DLTs) for the federation procedures to enable private, secure and trusty interactions between undisclosed administrative domains. The solution is applied on a real-case Edge robotics experimental scenario. The results show that it takes around 19 seconds to deploy and federate an Edge robotics service in an external/anonymous domain without any service down-time.
2021-06-24
Iffländer, Lukas, Beierlieb, Lukas, Fella, Nicolas, Kounev, Samuel, Rawtani, Nishant, Lange, Klaus-Dieter.  2020.  Implementing Attack-aware Security Function Chain Reordering. 2020 IEEE International Conference on Autonomic Computing and Self-Organizing Systems Companion (ACSOS-C). :194—199.
Attack-awareness recognizes self-awareness for security systems regarding the occurring attacks. More frequent and intense attacks on cloud and network infrastructures are pushing security systems to the limit. With the end of Moore's Law, merely scaling against these attacks is no longer economically justified. Previous works have already dealt with the adoption of Software-defined Networking and Network Function Virtualization in security systems and used both approaches to optimize performance by the intelligent placement of security functions. In our previous works, we already made a case for taking the order of security functions into account and dynamically adapting this order. In this work, we propose a reordering framework, provide a proof-of-concept implementation, and validate this implementation in an evaluation environment. The framework's evaluation proves the feasibility of our concept.
2021-05-13
Suriano, Antonio, Striccoli, Domenico, Piro, Giuseppe, Bolla, Raffele, Boggia, Gennaro.  2020.  Attestation of Trusted and Reliable Service Function Chains in the ETSI-NFV Framework. 2020 6th IEEE Conference on Network Softwarization (NetSoft). :479—486.

The new generation of digital services is natively conceived as an ordered set of Virtual Network Functions, deployed across boundaries and organizations. In this context, security threats, variable network conditions, computational and memory capabilities and software vulnerabilities may significantly weaken the whole service chain, thus making it very difficult to combat the newest kinds of attacks. It is thus extremely important to conceive a flexible (and standard-compliant) framework able to attest the trustworthiness and the reliability of each single function of a Service Function Chain. At the time of this writing, and to the best of the authors' knowledge, the scientific literature has addressed all of these problems almost separately. To bridge this gap, this paper proposes a novel methodology, properly tailored within the ETSI-NFV framework. From one side, Software-Defined Controllers continuously monitor the properties and the performance indicators taken from the networking domains of each single Virtual Network Function available in the architecture. From another side, a high-level orchestrator combines, on demand, the suitable Virtual Network Functions into a Service Function Chain, based on the user requests, targeted security requirements, and measured reliability levels. The paper concludes by further explaining the functionalities of the proposed architecture through a use case.

2021-04-08
Dinh, N., Tran, M., Park, Y., Kim, Y..  2020.  An Information-centric NFV-based System Implementation for Disaster Management Services. 2020 International Conference on Information Networking (ICOIN). :807–810.
When disasters occur, they not only affect human life. Therefore, communication in disaster management is very important. During the disaster recovery phase, the network infrastructure may be partially fragmented and mobile rescue operations may involve many teams with different roles which can dynamically change. Therefore, disaster management services require high flexibility both in terms of network infrastructure management and rescue group communication. Existing studies have shown that IP-based or traditional telephony solutions are not well-suited to deal with such flexible group communication and network management due to their connection-oriented communication, no built-in support for mobile devices, and no mechanism for network fragmentation. Recent studies show that information-centric networking offers scalable and flexible communication based on its name-based, interest-oriented communication approach. However, considering the difficulty of deploying a new service on the existing network, the programmability and virtualization of the network are required. This paper presents our implementation of an information-centric disaster management system based on network function virtualization (vICSNF). We show a proof-of-concept system with a case study for Seoul disaster management services. The system achieves flexibility both in terms of network infrastructure management and rescue group communication. Obtained testbed results show that vICSNF achieves a low communication overhead compared to the IP-based approach, and the auto-configuration of vICSNFs enables the quick deployment of disaster management services in disaster scenarios.
2021-03-30
Cheng, S.-T., Zhu, C.-Y., Hsu, C.-W., Shih, J.-S..  2020.  The Anomaly Detection Mechanism Using Extreme Learning Machine for Service Function Chaining. 2020 International Computer Symposium (ICS). :310—315.

The age of the wireless network has already advanced to the fifth generation (5G) era. With software-defined networking (SDN) and network function virtualization (NFV), various scenarios can be implemented in the 5G network. Cloud computing, for example, is one of the important application scenarios for implementing SDN/NFV solutions. The emerging container technologies, such as Docker, can provide more agile service provisioning than virtual machines can in cloud environments. It is a trend that virtual network functions (VNFs) tend to be deployed in the form of containers. The services provided by clouds can be formed by service function chaining (SFC) consisting of containerized VNFs. Nevertheless, challenges and limitations regarding SFCs are reported in the literature. Various network services are bound to rely heavily on these novel technologies; however, the development of related technologies often emphasizes functions and ignores security issues. One noticeable issue is SFC integrity. In brief, SFC integrity concerns whether the paths that traffic flows actually traverse are consistent with the predefined paths of the service chains. In order to examine SFC integrity in the cloud-native environment of the 5G network, we propose a framework that can be integrated with NFV management and orchestration (MANO) in this work. The core of this framework is the anomaly detection mechanism for SFC integrity. The learning algorithm of our mechanism is based on the extreme learning machine (ELM). The proposed mechanism is evaluated by its performance, such as the accuracy of our ELM model. This paper concludes with discussions and future research work.

2021-03-04
Hashemi, M. J., Keller, E..  2020.  Enhancing Robustness Against Adversarial Examples in Network Intrusion Detection Systems. 2020 IEEE Conference on Network Function Virtualization and Software Defined Networks (NFV-SDN). :37—43.

The increase of cyber attacks in both number and variety in recent years demands the building of a more sophisticated network intrusion detection system (NIDS). These NIDS perform better when they can monitor all the traffic traversing the network, such as when deployed on a Software-Defined Network (SDN). Because of their inability to detect zero-day attacks, signature-based NIDS, which were traditionally used for detecting malicious traffic, are beginning to be replaced by anomaly-based NIDS built on neural networks. However, recently it has been shown that such NIDS have their own drawback, namely being vulnerable to adversarial example attacks. Moreover, they were mostly evaluated on old datasets which don't represent the variety of attacks network systems might face these days. In this paper, we present Reconstruction from Partial Observation (RePO) as a new mechanism to build an NIDS with the help of denoising autoencoders, capable of detecting different types of network attacks in a low false alert setting with enhanced robustness against adversarial example attacks. Our evaluation conducted on a dataset with a variety of network attacks shows denoising autoencoders can improve detection of malicious traffic by up to 29% in a normal setting and by up to 45% in an adversarial setting compared to other recently proposed anomaly detectors.

2020-10-05
Chowdhary, Ankur, Alshamrani, Adel, Huang, Dijiang.  2019.  SUPC: SDN enabled Universal Policy Checking in Cloud Network. 2019 International Conference on Computing, Networking and Communications (ICNC). :572–576.

Multi-tenant cloud networks have various security and monitoring service functions (SFs) that constitute a service function chain (SFC) between two endpoints. SF rule ordering overlaps and policy conflicts can cause increased latency, service disruption and security breaches in cloud networks. Software Defined Network (SDN) based Network Function Virtualization (NFV) has emerged as a solution that allows dynamic SFC composition and traffic steering in a cloud network. We propose an SDN enabled Universal Policy Checking (SUPC) framework to provide: 1) flow composition and ordering, by translating various SF rules into the OpenFlow format, which ensures elimination of redundant rules and policy compliance in the SFC; and 2) flow conflict analysis, to identify conflicts in header space and actions between various SF rules. Our results show a significant reduction in SF rules on composition. Additionally, our conflict checking mechanism was able to identify several rule conflicts that pose security, efficiency, and service availability issues in the cloud network.

Scott-Hayward, Sandra, Arumugam, Thianantha.  2018.  OFMTL-SEC: State-based Security for Software Defined Networks. 2018 IEEE Conference on Network Function Virtualization and Software Defined Networks (NFV-SDN). :1–7.
Dynamic network security services have been proposed exploiting the benefits of Software Defined Networking (SDN) and Network Functions Virtualization (NFV) technologies. However, many of these services rely on controller interaction, which presents a performance and scalability challenge, and a threat vector. To overcome the performance issue, stateful data-plane designs have been proposed. Unfortunately, these solutions do not offer protection from attacks that exploit the SDN implementation of network functions such as topology and path update, or services such as the Address Resolution Protocol (ARP). In this work, we propose state-based SDN security protection mechanisms. Our stateful security data plane solution, OFMTL-SEC, is designed to provide protection against attacks on SDN and traditional network services. Specifically, we present a novel data plane protection against configuration-based attacks in SDN and against ARP spoofing. OFMTL-SEC is compared with the state-of-the-art solutions and offers increased security to SDNs with negligible performance impact.
2020-07-27
Xu, Shuiling, Ji, Xinsheng, Liu, Wenyan.  2019.  Enhancing the Reliability of NFV with Heterogeneous Backup. 2019 IEEE 3rd Information Technology, Networking, Electronic and Automation Control Conference (ITNEC). :923–927.
Virtual network functions provide tenants with flexible and scalable end-to-end service chaining in cloud computing and data center environments. However, compared with traditional hardware network devices, the uncertainty caused by the software and virtualization of Network Function Virtualization expands the attack surface, making the network node vulnerable to certain types of attacks. The existing approaches for solving the problem of reliability are able to reduce the impact of failure of physical devices, but pay little attention to the attack scenario, which could be persistent and covert. In this paper, a heterogeneous backup strategy is put forward, enhancing the intrusion tolerance of the NFV SFC by dynamically switching the VNF executor. The validity of the method is verified by simulation and game theory analysis.
2020-06-01
Vural, Serdar, Minerva, Roberto, Carella, Giuseppe A., Medhat, Ahmed M., Tomasini, Lorenzo, Pizzimenti, Simone, Riemer, Bjoern, Stravato, Umberto.  2018.  Performance Measurements of Network Service Deployment on a Federated and Orchestrated Virtualisation Platform for 5G Experimentation. 2018 IEEE Conference on Network Function Virtualization and Software Defined Networks (NFV-SDN). :1–6.
The EU SoftFIRE project has built an experimentation platform for NFV and SDN experiments, tailored for testing and evaluating 5G network applications and solutions. The platform is a fully orchestrated virtualisation testbed consisting of multiple component testbeds across Europe. Users of the platform can deploy their virtualisation experiments via the platform's Middleware. This paper introduces the SoftFIRE testbed and its Middleware, and presents a set of KPI results for evaluation of experiment deployment performance.
Park, Byungju, Dang, Sa Pham, Noh, Sichul, Yi, Junmin, Park, Minho.  2019.  Dynamic Virtual Network Honeypot. 2019 International Conference on Information and Communication Technology Convergence (ICTC). :375–377.
A honeypot system is used to trap hackers and to track and analyze new hacking methods. However, it not only takes time for construction and deployment but also costs for maintenance, because these systems are always online even when there is no attack. Since the main purpose of honeypot systems is to collect as much attack traffic as possible, the limitation of system capacity is also a major problem. In this paper, we propose Dynamic Virtual Network Honeypot (DVNH), which leverages the emerging technologies Network Function Virtualization and Software-Defined Networking. DVNH redirects the attack to the honeypot system, thereby protecting the targeted system. Our experiments show that DVNH enables efficient resource usage and dynamic provisioning of the honeypot system.
2020-05-15
Aydeger, Abdullah, Saputro, Nico, Akkaya, Kemal.  2018.  Utilizing NFV for Effective Moving Target Defense Against Link Flooding Reconnaissance Attacks. MILCOM 2018 - 2018 IEEE Military Communications Conference (MILCOM). :946—951.

Moving target defense (MTD) is becoming popular with the advancements in Software Defined Networking (SDN) technologies. With centralized management through SDN, changing network attributes such as routes to escape from attacks is simple and fast. Yet, the available alternate routes are bounded by the network topology, and a persistent attacker that continuously performs reconnaissance can extract the whole link-map of the network. To address this issue, we propose to use virtual shadow networks (VSNs) by applying Network Function Virtualization (NFV) abilities to the network in order to deceive the attacker with fake topology information and not reveal the actual network topology and characteristics. We design this approach under a formal framework for Internet Service Provider (ISP) networks and apply it to recently emerged indirect DDoS attacks, namely Crossfire, for evaluation. The results show that the attacker spends more time to figure out the network behavior while the costs on the defender and network operations are negligible until reaching a certain network size.

2020-04-17
Jmila, Houda, Blanc, Gregory.  2019.  Designing Security-Aware Service Requests for NFV-Enabled Networks. 2019 28th International Conference on Computer Communication and Networks (ICCCN). :1—9.

Network Function Virtualization (NFV) is a recent concept where virtualization enables the shift from network functions (e.g., routers, switches, load-balancers, proxies) on specialized hardware appliances to software images running on all-purpose, high-volume servers. The resource allocation problem in the NFV environment has received considerable attention in the past years. However, little attention has been paid to the security aspects of the problem in spite of the increasing number of vulnerabilities faced by cloud-based applications. Securing the services is an urgent need to completely benefit from the advantages offered by NFV. In this paper, we show how a network service request, composed of a set of service function chains (SFCs), should be modified and enriched to take into consideration the security requirements of the supported service. We examine the well-known security best practices and propose a two-step algorithm that extends the initial SFC requests to a more complex chaining model that includes the security requirements of the service.

Brugman, Jonathon, Khan, Mohammed, Kasera, Sneha, Parvania, Masood.  2019.  Cloud Based Intrusion Detection and Prevention System for Industrial Control Systems Using Software Defined Networking. 2019 Resilience Week (RWS). 1:98—104.

Industrial control systems (ICS) are becoming more integral to modern life as they are being integrated into critical infrastructure. These systems typically lack application layer encryption, and the placement of common network intrusion services has large blind spots. We propose the novel architecture, Cloud Based Intrusion Detection and Prevention System (CB-IDPS), to detect and prevent threats in ICS networks by using software defined networking (SDN) to route traffic to the cloud for inspection using network function virtualization (NFV) and service function chaining. CB-IDPS uses Amazon Web Services to create a virtual private cloud for packet inspection. The CB-IDPS framework is designed with consideration of the ICS delay constraints, dynamic traffic routing, scalability, resilience, and visibility. CB-IDPS is presented in the context of a micro grid energy management system as the test case to prove that the latency of CB-IDPS is within acceptable delay thresholds. The implementation of CB-IDPS uses the OpenDaylight software for the SDN controller and commonly used network security tools such as Zeek and Snort. To our knowledge, this is the first attempt at using NFV in an ICS context for network security.

Go, Sharleen Joy Y., Guinto, Richard, Festin, Cedric Angelo M., Austria, Isabel, Ocampo, Roel, Tan, Wilson M..  2019.  An SDN/NFV-Enabled Architecture for Detecting Personally Identifiable Information Leaks on Network Traffic. 2019 Eleventh International Conference on Ubiquitous and Future Networks (ICUFN). :306—311.

The widespread adoption of social networking and cloud computing has transformed today's Internet into a trove of personal information. As a consequence, data breaches are expected to increase in gravity and occurrence. To counteract unintended data disclosure, a great deal of effort has been dedicated to devising methods for uncovering privacy leaks. Existing solutions, however, have not addressed the time- and data-intensive nature of leak detection. The shift from hardware-specific implementation to software-based solutions is the core idea behind the concept of Network Function Virtualization (NFV). On the other hand, the Software Defined Networking (SDN) paradigm is characterized by the decoupling of the forwarding and control planes. In this paper, an SDN/NFV-enabled architecture is proposed for improving the efficiency of leak detection systems. Employing a previously developed identification strategy, Personally Identifiable Information detector (PIID) and load balancer VNFs are packaged and deployed in OpenStack through an NFV MANO. Meanwhile, SDN controllers permit the load balancer to dynamically redistribute traffic among the PIID instances. In a physical testbed, tests are conducted to evaluate the proposed architecture. Experimental results indicate that the proportions of forwarding and parsing in the total overhead are influenced by the traffic intensity. Furthermore, an NFV-enabled system with scalability features was found to outperform a non-virtualized implementation in terms of latency (85.1%), packet loss (98.3%) and throughput (8.41%).

2020-03-09
Alnaim, Abdulrahman K., Alwakeel, Ahmed M., Fernandez, Eduardo B..  2019.  Threats Against the Virtual Machine Environment of NFV. 2019 2nd International Conference on Computer Applications Information Security (ICCAIS). :1–5.

Network Function Virtualization (NFV) is an implementation of cloud computing that leverages virtualization technology to provide on-demand network functions such as firewalls, domain name servers, etc., as software services. One of the methods that help us understand the design and implementation process of such a new system in an abstract way is architectural modeling. Architectural modeling can be presented through UML diagrams to show the interaction between different components and their stakeholders. Also, it can be used to analyze the security threats and the possible countermeasures to mitigate the threats. In this paper, we show some of the possible threats that may jeopardize the security of NFV. We use misuse patterns to analyze misuses based on privilege escalation and VM escape threats. The misuse patterns are part of an ongoing catalog, which is the first step toward building a security reference architecture for NFV.