Biblio

With the development of software defined network and network function virtualization, network operators can flexibly deploy service function chains (SFC) to provide network security services more than before according to the network security requirements of business systems. At present, most research on verifying the correctness of SFC is based on whether the logical sequence between service functions (SF) in SFC is correct before deployment, and there is less research on verifying the correctness after SFC deployment. Therefore, this paper proposes a method of using Colored Petri Net (CPN) to establish a verification model offline and verify whether each SF deployment in SFC is correct after online deployment. After the SFC deployment is completed, the information is obtained online and input into the established model for verification. The experimental results show that the SFC correctness verification method proposed in this paper can effectively verify whether each SF in the deployed SFC is deployed correctly. In this process, the correctness of SF model is verified by using SF model in the model library, and the model reuse technology is preliminarily discussed.

To prevent all sorts of attacks, the technology of security service function chains (SFC) is proposed in recent years, it becomes an attractive research highlights. Dynamic orchestration algorithm can create SFC according to the resource usage of network security functions. The current research on creating SFC focuses on a single domain. However in reality the large and complex networks are divided into security domains according to different security levels and managed separately. Therefore, we propose a cross-security domain dynamic orchestration algorithm to create SFC for network security functions based on ant colony algorithm(ACO) and consider load balancing, shortest path and minimum delay as optimization objectives. We establish a network security architecture based on the proposed algorithm, which is suitable for the industrial vertical scenarios, solves the deployment problem of the dynamic orchestration algorithm. Simulation results verify that our algorithm achieves the goal of creating SFC across security domains and demonstrate its performance in creating service function chains to resolve abnormal traffic flows.

Network function virtualization (NFV) simplies the coniguration and management of security services by migrating the network security functions from dedicated hardware devices to software middle-boxes that run on commodity servers. Under the paradigm of NFV, the service function chain (SFC) consisting of a series of ordered virtual network security functions is becoming a mainstream form to carry network security services. Allocating the underlying physical network resources to the demands of SFCs under given constraints over time is known as the SFC deployment problem. It is a crucial issue for infrastructure providers. However, SFC deployment is facing new challenges in trading off between pursuing the objective of a high revenue-to-cost ratio and making decisions in an online manner. In this paper, we investigate the use of reinforcement learning to guide online deployment decisions for SFC requests and propose a Policy network Assisted Monte Carlo Tree search approach named PACT to address the above challenge, aiming to maximize the average revenue-to-cost ratio. PACT combines the strengths of the policy network, which evaluates the placement potential of physical servers, and the Monte Carlo Tree Search, which is able to tackle problems with large state spaces. Extensive experimental results demonstrate that our PACT achieves the best performance and is superior to other algorithms by up to 30% and 23.8% on average revenue-to-cost ratio and acceptance rate, respectively.

The age of the wireless network already advances to the fifth generation (5G) era. With software-defined networking (SDN) and network function virtualization (NFV), various scenarios can be implemented in the 5G network. Cloud computing, for example, is one of the important application scenarios for implementing SDN/NFV solutions. The emerging container technologies, such as Docker, can provide more agile service provisioning than virtual machines can do in cloud environments. It is a trend that virtual network functions (VNFs) tend to be deployed in the form of containers. The services provided by clouds can be formed by service function chaining (SFC) consisting of containerized VNFs. Nevertheless, the challenges and limitation regarding SFCs are reported in the literature. Various network services are bound to rely heavily on these novel technologies, however, the development of related technologies often emphasizes functions and ignores security issues. One noticeable issue is the SFC integrity. In brief, SFC integrity concerns whether the paths that traffic flows really pass by and the ones of service chains that are predefined are consistent. In order to examine SFC integrity in the cloud-native environment of 5G network, we propose a framework that can be integrated with NFV management and orchestration (MANO) in this work. The core of this framework is the anomaly detection mechanism for SFC integrity. The learning algorithm of our mechanism is based on extreme learning machine (ELM). The proposed mechanism is evaluated by its performance such as the accuracy of our ELM model. This paper concludes with discussions and future research work.

Recently, the novel networking technology Software-Defined Networking(SDN) and Service Function Chaining(SFC) are rapidly growing, and security issues are also emerging for SDN and SFC. However, the research about security and safety on a novel networking environment is still unsatisfactory, and the vulnerabilities have been revealed continuously. Among these security issues, this paper addresses the ARP Poisoning attack to exploit SFC vulnerability, and proposes a method to defend the attack. The proposed method recognizes the repetitive ARP reply which is a feature of ARP Poisoning attack, and detects ARP Poisoning attack. The proposed method overcomes the limitations of the existing detection methods. The proposed method also detects the presence of an attack more accurately.

Service Function Chaining (SFC) provides a special capability that defines an ordered list of network services as a virtual chain and makes a network more flexible and manageable. However, SFC is vulnerable to various attacks caused by compromised switches, especially the middlebox-bypass attack. In this paper, we propose a system that can detect not only middlebox-bypass attacks but also other incorrect forwarding actions by compromised switches. The existing solutions to protect SFC against compromised switches and middlebox-bypass attacks can only solve individual problems. The proposed system uses both probe-based and statistics-based methods to check the probe packets with random pre-assigned keys and collect statistics from middleboxes for detecting any abnormal actions in SFC. It is shown that the proposed system takes only 0.08 ms for the packet processing while it prevents SFC from the middlebox-bypass attacks and compromised switches, which is the negligible delay.

Industrial control systems (ICS) are becoming more integral to modern life as they are being integrated into critical infrastructure. These systems typically lack application layer encryption and the placement of common network intrusion services have large blind spots. We propose the novel architecture, Cloud Based Intrusion Detection and Prevention System (CB-IDPS), to detect and prevent threats in ICS networks by using software defined networking (SDN) to route traffic to the cloud for inspection using network function virtualization (NFV) and service function chaining. CB-IDPS uses Amazon Web Services to create a virtual private cloud for packet inspection. The CB-IDPS framework is designed with considerations to the ICS delay constraints, dynamic traffic routing, scalability, resilience, and visibility. CB-IDPS is presented in the context of a micro grid energy management system as the test case to prove that the latency of CB-IDPS is within acceptable delay thresholds. The implementation of CB-IDPS uses the OpenDaylight software for the SDN controller and commonly used network security tools such as Zeek and Snort. To our knowledge, this is the first attempt at using NFV in an ICS context for network security.

Services provided online are subject to various types of attacks. Security appliances can be chained to protect a system against multiple types of network attacks. The sequence of appliances has a significant impact on the efficiency of the whole chain. While the operation of security appliance chains is currently based on a static order, traffic-aware reordering of security appliances may significantly improve efficiency and accuracy. In this paper, we present the vision of a self-aware system to automatically reorder security appliances according to incoming traffic. To achieve this, we propose to apply a model-based learning, reasoning, and acting (LRA-M) loop. To this end, we describe a corresponding system architecture and explain its building blocks.

Smart Internet of Things (IoT) applications will rely on advanced IoT platforms that not only provide access to IoT sensors and actuators, but also provide access to cloud services and data analytics. Future IoT platforms should thus provide connectivity and intelligence. One approach to connecting IoT devices, IoT networks to cloud networks and services is to use network federation mechanisms over the internet to create network slices across heterogeneous platforms. Network slices also need to be protected from potential external and internal threats. In this paper we describe an approach for enforcing global security policies in the federated cloud and IoT networks. Our approach allows a global security to be defined in the form of a single service manifest and enforced across all federation network segments. It relies on network function virtualisation (NFV) and service function chaining (SFC) to enforce the security policy. The approach is illustrated with two case studies: one for a user that wishes to securely access IoT devices and another in which an IoT infrastructure administrator wishes to securely access some remote cloud and data analytics services.