Biblio
To be able to meet demanding application performance requirements within a tight power budget, runtime power management must track hardware activity at a very fine granularity in both space and time. This gives rise to sophisticated power management algorithms, which need the underlying system to be both highly observable (to be able to sense changes in instantaneous power demand timely) and controllable (to be able to react to changes in instantaneous power demand timely). The end goal is allocating the power budget, which itself represents a very critical shared resource, in a fair way among active tasks of execution. Fundamentally, if not carefully managed, any system-wide shared resource can give rise to covert communication. Power budget does not represent an exception, particularly as systems are becoming more and more observable and controllable. In this paper, we demonstrate how power management vulnerabilities can enable covert communication over a previously unexplored, novel class of covert channels which we will refer to as POWERT channels. We also provide a comprehensive characterization of the POWERT channel capacity under various sharing and activity scenarios. Our analysis based on experiments on representative commercial systems reveal a peak channel capacity of 121.6 bits per second (bps).
Cyber physical system (CPS) is often deployed at safety-critical key infrastructures and fields, fault tolerance policies are extensively applied in CPS systems to improve its credibility; the same physical backup of hardware redundancy (SPB) technology is frequently used for its simple and reliable implementation. To resolve challenges faced with in simulation test of SPB-CPS, this paper dynamically determines the test resources matched with the CPS scale by using the adaptive allocation policies, establishes the hierarchical models and inter-layer message transmission mechanism. Meanwhile, the collaborative simulation time sequence push strategy and the node activity test mechanism based on the sliding window are designed in this paper to improve execution efficiency of the simulation test. In order to validate effectiveness of the method proposed in this paper, we successfully built up a fault-tolerant CPS simulation platform. Experiments showed that it can improve the SPB-CPS simulation test efficiency.
Content Delivery Networks(CDN) is a standout amongst the most encouraging innovations that upgrade performance for its clients' websites by diverting web demands from browsers to topographically dispersed CDN surrogate nodes. However, due to the variable nature of CDN, it suffers from various security and resource allocation issues. The most common attack which is used to bring down a whole network as well as CDN without even finding a loophole in the security is DDoS. In this proposal, we proposed a distributed virtual honeypot model for diminishing DDoS attacks and prevent intrusion in securing CDN. Honeypots are specially utilized to imitate the primary server with the goal that the attack is alleviated to the fake rather than the main server. Our proposed layer based model utilizes honeypot to be more effective reducing the cost of the system as well as maintaining the smooth delivery in geographically dispersed servers without performance degradation.
Through time inference attacks, adversaries fingerprint SDN controllers, estimate switches flow-table size, and perform flow state reconnaissance. In fact, timing a SDN and analyzing its results can expose information which later empowers SDN resource-consumption or saturation attacks. In the real world, however, launching such attacks is not easy. This is due to some challenges attackers may encounter while attacking an actual SDN deployment. These challenges, which are not addressed adequately in the related literature, are investigated in this paper. Accordingly, practical solutions to mitigate such attacks are also proposed. Discussed challenges are clarified by means of conducting extensive experiments on an actual cloud data center testbed. Moreover, mitigation schemes have been implemented and examined in details. Experimental results show that proposed countermeasures effectively block time inference attacks.
The next generation military environment requires a delay-tolerant network for sharing data and resources using an interoperable computerized, Command, Control, Communications, Intelligence, Surveillance and Reconnaissance (C4ISR) infrastructure. In this paper, we propose a new distributed SDN (Software-Defined Networks) architecture for tactical environments based on distributed cloudlets. The objective is to reduce the end-to-end delay of tactical traffic flow, and improve management capabilities, allowing flexible control and network resource allocation. The proposed SDN architecture is implemented over three layers: decentralized cloudlets layer where each cloudlet has its SDRN (Software-Defined Radio Networking) controller, decentralized MEC (Mobile Edge Computing) layer with an SDN controller for each MEC, and a centralized private cloud as a trusted third-part authority controlled by a centralized SDN controller. The experimental validations are done via relevant and realistic tactical scenarios based on strategic traffics loads, i.e., Tactical SMS (Short Message Service), UVs (Unmanned Vehicle) patrol deployment and high bite rate ISR (Intelligence, Surveillance, and Reconnaissance) video.
The borderless, dynamic, high dimensional and virtual natures of cyberspace have brought unprecedented hard situation for defenders. To fight uncertain challenges in versatile cyberspace, a security framework based on the cloud computing platform that facilitates containerization technology to create a security capability pool to generate and distribute security payload according to system needs. Composed by four subsystems of the security decision center, the image and container library, the decision rule base and the security event database, this framework distills structured knowledge from aggregated security events and then deliver security load to the managed network or terminal nodes directed by the decision center. By introducing such unified and standardized top-level security framework that is decomposable, combinable and configurable in a service-oriented manner, it could offer flexibility and effectiveness in reconstructing security resource allocation and usage to reach higher efficiency.
Network Function Virtualization (NFV) is a recent concept where virtualization enables the shift from network functions (e.g., routers, switches, load-balancers, proxies) on specialized hardware appliances to software images running on all-purpose, high-volume servers. The resource allocation problem in the NFV environment has received considerable attention in the past years. However, little attention was paid to the security aspects of the problem in spite of the increasing number of vulnerabilities faced by cloud-based applications. Securing the services is an urgent need to completely benefit from the advantages offered by NFV. In this paper, we show how a network service request, composed of a set of service function chains (SFC) should be modified and enriched to take into consideration the security requirements of the supported service. We examine the well-known security best practices and propose a two-step algorithm that extends the initial SFC requests to a more complex chaining model that includes the security requirements of the service.
Recently, data protection has become increasingly important in cloud environments. The cloud platform has global user information, rich storage resource allocation information, and a fuller understanding of data attributes. At the same time, there is an urgent need for data access control to provide data security, and software-defined network, as a ready-made facility, has a global network view, global network management capabilities, and programable network rules. In this paper, we present an approach, named High-Performance Software-Defined Data Access Network (HP-SDDAN), providing software-defined data access network architecture, global data attribute management and attribute-based data access network. HP-SDDAN combines the excellent features of cloud platform and software-defined network, and fully considers the performance to implement software-defined data access network. In evaluation, we verify the effectiveness and efficiency of HP-SDDAN implementation, with only 1.46% overhead to achieve attribute-based data access control of attribute-based differential privacy.
Load balancing and IP anycast are traffic routing algorithms used to speed up delivery of the Domain Name System. In case of a DDoS attack or an overload condition, the value of these protocols is critical, as they can provide intrinsic DDoS mitigation with the failover alternatives. In this paper, we present a methodology for predicting the next DNS response in the light of a potential redirection to less busy servers, in order to mitigate the size of the attack. Our experiments were conducted using data from the Nov. 2015 attack of the Root DNS servers and Logistic Regression, k-Nearest Neighbors, Support Vector Machines and Random Forest as our primary classifiers. The models were able to successfully predict up to 83% of responses for Root Letters that operated on a small number of sites and consequently suffered the most during the attacks. On the other hand, regarding DNS requests coming from more distributed Root servers, the models demonstrated lower accuracy. Our analysis showed a correlation between the True Positive Rate metric and the number of sites, as well as a clear need for intelligent management of traffic in load balancing practices.
Recent studies have shown that co-resident attacks have aroused great security threat in cloud. Since hardware is shared among different tenants, malicious tenants can launch various co-resident attacks, such as side channel attacks, covert channel attacks and resource interference attacks. Existing countermeasures have their limitations and can not provide comprehensive defense against co-resident attacks. This paper combines the advantages of various countermeasures and proposes a complete co-resident threat defense solution which consists of co-resident-resistant VM allocation (CRRVA), analytic hierarchy process-based threat score mechanism (AHPTSM) and attack-aware VM reallocation (AAVR). CRRVA securely allocates VMs and also takes load balance and power consumption into consideration to make the allocation policy more practical. According to the intrinsic characteristics of co-resident attacks, AHPTSM evaluates VM's threat score which denotes the probability that a VM is suffering or conducting co-resident attacks based on analytic hierarchy process. And AAVR further migrates VMs with extremely high threat scores and separates VM pairs which are likely to be malicious to each other. Extensive experiments in CloudSim have shown that CRRVA can greatly reduce the allocation co-resident threat as well as balancing the load for both CSPs and tenants with little impact on power consumption. In addition, guided by threat score distribution, AAVR can effectively guarantee runtime co-resident security by migrating high threat score VMs with less migration cost.
With the ever so growing boundaries for security in the cloud, it is necessary to develop ways to prevent from total cloud server failure. In this paper, we try to design a Game Strategy Block that sets up rules for security based on a tower defence game to secure the hypervisor from potential threats. We also try to define a utility function named the Virtual Machine Vitality Measure (VMVM) that could enlighten on the status of the virtual machines on the virtual environment.
In VANET, Sybil nodes generated by attackers cause serious damages to network protocols, resource allocation mechanisms, and reputation models. Other types of attacks can also be launched on the basis of Sybil attack, which bring more threats to VANET. To solve this problem, this paper proposes a Sybil nodes detection method based on RSSI sequence and vehicle driving matrix - RSDM. RSDM evaluates the difference between the RSSI sequence and the driving matrix by dynamic distance matching to detect Sybil nodes. Moreover, RSDM does not rely on VANET infrastructure, neighbor nodes or specific hardware. The experimental results show that RSDM performs well with a higher detection rate and a lower error rate.
The paper presents a conceptual framework for security embedded task offloading requirements for IoT-Fog based future communication networks. The focus of the paper is to enumerate the need of embedded security requirements in this IoT-Fog paradigm including the middleware technologies in the overall architecture. Task offloading plays a significant role in the load balancing, energy and data management, security, reducing information processing and propagation latencies. The motivation behind introducing the embedded security is to meet the challenges of future smart networks including two main reasons namely; to improve the data protection and to minimize the internet disturbance and intrusiveness. We further discuss the middleware technologies such as cloudlets, mobile edge computing, micro datacenters, self-healing infrastructures and delay tolerant networks for security provision, optimized energy consumption and to reduce the latency. The paper introduces concepts of system virtualization and parallelism in IoT-Fog based systems and highlight the security features of the system. Some research opportunities and challenges are discussed to improve secure offloading from IoT into fog.
Fog computing extends cloud computing technology to the edge of the infrastructure to support dynamic computation for IoT applications. Reduced latency and location awareness in objects' data access is attained by displacing workloads from the central cloud to edge devices. Doing so, it reduces raw data transfers from target objects to the central cloud, thus overcoming communication bottlenecks. This is a key step towards the pervasive uptake of next generation IoT-based services. In this work we study efficient orchestration of applications in fog computing, where a fog application is the cascade of a cloud module and a fog module. The problem results into a mixed integer non linear optimisation. It involves multiple constraints due to computation and communication demands of fog applications, available infrastructure resources and it accounts also the location of target IoT objects. We show that it is possible to reduce the complexity of the original problem with a related placement formulation, which is further solved using a greedy algorithm. This algorithm is the core placement logic of FogAtlas, a fog computing platform based on existing virtualization technologies. Extensive numerical results validate the model and the scalability of the proposed algorithm, showing performance close to the optimal solution with respect to the number of served applications.