Security issues in a Software Defined Network (SDN) environment like system vulnerabilities and intrusion attempts can pose a security risk for multi-tenant network managed by SDN. In this research work, Moving target defense (MTD)technique based on shuffle strategy - port hopping has been employed to increase the difficulty for the attacker trying to exploit the cloud network. Our research workMASON, considers the problem of multi-stage attacks in a network managed using SDN. SDN controller can be used to dynamically reconfigure the network and render attacker»s knowledge in multi-stage attacks redundant. We have used a threat score based on vulnerability information and intrusion attempts to identify Virtual Machines (VMs) in systems with high-security risk and implement MTD countermeasures port hopping to assess threat score reduction in a cloud network.
{"title":"MTD Analysis and evaluation framework in Software Defined Network (MASON)","authors":"Ankur Chowdhary, Adel Alshamrani, Dijiang Huang, Hongbin Liang","doi":"10.1145/3180465.3180473","DOIUrl":"https://doi.org/10.1145/3180465.3180473","url":null,"abstract":"Security issues in a Software Defined Network (SDN) environment like system vulnerabilities and intrusion attempts can pose a security risk for multi-tenant network managed by SDN. In this research work, Moving target defense (MTD)technique based on shuffle strategy - port hopping has been employed to increase the difficulty for the attacker trying to exploit the cloud network. Our research workMASON, considers the problem of multi-stage attacks in a network managed using SDN. SDN controller can be used to dynamically reconfigure the network and render attacker»s knowledge in multi-stage attacks redundant. We have used a threat score based on vulnerability information and intrusion attempts to identify Virtual Machines (VMs) in systems with high-security risk and implement MTD countermeasures port hopping to assess threat score reduction in a cloud network.","PeriodicalId":20513,"journal":{"name":"Proceedings of the 2018 ACM International Workshop on Security in Software Defined Networks & Network Function Virtualization","volume":"44 2 1","pages":""},"PeriodicalIF":0.0,"publicationDate":"2018-03-14","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"90910761","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Hongda Li, Fuqiang Zhang, Lu Yu, Jon Oakley, Hongxin Hu, R. Brooks
As data-intensive science becomes the norm in many fields of science, high-performance data transfer is rapidly becoming a core scientific infrastructure requirement. To meet such a requirement, there has been a rapid growth across university campus to deploy Science DMZs. However, it is challenging to efficiently monitor the traffic in Science DMZ because traditional intrusion detection systems (IDSes) are equipped with deep packet inspection (DPI), which is resource-consuming. We propose to develop a lightweight side-channel based anomaly detection system for traffic winnowing to reduce the volume of traffic finally monitored by the IDS. We evaluate our approach based on the experiments in a Science DMZ environment. Our evaluation demonstrates that our approach can significantly reduce the resource usage in traffic monitoring for Science DMZ.
{"title":"Towards Efficient Traffic Monitoring for Science DMZ with Side-Channel based Traffic Winnowing","authors":"Hongda Li, Fuqiang Zhang, Lu Yu, Jon Oakley, Hongxin Hu, R. Brooks","doi":"10.1145/3180465.3180474","DOIUrl":"https://doi.org/10.1145/3180465.3180474","url":null,"abstract":"As data-intensive science becomes the norm in many fields of science, high-performance data transfer is rapidly becoming a core scientific infrastructure requirement. To meet such a requirement, there has been a rapid growth across university campus to deploy Science DMZs. However, it is challenging to efficiently monitor the traffic in Science DMZ because traditional intrusion detection systems (IDSes) are equipped with deep packet inspection (DPI), which is resource-consuming. We propose to develop a lightweight side-channel based anomaly detection system for traffic winnowing to reduce the volume of traffic finally monitored by the IDS. We evaluate our approach based on the experiments in a Science DMZ environment. Our evaluation demonstrates that our approach can significantly reduce the resource usage in traffic monitoring for Science DMZ.","PeriodicalId":20513,"journal":{"name":"Proceedings of the 2018 ACM International Workshop on Security in Software Defined Networks & Network Function Virtualization","volume":"23 1","pages":""},"PeriodicalIF":0.0,"publicationDate":"2018-03-14","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"87186522","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Many of the emerging wide-area monitoring protection and control (WAMPAC) applications in modern electrical grids rely heavily on the availability and integrity of widespread phasor measurement unit (PMU) data. Therefore, it is critical to protect PMU networks against growing cyber-attacks and system faults. In this paper, we present a self-healing PMU network design that considers both power system observability and communication network characteristics. Our design utilizes centralized network control, such as the emerging software-defined networking (SDN) technology, to design resilient network self-healing algorithms against cyber-attacks. Upon detection of a cyber-attack, the PMU network can reconfigure itself to isolate compromised devices and re-route measurement data with the goal of preserving the power system observability. We have developed a proof-of-concept system in a container-based network testbed using integer linear programming to solve a graph-based PMU system model. We also evaluate the system performance regarding the self-healing plan generation and installation using the IEEE 30-bus system.
{"title":"Enabling a Resilient and Self-healing PMU Infrastructure Using Centralized Network Control","authors":"Y. Qu, Xin Liu, Dong Jin, Yuan Hong, Chen Chen","doi":"10.1145/3180465.3180472","DOIUrl":"https://doi.org/10.1145/3180465.3180472","url":null,"abstract":"Many of the emerging wide-area monitoring protection and control (WAMPAC) applications in modern electrical grids rely heavily on the availability and integrity of widespread phasor measurement unit (PMU) data. Therefore, it is critical to protect PMU networks against growing cyber-attacks and system faults. In this paper, we present a self-healing PMU network design that considers both power system observability and communication network characteristics. Our design utilizes centralized network control, such as the emerging software-defined networking (SDN) technology, to design resilient network self-healing algorithms against cyber-attacks. Upon detection of a cyber-attack, the PMU network can reconfigure itself to isolate compromised devices and re-route measurement data with the goal of preserving the power system observability. We have developed a proof-of-concept system in a container-based network testbed using integer linear programming to solve a graph-based PMU system model. We also evaluate the system performance regarding the self-healing plan generation and installation using the IEEE 30-bus system.","PeriodicalId":20513,"journal":{"name":"Proceedings of the 2018 ACM International Workshop on Security in Software Defined Networks & Network Function Virtualization","volume":"45 1","pages":""},"PeriodicalIF":0.0,"publicationDate":"2018-03-14","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"76324824","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Juan Wang, Shirong Hao, Yi Li, Chengyang Fan, Jie Wang, Lin Han, Zhi Hong, Hongxin Hu
Network Function Virtualization (NFV) is an emerging technology to implement network functions in software, which reduces equipment costs (CAPEX) and operational cost (OPEX) through decoupling network functions from network dedicated devices and deploying them on high-volume standard servers and running as virtual instances. However, due to running in a shared and open environment and lacking the protection of proprietary hardware, virtual network functions (VNFs) face more security threats than traditional network functions. Hence, it is crucial to build a trusted execution environment to protect VNFs. In this paper, we first analyze the challenges for VNF security protection. We then propose a lightweight and trusted execution environment for securing VNFs based on SGX and Click. To demonstrate the feasibility of our approach, we implement a DDoS defense function on top of our environment and conduct paramilitary evaluations. Our evaluation results show that our system only introduces manageable performance overhead for protecting VNFs.
网络功能虚拟化(Network Function Virtualization, NFV)是一种在软件中实现网络功能的新兴技术,通过将网络功能与网络专用设备解耦,部署在大容量的标准服务器上,并作为虚拟实例运行,从而降低设备成本(CAPEX)和运营成本(OPEX)。然而,由于运行在共享、开放的环境中,缺乏专有硬件的保护,虚拟网络功能比传统网络功能面临更多的安全威胁。因此,构建可信任的执行环境来保护VNFs至关重要。本文首先分析了VNF安全保护面临的挑战。然后,我们提出了一个轻量级和可信的执行环境,用于保护基于SGX和Click的VNFs。为了证明我们的方法的可行性,我们在我们的环境之上实现了一个DDoS防御功能,并进行了准军事评估。我们的评估结果表明,我们的系统仅为保护VNFs引入了可管理的性能开销。
{"title":"Challenges Towards Protecting VNF With SGX","authors":"Juan Wang, Shirong Hao, Yi Li, Chengyang Fan, Jie Wang, Lin Han, Zhi Hong, Hongxin Hu","doi":"10.1145/3180465.3180476","DOIUrl":"https://doi.org/10.1145/3180465.3180476","url":null,"abstract":"Network Function Virtualization (NFV) is an emerging technology to implement network functions in software, which reduces equipment costs (CAPEX) and operational cost (OPEX) through decoupling network functions from network dedicated devices and deploying them on high-volume standard servers and running as virtual instances. However, due to running in a shared and open environment and lacking the protection of proprietary hardware, virtual network functions (VNFs) face more security threats than traditional network functions. Hence, it is crucial to build a trusted execution environment to protect VNFs. In this paper, we first analyze the challenges for VNF security protection. We then propose a lightweight and trusted execution environment for securing VNFs based on SGX and Click. To demonstrate the feasibility of our approach, we implement a DDoS defense function on top of our environment and conduct paramilitary evaluations. Our evaluation results show that our system only introduces manageable performance overhead for protecting VNFs.","PeriodicalId":20513,"journal":{"name":"Proceedings of the 2018 ACM International Workshop on Security in Software Defined Networks & Network Function Virtualization","volume":"53 1","pages":""},"PeriodicalIF":0.0,"publicationDate":"2018-03-14","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"76280937","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Network policies that offer vital functionalities are often organized in a chain. Current practice either assumes proper policy chains as a prior or relies on simple syntax-based input-output analysis. This paper examines and addresses several difficulties with this approach --- context-dependent policy interaction, unnecessarily coupled policies, and policies that must be jointly examined, proposing database integrity constraints as a means towards a semantic-based finer solution. Built on a unified logical framework to describe and reason about policy chains, our database solution gives (1) criteria that derive correct policy chain with a more accurate estimate of policy dependency, and (2) criteria that check and obtain atomic policy, unit of policy that is proper for policy chain.
{"title":"Database Criteria for Network Policy Chain","authors":"Anduo Wang","doi":"10.1145/3180465.3180471","DOIUrl":"https://doi.org/10.1145/3180465.3180471","url":null,"abstract":"Network policies that offer vital functionalities are often organized in a chain. Current practice either assumes proper policy chains as a prior or relies on simple syntax-based input-output analysis. This paper examines and addresses several difficulties with this approach --- context-dependent policy interaction, unnecessarily coupled policies, and policies that must be jointly examined, proposing database integrity constraints as a means towards a semantic-based finer solution. Built on a unified logical framework to describe and reason about policy chains, our database solution gives (1) criteria that derive correct policy chain with a more accurate estimate of policy dependency, and (2) criteria that check and obtain atomic policy, unit of policy that is proper for policy chain.","PeriodicalId":20513,"journal":{"name":"Proceedings of the 2018 ACM International Workshop on Security in Software Defined Networks & Network Function Virtualization","volume":"43 1","pages":""},"PeriodicalIF":0.0,"publicationDate":"2018-03-14","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"78590934","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
D. Anantha, B. Ramamurthy, B. Bockelman, D. Swanson
Network anomaly detection systems can be used to identify anomalous transfers or threats, which, when undetected, can trigger large-scale malicious events. Data-intensive science projects rely on high-throughput computing and high-speed networking resources for data analysis and processing. In this paper, we propose an anomaly detection framework and architecture for identifying anomalies in GridFTP transfers. Application-awareness plays an important role in our proposed architecture and is used to communicate GridFTP application metadata to the machine learning and anomaly detection system. We demonstrate the effectiveness of our architecture by evaluating the framework with a real-world, large-scale dataset of GridFTP transfers. Preliminary results show that our framework can be used to develop novel anomaly detection services with diverse feature sets for distributed and data-intensive projects.
{"title":"Identifying Anomalies in GridFTP transfers for Data-Intensive Science through Application-Awareness","authors":"D. Anantha, B. Ramamurthy, B. Bockelman, D. Swanson","doi":"10.1145/3180465.3180469","DOIUrl":"https://doi.org/10.1145/3180465.3180469","url":null,"abstract":"Network anomaly detection systems can be used to identify anomalous transfers or threats, which, when undetected, can trigger large-scale malicious events. Data-intensive science projects rely on high-throughput computing and high-speed networking resources for data analysis and processing. In this paper, we propose an anomaly detection framework and architecture for identifying anomalies in GridFTP transfers. Application-awareness plays an important role in our proposed architecture and is used to communicate GridFTP application metadata to the machine learning and anomaly detection system. We demonstrate the effectiveness of our architecture by evaluating the framework with a real-world, large-scale dataset of GridFTP transfers. Preliminary results show that our framework can be used to develop novel anomaly detection services with diverse feature sets for distributed and data-intensive projects.","PeriodicalId":20513,"journal":{"name":"Proceedings of the 2018 ACM International Workshop on Security in Software Defined Networks & Network Function Virtualization","volume":"84 1","pages":""},"PeriodicalIF":0.0,"publicationDate":"2018-03-14","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"83048782","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Proceedings of the 2018 ACM International Workshop on Security in Software Defined Networks & Network Function Virtualization","authors":"","doi":"10.1145/3180465","DOIUrl":"https://doi.org/10.1145/3180465","url":null,"abstract":"","PeriodicalId":20513,"journal":{"name":"Proceedings of the 2018 ACM International Workshop on Security in Software Defined Networks & Network Function Virtualization","volume":"21 1","pages":""},"PeriodicalIF":0.0,"publicationDate":"2018-01-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"74811576","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2017-08-30DOI: 10.1007/978-3-319-64200-0_12
A. Fujioka
{"title":"Adaptive Security in Identity-Based Authenticated Key Agreement with Multiple Private Key Generators","authors":"A. Fujioka","doi":"10.1007/978-3-319-64200-0_12","DOIUrl":"https://doi.org/10.1007/978-3-319-64200-0_12","url":null,"abstract":"","PeriodicalId":20513,"journal":{"name":"Proceedings of the 2018 ACM International Workshop on Security in Software Defined Networks & Network Function Virtualization","volume":"44 1","pages":"192-211"},"PeriodicalIF":0.0,"publicationDate":"2017-08-30","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"86989440","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2017-08-30DOI: 10.1007/978-3-319-64200-0_13
Daode Zhang, Fuyang Fang, Bao Li, Xin Wang
{"title":"Deterministic Identity-Based Encryption from Lattices with More Compact Public Parameters","authors":"Daode Zhang, Fuyang Fang, Bao Li, Xin Wang","doi":"10.1007/978-3-319-64200-0_13","DOIUrl":"https://doi.org/10.1007/978-3-319-64200-0_13","url":null,"abstract":"","PeriodicalId":20513,"journal":{"name":"Proceedings of the 2018 ACM International Workshop on Security in Software Defined Networks & Network Function Virtualization","volume":"262 1","pages":"215-230"},"PeriodicalIF":0.0,"publicationDate":"2017-08-30","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"76255638","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2017-08-30DOI: 10.1007/978-3-319-64200-0_6
Veronika Kuchta, G. Sharma, R. Sahu, T. Bhatia, O. Markowitch
{"title":"Secure Certificateless Proxy Re-encryption Without Pairing","authors":"Veronika Kuchta, G. Sharma, R. Sahu, T. Bhatia, O. Markowitch","doi":"10.1007/978-3-319-64200-0_6","DOIUrl":"https://doi.org/10.1007/978-3-319-64200-0_6","url":null,"abstract":"","PeriodicalId":20513,"journal":{"name":"Proceedings of the 2018 ACM International Workshop on Security in Software Defined Networks & Network Function Virtualization","volume":"93 1","pages":"85-101"},"PeriodicalIF":0.0,"publicationDate":"2017-08-30","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"83837811","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
京公网安备 11010802042870号
京ICP备2023020795号-1
扫码关注我们
求助内容:
应助结果提醒方式: