Pub Date: 2019-08-28; DOI: 10.1007/978-3-030-26834-3_11
Shohei Hiruta, Satoshi Ikeda, Shigeyoshi Shima, H. Takakura
{"title":"IDS Alert Priority Determination Based on Traffic Behavior","authors":"Shohei Hiruta, Satoshi Ikeda, Shigeyoshi Shima, H. Takakura","doi":"10.1007/978-3-030-26834-3_11","DOIUrl":"https://doi.org/10.1007/978-3-030-26834-3_11","url":null,"abstract":"","PeriodicalId":20513,"journal":{"name":"Proceedings of the 2018 ACM International Workshop on Security in Software Defined Networks & Network Function Virtualization","volume":"30 1","pages":"189-206"},"PeriodicalIF":0.0,"publicationDate":"2019-08-28","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"76668025","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date: 2019-08-28; DOI: 10.1007/978-3-030-26834-3_4
K. Kurosawa, Akinaga Ueda, Hayato Matsuhashi, Y. Sakagami
{"title":"How to Solve Multiple Short-Exponent Discrete Logarithm Problem","authors":"K. Kurosawa, Akinaga Ueda, Hayato Matsuhashi, Y. Sakagami","doi":"10.1007/978-3-030-26834-3_4","DOIUrl":"https://doi.org/10.1007/978-3-030-26834-3_4","url":null,"abstract":"","PeriodicalId":20513,"journal":{"name":"Proceedings of the 2018 ACM International Workshop on Security in Software Defined Networks & Network Function Virtualization","volume":"1 1","pages":"53-64"},"PeriodicalIF":0.0,"publicationDate":"2019-08-28","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"88556037","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
In the digital healthcare era, it is of utmost importance to harness medical information scattered across healthcare institutions to support in-depth data analysis. However, the boundaries of the cyberinfrastructure of healthcare providers place obstacles on data sharing. In this position paper, we first identify the challenges of medical data sharing and management. Then we introduce the background and give a brief survey of the state of the art. Finally, we conclude the paper by discussing a few possible research directions to cope with the challenges in current medical information sharing.
{"title":"A Blockchain Future for Secure Clinical Data Sharing: A Position Paper","authors":"Yan Luo, Hao Jin, Peilong Li","doi":"10.1145/3309194.3309198","DOIUrl":"https://doi.org/10.1145/3309194.3309198","url":null,"abstract":"In the digital healthcare era, it is utmost important to harness medical information scattered across healthcare institutions to support in-depth data analysis. However, the boundaries of cyberinfrastructure of healthcare providers place obstacles on data sharing. In this position paper, we firstly identify the challenges of medical data sharing and management. Then we introduce the background and give a brief survey on the state-of-the-art. Finally, we conclude the paper by discussing a few possible research directions to cope with the challenges in current medical information sharing.","PeriodicalId":20513,"journal":{"name":"Proceedings of the 2018 ACM International Workshop on Security in Software Defined Networks & Network Function Virtualization","volume":"46 1","pages":""},"PeriodicalIF":0.0,"publicationDate":"2019-03-19","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"90940405","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Increasingly, campus networks manage a multitude of large-scale data transfers. Big data plays a pivotal role in university research and impacts domains such as engineering, agriculture, natural sciences, and humanities. Over the years, numerous solutions have been proposed to manage and secure large-scale data transfers efficiently. Examples consist of the inclusion of security policies at the network edge, optimized middlebox management, and the Science Demilitarized Zone (Science DMZ). These solutions either severely degrade data transfer performance or result in data flows completely bypassing the campus network security controls. In this paper, we present our experience with the design, development, and management of large-scale data transfers using software defined networking (SDN) and network functions virtualization (NFV). We also discuss the issues and challenges associated with securing large-scale data transfers in campus networks.
{"title":"Securing Large-scale Data Transfers in Campus Networks: Experiences, Issues, and Challenges","authors":"Deepak Nadig, B. Ramamurthy","doi":"10.1145/3309194.3309444","DOIUrl":"https://doi.org/10.1145/3309194.3309444","url":null,"abstract":"Increasingly, campus networks manage a multitude of large-scale data transfers. Big data plays a pivotal role in university research and impacts domains such as engineering, agriculture, natural sciences, and humanities. Over the years, numerous solutions have been proposed to manage and secure large-scale data transfers efficiently. Examples consist of the inclusion of security policies at the network edge, optimized middlebox management, and the Science Demilitarized Zone (Science DMZ). These solutions either severely degrade data transfer performance or result in data flows completely bypassing the campus network security controls. In this paper, we present our experience with the design, development, and management of large-scale data transfers using software defined networking (SDN) and network functions virtualization (NFV). We also discuss the issues and challenges associated with securing large-scale data transfers in campus networks.","PeriodicalId":20513,"journal":{"name":"Proceedings of the 2018 ACM International Workshop on Security in Software Defined Networks & Network Function Virtualization","volume":"13 2 1","pages":""},"PeriodicalIF":0.0,"publicationDate":"2019-03-19","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"80738221","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Software defined networking (SDN) offers a promising approach for the next generation of networking technology. However, at present there is no widely accepted model for network application authorization. One reason for the lack of an access control system is the absence of a clear definition of an authorization model in SDN. Porras et al. [porras2015securing] recently developed SE-Floodlight for this purpose. They partly employed the notion of the well-known role-based access control (RBAC) model. They informally presented a role-based authorization system to manage applications' access rights to network operations submitted during the interaction between the application layer and the switch-side infrastructure. In this paper we develop a formal role-based authorization model in SDN using SE-Floodlight as a reference controller. Based on the formal model we discuss security aspects and propose some extensions. We also provide an administrative model for the authorization system. We show a configuration of the formal model for a use case scenario, discuss the security aspects of the authorization model, and describe some security issues related to over-privileged apps, limitations of the role hierarchy, app upgrading, and the app downgrading problem. Finally, we propose a refined role hierarchy to address these problems.
{"title":"A Formal Access Control Model for SE-Floodlight Controller","authors":"Abdullah Al-Alaj, R. Sandhu, R. Krishnan","doi":"10.1145/3309194.3309195","DOIUrl":"https://doi.org/10.1145/3309194.3309195","url":null,"abstract":"Software defined networking (SDN) offers a promising approach for the next generation of networking technology. However, at present there is no widely accepted model for network applications authorization. One reason for lack of access control system is the absence of clear definition of an authorization model in SDN. Porras et al citeporras2015securing recently developed SE-Floodlight for this purpose. They partly employed the notion of the well-known role-based access control (RBAC) model. They informally presented a role-based authorization system to manage applications access rights to network operations, submitted during the interaction between the application layer and the switch-side infrastructure. In this paper we develop a formal role-based authorization model in SDN using SE-Floodlight as a reference controller. Based on the formal model we discuss security aspects and propose some extensions. We also provide an administrative model for the authorization system. We show a configuration of the formal model for a use case scenario and discuss the security aspects of the authorization model and describe some security issues related to over-privileged apps, limitations of role hierarchy, app upgrading, and app downgrading problem. Finally, we propose a refined role hierarchy to address these problems.","PeriodicalId":20513,"journal":{"name":"Proceedings of the 2018 ACM International Workshop on Security in Software Defined Networks & Network Function Virtualization","volume":"1 1","pages":""},"PeriodicalIF":0.0,"publicationDate":"2019-03-19","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"90802197","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
In the Software Defined Networking (SDN) and Network Function Virtualization (NFV) era, it is critical to enable dynamic network access control. Traditionally, network access control policies are statically predefined as router entries or firewall rules. SDN enables more flexibility by reactively installing flow rules into the switches to achieve dynamic network access control. However, SDN is limited in capturing network anomalies, which are usually important signs of security threats. In this paper, we propose to employ an anomaly-based Intrusion Detection System (IDS) to capture network anomalies and generate SDN flow rules to enable dynamic network access control. We gain knowledge of network anomalies from the anomaly-based IDS by training an interpretable model to explain its outcome. Based on the explanation, we derive access control policies. We demonstrate the feasibility of our approach by explaining the outcome of an anomaly-based IDS built upon a Recurrent Neural Network (RNN) and generating SDN flow rules based on our explanation.
{"title":"Enabling Dynamic Network Access Control with Anomaly-based IDS and SDN","authors":"Hongda Li, Feng Wei, Hongxin Hu","doi":"10.1145/3309194.3309199","DOIUrl":"https://doi.org/10.1145/3309194.3309199","url":null,"abstract":"In the Software Defined Networking (SDN) and Network Function Virtualization (NFV) era, it is critical to enable dynamic network access control. Traditionally, network access control policies are statically predefined as router entries or firewall rules. SDN enables more flexibility by re-actively installing flow rules into the switches to achieve dynamic network access control. However, SDN is limited in capturing network anomalies, which are usually important signs of security threats. In this paper, we propose to employ anomaly-based Intrusion Detection System (IDS) to capture network anomalies and generate SDN flow rules to enable dynamic network access control. We gain the knowledge of network anomalies from anomaly-based IDS by training an interpretable model to explain its outcome. Based on the explanation, we derive access control policies. We demonstrate the feasibility of our approach by explaining the outcome of an anomaly-based IDS built upon a Recurrent Neural Network (RNN) and generating SDN flow rules based on our explanation.","PeriodicalId":20513,"journal":{"name":"Proceedings of the 2018 ACM International Workshop on Security in Software Defined Networks & Network Function Virtualization","volume":"24 1","pages":""},"PeriodicalIF":0.0,"publicationDate":"2019-03-19","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"87628985","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Ankur Chowdhary, Dijiang Huang, Gail-Joon Ahn, Myong H. Kang, Anya Kim, Alexander Velazquez
The cloud networks managed by SDN can have multi-tier policy and rule conflicts. The application plane can have conflicting user-defined policies, and the infrastructure layer can have OpenFlow rules conflicting with each other. There is no scalable and automated programming framework to detect and resolve multi-tier conflicts in SDN-based cloud networks. We present an object-oriented programming framework, SDN Security Operation Center (SDNSOC), which handles policy composition at the application plane and flow rule conflict detection and resolution at the control plane. We follow the design principles of the object-oriented paradigm, such as code reuse, method abstraction, and aggregation, for the implementation of SDNSOC on a multi-tenant cloud network. The key benefits obtained using this approach are: (i) the network administrator is abstracted from the complex implementation details of SFC; the end-to-end policy composition of different network functions is handled by an object-oriented framework in an automated fashion, and we achieve 37% lower latency in SFC composition compared to the nearest competitors, SICS and PGA; (ii) policy conflict detection between the existing traffic rules and incoming traffic is handled by SDNSOC in a scalable manner; the solution scales well on a large cloud network, and achieves 18% faster security policy conflict detection on a cloud network with 100k OpenFlow rules compared to similar works, Brew and Flowguard.
{"title":"SDNSOC: Object Oriented SDN Framework","authors":"Ankur Chowdhary, Dijiang Huang, Gail-Joon Ahn, Myong H. Kang, Anya Kim, Alexander Velazquez","doi":"10.1145/3309194.3309196","DOIUrl":"https://doi.org/10.1145/3309194.3309196","url":null,"abstract":"The cloud networks managed by SDN can have multi-tier policy and rule conflicts. The application plane can have conflicting user-defined policies, and the infrastructure layer can have OpenFlow rules conflicting with each other. There is no scalable, and, automated programming framework to detect and resolve multi-tier conflicts in SDN-based cloud networks. We present an object-oriented programming framework - SDN Security Operation Center (SDNSOC), which handles policy composition at application plane, flow rule conflict detection and resolution at the control plane. We follow the design principles of object-oriented paradigm such as code-re-utilization, methods abstraction, aggregation for the implementation of SDNSOC on a multi-tenant cloud network. The key benefits obtained using this approach are (i) The network administrator is abstracted from complex-implementation details of SFC. The end-to-end policy composition of different network functions is handled by an object-oriented framework in an automated fashion. We achieve 37% lower latency in SFC composition compared to nearest competitors - SICS and PGA. (ii) Policy conflict detection between the existing traffic rules and incoming traffic is handled by SDNSOC in a scalable manner. The solution scales well on a large cloud network., and 18% faster security policy conflict detection on a cloud network with 100k OpenFlow rules compared to similar works - Brew, and Flowguard.","PeriodicalId":20513,"journal":{"name":"Proceedings of the 2018 ACM International Workshop on Security in Software Defined Networks & Network Function Virtualization","volume":"38 1","pages":""},"PeriodicalIF":0.0,"publicationDate":"2019-03-19","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"80029412","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date: 2019-01-01; DOI: 10.1007/978-3-030-26834-3_6
Ryo Okishima, T. Nakanishi
{"title":"An Anonymous Credential System with Constant-Size Attribute Proofs for CNF Formulas with Negations","authors":"Ryo Okishima, T. Nakanishi","doi":"10.1007/978-3-030-26834-3_6","DOIUrl":"https://doi.org/10.1007/978-3-030-26834-3_6","url":null,"abstract":"","PeriodicalId":20513,"journal":{"name":"Proceedings of the 2018 ACM International Workshop on Security in Software Defined Networks & Network Function Virtualization","volume":"272 1","pages":"89-106"},"PeriodicalIF":0.0,"publicationDate":"2019-01-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"75028313","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date: 2018-09-03; DOI: 10.1007/978-3-319-97916-8_3
Sota Onozawa, N. Kunihiro, M. Yoshino, Ken Naganuma
{"title":"Inference Attacks on Encrypted Databases Based on Order Preserving Assignment Problem","authors":"Sota Onozawa, N. Kunihiro, M. Yoshino, Ken Naganuma","doi":"10.1007/978-3-319-97916-8_3","DOIUrl":"https://doi.org/10.1007/978-3-319-97916-8_3","url":null,"abstract":"","PeriodicalId":20513,"journal":{"name":"Proceedings of the 2018 ACM International Workshop on Security in Software Defined Networks & Network Function Virtualization","volume":"281 1","pages":"35-47"},"PeriodicalIF":0.0,"publicationDate":"2018-09-03","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"77897040","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date: 2018-09-03; DOI: 10.1007/978-3-319-97916-8_15
Yu Sasaki
{"title":"Integer Linear Programming for Three-Subset Meet-in-the-Middle Attacks: Application to GIFT","authors":"Yu Sasaki","doi":"10.1007/978-3-319-97916-8_15","DOIUrl":"https://doi.org/10.1007/978-3-319-97916-8_15","url":null,"abstract":"","PeriodicalId":20513,"journal":{"name":"Proceedings of the 2018 ACM International Workshop on Security in Software Defined Networks & Network Function Virtualization","volume":"114 1","pages":"227-243"},"PeriodicalIF":0.0,"publicationDate":"2018-09-03","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"80774690","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}