Pub Date: 2023-06-19 | DOI: 10.1109/NetSoft57336.2023.10175487
Julia Kułacz, Martyna Pawlus, Leonardo Boldrini, P. Grosso
This paper examines the Flexible Algorithm (FlexAlgo) for its potential to enable user-driven path control in intra-domain Segment Routing (SR) enabled networks. FlexAlgo is a relatively new approach to intra-domain routing that allows multiple custom algorithms to coexist within a single domain. This capability has the potential to provide users with greater control over the paths their data takes through a network. The research includes a thorough investigation of the FlexAlgo approach, including an examination of its underlying techniques, as well as a practical implementation of a FlexAlgo-based solution. We depict performed experiments where we implemented FlexAlgo in three different scenarios. We also present how we developed an automated tool for users to control traffic steering using preferred metrics and constraints. The results of this investigation demonstrate the capabilities of FlexAlgo as a means of enabling user-driven path control and therefore increase security and trust of users towards the network.
Title: Investigation of FlexAlgo for User-driven Path Control. Published in: 2023 IEEE 9th International Conference on Network Softwarization (NetSoft).
Pub Date: 2023-06-19 | DOI: 10.1109/NetSoft57336.2023.10175472
Henrique B. Brum, C. R. P. D. Santos, T. Ferreto
Network monitoring is fundamental for the correct and expected functioning of today’s large computer networks, as it allows network operators to identify disruptive flows, such as microbursts and elephant flows. In-band Network Telemetry (INT) has become one of the main tools for collecting network information in recent years. By piggybacking information using data plane packets, INT can deliver real-time network statistics to monitoring applications. However, INT’s fine granularity comes with a high network overhead cost, especially when monitoring high-throughput flows. Knowing this limitation, this paper focuses on accurately collecting network statistics using INT while keeping the telemetry overhead to a minimum for two monitoring applications: microburst and elephant flow detection. To this end, we present DINT, a Dynamic INT algorithm capable of collecting fine-grained network metrics with minimum telemetry overhead that adapts itself to the latest network developments. We evaluated DINT against two other algorithms for the microburst and the elephant flow monitoring scenarios. The evaluation results showed that DINT offers higher adaptability than other techniques, providing a more accurate network view while requiring fewer telemetry data and, consequently, improving the performance of the monitoring applications.
Title: Providing Fine-grained Network Metrics for Monitoring Applications using In-band Telemetry. Published in: 2023 IEEE 9th International Conference on Network Softwarization (NetSoft).
Pub Date: 2023-06-19 | DOI: 10.1109/NetSoft57336.2023.10175397
Csaba Györgyi, S. Laki, Stefan Schmid
Data plane programming gained much attention in the past years, having a fast-growing community both in academia and industry. Many tools have emerged to simplify and/or help the development of reliable data plane programs, including fuzzing, formal verification, and different code generators. However, even the tools themselves must be verified to meet the most stringent dependability requirements. In this paper, we investigate various tools and methods to verify code generators leveraging P4 through the example of P4RROT (an open source code generator focusing on the application layer). We show that our approach is efficient and can indeed successfully find bugs. We identify two bugs and propose reusable ideas, such as the use of ghost code.
Title: Toward Highly Reliable Programmable Data Planes: Verification of P4 Code Generation. Published in: 2023 IEEE 9th International Conference on Network Softwarization (NetSoft).
Pub Date: 2023-06-19 | DOI: 10.1109/NetSoft57336.2023.10175486
Francesco Settanni, L. Regano, C. Basile, A. Lioy
This paper presents an approach to the automatic remediation of threats reported by Cyber Threat Intelligence. Remediation strategies, named Recipes, are expressed in a close-to-natural language for easy validation. Thanks to the developed models, they are interpreted, contextualized, and then translated into CACAO Security playbooks, a standard format ready for automatic enforcement, without human intervention. The presented approach also allows sharing of remediation procedures on threat-sharing platforms (e.g. MISP) which improves the overall security posture. The effectiveness of the approach has been tested in the context of two EC-funded projects.
Title: A Model for Automated Cybersecurity Threat Remediation and Sharing. Published in: 2023 IEEE 9th International Conference on Network Softwarization (NetSoft).
Pub Date: 2023-06-19 | DOI: 10.1109/NetSoft57336.2023.10175490
Tatsuya Otoshi, Masayuki Murata, H. Shimonishi, T. Shimokawa
In 5G, flexible resource management, mainly by base stations, will enable support for a variety of use cases. However, in a situation where a large number of devices exist, such as in mMTC, devices need to allocate resources appropriately in an autonomous decentralized manner. In this paper, autonomous decentralized timeslot allocation is achieved by using a decision model for each device. As a decision model, we propose an extension of the Bayesian Attractor Model (BAM) using Bayesian estimation. The proposed model incorporates a feature of human decision-making called magnitude sensitivity, where the time to decision varies with the sum of the values of all alternatives. This allows the natural introduction of the behavior of making a decision quickly when a time slot is available and waiting otherwise. Simulation-based evaluations show that the proposed method can avoid time slot conflicts during congestion more effectively than conventional Q-learning based time slot selection.
Title: Distributed Timeslot Allocation in mMTC Network by Magnitude-Sensitive Bayesian Attractor Model. Published in: 2023 IEEE 9th International Conference on Network Softwarization (NetSoft).
Pub Date: 2023-06-19 | DOI: 10.1109/NetSoft57336.2023.10175476
Radhika Sukapuram, Sikha Deka
In Multi-access Edge Computing, services are hosted at the edge of the network to reduce latency and congestion. Services comprise Network Functions which provide security and optimize the network, and signalling and data processing functions. Services are chained to constitute Service Function Chains (SFCs). For latency critical applications or when the cloud is inaccessible, we posit that all the services of an SFC must be cached at the edge. Since services may be common across SFCs and require resources, the set of services to evict when the cache is full must be chosen such that as many SFCs as possible have all their services cached. We call this the SFC Cache Replacement Problem (SFC-CRP) and argue that measuring the service hit rate is insufficient. For the first time, we define the problem, quantify how to measure whether all the services of an SFC are cached at the edge and formulate it as an optimization problem. We implement the solution and demonstrate its effectiveness over a simple LRU heuristic by evaluations using datasets which we have derived from real (Alibaba) cluster traces.
Title: Edge Service Caching for Service Function Chains. Published in: 2023 IEEE 9th International Conference on Network Softwarization (NetSoft).
Pub Date: 2023-06-19 | DOI: 10.1109/NetSoft57336.2023.10175459
Daniele Bringhenti, R. Sisto, Fulvio Valenza
Nowadays virtual computer networks are characterized by high dynamism and complexity. However, these features made the traditional manual approaches for network security management error-prone, unoptimized and time-consuming. This paper discusses the research carried out during my Ph.D. program on network security automation. In particular, it presents an approach based on constraint programming that combines automation, formal verification, and optimization for network security management. This approach has been proved to be general enough by means of multiple applications that have been developed. In particular, this paper describes VEREFOO, a framework for the automatic configuration of security functions, and FATO, a framework for the automatic orchestration of security transients. This methodology is extensively evaluated using different metrics and tests, and it has been compared to state-of-the-art solutions and to the requirements of dynamic virtual networks.
Title: Towards Security Automation in Virtual Networks. Published in: 2023 IEEE 9th International Conference on Network Softwarization (NetSoft).
A data processor having an execution unit and which includes a control means having a first and a second control store. The control means has an input for receiving a control store address. In response to the received control store address, the first control store provides sequencing information at a first output for selecting the next control store address. Also, in response to the received control store address, the second control store supplies control information at a second output for controlling the execution unit. The data processor also includes means for receiving a macroinstruction and selection means responsive to the macroinstruction and to the sequencing information for generating the control store address. In a preferred embodiment, the control store address is received by both the input of the first control store and the input of the second control store. Each control word in the first control store has a unique control store address. However, a control word, in the second control store may be selected by many different control store addresses.
Title: Message from the Chairs. Author: D. Kidder. DOI: 10.1109/TIME.2005.27. Listed under: 2023 IEEE 9th International Conference on Network Softwarization (NetSoft).
Pub Date: 2023-06-19 | DOI: 10.1109/NetSoft57336.2023.10175422
Razvan-Mihai Ursu, Johannes Zerwas, Patrick Krämer, Navidreza Asadi, Phil Rodgers, Leon Wong, W. Kellerer
Cluster orchestrators such as Kubernetes (K8s) provide many knobs that cloud administrators can tune to configure their system. However, different configurations lead to different levels of performance, which additionally depend on the application. Hence, finding exactly the best configuration for a given system can be a difficult task. A particularly innovative approach to evaluate configurations and optimize desired performance metrics is the use of Digital Twins (DT). To achieve good results in short time, the models of the cloud network functions underlying the DT must be minimally complex but highly accurate. Developing such models requires detailed knowledge about the system components and their interactions. We believe that a data-driven paradigm can capture the actual behavior of a network function (NF) deployed in the cluster, while decoupling it from internal feedback loops. In this paper, we analyze the HTTP load balancing function as an example of an NF and explore the data-driven paradigm to learn its behavior in a K8s cluster deployment. We develop, implement, and evaluate two approaches to learn the behavior of a state-of-the-art load balancer and show that Machine Learning has the potential to enhance the way we model NF behaviors.
Title: Towards Digital Network Twins: Can we Machine Learn Network Function Behaviors? Published in: 2023 IEEE 9th International Conference on Network Softwarization (NetSoft).