
Latest papers: Proceedings of the 2021 ACM International Workshop on Software Defined Networks & Network Function Virtualization Security

TEE-based Privacy-Preserve in Collaborative Traffic Policy Compilation for Programmable Devices
A. C. Risdianto, E. Chang
Maintaining the integrity of network devices policy across a different organization is very challenging since the devices are shared for multiple traffic forwarding purposes, including public Internet access. An organization's administrator can put unnecessary (i.e., wrong) policy that may leak the private traffic between the organizations to a public network. It can be avoided by exchanging the network traffic policy between the organizations but keeping the confidentiality of the policies among them (i.e., to avoid honest-but-curious adversary) is very challenging. Furthermore, there is also no guarantee that the policy is properly enforced into the network device. An administrator can intentionally put malicious policies that allow the attacker to enter the organization's network (i.e., malicious adversary). This paper proposed a cross-organization network traffic policy compilation that preserves the policy privacy and ensures its enforcement to the network devices. It utilizes a trusted execution environment (TEE) to compile the high-level traffic policies into low-level rules for the programmable network device. Then, the rules are easily pushed and optimized by using hardware programming abstraction.
DOI: https://doi.org/10.1145/3445968.3452091 | Published: 2021-04-28 | Citations: 0
A Survey on the Verification of Adversarial Data Planes in Software-Defined Networks
Conor Black, Sandra Scott-Hayward
As network policies are becoming increasingly nuanced and complex, so too are the mechanisms required to ensure that the network is functioning as intended. In particular, since the dawn of software-defined networking and the shift towards high-level descriptions of intended network policy, traditional tools such as ping and traceroute have been insufficient to test that complex data plane configurations have been correctly implemented. As a result, novel data plane verification solutions have been proposed that use formal methods to ensure that network policies are adhered to and that the data plane is free of bugs. While the number of these verification solutions continues to grow, only a few are equipped to verify the data plane when a malicious adversary is present. As research continues to expand the remit of data plane functionality, these solutions may become key to securing an increasingly valuable attack target. In this survey, we review the work that has been dedicated to preventing and detecting attacks on data planes in software-defined networks and discuss some of the unsolved problems in this field that must be addressed in future adversarial verification solutions.
DOI: https://doi.org/10.1145/3445968.3452092 | Published: 2021-04-28 | Citations: 7
Towards a Blockchain-SDN Architecture for Secure and Trustworthy 5G Massive IoT Networks
Akram Hakiri, Behnam Dezfouli
The emerging 5G mobile network is a prominent technology for addressing networking related challenges of Internet of Things (IoT). The forthcoming 5G is expected to allow low-power massive IoT devices to produce high volumes of data that can be transmitted over ultra-reliable, low-latency wireless communication services. However, IoT systems encounter several security and privacy issues to prevent unauthorized access to IoT nodes. To address these challenges, this paper introduces a novel blockchain-based architecture that leverages Software Defined Network (SDN) and Network Function Virtualization (NFV) for securing IoT transactions. A novel security appliance is introduced in a form of Virtualized Network Functions (VNFs) for improving the scalability and performance of IoT networks. Then, we introduce a novel consensus algorithm to detect and report suspected IoT nodes and mitigate malicious traffic. We evaluate and compare our proposed solution against three well-known consensus algorithms, i.e., Proof of Work (PoW), Proof of Elapsed Time (PoET), and Proof of Stake (PoS). We demonstrate that the proposed solution provides substantially lower latency and higher throughput as well as trustworthy IoT communication.
DOI: https://doi.org/10.1145/3445968.3452090 | Published: 2021-04-28 | Citations: 17
Security-focused Networks of the Future
Sandra Scott-Hayward
Network attack and data breach statistics are abundant; from the 2020 Cisco Annual Internet Report citing an anticipated increase in Distributed Denial-of-Service (DDoS) attacks from 7.9 million in 2018 to 15.4 million by 2023, to almost daily reports of data breaches, hackers targeting network device vulnerabilities, attacks on network services etc. This is, of course, unsurprising. Our lives are increasingly reliant on communication networks. In 2020, because of the COVID-19 pandemic, we have seen the accelerated provision of health services in the home and an increased prevalence of home schooling and working. This has placed a significant burden on our home networks, one which cyber-criminals have been only too eager to exploit. The challenge to protect network users extends from there. So, what does cyber security look like in the networks of the future? The emergence of technologies such as Software-Defined Networking (SDN), Network Functions Virtualization (NFV), and Multi-Access Edge Computing (MEC) enable innovation in network security, but these technologies create additional attack surfaces. Dramatic advances in Machine Learning (ML) and Artificial Intelligence (AI) techniques are influencing security services and design for security, but they can also be exploited to produce sophisticated attacks. How can we leverage these technologies while managing the challenge of the attacker to better protect, secure and maintain resilient networks? Can we deliver scalable, analytics-based, security-focused network orchestration and management? This talk will introduce our latest research addressing these challenging questions, present developments in the field, and discuss future research directions.
DOI: https://doi.org/10.1145/3445968.3456870 | Published: 2021-04-28 | Citations: 0
Proceedings of the 2021 ACM International Workshop on Software Defined Networks & Network Function Virtualization Security
DOI: https://doi.org/10.1145/3445968 | Citations: 1