Automated synthesis of NFV topology: A security requirement-oriented design
Authors: A. Jakaria, M. Rahman, Carol J. Fung
Venue: 2017 13th International Conference on Network and Service Management (CNSM)
Publication date: 2017-11-01
DOI: https://doi.org/10.23919/CNSM.2017.8256033
Cyber defense today heavily depends on expensive and proprietary hardware deployed at fixed locations. Network functions virtualization (NFV) reduces the limitations of this vendor-specific hardware by allowing a flexible and dynamic implementation of virtual network functions in virtual machines running on commercial off-the-shelf servers. These network functions can work as a filter to distinguish between a legitimate packet and an attack packet, and can be deployed dynamically to balance the variable attack load. However, allocating resources to these virtual machines is an NP-hard problem. In this work, we propose a solution to this problem and determine the number and placement of the VMs. We design and implement NFVSynth, an automated framework that models the resource specifications, incoming packet processing requirements, and network bandwidth constraints. It uses satisfiability modulo theories (SMT) for modeling this synthesis problem and provides a satisfiable solution. We also present simulated experiments to demonstrate the scalability and usability of the solution.