-
Attaining High Bandwidth In Cloud Computing Through SDN-enabled Multi-tree Multicast
Authors:
Sayantan Guha,
Adel Alshamrani
Abstract:
Achieving high bandwidth utilization in cloud computing is essential for better network performance. However, it is difficult to attain high bandwidth utilization in cloud computing due to the complex and distributed nature of cloud computing resources. Recently, a growing demand for multicast transmission has been perceived in cloud computing, due to the explosive growth of multi-point communication applications such as video conferencing and online gaming. Nonetheless, because of the inherent complexity of multicast routing in cloud computing, existing multicast plans have failed to produce effective and efficient protocol schemes, which limits the application of multicast communication on the Internet. In this paper, a technique is proposed showing how the newly developed network architecture, Software Defined Networking (SDN), can promote the design of the multicast protocol and improve the performance of multicast transmission in cloud computing. The approach is to use an SDN-enabled, cloud-computing-enabled multicast communication scheme with ultra-high bandwidth utilization. Bandwidth utilization is enhanced by measuring various routing trees for each multicast transmission session and distributing the traffic load over all available routes in the cloud computing resources. SDN is utilized to tackle various design hurdles in cloud computing, including both the existing ones of the conventional multicast pattern and the newly emerged ones of multi-tree multicast. The prototype implementation and experiments demonstrate the performance enhancement of the proposed approach in cloud computing compared to conventional single-tree multicast designs.
Submitted 6 August, 2020;
originally announced August 2020.
-
A Survey of Moving Target Defenses for Network Security
Authors:
Sailik Sengupta,
Ankur Chowdhary,
Abdulhakim Sabur,
Adel Alshamrani,
Dijiang Huang,
Subbarao Kambhampati
Abstract:
Network defenses based on traditional tools, techniques, and procedures fail to account for the attacker's inherent advantage arising from the static nature of network services and configurations. To take away this asymmetric advantage, Moving Target Defense (MTD) continuously shifts the configuration of the underlying system, in turn reducing the success rate of cyberattacks. In this survey, we analyze the recent advancements made in the development of MTDs and define categorizations that capture the key aspects of such defenses. We first categorize these defenses into different sub-classes depending on what they move, when they move and how they move. In trying to answer the latter question, we show how the use of domain knowledge and game-theoretic modeling can help the defender come up with effective and efficient movement strategies. Second, to understand the practicality of these defense methods, we discuss how various MTDs have been implemented and find that networking technologies such as Software Defined Networking and Network Function Virtualization act as key enablers for implementing these dynamic defenses. We then briefly highlight MTD test-beds and case studies to aid readers who want to examine or deploy existing MTD techniques. Third, our survey categorizes proposed MTDs based on the qualitative and quantitative metrics they utilize to evaluate their effectiveness in terms of security and performance. We use well-defined metrics such as risk analysis and performance costs for qualitative evaluation, and metrics based on Confidentiality, Integrity, Availability (CIA), attack representation, QoS impact, and targeted threat models for quantitative evaluation. Finally, we show that our categorization of MTDs is effective in identifying novel research areas and highlight directions for future research.
Submitted 20 March, 2020; v1 submitted 2 May, 2019;
originally announced May 2019.
-
SUPC: SDN enabled Universal Policy Checking in Cloud Network
Authors:
Ankur Chowdhary,
Adel Alshamrani,
Dijiang Huang
Abstract:
Multi-tenant cloud networks have various security and monitoring service functions (SFs) that constitute a service function chain (SFC) between two endpoints. SF rule ordering overlaps and policy conflicts can cause increased latency, service disruption and security breaches in cloud networks. Software Defined Network (SDN) based Network Function Virtualization (NFV) has emerged as a solution that allows dynamic SFC composition and traffic steering in a cloud network. We propose an SDN enabled Universal Policy Checking (SUPC) framework that provides 1) flow composition and ordering, by translating various SF rules into the OpenFlow format, which ensures the elimination of redundant rules and policy compliance in the SFC; and 2) flow conflict analysis, to identify conflicts in header space and actions between various SF rules. Our results show a significant reduction in SF rules on composition. Additionally, our conflict checking mechanism was able to identify several rule conflicts that pose security, efficiency, and service availability issues in the cloud network.
Submitted 1 November, 2018;
originally announced November 2018.
-
Adaptive MTD Security using Markov Game Modeling
Authors:
Ankur Chowdhary,
Sailik Sengupta,
Adel Alshamrani,
Dijiang Huang,
Abdulhakim Sabur
Abstract:
Large-scale cloud networks consist of distributed networking and computing elements that process critical information, and thus security is a key requirement for any such environment. Unfortunately, assessing the security state of such networks is a challenging task, and the tools used in the past by security experts, such as packet filtering, firewalls, Intrusion Detection Systems (IDS), etc., provide only a reactive security mechanism. In this paper, we introduce a Moving Target Defense (MTD) based proactive security framework for monitoring attacks, which lets us identify and reason about multi-stage attacks that target software vulnerabilities present in a cloud network. We formulate the multi-stage attack scenario as a two-player zero-sum Markov Game (between the attacker and the network administrator) on attack graphs. The rewards and transition probabilities are obtained by leveraging the expert knowledge present in the Common Vulnerability Scoring System (CVSS). Our framework identifies an attacker's optimal policy and places countermeasures to ensure that this attack policy is always detected, thus forcing the attacker to use a sub-optimal policy with higher cost.
Submitted 1 November, 2018;
originally announced November 2018.
-
TRUFL: Distributed Trust Management framework in SDN
Authors:
Ankur Chowdhary,
Adel Alshamrani,
Dijiang Huang,
Myong Kang,
Anya Kim,
Alexander Velazquez
Abstract:
Software Defined Networking (SDN) has emerged as a revolutionary paradigm to manage cloud infrastructure. SDN lacks a scalable trust setup and verification mechanism between Data Plane and Control Plane elements, among Control Plane elements, and between the Control Plane and the Application Plane. Trust management schemes like Public Key Infrastructure (PKI), as currently used in SDN, are slow for trust establishment in a larger cloud environment. We propose a distributed trust mechanism, TRUFL, to establish and verify trust in SDN. The distributed framework utilizes parallelism in trust management, which in effect yields faster transfer rates and reduced latency compared to centralized trust management. The TRUFL framework scales well with the number of OpenFlow rules when compared to existing research works.
Submitted 15 March, 2019; v1 submitted 1 November, 2018;
originally announced November 2018.
-
SDFW: SDN-based Stateful Distributed Firewall
Authors:
Ankur Chowdhary,
Dijiang Huang,
Adel Alshamrani,
Abdulhakim Sabur,
Myong Kang,
Anya Kim,
Alexander Velazquez
Abstract:
SDN provides a programmable command and control networking system in a multi-tenant cloud network using control and data plane separation. However, separating the control and data planes makes it difficult to incorporate some security services (e.g., firewalls) into the SDN framework. Most of the existing solutions use SDN switches as packet filters and rely on SDN controllers to implement firewall policy management functions, which is impractical for implementing stateful firewalls since SDN switches only send a session's initial packets and statistical data of flows to their controllers. For a data center networking environment, applying a Distributed FireWall (DFW) system to prevent an attacker's lateral movement is highly desired; designing and implementing an SDN-based Stateful DFW (SDFW) in such an environment demands a scalable distributed state management solution at the data plane to track packet and flow states. Our performance results show that SDFW achieves scalable security against data plane attacks with a marginal performance hit of roughly a 1.6% reduction in network bandwidth.
Submitted 1 November, 2018;
originally announced November 2018.
-
Towards Refactoring DMARF and GIPSY OSS
Authors:
Aaradhna Goyal,
Ali Alshamrani,
Dhivyaa Nandakumar,
Dileep Vanga,
Dmitriy Fingerman,
Parul Gupta,
Riya Ray,
Srikanth Suryadevara
Abstract:
We present here an exploratory and investigatory study of the requirements, design, and implementation of two open-source software systems: the Distributed Modular Audio Recognition Framework (DMARF) and the General Intensional Programming System (GIPSY). The inception, development, and evolution of the two systems have overlapped, both in terms of the developers involved and in their applications. DMARF is a platform-independent collection of algorithms for pattern recognition, identification and signal processing in audio and natural language text samples; it has become a rich platform for the research community in particular to use, test, and compare various algorithms in the broad field of pattern recognition and machine learning. Intended as a platform for intensional programming, GIPSY was conceived to push the field of intensional programming further, overcoming limitations in the tools available two decades ago. In this study, we present background research into the two systems and elaborate on their motivations and the requirements that drove and shaped their design and implementation. We subsequently elaborate in more depth on various aspects of their architectural design, including the elucidation of some use cases, domain models, and the overall class diagram of the major components. Moreover, we investigated existing design patterns in both systems and provide a detailed view of the components involved in such patterns. Furthermore, we delve deeper into the internals of both systems, identifying code smells and suggesting possible refactorings. Implementations of selected refactorings have been collected into patchsets and could be committed into future releases of the two systems, pending review and approval by the developers and maintainers of DMARF and GIPSY.
Submitted 25 November, 2014; v1 submitted 14 October, 2014;
originally announced October 2014.