Abstract
By virtualizing proprietary physical devices, Network Functions Virtualization (NFV) enables agile and cost-effective deployment of network services on top of a cloud infrastructure. However, the added complexity also increases the chance of incorrect or inconsistent configurations that could leave the services or the infrastructure vulnerable to security threats. Timely identification of such misconfigurations is therefore important for ensuring the security compliance of NFV. A typical solution is to leverage formal-method-based security verification, which provides either a rigorous mathematical proof that all configurations satisfy the required security properties or counterexamples (i.e., the misconfigurations that cause the properties to be breached). A major challenge, however, is that the sheer scale of large NFV environments can make formal security verification so costly that the resulting delay before misconfigurations are identified leaves a large attack window. In this paper, we propose a novel approach, MLFM, that combines the efficiency of Machine Learning (ML) with the rigor of Formal Methods (FM) for fast and provable identification of misconfigurations that violate a security property in NFV. Our key idea is an iterative teacher-learner interaction in which the teacher (FM) gradually, over many iterations, provides more representative training data (verification results), while the learner (ML) leverages that data to gradually obtain a more accurate ML model. As a result, a small portion of the configuration data suffices to obtain a relatively accurate model, which is then applied to the remaining data to prioritize the verification of the configurations most likely to cause violations. We experimentally evaluate our solution and compare it to an existing security verification tool to demonstrate its benefits.
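The teacher-learner loop described in the abstract, as an added illustration that is not the paper's code: the formal verifier is replaced by a cheap stand-in check of an assumed property (sensitive VNFs must not be placed in a shared zone), the learner is a small naive Bayes classifier (the paper does not name its ML model), and the placement records are constructed. The loop verifies a small seed set, trains, and then keeps handing the teacher the unverified configurations the learner scores as most likely to violate the property.

```python
import random
from collections import Counter, defaultdict

# Constructed NFV placement records (an assumption, not data from the paper):
# each entry holds a VNF's type, its deployment zone and its compute host.
VNF_TYPES, ZONES = ["fw", "dpi", "lb", "nat"], ["core", "dmz", "shared"]
HOSTS = [f"h{i}" for i in range(1, 7)]
VOCAB = {"vnf": len(VNF_TYPES), "zone": len(ZONES), "host": len(HOSTS)}
_rng = random.Random(7)  # fixed seed so the constructed sample is reproducible
CONFIGS = [{"vnf": _rng.choice(VNF_TYPES), "zone": _rng.choices(ZONES, [4, 4, 2])[0],
            "host": _rng.choice(HOSTS)} for _ in range(300)]

def teacher_verify(cfg):
    """Stand-in for the costly formal verifier (teacher); True = counterexample."""
    return cfg["vnf"] in ("fw", "dpi") and cfg["zone"] == "shared"  # assumed property

def train(labelled):
    """The learner: categorical naive Bayes (add-one smoothing) fitted to the
    (config, violates) pairs verified so far; returns a violation-likelihood scorer."""
    prior, counts = Counter(), {True: defaultdict(Counter), False: defaultdict(Counter)}
    for cfg, y in labelled:
        prior[y] += 1
        for k, v in cfg.items():
            counts[y][k][v] += 1
    def score(cfg):
        p = {}
        for y in (True, False):
            p[y] = (prior[y] + 1) / (len(labelled) + 2)
            for k, v in cfg.items():
                p[y] *= (counts[y][k][v] + 1) / (prior[y] + VOCAB[k])
        return p[True] / (p[True] + p[False])
    return score

def mlfm_prioritize(configs, seed_size=10, batch=10, rng_seed=1):
    """Teacher-learner loop: verify a small random seed set, train the learner, send
    the most suspicious unverified configs to the teacher next, retrain, repeat."""
    rng = random.Random(rng_seed)
    order = rng.sample(range(len(configs)), seed_size)
    labelled = [(configs[i], teacher_verify(configs[i])) for i in order]
    remaining = [i for i in range(len(configs)) if i not in set(order)]
    while remaining:
        score = train(labelled)  # model improves as verification results accumulate
        remaining.sort(key=lambda i: score(configs[i]), reverse=True)
        nxt, remaining = remaining[:batch], remaining[batch:]
        labelled += [(configs[i], teacher_verify(configs[i])) for i in nxt]
        order += nxt
    return order  # verification order: likely misconfigurations come first

def violations_within(configs, order, n):
    return sum(teacher_verify(configs[i]) for i in order[:n])  # found by first n checks
```

Comparing `violations_within(CONFIGS, mlfm_prioritize(CONFIGS), 60)` with `violations_within(CONFIGS, range(300), 60)` shows how many more misconfigurations the prioritized order surfaces within the same verification budget.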
Acknowledgements
We thank the anonymous reviewers for their valuable comments. This work was supported by the Natural Sciences and Engineering Research Council of Canada and Ericsson Canada under the Industrial Research Chair in SDN/NFV Security and the Canada Foundation for Innovation under JELF Project 38599.
© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG
Oqaily, A., Jarraya, Y., Wang, L., Pourzandi, M., Majumdar, S. (2022). MLFM: Machine Learning Meets Formal Method for Faster Identification of Security Breaches in Network Functions Virtualization (NFV). In: Atluri, V., Di Pietro, R., Jensen, C.D., Meng, W. (eds) Computer Security – ESORICS 2022. ESORICS 2022. Lecture Notes in Computer Science, vol 13556. Springer, Cham. https://doi.org/10.1007/978-3-031-17143-7_23
DOI: https://doi.org/10.1007/978-3-031-17143-7_23
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-17142-0
Online ISBN: 978-3-031-17143-7
eBook Packages: Computer Science; Computer Science (R0)