MLFM: Machine Learning Meets Formal Method for Faster Identification of Security Breaches in Network Functions Virtualization (NFV)

  • Conference paper

Part of the book series: Lecture Notes in Computer Science ((LNCS,volume 13556))

Abstract

By virtualizing proprietary physical devices, Network Functions Virtualization (NFV) enables agile and cost-effective deployment of network services on top of a cloud infrastructure. However, the added complexity also increases the chance of incorrect or inconsistent configurations that could leave the services or infrastructure vulnerable to security threats. Therefore, the timely identification of such misconfigurations is important to ensure the security compliance of NFV. In this regard, a typical solution is to leverage formal methods-based security verification, since it can provide either a rigorous mathematical proof that all configurations satisfy the required security properties, or counterexamples (i.e., misconfigurations causing the properties to be breached). However, a major challenge is that the sheer scale of large NFV environments can render formal security verification so costly that the significant delays before misconfigurations can be identified may leave a large attack window. In this paper, we propose a novel approach, MLFM, that combines the efficiency of Machine Learning (ML) and the rigor of Formal Methods (FM) for fast and provable identification of misconfigurations violating a security property in NFV. Our key idea lies in an iterative teacher-learner interaction in which the teacher (FM) gradually (over many iterations) provides more representative training data (verification results), while the learner (ML) leverages such data to gradually obtain more accurate ML models. As a result, a small portion of the configuration data is enough to obtain a relatively accurate ML model. The model is then applied to the remaining data to prioritize the verification of what is more likely to cause violations. We experimentally evaluate our solution and compare it to an existing security verification tool to demonstrate its benefits.
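The teacher-learner loop sketched in the abstract, as an added toy illustration that is not the paper's code: a stand-in verifier (one assumed isolation property, checked per configuration) plays the teacher, a Bernoulli naive Bayes classifier plays the learner, and after each verified batch the still-unverified configurations are re-ranked so that the likely violations are verified first. The configurations, the feature names and the property are all constructed for this example.

```python
# Bit k of a configuration's index sets feature k (constructed data, not real NFV state).
FEATURES = ("admin_state_up", "shared_host", "no_security_group", "cross_tenant_port")


def make_configs():
    """All 16 combinations of the four binary port attributes; the four violating
    ones (both isolation-relevant flags set) happen to sit last in index order."""
    return [{f: bool(i >> k & 1) for k, f in enumerate(FEATURES)} for i in range(16)]


def teacher_verify(cfg):
    """Stand-in for the formal check (assumed property, in the spirit of NFV isolation):
    a port reaching another tenant's network with no security group breaches it."""
    return cfg["cross_tenant_port"] and cfg["no_security_group"]


def train_nb(labeled):
    """Bernoulli naive Bayes with Laplace smoothing over (config, verdict) pairs."""
    pos = [c for c, v in labeled if v]
    neg = [c for c, v in labeled if not v]
    prior = (len(pos) + 1) / (len(labeled) + 2)
    def rate(group, f):
        return (sum(c[f] for c in group) + 1) / (len(group) + 2)
    return prior, {f: (rate(pos, f), rate(neg, f)) for f in FEATURES}


def predict_violation(model, cfg):
    """Posterior probability that the verifier would report a breach for cfg."""
    prior, rates = model
    p_pos, p_neg = prior, 1.0 - prior
    for f in FEATURES:
        r_pos, r_neg = rates[f]
        p_pos *= r_pos if cfg[f] else 1.0 - r_pos
        p_neg *= r_neg if cfg[f] else 1.0 - r_neg
    return p_pos / (p_pos + p_neg)


def mlfm_discovery(configs, seed_size=4, batch=4):
    """Verify a seed batch, train, re-rank the rest, verify the top-ranked batch,
    repeat. Returns the verification count at which each violation was found."""
    unverified = list(range(len(configs)))
    labeled, found_at = [], []
    batch_ids = unverified[:seed_size]
    while unverified:
        for i in batch_ids:
            unverified.remove(i)
            verdict = teacher_verify(configs[i])      # ask the teacher (FM)
            labeled.append((configs[i], verdict))
            if verdict:
                found_at.append(len(labeled))
        model = train_nb(labeled)                     # retrain the learner (ML)
        ranked = sorted(unverified, key=lambda i: predict_violation(model, configs[i]), reverse=True)
        batch_ids = ranked[:batch]                    # verify likely violations first
    return found_at


def sequential_discovery(configs):  # baseline: verify everything in index order
    return [n for n, cfg in enumerate(configs, 1) if teacher_verify(cfg)]
```

On this data the baseline needs all 16 verifications to surface the four violations, while the ranked loop surfaces them at verifications 5 through 8 because the seed batch already teaches the model which attribute values are unusual among compliant configurations.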

Notes

  1. Among existing security verification tools, we do not compare to NFVGuard [44] as it actually forms the basis of our verification component, and we do not compare to TenantGuard [59] as it is based on custom algorithms instead of formal methods.

References

  1. Cloud Security Alliance. https://cloudsecurityalliance.org/research/working-groups/cloud-controls-matrix/. Accessed 11 Sept 2021

  2. ETSI: Network Functions Virtualisation Architectural Framework. https://www.etsi.org/. Accessed 11 Sept 2021

  3. Network Functions Virtualisation (NFV); NFV Security; Problem Statement. https://www.etsi.org/. Accessed 11 Sept 2021

  4. Open Baton. http://openbaton.github.io/. Accessed 11 Sept 2021

  5. Open Platform for NFV. https://www.opnfv.org/. Accessed 11 Sept 2021

  6. Open Source MANO. https://osm.etsi.org/. Accessed 11 Sept 2021

  7. OpenStack. http://www.openstack.org/. Accessed 11 Sept 2021

  8. OpenStack Tacker. http://releases.openstack.org/teams/tacker.html. Accessed 11 Sept 2021

  9. Sugar: a SAT-based Constraint Solver. http://cspsat.gitlab.io/sugar/. Accessed 8 Nov 2021

  10. Verizon launches industry-leading large OpenStack NFV deployment. http://www.openstack.org/news/. Accessed 11 Sept 2021

  11. Barakabitze, A.A., Ahmad, A., Mijumbi, R., Hines, A.: 5G network slicing using SDN and NFV: a survey of taxonomy, architectures and future challenges. Comput. Netw. 167, 106984 (2020)

  12. Ben-Ari, M.: Mathematical Logic for Computer Science. Springer, Heidelberg (2012). https://doi.org/10.1007/978-1-4471-4129-7

  13. Bursell, M., et al.: Network Functions Virtualisation (NFV), NFV security, security and trust guidance, v. 1.1. 1. In: Technical Report, GS NFV-SEC 003. European Telecommunications Standards Institute (2014)

  14. Buss, S., Nordström, J.: Proof complexity and SAT solving. Handb. Satisfiabil. 336, 233–350 (2021)

  15. Chen, T., Guestrin, C.: XGBoost: a scalable tree boosting system. In: Proceedings of the 22nd ACM SIGKDD International Conference on Knowledge Discovery and Data Mining, pp. 785–794 (2016)

  16. Chen, Z., Jiang, F., Cheng, Y., Gu, X., Liu, W., Peng, J.: XGBoost classifier for DDoS attack detection and analysis in SDN-based cloud. In: IEEE International Conference on Big Data and Smart Computing (BigComp), pp. 251–256 (2018)

  17. Danka, T., Horvath, P.: modAL: a modular active learning framework for Python. arXiv preprint arXiv:1805.00979 (2018)

  18. Eén, N., Sörensson, N.: An extensible SAT-solver. In: Giunchiglia, E., Tacchella, A. (eds.) SAT 2003. LNCS, vol. 2919, pp. 502–518. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24605-3_37

  19. Ezudheen, P., Neider, D., D'Souza, D., Garg, P., Madhusudan, P.: Horn-ICE learning for synthesizing invariants and contracts. In: Proceedings of the ACM on Programming Languages, vol. 2(OOPSLA), pp. 1–25 (2018)

  20. Fayazbakhsh, S.K., Reiter, M.K., Sekar, V.: Verifiable network function outsourcing: requirements, challenges, and roadmap. In: Proceedings of the 2013 Workshop on Hot Topics in Middleboxes and Network Function Virtualization, pp. 25–30 (2013)

  21. Flittner, M., Scheuermann, J.M., Bauer, R.: Chainguard: controller-independent verification of service function chaining in cloud computing. In: IEEE Conference on Network Function Virtualization and Software Defined Networks, pp. 1–7 (2017)

  22. Garg, P., Löding, C., Madhusudan, P., Neider, D.: ICE: a robust framework for learning invariants. In: Biere, A., Bloem, R. (eds.) CAV 2014. LNCS, vol. 8559, pp. 69–87. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-08867-9_5

  23. Gong, W., Zhou, X.: A survey of SAT solvers. In: Proceedings of AIP Conference, vol. 1836, p. 020059. AIP Publishing LLC (2017)

  24. IEC ISO Std: ISO 27017. Information technology-Security techniques (DRAFT) (2012)

  25. IETF, SFC: Internet Engineering Task, SFC Active WG Working Group Documents (2020). https://www.redhat.com/en/blog/2018-year-open-source-networking-csps

  26. Jayaraman, K., Bjørner, N., Outhred, G., Kaufman, C.: Automated analysis and debugging of network connectivity policies. Micros. Res., 1–11 (2014)

  27. Kazemian, P., Chang, M., Zeng, H., Varghese, G., McKeown, N., Whyte, S.: Real time network policy checking using header space analysis. In: 10th USENIX Symposium on Networked Systems Design and Implementation (NSDI 2013), pp. 99–111 (2013)

  28. Kotulski, Z., et al.: Towards constructive approach to end-to-end slice isolation in 5G networks. EURASIP J. Inf. Secur. 2018(1), 1–23 (2018). https://doi.org/10.1186/s13635-018-0072-0

  29. Kramer, O.: Scikit-learn. In: Machine Learning for Evolution Strategies. SBD, vol. 20, pp. 45–53. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-33383-0_5

  30. Thirunavukkarasu, S.L., et al.: Modeling NFV deployment to identify the cross-level inconsistency vulnerabilities. In: IEEE CloudCom (2019)

  31. Lopes, N.P., Bjørner, N., Godefroid, P., Jayaraman, K., Varghese, G.: Checking beliefs in dynamic networks. In: 12th USENIX Symposium on Networked Systems Design and Implementation (NSDI 2015), pp. 499–512 (2015)

  32. Madi, T., et al.: ISOTOP: auditing virtual networks isolation across cloud layers in OpenStack. ACM Trans. Priv. Secur. (TOPS) 22(1), 1–35 (2018)

  33. Madi, T., Majumdar, S., Wang, Y., Jarraya, Y., Pourzandi, M., Wang, L.: Auditing security compliance of the virtualized infrastructure in the cloud: application to OpenStack. In: Proceedings of the Sixth ACM Conference on Data and Application Security and Privacy, pp. 195–206 (2016)

  34. Maji, P., Mullins, R.: On the reduction of computational complexity of deep convolutional neural networks. Entropy 20(4), 305 (2018)

  35. Majumdar, S., et al.: Proactive verification of security compliance for clouds through pre-computation: application to OpenStack. In: Askoxylakis, I., Ioannidis, S., Katsikas, S., Meadows, C. (eds.) ESORICS 2016. LNCS, vol. 9878, pp. 47–66. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-45744-4_3

  36. Majumdar, S., et al.: LeaPS: learning-based proactive security auditing for clouds. In: Foley, S.N., Gollmann, D., Snekkenes, E. (eds.) ESORICS 2017. LNCS, vol. 10493, pp. 265–285. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-66399-9_15

  37. Majumdar, S., et al.: Security compliance auditing of identity and access management in the cloud: application to OpenStack. In: IEEE 7th International Conference on Cloud Computing Technology and Science, pp. 58–65 (2015)

  38. Majumdar, S., et al.: User-level runtime security auditing for the cloud. IEEE Trans. Inf. Forensics Secur. 13(5), 1185–1199 (2017)

  39. Marchetto, G., Sisto, R., Yusupov, J., Ksentini, A.: Virtual network embedding with formal reachability assurance. In: 14th International Conference on Network and Service Management, pp. 368–372 (2018)

  40. Mohamed, A.E.: Comparative study of four supervised machine learning techniques for classification. Inf. J. Appl. Sci. Technol. 7(2), 1–15 (2017)

  41. Monard, M.C., Batista, G.E.: Learning with skewed class distributions. Adv. Logic Artif. Intell. Robotics: LAPTEC 85(2002), 173 (2002)

  42. Neutatz, F., Mahdavi, M., Abedjan, Z.: Ed2: a case for active learning in error detection. In: Proceedings of the 28th ACM International Conference on Information and Knowledge Management, pp. 2249–2252 (2019)

  43. OpenStack Training Labs: OpenStack Training Labs. https://wiki.openstack.org/wiki/Documentation/training-labs

  44. Oqaily, A., et al.: NFVGuard: verifying the security of multilevel network functions virtualization (NFV) stack. In: 2020 IEEE International Conference on Cloud Computing Technology and Science, pp. 33–40. IEEE (2020)

  45. Quinn, P., Nadeau, T.: RFC 7948, problem statement for service function chaining. Internet Engineering Task Force (IETF) (2015)

  46. Ren, S., Zhang, X.: Synthesizing conjunctive and disjunctive linear invariants by K-means++ and SVM. Int. Arab J. Inf. Technol. 17(6), 847–856 (2020)

  47. Sani, H.M., Lei, C., Neagu, D.: Computational complexity analysis of decision tree algorithms. In: Bramer, M., Petridis, M. (eds.) SGAI 2018. LNCS (LNAI), vol. 11311, pp. 191–197. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-04191-5_17

  48. Sassi, I., Anter, S., Bekkhoucha, A.: A graph-based big data optimization approach using hidden markov model and constraint satisfaction problem. J. Big Data 8(1), 1–29 (2021)

  49. Schear, N., Cable II, P.T., Moyer, T.M., Richard, B., Rudd, R.: Bootstrapping and maintaining trust in the cloud. In: Proceedings of the 32nd Annual Conference on Computer Security Applications, pp. 65–77 (2016)

  50. Settles, B.: Active learning literature survey (2009)

  51. Shin, M.K., Choi, Y., Kwak, H.H., Pack, S., Kang, M., Choi, J.Y.: Verification for NFV-enabled network services. In: ICTC (2015)

  52. Souri, A., Navimipour, N.J., Rahmani, A.M.: Formal verification approaches and standards in the cloud computing: a comprehensive and systematic review. Comput. Stand. Interfaces 58, 1–22 (2018)

  53. NIST: SP 800-53, Recommended security controls for federal information systems (2003)

  54. Spinoso, S., Virgilio, M., John, W., Manzalini, A., Marchetto, G., Sisto, R.: Formal verification of virtual network function graphs in an SP-devops context. In: Dustdar, S., Leymann, F., Villari, M. (eds.) ESOCC 2015. LNCS, vol. 9306, pp. 253–262. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-24072-5_18

  55. Tamura, N., Banbara, M.: Sugar: a CSP to SAT translator based on order encoding. In: Proceedings of the Second International CSP Solver Competition (2008)

  56. Tschaen, B., Zhang, Y., Benson, T., Banerjee, S., Lee, J., Kang, J.M.: SFC-Checker: checking the correct forwarding behavior of service function chaining. In: IEEE Conference on Network Function Virtualization and Software Defined Networks (NFV-SDN), pp. 134–140 (2016)

  57. Vizel, Y., Gurfinkel, A., Shoham, S., Malik, S.: IC3 - flipping the E in ICE. In: Bouajjani, A., Monniaux, D. (eds.) VMCAI 2017. LNCS, vol. 10145, pp. 521–538. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-52234-0_28

  58. Wang, Y., Li, Z., Xie, G., Salamatian, K.: Enabling automatic composition and verification of service function chain. In: IEEE/ACM 25th International Symposium on Quality of Service (IWQoS), pp. 1–5 (2017)

  59. Wang, Y., et al.: TenantGuard: scalable runtime verification of cloud-wide VM-level network isolation. In: The Network and Distributed System Security Symposium (2017)

  60. Zhang, X., Li, Q., Wu, J., Yang, J.: Generic and agile service function chain verification on cloud. In: IEEE/ACM 25th International Symposium on Quality of Service, pp. 1–10 (2017)

  61. Zhang, Y., Wu, W., Banerjee, S., Kang, J.M., Sanchez, M.A.: SLA-Verifier: stateful and quantitative verification for service chaining. In: IEEE INFOCOM 2017 - IEEE Conference on Computer Communications, pp. 1–9 (2017)

Acknowledgements

We thank the anonymous reviewers for their valuable comments. This work was supported by the Natural Sciences and Engineering Research Council of Canada and Ericsson Canada under the Industrial Research Chair in SDN/NFV Security and the Canada Foundation for Innovation under JELF Project 38599.

Author information

Correspondence to Alaa Oqaily or Lingyu Wang.

Appendix

Table 1. Examples of NFV security properties [44]

Fig. 11. The MLFM system architecture

Copyright information

© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper

Cite this paper

Oqaily, A., Jarraya, Y., Wang, L., Pourzandi, M., Majumdar, S. (2022). MLFM: Machine Learning Meets Formal Method for Faster Identification of Security Breaches in Network Functions Virtualization (NFV). In: Atluri, V., Di Pietro, R., Jensen, C.D., Meng, W. (eds) Computer Security – ESORICS 2022. ESORICS 2022. Lecture Notes in Computer Science, vol 13556. Springer, Cham. https://doi.org/10.1007/978-3-031-17143-7_23

  • DOI: https://doi.org/10.1007/978-3-031-17143-7_23

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-17142-0

  • Online ISBN: 978-3-031-17143-7
