DOI: 10.1145/3040992.3041005
short-paper

Dynamic Defense Provision via Network Functions Virtualization

Published: 24 March 2017

Abstract

Network Function Virtualization (NFV) is a critical part of a new defense paradigm that provides high flexibility at a lower cost through software-based virtual instances. Despite the promise of NFV, the original Intrusion Detection System (IDS) designed for NFV still draws heavily on processing power and requires significant CPU resources. In this paper, we provide a framework for dynamic defense provision by building in light intrusion detection network functions (NFs) over NFV. Rather than using existing IDSes, our system constructs a light intrusion detection system from a chain of network functions in NFV. The entire IDS is broken down into separate light network functions according to protocol. The intrusion detection NFs cover protocols from the link layer up to the application layer, and include different deep packet inspection NFs for different application layer protocols. The experimental results show that the proposed system reduces resource consumption while performing valid intrusion detection functions.

    Published In

    SDN-NFVSec '17: Proceedings of the ACM International Workshop on Security in Software Defined Networks & Network Function Virtualization
    March 2017
    80 pages
    ISBN:9781450349086
    DOI:10.1145/3040992
    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Author Tags

    1. network attacks
    2. network functions virtualization
    3. security
    4. software-defined networks

    Qualifiers

    • Short-paper

    Conference

    CODASPY '17

    Acceptance Rates

    SDN-NFVSec '17 Paper Acceptance Rate 4 of 10 submissions, 40%;
    Overall Acceptance Rate 11 of 30 submissions, 37%

    Cited By

    • (2023) Automation for Network Security Configuration: State of the Art and Research Trends. ACM Computing Surveys 56:3 (1-37). DOI: 10.1145/3616401. Online publication date: 5-Oct-2023
    • (2022) Summarization and Future Work. Resource Allocation in Network Function Virtualization (129-135). DOI: 10.1007/978-981-19-4815-2_7. Online publication date: 30-Aug-2022
    • (2021) Recent Advances of Resource Allocation in Network Function Virtualization. IEEE Transactions on Parallel and Distributed Systems 32:2 (295-314). DOI: 10.1109/TPDS.2020.3017001. Online publication date: 1-Feb-2021
    • (2020) REAL-GUARD. Proceedings of the 2020 International Conference on Cyberspace Innovation of Advanced Technologies (451-458). DOI: 10.1145/3444370.3444612. Online publication date: 4-Dec-2020
    • (2018) Distributed Security Network Functions against Botnet Attacks in Software-defined Networks. 2018 IEEE Conference on Network Function Virtualization and Software Defined Networks (NFV-SDN) (1-7). DOI: 10.1109/NFV-SDN.2018.8725657. Online publication date: Nov-2018
    • (2018) A Dynamic Composition Mechanism of Security Service Chaining Oriented to SDN/NFV-Enabled Networks. IEEE Access 6 (53918-53929). DOI: 10.1109/ACCESS.2018.2870601. Online publication date: 2018
    • (2017) Application-Centric provisioning of virtual security network functions. 2017 IEEE Conference on Network Function Virtualization and Software Defined Networks (NFV-SDN) (276-279). DOI: 10.1109/NFV-SDN.2017.8169861. Online publication date: Nov-2017
