DOI: 10.1145/3626232.3653253
Research article, CODASPY conference proceedings

CCSM: Building Cross-Cluster Security Models for Edge-Core Environments Involving Multiple Kubernetes Clusters

Published: 19 June 2024

Abstract

With the emergence of 5G networks and their large-scale applications such as IoT and autonomous vehicles, telecom operators are increasingly offloading computation closer to customers (i.e., to the edge). Such edge-core environments usually involve multiple Kubernetes clusters, potentially owned by different providers. Confidentiality concerns can prevent those providers from sharing data freely with each other, which makes it challenging to perform common security tasks, such as security verification, across clusters. In this work, we propose a solution for building cross-cluster security models that enable various security analyses while preserving the confidentiality of each cluster. We design a six-step methodology to model both cross-cluster communication and cross-cluster event dependency, and we apply those models to different security use cases. We implement our solution on a 5G edge-core environment that involves multiple Kubernetes clusters, and our experimental results demonstrate its efficiency (e.g., less than 8 seconds of processing time for a model with 3,600 edges and nodes) and accuracy (e.g., more than 96% for cross-cluster event prediction).


Published In

CODASPY '24: Proceedings of the Fourteenth ACM Conference on Data and Application Security and Privacy
June 2024, 429 pages
ISBN: 9798400704215
DOI: 10.1145/3626232
General Chair: João P. Vilela
Program Chairs: Haya Schulmann, Ninghui Li

Publisher

Association for Computing Machinery, New York, NY, United States


Author Tags

5G; cloud computing security; Kubernetes; security model

Conference

CODASPY '24
Overall acceptance rate: 149 of 789 submissions (19%)
