NFV Anomaly Detection: Case Study through a Security Module

Abstract

Network function virtualization (NFV) is a key networking concept whose benefits include scalability, flexibility, and cost-effective service provisioning. In NFV, service function chains (SFCs) adaptable to customers' needs are created by chaining virtualized network functions (VNFs). VNFs and SFCs are sensitive elements that, if compromised, would affect network security. The detection of compromised VNFs and SFCs is imperative, and although anomaly detection can be used in such a context, there is a lack of research work on the use of anomaly detection in NFV. In this article, we exploit the use of anomaly detection mechanisms to identify suspicious VNFs and SFCs. We introduce, into a widely accepted NFV architecture, an NFV security module (NSM) that, by analyzing VNFs and SFCs' operations, detects anomalies possibly resulting from security attacks. To prove the concept, three mechanisms have been implemented and deployed in NSM to observe how anomaly detection performs, given quantitative and qualitative information. We found out that anomaly detection is effective for VNF and SFC security and, in the case of using entropy as anomaly detection technique, it presents accuracy of up to 98 percent without harming NFV environment operations.