Microservice-based Architectures Research Articles

An intelligent native network slicing security architecture empowered by federated learning

Network Slicing (NS) has transformed the landscape of resource sharing in networks, offering flexibility to support services and applications with highly variable requirements in areas such as the next-generation 5G/6G mobile networks (NGMN), vehicular networks, industrial Internet of Things (IoT), and verticals. Although significant research and experimentation have driven the development of network slicing, existing architectures often fall short in intrinsic architectural intelligent security capabilities. This paper proposes an architecture-intelligent security mechanism to improve the NS solutions. We idealized a security-native architecture that deploys intelligent microservices as federated agents based on machine learning, providing intra-slice and architectural operation security for the Slicing Future Internet Infrastructures (SFI2) reference architecture. It is noteworthy that federated-learning approaches match the highly distributed modern microservice-based architectures, thus providing a unifying and scalable design choice for NS platforms addressing both service and security. Using ML-Agents and Security Agents, our approach identified Distributed Denial-of-Service (DDoS) and intrusion attacks within the slice using generic and non-intrusive telemetry records, achieving an average accuracy of approximately 95.60% in the network slicing architecture and 99.99% for the deployed slice – intra-slice. This result demonstrates the potential for leveraging architectural operational security and introduces a promising new research direction for network slicing architectures.

Model-based reinforcement learning for service mesh fault resiliency in a web application-level

Microservice-based architectures enable different aspects of applications to be created and updated independently, even after deployment. Associated technologies such as service mesh provide fault resiliency through attribute configurations that govern self-adaptive application-level behavior in response to failures, in a manner transparent to the application and constituent microservices. While this provides tremendous flexibility, the configured values of these attributes and the relationships among them can significantly affect the performance and fault resilience of the overall application. It is thus important to perform fault injection and load testing on the application, prior to full deployment. However, given a large number of possible attribute combinations and the complexities of the distributed system underlying microservices and service mesh architectures, it is virtually impossible to determine through traditional software development practices the worst combinations of attribute values and load settings with respect to self-adaptive application-level fault resiliency. To this end, we present a model-based reinforcement learning approach that determines the combinations of attribute and load settings that result in the most significant fault resilience behaviors at an application level. We validate our approach through a case study on a simple request-response service using the Istio service mesh. Our analysis shows that, even for a simple service, our model-based reinforcement learning approach outperforms a baseline selection of action parameters. Further, we show that communicative multi-agent reinforcement learning improves the performance of both the non-communicative single and multi-agent learning paradigms.

KubeHound: Detecting Microservices’ Security Smells in Kubernetes Deployments

As microservice-based architectures are increasingly adopted, microservices security has become a crucial aspect to consider for IT businesses. Starting from a set of “security smells” for microservice applications that were recently proposed in the literature, we enable the automatic detection of such smells in microservice applications deployed with Kubernetes. We first introduce possible analysis techniques to automatically detect security smells in Kubernetes-deployed microservices. We then demonstrate the practical applicability of the proposed techniques by introducing KubeHound, an extensible prototype tool for automatically detecting security smells in microservice applications, and which already features a selected subset of the discussed analyses. We finally show that KubeHound can effectively detect instances of security smells in microservice applications by means of controlled experiments and by applying it to existing, third-party applications.

Blockchain-Based Services Implemented in a Microservices Architecture Using a Trusted Platform Module Applied to Electric Vehicle Charging Stations

Microservice architectures exploit container-based virtualized services, which rarely use hardware-based cryptography. A trusted platform module (TPM) offers a hardware root for trust in services that makes use of cryptographic operations. The virtualization of this hardware module offers high usability for other types of service that require TPM functionalities. This paper proposes the design of TPM virtualization in a container. To ensure integrity, different mechanisms, such as attestation and sealing, have been developed for the binaries and libraries stored in the container volumes. Through a REST API, the container offers the functionalities of a TPM, such as key generation and signing. To prevent unauthorized access to the container, this article proposes an authentication mechanism based on tokens issued by the Cognito Amazon Web Service. As a proof of concept and applicability in industry, a use case for electric vehicle charging stations using a microservice-based architecture is proposed. Using the EOS.IO blockchain to maintain a copy of the data, the virtualized TPM microservice provides the cryptographic operations necessary for blockchain transactions. Through a two-factor authentication mechanism, users can access the data. This scenario shows the potential of using blockchain technologies in microservice-based architectures, where microservices such as the virtualized TPM fill a security gap in these architectures.

Offline Mining of Microservice-Based Architectures (Extended Version)

Designing applications adhering to the key design principles of microservice-based architectures (MSAs) enables fully exploiting the potentials of cloud computing platforms. A specification of an application’s MSA can help determining whether it adheres to such principles, and reasoning on how to refactor it when this is not the case. However, manually generating such a specification is complex and costly, mainly due to the multitude of heterogeneous software services and service interactions forming an MSA. The main objective of this article is to automate the generation of the specification of an existing MSA. We introduce an offline technique for automatically mining the specification of an MSA from its Kubernetes deployment. The mined MSA is expressed in muTOSCA, a microservice-oriented profile of the OASIS standard TOSCA. We also provide an open-source prototype implementation of the proposed mining technique, called muTOM. Four case studies based on four different third-party applications show that our technique can effectively mine the MSAs of existing applications, being it more accurate than its state-of-the-art competitor. The proposed offline mining technique can help researchers and practitioners working with microservices, by enabling them to automatically mine the MSAs of their applications. The obtained MSAs can then be visualised and analysed with existing tools to enhance their adherence to the key design principles of MSAs.

ANALYSIS OF MONOLITHIC AND MICROSERVICE ARCHITECTURES FEATURES AND METRICS

In this paper the information technologies stack is presented. Thesetechnologies are used during network architecture deployment. The analysis of technological advantages and drawbacks under investigation for monolithic and network architectures will be useful during of cyber security analysis in telecom networks. The analysis of the main numeric characteristics was carried out with the aid of Kubectl. The results of a series of numerical experiments on the evaluation of the response speed to requests and the fault tolerance are presented. The characteristics of the of monolithic and microservice-based architectures scalability are under investigation. For the time series sets, which characterize the network server load, the value of the Hurst exponent was calculated.
 The research main goal is the monolithic and microservice architecture main characteristics analysis, time series data from the network server accruing, and their statistical analysis.
 The methodology of Kubernetes clusters deploying using Minikube, Kubectl, Docker has been used. Application deploy on AWS ECS virtual machine with monolithic architecture and on the Kubernetes cluster (AWS EKS) were conducted.
 The investigation results gives us the confirmation, that the microservices architecture would be more fault tolerance and flexible in comparison with the monolithic architecture. Time series fractal analysis on the server equipment load showed the presence of long-term dependency, so that we can treat the traffic implementation as a self-similar process.
 The scientific novelty of the article lies in the application of fractal analysis to real time series: use of the kernel in user space, kernel latency, RAM usage, caching of RAM collected over 6 months with a step of 10 seconds, establishing a long-term dependence of time series data.
 The practical significance of the research is methodology creation of the monolithic and microservice architectures deployment and exploitation, as well as the use of time series fractal analysis for the network equipment load exploration.

A method for monitoring the coupling evolution of microservice-based architectures

The microservice architecture is claimed to satisfy ongoing software development demands, such as resilience, flexibility, and velocity. However, developing applications based on microservices also brings some drawbacks, such as the increased software operational complexity. Recent studies have also pointed out the lack of methods to prevent problems related to the maintainability of these solutions. Disregarding established design principles during the software evolution may lead to the so-called architectural erosion, which can end up in a condition of unfeasible maintenance. As microservices can be considered a new architecture style, there are few initiatives to monitoring the evolution of software microservice-based architectures. In this paper, we introduce the SYMBIOTE method for monitoring the coupling evolution of microservice-based systems. More specifically, this method collects coupling metrics during runtime (staging or production environments) and monitors them throughout software evolution. The longitudinal analysis of the collected measures allows detecting an upward trend in coupling metrics that could represent signs of architectural degradation. To develop the proposed method, we performed an experimental analysis of the coupling metrics behavior using artificially generated data. The results of these experiment revealed the metrics behavior in different scenarios, providing insights to develop the analysis method for the identification of architectural degradation. We evaluated the SYMBIOTE method in a real-case open source project called Spinnaker. The results obtained in this evaluation show the relationship between architectural changes and upward trends in coupling metrics for most of the analyzed release intervals. Therefore, the first version of SYMBIOTE has shown potential to detect signs of architectural degradation during the evolution of microservice-based architectures.

Automated Analysis of Distributed Tracing: Challenges and Research Directions

Microservice-based architectures are gaining popularity for their benefits in software development. Distributed tracing can be used to help operators maintain observability in this highly distributed context, and find problems such as latency, and analyse their context and root cause. However, exploring and working with distributed tracing data is sometimes difficult due to its complexity and application specificity, volume of information and lack of tools. The most common and general tools available for this kind of data, focus on trace-level human-readable data visualisation. Unfortunately, these tools do not provide good ways to abstract, navigate, filter and analyse tracing data. Additionally, they do not automate or aid with trace analysis, relying on administrators to do it themselves. In this paper we propose using tracing data to extract service metrics, dependency graphs and work-flows with the objective of detecting anomalous services and operation patterns. We implemented and published open source prototype tools to process tracing data, conforming to the OpenTracing standard, and developed anomaly detection methods. We validated our tools and methods against real data provided by a major cloud provider. Results show that there is an underused wealth of actionable information that can be extracted from both metric and morphological aspects derived from tracing. In particular, our tools were able to detect anomalous behaviour and situate it both in terms of involved services, work-flows and time-frame. Furthermore, we identified some limitations of the OpenTracing format—as well as the industry accepted tracing abstractions—, and provide suggestions to test trace quality and enhance the standard.

Adaptive Microservice Scaling for Elastic Applications

Today, Internet users expect Web applications to be fast, performant, and always available. With the emergence of Internet of Things (IoT), data collection and the analysis of streams have become more and more challenging. Behind the scenes, application owners and cloud service providers work to meet these expectations, yet, the problem of how to most effectively and efficiently auto-scale a Web application to optimize for performance while reducing costs and energy usage is still a challenge. In particular, this problem has new relevance due to the continued rise of IoT and microservice-based architectures. A key concern, that is often not addressed by current auto-scaling systems, is the decision on which microservice to scale in order to increase performance. Our aim is to design a prototype auto-scaling system for microservice-based Web applications that can learn from the past service experience. The contributions of the work can be divided into two parts: 1) developing a pipeline for microservice auto-scaling and 2) evaluating a hybrid sequence and supervised learning model for recommending scaling actions. The pipeline has proven to be an effective platform for exploring auto-scaling solutions, as we will demonstrate through the evaluation of our proposed hybrid model. The results of the hybrid model show the merit of using a supervised model to identify which microservices should be scaled up more.

Docker [Software engineering

In episode 217 of Software Engineering Radio, host Charles Anderson talks with James Turnbull, a software developer and security specialist who's vice president of services at Docker. Lightweight Docker containers are rapidly becoming a tool for deploying microservice-based architectures.