Secure Middlebox Research Articles

Optimal Embedding of Aggregated Service Function Tree

Many hardware-based security middleboxes have been deployed in the networks to defend against different threats. However, these hardware middleboxes are hard to upgrade or migrate. The emergence of network functions virtualization (NFV), which realizes various security functions in the form of virtual network functions (VNFs), brings many benefits to network security. To improve the security level further, several VNFs are coordinated in a pre-defined order to form service function chains (SFCs). It is expected that the SFCs are embedded properly with low cost, including the VNF setup cost and the flow routing cost. In this paper, we find that when an SFC is required by multiple flows for the identical network security threats, the total cost could be reduced by embedding an aggregated service function tree (ASFT) instead of multiple independent SFCs. We formally characterize the integer programming model of this problem and prove that it is NP-hard. Then we propose a performance-guaranteed approximation algorithm and prove that the algorithm could find the optimal solution in a special case. Extensive experiments indicate that our method can reduce the total cost by <inline-formula><tex-math notation="LaTeX">$22.0\%$</tex-math></inline-formula> and <inline-formula><tex-math notation="LaTeX">$24.1\%$</tex-math></inline-formula> against two compared algorithms, respectively.

SICS: Secure and Dynamic Middlebox Outsourcing

There is an increasing trend that enterprises outsource their middlebox processing to a cloud for lower cost and easier management. However, outsourcing middleboxes brings threats to the enterprise's private information, including the traffic and rules of middleboxes, all of which are visible within the cloud. Existing solutions for secure middlebox outsourcing either incur significant performance overhead or do not support incremental updates. In this article, we present a secure and dynamic middlebox outsourcing framework, SICS, short for Secure In-Cloud Service. SICS encrypts each packet header and uses a label for in-cloud rule matching, which enables the cloud to perform its functionalities correctly with minimum header information leakage. Evaluation results show that SICS achieves higher throughput, faster construction and update speed, and lower resource overhead at the enterprise and in the cloud when compared with existing solutions.

A Secure Middlebox Framework for Enabling Visibility Over Multiple Encryption Protocols

Network middleboxes provide the first line of defense for enterprise networks. Many of them typically inspect packet payload to filter malicious attack patterns. However, the widespread use of end-to-end cryptographic protocols designed to promote security and privacy, either inhibits deep packet inspection in the network or forces enterprises to use solutions that are not secure. This article introduces a complete framework for building secure and practical network middleboxes, called EVE, which enables visibility over encrypted traffic. EVE securely processes encrypted traffic using a combination of hardware-based trusted execution and software security technology. For enhanced programmability and security, EVE provides a high-level programming interface based on the Rust language. The high-level APIs of EVE provide security and significantly ease the development effort by hiding the details of cryptographic operations, enclave processing, TCP reassembly, and out-of-band key sharing. Our evaluation shows EVE supports diverse use cases with multiple encryption protocols in a secure fashion while delivering high performance.

Practical Encrypted Network Traffic Pattern Matching for Secure Middleboxes

Network Function Virtualisation (NFV) advances the adoption of composable software middleboxes. Accordingly, cloud data centres become major NFV vendors for enterprise traffic processing. Due to the privacy concern of traffic redirection to the cloud, secure middlebox systems (e.g., BlindBox) draw much attention; they can process encrypted packets against encrypted rules directly. However, most of the existing systems supporting pattern matching based network functions require the enterprise gateway to tokenise packet payloads via sliding windows. Such tokenisation induces a considerable communication overhead, which can be over 100$\times$ to the packet size. To overcome this bottleneck, in this paper, we propose the first bandwidth-efficient encrypted pattern matching protocol for secure middleboxes. We resort to a primitive called symmetric hidden vector encryption (SHVE), and propose a variant of it, aka SHVE+, to achieve constant and moderate communication cost. To speed up, we devise encrypted filters to reduce the number of accesses to SHVE+ during matching highly. We formalise the security of our proposed protocol and conduct comprehensive evaluations over real-world rulesets and traffic dumps. The results show that our design can inspect a packet over 20k rules within 100 $\mu$s. Compared to prior work, it brings a saving of $94\%$ in bandwidth consumption.

Efficient Non-Dominated Multi-Objective Genetic Algorithm (NDMGA) and network security policy enforcement for Policy Space Analysis (PSA)

Computer network security is the first line of protection for guaranteeing information reliability. A computer network can be threatened when it does not have a well-designed or properly implemented network security policy. The major issue is that network operators cannot always support their network security strategy. Network operators often depend on security facilities to defend their Information Technology (IT) organizations. Different forms of security policies concerned with the network are distinct and circulated among various security middleboxes (MBs) organized into networks. Conversely, due to the inherent sophistication of security policies, it is not appropriate to use recent path-wise implementation algorithms. The present study solves the problem of policy implementation with MBs relatively faster compared to existing methods. In particular, this research models security policy implementation as a Weighted K Set Covering Problem (WKSCP) and employs a computational-geometry-based Policy Space Analysis (PSA) tool for a set of procedures as the security mechanism. Using the PSA tool leads to a Non-Dominated Multi-Objective Genetic Algorithm (NDMGA), which reveals the inherent complexities involved in a security policy and informs implementation of the policy enforcement algorithm. The resolution to this issue is to determine a collection of enforcement network nodes for an MB to execute on-datapath examination with globally distinct security policies. Therefore, the chosen policy enforcement nodes should be initially positioned on paths that are related to security strategies. Compared to the scope-wise strategy enforcement mechanism, where the procedures are executed over the objects of the network path, the scheme in this present work is implemented over the objects pertaining to the network nodes. A secure node may contain multiple paths, thus storing a large possible flow space that preserves the distribution and circumvents the ineffective usage of network bandwidth due to random traffic steering. Compared to current methodologies, the suggested NDMGA-based PSA tool yielded a 95% decrease in policy implemented nodes and a 93% decline in implemented rules.

Contribution au dialogue entre la psychanalyse, la psychiatrie et les neurosciences dans la recherche clinique actuelle individuelle et sociale, par l’étude des phénomènes d’automatisme

Computer network security is the first line of protection for guaranteeing information reliability. A computer network can be threatened when it does not have a well-designed or properly implemented network security policy. The major issue is that network operators cannot always support their network security strategy. Network operators often depend on security facilities to defend their Information Technology (IT) organizations. Different forms of security policies concerned with the network are distinct and circulated among various security middleboxes (MBs) organized into networks. Conversely, due to the inherent sophistication of security policies, it is not appropriate to use recent path-wise implementation algorithms. The present study solves the problem of policy implementation with MBs relatively faster compared to existing methods. In particular, this research models security policy implementation as a Weighted K Set Covering Problem (WKSCP) and employs a computational-geometry-based Policy Space Analysis (PSA) tool for a set of procedures as the security mechanism. Using the PSA tool leads to a Non-Dominated Multi-Objective Genetic Algorithm (NDMGA), which reveals the inherent complexities involved in a security policy and informs implementation of the policy enforcement algorithm. The resolution to this issue is to determine a collection of enforcement network nodes for an MB to execute on-datapath examination with globally distinct security policies. Therefore, the chosen policy enforcement nodes should be initially positioned on paths that are related to security strategies. Compared to the scope-wise strategy enforcement mechanism, where the procedures are executed over the objects of the network path, the scheme in this present work is implemented over the objects pertaining to the network nodes. A secure node may contain multiple paths, thus storing a large possible flow space that preserves the distribution and circumvents the ineffective usage of network bandwidth due to random traffic steering. Compared to current methodologies, the suggested NDMGA-based PSA tool yielded a 95% decrease in policy implemented nodes and a 93% decline in implemented rules.

Non‐dominated sorting particle swarm optimization (NSPSO) and network security policy enforcement for Policy Space Analysis

SummaryNetwork operators depend on security services with the aim of safeguarding their IT infrastructure. Various types of network security policies are employed on a global scale and are disseminated among several security middleboxes implemented in networks. But, owing to the complications in security policies, it is not quite efficient to directly use the path‐wise enforcement schemes that are prevalent. The major motivation of this work is to improve security levels and solve the policy enforcement problem. For the first time, this work reports the issue of policy enforcement on middleboxes. The major contribution of this work is to design security policy enforcement as a Weighted K Set Covering Problem, and we designed a Policy Space Analysis (PSA) tool intended for a group of operations in the security policy. This PSA tool was developed based on range‐signified hyper‐rectangles, which are indexed by the Hilbert R‐tree. Leveraging the PSA, we first investigated the topological features of various kinds of policies. Balancing the PSA tool in a non‐dominated sorting particle swarm optimization technique exposes the intrinsic difficulties of this security strategy and provides guidance for designing the enforcement approach. In addition, in this research, a new fuzzy rule‐based classification system is introduced for packet classification. A scope‐wise policy enforcement algorithm was proposed, which chooses a moderate number of enforcement network nodes for deploying multiple policy subsets in a greedy manner. This scheme is much quicker compared with the first one and therefore has found its application in real‐time deployments.

Toward Secure Outsourced Middlebox Services: Practices, Challenges, and Beyond

Modern enterprise networks heavily rely on ubiquitous network middleboxes for advanced traffic processing such as deep packet inspection, traffic classification, and load balancing. Recent advances in NFV have pushed forward the paradigm of migrating in-house middleboxes to third-party providers as software-based services for reduced cost yet increased scalability. Despite its potential, this new service model also raises new security and privacy concerns, as traffic is now redirected and processed in an untrusted environment. In this article, we survey recent efforts in the direction of enabling secure outsourced middlebox functions, and identify open challenges for researchers and practitioners to further investigate solutions toward secure middlebox services.

Global Flow Table: A convincing mechanism for security operations in SDN

One of the key challenges of network security is that security middle boxes, such as firewalls and Intrusion Detection Systems (IDSs), only have local view of the network. This lowers the efficiency of security detection and makes it difficult to locate the sources of the threats. There have been growing demands for security operations and appliances that are aware of the distribution and behavior of flows in the whole network; logically centralized control ability of Software-Defined Network (SDN) makes it possible for the network controller to acquire the global view of the network. In this paper, we propose a mechanism named Global Flow Table (GFT) which can provide security appliances and operators with paths of all the flows in SDN network, in addition to their sources, destinations, setup and terminate time, traffic volume and directions. A weak vertex cover based GFT algorithm which sacrifices less than 5% accuracy is also provided to improve scalability. Tests with different network topologies of cloud computing center and enterprise networks show promising performance. Utilizing the Global Flow Table, we built several applications to illustrate how GFT could benefit the security operations.

Efficient Network Security Policy Enforcement With Policy Space Analysis

Network operators rely on security services to protect their IT infrastructures. Different kinds of network security policies are defined globally and distributed among multiple security middleboxes deployed in networks. However, due to the complexity of security policy, it is inefficient to directly employ existing path-wise enforcement approaches. This paper models the enforcement of network security policy as the set-covering problem, and designs a computational-geometry-based policy space analysis (PSA) tool for set operations of security policy. Leveraging the PSA, this paper first investigates the topological characteristics of different types of policies. This heuristic information reveals intrinsic complexities of security policy and guides the design of our enforcement approach. Then the paper proposes a scope-wise policy enforcement algorithm that selects a modest number of enforcement network nodes to deploy multiple policy subsets in a greedy manner. This approach can be employed on network topologies of both datacenter and service provider. The efficiencies of the PSA tool and the enforcement algorithm are also evaluated. Compared with the header space analysis, the PSA achieves much better memory and time efficiencies on set operations of security policy. Additionally, the proposed enforcement algorithm is able to guarantee network security within a reasonable number of enforcement network nodes, without introducing many extra rules.

An elastic intrusion detection system for software networks

Internal users are the main causes of anomalous and suspicious behaviors in a communication network. Even when traditional security middleboxes are present, internal attacks may lead the network to outages or to leakage of sensitive information. In this article, we propose BroFlow, an Intrusion Detection and Prevention System based on Bro traffic analyzer and on the global network view of the software-defined networks (SDN) which is provided by the OpenFlow. BroFlow main contributions are (i) dynamic and elastic resource provision of traffic-analyzing machines under demand; (ii) real-time detection of DoS attacks through simple algorithms implemented in a policy language for network events; (iii) immediate reaction to DoS attacks, dropping malicious flows close of their sources, and (iv) near-optimal placement of sensors through a proposed heuristic for strategically positioning sensors in the network infrastructure, which is shared by multi-tenants, with a minimum number of sensors. We developed a prototype of the proposed system, and we evaluated it in a virtual environment of the Future Internet Testbed with Security (FITS). An evaluation of the system under attack shows that BroFlow guarantees the forwarding of legitimate packets at the maximal link rate, reducing up to 90 % of the maximal network delay caused by the attack. BroFlow reaches 50 % of bandwidth gain when compared with conventional firewalls approaches, even when the attackers are legitimate tenants acting in collusion. In addition, the system reduces the sensors number, while keeping full coverage of network flows.

Modelling and analysis of rule‐based network security middleboxes

This study presents an analytical model for rule-based network security middleboxes as those of network firewalls, intrusion detection systems and email spam filters. In these systems, incoming packets carrying requests arrive at the middlebox and obtain queued for processing in multiple stages. The stages consist of first a main stage for packet processing and then subsequent stages of rulebase interrogation in which rules or conditions are checked sequentially until a match is triggered. The service at these stages is characterised to be mutually exclusive; that is, only one stage is active at any time. The authors derive useful formulas that can predict the middlebox performance, taking into account its incoming request rate, the queue size and the processing capacity of the middlebox, and thereby proper engineering capacity of the middlebox can be achieved.

Dynamic Security Traversal in OpenFlow Networks with QoS Guarantee

To provide the essential network protection, data flows are forced to pass through the desired sequences of security devices (middleboxes) in a datacenter, which is called security traversal. In this paper, we identify the problem of quality of service (QoS) guarantee in security traversal and propose a scheme to dynamically change the security traversal path. The dynamic security traversal scheme is achieved by the proposed optimal security traversal with middlebox addition (OSTMA) mechanism which poses and solves the considered QoS-guaranteed problem as a constrained shortest path problem (CSP). Besides, we design a system framework with a centralized security traversal controller adopting the proposed OSTMA mechanism, which leverage the capability of OpenFlow networks to dynamically monitor the network condition information and reconfigure the security traversal path. Finally, our experiment shows results show that the proposed dynamic security traversal scheme can achieve QoS requirements while still reserving the scalability and flexibility of distributed security middleboxes.