ABSTRACT
Traditional Network Intrusion Detection Systems (NIDSes) are generally implemented on vendor-proprietary appliances or middleboxes with poor versatility and flexibility. Emerging Network Function Virtualization (NFV) and Software-Defined Networking (SDN) technologies can virtualize NIDSes and scale them elastically to cope with variations in attack traffic. However, this elasticity must not come at the cost of reduced detection effectiveness or expensive provisioning. In this paper, we propose an innovative NIDS architecture, vNIDS, that enables safe and efficient virtualization of NIDSes. vNIDS addresses two key challenges of virtualizing NIDSes: effective intrusion detection and non-monolithic NIDS provisioning. The former challenge is addressed by sharing detection states among virtual NIDS instances while minimizing the sharing overhead in virtualized environments; in particular, static program analysis is employed to determine which detection states need to be shared. vNIDS addresses the latter challenge by provisioning virtual NIDSes as microservices and employing program slicing to partition the detection logic programs so that each microservice can execute its part separately. We implement a prototype of vNIDS to demonstrate the feasibility of our approach. Our evaluation results show that vNIDS can offer both effective intrusion detection and efficient provisioning for NIDS virtualization.
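As an added illustration (not code from the vNIDS paper or its prototype) of how a backward program slice can both partition detection logic and reveal which persistent detection state that partition touches, the following toy Python slicer runs over a constructed per-packet detection loop. The statement table, the state names `flows`, `seen` and `stats`, and the conservative loop-carried dependence rule are assumptions made for the example.

```python
from collections import deque

# Constructed toy detection loop body (not vNIDS code): one entry per
# statement with the variables it defines/uses and the id of the branch it
# is control-dependent on. Statement 7 is a scan alert, 9 a flow logger.
PROGRAM = [
    {"id": 1, "defs": {"pkt"},   "uses": set(),             "ctrl": None},  # pkt = recv()
    {"id": 2, "defs": {"flow"},  "uses": {"flows", "pkt"},  "ctrl": None},  # flow = flows[key(pkt)]
    {"id": 3, "defs": {"flows"}, "uses": {"flow", "pkt"},   "ctrl": None},  # flow.bytes += pkt.len
    {"id": 4, "defs": set(),     "uses": {"seen", "pkt"},   "ctrl": None},  # if port not in seen[src]
    {"id": 5, "defs": {"seen"},  "uses": {"seen", "pkt"},   "ctrl": 4},     #   seen[src].add(port)
    {"id": 6, "defs": set(),     "uses": {"seen", "pkt"},   "ctrl": None},  # if len(seen[src]) > T
    {"id": 7, "defs": set(),     "uses": {"pkt"},           "ctrl": 6},     #   alert("scan", src)
    {"id": 8, "defs": {"stats"}, "uses": {"stats", "pkt"},  "ctrl": None},  # stats.total += pkt.len
    {"id": 9, "defs": set(),     "uses": {"flows", "flow"}, "ctrl": None},  # log(flow.bytes)
]
# Detection state that persists across packets (tables, not locals).
STATE = {"flows", "seen", "stats"}


def build_pdg(program):
    """Map each statement id to the ids it depends on (data + control).
    Data dependence is conservative: the body runs once per packet, so any
    definition of v may reach any use of v (loop-carried); self-loops dropped."""
    defs_of = {}
    for s in program:
        for v in s["defs"]:
            defs_of.setdefault(v, set()).add(s["id"])
    deps = {}
    for s in program:
        d = set()
        for v in s["uses"]:
            d |= defs_of.get(v, set()) - {s["id"]}
        if s["ctrl"] is not None:
            d.add(s["ctrl"])
        deps[s["id"]] = d
    return deps


def backward_slice(program, criterion):
    """Ids of all statements that can influence statement `criterion`."""
    deps = build_pdg(program)
    reached, work = {criterion}, deque([criterion])
    while work:
        for p in deps[work.popleft()] - reached:
            reached.add(p)
            work.append(p)
    return reached


def shared_state(program, criterion):
    """Persistent state the slice for `criterion` reads or writes, i.e. the
    state a microservice executing only that slice would need shared."""
    ids = backward_slice(program, criterion)
    return {v for s in program if s["id"] in ids
            for v in (s["uses"] | s["defs"]) & STATE}
```

Slicing from the alert (statement 7) keeps only the port-tracking statements and touches just `seen`, while slicing from the flow logger (statement 9) keeps the byte-accounting statements and touches just `flows`; neither slice needs `stats`, so that table need not be shared with either microservice.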