Modeling and Mitigating Security Threats in Network Functions Virtualization (NFV)

By virtualizing proprietary hardware networking devices, Network Functions Virtualization (NFV) allows agile and cost-effective deployment of diverse network services for multiple tenants on top of the same physical infrastructure. Because NFV relies on virtualization, and because an NFV stack typically involves several levels of abstraction and multiple co-resident tenants, this technology also unavoidably introduces new security threats. In this paper, we take a first step toward modeling and mitigating security threats unique to NFV. Specifically, we model both cross-layer and co-residency attacks on the NFV stack. We then mitigate such threats by optimizing the placement of virtual machines (VMs) with respect to given constraints. Simulation results demonstrate the effectiveness of our solution.
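
The abstract describes mitigation as a constrained VM-placement optimization against co-residency attacks but does not give the optimizer itself. The following is an added illustration, not the paper's code or algorithm: it models hosts with CPU capacity, VMs owned by tenants, and a distrust relation between tenant pairs, counts "exposures" (co-resident VM pairs whose tenants distrust each other), and minimizes that count with a greedy first pass plus a swap-based local search. The hosts, VMs, tenant names and distrust pairs are constructed sample data; the greedy-plus-local-search strategy is an assumption chosen for clarity, not the method the paper evaluates.

```python
"""Co-residency-aware VM placement (illustrative; not the paper's algorithm).

Model assumed here (not from the paper):
  - hosts have a CPU capacity,
  - each VM belongs to a tenant and needs some CPU,
  - a "distrust" relation lists tenant pairs that must not share a host,
  - an exposure is one co-resident VM pair whose tenants distrust each other.
Objective: minimise exposures subject to host capacity.
"""
from dataclasses import dataclass
from itertools import combinations
from typing import Dict, FrozenSet, List, Optional, Set


@dataclass(frozen=True)
class VM:
    name: str
    tenant: str
    cpu: int


@dataclass(frozen=True)
class Host:
    name: str
    capacity: int


Placement = Dict[str, str]          # VM name -> host name
Distrust = Set[FrozenSet[str]]      # unordered tenant pairs


def exposures(vms: List[VM], placement: Placement, distrust: Distrust) -> int:
    """Count co-resident VM pairs whose tenants distrust each other."""
    by_host: Dict[str, List[VM]] = {}
    for vm in vms:
        by_host.setdefault(placement[vm.name], []).append(vm)
    return sum(
        1
        for group in by_host.values()
        for a, b in combinations(group, 2)
        if frozenset((a.tenant, b.tenant)) in distrust
    )


def host_load(vms: List[VM], placement: Placement, host_name: str) -> int:
    return sum(vm.cpu for vm in vms if placement[vm.name] == host_name)


def feasible(vms: List[VM], hosts: List[Host], placement: Placement) -> bool:
    return all(host_load(vms, placement, h.name) <= h.capacity for h in hosts)


def greedy_place(vms: List[VM], hosts: List[Host], distrust: Distrust) -> Optional[Placement]:
    """Place VMs largest-first on the feasible host that adds the fewest
    exposures, breaking ties toward the least-loaded host. Returns None if
    some VM cannot fit anywhere."""
    placement: Placement = {}
    placed: List[VM] = []
    for vm in sorted(vms, key=lambda v: -v.cpu):
        best = None
        for h in hosts:
            load = host_load(placed, placement, h.name)
            if load + vm.cpu > h.capacity:
                continue
            trial = dict(placement)
            trial[vm.name] = h.name
            key = (exposures(placed + [vm], trial, distrust), load)
            if best is None or key < best[0]:
                best = (key, h.name)
        if best is None:
            return None
        placement[vm.name] = best[1]
        placed.append(vm)
    return placement


def improve(vms: List[VM], hosts: List[Host], placement: Placement,
            distrust: Distrust, rounds: int = 10) -> Placement:
    """Local search: swap the hosts of two VMs whenever the swap stays
    feasible and strictly reduces exposures; stop when no swap helps."""
    current = dict(placement)
    best_cost = exposures(vms, current, distrust)
    for _ in range(rounds):
        improved = False
        for a, b in combinations(list(current), 2):
            if current[a] == current[b]:
                continue
            trial = dict(current)
            trial[a], trial[b] = current[b], current[a]
            if not feasible(vms, hosts, trial):
                continue
            cost = exposures(vms, trial, distrust)
            if cost < best_cost:
                current, best_cost, improved = trial, cost, True
        if not improved:
            break
    return current


# Constructed sample input (not from the paper): three hosts, three tenants,
# tenants A/B and B/C distrust each other, A/C may share a host.
HOSTS = [Host("h1", 8), Host("h2", 8), Host("h3", 8)]
VMS = [VM("fw-a", "A", 4), VM("lb-a", "A", 2), VM("ids-b", "B", 4),
       VM("nat-b", "B", 2), VM("dpi-c", "C", 4), VM("vpn-c", "C", 2)]
DISTRUST: Distrust = {frozenset(("A", "B")), frozenset(("B", "C"))}


def demo():
    """Greedy placement followed by local search; returns (placement, exposures)."""
    p = greedy_place(VMS, HOSTS, DISTRUST)
    p = improve(VMS, HOSTS, p, DISTRUST)
    return p, exposures(VMS, p, DISTRUST)


if __name__ == "__main__":
    placement, cost = demo()
    for name, host in sorted(placement.items(), key=lambda kv: kv[1]):
        print(f"{host}: {name}")
    print("exposures:", cost)
```

On this input the greedy pass alone already reaches zero exposures by grouping each tenant's VMs on its own host; the local search matters when capacity forces distrusting tenants together (for example with fewer hosts), where it repairs a poor initial placement by swapping VMs between hosts. A real NFV placer would add further constraints the abstract alludes to, such as cross-layer dependencies between a VNF and the hypervisor or host it runs on.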