Situational Awareness in Virtual Networks: The ASTRID Approach

Cloud-based services often follow the same logical structure as private networks. The lack of physical boundaries and the dependence on a third party's infrastructure security mechanisms often undermine confidence in the overall security level of virtualized applications. Integrating software instances of common security middleboxes into cloud networks helps overcome most of these concerns, but leads to inefficient solutions. In this paper, we describe the vision behind the ASTRID project. The novelty of our concept lies in decoupling detection algorithms from monitoring and inspection tasks, seeking better integration with virtualization frameworks. We briefly elaborate on the overall conceptual architecture and the foundation of its implementation components. Additionally, we give insights into the expected impacts and opportunities brought by this novel paradigm over existing approaches.
