  • About
  • The Global ETD Search service is a free service for researchers to find electronic theses and dissertations. This service is provided by the Networked Digital Library of Theses and Dissertations.
    Our metadata is collected from universities around the world. If you manage a university/consortium/country archive and want to be added, details can be found on the NDLTD website.
31

A Resilience-Oriented and NFV-Supported Scheme for Failure Detection in Software-Defined Networking

Li, He 19 October 2018
As a recently emerging network paradigm, Software-Defined Networking (SDN) has attracted considerable attention from both industry and academia. The most significant advantage of SDN is that the paradigm disassociates the control logic (i.e., control plane) from the forwarding process (i.e., data plane), which are usually integrated into traditional network devices. Thanks to the property of centralized control, SDN enables the flexibility of dispatching flow policies to simplify network management. However, this property also makes the SDN environment vulnerable, which will cause network paralysis when the sole SDN controller malfunctions. Although several works have been done on deploying multiple controllers to address the failure of a centralized controller, their drawbacks lead to inefficiency and loss of balance in controller utilization, provoking resource idling as well as being incapable of coping with flow outbursts. Additionally, network operators often put a great deal of effort into discovering failed nodes to recover their networks, which can be mitigated by applying failure detection before the network deterioration occurs. Network traffic prediction can serve as a practical approach to evaluate the state of the OpenFlow-based switch and consequently detect SDN node failures in advance. As far as prediction solutions are concerned, most researchers investigate either statistical modeling approaches, such as Seasonal Autoregressive Integrated Moving Average (SARIMA), or Artificial Neural Network (ANN) methods, like the Long Short-Term Memory (LSTM) Neural Network. Nonetheless, few of them study a model merging these two mechanisms for multi-step prediction. This thesis proposes a novel system associated with the Network Function Virtualization (NFV) technique to enhance the resilience of the SDN network.
A hybrid prediction model based on the combination of SARIMA and LSTM is introduced as part of the detection module of this system, where the potential node breakdown can be readily determined so that it can implement smart prevention and fast recovery without human interaction. The results show the proposed scheme improves the performance concerning time complexity compared with that of previous work, reaching up to 95% accuracy while shortening the detection and recovery time by the new combined prediction model.
32

Infinite CacheFlow: a Rule-caching Solution for Software Defined Networks

January 2014
abstract: New OpenFlow switches support a wide range of network applications, such as firewalls, load balancers, routers, and traffic monitoring. While ternary content addressable memory (TCAM) allows switches to process packets at high speed based on multiple header fields, today's commodity switches support just thousands to tens of thousands of forwarding rules. To allow for finer-grained policies on this hardware, efficient ways to support the abstraction of a switch are needed with arbitrarily large rule tables. To do so, a hardware-software hybrid switch is designed that relies on rule caching to provide large rule tables at low cost. Unlike traditional caching solutions, neither individual rules are cached (to respect rule dependencies) nor compressed (to preserve the per-rule traffic counts). Instead long dependency chains are "spliced" to cache smaller groups of rules while preserving the semantics of the network policy. The proposed hybrid switch design satisfies three criteria: (1) responsiveness, to allow rapid changes to the cache with minimal effect on traffic throughput; (2) transparency, to faithfully support native OpenFlow semantics; (3) correctness, to cache rules while preserving the semantics of the original policy. The evaluation of the hybrid switch on large rule tables suggests that it can effectively expose the benefits of both hardware and software switches to the controller and to applications running on top of it. / Dissertation/Thesis / M.S. Computer Science 2014
33

Stochastic optimization algorithms for adaptive modulation in software defined radio

Misra, Anup 05 1900
Adaptive modulation has been actively researched as a means to increase spectral efficiency of wireless communications systems. In general, analytic closed form models have been derived for the performance of the communications system as a function of the control parameters. However, in systems where general error correction coding is employed, it may be difficult to derive closed form performance functions of the communications systems. In addition, in closed form optimization, real time adaptation is not possible. Systems designed with deterministic state optimization are developed offline for a certain set of parameters and hardwired into mobile devices. In this thesis we present stochastic learning algorithms for adaptive modulation design. The algorithms presented allow for adaptive modulation system design independent of error correction coding and modulation constellation requirements. In real time, the performance of the system is measured and stochastic approximation techniques are used to learn the optimal transmission parameters of the system. The technique is applied to Software Defined Radio (SDR) platforms, an emerging wireless technology which is currently being researched as a means of designing intelligent communications devices. The fundamental property that sets SDR apart from traditional radios is that the communications parameters are controlled in software, allowing for real-time control of physical layer communications. Our treatment begins by modeling the time evolution of the adaptive modulation process as a general state space Markov chain. We show the existence and uniqueness of the invariant measure and model performance functions as expectations with respect to the invariant measure. We consider constrained and unconstrained throughput optimization. We show that the cost functions considered are convex.
Next we present stochastic approximation algorithms that are used to estimate the gradient of the cost function given only noisy estimates. We conclude by presenting simulation results obtained by the presented method. The learning based method is able to achieve the maximum throughput as dictated by exhaustive Monte Carlo simulation of the communications system, which provide an upper bound on performance. In addition, the learning algorithm is able to optimize communications under various error correction schemes. The tracking abilities of the algorithm are also demonstrated. We see that the proposed method is able to track optimal throughput settings as constraints are changed in time. / Applied Science, Faculty of / Electrical and Computer Engineering, Department of / Graduate
34

The effectiveness of an 'Employee's Choice Programme' in creating an equity culture and establishing private pensions in Thailand : a case study

Chantaraprapab, Panukorn January 2013
This DBA thesis is an empirical study of the new private pension programme in Thailand, an Employee’s Choice (EC) programme, which is structured as a self-directed defined contribution plan that permits workers to make their own investment decisions for their pension assets. The growing acceptance of the new pension programme is placing greater responsibility for managing pension assets on workers. The shift from committee-directed pension plans to self-directed pension plans has meant that Thai workers now must make investment decisions, such as what type of plan to choose and how to allocate their pension assets among different asset classes. This raises some concerns about the financial literacy of workers and their ability to make informed decisions. This study aims to analyse the effectiveness of this programme by examining empirical evidence from a case study. Specifically, it asks whether workers are able to make appropriate investment decisions for their pension plans as investment theory has suggested. This study has shown that the new pension programme in this case study is effective. Most importantly, the study finds that, regardless of their level of financial literacy, workers are able to make reasonable investment choices as suggested by portfolio and lifecycle investing theories. Specifically, when workers were offered investment options ranging from low risk to high risk, workers are able to choose investment choices consistent with their age and risk tolerance. However, this study finds that financial literacy does matter if workers are asked to make asset allocation decisions instead of choosing between options. The study finds that workers with low levels of financial literacy are likely to allocate less of their pension assets in equities. The findings from this study make several contributions to the growing literature on household finance. In addition, this study has a number of important management implications for pension design. 
With the simple plan design which offers choices ranging from low risk to high risk, workers appear to make rational investment decisions regardless of their level of financial knowledge. Therefore, the simple plan design could be very useful for workers who have less financial knowledge. This research has also shown that many workers do not plan to review or revise their portfolios as lifecycle theory has suggested. The implication from this study is that the new self-directed pension programme is not effective in the long-run. There is, therefore, a definite need for a better pension design. Innovative pension design should be used in order to minimize workers’ investment mistakes. This study advocates the use of lifecycle funds and recommends policymakers to promote and support the usage of lifecycle funds in the Thai private pension context.
35

Towards Better Kernel and Network Monitoring of Software Actions

Lei, Yunsen 15 May 2020
Monitoring software actions is one of the most studied approaches to help security researchers understand how software interacts with the system or network. In many cases, monitoring is an important component to help detect attacks that use software vulnerabilities as a vector to compromise endpoints. Attacks are becoming more sophisticated and network use is growing dramatically. Both host-based and network-based monitoring are facing different challenges. A host-based approach has more insight into software's actions but puts itself at the risk of compromise. When deployed on the server endpoint, the lack of separation between different clients only further complicates the monitoring scope. Compared to network-based approaches, host-based monitoring usually loses control of a software's network trace once the network packet leaves the endpoint. On the other hand, network-based monitoring usually has full control of a software's network packets but confronts scalability problems as the network grows. This thesis focuses on the limitations of the current monitoring approaches and technologies and proposes different solutions to mitigate the current problem. For software-defined networking, we design and implement a host-based SDN system that achieves the same forwarding path control and packet rewriting functionality as a switch-based SDN. Our implementation empowers the host-based SDN with more control in the network even without using any SDN-enabled middleboxes, allowing SDN adoption in large-scale deployments. We further corroborate flow reports from different host SDN agents to address the endpoint compromise problem. On the server endpoint, we leverage containers as a light-weight environment to separate different clients and build monitoring infrastructures to narrow down the monitoring scope that have the potential to facilitate further forensic analysis.
36

Flexible network management in software defined wireless sensor networks for monitoring application systems

Modieginyane, Kgotlaetsile Mathews 02 1900
Wireless Sensor Networks (WSNs) are the commonly applied information technologies of modern networking and computing platforms for application-specific systems. Today’s network computing applications are faced with high demand of reliable and powerful network functionalities. Hence, efficient network performance is central to the entire ecosystem, more especially where human life is a concern. However, effective management of WSNs remains a challenge due to problems supplemental to them. As a result, WSNs application systems such as in monitored environments, surveillance, aeronautics, medicine, processing and control, tend to suffer in terms of capacity to support compute intensive services due to limitations experienced on them. A recent technology shift proposes Software Defined Networking (SDN) for improving computing networks as well as enhancing network resource management, especially for life guarding systems. As an optimization strategy, a software-oriented approach for WSNs, known as Software Defined Wireless Sensor Network (SDWSN) is implemented to evolve, enhance and provide computing capacity to these resource constrained technologies. Software developmental strategies are applied with the focus to ensure efficient network management, introduce network flexibility and advance network innovation towards the maximum operation potential for WSNs application systems. The need to develop WSNs application systems which are powerful and scalable has grown tremendously due to their simplicity in implementation and application. Their nature of design serves as a potential direction for the much anticipated and resource abundant IoT networks. Information systems such as data analytics, shared computing resources, control systems, big data support, visualizations, system audits, artificial intelligence (AI), etc. are a necessity to everyday life of consumers. 
Such systems can greatly benefit from the SDN programmability strategy, in terms of improving how data is mined, analysed and committed to other parts of the system for greater functionality. This work proposes and implements SDN strategies for enhancing WSNs application systems especially for life critical systems. It also highlights implementation considerations for designing powerful WSNs application systems by focusing on system critical aspects that should not be disregarded when planning to improve core network functionalities. Due to their inherent challenges, WSN application systems lack robustness, reliability and scalability to support high computing demands. Anticipated systems must have greater capabilities to ubiquitously support many applications with flexible resources that can be easily accessed. To achieve this, such systems must incorporate powerful strategies for efficient data aggregation, query computations, communication and information presentation. The notion of applying machine learning methods to WSN systems is fairly new, though carries the potential to enhance WSN application technologies. This technological direction seeks to bring intelligent functionalities to WSN systems given the characteristics of wireless sensor nodes in terms of cooperative data transmission. With these technological aspects, a technical study is therefore conducted with a focus on WSN application systems as to how SDN strategies coupled with machine learning methods, can contribute with viable solutions on monitoring application systems to support and provide various applications and services with greater performance. To realize this, this work further proposes and implements machine learning (ML) methods coupled with SDN strategies to; enhance sensor data aggregation, introduce network flexibility, improve resource management, query processing and sensor information presentation. 
Hence, this work directly contributes to SDWSN strategies for monitoring application systems. / Thesis (PhD)--University of Pretoria, 2018. / National Research Foundation (NRF) / Telkom Centre of Excellence / Electrical, Electronic and Computer Engineering / PhD / Unrestricted
37

Analysis of Topology Poisoning Attacks in Software-Defined Networking

Thanh Bui, Tien January 2015
Software-defined networking (SDN) is an emerging architecture with a great potential to foster the development of modern networks. By separating the control plane from the network devices and centralizing it at a software-based controller, SDN provides network-wide visibility and flexible programmability to network administrators. However, the security aspects of SDN are not yet fully understood. For example, while SDN is resistant to some topology poisoning attacks in which the attacker misleads the routing algorithm about the network structure, similar attacks by compromised hosts and switches are still known to be possible. The goal of this thesis is to thoroughly analyze the topology poisoning attacks initiated by compromised switches and to identify whether they are a threat to SDN. We identify three base cases of the topology poisoning attack, in which the attack that requires a single compromised switch is a new variant of topology poisoning. We develop proof-of-concept implementations for these attacks in emulated networks based on OpenFlow, the most popular framework for SDN. We also evaluate the attacks in simulated networks by measuring how much additional traffic the attacker can divert to the compromised switches. A wide range of network topologies and routing algorithms are used in the simulations. The simulation results show that the discovered attacks are severe in many cases. Furthermore, the seriousness of the attacks increases according to the number of tunnels that the attacker can fabricate and also depends on the distance between the tunnel endpoints. The simulations indicate that network design can help to mitigate the attacks by, for example, shortening the paths between switches in the network, randomizing regular network structure, or increasing the load-balancing capability of the routing strategy.
38

Genetic Algorithm-Based Improved Availability Approach for Controller Placement in SDN

Asamoah, Emmanuel 13 July 2023
Thanks to the Software-Defined Networking (SDN) paradigm, which segregates the control and data layers of traditional networks, large and scalable networks can now be dynamically configured and managed. It is a game-changing networking technology that provides increased flexibility and scalability through centralized management. The Controller Placement Problem (CPP), however, poses a crucial problem in SDN because it directly impacts the efficiency and performance of the network. The CPP attempts to determine the most ideal number of controllers for any network and their corresponding relative positioning. This is to generally minimize communication delays between switches and controllers and maintain network reliability and resilience. In this thesis, we present a modified Genetic Algorithm (GA) technique to solve the CPP efficiently. Our approach makes use of the GA’s capabilities to obtain the best controller placement correlation based on important factors such as network delay, reliability and availability. We further optimize the process by means of certain deduced constraints to allow faster convergence. In this study, our primary objective is to optimize the control plane design by identifying the optimal controller placement, which minimizes delay and significantly improves both the switch-to-controller and controller-to-controller link availability. We introduce an advanced genetic algorithm methodology and showcase a precise technique for optimizing the inherent availability constraints. To evaluate the trade-offs between the deployment of controllers and the associated costs of enhancing particular node link availabilities, we performed computational experiments on three distinct networks of varying sizes. Overall, our work contributes to the growth trajectory of SDN research by offering a novel GA-based resolution to the controller placement problem that can improve network performance and dependability.
39

Attack-aware Security Function Management / Angriffsbewusste Verwaltung von Sicherheitsfunktionen

Iffländer, Lukas January 2021
Over the last decades, cybersecurity has become an increasingly important issue. Between 2019 and 2011 alone, the losses from cyberattacks in the United States grew by 6217%. At the same time, attacks became not only more intensive but also more and more versatile and diverse. Cybersecurity has become everyone’s concern. Today, service providers require sophisticated and extensive security infrastructures comprising many security functions dedicated to various cyberattacks. Still, attacks become more violent to a level where infrastructures can no longer keep up. Simply scaling up is no longer sufficient. To address this challenge, in a whitepaper, the Cloud Security Alliance (CSA) proposed multiple work packages for security infrastructure, leveraging the possibilities of Software-defined Networking (SDN) and Network Function Virtualization (NFV). Security functions require a more sophisticated modeling approach than regular network functions. Notably, the property to drop packets deemed malicious has a significant impact on Security Service Function Chains (SSFCs)—service chains consisting of multiple security functions to protect against multiple attack vectors. Under attack, the order of these chains influences the end-to-end system performance depending on the attack type. Unfortunately, it is hard to predict the attack composition at system design time. Thus, we make a case for dynamic attack-aware SSFC reordering. Also, we tackle the issues of the lack of integration between security functions and the surrounding network infrastructure, the insufficient use of short term CPU frequency boosting, and the lack of Intrusion Detection and Prevention Systems (IDPS) against database ransomware attacks. Current works focus on characterizing the performance of security functions and their behavior under overload without considering the surrounding infrastructure.
Other works aim at replacing security functions using network infrastructure features but do not consider integrating security functions within the network. Further publications deal with using SDN for security or how to deal with new vulnerabilities introduced through SDN. However, they do not take security function performance into account. NFV is a popular field for research dealing with frameworks, benchmarking methods, the combination with SDN, and implementing security functions as Virtualized Network Functions (VNFs). Research in this area brought forth the concept of Service Function Chains (SFCs) that chain multiple network functions after one another. Nevertheless, they still do not consider the specifics of security functions. The mentioned CSA whitepaper proposes many valuable ideas but leaves their realization open to others. This thesis presents solutions to increase the performance of single security functions using SDN, performance modeling, a framework for attack-aware SSFC reordering, a solution to make better use of CPU frequency boosting, and an IDPS against database ransomware. Specifically, the primary contributions of this work are: • We present approaches to dynamically bypass Intrusion Detection Systems (IDS) in order to increase their performance without reducing the security level. To this end, we develop and implement three SDN-based approaches (two dynamic and one static). We evaluate the proposed approaches regarding security and performance and show that they significantly increase the performance compared to an inline IDS without significant security deficits. We show that using software switches can further increase the performance of the dynamic approaches up to a point where they can eliminate any throughput drawbacks when using the IDS. • We design a DDoS Protection System (DPS) against TCP SYN flood attacks in the form of a VNF that works inside an SDN-enabled network.
This solution eliminates known scalability and performance drawbacks of existing solutions for this attack type. Then, we evaluate this solution showing that it correctly handles the connection establishment and present solutions for an observed issue. Next, we evaluate the performance showing that our solution increases performance up to three times. Parallelization and parameter tuning yields another 76% performance boost. Based on these findings, we discuss optimal deployment strategies. • We introduce the idea of attack-aware SSFC reordering and explain its impact in a theoretical scenario. Then, we discuss the required information to perform this process. We validate our claim of the importance of the SSFC order by analyzing the behavior of single security functions and SSFCs. Based on the results, we conclude that there is a massive impact on the performance up to three orders of magnitude, and we find contradicting optimal orders for different workloads. Thus, we demonstrate the need for dynamic reordering. Last, we develop a model for SSFC regarding traffic composition and resource demands. We classify the traffic into multiple classes and model the effect of single security functions on the traffic and their generated resource demands as functions of the incoming network traffic. Based on our model, we propose three approaches to determine optimal orders for reordering. • We implement a framework for attack-aware SSFC reordering based on this knowledge. The framework places all security functions inside an SDN-enabled network and reorders them using SDN flows. Our evaluation shows that the framework can enforce all routes as desired. It correctly adapts to all attacks and returns to the original state after the attacks cease. We find possible security issues at the moment of reordering and present solutions to eliminate them. 
• Next, we design and implement an approach to load balance servers while taking into account their ability to go into a state of Central Processing Unit (CPU) frequency boost. To this end, the approach collects temperature information from available hosts and places services on the host that can attain the boosted mode the longest. We evaluate this approach and show its effectiveness. For high load scenarios, the approach increases the overall performance and the performance per watt. Even better results show up for low load workloads, where not only all performance metrics improve but also the temperatures and total power consumption decrease. • Last, we design an IDPS protecting against database ransomware attacks that comprise multiple queries to attain their goal. Our solution models these attacks using a Colored Petri Net (CPN). A proof-of-concept implementation shows that our approach is capable of detecting attacks without creating false positives for benign scenarios. Furthermore, our solution creates only a small performance impact. Our contributions can help to improve the performance of security infrastructures. We see multiple application areas from data center operators over software and hardware developers to security and performance researchers. Most of the above-listed contributions found use in several research publications. Regarding future work, we see the need to better integrate SDN-enabled security functions and SSFC reordering in data center networks. Future SSFC should discriminate between different traffic types, and security frameworks should support automatically learning models for security functions. We see the need to consider energy efficiency when regarding SSFCs and take CPU boosting technologies into account when designing performance models as well as placement, scaling, and deployment strategies. Last, for a faster adaptation against recent ransomware attacks, we propose machine-assisted learning for database IDPS signatures. 
/ In den letzten Jahrzehnten wurde Cybersicherheit zu einem immer wichtigeren Thema. Allein zwischen 2019 und 2011 stiegen die Verluste durch Cyberattacken in den Vereinigten Staaten um 6217%. Gleichzeitig wurden die Angriffe nicht nur intensiver, sondern auch immer vielseitiger und facettenreicher. Cybersicherheit ist zu einem allgegenwärtigen Thema geworden. Heute benötigen Dienstleistungsanbieter ausgefeilte und umfassende Sicherheitsinfrastrukturen, die viele Sicherheitsfunktionen für verschiedene Cyberattacken umfassen. Den- noch werden die Angriffe immer heftiger, so dass diese Infrastrukturen nicht mehr mithalten können. Ein einfaches Scale-Up ist nicht mehr ausreichend. Um dieser Herausforderung zu begegnen, schlug die Cloud Security Alliance (CSA) in einem Whitepaper mehrere Arbeitspakete für Sicherheitsinfrastruk turen vor, die die Möglichkeiten des Software-definierten Netzwerks (SDN) und der Netzwerkfunktionsvirtualisierung (NFV) nutzen. Sicherheitsfunktionen erfordern einen anspruchsvolleren Modellierungsansatz als normale Netzwerkfunktionen. Vor allem die Eigenschaft, als bösartig erachtete Pakete fallen zu lassen, hat erhebliche Auswirkungen auf Security Service Function Chains (SSFCs) – Dienstketten, die aus mehreren Sicherheitsfunktionen zum Schutz vor mehreren Angriffsvektoren bestehen. Bei einem Angriff beeinflusst die Reihenfolge dieser Ketten je nach Angriffstyp die Gesamtsystemleistung. Leider ist es schwierig, die Angriffszusammensetzung zur Designzeit vorherzusagen. Daher plädieren wir für eine dynamische, angriffsbewusste Neuordnung der SSFC. Außerdem befassen wir uns mit den Problemen der mangelnden Integration zwischen Sicherheitsfunktionen und der umgebenden Netzwerkinfrastruktur, der unzureichenden Nutzung der kurzfristigen CPU-Frequenzverstärkung und des Mangels an Intrusion Detection and Prevention Systems (IDPS) zur Abwehr von Datenbank-Lösegeldangriffen. 
Bisherige Arbeiten konzentrieren sich auf die Charakterisierung der Leistungsfähigkeit von Sicherheitsfunktionen und deren Verhalten bei Überlastung ohne Berücksichtigung der umgebenden Infrastruktur. Andere Arbeiten zielen darauf ab, Sicherheitsfunktionen unter Verwendung von Merkmalen der Netzwerkinfrastruktur zu ersetzen, berücksichtigen aber nicht die Integration von Sicherheitsfunktionen innerhalb des Netzwerks. Weitere Publikationen befassen sich mit der Verwendung von SDN für die Sicherheit oder mit dem Umgang mit neuen, durch SDN eingeführten Schwachstellen. Sie berücksichtigen jedoch nicht die Leistung von Sicherheitsfunktionen. Die NFV-Domäne ist ein beliebtes Forschungsgebiet, das sich mit Frameworks, Benchmarking-Methoden, der Kombination mit SDN und der Implementierung von Sicherheitsfunktionen als Virtualized Network Functions (VNFs) befasst. Die Forschung in diesem Bereich brachte das Konzept der Service-Funktionsketten (SFCs) hervor, die mehrere Netzwerkfunktionen nacheinander verketten. Dennoch berücksichtigen sie noch immer nicht die Besonderheiten von Sicherheitsfunktionen. Zu diesem Zweck schlägt das bereits erwähnte CSA-Whitepaper viele wertvolle Ideen vor, lässt aber deren Realisierung anderen offen. In dieser Arbeit werden Lösungen zur Steigerung der Leistung einzelner Sicherheitsfunktionen mittels SDN, Performance Engineering, Modellierung und ein Rahmenwerk für die angriffsbewusste SSFC-Neuordnung, eine Lösung zur besseren Nutzung der CPU-Frequenzsteigerung und ein IDPS gegen Datenbank-Lösegeld. Im Einzelnen sind die sechs Hauptbeiträge dieser Arbeit: • Wir stellen Ansätze zur dynamischen Umgehung von Intrusion-Detection-Systemen (IDS) vor, um deren Leistung zu erhöhen, ohne das Sicherheitsniveau zu senken. Zu diesem Zweck entwickeln und implementieren wir drei SDN-basierte Ansätze (zwei dynamische und einen statischen). 
We evaluate them regarding security and performance and show that all approaches significantly increase performance compared to an inline IDS without significant security deficits. We further show that using software switches can further increase the performance of the dynamic approaches, up to a point where they can eliminate any throughput drawbacks of using the IDS. • We design a DDoS Protection System (DPS) against TCP SYN flood attacks in the form of a VNF that works inside an SDN-enabled network. This solution eliminates known scalability and performance drawbacks of existing solutions for this attack type. Then, we evaluate this solution, showing that it handles connection establishment correctly, and present solutions for an observed problem. Next, we evaluate the performance and show that our solution increases performance up to three times. Parallelization and parameter tuning yield a further 76% of performance. Based on these results, we discuss optimal deployment strategies. • We introduce the idea of attack-aware reordering of the SSFC and explain its impact using a theoretical scenario. Then, we discuss the information required to perform this process. We validate our claim of the importance of the SSFC order by analyzing the behavior of individual security functions and SSFCs. From the results, we conclude a massive impact on performance of up to three orders of magnitude, and we find contradicting optimal orders for different workloads. We thereby prove the need for dynamic reordering. Finally, we develop a model for the SSFC regarding traffic composition and resource demands.
To this end, we classify traffic into multiple classes and model the effect of individual security functions on the traffic and the resource demands they generate as functions of the incoming network traffic. Based on our model, we propose three approaches to compute the desired order for reordering. Based on this knowledge, we implement a framework for attack-aware SSFC reordering. The framework places all security functions inside an SDN-enabled network and reorders them using SDN flows. Our evaluation shows that the framework can enforce all routes as desired. It correctly adapts to all attacks and returns to the original state after the attacks cease. We find possible security issues at the moment of reordering and present solutions to eliminate them. Next, we design and implement an approach to load balance servers with regard to their ability to enter a state of Central Processing Unit (CPU) frequency boost. To this end, the approach collects temperature information from available hosts and places the service on the host that can attain the boosted mode the longest. We evaluate this approach and show its functionality. For high-load scenarios, the approach increases overall performance and performance per watt. Even better results show up for low-load workloads, where not only all performance metrics improve but also the temperatures and total power consumption decrease. • Finally, we design an IDPS protecting against database ransom attacks that comprise multiple queries to attain their goal. Our solution models these attacks using a Colored Petri Net (CPN).
A proof-of-concept implementation shows that our approach is capable of detecting the observed attacks without producing false positives for benign scenarios. Furthermore, our solution has only a small impact on performance. Our contributions can help to increase the performance of security infrastructures. We see a wide range of application areas, from data center operators through software and hardware developers to security and performance researchers. Most of the contributions listed above found use in several research publications. Regarding future work, we see the need to integrate better SDN-enabled security functions and SSFC reordering into data center networks. Future SSFCs should discriminate between different traffic types, and security frameworks should support automatically learning models for security functions. We see the need to consider energy efficiency when regarding SSFCs, and to take CPU boosting technologies into account when designing performance models as well as placement, scaling, and deployment strategies. Finally, for faster adaptation to recent ransom attacks, we propose machine-assisted learning for database IDPS signatures.
40

Algebraic Processors

Larjani, Pouya 09 1900 (has links)
Algebraic simplification is the task of reducing an algebraic expression to a simpler form without changing the meaning of the expression. Simplification is generally a difficult task and may have different meanings according to what the subject considers as "simple". This thesis starts off by reverse-engineering the concept of algebraic processors in the IMPS interactive mathematical proof system - which is responsible for handling all the algebraic simplification tasks - and discusses its algorithm and usage in detail. Then it explores the idea of algebraic processors as generic programs that can be configured for any type of algebraic structure to simplify expressions of that type by first formalizing the theory of algebraic processors of IMPS and then extending it to provide solutions for related topics. Algebraic processors can be defined for any user-defined algebra, as long as it conforms to the structure defined in this paper. The processors are defined as external units that can communicate with other mechanized mathematics systems in a trustable fashion and provide a program and a proof of correctness for any requests of simplification. Finally, some related processors such as one for simplification in partial orders and equivalence classes are outlined with some discussion of possible future expansions. / Thesis / Master of Science (MSc)
