ThC4 – Network Security
Thursday, 20 June 2019, 14:00-15:30, Room 4
Session chair: Andrea F. Cattoni (Keysight Technologies, Denmark)
Telco Cloud Resilience: Synergies Between Fault and Security Management
Borislava Gajic (Nokia Bell Labs, Germany); Ruben Trapero Burgos (Atos, Spain); Diomidis S. Michalopoulos (Nokia Bell Labs, Germany)
This work capitalizes on the concept of network function virtualization at the telco cloud, and presents a joint study of fault management and security management. Specifically, the commonalities of fault and security management are put forward, along with a resource allocation study in common slice deployments. In this regard, a security threat analysis is presented, which sheds light on the impact of security threats on network fault management. The interdependence between security and fault management is highlighted via three use cases, where distinct levels of resource trade-offs are identified. Along with such use cases, the paper also provides an overview of the resulting resource allocation process, where the requirements of the corresponding slice are analyzed with a view to overall efficient resource usage.
Towards the Detection of Mobile DDoS Attacks in 5G Multi-Tenant Networks
Ana Serrano, Zeeshan Pervez, Qi Wang and Jose Alcaraz-Calero (University of the West of Scotland, United Kingdom (Great Britain))
The fifth-generation (5G) mobile networks target a variety of new use cases that involve a massive number of heterogeneous devices connected to the same infrastructure. This trend also brings new security threats, and one of the most critical ones for the availability of network services is a Distributed Denial of Service (DDoS) attack. A small portion of the billions of connected devices can be employed as a botnet to trigger a massive DDoS flooding attack that can bring down important services or affect the complete infrastructure. Traditional security systems against DDoS attacks are generally designed to work in infrastructures with a particular topology. However, the mobility of many devices subscribed to the network should be taken into account when designing defence systems. Otherwise, both the detection and the trace back of the attacker will be limited to non-mobile devices as the source of the attack. This is especially relevant when security needs to be part of the definition of the network slices associated with 5G networks. This paper presents a novel approach to overcome the limitation of traditional detection systems. A novel sensor provides the information required to trace back an attacker even if it is moving among different locations. The proposed approach is suitable for deployment in almost all 5G network segments, including the Edge. The architectural design is described and empirical experiments have validated the proposed approach.
Secure Location-Aware VM Deployment on the Edge Through OpenStack and ARM TrustZone
Teodora Sechkova, Enrico Barberis and Michele Paolino (Virtual Open Systems SAS, France)
In recent years, there has been an ongoing computational shift from the data center to the network edge. Due to the increased hardware capabilities of devices, the edge can also benefit from the dynamic and scalable services provided by virtualization technologies. In turn, edge computing brings low latency and reduced network traffic, location-awareness and local caching. However, the new capabilities unlock new challenges in terms of security, data and workload location. In this work, we focus on the threats caused by the heterogeneous and distributed nature of the edge infrastructure. We build a trusted edge based on the hardware isolation of ARM TrustZone. Moreover, we use it as a secure foundation to perform location-aware virtual machine deployment, utilizing the dispersed nature of the infrastructure. We measure the performance of our solution and discuss the overall overhead and potential improvements.
Applying QKD to Improve Next-Generation Network Infrastructures
Victor Lopez (Telefonica, Spain); Antonio Pastor and Diego Lopez (Telefonica I+D, Spain); Alejandro Aguado Martin (Universidad Politécnica de Madrid, Spain); Vicente Martin (Universidad Politecnica de Madrid, Spain)
There is great attention to quantum technologies in the ICT environment. In particular, when dealing with security matters, the most prominent quantum technology is Quantum Key Distribution (QKD). QKD allows the sharing of symmetric keys with information theoretic security (ITS, i.e. independently of the computational power of the attacker) between two remote network nodes. QKD is the only known method to share a key able to reach ITS. During the last two decades, there has been tremendous technological progress in QKD research, which has led to the availability of QKD network demonstrators. Software Defined Networks (SDN) enable the automation of service provisioning within network operator infrastructures. With the advent of web-scale services and dynamic network requirements, operators can no longer deploy their services based on manual intervention or using proprietary vendor solutions. Programmability is key in the next-generation network infrastructure, and any new technology must be integrated with this paradigm. Let us highlight that this requirement is even more important in virtual environments, where a Virtual Network Function (VNF) can be deployed at any point-of-presence of the operator. The new 5G deployments will enable operators to have edge computing services supporting different capabilities, thus increasing even more the complexity of delivering services without any automation. In spite of the high potential of QKD, this technology has not yet found its path to wide adoption, commercialization and deployment. QKD is a physical technology that requires the existence of a quantum channel, a physical connection able to transmit quantum bits without perturbation, which makes its integration in networks hard. The aim of this document is to present how QKD can be deployed in next-generation infrastructures, based on realistic scenarios.
To do so, this paper describes the technological components of the solutions, as well as the use cases that motivate such effort. These use cases are described from a telecommunication provider's point of view, as they are the actors in charge of deploying QKD systems in their networks.
An Analytical Cross Layer Model for MultipathTCP (MPTCP)
Garima Mishra (TCS (Research and Innovation), India); Samar Shailendra, Hemant Kumar Rath and Arpan Pal (Tata Consultancy Services, India)
Next-generation network smart devices are equipped with multiple radio interfaces. Multipath TCP (MPTCP) has been proposed in the literature to leverage these multiple interfaces. MPTCP has been augmented with several packet schedulers to split packets across the available interfaces. These schedulers work well in the case of wired paths. However, in the case of wireless links their performance degrades substantially. This is because the current scheduling algorithms do not explicitly account for the wireless channel characteristics when selecting the link. Moreover, there is little analytical work in the literature modelling the effect of wireless channel properties on transport layer schedulers. In this paper, we present a queuing-based model to analyze the effect of wireless channel properties on the MPTCP scheduler. Additionally, we propose a packet scheduling algorithm for MPTCP based upon this model. We compare the theoretical results of our model with the simulation results. We have also conducted experiments to evaluate the performance of the proposed packet scheduler using a SimEvents-based network simulator.