DOI: 10.1145/3577923.3583643
Research article

A Tenant-based Two-stage Approach to Auditing the Integrity of Virtual Network Function Chains Hosted on Third-Party Clouds

Published: 24 April 2023

Abstract

There is a growing trend of hosting chains of Virtual Network Functions (VNFs) on third-party clouds for more cost-effective deployment. However, the multi-actor nature of such a deployment may allow a mismatch to silently arise between tenant-level specifications of VNF chains and their cloud provider-level deployment. Most existing auditing approaches would face difficulties in identifying such an integrity breach. First, relying on the cloud provider may not be sufficient, since modifications made by a stealthy attacker may seem legitimate to the provider. Second, the tenant cannot directly perform the auditing due to limited access to the provider-level data. In addition, shipping such data to the tenant would incur prohibitive overhead and confidentiality concerns. In this paper, we design a tenant-based, two-stage solution where the first stage leverages tenant-level side-channel information to identify suspected integrity breaches, and then the second stage automatically identifies and anonymizes selected provider-level data for the tenant to verify the suspected breaches from the first stage. The key advantages of our solution are: (i) the first stage gives tenants more control and transparency (with the capability of identifying integrity breaches without the provider's assistance), and (ii) the second stage provides tenants higher accuracy (with the capability of rigorous verification based on provider-level data). Our solution is integrated into OpenStack/Tacker (a popular choice for NFV deployment), and its effectiveness is demonstrated via experiments (e.g., up to 90% accuracy with the first stage alone).
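The two stages described in the abstract, as an added illustrative example; this is not the paper's OpenStack/Tacker implementation. It assumes end-to-end latency through the chain as the tenant-level side channel, a Neutron-style port chain (an ordered list of port IDs) as the provider-level data, and keyed HMAC pseudonyms as the anonymization; the chain, port IDs, key and latency samples are all constructed.

```python
"""Illustrative two-stage VNF-chain integrity audit (added example).

Stage 1 runs entirely on the tenant side and only raises a suspicion;
stage 2 confirms or refutes it against pseudonymized provider-level data.
All identifiers, keys and measurements below are constructed.
"""
import hashlib
import hmac
import statistics
from typing import Dict, List, Sequence, Tuple

# Tenant-level specification (e.g. from a VNFFG descriptor): traffic must
# traverse firewall -> IDS -> NAT, in this order. Hypothetical chain.
TENANT_SPEC: List[str] = ["fw", "ids", "nat"]

# Port IDs of the tenant's own VNF instances, visible to the tenant (constructed).
TENANT_PORTS: Dict[str, str] = {"fw": "port-aa11", "ids": "port-bb22", "nat": "port-cc33"}


# ---------------------------------------------------------------- stage 1 --
def latency_baseline(samples: Sequence[float]) -> Tuple[float, float]:
    """Mean and sample standard deviation of round-trip latencies (ms) that the
    tenant measured while the chain was known to be deployed correctly."""
    return statistics.mean(samples), statistics.stdev(samples)


def stage1_suspect(baseline: Tuple[float, float], observed: Sequence[float], k: float = 3.0) -> bool:
    """Flag a suspected breach when the observed mean latency drifts more than
    k standard deviations from the baseline. An injected hop raises latency and
    a bypassed VNF lowers it, so the test is two-sided. Interference from
    co-resident VMs shifts latency as well, which is why a positive result is
    only handed to stage 2 rather than treated as proof."""
    mean, sd = baseline
    sd = max(sd, 0.05)  # floor so a near-constant baseline does not trip on noise
    return abs(statistics.mean(observed) - mean) > k * sd


# ---------------------------------------------------------------- stage 2 --
def pseudonymize(port_id: str, key: bytes) -> str:
    """Keyed pseudonym (truncated HMAC-SHA256) of a provider-level identifier.
    The provider holds the key; raw IDs belonging to other tenants never leave it."""
    return hmac.new(key, port_id.encode(), hashlib.sha256).hexdigest()[:16]


def provider_export(deployed_chain: Sequence[str], tenant_ports: Dict[str, str],
                    key: bytes) -> Tuple[List[str], Dict[str, str]]:
    """Provider side: release the deployed port chain with every port ID
    pseudonymized, plus the pseudonyms of the ports the tenant already owns so
    it can recognise its own VNFs in the sequence. Everything else stays opaque.
    Pseudonyms are stable under one key, so repeated exports are linkable; a
    rotated key would trade that linkability for a fresh mapping each time."""
    chain = [pseudonymize(p, key) for p in deployed_chain]
    own = {p: pseudonymize(p, key) for p in tenant_ports.values()}
    return chain, own


def stage2_verify(tenant_spec: Sequence[str], tenant_ports: Dict[str, str],
                  export: Tuple[List[str], Dict[str, str]]) -> Tuple[List[str], List[str]]:
    """Tenant side: map the exported sequence back onto VNF names and diff it
    against the specification. Returns (observed sequence, findings); an empty
    findings list means the provider-level deployment matches the tenant spec."""
    chain, own = export
    label = {own[tenant_ports[v]]: v for v in tenant_spec}
    observed = [label.get(p, "unknown") for p in chain]
    findings: List[str] = []
    if observed != list(tenant_spec):
        findings += [f"missing: {v}" for v in tenant_spec if v not in observed]
        findings += [f"unknown VNF at position {i}" for i, v in enumerate(observed) if v == "unknown"]
        if not findings:
            findings.append(f"reordered: {observed}")
    return observed, findings


if __name__ == "__main__":
    # Constructed latency samples (ms): the correct chain, then the same chain
    # with an extra hop silently inserted between the firewall and the IDS.
    base = latency_baseline([2.0, 2.1, 1.9, 2.0, 2.2, 1.8, 2.0, 2.1])
    tampered = [3.1, 3.2, 3.0, 3.3, 3.1, 3.2, 3.0, 3.1]
    if stage1_suspect(base, tampered):
        key = b"provider-secret-key"  # held by the provider (constructed)
        deployed = ["port-aa11", "port-zz99", "port-bb22", "port-cc33"]  # port-zz99 is not the tenant's
        result = stage2_verify(TENANT_SPEC, TENANT_PORTS, provider_export(deployed, TENANT_PORTS, key))
        print(result)  # (['fw', 'unknown', 'ids', 'nat'], ['unknown VNF at position 1'])
```

Stage 2 distinguishes the three breach shapes the tenant cares about: an element it does not own (injection), a specified VNF absent from the deployed sequence (bypass), and the right elements in the wrong order; the injected element is reported only by position and pseudonym, so the export reveals nothing about whose instance it is.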

Published In

CODASPY '23: Proceedings of the Thirteenth ACM Conference on Data and Application Security and Privacy
April 2023, 304 pages
ISBN: 9798400700675
DOI: 10.1145/3577923
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Publisher

Association for Computing Machinery, New York, NY, United States

Author Tags

  1. blackbox auditing
  2. cloud computing security
  3. nfv security

Qualifiers

  • Research-article

Funding Sources

  • Industrial Research Chair in SDN/NFV Security and the Canada Foundation for Innovation

Conference

CODASPY '23

Acceptance Rates

Overall Acceptance Rate 149 of 789 submissions, 19%

Article Metrics

  • Total citations: 0
  • Total downloads: 104
  • Downloads (last 12 months): 38
  • Downloads (last 6 weeks): 5

Reflects downloads up to 27 Dec 2024