This work is a sequel of the studies in the analysis of vulnerabilities in computer systems. It applied boolean algebras to develop a mathematical model describing the exploits of the NVD data source when using the classification based on the concept of measurement. Quasimeasure has been offered for the boolean algebra, proved that she is a measure from the point of view of measure theory. Shows that the algebraic structure is also algebra of events.

Анализ уязвимостей вычислительных систем на основе алгебраических структур и потоков данных National Vulnerability Database

In recent time, software defined networking (SDN) has evolved into a new and promising networking paradigm. In the SDN-based cloud, the essential features of SDN, including global view of the whole network, software-based traffic analysis, centralized control over the network, etc. can greatly improve the DDoS attack detection and mitigation capabilities of the cloud. However, integration of SDN in the cloud itself introduces new DDoS attack vulnerabilities. Limited flow-table size is a vulnerability that can be exploited by the adversaries to perform DDoS attacks on the SDN-based cloud. In this paper, we first discuss various essential features of SDN that makes it a suitable networking technology for cloud computing. In addition, we represent the flow table-space of a switch by using a queuing theory based mathematical model. Further, we propose a novel flow-table sharing approach to protect the SDN-based cloud from flow table overloading DDoS attacks. This approach utilizes idle flow-table of other OpenFlow switches in the network to protect the switch’s flow-table from overloading. Our approach increases the resistance of the cloud system against DDoS attacks with minimal involvement of the SDN controller. Thus, it has very low communication overhead. Our claims are well supported by the extensive simulation-based experiments.

Distributed denial of service (DDoS) attack mitigation in software defined network (SDN)-based cloud computing environment

Currently, advanced communications and networks greatly enhance user experiences and have a major impact on all aspects of people’s lifestyles in terms of work, society, and the economy. However improving competitiveness and sustainable vehicle network services, such as higher user experience, considerable resource utilization and effective personalized services, is a great challenge. Addressing these issues, this paper proposes a virtual network resource management based on user behavior to further optimize the existing vehicle communications. In particular, ensemble learning is implemented in the proposed scheme to predict the user’s voice call duration and traffic usage for supporting user-centric mobile services optimization. Sufficient experiments show that the proposed scheme can significantly improve the quality of services and experiences and that it provides a novel idea for optimizing vehicle networks.

User-Oriented Virtual Mobile Network Resource Management for Vehicle Communications

While there have been extensive studies of denial of service (DoS) attacks and DDoS attack mitigation, such attacks remain challenging to mitigate. For example, Low-Rate DDoS (LR-DDoS) attacks are known to be difficult to detect, particularly in a software-defined network (SDN). Hence, in this paper we present a flexible modular architecture that allows the identification and mitigation of LR-DDoS attacks in SDN settings. Specifically, we train the intrusion detection system (IDS) in our architecture using six machine learning (ML) models (i.e., J48, Random Tree, REP Tree, Random Forest, Multi-Layer Perceptron (MLP), and Support Vector Machines (SVM)) and evaluate their performance using the Canadian Institute of Cybersecurity (CIC) DoS dataset. The findings from the evaluation demonstrate that our approach achieves a detection rate of 95%, despite the difficulty in detecting LR-DoS attacks. We also remark that in our deployment, we use the open network operating system (ONOS) controller running on Mininet virtual machine in order for our simulated environment to be as close to real-world production networks as possible. In our testing topology, the intrusion prevention detection system mitigates all attacks previously detected by the IDS system. This demonstrates the utility of our architecture in identifying and mitigating LR-DDoS attacks.

/pdf/a-flexible-sdn-based-architecture-for-identifying-and-2h3oonc43x.pdf

A Flexible SDN-Based Architecture for Identifying and Mitigating Low-Rate DDoS Attacks Using Machine Learning

Conventional Internet of Things (IoT) ecosystems involve data streaming from sensors, through Fog devices to a centralized Cloud server. Issues that arise include privacy concerns due to third party management of Cloud servers, single points of failure, a bottleneck in data flows and difficulties in regularly updating firmware for millions of smart devices from a point of security and maintenance perspective. Blockchain technologies avoid trusted third parties and safeguard against a single point of failure and other issues. This has inspired researchers to investigate blockchain’s adoption into IoT ecosystem. In this paper, recent state-of-the-arts advances in blockchain for IoT, blockchain for Cloud IoT and blockchain for Fog IoT in the context of eHealth, smart cities, intelligent transport and other applications are analyzed. Obstacles, research gaps and potential solutions are also presented.

A survey on the adoption of blockchain in IoT: challenges and solutions

The Software-Defined Network (SDN) is a new and promising network architecture. At the same time, SDN will surely become a new target of cyber attackers. In this paper, we point out one critical vulnerability in SDNs, the size of flow table, which is most likely to be attacked. Due to the expensive and power-hungry features of Ternary Content Addressable Memory (TCAM), a flow table usually has a limited size, which can be easily disabled by a flow table overloading attack (a transformed DDoS attack). To provide a security service in SDN, we proposed a QoS-aware mitigation strategy, namely, peer support strategy, which integrates the available idle flow table resource of the whole SDN system to mitigate such an attack on a single switch of the system. We established a practical mathematical model to represent the studied system, and conducted a thorough analysis for the system in various circumstances. Based on our analysis, we found that the proposed strategy can effectively defeat the flow table overloading attacks. Extensive simulations and testbed-based experiments solidly support our claims. Moreover, our work also shed light on the implementation of SDN networks against possible brute-force attacks.

Defending Against Flow Table Overloading Attack in Software-Defined Networks

DDoS attacks are rampant in cloud environments and continually evolve into more sophisticated and intelligent modalities, such as low-rate DDoS attacks. But meanwhile, the cloud environment is also developing in constant. Now container technology and microservice architecture are widely applied in cloud environment and compose container-based cloud environment. Comparing with traditional cloud environments, the container-based cloud environment is more lightweight in virtualization and more flexible in scaling service. Naturally, a question that arises is whether these new features of container-based cloud environment will bring new possibilities to defeat DDoS attacks. In this paper, we establish a mathematical model based on queueing theory to analyze the strengths and weaknesses of the container-based cloud environment in defeating low-rate DDoS attack. Based on this, we propose a dynamic DDoS mitigation strategy, which can dynamically regulate the number of container instances serving for different users and coordinate the resource allocation for these instances to maximize the quality of service. And extensive simulations and testbed-based experiments demonstrate our strategy can make the limited system resources be utilized sufficiently to maintain the quality of service acceptable and defeat DDoS attack effectively in the container-based cloud environment.

/pdf/exploring-new-opportunities-to-defeat-low-rate-ddos-attack-4bdvl8sf78.pdf

Exploring New Opportunities to Defeat Low-Rate DDoS Attack in Container-Based Cloud Environment

In this Modern era, Software Defined Network (SDN), Network Function Virtualization (NFV), and cloud computing participating of Fifth Generation (5G) network emergence. This paper presents a robust security scheme to provide fortification against major threats along with user privacy in 5G network, two additional entities are introduced. For mobile users, initial authentication is provided at access points by an inventive Highly Secured Authentication and Handover Mechanism (HS-AOHM) scheme which minimizes handover latency without loss of user privacy. Then the authorized user packets are arrived at dispatcher in which a novel Tree Based Switch Assignment (TBSA) algorithm is incorporated. TBSA mitigates the flow table overloading attack by assigning packets to underloaded switches. In controller, DDoS attack is detected with the assist of entropy analysis. Then the suspicious packets are redirected to scrubbing Virtual Network Function (sVNF) in cloud. In sVNF, suspicious packets are classified into normal packets and malicious packets by using Hybrid Fuzzy with Artificial Neural Network (HF-ANN) classifier based on packet features. Normal packets are allowed to access applications whereas malicious packets are dropped at sVNF. Extensive simulation shows security improvement in 5G network in terms of handover latency, holding time, switch failure rate, detection accuracy, and delay.

Deployment of Robust Security Scheme in SDN Based 5G Network over NFV Enabled Cloud Environment

Due to the lightweight features, the combination of container technology and microservice architecture makes container-based cloud environment more efficient and agile than VM-based cloud environment. However, it also greatly amplifies the dynamism and complexity of the cloud environment and increases the uncertainty of security issues in the system concurrently. In this case, the effectiveness of defense mechanisms with fixed strategies would fluctuate as the updates occur in cloud environment. We refer this problem as effectiveness drift problem of defense mechanisms, which is particularly acute in the proactive defense mechanisms, such as moving target defense (MTD). To tackle this problem, we present DSEOM, a framework that can automatically perceive updates of container-based cloud environment, rapidly evaluate the effectiveness change of MTD and dynamically optimize MTD strategies. Specifically, we establish a multi-dimensional attack graphs model to formalize various complex attack scenarios. Combining with this model, we introduce the concept of betweenness centrality to effectively evaluate and optimize the implementation strategies of MTD. In addition, we present a series of security and performance metrics to quantify the effectiveness of MTD strategies in DSEOM. And we conduct extensive experiments to illustrate the existence of the effectiveness drift problem and demonstrate the usability and scalability of DSEOM.

/pdf/dseom-a-framework-for-dynamic-security-evaluation-and-1o53619wmm.pdf

DSEOM: A Framework for Dynamic Security Evaluation and Optimization of MTD in Container-Based Cloud

A software-defined network (SDN) is a technology that supports computer network administrators. However, the centralized control plane architecture of SDNs makes them vulnerable to harmful security threats. In this paper, we propose a secure cloud (SecSDN-cloud) architecture that includes user authentication, routing, attack resistance, and third-party monitoring. The goal of this paper is to design an SDN-cloud environment with integrated security that can resist three different attack types: flow table overloading, control plane saturation, and Byzantine attacks. A novel digital signature with chaotic secure hashing is used for user authentication, followed by an enhanced particle swarm optimization multi-class routing protocol to improve the quality of service. Controllers are assigned to switches by integrating an enhanced genetic algorithm with a modified cuckoo search algorithm. The malicious flow identification includes the analysis of five-tuples constructed from features extracted from packets. We implemented the proposed SecSDN-cloud in the OMNeT++ simulator and evaluated its performance in terms of packet loss, end-to-end delay, throughput, latency, and bandwidth.

Bin Yuan

Papers

Defending Against Flow Table Overloading Attack in Software-Defined Networks

Exploring New Opportunities to Defeat Low-Rate DDoS Attack in Container-Based Cloud Environment

Deployment of Robust Security Scheme in SDN Based 5G Network over NFV Enabled Cloud Environment

DSEOM: A Framework for Dynamic Security Evaluation and Optimization of MTD in Container-Based Cloud

SecSDN-Cloud: Defeating Vulnerable Attacks Through Secure Software-Defined Networks