Project

SHIELD - Securing against intruders and other threats through a NFV-enabled environment

Goal: Create a virtualised security infrastructure by exploiting an NFV-enabled network.
Key points:
- vNSF (virtual Network Security Functions) deployed as needed, as a preliminary defence or in real-time to counter on-going attacks
- big data analysis to detect attacks
- trusted computing technology to monitor the integrity of the infrastructure itself and to create a trusted and secure subnet
This is an H2020 project, September 2016 - March 2018
More information at https://www.shield-h2020.eu/

Methods: TPM, Big Data Analysis, Trusted Computing, NFV, vNSF, MACsec

Date: 1 September 2016 - 28 February 2019


Project log

Marco De Benedictis
added 2 research items
Network Functions Virtualisation (NFV) is a novel paradigm for the softwarisation of network functions that allows an operator to leverage large-scale virtualisation to enhance the availability and flexibility of the typical network and security services offered to end users. Virtual Network Functions are proposed as an alternative to traditional hardware appliances, with the aim of reducing maintenance and upgrade costs and enhancing the provisioning and on-demand placement of network functions. Although promising, this paradigm introduces relevant challenges in the field of security, as the attack surface of a virtualised architecture is larger than that of a traditional hardware-based network platform. In fact, not only is it affected by the generic threats of both the virtualisation and networking domains, it also introduces new threats due to the combination of these domains. In this work, we propose the design of a centralised monitoring and reporting solution to assess the trustworthiness of an NFV infrastructure, named Trust Monitor. Moreover, we present an open-source prototype for the proposed solution, which is tailored for the Security-as-a-Service use case and integrated with a reference NFV framework.
Cloud computing has deeply affected the structure of modern ICT infrastructures. It represents an enabling technology for novel paradigms such as Network Function Virtualisation (NFV), which proposes the virtualisation of network functions to enhance the flexibility of networks and to reduce the costs of infrastructure management. Besides potential benefits, NFV inherits the limitations of traditional virtualisation, where the isolation of resources comes at the cost of a performance overhead. Lightweight forms of virtualisation, like containers, aim to mitigate this limitation. Furthermore, they allow the agile composition of complex services. These characteristics make containers a suitable technology for an NFV environment. A major concern towards the exploitation of containers is security. Since containers provide less isolation than virtual machines, they can expose the whole host to vulnerabilities. In this work we investigate container-related threats and propose a secure design for a Virtual Network Function deployed in a lightweight NFV environment.
Dimitris Katsianis
added an update
SHIELD exploits NFV for adaptive monitoring of an IT infrastructure and for feeding the data to an analytics engine to detect attacks in real time. An intelligent reaction system is then activated to reconfigure the SDN/NFV infrastructure so that the attacks are thwarted. The SDN/NFV infrastructure itself is protected from attacks thanks to trusted computing techniques that permit to quickly identify misbehaving nodes.
During the last leg of the project, SHIELD has released the final version of the platform prototype, which is available at the official Github account. In addition, the conclusions of the technical development work, along with the final architectural design, have been published in deliverables and are available at the project website.
The SHIELD consortium has participated in several dissemination events to maximise the impact of the project results within both the scientific and industrial communities. The consortium was invited to present the project results during the Software Defined Networks Security workshop at CODE-2018, organised by ENISA in Munich (Germany) on July 11th 2018. The project held a panel session on Collaborative info-sharing on September 27th 2018 within the CyberTech 2018 event in Rome (Italy). A presentation of the SHIELD architecture and of its demonstrations was given at the InfoCom World 2018 industrial event in Athens (Greece) on November 21st 2018, within a dedicated session on the results of EU-funded projects. SHIELD participated in the ICT 2018: Imagine Digital event, organised by the European Commission in Vienna (Austria) on 4-6 December 2018. The event focused on the European Union's priorities in the digital transformation of society and industry, and SHIELD presented a networking session named Big Data & Machine Learning for network security: approaches and benchmarks on December 5th, 2018. Finally, SHIELD will participate in the H2020 Project Clustering Workshop organised by the GHOST project on March 28th, 2019.
With respect to standardisation activities, the consortium participated at the Trusted Computing Group annual members meeting in Lisbon (Portugal) on October 16th 2018 to present the SHIELD project and its use of Trusted Computing technologies and mechanisms to enhance security of virtualised infrastructures. Moreover, a Proof of Concept on network management security, leveraging the SHIELD intelligent reaction system, was presented at the ETSI Experiential Network Intelligence (ENI) working group in Leganes (Spain) on 3-5 December 2018.
The paper entitled "Application of distributed computing and machine learning technologies to cybersecurity" was presented at the Computer & Electronics Security Applications Rendez-vous (C&ESAR 2018) conference in Rennes (France), on 19-21 November 2018. The Future Generation Computer Systems (Elsevier) journal has accepted the paper "Integrity verification of Docker containers for a lightweight cloud environment", whose publication is expected in Volume 97 (August 2019).
During this period, the consortium has also participated in the organisation of scientific workshops. The 1st International Workshop on Cyber Threat Intelligence Management (CyberTIM 2018) was co-organised by the SHIELD, PROTECTIVE and C3ISP projects in conjunction with the ARES 2018 conference in Hamburg (Germany), on 27-30 August 2018. Moreover, SHIELD is co-organising the 1st International Workshop on Cyber-Security Threats, Trust and Privacy Management in Software-defined and Virtualized Infrastructures (SecSoft 2019) together with other EU cyber-security and 5G projects, namely ASTRID, SPEAR, CYBER-TRUST, REACT and 5GENESIS.
The SHIELD consortium has organised several communication events to showcase the final version of the platform prototype and demonstrate its performance and functionality in realistic scenarios. First, a tutorial entitled "Modern Network-based Security: Softwarized Networking, Trusted Computing, and Artificial Intelligence for Cybersecurity" was organised within the 5th International Conference on Information Systems Security and Privacy (ICISSP 2019) on 23-25 February 2019 in Prague (Czech Republic). This tutorial aimed at introducing modern network technologies (Software Defined Networking and Network Function Virtualization) and then showing how to use them along with Trusted Computing, Machine Learning and Artificial Intelligence techniques to create a trusted protection infrastructure to effectively counter cyberattacks. The technical aspects were complemented by a market and economic analysis, to evaluate benefits versus costs, and by a live showcase of project demonstrations. Within the same event, SHIELD presented the ETSI ENI PoC in a dedicated booth for the entire duration of the conference. SHIELD ran an exercise based on an enterprise use case together with internal personnel coming from different departments and business units of Telefónica, including technical operational staff, on 7th March 2019. Valuable feedback and recommendations were provided, including an initial definition of commercial models, network integration and standardisation needs. In parallel, Space Hellas conducted an internal pilot, using the SHIELD technologies in the company's operational network infrastructure, with quite promising results, as assessed by cybersecurity experts during an internal workshop held on March 5th, 2019. Finally, the CESICAT cybersecurity agency was involved in a pilot that showcased the SHIELD capability to extract statistics regarding network anomalies in an ISP infrastructure on 11th March 2019.
The SHIELD project participated in the organisation of the European Network for Cybersecurity (NECS) Winter School 2019 in cooperation with the C3ISP EU project, AEGIS and the CINI Cyber Security National Lab, from 18 to 22 February 2019 near Trento (Italy). Within this event, SHIELD contributed three theoretical lectures on the key pillars of the project, namely Network Function Virtualization, Artificial Intelligence and Trusted Computing, and a practical session comprising project demonstrations and a hands-on session on the application of Machine Learning to cybersecurity. Full details of the school programme, along with the lecture material and pictures, are available on the official website.
All the demonstration videos are available through the EU SHIELD project YouTube channel, along with a brief overview of the project goals.
Contact us at info[at]shield-h2020.eu. Visit us at https://www.shield-h2020.eu. Follow us on Twitter @shield_h2020. Connect with us on LinkedIn: SHIELD EU Project.
 
Marco De Benedictis
added a research item
Virtualisation techniques are growing in popularity and importance, given their application to server consolidation and to cloud computing. Remote Attestation is a well-known technique to assess the software integrity of a node. It works well with physical platforms, but not so well with virtual machines hosted in a full virtualisation environment (such as the Xen hypervisor or Kernel-based Virtual Machine) and it is simply not available for a lightweight virtualisation environment (such as Docker). On the contrary, the latter is increasingly used, especially in lightweight cloud platforms, because of its flexibility and limited overhead as compared to virtual machines. This paper presents a solution for security monitoring of a lightweight cloud infrastructure, which exploits Remote Attestation to verify the software integrity of cloud applications during their whole life-cycle. Our solution leverages mainstream tools and architectures, like the Linux Integrity Measurement Architecture, the OpenAttestation platform and the Docker container engine, making it practical and readily available in a real-world scenario. Compared to a standard Docker deployment, our solution enables run-time verification of container applications at the cost of a limited overhead.
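The abstract above describes verifying container software integrity from IMA measurements. The following is an added example, not code from the paper or from the SHIELD prototype, that shows the two checks an attestation verifier performs on an IMA measurement list: replaying the log to recompute PCR 10 (so a truncated or edited log is detected), and comparing each measured file digest against a golden whitelist. The log lines and digests are constructed placeholders in the ima-ng format exposed by Linux IMA (`<pcr> <sha1 template hash> ima-ng <alg>:<digest> <path>`); the quoted PCR value is assumed to have been obtained from an already-verified TPM quote, so signature checking of the quote is out of scope here.

```python
import hashlib
from dataclasses import dataclass

# Constructed sample of /sys/kernel/security/ima/ascii_runtime_measurements
# (ima-ng template). Template hashes and file digests are made-up placeholders.
SAMPLE_LOG = """\
10 9c5f8b7b4d2e1a0f3c6b8d9e0f1a2b3c4d5e6f70 ima-ng sha256:8f434346648f6b96df89dda901c5176b10a6d83961dd3c1ac88b59b2dc327aa4 /usr/bin/python3
10 1e2d3c4b5a69788796a5b4c3d2e1f00112233445 ima-ng sha256:2c26b46b68ffc68ff99b453c1d30413413422d706483bfa0f98a5e886266e7ae /opt/vnsf/firewall.py
10 aabbccddeeff00112233445566778899aabbccdd ima-ng sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef /opt/vnsf/dropped_tool
"""

# Constructed golden values (hypothetical whitelist the verifier holds).
# firewall.py deliberately differs from the measured digest; dropped_tool is absent.
GOLDEN = {
    "/usr/bin/python3": "8f434346648f6b96df89dda901c5176b10a6d83961dd3c1ac88b59b2dc327aa4",
    "/opt/vnsf/firewall.py": "b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c",
}


@dataclass
class Measurement:
    pcr: int
    template_hash: str   # SHA-1 of the template data, the value extended into the PCR
    template: str
    algo: str
    digest: str          # digest of the measured file content
    path: str


def parse_ima_log(text: str) -> list[Measurement]:
    """Parse ima-ng lines; the path is the remainder of the line (it may contain spaces)."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        pcr, thash, template, hashfield, path = line.split(maxsplit=4)
        algo, digest = hashfield.split(":", 1)
        entries.append(Measurement(int(pcr), thash, template, algo, digest, path))
    return entries


def replay_pcr(entries: list[Measurement], pcr_index: int = 10) -> str:
    """Recompute the SHA-1 PCR bank value: PCR_new = SHA1(PCR_old || template_hash)."""
    pcr = bytes(20)  # PCRs 0-16 start at all-zero bytes
    for e in entries:
        if e.pcr == pcr_index:
            pcr = hashlib.sha1(pcr + bytes.fromhex(e.template_hash)).digest()
    return pcr.hex()


def check_whitelist(entries: list[Measurement], golden: dict[str, str]) -> dict:
    """Classify every measured file as known-good, mismatched, or not in the whitelist."""
    ok, mismatched, unknown = [], [], []
    for e in entries:
        expected = golden.get(e.path)
        if expected is None:
            unknown.append(e.path)
        elif expected.lower() != e.digest.lower():
            mismatched.append(e.path)
        else:
            ok.append(e.path)
    return {"ok": ok, "mismatched": mismatched, "unknown": unknown}


def attest(log_text: str, golden: dict[str, str], quoted_pcr10: str) -> dict:
    """Full verdict: the log must replay to the quoted PCR and every file must be whitelisted."""
    entries = parse_ima_log(log_text)
    log_ok = replay_pcr(entries) == quoted_pcr10.lower()
    wl = check_whitelist(entries, golden)
    trusted = log_ok and not wl["mismatched"] and not wl["unknown"]
    return {"log_matches_pcr": log_ok, "trusted": trusted, **wl}


if __name__ == "__main__":
    # Simulate a quote whose PCR 10 matches the log, then show the verdict.
    quoted = replay_pcr(parse_ima_log(SAMPLE_LOG))
    print(attest(SAMPLE_LOG, GOLDEN, quoted))
```

The PCR replay is what makes the measurement list trustworthy at all: an attacker who can edit the log on the node cannot make an edited log replay to the PCR value the TPM signed. The whitelist comparison then turns the log into a verdict per measured file, which is how a container-level monitor reports a modified or unexpected binary inside a running container.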
Dimitris Papadopoulos
added a research item
SHIELD is a distributed cyber-security system that leverages Network Function Virtualisation for dynamically deploying virtual Network Security Functions. The security functions send network traffic monitoring data to a big-data store. The Data Analysis and Remediation Engine executes security analytics modules on top of the monitoring data modules in order to detect threats. The security analytics heavily leverage Machine Learning algorithms for detecting anomalies and classifying threats. This paper presents the different Machine Learning algorithms and details the obtained results and the direction taken by the project with regards to its implementation, including business capabilities for the cybersecurity solution.
1 Introduction to SHIELD: Machine-Learning-based Security
SHIELD is an information-driven cybersecurity platform, based on Software Defined Network (SDN), Network Function Virtualisation (NFV), big Data Analytics (DA) and infrastructure attestation. SHIELD's goal is the design and development of a novel cybersecurity framework, focusing on offering Security-as-a-Service in an evolved telco environment. All stakeholders (ISPs, companies, end users, cybersecurity agencies and security vendors) are considered in the project. SHIELD's architecture consists of the following key components: (i) the virtual Network Security Functions (vNSFs) implement the traffic processing functionalities; (ii) the vNSF Orchestrator manages the vNSFs' lifecycle; (iii) the Network Infrastructure supports the execution and management of the vNSFs; (iv) the vNSF Store makes the vNSFs available to the vNSFO; (v) the Trust Monitor verifies the integrity of the infrastructure and its services; (vi) the Data Analytics and Remediation Engine (DARE) acts as an information-driven intrusion detection and prevention platform; and (vii) the Security Dashboard provides a graphical front-end of the platform that allows the operators to apply mitigation actions.
The overall (simplified) SHIELD workflow for detecting a threat is: (1) vNSFs spread over the network collect network traffic information and send it to the DARE's data store; (2) the DARE's security analytics engines continuously analyse the data available in the data store; and (3) upon detection of a potential threat, the DARE notifies the operator through the dashboard. The work described in this article has received funding from the European Union Horizon 2020 research and innovation programme, under project SHIELD 800 (Grant Agreement no. 700199).
Dimitris Katsianis
added 2 research items
Software Defined Networking (SDN) and Network Function Virtualisation (NFV) are transforming modern networks towards a service-oriented architecture. At the same time, the cybersecurity industry is rapidly adopting Machine Learning (ML) algorithms to improve detection and mitigation of complex attacks. Traditional intrusion detection systems perform signature-based detection, based on well-known malicious traffic patterns that signify potential attacks. The main drawback of this method is that attack patterns need to be known in advance and signatures must be preconfigured. Hence, typical systems fail to detect a zero-day attack or an attack with unknown signature. This work considers the use of machine learning for advanced anomaly detection, and specifically deploys the Apache Spot ML framework on an SDN/NFV-enabled testbed running cybersecurity services as Virtual Network Functions (VNFs). VNFs are used to capture traffic for ingestion by the ML algorithm and apply mitigation measures in case of a detected anomaly. Apache Spot utilises Latent Dirichlet Allocation to identify anomalous traffic patterns in Netflow, DNS and proxy data. The overall performance of Apache Spot is evaluated by deploying Denial of Service (Slowloris, BoNeSi) and a Data Exfiltration attack (iodine).
Machine Learning (ML) technologies applied to cybersecurity, especially in the area of network cyber threat detection, are a promising choice, but they require additional research into the applicability of a wide range of available algorithms. Such algorithms usually require training using good-quality and quantitatively significant datasets, which are rarely publicly available. To this end, in this paper we describe a novel experimental framework, which we call the Mouseworld, that combines NFV and SDN to create an environment able to (1) blend and transmit real and synthetic traffic and (2) collect and label this traffic so that it can be used for training and validating ML algorithms that will be applied to the detection of cybersecurity threats. The Mouseworld framework includes a set of traffic generation, collection and labelling modules, together with analytics and algorithm training and visualization components. The OSM open-source network orchestrator is utilized to control and manage the framework and to deploy the training and validation scenarios. We present a preliminary result in the area of security threat detection as a demonstration of the framework's viability. https://www.shield-h2020.eu/shield-h2020/documents/scientific-papers/CyberTIM2018_NFV_ML_training.pdf
Dimitris Katsianis
added an update
During the past months, SHIELD released the second edition of the architectural documents and technical specifications for the data analytics engine as well as the NFV platform. The documents are publicly available at the project website: https://www.shield-h2020.eu/documents/project-deliverables.htm.
 
Dimitris Katsianis
added a research item
SHIELD is an EU-funded project targeting the design and development of a novel cybersecurity framework which offers Security-as-a-Service in an evolved telco environment. The SHIELD framework leverages NFV (Network Functions Virtualization) and SDN (Software-Defined Networking) for the virtualization and dynamic placement of virtualised security appliances in the network (virtual Network Security Functions – vNSFs), Big Data analytics for real-time incident detection and mitigation, as well as attestation techniques for securing both the infrastructure and the services. This paper presents a detailed roadmapping analysis and identifies the factors that will affect market adoption and the evolution of SHIELD or similar cybersecurity solutions.
Eleni Trouva
added a research item
Organisations are witnessing an unprecedented escalation of cyber-crime attacks and struggle to protect against them. Rethinking security is required to cope with numerous new challenges arising today: the sophistication of new attacks, the increasing weakness of traditional security controls, the explosion of data to be collected and analysed to detect threats and the ongoing transformation of IT – such as virtualisation and cloud computing.
Dimitris Katsianis
added an update
SHIELD exploits NFV for adaptive monitoring of an IT infrastructure and for feeding the data to an analytics engine to detect attacks in real time. An intelligent reaction system is then activated to reconfigure the SDN/NFV infrastructure so that the attacks are thwarted. The SDN/NFV infrastructure itself is protected from attacks thanks to trusted computing techniques that permit to quickly identify misbehaving nodes.
 
Dimitris Katsianis
added a project reference
Marco De Benedictis
added a research item
This demo showcases some of the capabilities foreseen for the security infrastructure designed by the H2020 SHIELD project. SHIELD exploits NFV for adaptive monitoring of an IT infrastructure and for feeding the data to an analytics engine to detect attacks in real time. An intelligent reaction system is then activated to reconfigure the SDN/NFV infrastructure so that the attacks are thwarted. The SDN/NFV infrastructure itself is protected from attacks thanks to trusted computing techniques that permit to quickly identify misbehaving nodes. The proposed demo will present detection of and reaction to a DDoS attack (by on-the-fly deployment of new virtual network security functions and/or change of network paths), as well as detection of software attacks against virtual network functions (executed in Docker containers) and of unauthorized modification of the SDN switching tables and NFV configurations.
Dimitris Katsianis
added a research item
The increasing number of IoT devices raises concerns about the amount of data they generate and, more importantly, their content, which has security and privacy implications. The Things are mostly constrained by typical embedded design limitations, from non-extensible functionalities to poor or non-existent configuration; adding security features to these devices is therefore impractical. This paper presents a network security infrastructure suitable for IoT devices, which aims at offloading the security from the devices to the nearest network edge they are connected to. First, the SECURED architecture for the network edge device (NED) is detailed: its components, security policy refinement and translation, and the way it addresses the mobility of the Things. Then, the SHIELD architecture proposes to extend and strengthen the security of the IoT devices by leveraging the dynamic deployment of security controls with analytics, which permits orchestrated security at the level of the entire infrastructure, allowing a new threat detection paradigm.
Dimitris Katsianis
added a research item
SHIELD is an EU-funded project targeting the design and development of a novel cybersecurity framework which offers Security-as-a-Service in an evolved telco environment. The SHIELD framework leverages NFV (Network Functions Virtualization) and SDN (Software-Defined Networking) for the virtualization and dynamic placement of virtualised security appliances in the network (virtual Network Security Functions – vNSFs), Big Data analytics for real-time incident detection and mitigation, as well as attestation techniques for securing both the infrastructure and the services. This paper discusses key use cases and requirements for the SHIELD framework and presents a high-level architectural approach.
Antonio Lioy
added a project goal