Network Functions Virtualisation (NFV) is a novel paradigm for the softwarisation of network functions that allows an operator to leverage large-scale virtualisation to enhance the availability and flexibility of typical network and security services offered to end users. Virtual Network Functions are proposed as an alternative to traditional hardware appliances, with the aim of reducing maintenance and upgrade costs and enhancing the provisioning and on-demand placement of network functions. Although promising, this paradigm introduces relevant challenges in the field of security, as the attack surface of a virtualised architecture is larger than that of a traditional hardware-based network platform. In fact, not only is it affected by the generic threats of both the virtualisation and networking domains, it also introduces new threats due to the combination of these domains. In this work, we propose the design of a centralised monitoring and reporting solution to assess the trustworthiness of an NFV infrastructure, named Trust Monitor. Moreover, we present an open-source prototype for the proposed solution, which is tailored to the Security-as-a-Service use case and integrated with a reference NFV framework.
Cloud computing has deeply affected the structure of modern ICT infrastructures. It represents an enabling technology for novel paradigms such as Network Function Virtualisation (NFV), which proposes the virtualisation of network functions to enhance the flexibility of networks and to reduce the costs of infrastructure management. Besides its potential benefits, NFV inherits the limitations of traditional virtualisation, where the isolation of resources comes at the cost of a performance overhead. Lightweight forms of virtualisation, like containers, aim to mitigate this limitation. Furthermore, they allow the agile composition of complex services. These characteristics make containers a suitable technology for NFV environments. A major concern regarding the exploitation of containers is security. Since containers provide less isolation than virtual machines, they can expose the whole host to vulnerabilities. In this work we investigate container-related threats and propose a secure design for a Virtual Network Function deployed in a lightweight NFV environment.
Virtualisation techniques are growing in popularity and importance, given their application to server consolidation and to cloud computing. Remote Attestation is a well-known technique to assess the software integrity of a node. It works well with physical platforms, but not so well with virtual machines hosted in a full virtualisation environment (such as the Xen hypervisor or the Kernel-based Virtual Machine), and it is simply not available for a lightweight virtualisation environment (such as Docker). Yet the latter is increasingly used, especially in lightweight cloud platforms, because of its flexibility and limited overhead compared to virtual machines. This paper presents a solution for security monitoring of a lightweight cloud infrastructure, which exploits Remote Attestation to verify the software integrity of cloud applications during their whole life-cycle. Our solution leverages mainstream tools and architectures, like the Linux Integrity Measurement Architecture, the OpenAttestation platform and the Docker container engine, making it practical and readily available in a real-world scenario. Compared to a standard Docker deployment, our solution enables run-time verification of container applications at the cost of a limited overhead.
SHIELD is a distributed cyber-security system that leverages Network Function Virtualisation for dynamically deploying virtual Network Security Functions. The security functions send network traffic monitoring data to a big-data store. The Data Analysis and Remediation Engine executes security analytics modules on top of the monitoring data in order to detect threats. The security analytics heavily leverage Machine Learning algorithms for detecting anomalies and classifying threats. This paper presents the different Machine Learning algorithms and details the obtained results and the direction taken by the project with regard to its implementation, including business capabilities for the cybersecurity solution.

1 Introduction to SHIELD: Machine-Learning-based Security

SHIELD is an information-driven cybersecurity platform, based on Software Defined Networking (SDN), Network Function Virtualisation (NFV), Big Data Analytics (DA) and infrastructure attestation. SHIELD's goal is the design and development of a novel cybersecurity framework, focusing on offering Security-as-a-Service in an evolved telco environment. All stakeholders (ISPs, companies, end users, cybersecurity agencies and security vendors) are considered in the project. SHIELD's architecture consists of the following key components: (i) the virtual Network Security Functions (vNSFs) implement the traffic processing functionalities; (ii) the vNSF Orchestrator (vNSFO) manages the vNSFs' lifecycle; (iii) the Network Infrastructure supports the execution and management of the vNSFs; (iv) the vNSF Store makes the vNSFs available to the vNSFO; (v) the Trust Monitor verifies the integrity of the infrastructure and its services; (vi) the Data Analytics and Remediation Engine (DARE) acts as an information-driven intrusion detection and prevention platform; and (vii) the Security Dashboard provides a graphical front-end to the platform that allows operators to apply mitigation actions.
The overall (simplified) SHIELD workflow for detecting a threat is: (1) vNSFs spread over the network collect information on network traffic and send it to the DARE's data store; (2) the DARE's security analytics engines continuously analyse the data available in the data store; and (3) upon detection of a potential threat, the DARE notifies the operator through the dashboard. The work described in this article has received funding from the European Union Horizon 2020 research and innovation programme, under project SHIELD (Grant Agreement no. 700199).
Software Defined Networking (SDN) and Network Function Virtualisation (NFV) are transforming modern networks towards a service-oriented architecture. At the same time, the cybersecurity industry is rapidly adopting Machine Learning (ML) algorithms to improve the detection and mitigation of complex attacks. Traditional intrusion detection systems perform signature-based detection, based on well-known malicious traffic patterns that signify potential attacks. The main drawback of this method is that attack patterns need to be known in advance and signatures must be preconfigured. Hence, typical systems fail to detect a zero-day attack or an attack with an unknown signature. This work considers the use of machine learning for advanced anomaly detection, and specifically deploys the Apache Spot ML framework on an SDN/NFV-enabled testbed running cybersecurity services as Virtual Network Functions (VNFs). VNFs are used to capture traffic for ingestion by the ML algorithm and to apply mitigation measures in case of a detected anomaly. Apache Spot utilises Latent Dirichlet Allocation to identify anomalous traffic patterns in NetFlow, DNS and proxy data. The overall performance of Apache Spot is evaluated by deploying Denial of Service attacks (Slowloris, BoNeSi) and a Data Exfiltration attack (iodine).
Machine Learning (ML) technologies applied to cybersecurity, especially in the area of network cyber threat detection, are a promising choice, but they require additional research into the applicability of the wide range of available algorithms. Such algorithms usually require training on good-quality and quantitatively significant datasets, which are rarely publicly available. To this end, in this paper we describe a novel experimental framework, which we call the Mouseworld, that combines NFV and SDN to create an environment able to (1) blend and transmit real and synthetic traffic and (2) collect and label this traffic so that it can be used for training and validating ML algorithms applied to the detection of cybersecurity threats. The Mouseworld framework includes a set of traffic generation, collection and labelling modules, together with analytics, algorithm training and visualisation components. The OSM open-source network orchestrator is used to control and manage the framework and to deploy the training and validation scenarios. We present a preliminary result in the area of security threat detection as a demonstration of the framework's viability. https://www.shield-h2020.eu/shield-h2020/documents/scientific-papers/CyberTIM2018_NFV_ML_training.pdf
SHIELD is an EU-funded project targeting the design and development of a novel cybersecurity framework, which offers Security-as-a-Service in an evolved telco environment. The SHIELD framework leverages NFV (Network Functions Virtualisation) and SDN (Software-Defined Networking) for the virtualisation and dynamic placement of virtualised security appliances in the network (virtual Network Security Functions, vNSFs), Big Data analytics for real-time incident detection and mitigation, as well as attestation techniques for securing both the infrastructure and the services. This paper presents a detailed roadmapping analysis and identifies the factors that will affect market adoption and the evolution of SHIELD or similar cybersecurity solutions.
Organisations are witnessing an unprecedented escalation of cyber-crime attacks and struggle to protect against them. Rethinking security is required to cope with the numerous new challenges arising today: the sophistication of new attacks, the increasing weakness of traditional security controls, the explosion of data to be collected and analysed to detect threats, and the ongoing transformation of IT, such as virtualisation and cloud computing.
This demo showcases some of the capabilities foreseen for the security infrastructure designed by the H2020 SHIELD project. SHIELD exploits NFV for adaptive monitoring of an IT infrastructure and for feeding the data to an analytics engine to detect attacks in real time. An intelligent reaction system is then activated to reconfigure the SDN/NFV infrastructure so that the attacks are thwarted. The SDN/NFV infrastructure itself is protected from attacks thanks to trusted computing techniques, which permit misbehaving nodes to be quickly identified. The proposed demo will present detection of and reaction to a DDoS attack (by on-the-fly deployment of new virtual network security functions and/or change of network paths), as well as detection of software attacks against virtual network functions (executed in Docker containers) and of unauthorised modification of the SDN switching tables and NFV configurations.
The increasing number of IoT devices raises concerns about the amount of data they generate and, more importantly, its content, which has security and privacy implications. The Things are mostly constrained by typical embedded design limitations, from non-extensible functionalities to poor or non-existent configuration; adding security features to these devices is therefore impractical. This paper presents a network security infrastructure suitable for IoT devices, which aims at offloading security from the devices to the nearest network edge they are connected to. First, the SECURED architecture for the network edge device (NED) is detailed: its components, security policy refinement and translation, and the way it addresses the mobility of the Things. Then, the SHIELD architecture proposes to extend and strengthen the security of IoT devices by leveraging the dynamic deployment of security controls together with analytics, which permits orchestrated security at the level of the entire infrastructure, allowing a new threat detection paradigm.
SHIELD is an EU-funded project targeting the design and development of a novel cybersecurity framework, which offers Security-as-a-Service in an evolved telco environment. The SHIELD framework leverages NFV (Network Functions Virtualisation) and SDN (Software-Defined Networking) for the virtualisation and dynamic placement of virtualised security appliances in the network (virtual Network Security Functions, vNSFs), Big Data analytics for real-time incident detection and mitigation, as well as attestation techniques for securing both the infrastructure and the services. This paper discusses key use cases and requirements for the SHIELD framework and presents a high-level architectural approach.