Thomas F. La Porta’s research while affiliated with William Penn University and other places


Publications (337)


Manipulating OpenFlow Link Discovery Packet Forwarding for Topology Poisoning
  • Conference Paper
  • December 2024
  • 1 Citation
  • Thomas La Porta · Teryl Taylor · [...] · Trent Jaeger

[Figures 3–5 of the following article: probability density function of IATs for uniform IGTs; probability density function of IATs for Bounded Pareto IGTs; traffic variability at BS vs. generation rate.]

Modeling and Analysis of mMTC Traffic in 5G Core Networks
  • Article
  • Full-text available
  • October 2024
  • IEEE Transactions on Network and Service Management

Massive Machine-Type Communications (mMTC) are one of the three main use cases powered by 5G and beyond networks. These are distinguished by the need to serve a large number of devices which are characterized by non-intensive traffic and low energy consumption. While the sporadic nature of the mMTC traffic does not pose an exertion on the efficient operation of the network, multiplexing the traffic from a large number of these devices within the cell certainly does. This traffic from the Base Station (BS) is then transported further towards the Core Network (CN), where it is combined with the traffic from other BSs. Therefore, planning carefully the network resources, both on the Radio Access Network (RAN) and the CN, for this type of traffic is of paramount importance. To do this, the statistics of the traffic pattern that arrives at the BS and the CN should be known. To this end, in this paper, we derive first the distribution of the inter-arrival times of the traffic at the BS from a general number of mMTC users within the cell, assuming a generic distribution of the traffic pattern by individual users. Then, using the previous result we derive the distribution of the traffic pattern at the CN. Further, we validate our results on traces for channel conditions and by performing measurements in our testbed. Results show that adding more mMTC users in the cell and more BSs in the network in the long term does not increase the variability of the traffic pattern at the BS and at the CN. Furthermore, this arrival process at all points of our interest in the network is shown to be Poisson both for homogeneous and heterogeneous traffic. However, the empirical observations show that a huge number of packets is needed for this process to converge, and this number of packets increases with the number of users and/or BSs.


Manipulating OpenFlow Link Discovery Packet Forwarding for Topology Poisoning
  • August 2024
  • 2 Citations

Software-defined networking (SDN) is a centralized, dynamic, and programmable network management technology that enables flexible traffic control and scalability. SDN facilitates network administration through a centralized view of the underlying physical topology; tampering with this topology view can result in catastrophic damage to network management and security. To underscore this issue, we introduce Marionette, a new topology poisoning technique that manipulates OpenFlow link discovery packet forwarding to alter topology information. Our approach exposes an overlooked yet widespread attack vector, distinguishing itself from traditional link fabrication attacks that tamper, spoof, or relay discovery packets at the data plane. Unlike localized attacks observed in existing methods, our technique introduces a globalized topology poisoning attack that leverages control privileges. Marionette implements a reinforcement learning algorithm to compute a poisoned topology target, and injects flow entries to achieve a long-lived stealthy attack. Our evaluation shows that Marionette successfully attacks five open-source controllers and nine OpenFlow-based discovery protocols. Marionette overcomes the state-of-the-art topology poisoning defenses, showcasing a new class of topology poisoning that initiates on the control plane. This security vulnerability was ethically disclosed to OpenDaylight, and CVE-2024-37018 has been assigned.


Stealthy Misreporting Attacks Against Load Balancing
  • August 2024
  • IEEE/ACM Transactions on Networking

Load balancing in software-defined networks (SDNs) is commonly realized with a centralized architecture. Dynamic load balancing relies on the SDN controller to periodically collect traffic statistics from network switches and make decisions in a timely manner. In this paper, we examine the extent to which an adversary that has compromised a switch can influence the load balancing algorithm by misreporting its own traffic statistics. We design an attack that allows an adversary to perform preliminary reconnaissance, which means learning network traffic distributions and setting attack parameters, and then accurately model and estimate the reward from misreporting while evading detection. Our evaluation offers three insights: 1) network traffic exhibits discernible patterns by reconnaissance; 2) the reconnaissance can be used to design misreporting attacks that can effectively draw unfair proportions of network traffic to the adversary under the guise of honest behavior; and 3) reconnaissance itself can be accelerated by misreporting to launch more targeted attacks.



Impact of Client Choice on Distributed Resource Allocation in Edge Computing
  • July 2024

Through using edge computing services, mobile devices can run complex tasks with the help of network-based computing resources. However, servers in the edge cloud are not only constrained to limited resources, but also must make allocation decisions with only limited information available. The clients requesting computing resources may also have limited information about the servers available to them. We focus on a distributed resource allocation method in which servers operate independently and do not communicate with each other, but interact with clients to make allocation decisions for those clients' tasks. We follow a two-round bidding approach to assign tasks to edge cloud servers. Servers may choose to preempt previous tasks to allocate more useful ones, and clients may choose to track the outcomes of their tasks to inform their future decisions. Results show that user learning improves system performance by 50-80% when servers are heterogeneous in pricing aggressiveness.


Minimizing Rate Variability With Effective Resource Utilization in Cellular Networks
  • April 2024
  • 1 Citation
  • IEEE Transactions on Mobile Computing

While one of the main features of 5G networks is provisioning very high rates with low (or no) variability to cellular users, it has been shown that this turns out to be very ineffective for operators because it leads to an abundance of unused network resources. Yet, reallocating the unused resources to the same users, after providing them with the same constant rate, increases back the variability in data rates. A more efficient way would be to provide different low-variability data rates to the users depending on their channel conditions while trying to bring the wasted resources to the lowest possible extent. To that end, in this paper, two approaches are considered; one with reserved resources for every user and the other where the amount of resources is decided on the fly, depending on their current channel conditions. Then, for each approach, we look at different allocation policies and derive the corresponding maximum achievable constant rate for every user jointly with the level of resource utilization, showing which policy is more beneficial. Further, the performance is evaluated on a real 5G trace using both extensive simulations and real measurements conducted on OpenAirInterface. Results show that no-resource reservation policies increase the utilization of resources and data rates at the expense of increased rate variability across all the users. Moreover, all the policies proposed in this paper outperform state-of-the-art approaches by at least 2×, bringing the waste of resources down to 15%.


Improved Methods of Task Assignment and Resource Allocation with Preemption in Edge Computing Systems
  • March 2024

Edge computing has become a very popular service that enables mobile devices to run complex tasks with the help of network-based computing resources. However, edge clouds are often resource-constrained, which makes resource allocation a challenging issue. In addition, edge cloud servers must make allocation decisions with only limited information available, since the arrival of future client tasks might be impossible to predict, and the states and behavior of neighboring servers might be obscured. We focus on a distributed resource allocation method in which servers operate independently and do not communicate with each other, but interact with clients (tasks) to make allocation decisions. We follow a two-round bidding approach to assign tasks to edge cloud servers, and servers are allowed to preempt previous tasks to allocate more useful ones. We evaluate the performance of our system using realistic simulations and real-world trace data from a high-performance computing cluster. Results show that our heuristic improves system-wide performance by 20-25% over previous work when accounting for the time taken by each approach. In this way, an ideal trade-off between performance and speed is achieved.


Misreporting Attacks Against Load Balancers in Software-Defined Networking
  • January 2024
  • 5 Citations
  • Mobile Networks and Applications

Load balancers enable efficient use of network resources by distributing traffic fairly across them. In software-defined networking (SDN), load balancing is most often realized by a controller application that solicits traffic load reports from network switches and enforces load balancing decisions through flow rules. This separation between the control and data planes in SDNs creates an opportunity for an adversary at a compromised switch to misreport traffic loads to influence load balancing. In this paper, we evaluate the ability of such an adversary to control the volume of traffic flowing through a compromised switch by misreporting traffic loads. We take a probabilistic approach to model the attack and develop algorithms for misreporting that allow an adversary to tune attack parameters toward specific adversarial goals. We validate the algorithms with a virtual network testbed, finding that through misreporting the adversary can control traffic flow to a high degree by drawing a target amount of load (e.g., + 200%) to within a 2% to 10% error of that target. This is yet another example of how depending on untrustworthy reporting in making control decisions can lead to fundamental security failures.


Securing Cloud File Systems With Trusted Execution
  • January 2024
  • 1 Citation
  • IEEE Transactions on Dependable and Secure Computing

Cloud file systems offer organizations a scalable and reliable file storage solution. However, cloud file systems have become prime targets for adversaries, and traditional designs are not equipped to protect organizations against the myriad of attacks that may be initiated by a malicious cloud provider, co-tenant, or end-client. Recently proposed designs leveraging cryptographic techniques and trusted execution environments (TEEs) still force organizations to make undesirable trade-offs, consequently leading to either security, functional, or performance limitations. In this paper, we introduce BFS, a cloud file system that leverages the security capabilities provided by TEEs to bootstrap new security protocols that deliver strong security guarantees, high performance, and a transparent POSIX-like interface to clients. BFS delivers stronger security guarantees and up to a 2.5× speedup over a state-of-the-art secure file system. Moreover, compared to the industry standard NFS, BFS achieves up to 2.2× speedups across micro-benchmarks and incurs <1× overhead for most macro-benchmark workloads. BFS demonstrates a holistic cloud file system design that does not sacrifice an organization's security yet can embrace all of the functional and performance advantages of outsourcing.


Citations (63)


... We will patch this vulnerability and contribute to the OpenDaylight source code. We have published the source code with documentation to reproduce our attack work [20]. ...

Reference:

Manipulating OpenFlow Link Discovery Packet Forwarding for Topology Poisoning
  • Citing Conference Paper
  • December 2024

... In order to achieve and guarantee effective performance, many organizations that face difficulties implementing file security techniques frequently opt for one or more trade-offs [19]. It was observed that the trade-offs have resulted in unbalanced real-world performance, functionality, and security requirements. ...

Securing Cloud File Systems With Trusted Execution
  • Citing Article
  • January 2024

IEEE Transactions on Dependable and Secure Computing

... In DE, a mutation operator generates new parameter vectors by adding the weighted difference between two population vectors to a third vector, which is further used in mixing parameters like a crossover to rely on a selection strategy [33]. This idea motivated us to use ED as one of the comparison schemes. ...

Minimizing Rate Variability With Effective Resource Utilization in Cellular Networks
  • Citing Article
  • April 2024

IEEE Transactions on Mobile Computing

... Burke et al. [43] presented a deceptive attack technique in SDN aimed at manipulating load balancing control through false announcements. This approach utilizes a probabilistic model for representation and develops algorithms to create false announcements, allowing attackers to modify attack parameters to achieve specific goals. ...

Misreporting Attacks Against Load Balancers in Software-Defined Networking

Mobile Networks and Applications

... Power grids are complex networks composed of generation, transmission, and distribution systems. The interdependence of these components means that a failure in one part can propagate rapidly, causing widespread disruptions [3]. The growing incorporation of renewable energy sources and the rise of smart grid technologies add further layers of complexity to power grid management. ...

Dynamic Modeling and Mitigation of Cascading Failures in Power Grids With Interdependent Cyber and Physical Layers
  • Citing Article
  • January 2023

IEEE Transactions on Smart Grid

... In [37], a different approach is followed. The goal is not to guarantee a constant data rate at all times, but rather a data rate that is within some bounds most of the time. ...

Efficient Resource Allocation With Provisioning Constrained Rate Variability in Cellular Networks

IEEE Transactions on Mobile Computing

... Various honeypot systems, such as HoneyIoT [37], IoTZeroJar [38], and RIoTPot [39], have been developed to address security challenges in IoT environments. These systems utilize adaptive high-interaction techniques to analyze zero-day attacks and expose themselves to threats on the Internet. ...

HoneyIoT: Adaptive High-Interaction Honeypot for IoT Devices Through Reinforcement Learning
  • Citing Conference Paper
  • June 2023

... [48] 2023: Describe the CF scenarios under extreme conditions of rainfall.
    [49] 2023: Discuss the approaches of fast CF in dynamic power systems.
    [50] 2014: Evaluate the stochastic analysis of CF dynamics. ...

An approach for fast cascading failure simulation in dynamic models of power systems
  • Citing Article
  • February 2023

Applied Energy

... IoTCMal [22] employs authentic IoT cameras but is constrained by physical camera limitations. HoneyCam [23] introduced 360° pre-recorded videos but failed to provide real-time interactivity, making it less effective against sophisticated attackers. ...

HoneyCam: Scalable High-Interaction Honeypot for IoT Cameras Based on 360-Degree Video
  • Citing Conference Paper
  • October 2022