The escalating number of cyberattacks poses a significant threat to digital infrastructures. Defining and deploying accurate countermeasures is challenging because of (1) the variety of threats and their possible evolution over time and (2) the need to enforce them as fast as possible, especially against fast-propagating attacks. Intent-Based Networking (IBN) is a promising solution for security management, especially for mitigating attacks through the specification of reaction intents, which saves time and avoids error-prone tasks. Nevertheless, most current IBN solutions rely on centralized architectures performing time-consuming operations, which makes them unsuitable for deploying countermeasures in time, especially against fast-propagating attacks spreading across large-scale systems. To shorten the reaction time while supporting scalability, we first consider fast micro-service technologies (e.g., Unikernels) as the substrate of security functions acting as Policy Enforcement Points (PEPs). Second, we propose an opportunistic synchronization of those PEPs so that they react, at least partially but autonomously, against ongoing attacks in a decentralized fashion. Such a solution raises challenges related to the consistency and performance of the overall enforced reaction policies. This paper presents the early stage of the PhD, outlining the specific challenges, limitations, and research required to leverage decentralized reaction using opportunistic synchronization of micro-services in an IBN framework for security.
Disciplines:
Computer science
Author, co-author:
Nguyen, Do Duc Anh; IMT Atlantique, SOTERN - IRISA (UMR CNRS 6074), France
Alain, Pierre; Université de Rennes, SOTERN - IRISA (UMR CNRS 6074), France
François, Jérôme; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > SEDAN; Inria Nancy Grand Est, France
External co-authors:
yes
Language:
English
Title:
Intent-Based Attack Mitigation through Opportunistic Synchronization of Micro-Services
Publication date:
2024
Event name:
2024 IEEE 10th International Conference on Network Softwarization (NetSoft) - PhD Symposium
Event place:
Saint Louis, USA
Event date:
24-06-2024 to 28-06-2024
Audience:
International
Main work title:
2024 IEEE 10th International Conference on Network Softwarization, NetSoft 2024
Publisher:
Institute of Electrical and Electronics Engineers Inc.
This work has been partially supported by the French National Research Agency under the France 2030 label (Superviz ANR-22-PECY-0008). The views reflected herein do not necessarily reflect the opinion of the French government.