Automated synthesis of NFV topology: A security requirement-oriented design

2017 13th International Conference on Network and Service Management (CNSM) Pub Date : 2017-11-01 DOI:10.23919/CNSM.2017.8256033

A. Jakaria, M. Rahman, Carol J. Fung

{"title":"Automated synthesis of NFV topology: A security requirement-oriented design","authors":"A. Jakaria, M. Rahman, Carol J. Fung","doi":"10.23919/CNSM.2017.8256033","DOIUrl":null,"url":null,"abstract":"Cyber defense today heavily depends on expensive and proprietary hardware deployed at fixed locations. Network functions virtualization (NFV) reduces the limitations of these vendor specific hardware by allowing a flexible and dynamic implementation of virtual network functions in virtual machines running on commercial off-the-shelf servers. These network functions can work as a filter to distinguish between a legitimate packet and an attack packet, and can be deployed dynamically to balance the variable attack load. However, allocating resources to these virtual machines is an NP-hard problem. In this work, we propose a solution to this problem and determine the number and placement of the VMs. We design and implement NFVSynth, an automated framework that models the resource specifications, incoming packet processing requirements, and network bandwidth constraints. It uses satisfiability modulo theories (SMT) for modeling this synthesis problem and provides a satisfiable solution. We also present simulated experiments to demonstrate the scalability and usability of the solution.","PeriodicalId":211611,"journal":{"name":"2017 13th International Conference on Network and Service Management (CNSM)","volume":null,"pages":null},"PeriodicalIF":0.0000,"publicationDate":"2017-11-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"2","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2017 13th International Conference on Network and Service Management (CNSM)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.23919/CNSM.2017.8256033","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 2

Abstract

Cyber defense today heavily depends on expensive and proprietary hardware deployed at fixed locations. Network functions virtualization (NFV) reduces the limitations of these vendor specific hardware by allowing a flexible and dynamic implementation of virtual network functions in virtual machines running on commercial off-the-shelf servers. These network functions can work as a filter to distinguish between a legitimate packet and an attack packet, and can be deployed dynamically to balance the variable attack load. However, allocating resources to these virtual machines is an NP-hard problem. In this work, we propose a solution to this problem and determine the number and placement of the VMs. We design and implement NFVSynth, an automated framework that models the resource specifications, incoming packet processing requirements, and network bandwidth constraints. It uses satisfiability modulo theories (SMT) for modeling this synthesis problem and provides a satisfiable solution. We also present simulated experiments to demonstrate the scalability and usability of the solution.

查看原文本刊更多论文

NFV拓扑的自动合成:面向安全需求的设计

如今的网络防御严重依赖于部署在固定地点的昂贵专有硬件。网络功能虚拟化(NFV)允许在商用现成服务器上运行的虚拟机中灵活、动态地实现虚拟网络功能，从而减少了这些供应商特定硬件的限制。这些网络功能可以作为一个过滤器，区分合法报文和攻击报文，并可以动态部署，以平衡不同的攻击负载。然而，为这些虚拟机分配资源是一个np难题。在这项工作中，我们提出了一个解决这个问题的方案，并确定了虚拟机的数量和位置。我们设计并实现NFVSynth，这是一个自动化框架，可以对资源规范、传入数据包处理需求和网络带宽限制进行建模。利用可满足模理论(SMT)对该综合问题进行建模，并给出了一个可满足的解。我们还提供了模拟实验来证明该解决方案的可扩展性和可用性。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

2017 13th International Conference on Network and Service Management (CNSM)

自引率

0.00%

发文量