Title: A provably efficient in-network computing services deployment approach for security burst
Authors: Danyang Zheng, Chao Wang, Honghui Xu, Wenyi Tang, Yihan Zhong, Xiaojun Cao
Journal: Computer Networks, volume 272, Article 111737
Publication date: 2025-09-25
Publication type: Journal Article
DOI: 10.1016/j.comnet.2025.111737
URL: https://www.sciencedirect.com/science/article/pii/S1389128625007030
Impact factor: 4.6; JCR: Q1 (Computer Science, Hardware & Architecture)
Citations: 0
Abstract
The emerging in-network computing (INC) technique delegates computations to the network data plane, enabling clients' data to be processed during transmission. However, processing transmitted data within INC-enabled network devices may lead to security concerns and broaden the attack surface as sensitive data can be exposed during computation, making the network more susceptible to various cyber-attacks. To protect against such cyber-attacks, especially in security-sensitive applications such as finance and healthcare, clients might periodically enhance service security requirements regarding the importance of their to-be-transmitted data. This periodic security enhancement is called a “security burst” (SEB). To meet such enhancement, one may implement security-aware network functions (S-NFs) like firewall and deep packet inspection on smart routers or switches along the forwarding path while maximizing the re-utilization of this path. Despite the growing interest in INC and security service deployment, existing solutions typically assume static security requirements and overlook the dynamic, on-demand security enhancements such as SEBs. Furthermore, prior approaches rarely consider the re-utilization of existing in-path services, leading to higher additional costs. To fill this gap, this work shows pioneering efforts in tackling SEB for INC-enabled services. Assuming that re-employing the resources along the original forwarding path does not incur bandwidth cost, we formally establish a novel problem called INC-enabled Service Migration for SEB (ISME) to optimize additional cost and prove its NP-hardness. To solve this problem, we design an efficient cost-security-burst (CSB) measure and develop an innovative CSB measure-based security enhancement (CSB-SE) algorithm, which is mathematically proved to be logarithm approximate. Extensive simulations show that CSB-SE guarantees logarithm-approximate performance and outperforms the benchmark by an average of 37.11% regarding the total service cost and 102.38% in terms of the additional cost.
About the journal:
Computer Networks is an international, archival journal providing a publication vehicle for complete coverage of all topics of interest to those involved in the computer communications networking area. The audience includes researchers, managers and operators of networks as well as designers and implementors. The Editorial Board will consider any material for publication that is of interest to those groups.