Ankur Chowdhary

VC-bots: a vehicular cloud computing testbed with mobile robots

Smart vehicles with computing, sensing, and communication capabilities are gaining popularity. With various vehicular applications equipped, these smart vehicles not only improve driving safety, but also facilitate data collection and information sharing for traffic optimization, insurance estimation, and infotainment. However, developing and testing such cloud based vehicular application is challenging due to the high cost of running the application on actual cars in various traffic scenarios. For the same reason it is also difficult to understand and model the network protocol behavior among multiple vehicles. In this paper we proposed VC-bots, a vehicular cloud testbed using mobile robot vehicles, which can emulate different types of vehicles for testing vehicular network protocols and vehicular cloud applications in various scenarios, which can be easily reconfigured without any infrastructure assistance. To facilitate software integration, we also developed a message based service framework for applications running on the robot vehicle and in the cloud.

Brew: A Security Policy Analysis Framework for Distributed SDN-Based Cloud Environments

The ease of programmability in Software-Defined Networking (SDN) makes it a great platform implementation of various initiatives that involve application deployment, dynamic topology changes, and decentralized network management in a multi-tenant data center environment. However, implementing security solutions in such an environment is fraught with policy conflicts and consistency issues with the hardness of this problem being affected by the distribution scheme for the SDN controllers. In this paper we present Brew, a security policy analysis framework implemented on an OpenDaylight SDN controller, that has comprehensive conflict detection and resolution modules to ensure that no two flow rules in a distributed SDN-based cloud environment have conflicts at any layer; thereby assuring consistent conflict-free security policy implementation and preventing information leakage. We present techniques for global prioritization of flow rules in a decentralized environment, extend firewall rule conflict classification from a traditional environment to SDN flow rule conflicts by recognizing and classifying conflicts stemming from cross-layer conflicts and provide strategies for unassisted resolution of these conflicts. Alternately, if administrator input is desired to resolve conflicts, a novel visualization scheme is implemented to help the administrators view the conflicts graphically. We demonstrate the correctness, feasibility and scalability of our framework through a proof-of-concept prototype.

Security policy checking in distributed SDN based clouds

Separation of network control from devices in Software Defined Network (SDN) allows for centralized implementation and management of security policies in a cloud computing environment. The ease of programmability also makes SDN a great platform implementation of various initiatives that involve application deployment, dynamic topology changes, and decentralized network management in a multi-tenant data center environment. Dynamic change of network topology, or host reconfiguration in such networks might require corresponding changes to the flow rules in the SDN based cloud environment. Verifying adherence of these new flow policies in the environment to the organizational security policies and ensuring a conflict free environment is especially challenging. In this paper, we extend the work on rule conflicts from a traditional environment to an SDN environment, introducing a new classification to describe conflicts stemming from cross-layer conflicts. Our framework ensures that in any SDN based cloud, flow rules do not have conflicts at any layer; thereby ensuring that changes to the environment do not lead to unintended consequences. We demonstrate the correctness, feasibility and scalability of our framework through a proof-of-concept prototype.

MTD Analysis and evaluation framework in Software Defined Network (MASON)

Security issues in a Software Defined Network (SDN) environment like system vulnerabilities and intrusion attempts can pose a security risk for multi-tenant network managed by SDN. In this research work, Moving target defense (MTD)technique based on shuffle strategy - port hopping has been employed to increase the difficulty for the attacker trying to exploit the cloud network. Our research workMASON, considers the problem of multi-stage attacks in a network managed using SDN. SDN controller can be used to dynamically reconfigure the network and render attacker»s knowledge in multi-stage attacks redundant. We have used a threat score based on vulnerability information and intrusion attempts to identify Virtual Machines (VMs) in systems with high-security risk and implement MTD countermeasures port hopping to assess threat score reduction in a cloud network.

Dynamic Game based Security framework in SDN-enabled Cloud Networking Environments

SDN provides a way to manage complex networks by introducing programmability and abstraction of the control plane. All networks suffer from attacks to critical infrastructure and services such as DDoS attacks. We make use of the programmability provided by the SDN environment to provide a game theoretic attack analysis and countermeasure selection model in this research work. The model is based on reward and punishment in a dynamic game with multiple players. The network bandwidth of attackers is downgraded for a certain period of time, and restored to normal when the player resumes cooperation. The presented solution is based on Nash Folk Theorem, which is used to implement a punishment mechanism for attackers who are part of DDoS traffic, and reward for players who cooperate, in effect enforcing desired outcome for the network administrator.

Science DMZ: SDN based secured cloud testbed

Software Defined Networking (SDN) presents a unique opportunity to manage and orchestrate cloud networks. The educational institutions, like many other industries face a lot of security threats. We have established an SDN enabled Demilitarized Zone (DMZ) — Science DMZ to serve as testbed for securing ASU Internet2 environment. Science DMZ allows researchers to conduct in-depth analysis of security attacks and take necessary countermeasures using SDN based command and control (C&C) center. Demo URL: https : //www.youtube.corn/watchlv = 8yo2lTNV 3r4.

Software Defined Stochastic Model for Moving Target Defense

Moving Target Defense (MTD) has emerged as a good solution to deal with dynamic attack surface. The goal is to make it difficult for an attacker to exploit network resources. But it is challenging to provide zero downtime guarantees when performing network rearrangement or when a physical host acts as a single point of failure for virtual servers. In this paper, we introduce Software Defined Networking (SDN) based continuous time modeling techniques to perform virtual machine migration and MTD techniques while maintaining high service availability and system security. This solution will not only increase attackers uncertainty but will also provide low downtime and high availability guarantee for the network.

Moving Target Defense for the Placement of Intrusion Detection Systems in the Cloud

A lot of software systems are deployed in the cloud. Owing to realistic demands for an early product launch, oftentimes there are vulnerabilities that are present in these deployed systems (or eventually found out). The cloud service provider can find and leverage this knowledge about known vulnerabilities and the underlying communication network topology of the system to position network and host-based Intrusion Detection Systems (IDS) that can effectively detect attacks. Unfortunately, deploying IDS on each host and network interface impacts the performance of the overall system. Thus, in this paper, we address the problem of placing a limited number of IDS by using the concept of Moving Target Defense (MTD). In essence, we propose an MTD system that allows a defender to shift the detection surfaces and strategically switch among the different IDS placement configurations in each round. To find a secure switching strategy, we (1) formulate the problem of placing a limited number of IDS systems in a large cloud network as a Stackelberg Game between the cloud administrator and an (external or stealthy) attacker, (2) design scalable methods to find the optimal strategies for switching IDS placements at the start of each round, and (3) formally define the problem of identifying the most critical vulnerability that should be fixed, and propose a solution for it. We compare the strategy generated by our method to other state-of-the-art strategies, showcasing the effectiveness and scalability of our method for real-world scenarios.

A Defense System for Defeating DDoS Attacks in SDN based Networks

Software-Defined Networking (SDN) is a network architecture that aims at providing high flexibility through the decoupling of the network logic from the forwarding functions. The ease of programmability makes SDN a great platform implementation of various initiatives that involve application deployment, security solutions, and decentralized network management in a multi-tenant data center environment. Although this can introduce many applications in different areas and leads to the high impact on several aspects, security of SDN architecture remains an open question and needs to be revisited based on the new concept of SDN. Current SDN-based attack detection mechanisms have some limitations. In this paper, we investigate two of those limitations: Misbehavior Attack and NewFlow Attack. We propose a secure system that periodically collects network statistics from the forwarding elements and apply Machine Learning (ML) classification algorithms. Our framework ensures that the proposed solution makes the SDN architecture more self-adaptive, and intelligent while reacting to network changes.