Antonio Pastor

CogNet: A network management architecture featuring cognitive capabilities

It is expected that the fifth generation mobile networks (5G) will support both human-to-human and machine-to-machine communications, connecting up to trillions of devices and reaching formidable levels of complexity and traffic volume. This brings a new set of challenges for managing the network due to the diversity and the sheer size of the network. It will be necessary for the network to largely manage itself and deal with organisation, configuration, security, and optimisation issues. This paper proposes an architecture of an autonomic self-managing network based on Network Function Virtualization, which is capable of achieving or balancing objectives such as high QoS, low energy usage and operational efficiency. The main novelty of the architecture is the Cognitive Smart Engine introduced to enable Machine Learning, particularly (near) real-time learning, in order to dynamically adapt resources to the immediate requirements of the virtual network functions, while minimizing performance degradations to fulfill SLA requirements. This architecture is built within the CogNet European Horizon 2020 project, which refers to Cognitive Networks.

SHIELD: A novel NFV-based cybersecurity framework

SHIELD is an EU-funded project, targeting at the design and development of a novel cybersecurity framework, which offers security-as-a-Service in an evolved telco environment. The SHIELD framework leverages NFV (Network Functions Virtualization) and SDN (Software-Defined Networking) for virtualization and dynamic placement of virtualised security appliances in the network (virtual Network Security Functions - vNSFs), Big Data analytics for real-time incident detection and mitigation, as well as attestation techniques for securing both the infrastructure and the services. This papers discusses key use cases and requirements for the SHIELD framework and presents a high-level architectural approach.

The Mouseworld, a security traffic analysis lab based on NFV/SDN

Machine Learning (ML) technologies applied to Cybersecurity, especially in the area of network cyber threat detection, are a promising choice, but they require additional research in the applicability of a wide range of available algorithms. Such algorithms usually require training using good-quality and quantitatively significant datasets, which are rarely publicly available. To this end, in this paper we describe a novel experimental framework, that we call the Mouseworld, that combines NFV and SDN to create an environment able to (1) blend and transmit real and synthetic traffic and (2) collect and label this traffic in order to be utilised for training and validating ML algorithms that will be applied to the detection of cybersecurity threats. The Mouseworld framework includes a set of traffic generation, collection and labelling modules, jointly with analytics and algorithm training and visualization components. The OSM open-source network orchestrator is utilized to control and manage the framework and to deploy the training and validation scenarios. We present a preliminary result on the area of Security threat detection as a demonstration of the framework viability.

Practical Experience in NFV Security Field: Virtual Home Gateway

This chapter describes the experience in secure design during the process of implementation of the virtualization functionalities in a business unit of Telefonica, an integrated global telco operator. The trial was based on one of the first representative use cases of network function virtualization (NFV) technology: virtual home gateway (vHGW), also known as virtual customer premise equipment (vCPE), with real residential broadband customers. This NFV-based model offloads functionalities from physical HGW devices to the network, like network address translation (NAT), dynamic host configuration protocol (DHCP) or IPv6 firewall. This implementation not only allows an increase in operational efficiency, but it also opens a door to new security services opportunities. An introduction to the specific ETSI NFV security standards is provided and used as a reference for the security context. Later, the security design and the implemented model are explained. Also, the findings and solutions relevant in this network architecture to protect the users and the infrastructure are detailed. Finally, we present a study of new security services based on the vHGW architecture.

Trust in SDN/NFV environments

The SDN and NFV architectures heavily rely on specific software modules executed at distributed nodes. These modules may act differently from their expected behaviour due to errors or attacks. Remote attestation is a procedure able to reliably report the software state of a node to a third party. It can be used to evaluate the software integrity of a SDN/NFV node and hence its trustworthiness to execute the desired applications. The use of remote attestation in network environments is quite new, and it is raising interest not only in the research community but also in the industry, as demonstrated by its consideration in the ETSI NFV standardisation effort. In this chapter, we present a solution to evaluate trust in SDN/NFV environments by exploiting remote attestation and propose some enhancements with respect to the basic architecture. From the implementation point of view, two approaches are compared for attestation of virtualised instances, and their respective performance is evaluated. Additionally, we discuss how the remote attestation architecture fits in the management and orchestration of SDN/NFV environments.