Kimmo Ahola

Adaptive Risk Management with Ontology Linked Evidential Statistics and SDN

New technologies have increased the dynamism of distributed systems; advances such as Software Defined Networking (SDN) and cloud computing enable unprecedented service flexibility and scalability. By their nature, they are in a constant state of flux, presenting tough challenges for system security. Here an adaptive -- in real time - risk management system capable of keeping abreast of these developments is considered. This paper presents an on-going work on combining a hierarchical threat ontology, real-time risk analysis, and SDN to an efficient whole. The main contribution of this paper is on finding the suitable architectures, components, necessary requirements, and favorable modifications on the systems and system modelling (including the models involving the security analysis) to reach this goal.

Securing VNF communication in NFVI

In a modern telco cloud, network functions are performed by groups of single or interconnected virtual machines (VMs), which form virtualized network functions (VNFs). Securing these VNFs is both important and challenging, since the VNFs might be performing some mission critical operations and exchanging sensitive information among each other. The problem lies in the implementation of current cloud infrastructure where security of traffic is not considered at large. The exchanged traffic among VNFs is mostly unencrypted and subject to eavesdropping. In this paper, we present possible approaches along with the implementation setup to solve the problem of securing communication among VNFs. We also discuss performance overhead measurements of our testbed setup along with relevant challenges and directions for future work.

Testbed for security orchestration in a network function virtualization environment

We present a testbed implementation for the development, evaluation and demonstration of security orchestration in a network function virtualization environment. As a specific scenario, we demonstrate how an intelligent response to DDoS and various other kinds of targeted attacks can be formulated such that these attacks and future variations can be mitigated. We utilise machine learning to characterise normal network traffic, attacks and responses, then utilise this information to orchestrate virtualized network functions around affected components to isolate these components and to capture, redirect and filter traffic (e.g. honeypotting) for additional analysis. This allows us to maintain a high level of network quality of service to given network functions and components despite adverse network conditions.

Micro-Segmenting 5G.

The forthcoming 5G mobile networks shall be heterogeneous in nature and embody a large number and variety of devices. Moreover, Internet of Things applications – like surveillance and maintenance – will use 5G extensively due to its high availability and quality of connectivity. However, the heterogeneous services, applications, users, devices, and the large amount of network traffic will bring challenges for the security of the mobile network. It will be important to provide isolated segments from the network for applications that require a high level of security. This paper presents the potential of micro-segmenting 5G networks. Microsegmentation is a concept that has been considered in data center networking to enforce the security of a data center by monitoring the flows inside the data center. In this paper we describe how the micro-segmentation concept could fit into the 5G security architecture and provide scenarios of how software mobile networks can facilitate securing IoT.

Security Wrapper Orchestration in Cloud

We present an architecture and implementation of the security wrapper concept for the protection of virtualized network functions in a cloud environment. The security wrapper is the enclosing of a set of virtualized resources within a data plane transparent protective envelope in the network forwarding graph. The extent and capabilities of this envelope are dynamic. We present a prototype implementation of the security wrapper and analyze its behaviour in different operation scenarios. Measurements of the wrapper orchestration delays, resource overhead and data plane traffic impact indicate that the proposed mechanism can be deployed in virtualized networks with little overhead while remaining relatively transparent to the traffic traversing the security wrapper boundary.

Security Awareness in Software-Defined Multi-Domain 5G Networks

Fifth generation (5G) technologies will boost the capacity and ease the management of mobile networks. Emerging virtualization and softwarization technologies enable more flexible customization of network services and facilitate cooperation between different actors. However, solutions are needed to enable users, operators, and service providers to gain an up-to-date awareness of the security and trustworthiness of 5G systems. We describe a novel framework and enablers for security monitoring, inferencing, and trust measuring. The framework leverages software-defined networking and big data technologies to customize monitoring for different applications. We present an approach for sharing security measurements across administrative domains. We describe scenarios where the correlation of multi-domain information improves the accuracy of security measures with respect to two threats: end-user location tracking and Internet of things (IoT) authentication storms. We explore the security characteristics of data flows in software networks dedicated to different applications with a mobile network testbed.

Securing the Communication in Private Heterogeneous Mobile Ad hoc Networks

Mobile ad hoc networking has been a hot research topic for a decade or so, and many paradigms have been making use of it. One of these paradigms is the Personal Networks (PN). It is an emerging concept where the user’s personal devices form a virtual network which is secure and private, and reacts to changing environment and context intelligently. A fundamental property of the PN is that personal devices form private multi-hop clusters in an ad hoc manner whenever they come across each other. To this end, this paper presents a pair-wise key based scheme for forming secured private clusters in mobile ad hoc networks. The solution tackles the problem of node authentication combined with traffic encryption in relatively small ad hoc networks using proactive neighbour discovery and authentication. Additionally, the paper proves the feasibility of this solution by means of prototyping and experimental performance analysis.