Vasilis Maglaris
National Technical University of Athens
Publication
Featured research published by Vasilis Maglaris.
IEEE Transactions on Computers | 2013
Chrysa A. Papagianni; Aris Leivadeas; Symeon Papavassiliou; Vasilis Maglaris; Cristina Cervello-Pastor; Álvaro Monje
Cloud computing builds upon advances on virtualization and distributed computing to support cost-efficient usage of computing resources, emphasizing on resource scalability and on demand services. Moving away from traditional data-center oriented models, distributed clouds extend over a loosely coupled federated substrate, offering enhanced communication and computational services to target end-users with quality of service (QoS) requirements, as dictated by the future Internet vision. Toward facilitating the efficient realization of such networked computing environments, computing and networking resources need to be jointly treated and optimized. This requires delivery of user-driven sets of virtual resources, dynamically allocated to actual substrate resources within networked clouds, creating the need to revisit resource mapping algorithms and tailor them to a composite virtual resource mapping problem. In this paper, toward providing a unified resource allocation framework for networked clouds, we first formulate the optimal networked cloud mapping problem as a mixed integer programming (MIP) problem, indicating objectives related to cost efficiency of the resource mapping procedure, while abiding by user requests for QoS-aware virtual resources. We subsequently propose a method for the efficient mapping of resource requests onto a shared substrate interconnecting various islands of computing resources, and adopt a heuristic methodology to address the problem. The efficiency of the proposed approach is illustrated in a simulation/emulation environment, that allows for a flexible, structured, and comparative performance evaluation. We conclude by outlining a proof-of-concept realization of our proposed schema, mounted over the European future Internet test-bed FEDERICA, a resource virtualization platform augmented with network and computing facilities.
Computer Networks | 2014
Kostas Giotis; Christos Argyropoulos; Georgios Androulidakis; Dimitrios Kalogeras; Vasilis Maglaris
Software Defined Networks (SDNs) based on the OpenFlow (OF) protocol export control-plane programmability of switched substrates. As a result, rich functionality in traffic management, load balancing, routing, firewall configuration, etc. that may pertain to specific flows they control, may be easily developed. In this paper we extend these functionalities with an efficient and scalable mechanism for performing anomaly detection and mitigation in SDN architectures. Flow statistics may reveal anomalies triggered by large scale malicious events (typically massive Distributed Denial of Service attacks) and subsequently assist networked resource owners/operators to raise mitigation policies against these threats. First, we demonstrate that OF statistics collection and processing overloads the centralized control plane, introducing scalability issues. Second, we propose a modular architecture for the separation of the data collection process from the SDN control plane with the employment of sFlow monitoring data. We then report experimental results that compare its performance against native OF approaches that use standard flow table statistics. Both alternatives are evaluated using an entropy-based method on high volume real network traffic data collected from a university campus network. The packet traces were fed to hardware and software OF devices in order to assess flow-based data-gathering and related anomaly detection options. We subsequently present experimental results that demonstrate the effectiveness of the proposed sFlow-based mechanism compared to the native OF approach, in terms of overhead imposed on usage of system resources. Finally, we conclude by demonstrating that once a network anomaly is detected and identified, the OF protocol can effectively mitigate it via flow table modifications.
IEEE Communications Magazine | 2009
Peter Szegedi; Sergi Figuerola; Mauro Campanella; Vasilis Maglaris; Cristina Cervello-Pastor
Over the last two decades the importance of data networking for human beings and systems has increased beyond any expectation in size, complexity, and impact on society. Today, technology offers the ubiquitous and constant possibility of being connected to the Internet at a wide range of speeds. Traditional management solutions have up to now followed an evolutionary path, although the scale of the Internet and emerging novel architectures such as peer-to-peer, ad hoc networks, as well as virtualization-capable network infrastructures require focused and possibly revolutionary changes in management approaches. This article elaborates on challenges posed by the renaissance of virtualization as experienced in the planning, development, and operation of the FEDERICA infrastructure. The European Community cofunded project FEDERICA, like other worldwide initiatives such as FIND/GENI in the United States, NWGN in Japan, and the FIRE program in Europe, is supporting the development of the future Internet. FEDERICA extends the virtualization capabilities of the current hardware and software to provide a flexible infrastructure to host disruptive testing by networking researchers.
International Conference on Networking and Services | 2007
Vasilis Chatzigiannakis; Georgios Androulidakis; K. Pelechrinis; Symeon Papavassiliou; Vasilis Maglaris
In this paper, the problem of discovering anomalies in a large-scale network based on the data fusion of heterogeneous monitors is considered. We present a classification of anomaly detection algorithms based on data fusion, and motivated by this classification, the operational principles and characteristics of two different representative approaches, one based on the Dempster-Shafer theory of evidence and one based on principal component analysis, are described. The detection effectiveness of these strategies is evaluated and compared under different attack scenarios, based on both real data and simulations. Our study and corresponding numerical results revealed that in principle the conditions under which they operate efficiently are complementary, and therefore could be used effectively in an integrated way to detect a wider range of attacks.
2014 Third European Workshop on Software Defined Networks | 2014
Kostas Giotis; Georgios Androulidakis; Vasilis Maglaris
In this paper, we investigate the applicability of Software-Defined Networking (SDN), and specifically the use of the OpenFlow protocol as a means to enhance the legacy Remote Triggered Black-Hole (RTBH) routing approach, towards Distributed Denial of Service (DDoS) attack mitigation. More specifically, we exploit the network programmability of OpenFlow to match and handle traffic on a per-flow level, in order to preserve normal operation of the victim, while pushing the mitigation process upstream towards the edge of the network. To this end, we implemented and evaluated a sketch-based anomaly detection and identification mechanism, capable of pinpointing the victim and remotely triggering the mitigation of the offending network traffic. The evaluation is based on the combination of datasets containing real DDoS attacks and normal background traffic from an operational university campus network. Our results demonstrated that the proposed approach succeeds in identifying the victim of the attack and efficiently filtering the malicious sources.
International Journal of Security and Networks | 2006
Vasileios Karyotis; Symeon Papavassiliou; Mary Grammatikou; Vasilis Maglaris
Global dissemination of information and tools for computer networks has allowed for major system attacks affecting critical network points and resulting in significant network performance degradation. In this paper, we present a probabilistic modelling framework for the propagation of an energy-constrained mobile threat in a wireless ad hoc network. The motivation behind this approach can be found in the topology-constrained character of the ad hoc setting, its dynamic nature and the stochastic characteristics of the interactions among the involved events. The introduced formulation is used to identify and evaluate different attack strategies and approaches. Through modelling and simulation, we evaluate the impact of various parameters associated with the operational characteristics of the mobile attacker on an outbreak spreading and the network evolution. Furthermore, a new metric, which indicates the overall infection-capability of each attack strategy, is proposed and used to characterise the potential of each strategy to harm the network.
IEEE Conference on Network Softwarization | 2015
Kostas Giotis; Yiannos Kryftis; Vasilis Maglaris
In this paper we investigate synergies between Network Functions Virtualization (NFV) architectures and Software-Defined Networks (SDN). We identify value adding capabilities such technologies may offer to telecom providers regarding agile management and deployment of network functions across their infrastructures. Specifically, we propose a modular NFV architecture that permits policy-based management of Virtualized Network Functions (VNFs). Hence we can handle the lifecycle of VNFs and dynamically instantiate business applications as Service Chains of diverse VNFs delivered to large scale customers. To describe network resources, network control functions and VNFs capabilities we introduced an Information Model that abstracts these elements. In order to verify the proposed architecture we considered the case of multiple Content Delivery Network (CDN) providers having CDN caching nodes hosted by another operator. We implemented and deployed VNFs capable to map virtual links on the physical substrate and monitor the traffic of each client, ultimately providing the means to instantiate and orchestrate a policy-based traffic engineering service as a business application.
ACM Symposium on Applied Computing | 2005
Christos Siaterlis; Vasilis Maglaris
This work introduces the use of data fusion in the field of DDoS anomaly detection. We present Dempster-Shafer Theory of Evidence (D-S), the mathematical foundation for the development of a novel DDoS detection engine. Based on a data fusion paradigm, we combine evidence generated from multiple simple metrics to feed our D-S inference engine and detect attacks on a single network element (high bandwidth link). The main advantages of our approach are the modeling power of the Theory of Evidence in expressing beliefs in some hypotheses, its flexibility to handle uncertainty and ignorance and its ability to provide quantitative measurement of the belief and plausibility in our detection results. Furthermore we propose a system that can be trained (supervised learning) with minimum human effort, using in parallel expert knowledge about each metric detection ability. We evaluate our detection engine prototype through an extensive set of experiments on an operational network using real network traffic, with the use of a popular DDoS attack generator. Based on these results we discuss the performance of our D-S scheme in contrast to simple thresholds on single metrics, as well as against an alternative data fusion technique based on an Artificial Neural Network. We conclude that our data fusion is a promising approach that significantly increases the DDoS detection rate (true positives) while keeping the false positive alarm rate low.
Future Generation Computer Systems | 2015
Jeroen van der Ham; József Stéger; Sándor Laki; Yiannos Kryftis; Vasilis Maglaris; Cees de Laat
The NOVI Information Model (IM) and the corresponding data models are the glue between the software components in the NOVI Service Layer. The IM enables the communication among the various components of the NOVI Architecture and supports the various functionalities it offers. The NOVI IM consists of three main ontologies: resource, monitoring and policy ontology that have evolved over time to accommodate the emerging requirements of the NOVI architecture. This article presents the NOVI IM and its ontologies, together with an overview of how the NOVI software prototypes have benefited from using the IM.
International Conference on Networking and Services | 2007
Athanasios Moralis; Vassiliki Pouli; Mary Grammatikou; Symeon Papavassiliou; Vasilis Maglaris
Web services (WS) security is the set of standards that provides means for applying security to WS. In this paper we present the performance of the WS security Kerberos token profile in contrast to the X.509 token profile. The measurements are based on the Apache wss4j library for the X.509 token profile and the extensions we have made on the same library in order to support the Kerberos token profile. The Kerberos token profile is based exclusively on symmetric cryptography, whereas the X.509 profile uses public key cryptography for encrypting the symmetric encryption key used for deciphering the message. These differences in the nature of cryptography are reflected and quantified on the measurements we have performed. The performance evaluation and numerical results demonstrated that Kerberos token profile has up to 28% packet throughput improvement over the X.509 Token profile, under full CPU load on the server.