Younghee Park

VNGuard: An NFV/SDN combination framework for provisioning and managing virtual firewalls

Network Function Virtualization (NFV) together with cloud technology enables users to request creating flexible virtual networks (VNs). Users also have specific security requirements to protect their VNs. Especially, due to changeable network perimeters, constant VM migrations, and user-centric security needs, VNs require new security features that traditional firewalls fail to provide, because traditional firewalls rely greatly on restricted network topology and entry points to provide effective security protection. To address this challenge, we propose VNGuard, a framework for effective provision and management of virtual firewalls to safeguard VNs, leveraging features provided by NFV and Software Defined Networking (SDN). VNGuard defines a high-level firewall policy language, finds optimal virtual firewall placement, and adapts virtual firewalls to VN changes. To demonstrate the feasibility of our approach, we have implemented core components of VNGuard on top of ClickOS. Our experimental results demonstrate the effectiveness and efficiency of virtual firewalls built on VNGuard.

A Sticky Policy Framework for Big Data Security

Big data security is one of the hottest research topics in big data computing and service applications, because of the lack of research results and mature security technologies and solutions to provide adequate big data security. Big data security faces the need to effectively enforce security policies to protect sensitive data. Trying to satisfy this need, a security policy solution is presented in the paper. Firstly, an implementation independent and fine-grained policy meta-model is proposed for abstraction from underlying technologies and better reuse. Then, a sticky policy framework is adopted with policy enforcement and evaluation discussed in detail. Finally, a healthcare scenario is used to evaluate the process of policy modeling and enforcement.

Enabling Dynamic Access Control for Controller Applications in Software-Defined Networks

Recent findings have shown that network and system attacks in Software-Defined Networks (SDNs) have been caused by malicious network applications that misuse APIs in an SDN controller. Such attacks can both crash the controller and change the internal data structure in the controller, causing serious damage to the infrastructure of SDN-based networks. To address this critical security issue, we introduce a security framework called AEGIS to prevent controller APIs from being misused by malicious network applications. Through the run-time verification of API calls, AEGIS performs a fine-grained access control for important controller APIs that can be misused by malicious applications. The usage of API calls is verified in real time by sophisticated security access rules that are defined based on the relationships between applications and data in the SDN controller. We also present a prototypical implementation of AEGIS and demonstrate its effectiveness and efficiency by performing six different controller attacks including new attacks we have recently discovered.

Watermarking for detecting freeloader misbehavior in software-defined networks

Software-defined networking (SDN) provides network operators a high level of flexibility and programability through the separation of the control plane from the data plane. When initiating traffic, users are required to install flow rules that direct the traffic routing. This process requires communication between control and data plane and results in significant overhead and enables the controller to monitor the traffic and its source. In this paper, we introduce a novel misbehavior, called freeloading, where attackers bypass the process of installing flow rules. The attackers thus can send traffic with an unfair advantage in delay (enabling them to launch more timely threats) and significantly reduce the risk of attacker detection by the network controller (especially if further threats were launched). To prevent such attack, we develop a flow watermarking technique that embeds a secret message into the data payload. It facilitates ownership of the established flow rules, so that only the legitimate owners of flow rules can send packets using their own rules and the network can help detect the misuse cases of the installed flow rules.

IoTGuard: Scalable and agile safeguards for Internet of Things

The Internet of Things (IoT) is emerging as a force to be reckoned with on the internet and in the economy overall. The IoT is being incorporated into home, hospital and smart grid infrastructures. However, the IoT brings with it a host of potential new security breaches and attacks. This paper proposes IoTGuard as a multi-dimensional security framework to protect against such IoT attacks. It is made up of different systems that will detect abnormal traffic on IoT devices, identify malicious traffic patterns, and monitor IoT device system status. Through this intertwined system architecture, IoTGuard aims to monitor and inspect all traffic from IoT devices. The experimental results demonstrate a promising security architecture to protect the IoT environment.

Impact of reviewer social interaction on online consumer review fraud detection

BackgroundOnline consumer reviews have become a baseline for new consumers to try out a business or a new product. The reviews provide a quick look into the application and experience of the business/product and market it to new customers. However, some businesses or reviewers use these reviews to spread fake information about the business/product. The fake information can be used to promote a relatively average product/business or can be used to malign their competition. This activity is known as reviewer fraud or opinion spam. The paper proposes a feature set, capturing the user social interaction behavior to identify fraud. The problem being solved is one of the characteristics that lead to fraud rather than detecting fraud.MethodsNeural network algorithm is used to evaluate the proposed feature set and compare it against the state-of-the-art feature sets in detecting fraud. The feature set considers the user’s social interaction on the Yelp platform to determine if the user is committing fraud. The neural network algorithm helps in comparing the feature set with other feature sets used to detect fraud. Any attempt to find the characteristics that lead to fraud has a prerequisite to be good enough to detect fraud as well.ResultsThe F1 score obtained using neural networks is on par with all the well-known methods for detecting fraud, a value of 0.95. The effectiveness of the feature set is in rivaling the other approaches to fraud detection.ConclusionsA user’s social interaction on a digital platform such as Yelp is equally important in evaluating the user as social interaction is in real life. The characteristics that lead to fraud can be intuitively captured. The characteristics such as number of friends, number of followers and the number of times the user has provided a review which was helpful to multiple people provide the neural network with a base to form a relationship between opinion fraud and social interaction characteristics.

A Lightweight Encryption and Secure Protocol for Smartphone Cloud

User data on mobile devices are always transferred into Cloud for flexible and location-independent access to services and resources. The issues of data security and privacy data have been often reverted to contractual partners and trusted third parties. As a matter of fact, to project data, data encryption and user authentication are fundamental requirements between the mobile devices and the Cloud before a data transfer. However, due to limited resources of the smartphones and the unawareness of security from users, data encryption has been the last priority in mobile devices, and the authentication between two entities always depends on a trusted third party. In this paper, we propose a lightweight encryption algorithm and a security handshaking protocol for use specifically between in mobile devices and in Cloud, with the intent of securing data on the user side before it is migrated to cloud storages. The proposed cryptographic scheme and security protocol make use of unique device specific identifiers and user supplied credentials. It aims to achieve a usersoriented approach for Smartphone Cloud. Through experiments, we demonstrated that the proposed cryptographic scheme requires less power consumption on mobile devices.

Favored Encryption Techniques for Cloud Storage

Data has been often offloaded to the cloud for high accessibility due to the advanced cloud infrastructure. However, we often ignore the safety of our data and completely rely on the cloud service provider. Data protection and encryption are the most important foundations in order to construct reliable and secure cloud environments. Recently, a lot of industries have used and developed various data encryption techniques that would be a fundamental solution to achieve data protection. This paper investigates current encryption and key management techniques used by the industry. We evaluate the popular techniques to find the elements that affect system performance. Finally, we compare various encryption techniques and suggest future directions for high performance and scalable encryption techniques.

Towards Effective Virtualization of Intrusion Detection Systems

Traditional Intrusion Detection Systems (IDSes) are generally implemented on vendor proprietary appliances or middleboxes, which usually lack a general programming interface, and their versatility and flexibility are also very poor. Emerging Network Function Virtualization (NFV) technology can virtualize IDSes and elastically scale them to deal with attack traffic variations. However, existing NFV solutions treat a virtualized IDS as a monolithic piece of software, which could lead to inflexibility and significant waste of resources. In this paper, we propose a novel approach to virtualize IDSes as microservices where the virtualized IDSes can be customized on demand, and the underlying microservices could be shared and scaled independently. We also conduct experiments, which demonstrate that virtualizing IDSes as microservices can gain greater flexibility and resource efficiency.

Dynamic Defense Provision via Network Functions Virtualization

Network Function Virtualization (NFV) is a critical part of a new defense paradigm providing high flexibility at a lower cost through software-based virtual instances. Despite the promise of the NFV, the original Intrusion Detection System (IDS) designed for NFV still draws heavily on processing power and requires significant CPU resources. In this paper, we provide a framework for dynamic defense provision by building in light intrusion detection network functions (NFs) over NFV. Without using the existing IDSes, our system constructs a light intrusion detection system by using a chain of network functions in NFV. The entire IDS is broken down into separate light network functions according to different protocols. The intrusion detection NFs cover various protocol stacks from the link layer to the application layer protocols. They also include different deep packet inspection NFs for different application layer protocols. The experimental results show the proposed system reduces resource consumption while performing valid intrusion detection functions.