Intent-Driven Security Policy Management for Software-Defined Systems

Chowdhary, Ankur; Sabur, Abdulhakim; Vadnere, Neha; Huang, Dijiang

doi:10.1109/tnsm.2022.3183591

Cited by 6 publications

(5 citation statements)

References 39 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The research work presented in 38 introduces a robust security policy enforcement mechanism that offers a standardized set of intent rules, effectively shielding the network administrator from the intricacies of the SDN controller's format. Furthermore, this mechanism significantly alleviates the complexities associated with checking flow rules conflicts at the data plane.…”

Section: Related Workmentioning

confidence: 99%

Efficient handling of ACL policy change in SDN using reactive and proactive flow rule installation

Hussain,

Amin,

Gantassi

et al. 2024

Sci Rep

View full text Add to dashboard Cite

Software-defined networking (SDN) is a pioneering network paradigm that strategically decouples the control plane from the data and management planes, thereby streamlining network administration. SDN's centralized network management makes configuring access control list (ACL) policies easier, which is important as these policies frequently change due to network application needs and topology modifications. Consequently, this action may trigger modifications at the SDN controller. In response, the controller performs computational tasks to generate updated flow rules in accordance with modified ACL policies and installs flow rules at the data plane. Existing research has investigated reactive flow rules installation that changes in ACL policies result in packet violations and network inefficiencies. Network management becomes difficult due to deleting inconsistent flow rules and computing new flow rules per modified ACL policies. The proposed solution efficiently handles ACL policy change phenomena by automatically detecting ACL policy change and accordingly detecting and deleting inconsistent flow rules along with the caching at the controller and adding new flow rules at the data plane. A comprehensive analysis of both proactive and reactive mechanisms in SDN is carried out to achieve this. To facilitate the evaluation of these mechanisms, the ACL policies are modeled using a 5-tuple structure comprising Source, Destination, Protocol, Ports, and Action. The resulting policies are then translated into a policy implementation file and transmitted to the controller. Subsequently, the controller utilizes the network topology and the ACL policies to calculate the necessary flow rules and caches these flow rules in hash table in addition to installing them at the switches. The proposed solution is simulated in Mininet Emulator using a set of ACL policies, hosts, and switches. The results are presented by varying the ACL policy at different time instances, inter-packet delay and flow timeout value. The simulation results show that the reactive flow rule installation performs better than the proactive mechanism with respect to network throughput, packet violations, successful packet delivery, normalized overhead, policy change detection time and end-to-end delay. The proposed solution, designed to be directly used on SDN controllers that support the Pyretic language, provides a flexible and efficient approach for flow rule installation. The proposed mechanism can be employed to facilitate network administrators in implementing ACL policies. It may also be integrated with network monitoring and debugging tools to analyze the effectiveness of the policy change mechanism.

show abstract

Section: Related Workmentioning

confidence: 99%

Efficient handling of ACL policy change in SDN using reactive and proactive flow rule installation

Hussain,

Amin,

Gantassi

et al. 2024

Sci Rep

View full text Add to dashboard Cite

show abstract

“…The objective is to convert abstract user intents into network-executable policies and automate the network policy configuration process [24]. While some solutions have been proposed, such as the work by Chowdhary et al [25] for efficient security policy management. However, this solution still requires users to possess prior knowledge of network security services.…”

Section: A Security Service Automationmentioning

confidence: 99%

“…Intent-Based Networking (IBN) has emerged as a promising approach to address this problem. Intent-driven security management [23][24][25][26][27][28][29] has received considerable attention from researchers. However, existing research primarily focuses on configuring specific security functions or operational security during service orchestration, overlooking the application of SFC-enabled security services.…”

Section: Introductionmentioning

confidence: 99%

An Autonomous Deployment Mechanism for AI Security Services

Wang,

Zhou,

et al. 2024

IEEE Access

View full text Add to dashboard Cite

Future network architectures are expected to be autonomous, intelligent, and service-based, posing new security challenges. To address these challenges, the Artificial Intelligence (AI) security service emerges as a promising solution. However, the complex service configurations and performance guarantees hinder the autonomous deployment of the AI security service. This paper proposes an autonomous deployment mechanism in Software-Defined Networking/Network Function Virtualization (SDN/NFV) enabled networks. First, our mechanism introduces user and decision planes on top of the control plane, enabling hierarchical intent expression and translation from user security intent to security policies. Then, we analyze the embedding problem of the AI-based Security Function Chain (AISFC) during security policy generation. We formulate the AISFC embedding problem as an Integer Linear Programming (ILP) task to minimize the total response delay. By decomposing it into AISF placement and routing, we design a heuristic algorithm with polynomial time complexity. Finally, we validate the proposed mechanism through a prototype system and numerical simulations, demonstrating its ability to autonomously translate, implement, and guarantee the user security intent. Comparative analysis shows that our approach considering the relationship between available computing resources and delay achieves smaller response delays than the baseline. Furthermore, our algorithm achieves a gap from optimality approximately 28.57% smaller than the greedy algorithm and supports networks that are 4.34 times larger in scale than the exact solution within a 2-second execution time.

show abstract

“…Capturing non-complicated high-level requirements to generate extensive policies is a challenge tackled by intent driven policy management. This approach is actively prospected by the software network community, and has been successfully transposed to security issues, as INTPOL [ 26 ] proposes. However, it remains mainly centred on programmable switches, while our approach targets a wider spectrum of resources to operate.…”

Section: Related Workmentioning

confidence: 99%

PALANTIR: An NFV-Based Security-as-a-Service Approach for Automating Threat Mitigation

Compastié

Martínez

Fernández

et al. 2023

Sensors

View full text Add to dashboard Cite

Small and medium enterprises are significantly hampered by cyber-threats as they have inherently limited skills and financial capacities to anticipate, prevent, and handle security incidents. The EU-funded PALANTIR project aims at facilitating the outsourcing of the security supervision to external providers to relieve SMEs/MEs from this burden. However, good practices for the operation of SME/ME assets involve avoiding their exposure to external parties, which requires a tightly defined and timely enforced security policy when resources span across the cloud continuum and need interactions. This paper proposes an innovative architecture extending Network Function Virtualisation to externalise and automate threat mitigation and remediation in cloud, edge, and on-premises environments. Our contributions include an ontology for the decision-making process, a Fault-and-Breach-Management-based remediation policy model, a framework conducting remediation actions, and a set of deployment models adapted to the constraints of cloud, edge, and on-premises environment(s). Finally, we also detail an implementation prototype of the framework serving as evaluation material.

show abstract

Intent-Driven Security Policy Management for Software-Defined Systems

Cited by 6 publications

References 39 publications

Efficient handling of ACL policy change in SDN using reactive and proactive flow rule installation

Efficient handling of ACL policy change in SDN using reactive and proactive flow rule installation

An Autonomous Deployment Mechanism for AI Security Services

PALANTIR: An NFV-Based Security-as-a-Service Approach for Automating Threat Mitigation

Contact Info

Product

Resources

About