Article

Dynamic Network Security Function Enforcement via Joint Flow and Function Scheduling

Journal

Publisher

IEEE-INST ELECTRICAL ELECTRONICS ENGINEERS INC
DOI: 10.1109/TIFS.2022.3142995

Keywords

Network security; network function virtualization (NFV); software defined networking (SDN)

Funding

  1. NSFC [62132011, U20B2049, 61872209, 61822207]
  2. Fundamental Research Funds for the Central Universities [2042021gf0006]
  3. Beijing National Research Centre for Information Science and Technology (BNRist) [BNR2020RC01013]

NFV is a new networking paradigm focusing on dynamic network function deployment, but existing studies lack effective solutions for security function enforcement. FuncE proposes a method for efficient real-time security function enforcement through unified dynamic flow and function scheduling, achieving near-optimal solutions and significantly reducing latency compared to existing solvers.

Network Function Virtualization (NFV) is a new networking paradigm to enable dynamic network function deployment in networks. Existing studies focused on optimized function deployment and management in NFV. Unfortunately, these studies did not adequately address the problem of efficient security function enforcement in networks, which is the goal of deploying network functions (NFs), i.e., real-time security function enforcement on the traffic, since optimal function deployment does not mean efficient security function enforcement on network traffic. In particular, they incurred significant NF enforcement cost. To address this issue, in this paper we propose FuncE, which aims to solve the efficient real-time security function enforcement problem by developing unified dynamic flow and function scheduling. We formulate the problem as an integer linear programming problem and prove that it is NP-hard. We tackle the problem by decomposing it and developing heuristics to achieve near-optimal solutions. We conduct comprehensive experiments using real topologies to demonstrate the effectiveness of the FuncE design. The experimental results demonstrate that FuncE achieves near-optimal network function enforcement, which incurs over 100 times less latency than the existing optimal solver. In particular, compared to the state-of-the-art defenses, FuncE processes the same number of candidate flows using over 50% fewer VNFs, while ensuring the same level of function enforcement.
