Dynamic Network Security Function Enforcement via Joint Flow and Function Scheduling

Network Function Virtualization (NFV) is a new networking paradigm to enable dynamic network function deployment in networks. Existing studies focused on optimized function deployment and management in NFV. Unfortunately, these studies did not well address the problem of efficient security function enforcement in networks, which is the goal of deploying network functions (NFs), i.e., for real-time security function enforcement on the traffic, since optimal function deployment does not mean efficient security function enforcement on network traffic. In particular, they incurred significant NF enforcement cost. In order to address this issue, in this paper, we propose FuncE that aims to solve the efficient real-time security function enforcement problem by developing unified dynamic flow and function scheduling. We formulate the problem as an integer linear programming problem and prove that it is NP-hard. We tackle the problem by decomposing it and developing heuristics to achieve near-optimal solutions. We conduct comprehensive experiments by using real topologies to demonstrate the effectiveness of the FuncE design. The experimental results demonstrate that FuncE achieves near-optimal network function enforcement, which incurs over 100 times less latency than the existing the optimal solver. In particular, compared to the state-of-art defenses, FuncE processes the same number of candidate flows using over 50% less VNFs, while ensuring the same level of function enforcement.

Automated summary

NFV is a new networking paradigm focusing on dynamic network function deployment, but existing studies lack effective solutions for security function enforcement. FuncE proposes a method for efficient real-time security function enforcement through unified dynamic flow and function scheduling, achieving near-optimal solutions and significantly reducing latency compared to existing solvers.