Establishing the Software-Defined Networking Based Defensive System in Clouds
by
Tianyi Xing
A Dissertation Presented in Partial Fulfillment
of the Requirement for the Degree of
Doctor of Philosophy
Approved October 2014 by the
Graduate Supervisory Committee:
Dijiang Huang, Chair
Guoliang Xue
Arunabha Sen
Deepankar Medhi
ARIZONA STATE UNIVERSITY
December 2014



ABSTRACT

Cloud computing is regarded as one of the most revolutionary technologies of the past decades. It provides scalable, flexible and secure resource provisioning services, which is also the reason why users prefer to migrate their locally processed workloads onto remote clouds. Besides commercial cloud systems (e.g., Amazon EC2 [15]), ProtoGENI [9] and PlanetLab [68] have further improved the current Internet-based resource provisioning system by allowing end users to construct a virtual networking environment. Pursuing a similar goal but with more flexible and efficient performance, I present the design and implementation of MobiCloud [83], a geo-distributed mobile cloud computing platform, and G-PLaNE [85], which focuses on how to construct the virtual networking environment on top of a self-designed resource provisioning system consisting of multiple geo-distributed clusters. Furthermore, I conduct a comprehensive study that lays out existing Mobile Cloud Computing (MCC) service models and the corresponding representative related work in [41]. A new user-centric mobile cloud computing service model is proposed to advance existing mobile cloud computing research. After building MobiCloud and G-PLaNE and studying the MCC model, I have been using Software Defined Networking (SDN) approaches to enhance system security in the cloud virtual networking environment. I present an OpenFlow-based IPS solution called SDNIPS [86] that includes a new IPS architecture based on Open vSwitch (OVS) in the cloud software-based networking environment. It is enabled with elastic service provisioning and Network Reconfiguration (NR) features based on the POX controller. SDNIPS demonstrates feasibility and shows more efficiency than traditional approaches through a thorough evaluation. Finally, I propose an OpenFlow-based defensive module composition framework called CloudArmour that is able to perform query, aggregation, analysis, and con-


DEDICATION

In Memory Of My Grandparents


ACKNOWLEDGEMENTS

First, I want to truly express my foremost gratitude to my advisor, Dr. Dijiang Huang, for his mentoring, guidance and support during my PhD study. His excellent guidance, profound insight in research and extraordinary dedication to work helped me to finish my dissertation smoothly and successfully. He is a modest, precise, amiable, understanding person. He is the mentor not only for my study but also for my life. I always feel lucky to be supervised by him. By working with him for several years, I have been shaped into a better person. Without his mentoring, I would not be able to become who I am today. I would also like to thank my committee members for their support. Dr. Guoliang Xue, Dr. Arun Sen and Dr. Deep Medhi provided me with invaluable advice and comments on my research. Their feedback helped me to improve the dissertation in many ways. I am also thankful to all members of the SNAC lab and friends for their kind support. I am particularly thankful to Dr. Yang Qin, Dr. Zhibin Zhou, Yuan Wang, Zhengyang Xiong, Huijun Wu, Bing Li, Ziming Zhao, Yiming Jing, Chun-Jen Chung, for their inspiring discussions. Lastly, but absolutely not least, my family were always supporting me and stood by me through the good times and bad. I have been living apart from my wife, Chau Lam, since I started my PhD program back in 2010. Due to my busy study, my wife visited me in Phoenix from NYC almost every month and she never complained about it. Without her considerate thought and kind understanding, I would not have been able to finish my PhD program.


CHAPTER                                                          Page

5 CONSTRUCTING VIRTUAL NETWORKS IN A GEO-DISTRIBUTED

LIST OF TABLES

Table                                                            Page
2.1 Comparison table of GENI Projects ............................ 6
2.2 Summary of MCC Services and Applications ..................... 7
2.3 Security Solutions Comparison Table .......................... 17
4.1 Single VM Creation Specification ............................. 32
7.1 Network Reconfiguration Actions .............................. 62
7.2 SDNIPS Actions Selection Guidance ............................ 67
7.3 NSaaS Elastic Operations ..................................... 82
8.1 TSAM API Summarization ....................................... 112
8.2 CloudArmour Application Module API Summarization ............. 113


LIST OF FIGURES

Chapter 1

INTRODUCTION

Cloud computing has grown rapidly in the past few years due to increasing network bandwidth, mature virtualization techniques, and emerging cloud-based business demands. Besides the traditional service models of cloud computing, i.e., IaaS, PaaS and SaaS, new models keep appearing to provide new types of services, e.g., StaaS (Storage as a Service), DaaS (Desktop as a Service), NaaS (Network as a Service), etc. After its early stage, and especially within the past few years, cloud computing has shifted its focus from fixed users to dynamic mobile users, from local to global, and from centralized to distributed architectures. Among all issues related to clouds, the mobile cloud computing platform, the user-centric mobile cloud service model, and virtual networking security have been regarded as the most critical concerns, and they are also my research focus.

1.1 Mobile Cloud Computing System

Today, Internet web services are the main way we access information from fixed or mobile terminals. Information is stored on Internet clouds, where computing, communication, and storage services are common services provided for Internet users. In the not-too-distant future, many of our queries will be beyond the current Internet scope and will be about the people and physical environments that surround us, and the virtual environments in which we will be involved. As the Internet environment improves, mobile phones will overtake PCs as the most common web access devices worldwide by 2014, as predicted by Gartner [53]. Current mobile devices have many advanced features such as mobility, communication and sensing capabilities, and can serve as the personal information gateway for mobile users. However, when running complex data mining and storage operations, the computation, energy, and storage limitations of mobile devices demand an integrated solution relying on cloud-based computation and storage support. As a result, a new research field, called Mobile Cloud Computing (MCC), is emerging to meet the increasing demand and address these issues. The trend in MCC systems is not just to provide services for users in certain areas, but especially to establish connections among mobile users all over the world. Due to the mobility of MCC users, a geographically distributed cloud system is a natural choice that allows users to connect to the cloud resource that is geographically "close" to their mobile devices, which usually means less communication delay compared to the centralized approach. Here, a geographically distributed MCC system refers to an infrastructure combining multiple cloud clusters (with dedicated computing, storage, and communication resources) located at different sites. Unlike centralized service provisioning data centers, in geographically distributed data centers users' requests are served by the closest and least loaded data center, which gives a better user experience. Many cloud service providers, like Google and Amazon, place their data centers all over the world to provide rapid resource and service access for end users.

1.2 Mobile Cloud Computing Service Model

Once the mobile cloud computing platform is physically established, another significant research topic is the logical part, i.e., the service model. In MCC, a mobile entity can be considered as either a physical mobile device or a mobile computing/storage software agent within a virtualized cloud resource provisioning system. In the latter view of the cloud system, a software agent's main functionality is the mobility

mers, malicious code authors, and other criminals have been able to conduct their activities with relative impunity. PaaS providers have traditionally suffered most from this type of attack; however, recent evidence shows that hackers have begun to target IaaS vendors as well [46]. Future areas of concern include password and key cracking, launching dynamic attack points, hosting malicious data, botnet command and control, etc.

  1. Malicious Insiders. The threat of a malicious insider is well known to most organizations. This threat is amplified for consumers of cloud services by the convergence of IT services and customers under a single management domain, combined with a general lack of transparency into provider processes and procedures. In traditional computer networking systems, security protection is usually deployed at the edge of the system, for example as a firewall. However, once an attacker breaks through the firewall or DMZ and gains access to the internal network, the consequences can be very severe. Since all resources in the same domain trust each other by default, insider attacks can cause more damage than outsider attacks.
  2. Data Integrity. Storage is one of the most important and common scenarios in clouds. Therefore, compromising stored data, e.g., deletion or alteration of records without a backup of the original content, becomes another critical security issue in clouds. Authentication and authorization of data access must guarantee that unauthorized or unauthenticated parties are prevented from gaining access to private data. The threat of data compromise increases in the cloud due to the number of, and interactions between, risks and challenges that are either unique to the cloud or more dangerous because of the architectural or operational characteristics of the cloud environment.
  3. Virtualization Hijacking. One of the significant characteristics of cloud computing is virtualization, which enables better resource utilization and fine-grained resource isolation. IaaS vendors provide their services by sharing the physical infrastructure in a scalable fashion. However, the underlying components that build up the infrastructure (e.g., CPU, GPU, etc.) were not specifically designed to deliver strong isolation in a multi-tenant environment. To address this issue, the hypervisor was introduced to fill the gap between the physical infrastructure and the guest operating systems. However, existing hypervisors are not flawless and can still be compromised, allowing a user to gain an inappropriate level of control over guest OSes. A defense-in-depth strategy is recommended, and should include compute, storage, and network security enforcement and monitoring. Strong compartmentalization should also be employed to guarantee that individual customers do not impact the operations of other tenants running on the same cloud service provider. Customers should not have access to any other tenant's actual or residual data, network traffic, etc.
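The compartmentalization that item 3 calls for, and the Network Reconfiguration feature the abstract attributes to SDNIPS, can both be expressed as OpenFlow flow rules. What follows is an added example written for this page, not code from the dissertation, SDNIPS or CloudArmour: a pure-Python model of an OpenFlow 1.0-style flow table (no POX controller or Open vSwitch involved) that contrasts the flat "everything in the domain is trusted" default of item 1 with a deny-by-default table that only permits intra-tenant traffic, and then applies a quarantine reconfiguration that steers a flagged VM's traffic to an IPS port. The tenant layout, IP addresses, rule priorities and action names are assumptions made for the example.

```python
"""Added example: OpenFlow-style flow rules for tenant compartmentalization
and a Network Reconfiguration (quarantine) action.

Illustrative code written for this page, not SDNIPS or CloudArmour code from
the dissertation. It models an OpenFlow 1.0-like flow table in pure Python;
no controller (POX) or Open vSwitch is involved. The tenant layout and IP
addresses below are constructed for the example.
"""
from dataclasses import dataclass
from typing import Dict, List

Packet = Dict[str, str]  # header fields, e.g. {"nw_src": "10.0.1.10", "nw_dst": "10.0.2.10"}


@dataclass
class FlowRule:
    priority: int
    match: Dict[str, str]   # field -> exact value; a field absent here is a wildcard
    action: str             # "forward", "drop", or "ips" (redirect to an inspection port)
    name: str = ""

    def matches(self, pkt: Packet) -> bool:
        return all(pkt.get(field) == value for field, value in self.match.items())


class FlowTable:
    """Highest-priority matching entry wins, as in an OpenFlow switch."""

    def __init__(self) -> None:
        self.rules: List[FlowRule] = []

    def add(self, rule: FlowRule) -> None:
        self.rules.append(rule)
        self.rules.sort(key=lambda r: -r.priority)  # stable sort keeps insertion order within a priority

    def remove_prefix(self, prefix: str) -> int:
        before = len(self.rules)
        self.rules = [r for r in self.rules if not r.name.startswith(prefix)]
        return before - len(self.rules)

    def lookup(self, pkt: Packet) -> FlowRule:
        for rule in self.rules:
            if rule.matches(pkt):
                return rule
        raise LookupError("flow table has no table-miss entry")


def flat_domain_table() -> FlowTable:
    """The weak default: every resource in the domain is trusted, so a table miss forwards."""
    table = FlowTable()
    table.add(FlowRule(priority=0, match={}, action="forward", name="miss-forward"))
    return table


def compartmentalized_table(tenants: Dict[str, List[str]]) -> FlowTable:
    """Deny by default; explicitly allow only traffic between VMs of the same tenant."""
    table = FlowTable()
    table.add(FlowRule(priority=0, match={}, action="drop", name="miss-drop"))
    for tenant, vms in tenants.items():
        for src in vms:
            for dst in vms:
                if src != dst:
                    table.add(FlowRule(priority=100,
                                       match={"nw_src": src, "nw_dst": dst},
                                       action="forward",
                                       name=f"allow:{tenant}:{src}->{dst}"))
    return table


def quarantine(table: FlowTable, vm_ip: str) -> None:
    """Reconfiguration action: steer all traffic to and from a flagged VM to the IPS.
    Priority 200 outranks the tenant allow rules, so it takes effect without touching them."""
    table.add(FlowRule(200, {"nw_src": vm_ip}, "ips", f"quarantine:{vm_ip}:out"))
    table.add(FlowRule(200, {"nw_dst": vm_ip}, "ips", f"quarantine:{vm_ip}:in"))


def release(table: FlowTable, vm_ip: str) -> int:
    """Undo a quarantine; returns the number of rules removed."""
    return table.remove_prefix(f"quarantine:{vm_ip}:")


def decide(table: FlowTable, src: str, dst: str) -> str:
    """Action the switch would apply to a packet src -> dst."""
    return table.lookup({"nw_src": src, "nw_dst": dst}).action


# Constructed tenant layout (an assumption for the example).
TENANTS = {
    "tenant-A": ["10.0.1.10", "10.0.1.11"],
    "tenant-B": ["10.0.2.10"],
}

if __name__ == "__main__":
    flat = flat_domain_table()
    strict = compartmentalized_table(TENANTS)
    for src, dst in [("10.0.1.10", "10.0.1.11"), ("10.0.1.10", "10.0.2.10")]:
        print(f"{src} -> {dst}: flat={decide(flat, src, dst)} strict={decide(strict, src, dst)}")
    quarantine(strict, "10.0.1.10")  # e.g. after an IDS alert on tenant-A's VM
    print("quarantined:", decide(strict, "10.0.1.10", "10.0.1.11"),
          decide(strict, "10.0.1.11", "10.0.1.10"))
    release(strict, "10.0.1.10")
    print("released:", decide(strict, "10.0.1.10", "10.0.1.11"))
```

Because the quarantine rules sit at a higher priority than the per-tenant allow rules, the controller can install and withdraw them without recomputing the tenant policy, which is what makes this kind of reconfiguration cheap on a real switch. A production controller would also match on fields such as in_port or dl_src, so that a compromised VM cannot evade the rule by spoofing its source IP address.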

1.4 Outline

My research interests mainly involve cloud infrastructure design and implementation, cloud service design and implementation, software defined networking, cloud network security, etc. The outline of this dissertation is as follows: Chapter 2 discusses the related work in all related research areas and gives a brief summary of it. Chapter 3 mainly discusses the research challenges and the expected objectives of my research. The MobiCloud and G-PLaNE systems are discussed in Chapters 4 and 5 respectively. Chapter 6 introduces a new MCC model and a corresponding exemplar architecture. Chapter 7 discusses an SDN-enabled IPS system in a cloud environment. An SDN-enabled modular composition framework called CloudArmour is discussed in Chapter 8. Finally, Chapter 9 concludes this dissertation and discusses future work.


resources available from around the world to provide resources with network programmability and sensing features. Seattle [26] has an efficient design that easily lets spare nodes join its available resource pool, to be further utilized for Python-based experiments. All GENI related projects [68, 9, 54, 25, 26, 69, 74, 21, 16, 43, 76] and our proposed MobiCloud are summarized in Table 2.1.

2.2 Mobile Cloud System and Services

Table 2.2: Summary of MCC Services and Applications
(service models: MaaSC = Mobile as a Service Consumer, MaaSP = Mobile as a Service Provider, MaaSB = Mobile as a Service Broker; an X marks each service model the approach belongs to)

MCC Service Types          Representative Approaches                                               Service model(s) marked
Mobile Cloud Computation   CloneCloud [28]                                                         X
                           MAUI [32]                                                               X
                           ThinkAir [49]                                                           X
Mobile Cloud Storage       Dropbox, Box, iCloud, GoogleDrive and SkyDrive [31]                     X
                           WhereStore [77]                                                         X
                           STACEE [60]                                                             X X
Security and Privacy       CloudAV [63]                                                            X
                           Secure Web Referral Services for Mobile Cloud Computing [50]            X
                           Zscaler [12]                                                            X
                           Google Wallet [37]                                                      X
Context Awareness          An Integrated Cloud-based Framework for Mobile Phone Sensing [34]       X X

I summarize existing MCC services and applications in Table 2.2. I define three service models, Mobile as a Service Consumer (MaaSC), Mobile as a Service Provider (MaaSP), and Mobile as a Service Broker (MaaSB), based on the role of the mobile device in the MCC environment: service consumer, service provider, or service broker. More detail on the service models is given in Chapter 6. I also discuss the corresponding representative projects. Each service or application can be categorized into one or multiple service models. MaaSC is the most common MCC service model because most existing mobile devices are still restricted by their computation and energy capacities. As an example, CloneCloud [28] provides a computation task offloading service for mobile devices. In this case, the mobile device is the service consumer, since it only benefits from the service provided by the cloud rather than providing services to other users.

2.2.1 Mobile Cloud Computation

Computation task offloading is an in-demand feature for mobile devices that rely on Internet clouds to perform resource-intensive computation tasks. Partitioning computation tasks and allocating them between mobile devices and clouds can be very inefficient if done at application runtime, considering various performance metrics such as energy consumption, CPU power, network delay, etc. How to efficiently and intelligently offload computation tasks onto the cloud is one of the main research issues of MCC. CloneCloud [28] and MAUI [32] are two pioneering works in this area. Both can automatically offload computing tasks to the cloud. CloneCloud serves as an application partitioner as well as an execution runtime environment that allows unmodified mobile applications to seamlessly offload parts of their execution from mobile devices onto a cloud server. The offloading decision is made by optimizing execution time and energy usage for the mobile device. In contrast to CloneCloud, MAUI allows offloadable applications to be modified at the code level to maximize the energy savings of mobile devices. ThinkAir [49] demands dedicated virtual machines (VMs) in the cloud as part of a complete smartphone system, and removes the restrictions on applications/inputs/environmental conditions by using online method-level offloading.
