Department of Computer Science and Information Engineering
College of Engineering, National Chung Cheng University
Doctoral dissertation
Collaborative detection framework for security attacks on the Internet of Things
Nguyen Van Linh
Advisor: Prof. Po-Ching Lin, Ph.D.
Co-advisor: Prof. Ren-Hung Hwang, Ph.D.
Taiwan, R.O.C., Fall 2019
(This copy is to be returned to the university library together with the thesis, for the National Central Library to use for authorization management.) ID: 106CCU00392111. The thesis covered by this authorization form is the one for which the licensor obtained a doctoral degree from the Graduate Institute of Computer Science and Information Engineering, National Chung Cheng University, in the first semester of the 108 academic year.
Thesis title: Collaborative detection framework for security attacks on the Internet of Things
Advisor: Po-Ching Lin (林柏青)
I hereby agree to license the full text of the above thesis (including the abstract), of which I hold the copyright, for readers' personal, non-commercial online retrieval, reading, download or printing. This license is non-exclusive and royalty-free, granted to the National Central Library and the library of my graduating school, without limitation of territory, time or number of uses, to reproduce the above thesis in microform, optical disc or digital form, and I agree to the public transmission of the digital file.
The road to scientific research has never been a flat one, especially to me. After three years of fighting for my dream, being a cybersecurity scientist, finally, I also have a chance to express my sincere gratitude to the people who have given me passion and strength in this fight. I would like to sincerely express the deepest appreciation to my beloved supervisors, Prof. Po-Ching Lin and Prof. Ren-Hung Hwang, who both have encouraged me to surpass the critical points of this research. I could not have imagined, without their valuable assistance and timely encouragement, whether I was on the right track. To me, their insightful comments, tough questions, and particularly thoughtful reviews have certainly motivated me a lot to finish this extremely hard work on time.

I'd like to sincerely thank National Chung Cheng University (CCU) for offering me a full scholarship. Also, the precious and constant sponsorship from Prof. Lin and Prof. Hwang, the Department of Computer Science and Information Engineering (CSIE@CCU), and the Taiwan Information Security Center in National Sun Yat-sen University (TWISC@NSYSU) is extremely vital for my research and living in Taiwan.

Also, a thank you to my professors at CCU/NSYSU who taught me great courses or worked with me in meaningful projects. A thank you to Ms. Huang and Ms. Chen who have given me exciting Chinese courses, that certainly helped me to forget all tiredness at work and keep fighting. I would like to thank the staff of CSIE@CCU for their great support in the document procedure. Thanks to all members of the Network and System Security Lab, my beloved friends in CCU, the Karate club, and the Badminton team who are always willing to encourage and cheer with me at the memorable time of my Ph.D. journey. Finally, thanks to my parents, my darling, and all my friends for their unconditional support and patience during the course of this work. Last but not least, I would like to thank my life partner, Lan-Huong, for her constant encouragement, sacrifices and endless love in me, that motivated me a lot to firmly pursue the doctoral program till the end. I believe that, without the encouragement and support, I could never be strong enough to overcome the difficulties and finish this research successfully.
A connected world of the Internet of Things (IoT) has become a visible reality closer than ever, and it is now being fueled by the appearance of 5G and beyond 5G (B5G) connectivity technologies. However, besides bringing up the hope of a better life for human beings through promising applications, the complicated structure of IoT and the diversity of the stakeholders accessing the networks also raise grave concerns that our life may be more vulnerable than ever, with daily threats of security attacks, disinformation, and privacy violation. The objective of the research presented in this dissertation is to detect the attacks targeting the network availability (e.g., the volume attacks) and data authenticity (e.g., data forgery dissemination attacks) in the perception layer and the network layer of IoT networks. Further, our research aims to exclude responsible attackers, misbehaving nodes and unreliable stakeholders from active network participation, or even to mitigate the magnitude of such attacks significantly at the edge of the networks in a timely fashion.

While most existing solutions in the context of security detection in IoT are based on data-driven learning and plausibility checks on the traffic near the victim or a single network hop, we propose in this dissertation a collaborative security defense framework, so-called TrioSys, which primarily relies on three main approaches. First, the system evaluates the behavior of traffic/nodes based on learning cooperatively accumulated information, e.g., the distribution of traffic requests targeting a specific address over a time interval, and on fusing the trustworthiness of post-detection results from multiple-layer trusted engines such as the edge-based (regional)/cloud-based (global) detection systems. Second, by largely targeting the filtering of malicious traffic/bogus messages directly at/near the source/nodes/edge, our system provides an extremely effective protection approach with a low-latency response to the attacks, particularly before their malicious traffic has a chance to pour into the networks or affect the decision of unsuspecting nodes such as the control system of an autonomous vehicle. Finally, in each specific case of the application deployment, i.e., in IoT eMBB or IoT uRLLC, we propose a proper strategy to implement the detection mechanisms for the platform. For example, in the autonomous driving case (IoT uRLLC), we propose a novel method to exploit passive source localization techniques from physical signals of multi-array beamforming antennas in V2X-supported vehicles, together with motion prediction, to verify the truthfulness of the claimed GPS location in V2X messages without requiring the availability of many dedicated anchors or a strong assumption of the honest majority rule as in conventional approaches.

In summary, this work consists of two main contributions: (1) TrioSys, a robust and effective platform for detecting and filtering the attacks in IoT, particularly compatible with 5G applications and network models; (2) a novel near-source detection for DDoS defense in the IoT eMBB slice and two physical signal-driven verification schemes for V2X (i.e., IoT uRLLC). Also, besides our comprehensive survey on the state-of-the-art attacks against network availability/data authenticity and countermeasure approaches, our findings on relevant security issues can certainly provide useful suggestions for future work.

Keywords – Internet of Things Security, 5G/B5G Security, Distributed Denial-of-Service Defense, Misbehavior Detection in 5G V2X
2. Van-Linh Nguyen, Po-Ching Lin, and Ren-Hung Hwang, “Energy depletion attacks in Low Power Wireless networks,” IEEE Access, Vol. 7, Apr. 2019.
3. Van-Linh Nguyen, Po-Ching Lin and Ren-Hung Hwang, “MECPASS: Distributed Denial of Service Defense Architecture for Mobile Networks,” IEEE Network, Vol. 32, No. 1, pp. 118-124, Jan.-Feb. 2018.
4. Van-Linh Nguyen, Po-Ching Lin, and Ren-Hung Hwang, “Web Attacks: beating monetisation attempts,” Network Security Journal (Elsevier), No. 5, pp. 1-20, May 2019.
5. Ren-Hung Hwang, Min-Chun Peng, Van-Linh Nguyen, and Yu-Lun Chang, “An LSTM-Based Deep Learning Approach for Classifying Malicious Traffic at the Packet Level,” Applied Sciences, Vol. 9, No. 16, pp. 3414-3428, Aug. 2019.
6. Van-Linh Nguyen, Po-Ching Lin and Ren-Hung Hwang, “Enhancing misbehavior detection in 5G Vehicle-to-Vehicle communications,” submitted to IEEE Transactions on Vehicular Technology (major revision).
7. Ren-Hung Hwang, Min-Chun Peng, Chien-Wei Huang, Po-Ching Lin and Van-Linh Nguyen, “PartPack: An unsupervised deep learning model for early anomaly detection in network traffic,” submitted in Aug. 2019 to IEEE Transactions on Emerging Topics in Computational Intelligence.
Conference Papers
1. Ren-Hung Hwang, Van-Linh Nguyen, and Po-Ching Lin, “StateFit: A security framework for SDN programmable data plane model,” The 15th International Symposium on Pervasive Systems, Algorithms and Networks (ISPAN), Yichang, China, Oct. 2018.
2. Po-Ching Lin, Ping-Chung Li, and Van-Linh Nguyen, “Inferring OpenFlow rules by active probing in software-defined networks,” The 19th International Conference on Advanced Communications Technology (ICACT), Pyongchang, South Korea, Jan. 2017.
3. Van-Linh Nguyen, Po-Ching Lin and Ren-Hung Hwang, “Physical signal-driven fusion for V2X misbehavior detection,” IEEE Vehicular Networking Conference, Los Angeles, USA, 2019.
Projects I have contributed to
1. Po-Ching Lin and Van-Linh Nguyen, “Security protection system for V2X in 5G networks,” a three-year granted MOST project, 2019/08/01 - 2022/07/31.
1.1 Motivation 1
1.2 The featured security attacks on IoT 3
1.3 The collaborative security defense approach 5
1.4 Problem statement, challenges and our research position 6
1.5 Goals 10
1.6 Contributions 11
1.7 Structure of the Dissertation 11
2 Background 13
2.1 Internet of Things and existing security issues: A glance 13
2.2 Enabling technologies promoting the changes to IoT security research 16
2.3 Summary 22
3 TrioSys: A collaborative security attack detection system for IoT 25
3.1 Related work 25
3.2 Assumption and Adversary model 27
3.2.1 Assumption 27
3.2.2 Adversary model 28
3.3 Generic architecture 30
3.4 System description 32
3.5 Detection and filtering 35
3.6 Data sharing and update management 37
3.7 Data fusion 38
3.8 Summary 39
4 TrioSys implementation for enhanced mobile broadband networks 41
4.1 Related work 41
4.1.1 Overview of DDoS attacks 41
4.1.2 State-of-the-art DDoS defense 44
4.2 TrioSys for filtering DDoS attacks 47
4.2.1 Local detectors 48
4.2.2 The central detectors 54
4.3 Evaluation 56
4.3.1 Simulated traffic 56
4.3.2 Performance evaluation 57
4.4 System core and filtering rule updates 61
4.4.1 Proposal model for updating security rules 62
4.4.2 Performance evaluation 66
4.5 Conclusion 70
5 TrioSys implementation for ultra reliable low latency networks 71
5.1 Introduction 71
5.2 Related Work 75
5.3 Assumption and Attack model 76
5.3.1 Vehicle configuration & source information 77
5.3.2 Assumption 77
5.3.3 Attack model 78
5.4 System model 79
5.5 TrioSys for detecting location forgery attacks 84
5.5.1 Verifying the truthfulness of V2X messages 84
5.5.2 Calibration methods to improve the detection precision 90
5.5.3 Vehicle maneuver prediction for misbehavior detection 94
5.5.4 Assistive signal-based verification 101
5.6 Evaluation results 104
5.6.1 Overall performance 105
5.6.2 System parameter influence 107
5.7 Conclusion 117
6 Conclusion & future work 119
6.1 Conclusion 119
6.2 Research discussion 120
6.3 Challenges and Future work 124
Illustration of 5G Authentication and 5G beamforming analysis 131
List of Figures
1.2.1 The overview of IoT attack types. With our main motivation being the practical attacks, without loss of generality, we address two typical types of attacks in this work: (1) DDoS attacks in cellular networks; (2) false data dissemination attacks in V2X. 4
1.4.1 The general network model and the security attacks. From the communication perspective, this model also reveals a common scheme: IoT devices are supposed to connect to the Internet through a cellular infrastructure. 7
2.1.1 IoT conceptual architecture and layer classification by the coverage and relevant business sectors. Low-power wireless networks support connectivity for massive IoT constrained devices with a communication range of 10-50 km and latency > 1 s at best. IoT uRLLC offers the connectivity to high-end applications such as V2X or remote surgery that often require a very low latency (< 1 s). 14
2.1.2 A glance at IoT devices. The IoT devices can be categorized into two types: the constrained or unconstrained ones. The constraints may refer to energy, computation and cost. 15
2.1.3 The relationship of low-power personal networks (LPAN)/low-power wide area networks (LPWAN) and IP-based protocol stacks (Internet domain). Most protocols in both domains are changed to satisfy the energy consumption requirement and the simplicity of LPW devices. 17
2.2.1 The architecture of the 5G network and the position of our proposal (bold/red text). Our system is primarily located at MEC (5G LA/DN). 18
2.2.2 The abstract of the multi-access edge computing system [23] and the position of our proposal (bold/red color). Our system is accommodated in MEC VNFs. 19
2.2.3 The abstract of the SECaaS-based security architecture with the support of SDN and the programmable model. We structure major detection and filtering engines as configurable components embedded into programmable facilities such as switches/MEC-based servers. 22
3.2.1 The position of the attacks in the structure of three layers (Things/Devices, Edge and Cloud). Most of the broadcast false data come from the Things/Devices layer or physical/MAC layer, while the spoofing and volume attacks such as DoS/DDoS target the network layer or application layer. 29
3.3.1 Structure of the TrioSys system, in which D-TrioSys means the detector is embedded in the device; M-TrioSys denotes the detector deployed at MEC-based servers; C-TrioSys is the detector located at the cloud center. In practice, the core and cloud can belong to one layer, e.g., a regional data center. 31
3.4.1 Illustration of the collaboration in the connection of TrioSys instances. M-TrioSys and C-TrioSys for different applications can be located on the same server but support a chain of different detection engines, according to the traffic classification in the slices. 34
4.1.1 Illustration of the DDoS attacks targeting to exceed the network bandwidth of the perimeter networks near the remote server (victim). 42
4.1.2 Classification of the DDoS defense mechanisms based on their deployment location. The closer the defense is to the target, the more accurately the defense can detect the attack traffic, but the less it satisfies the ultimate goal of DDoS defense. 46
4.1.3 The conceptual MEC architecture, in which MEC servers collect the raw data streams from registered IoT and mobile devices and classify them into different groups on the basis of the data type. 48
4.2.1 The architecture of the MECPASS DDoS defense system, where the local nodes are M-TrioSys detectors and the central nodes are C-TrioSys. The anti-spoofing and anti-DDoS engines are sequentially grouped into a chain of detection engines. 49
4.2.2 The illustration of the anti-spoofing mechanism, in which the TEID value must be the same in both the GTP-C packets and the GTP-U packets. 50
4.2.3 The illustration of the ON/OFF model. An ON cycle means packet transmission exists for an interval of time (Ton), after which the element is idle for another time interval (Toff); this alternation of communication and idleness repeats over time (per Tobservation). 51
4.2.4 The central nodes handle the handover process, where they will fuse the data from the local nodes’ aggregation for further analysis. 55
4.3.1 The simulated traffic with three scenarios: (1) UDP spoofing packets; (2) high-rate (TCP sending bytes > 100 kB per 10 s) and low-rate (TCP sending bytes ∼ 30 kB per 10 s); (3) benign traffic (using the ON-OFF model). 57
4.3.2 The evaluation results of the system in various attack cases. 59
4.4.1 The proposed architecture for updating the DDoS detection engines, namely StateFit, and the workflow of the system. 63
4.4.2 The system log of the testing workflow. 68
4.4.3 Latency of consistent updates in ONOS 1.11 [84]. 69
5.1.1 Flow chart of the verification model, in which we only verify the authorized messages signed by legitimate identities, i.e., to reduce the computation overhead for validating unnecessary messages. 73
5.3.1 The illustration of the attack cases and consequences in V2V communications. Two attackers (Tx1, Tx2) and many benign vehicles are on two roads (Road 1, Road 2). An attacker (Tx1) broadcasts BSM/CAM to claim it is braking (marker 1) or suddenly stops (marker 4), but in fact, it stops at the side of LANE 2 of Road 1. Another attacker (Tx2) on Road 2 broadcasts that it is moving to the street junction at high speed (90 km/h), but it actually stops at the roadside. 80
5.4.1 Geometric model of the 2D multi-array antenna configuration and the illustration of a false location claim (the spot at the right side) of the attacker. 81
5.5.1 Performance results of the proposal in various conditions: a) selection of α; b) distance between Tx-Rx (α = 5); c) noise variance; d) number of vehicles under verification (exchanging data with the Rx). 88
5.5.2 The abstract architecture of the TrioSys-based misbehavior detection system: (1) Path prediction on the vehicle (leader); (2) Platoon control plan on the MEC-based system. 91
5.5.3 Illustration of the vehicle movement behaviors: the vehicle is supposed to keep a constant velocity on the straight road segment (first segment), turn at the bend and change the speed (second segment), and then accelerate after moving into the straight area (third segment). In practice, depending on the road condition, the motion model of the vehicle may vary. By applying the motion model to our prediction, we can estimate the next location of the vehicle (state k) from the state of the previous step, i.e., k − 1 (as in the coordinate illustration at the top left of the figure). 97
5.5.4 Illustration of the threat zone in front of the Rx. Depending on the Tx’s location, the priority of the system can be at three levels: Emergency, PotentialThreat, InNotice. 100
5.6.1 Performance of this work in various conditions: a) ROC curve of false data detection; b) Accuracy of the system with variances of the distance between Tx-Rx. 106
5.6.2 Performance of the system for different threshold values of α (a) and motion model probabilities (b) for the prediction according to the road shape (as illustrated in Fig. 5.5.3). 108
5.6.3 The estimation performance with two motion model selections (CV and IMM) in the prediction compared to the threshold to report the attack. The combination of UKF and IMM gives higher accuracy than that of UKF and CV. 109
5.6.4 A comparison of the average error of UKF and EKF with the position/velocity/acceleration estimation. 110
5.6.5 Performance of this work in various conditions: a) Accuracy of the system in various cases of fading inference (Rician factor κ = 10 and κ = 100); b) Detection delay for multiple vehicle verification, where the system can track hundreds of vehicles (although it is not common) with a low latency, e.g., 200 ms. 112
5.6.6 A comparison of the performance of multi-array localization-based verification (MLV) [98] and our trajectory-based verification (TRV). 115
5.6.7 A comparison of the performance of multi-array localization-based verification (MLV) [98] and our trajectory-based verification (TRV) in the case of receiving multiple vehicles. 116
A.1 The same usage of the uplink TEID in control data and uplink packets in the initial stage of 5G authentication reinforces our theory to verify the spoofing sources in 5G networks. 131
A.2 Channel beamspace in 5G with multiple path interference existence. 132
List of Tables
2.1.1 Security modes in IEEE 802.15.4. 15
4.1.1 Overview of several surveys about non-spoofing DDoS attacks in recent years. 43
4.1.2 Overview of several featured works on the collaborative DDoS defense approach in recent years and the position of our work. 47
4.3.1 Performance evaluation of our DDoS defense proposal for mobile IoT devices. 58
4.4.1 Overview of addressing security updates in the next-generation networks, e.g., SDN, and our research position. 62
4.4.2 The hardware and tool requirements. 67
4.4.3 Response time to update the detectors on the programmable switches in various scenarios. 68
5.4.1 Notations to be used in this research. 81
5.5.1 Tracking variable values of the system used for checking the consistency between the claimed value of a given message source and the estimate of the actual state of the vehicle (illustration with location information). 99
5.5.2 Data fusion in our misbehavior detection. 103
5G 5th generation of the networking technology 1
ADAS Advanced Driver-Assistance Systems 72
AMF Access and Mobility Function 18
BSM Basic-safety messages 9
CACC Cooperative Adaptive Cruise Control 72
CCTV Closed Circuit Television 3
DDoS Distributed denial-of-service 8
DNS Domain Name System 2
EDA Energy depletion attacks 16
eMBB enhanced Mobile Broad Band 10
FOV Field of View 99
GTP General Packet Radio Service tunneling protocol 49
GTP-C GPRS Tunnelling Protocol – Control 49
GTP-U GPRS Tunnelling Protocol – User 49
HD High-resolution Dynamic 90
ICMP Internet Control Message Protocol 42, 43
IDS Intrusion Detection System 26
IMSI International Mobile Subscriber Identity 49
IoT Internet of Things 1
LADN Local Area Data Network 18
LIDAR LIght Detection and Ranging 77
LOS Line-of-Sight 9, 73, 76
LPW Low-power Wireless 14
LTE Long-term Evolution 47
MEC Multi-access Edge Computing 1, 6
MIMO Multiple-input and Multiple-output 18
MME Mobility Management Entity 48
MSISDN Mobile Station International Subscriber Directory Number 49
NFV Network Function Virtualization 5
NIES Normalised Innovation Error Squared 98
NLOS non-Line-of-Sight 9, 76
NRF Network Repository Function 17
NSSF Network Slice Selection Function 17
NTP Network Transfer Protocol 43
OFDMA orthogonal frequency division multiple access 80
ONOS Open Network Operating System 20
PCF Policy Control Function 17
PDP Packet Data Protocol 49
PEB Position Error Bound 86
PGW Packet Gateway 49
PISA Protocol-Independent Switch Architecture 20
PKI public key infrastructure 29, 72
RAN Radio Access Network 7
RSU Road-side Unit 10
SDA Service-defined Architecture 6
SDN Software defined Networking 5
SECaaS Security as a service 21
SFC Service function chaining 20
SGW Serving Gateway 49
SMF Session Management Function 18
TEID Tunnel Endpoint Identifier 49
UDM Unified Data Management 17, 18
UDM User Plane Function 18
UDP User Datagram Protocol 42
UE User Equipment 42
UKF Unscented Kalman Filter 90
ULA Uniform Linear Array 80
uRLLC Ultra-Reliable Low-Latency Communication 10
V2I Vehicle-to-Infrastructure 4
V2V Vehicle-to-Vehicle 4
V2X Vehicle-to-everything 2
VLC visible light communication 77
WSMP Wave Short Message Protocol 27
Chapter 1
Introduction
The heterogeneous, distributed, and dynamically evolving nature of the Internet of Things (IoT) introduces new and unexpected risks that cannot be solved by state-of-the-art security solutions [1]. In this sense, protecting such a gigantic connected world is extremely hard and potentially requires the joint efforts of many stakeholders and further novel approaches. This chapter serves as an introduction to the principles of the attacks, along with a broad overview of existing defense approaches in this area. Moreover, through the lens of the 5th generation of the networking technology (5G) and emerging enabling technologies, we aim to highlight our contributions in solving the remaining challenges that are still under scrutiny so far. Specifically, the motives are presented in Section 1.1. To clarify our position in the research map and the genesis of our work, we cover an overview of closely related state-of-the-art attack and defense research in Section 1.2 and Section 1.3, respectively. After that, we define the problems and research issues in Section 1.4. Subsequently, Section 1.5 presents the goals of our work. Finally, a discussion of our contributions for each addressed problem is given in Section 1.6.
1.1 Motivation
The improvement and evolution of technology potentially bring up both opportunities and challenges for the security field, particularly in the IoT era. Several enabling technologies such as network slicing [2], service chaining [3], virtualization, and Multi-access Edge Computing (MEC) [4] have created a tide of proposals for novel security protection approaches^1, from the deployment placement to the defense model [5]. Unfortunately, the approaches based on these emerging network models are still at day one. Besides, at the same time, the advent of IoT also brings many significant risks and leaves the door open for the attacker to improve their evasion ability against the security system and to exploit new vulnerabilities. For example, by exploiting hundreds of thousands of IoT cameras, the attacker launched one of the biggest DDoS attacks in history, targeting systems operated by the Domain Name System (DNS) provider Dyn in 2016 [6]. With the availability of billions of IoT devices, launching such a powerful DDoS is now no longer uncommon or out of the hands of smart attackers.

Also, a vital challenge is that the diversity of applications and the interoperability^2 requirements for billions of connected devices in IoT are creating tremendous difficulties for building a robust security protection model. The reasons are many. First, the massive traffic and data types from IoT devices introduce new challenges not only in profiling a well-represented pattern of a benign entity but also in optimizing the resources for data processing of hundreds of thousands of connections per second. Second, due to the cost, various IoT applications may have different protection requirements, including preventing the attacks in a timely fashion. For example, constrained IoT devices may favor securing their networks with an acceptable delay, while Vehicle-to-everything (V2X) requires that the security system comes with not only a highly accurate detection ability but also timely processing. As a result, there may be heterogeneous security configurations running on the networks, and that means the weak network nodes, e.g., outdated devices^3, can accidentally be the doors for the attacker to hack into the network infrastructure. Besides, in a connected world owned by hundreds of stakeholders, the privacy leak-related issues also complicate the attempts to create such a robust security system. These obstacles all contribute to motivating us to pursue a novel approach to protect the network infrastructure against the attacks and threats, particularly for IoT.

^1 These technologies are proposed with security enhancement in mind. For example, network slicing promises to isolate the network into multiple classes, and a separate security treatment can be applied to each of them. This model helps a lot since, to enhance the performance and save the cost, future networks such as 5G may accommodate many tenants and applications.
^2 Different device types with various technologies and security protection levels connect to each other under the same network infrastructure.
^3 E.g., the devices are mounted on the body of street lights/buildings and seldom/never updated with security patches.

Due to the broad scope of IoT security research, in this work, we primarily prefer to find the answers to the following fundamental issues:
1. Dealing with the existing security threats and attacks, an interesting question is “what kind of security attacks are IoT networks most vulnerable to so far?” Therefore, analyzing existing vulnerabilities and attack approaches and then finding the new variants of the attacks, if any, is the first part of our core research.
2. Given a potential deployment of the enabling technologies, e.g., MEC and network slicing, what is the preferable security protection architecture, and where should it be placed to prevent/mitigate featured attacks effectively? What are the significant changes in the design compared with the conventional models?
3. How to mitigate/prevent the existing attacks but still maintain high efficiency, affordable cost, high readiness for a potential deployment and compatibility with the next-generation networking technologies, e.g., 5G?

To address each issue, in the following section, we first overview the featured security attacks along with the state-of-the-art defense approaches and then clarify our research position.
1.2 The featured security attacks on IoT
The security attacks on IoT are diverse, involving many types (e.g., network attacks) and coming from various sources (e.g., hardware/software). Fig. 1.2.1 covers an overview of prominent attacks in IoT. Unsurprisingly, most of the attacks on the list are also common in legacy networks, e.g., wired and IP-based networks [7]. This is possible because nowadays, due to the cost, network providers still maintain various types of network infrastructure and technologies in parallel. Moreover, the potentially insecure sources may come from a significant number of Internet-connected devices which have not been updated for years, e.g., public CCTV cameras. The lack of strong cryptographic schemes in the IoT devices of a heterogeneous network [8] also contributes to weakening the protection capabilities of the whole network and leaves the door open for new variants of the attacks. While the attacks are diverse, due to their interests and motivation, the attacker may tend to focus on several attractive targets, e.g., crucial servers or payment gateways. Therefore, several attacks listed in Fig. 1.2.1 may only appear in academic research. With our main motivation being the practical attacks, without loss of generality, we address two typical types of attacks in this work. The first is DDoS attacks, which are one of the most common in the current network environments (IHS report, 2018 [9]) and are often listed among the top notorious threats in cybersecurity reports [10]. The second is false data dissemination attacks on the vehicles in a platoon or driverless cars [11], which may significantly impact the safety of human life in the coming years. These two attacks cover two different strategies of the attacker to damage the featured IoT applications. For example, DDoS attacks can clog a network by flooding it with a large volume of redundant/meaningless traffic, thus threatening the availability of the relevant services or the working applications. The damage can be amplified and even interrupt part of the Internet on a large scale if the victim is the provider of core Internet functions, e.g., Dyn DNS services [6]. In contrast, in the near future, cars with drivers may be partly replaced by autonomous vehicles. This trend promises to provide more safety and fuel savings. Such autonomous vehicles are expected to increasingly use wireless connectivity such as Vehicle-to-Vehicle (V2V) and Vehicle-to-Infrastructure (V2I) for sharing data with nearby vehicles or merely to improve the coverage, particularly at intersections where a vehicle’s camera or radar is ineffective^4. Here, an insider attacker is intently engaged in exploiting the sharing to disseminate false information to the surrounding receivers. Trusting the data, an automatic control system may be trapped into changing to a wrong lane or accelerating unexpectedly, which then potentially leads to a crash.

[Figure 1.2.1 (tree diagram): IoT security attacks, divided into Physical attacks, Network attacks, Software attacks and Encryption attacks; leaf examples visible in the diagram include Node tampering and Sybil attacks.]
Figure 1.2.1: The overview of IoT attack types. With our main motivation being the practical attacks, without loss of generality, we address two typical types of attacks in this work: (1) DDoS attacks in cellular networks; (2) false data dissemination attacks in V2X.

^4 The camera/LIDAR/radar can be disabled by a simple attack, e.g., using an LED/reflector, or may perform poorly under heavy fog [12].

Note that, in practice, particularly in the current network environment, ransomware or phishing attacks are raging and may also be considered as variants of the two attack types above. However, due to the difference in the defense architecture, we will not address such attacks in this dissertation^5.

In summary, given the many security attacks on IoT, we address two typical attacks towards two typical targets in this work: the network availability in mobile networks and the data authenticity in autonomous driving/V2X. The details of the attacks and assumptions will be clarified in the specific cases in later chapters.
1.3 The collaborative security defense approach
Recently, several attempts have been proposed to catch up with the trend of designing security protection architectures for large-scale inter-connected networks such as IoT. Notably, ANASTACIA, SecurityIoT [14], [15] and 5G Ensure [16] of the huge H2020 project [1] have been leading the efforts. They aim to propose a trustworthy-by-design security framework, which will address self-protection, self-healing and self-configurable capabilities. They also aim to automate security protection decisions through the use of new enabling networking technologies such as Software-Defined Networking (SDN) and Network Function Virtualization (NFV). However, the projects are still under heavy development, and the lack of proposals for specific applications and attack cases is a visible shortcoming. Moreover, the collaboration architecture of multiple protection instances over distributed geographic areas has not yet been addressed. On the other hand, the technical specification from 3GPP [11] reveals the first abstract of the 5G security architecture, including the novel authentication mechanisms; however, major parts of it do not address specific attacks either. In an effort to conduct a comprehensive IoT system architecture with awareness of enabling technologies, the authors of [17] present an extensive survey on the topics. The outstanding contribution of that work is to clarify the benefit of using a software-oriented security architecture in cyber-physical systems and IoT, along with identifying the security challenges/attacks on the three layers of IoT networks (application layer, network layer, and perception layer). In another attempt, the authors of [18] present a comprehensive end-to-end security approach with the target of integrating trust mechanisms in providing security to applications from the hardware. However, that work is limited to IoT resource-constrained edge devices. Unlike the mentioned approaches, the authors of [19] introduce a proposal of Service-defined Architecture (SDA), in which device configurations are a reflection of the real service needs, combined with the benefits of information-centric networking with named services. So far, a robust protection architecture for IoT data exchange, storage and processing is unlikely to be completed soon.
Footnote 5: However, we have still done work related to this problem during my Ph.D. time. For more information, the readers may check our solution in our published technical paper [13].
Unlike prior work, in this work we pursue a novel approach that collaborates the defense engines (where necessary), aiming to improve detection/prevention precision and enhance the security of the networks. To that end, along with building self-analysis local detection engines, we also propose probability-based data fusion over multiple sources of various reliability to improve detection accuracy. Meanwhile, the involvement of MEC in our architecture significantly helps to realize a long-awaited solution: filtering the malicious traffic near the source without requiring any modification to well-established network protocols, which has never been a trivial problem. In principle, this work targets various aspects of IoT security, both in designing a general collaborative defense architecture and in proposing novel mechanisms for detecting variants of the attacks in specific IoT applications, e.g., V2X.
1.4 Problem statement, challenges and our research position
IoT itself is a heterogeneous network, in which hundreds of various networking technologies and applications are supposed to be involved. Due to this diversity, there are enormous challenges in addressing security attacks in the general case, i.e., the vulnerabilities and exploitation techniques are supposed to differ greatly for each network layer or may only exist in specific devices. Fig. 1.4.1 illustrates such a general network model. From the communication perspective, this model also reveals a common scheme: IoT devices are supposed to connect to the Internet through a cellular infrastructure and MEC. To address the two typical attacks in this network model, we first propose a general defense architecture. Specific implementations of the architecture for each IoT application will be presented separately in later chapters. In principle, the problems and challenges of designing the defense framework and its detection/verification components to address each attack type can be grouped into a general problem and two specific issues as below.
Figure 1.4.1: The general network model and the security attacks. From the communication perspective, this model also reveals a common scheme: IoT devices are supposed to connect to the Internet through a cellular infrastructure.
General problem (Security defense architecture): From the design perspective, there are many approaches to detect/prevent cybersecurity attacks. Host-based, network-based or hybrid frameworks are already common in legacy networks and are supposed to still play an important role in IoT [17], [20], [21]. However, due to the diversity of devices, protocols, and stakeholders (footnote 6) accessing the networks in IoT, these models still require significant changes. For example, in large networks like IoT, the methods relying on modifying the core functions of routers or well-established protocols [10], [22], [23] are not likely the first options, if not impossible, to deploy or maintain in practice due to the cost (capital expenditures). The appearance of new technologies such as network slicing at the Radio Access Network (RAN) and MEC also promises to make moving the detection near the source more feasible than ever. Unfortunately, so far, designing a robust and implementable security platform on such enabling technologies still poses various challenges. For example, the new system must deal well not only with detecting attacks on the devices themselves but also support extending features, maintaining updates and handling remote control over many local/regional detectors located in distributed geographical areas. The other challenges can be:
(a) The communication time among network nodes in several IoT applications such as autonomous driving is potentially very short (footnote 7). This short connection can create huge trouble for conventional detection mechanisms, e.g., in accuracy or even data collection.
(b) The system must deal with possibly explosive traffic situations, e.g., DDoS or hundreds of V2V connections in real time. This challenge increases the pressure on the scalability requirement of any solution.
(c) Data come from multiple sources with various reliability and availability. A wrong data source selection can accidentally disable the effectiveness of a powerful protection system, since the attacker can intentionally inject false data into such sources.
(d) A stringent requirement for a fast response to the attacks; otherwise, serious loss of life may occur, e.g., in autonomous driving.
Footnote 6: including service providers, tenants, and end-users.
Footnote 7: E.g., the latency requirement is < 100 ms [24].
As the key part of the research, we detail our conceptual defense architecture for IoT, its main modules, workflow model, and our clarification of the difference between our approach and the legacy work in Chapter 3. Note that the involvement of MEC in most components of our architecture is one of the promising features that makes our solution feasible for high-performance and low-latency applications such as V2X apps. Our published papers contributing to this part include [6], [8], [25].
Besides the conceptual architecture, implementing it for the specific environment to address the relevant attacks is also a critical task and our major effort in this work. Specifically, the issues in implementing the proposed defense architecture for the two typical attacks can be organized into two specific problems as follows.
Specific problem 1 (Detecting Distributed Denial-of-Service (DDoS) attacks in IoT mobile networks): In this problem, the IoT devices are assumed to connect to the cellular network, and a botnet of hundreds of thousands of IoT devices is supposed to create a volume attack (flooding redundant traffic) against a victim, e.g., a website or a critical server. The target of these attacks is to consume all resources of the victim servers or the bandwidth of the network near the victim. For DDoS defense, a lot of studies have been done over the decades. However, in this research, we focus on dealing with attackers on mobile networks, even while they are moving. The goal is to filter as much redundant traffic as possible, particularly near the source. The challenges for solving this problem include:
(a) The system must deal with high-mobility UEs and the issues of the hand-over process in cellular networks.
(b) The spoofed traffic must be filtered before it pours into the core network.
(c) The system must be able to handle attacks from hundreds of thousands of IoT devices without degrading the network performance or requiring significantly more resources.
Addressing this problem in Chapter 4, we provide a detailed overview of state-of-the-art DDoS defenses and techniques, and then clarify the difference of our approach along with its inherent concepts. Besides, we also detail the structure, main modules and workflow model of the DDoS defense mechanism. Our published papers contributing to this part include [6], [25].
Specific problem 2 (Misbehavior detection in 5G V2X (IoT connected vehicles)): After DDoS defense, for several applications, e.g., vehicular communication, the passing traffic requires more treatment. Specifically, that is to verify the truthfulness of the received messages, i.e., whether the location in Basic Safety Messages (BSM) is correct as claimed. The truthfulness of the shared data is the key factor (footnote 8) for promoting the reliability and safety of the cooperative driving model of autonomous vehicles. For the sake of safe driving, sharing information is inevitable in many cases, e.g., when vehicles are moving in a blind crossing area where their camera or active radar system may not be useful. In such cases, V2X-supported vehicles are usually required to periodically exchange beacon messages that incorporate user-specific information such as location and speed to maintain cooperative awareness, e.g., safe inter-vehicle spacing. However, leveraging anonymity (footnote 9), a compromised vehicle may intentionally disseminate false location data to fool the receivers into adjusting their position wrongly, which can lead to dangerous situations such as rear-end collisions. During cooperative driving, since a connected vehicle's decision-making process depends highly on the incoming V2X messages, it is crucial that the vehicle can detect and filter the false data. The challenges for solving this problem include:
(a) The system must identify reliable source information for misbehavior analysis.
(b) A detection mechanism should not rely on the honest-majority rule, i.e., the detection by nearby/neighbor vehicles, since the attacker can be any of them.
(c) A misbehavior detection mechanism must work efficiently for both Line-of-Sight (LOS) and non-Line-of-Sight (NLOS) areas.
The clarification of our proposal for data exchange treatment is presented in Chapter 5.
Footnote 8: Message integrity and authentication are protected by the PKI infrastructure and specified by standards such as SAE J1939 (https://en.wikipedia.org/wiki/SAE_J1939).
Footnote 9: We assume that the network providers will enforce pseudonym systems such as SCMS [26] to preserve the privacy of V2X-supported vehicles.
Through the research, we conclude that information extracted from physical signals can give a good reference to verify the truthfulness of data in V2X messages. Further, our approach is getting closer to a potential deployment due to the promise of 5G beamforming technology and multi-array antennas. Our work in the papers [27], [28] covers this part. Besides the location verification approach above, we also extend the work towards a broader view: the false data can be anything, instead of only the location, and the source can be the attacker or even damaged sensors. The second issue is cooperation among multiple detectors. Normally, the vehicles should only trust the mechanisms running locally, i.e., trust themselves. However, to increase the effectiveness of the system, besides improvements to the detection mechanism itself, a potential approach is to ask for the help of reliable Road-Side Units (RSU) or engines at MEC servers, which can be trusted (since they are handled by authorized agencies/providers). The paper contributing to addressing this problem is [29].
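The cooperation between a vehicle's local engine and trusted RSU/MEC engines described here, together with the "multiple sources with various reliability" challenge listed under the general problem, can be illustrated with a small worked example. The following Python block is an added example and not the dissertation's own fusion method: it assumes each source is characterized by a true-positive and a false-positive rate (constructed values), combines verdicts as a sum of log-likelihood ratios, and contrasts the result with the honest-majority vote that challenge (b) of problem 2 argues against.

```python
"""Reliability-weighted fusion of misbehavior verdicts (added example).

Several sources judge whether a received V2X beacon carries a false
location: the vehicle's own local engine, a trusted RSU/MEC engine, and a
few neighbour vehicles (any of which may be the attacker). Each source is
modelled by an assumed true-positive rate and false-positive rate; these
numbers are constructed for illustration, not measured values.
"""
import math
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Source:
    name: str
    tpr: float  # P(source raises alarm | message is false)
    fpr: float  # P(source raises alarm | message is genuine)

    def __post_init__(self) -> None:
        # Rates must lie strictly inside (0, 1) so the log-likelihood
        # ratios below stay finite; a "perfect" source would dominate everything.
        for rate in (self.tpr, self.fpr):
            if not 0.0 < rate < 1.0:
                raise ValueError(f"{self.name}: rates must lie in (0, 1)")


def log_likelihood_ratio(src: Source, alarm: bool) -> float:
    """Evidence contributed by one verdict, in nats.

    Positive values favour "message is false". A source with tpr == fpr
    contributes 0 whatever it says, i.e. an uninformative source is ignored."""
    if alarm:
        return math.log(src.tpr / src.fpr)
    return math.log((1.0 - src.tpr) / (1.0 - src.fpr))


def fuse(prior_false: float, verdicts: List[Tuple[Source, bool]]) -> float:
    """Posterior P(message is false), treating sources as conditionally independent."""
    logit = math.log(prior_false / (1.0 - prior_false))
    for src, alarm in verdicts:
        logit += log_likelihood_ratio(src, alarm)
    return 1.0 / (1.0 + math.exp(-logit))


def majority_vote(verdicts: List[Tuple[Source, bool]]) -> bool:
    """The honest-majority rule: one source, one vote, reliability ignored."""
    alarms = sum(1 for _, alarm in verdicts if alarm)
    return alarms * 2 > len(verdicts)


# Constructed reliability profiles (assumptions, not measurements).
LOCAL = Source("local engine", tpr=0.85, fpr=0.10)
RSU = Source("trusted RSU/MEC engine", tpr=0.98, fpr=0.01)
NEIGHBOURS = [Source(f"neighbour-{i}", tpr=0.60, fpr=0.30) for i in range(3)]
PRIOR_FALSE = 0.05  # assumed base rate of forged beacons


def scenario_colluding_benign() -> Tuple[float, bool]:
    """Local engine and RSU raise alarms; three unreliable neighbours (one of
    them possibly the attacker) all vouch for the message. Returns (fused, majority)."""
    verdicts = [(LOCAL, True), (RSU, True)] + [(n, False) for n in NEIGHBOURS]
    return fuse(PRIOR_FALSE, verdicts), majority_vote(verdicts)


def scenario_colluding_alarm() -> Tuple[float, bool]:
    """Three unreliable neighbours cry wolf about a genuine message while the
    local engine and RSU see nothing wrong. Returns (fused, majority)."""
    verdicts = [(LOCAL, False), (RSU, False)] + [(n, True) for n in NEIGHBOURS]
    return fuse(PRIOR_FALSE, verdicts), majority_vote(verdicts)


if __name__ == "__main__":
    for name, run in (("colluding benign", scenario_colluding_benign),
                      ("colluding alarm", scenario_colluding_alarm)):
        posterior, majority = run()
        print(f"{name}: fused P(false)={posterior:.3f}, "
              f"majority says {'FALSE' if majority else 'genuine'}")
```

In both constructed scenarios the majority vote follows the three neighbours, while the fused posterior follows the trusted RSU and the local engine, which is the behaviour the text asks for.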
Finally, we note that the number of detectors and verifiers in a gigantic network like IoT can be hundreds or many more. A non-trivial question is how to update such detectors without interrupting the protection. Also, we need to remotely install detectors for on-demand devices, e.g., when clients request them. We address this issue by using an SDN-based control application and a distribution mechanism based on delivering compiled filters to programmable devices. The update mechanism and its evaluation are performed on the DDoS defense architecture, which is presented at the end of Chapter 4 and in our published paper [25].
2 Being able to deal with high-mobility attackers or large-scale traffic flow
3 Being able to detect the attacks near their source
While we are embracing and engaged with the evolution of new technologies such as 5G/B5G (footnote 10), the approach in this work also leans on proposing a robust framework which can serve well the protection requirements of specific applications, while also being easier to implement (i.e., a software-oriented approach) with a minimum requirement on the readiness of core technologies, e.g., MEC servers. Also, by pursuing the approach of designing a security protection architecture in general and then implementing its instances, we hopefully get to the bottom line of the core problems, which we might never have seen in developing a standalone security/detection solution. We hope that the findings from this whole process will contribute valuable information to the research community and further to developing more complicated solutions/prototypes in the future.
1.6 Contributions
This work consists of two main contributions:
• TrioSys, a robust and effective platform for detecting and filtering attacks in IoT, particularly compatible with 5G applications and network models.
• A novel near-source detection for DDoS defense in mobile networks and two physical-signal-driven verification mechanisms for misbehavior detection in V2X.
Also, besides our comprehensive survey on state-of-the-art attacks against network availability/data authenticity and countermeasure approaches, our findings on relevant security issues can certainly provide useful suggestions for future work.
1.7 Structure of the Dissertation
This dissertation is organized in six chapters with three main parts. In the first part, Chapter 1 and Chapter 2, we introduce and motivate our work and provide fundamental information about the collaborative security approach, problem statement, remaining challenges and assistive technologies used in our work. The main contributions of our work are presented in the second part, including Chapter 3, Chapter 4, and Chapter 5. First, we present a robust conceptual security defense framework that collaborates various engines at multiple layers of IoT (Chapter 3). Then we present the architectural implementation in two specific cases, the attacks against the IoT eMBB slice (Chapter 4) and the IoT uRLLC slice (Chapter 5). The novel mechanisms for malicious traffic detection and for verifying the truthfulness of data are detailed in these two chapters. In the last part, i.e., Chapter 6, we conclude the dissertation and overview the principle of our findings for the questions and problems listed above.
Footnote 10: Beyond 5G.
Chapter 2
Background
Before addressing the research problems in detail, in this chapter we give an overview of the IoT network structure and relevant security issues. Through a glance at the security and enabling technologies in IoT, we address the featured attacks and defense approaches dominating the field and locate our research position. Since our defense solutions are based primarily on the availability of several prerequisites, e.g., edge servers, the enabling technologies supporting our work are also highlighted in this chapter. A significant proportion of the information and perspectives in this chapter are partially derived from the survey in our published papers, e.g., [8], [25].
2.1 Internet of Things and existing security issues: A glance
IoT technologies are booming and promise to reshape the way of human interaction. According to IHS Statista 2018 [9], the number of IoT devices can soar over 70 billion in 2025, and 70% of them will be low-power and low-cost devices. Since IoT networks may connect the devices of various applications in different networks, e.g., LoRa or wired, heterogeneity issues are inevitable. The challenge of such heterogeneous networks is to keep such devices in secure communication while satisfying the stringent requirement of limited resources or energy.
From the energy usage and computing capacity, IoT devices can be categorized into two types: constrained or unconstrained ones. The constraints may refer to energy, computation, and cost. For example, constrained devices include sensors that may cost no more than 10 USD and have little capacity for self-computation, e.g., LoRa devices. In contrast, unconstrained devices consist of a wide range of devices from smartphones to autonomous vehicles. Their characteristics are an abundant energy source or easy recharging, self-computation ability, and high cost if the deployment requires many device units. An overview of a conceptual IoT architecture and layer classification by coverage and relevant business sectors is presented in Fig. 2.1.1. A glance of IoT devices is shown in Fig. 2.1.2.
Figure 2.1.1: A conceptual IoT architecture and layer classification by coverage and business sector (figure; labels: Home surveillance, Water metering, Vehicle-to-everything, Smart health, IoT Gateway, 4G, Application Platform/IoT API services; communication range 10 m - 50 km, latency > 1 s; communication range 20 m - 5 km, latency < 1 s).
Unfortunately, whether these IoT devices are constrained or not, many of them may not come with state-of-the-art and reliable security mechanisms [20] due to the following reasons:
1. In the profit-driven business, security is often an afterthought for most manufacturers, i.e., not given priority over functionality [20]. Notably, data of some devices conveyed over the air interface are unencrypted [30]-[33] or secured with weak cryptographic schemes. For example, Table 2.1.1 illustrates the security schemes defined in the IEEE 802.15.4 standard for IoT mTC networks, where the cryptographic schemes lower in the table are more secure. Unfortunately, implementations of any security practice are heavy in terms of resource usage, and a Low-power Wireless (LPW) device may be too constrained to adopt all security recommendations. To keep the cost of the device to a minimum [21], the manufacturers may not prefer the most reliable security scheme. That means the sensors, equipment, and their connected networks are potentially vulnerable to security attacks.
Figure 2.1.2: A glance of IoT devices. The IoT devices can be categorized into two types: constrained or unconstrained ones. The constraints may refer to energy, computation and cost.
Table 2.1.1: Security modes in IEEE 802.15.4
Cryptography scheme   Description                Confidentiality   Integrity
AES-CCM-32            Encryption & 32-bit MAC    X                 X
AES-CCM-64            Encryption & 64-bit MAC    X                 X
AES-CCM-128           Encryption & 128-bit MAC   X                 X
2. Due to the priority of producing low-cost devices, most manufacturers may cut off security maintenance (such as never issuing a security patch for the devices in their lifetime). Unfortunately, this bad behavior is not uncommon [20], [34]. Lacking regular protection measures weakens the sensors' ability to resist security attacks, even those exploiting well-known vulnerabilities.
3. The attached energy source of an LPW device is limited and sometimes hard to replace (e.g., mounted in the body of objects or scattered across a wide range of inaccessible terrain). Any damage to the battery may require a long time and high cost to maintain.
4. The nature of open wireless medium access makes major IoT networks susceptible to security attacks, e.g., jamming or gathering information via sniffing by unauthorized devices in range.
Lacking reliable security mechanisms in communication protocols, lacking maintenance ability, and the inconsistency of such protection models are thus the top reasons why IoT networks are more vulnerable to security attacks than conventional networks.
According to our survey [8], the networking technologies connecting those devices are adapted to the constraints, including the protocol stacks (as illustrated in Fig. 2.1.3). As a result, the security attacks in each network type have specific characteristics. For instance, distributed denial-of-service attacks primarily appear to target unconstrained devices, but few such attacks are found in the rest. In contrast, Energy Depletion Attacks (EDA) may intentionally target battery-equipped devices, e.g., Zigbee-based motes, to degrade their limited energy. An overview of the security attacks in IoT has been listed in Fig. 1.2.1, Chapter 1. Also, through our thorough survey [8], we see that security attacks on LPW networks have not yet become widespread in practice, at least at the moment of this writing (possibly because most LPW networks are intranets or deployed for testing purposes), let alone their direct impact on human life. Therefore, with our strongest motivation on the critical applications, in this work we focus on two notorious attacks on unconstrained IoT networks: DDoS against the network availability of current cellular networks and data forgery dissemination attacks in next-generation vehicular communication (5G V2X). The details of these attacks are covered in Chapter 4 and Chapter 5.
2.2 Enabling technologies promoting the changes to IoT security research
To keep our research in touch with up-to-date technologies, in this section we present several prerequisites that are supposed to be used in building the functionality of our system (in the next chapters). For each term, we cover an overview and then hint at its role in our work. In other words, the summary in this chapter provides a brief on how each assisting technology contributes to building the components of TrioSys.
Figure 2.1.3: The relationship of low-power personal networks (LPAN)/low-power wide area networks (LPWAN) and IP-based protocol stacks (Internet domain). Most protocols in both domains are changed to satisfy the energy consumption requirement and the simplicity of LPW devices. (Figure; LPWAN domain stack: Low-Power PHY (IEEE 802.15.4), Low-Power MAC (IEEE 802.15.4), 6LoWPAN, RPL, IPv4, IPv6, TCP/UDP, CoAP, MQTT, Application; Internet domain stack: PHY (802.3, 802.11, 802.16, LTE), MAC (802.3, 802.11, 802.16, LTE), Application (RESTful API).)
5G connectivity technology
4G is the fourth generation of broadband cellular network technology, which has been commercially deployed since 2009. Interestingly, most commercial cellular infrastructures over the world are still running 4G or possibly its advanced versions (e.g., LTE-Advanced, LTE-Advanced Pro). Although 4G may soon be replaced by 5G, so far most available devices and simulation frameworks have been developed based on the 4G standards. Thus, several of our evaluations still rely on the 4G structure, e.g., in [6]; however, even in that case, we also suggest several modifications where necessary for future networks.
5G is a commonly used term for certain advanced wireless technologies of the fifth-generation networking and a hot research field. Besides the term 5G meaning the network technology using the spectrum under 6 GHz, industry associations such as 3GPP recommend referring to 5G as any system using "5G NR" (5G New Radio, on the consensus by late 2018). 5G-relevant communications such as 5G cellular-V2X and 5G for industrial IoT fall under this term. A 5G network architecture is illustrated in Fig. 2.2.1. Several glossary terms consist of Policy Control Function (PCF), Network Repository Function (NRF), Network Slice Selection Function (NSSF), Unified Data Management (UDM), User Plane Function (UPF), Access and Mobility Function (AMF), and Session Management Function (SMF). The details of the 5G architecture can be found in technical specifications issued by associations and standards organizations such as 3GPP and the International Telecommunication Union (ITU) [35]. In this architecture, our security system contributes to the UPF layer, particularly the Local Area Data Network (LADN). For 5G, LADN implies a network accessed only in specific locations or small geographical areas, so-called cells. Like existing cellular networks, when a user moves from one cell to another, their 5G-supported devices will be automatically handed over to the new cell without interruption to the communication. Note that the new 5G devices also have 4G LTE capability, as the new networks use 4G for initially establishing the connection with the cell [35], as well as in locations where 5G access is unavailable.
Figure 2.2.1: A 5G network architecture and the position of our system (figure; labels: RAN, DU, CU, UE, AMF, AUSF, SMF, Regional Certificate, Data Network (LA/DN), Virtualization Infrastructure, MEC App, MEC Cache, Our system).
The details of these mechanisms are presented in Chapter 5.
Multi-access Edge Computing
MEC is under development, and it is intended to form an open standard and extend edge computing capabilities in various networks owned by different operators. MEC promises to be a fundamental component of 5G/B5G, and can be deployed near the eNodeB/gNB [36], [37]. It is supposed to handle both user traffic and control traffic to perform related processing tasks near the clients. Due to such features, MEC can significantly help the built-in security defenses to detect and eliminate unwanted traffic close to the sources, or cut off attacks such as DDoS before they become volumetric [38]. Without loss of generality, we assume that MEC servers can decode information from all protocol stack layers to provide processing capacity and packet orientation towards proper operations, due to their inherent features of collecting real-time network data like subscriber locations and movement directions [36]. We also suppose that MEC servers collect the raw data streams from registered IoT and mobile devices, classify them into different groups on the basis of the type of data, and then transmit them to the corresponding MEC-based applications.
In our security architecture model, the detection engine and filtering modules are native MEC-based applications. Combining a chain of various engines can help achieve the goals of preventing and mitigating many attacks, even if they start from different slices. The position of our MEC-based detectors is illustrated in Fig. 2.2.2.
Figure 2.2.2: The abstract of a multi-access edge computing system [23] and the position of our proposal (bold/red color). Our system resides in MEC VNFs.
Software-defined networks and Programmable network model
The explosion of IoT and mobile devices, virtualization technologies, and the advent of cloud services are driving the networking industry to re-examine conventional architectures. The first target of SDN is to simplify network complexity by disassociating the forwarding process of network packets (i.e., the data plane) from the routing process (i.e., the control plane), and then leveraging the powerful ability of centralized servers in the cloud to handle the control plane. However, several challenges of SDN, such as security, scalability, and elasticity [39], give few options for SDN technologies to replace the traditional networking model. Recently, several industrial SDN frameworks, e.g., Open Network Operating System (ONOS) [40], [41], promise to offer valuable implementations for overcoming both scalability and elasticity issues. The cluster model of SDN controllers is thus the key to mitigating the signaling overload of the control plane. ONOS also becomes the core of the CORD™ project (Central Office Re-architected as a Datacenter), which is intent on a complete integrated platform for services such as Internet-as-a-service and monitoring-as-a-service. In a case of this work [25], we also have implemented the control part of our system by using the ONOS APIs and SDN control architecture to evaluate the scalability of the architecture in the next-generation network model.
Without a programmable data plane, the development of SDN switches may rely on the view of various vendors/manufacturers. A promising trend is to abstract the forwarding layer to a programmable model, e.g., Protocol-Independent Switch Architecture (PISA). This model enables flexible mechanisms for parsing packets and matching headers, and thus frees programmers from heavy dependence on the hardware framework of a specific vendor. At present, producing high-performance and reliable commodity devices is a competitive race among major switch manufacturers (vendor-supplied), e.g., Barefoot Tofino [42]. Many implementations [43] have targeted a programmable data plane model. For example, P4 is a leading open-source language, well supported by a large number of technical contributions from companies, universities and individuals. P4 programs are designed in the spirit of the PISA architecture and can run on targets such as general-purpose CPUs, system(s)-on-chip, network processors, and ASICs [44]. In our model, P4 is primarily used to implement the detectors for programmable devices such as BMv2 switches [25].
Service chaining & Security as a service
Service function chaining (SFC) is a capability that leverages SDN capabilities to create achain of connected network services (e.g., firewalls and intrusion detection systems) in a