Section: New Results

Orchestration

Mutualization of Monitoring Functions in Edge Computing

Participants : Jérôme François [contact] , Mohamed Abderrahim [Orange Labs] , Meryem Ouzzif [Orange Labs] , Karine Guillouard [Orange Labs] , Adrien Lebre [STACK Inria team, IMT Atlantique] , Charles Prud'Homme [IMT Atlantique] , Xavier Lorca [IMT Mines Albi, France] .

By relying on small-sized and massively distributed infrastructures, the edge computing paradigm aims at supporting the low-latency and high-bandwidth requirements of the next generation of services that will leverage IoT devices (e.g., video cameras, sensors). To favor the advent of this paradigm, management services similar to the ones that made the success of cloud computing platforms should be proposed. However, they should be designed to cope with the limited capabilities of the resources located at the edge; in that sense, they should keep their footprint as small as possible. Among the different management services that need to be revisited, we investigated the monitoring service in [10]. Monitoring functions tend to become compute-, storage- and network-intensive, in particular because they will be used by a large share of applications that rely on real-time data. To reduce the footprint of the whole monitoring service as much as possible, we proposed to mutualize identical processing functions among different tenants while ensuring their quality-of-service (QoS) expectations. We formalized our approach as a constraint satisfaction problem and showed through micro-benchmarks its relevance for reducing compute and network footprints.

This work has been achieved in the context of the Inria-Orange joint lab (section 9.2.2.1).

Software-Defined Security for Clouds

Participants : Rémi Badonnel [contact] , Olivier Festor, Maxime Compastié.

Cloud infrastructures provide new facilities to build elaborate added-value services by composing and configuring a large variety of computing resources, from virtualized hardware devices to software products. They are, however, more exposed to security attacks than traditional environments. We have pursued our efforts on a software-defined security strategy based on the TOSCA language, in order to support the protection of cloud resources using unikernel techniques [11]. This language enables the specification of cloud services and their orchestration. We have extended it to drive the integration and configuration of security mechanisms within cloud resources, at the design and operation phases, according to different security levels. We rely on unikernel techniques to build cloud resources from a minimal set of libraries, in order to reduce the attack surface. We have designed a framework that interprets this extended language and generates and configures protected unikernel virtual machines in accordance with contextual changes. The adaptation is typically performed by regenerating the protected unikernel virtual machines dynamically. We have quantified the benefits and limits of this approach through extensive series of experiments. As future work, we are interested in investigating security issues specifically related to cloud resource migrations, and in evaluating to what extent our hardening techniques can be complemented by security chains.

This work has been achieved in the context of the Inria-Orange joint lab (section 9.2.2.1).

Chaining of Security Functions

Participants : Rémi Badonnel [contact] , Abdelkader Lahmadi, Stephan Merz, Nicolas Schnepf.

Software-defined networking offers new opportunities for protecting end users and their applications. It enables the elaboration of security chains that combine different security functions, such as firewalls, intrusion detection systems, and services for preventing data leakage. In that context, we have continued our efforts on the orchestration and verification of security chains, in collaboration with Stephan Merz from the VeriDis project-team at Inria Nancy, culminating in the PhD defense of Nicolas Schnepf in September 2019 [3]. In particular, we have proposed this year an approach for automating the merging of security chains in software-defined networks [24]. This method complements the inference-based generation techniques that we proposed in [9]. The merging algorithms are designed to compose several security chains into a single one, in order to minimize the number of security functions and rules while preserving the semantics of the initial chains. The algorithms have been implemented in Python and integrated into a proof-of-concept prototype that also contains the learning and inference components [23]. The performance of this implementation has been evaluated through extensive experiments. In particular, we have compared different approaches to merging security chains in terms of the complexity of the resulting chains, their accuracy, and the overhead incurred in computing the combined chains. The proposed solution is able to minimize the number of security functions and rules. It also facilitates the building of security chains at runtime, by decoupling it from the generation of individual chains.
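The following is an added illustration of the merging idea described above; it is not the prototype's code from [23] or [24], and the chain model (one function per kind, ordered match/action rules, first match wins) and the sample chains are constructed for the example. It shows the two properties the paragraph names: the merged chain has fewer functions and rules than the inputs put together, and a semantics check confirms that every rule of every input chain still yields the same action, with genuine conflicts (same match, different action) reported rather than silently resolved.

```python
"""Toy merge of security chains built from firewall / IDS / DLP functions.

Model (constructed for this example): a chain is an ordered list of security
functions, each carrying an ordered list of (match, action) rules; first match
wins. Merging unions the rules of functions of the same kind, keeps a single
copy of identical rules, and reports conflicts instead of resolving them.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    match: str   # constructed flow/signature descriptor, e.g. "tcp/443 -> 10.0.0.5"
    action: str  # what the function does on a match: "allow", "drop", "alert", "block"


@dataclass
class SecurityFunction:
    kind: str          # "firewall", "ids" or "dlp"
    rules: List[Rule]  # ordered; first match wins


Chain = List[SecurityFunction]   # ordered functions; at most one function per kind assumed


def lookup(chain: Chain, kind: str, match: str) -> Optional[str]:
    """Action that the `kind` function of `chain` gives to `match` (None if no rule)."""
    for fn in chain:
        if fn.kind == kind:
            for r in fn.rules:
                if r.match == match:
                    return r.action
            return None
    return None


def merge_chains(chains: List[Chain]) -> Tuple[Chain, List[Tuple[str, str, str, str]]]:
    """Union rules per function kind, deduplicate identical rules, report conflicts.

    A conflict is the same match carrying different actions in two input chains:
    the first action seen is kept and (kind, match, kept, other) is returned so
    the caller can decide, because no single rule preserves both semantics.
    """
    merged: Dict[str, SecurityFunction] = {}   # kind -> merged function, first-seen order
    conflicts: List[Tuple[str, str, str, str]] = []
    for chain in chains:
        for fn in chain:
            target = merged.setdefault(fn.kind, SecurityFunction(fn.kind, []))
            existing = {r.match: r.action for r in target.rules}
            for r in fn.rules:
                if r.match in existing:
                    if existing[r.match] != r.action:
                        conflicts.append((fn.kind, r.match, existing[r.match], r.action))
                    continue   # identical rule already present: keep one copy only
                target.rules.append(r)
                existing[r.match] = r.action
    return list(merged.values()), conflicts


def preserves_semantics(chains: List[Chain], merged: Chain) -> bool:
    """Every rule of every input chain yields the same action in the merged chain."""
    return all(lookup(merged, fn.kind, r.match) == r.action
               for chain in chains for fn in chain for r in fn.rules)


def count_rules(chain: Chain) -> int:
    return sum(len(fn.rules) for fn in chain)


# Constructed sample: two per-application chains that partly overlap, plus a
# third chain that contradicts the first one on a firewall rule.
CHAIN_A: Chain = [
    SecurityFunction("firewall", [Rule("tcp/443 -> 10.0.0.5", "allow"),
                                  Rule("tcp/23 -> any", "drop")]),
    SecurityFunction("ids", [Rule("sig:shellshock", "alert")]),
]
CHAIN_B: Chain = [
    SecurityFunction("firewall", [Rule("tcp/443 -> 10.0.0.5", "allow"),
                                  Rule("udp/53 -> 10.0.0.2", "allow")]),
    SecurityFunction("ids", [Rule("sig:shellshock", "alert"),
                             Rule("sig:sqli", "alert")]),
    SecurityFunction("dlp", [Rule("pattern:credit-card", "block")]),
]
CHAIN_C: Chain = [SecurityFunction("firewall", [Rule("tcp/23 -> any", "allow")])]

if __name__ == "__main__":
    merged, conflicts = merge_chains([CHAIN_A, CHAIN_B])
    print(f"functions: {len(CHAIN_A) + len(CHAIN_B)} -> {len(merged)}, "
          f"rules: {count_rules(CHAIN_A) + count_rules(CHAIN_B)} -> {count_rules(merged)}")
    print("semantics preserved:", preserves_semantics([CHAIN_A, CHAIN_B], merged))
    _, conflicts = merge_chains([CHAIN_A, CHAIN_C])
    print("conflicts A+C:", conflicts)
```

The semantics check is deliberately separate from the merge: in a real deployment it is the property to verify after any composition, since a merge that only counts functions and rules can quietly change what a flow is allowed to do.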

Software-Defined Traffic Engineering to Absorb Influx of Network Traffic

Participants : Jérôme François [contact] , Abdelkader Lahmadi, Romain Azais [MOSAIC team] , Benoit Henry [IMT Lille Douai] , Shihabur Chowdhury [University of Waterloo] , Raouf Boutaba [University of Waterloo] .

Existing shortest-path-based routing in wide area networks and equal-cost multi-path routing in data center networks do not consider the load on the links when making routing decisions. As a consequence, an influx of network traffic stemming from events such as distributed link flooding attacks or data shuffles during large-scale analytics can congest network links even though the network has sufficient capacity on alternate paths to absorb the traffic. This can have several negative consequences, including service unavailability, delayed flow completion and packet losses. In this regard, and in the context of the NetMSS associate team (section 9.4.1.1), we proposed SPONGE [15], a traffic engineering mechanism for handling sudden influxes of network traffic. SPONGE models the network as a stochastic process, takes the switch queue occupancy and traffic rate as inputs, and leverages the multiple available paths in the network to route traffic in a way that minimizes the overall packet loss in the network. We demonstrated the practicality of SPONGE through an OpenFlow-based implementation, in which we periodically and pro-actively reroute network traffic onto the routes computed by SPONGE. Mininet emulations using real network topologies show that SPONGE reduces packet drops by 20% on average, even when the network is highly loaded because of an ongoing link flooding attack.
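To make the problem statement above concrete, here is an added example that is not SPONGE's code and does not implement its stochastic model: the topology, capacities and current loads are constructed, and the per-path loss is a deterministic simplification (traffic in excess of a link's capacity is counted as dropped). It contrasts the three strategies the paragraph discusses: hop-count shortest path, which ignores load and drops packets on the saturated direct link; a load-aware choice of the single path with the most headroom; and a proportional spread over all available paths, which absorbs a burst as long as the network's total spare capacity suffices.

```python
"""Load-aware path selection versus plain shortest path (simplified illustration).

Constructed model: directed links carry a capacity and a current load (Mb/s).
A traffic burst is routed (a) on the hop-count shortest path, (b) on the path
with the largest bottleneck headroom, or (c) spread over all loop-free paths in
proportion to their headroom. Loss on a path is the excess of load over
capacity on its most congested link; this is not SPONGE's stochastic model.
"""
from typing import Dict, List, Optional, Tuple

Link = Tuple[str, str]
Path = List[str]

# Constructed topology: S reaches D directly (1 hop) or via R1 / R2 (2 hops).
# The direct link is almost saturated; the detours have plenty of headroom.
CAPACITY: Dict[Link, float] = {
    ("S", "D"): 100, ("S", "R1"): 100, ("R1", "D"): 100, ("S", "R2"): 100, ("R2", "D"): 100,
}
LOAD: Dict[Link, float] = {
    ("S", "D"): 90, ("S", "R1"): 20, ("R1", "D"): 30, ("S", "R2"): 60, ("R2", "D"): 10,
}


def all_paths(src: str, dst: str, links: List[Link], path: Optional[Path] = None) -> List[Path]:
    """Depth-first enumeration of loop-free paths; adequate for small topologies."""
    path = (path or []) + [src]
    if src == dst:
        return [path]
    found: List[Path] = []
    for a, b in links:
        if a == src and b not in path:
            found.extend(all_paths(b, dst, links, path))
    return found


def path_links(path: Path) -> List[Link]:
    return list(zip(path, path[1:]))


def spare_capacity(path: Path, capacity: Dict[Link, float], load: Dict[Link, float]) -> float:
    """Bottleneck headroom: the smallest (capacity - load) over the path's links."""
    return min(capacity[l] - load[l] for l in path_links(path))


def drops_on(path: Path, extra: float, capacity: Dict[Link, float], load: Dict[Link, float]) -> float:
    """Traffic lost if `extra` Mb/s is pushed along `path` on top of the current load."""
    return max(0.0, max(load[l] + extra - capacity[l] for l in path_links(path)))


def shortest_path(paths: List[Path]) -> Path:
    return min(paths, key=len)            # hop count only: link load is ignored


def load_aware_path(paths: List[Path], capacity: Dict[Link, float], load: Dict[Link, float]) -> Path:
    return max(paths, key=lambda p: spare_capacity(p, capacity, load))


def split_burst(paths: List[Path], burst: float, capacity: Dict[Link, float],
                load: Dict[Link, float]) -> Dict[Tuple[str, ...], float]:
    """Spread `burst` over all paths in proportion to their spare capacity."""
    spare = {tuple(p): max(0.0, spare_capacity(p, capacity, load)) for p in paths}
    total = sum(spare.values())
    if total == 0:                        # no headroom anywhere: fall back to an even split
        return {p: burst / len(paths) for p in spare}
    return {p: burst * s / total for p, s in spare.items()}


def drops_after_split(paths: List[Path], burst: float, capacity: Dict[Link, float],
                      load: Dict[Link, float]) -> float:
    """Total loss when the burst is spread with split_burst."""
    return sum(drops_on(list(p), share, capacity, load)
               for p, share in split_burst(paths, burst, capacity, load).items())


if __name__ == "__main__":
    paths = all_paths("S", "D", list(CAPACITY))
    for burst in (50, 120, 150):
        sp, la = shortest_path(paths), load_aware_path(paths, CAPACITY, LOAD)
        print(f"burst {burst} Mb/s: shortest {sp} drops {drops_on(sp, burst, CAPACITY, LOAD)}, "
              f"load-aware {la} drops {drops_on(la, burst, CAPACITY, LOAD)}, "
              f"split drops {drops_after_split(paths, burst, CAPACITY, LOAD)}")
```

With the constructed loads the network has 120 Mb/s of total headroom: a 50 Mb/s burst loses 40 Mb/s on the direct link but nothing on the load-aware detour, a 120 Mb/s burst is absorbed without loss only when spread over all three paths, and beyond that point every strategy must drop exactly the excess over total spare capacity, which is the regime in which rerouting no longer helps and the flooding traffic itself has to be filtered.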