Improving Security in A Virtual Network by Using Attribute Based Encryption Algorithm
Abstract— The creation of a network for an organization or a firm can be a multifarious task, especially if there are a large number of nodes, middle-boxes and security nodes to be integrated in the network. This paper introduces the integration of the ABE algorithm into a virtual network security system called the NETSECVISOR in order to achieve authentication of the users involved in the network and confidentiality of the data transmitted or received. A virtual network relieves administrators and network designers of this complexity, not only by reducing the number of devices required to a specific workstation that takes as input the various policies pertaining to the packets to be sent, but also by including various routing rules and response techniques for malicious attacks. The Attribute Based Encryption (ABE) algorithm is used to improve the security of an existing virtual network security system called the NETSECVISOR. The ABE algorithm uses attributes that are known to the participants involved in the transmission and reception of packets. This eases the creation and retrieval of keys for encryption and decryption, notwithstanding the performance of the security that will be enhanced for the virtual network.

Keywords—Virtual network; network security; Software Defined Networking; Open Flow; Attribute Based Encryption algorithm.

I. INTRODUCTION

Security in networks is mandatory at present due to the various new improvements in the field of communication. The security provided in the network should be efficient in all ways. Network security mainly consists of numerous policies to keep the entire network with guaranteed security. A critical part of providing security for a network is network management, which varies with the kind of situation. Network security involves the authorization of access to data in a network, which is typically handled by a network administrator or system administrator who implements the security policy, network software and hardware that is needed to protect the network. Resources accessed through the network have to be quarantined from unauthorized access, thus ensuring that authorized personnel have adequate access to the network and the resources to work upon. Users choose or are assigned an ID and password or other authenticating information that allows them access to information and programs within their authority.

For instance, a Network Intrusion Detection System (NIDS) can be deployed to monitor attacks, and a network anomaly detection system can be used to detect DoS attacks. The NIDS monitors traffic and reports its results to the administrator, but it cannot automatically take action to prevent the detected attack. Attackers are capable of exploiting vulnerabilities very quickly once they enter the network, rendering the NIDS an inadequate deployment as a prevention device. The most common and simple way of protecting a network resource is by assigning it a unique name and a corresponding password. Even the data can be encrypted and sent to the end user for the maintenance of security in the network. The encryption techniques can be changed based on the data transmission in the network.

Here, Network Security Virtualization (NSV) [1] leverages preinstalled, static security devices and provides dynamic, flexible, and on-demand security services to the users. The NSV technology delivers or redirects a flow to the defined security middle-boxes (regardless of their actual physical location) automatically and transparently, and each user need not know about the location or the number of security devices in the network. Network virtualization facilitates the movement of virtual servers because the virtual network is designed to be hidden from the physical devices. Implementing a firewall to address every security problem is no longer a supported practice in security organizations because of the cocktail of techniques used by attackers. The use of virtualization technologies comes with many benefits such as agility, flexibility and cost efficiency. Networking in its early days was complicated, as it had to consider the various devices to be connected along with the supporting topologies, followed by the large amount of hardware for its connections. The practice of using a network of remote servers hosted on the Internet to store, manage, and process data, rather than a local server or a personal computer, has formed the basis on which cloud storage is implemented.

This new enhancement provided the grounds for integrating the concept of networking into a virtual one. Network
The NETSECVISOR consists of five main modules: (i) Device and policy manager, (ii) Routing rule generator, (iii) Flow rule enforcer, (iv) Response manager, and (v) Data manager.

The Device and policy manager is in charge of two main functions. First, it receives the information of security devices from a cloud administrator and stores that information in a device table in NETSECVISOR for further usage. Second, this module also receives security requests from each network tenant, translates them into security policies and stores the policies in a policy table. Thus, this module finally provides us with the following information: (i) locations/types of security devices from a cloud administrator and (ii) security policies from each tenant. It makes our system handle network security devices easily.

The Response manager receives detection results from security devices, and it enables the security response strategies that are defined in security policies when needed. For example, if a tenant defines a security policy to drop all corresponding packets when a threat is detected by a NIDS, the response manager will enable the drop function to discard network packets belonging to the detected network flows on a network device. Enabled functions will be realized as a set of network flow rules, which are sent to routers or switches, and thus we can

Fig. 1. Architecture of the NETSECVISOR using ABE Algorithm

c. Proposed Prototype

The proposed prototype comprises the collaboration of the Network Formation, the Device and policy manager, the Response manager, the various routing algorithms, the Flow enforcer, the Data Manager and the Encryption algorithm. The following modules are described in the sections below: (i) Cloud network formation, (ii) NIDS, (iii) Encryption.

i. Cloud Network Formation

Being at an experimental level, we consider the possibility of both wired and wireless connections. The network formation includes the creation of 10 static router nodes and a Network Intrusion Detection System (NIDS). By this the various endpoints of a network are established. Since these are static routers, they involve a wired connection, or in other words a duplex wired link between the router nodes and the NIDS.

Fifty tenants are created that have wireless or wired links between them. The next step that follows is to configure mobile IPs in the wireless network created. Since the wired devices are assigned an IP in the network, they need not be bothered with that complication.
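The device table, policy table and detection-to-flow-rule chain described above, as an added Python illustration written for this page (it is not the NETSECVISOR prototype's own code). The tenant request syntax "nids: drop", the device names, tenants and addresses, the rendering of rules in ovs-ofctl add-flow syntax, and the reading of "isolate" as a drop of everything the offending host sends are all assumptions made for the example.

```python
"""Added example (not the paper's or NETSECVISOR's code): a minimal model of
the Device and policy manager, the Response manager and the translation of
an enabled response into OpenFlow-style flow rules. Names, addresses and the
request syntax are constructed for illustration."""
from dataclasses import dataclass

VALID_ACTIONS = ("drop", "isolate", "forward", "redirect")


@dataclass(frozen=True)
class SecurityDevice:
    name: str
    kind: str         # e.g. "nids"
    mode: str         # "passive" or "inline"
    switch: str       # switch the device hangs off
    port: int         # switch port leading to the device


@dataclass(frozen=True)
class Policy:
    tenant: str
    device_kind: str
    on_detect: str    # one of VALID_ACTIONS


@dataclass(frozen=True)
class Detection:
    device: str
    tenant: str
    switch: str       # switch on which the flow was seen
    src_ip: str
    dst_ip: str
    proto: str        # "tcp" or "udp"
    dst_port: int


class DevicePolicyManager:
    """Device table (from the cloud administrator) and policy table (from
    tenants), as in the module description above."""

    def __init__(self):
        self.device_table = {}   # name -> SecurityDevice
        self.policy_table = {}   # (tenant, device_kind) -> Policy

    def register_device(self, device):
        self.device_table[device.name] = device

    def add_request(self, tenant, request):
        """Parse a tenant request of the (constructed) form
        '<device kind>: <action>' into a Policy and store it."""
        kind, sep, action = request.partition(":")
        kind, action = kind.strip().lower(), action.strip().lower()
        if not sep or action not in VALID_ACTIONS:
            raise ValueError(f"unparseable security request: {request!r}")
        policy = Policy(tenant, kind, action)
        self.policy_table[(tenant, kind)] = policy
        return policy


class ResponseManager:
    def __init__(self, manager):
        self.manager = manager

    def on_detection(self, det):
        """Return (switch, match, action) rules realizing the tenant's policy
        for this detection, or [] when no registered device/policy applies."""
        device = self.manager.device_table.get(det.device)
        if device is None:
            return []   # a result from an unregistered device is ignored
        policy = self.manager.policy_table.get((det.tenant, device.kind))
        if policy is None:
            return []
        flow = {"nw_src": det.src_ip, "nw_dst": det.dst_ip,
                "proto": det.proto, "tp_dst": det.dst_port}
        if policy.on_detect == "drop":
            return [(det.switch, flow, "drop")]
        if policy.on_detect == "isolate":
            # Assumption: isolate = drop everything the offending host sends.
            return [(det.switch, {"nw_src": det.src_ip}, "drop")]
        if policy.on_detect == "redirect":
            # Steer the flow out of the port that leads to the in-line device.
            return [(det.switch, flow, f"output:{device.port}")]
        return [(det.switch, flow, "normal")]   # forward: ordinary switching


def to_ovs_flow(match, action, priority=100):
    """Flow rule enforcer step: render one rule in ovs-ofctl add-flow syntax."""
    parts = [f"priority={priority}", match.get("proto", "ip")]
    parts += [f"{k}={match[k]}" for k in ("nw_src", "nw_dst", "tp_dst") if k in match]
    return ",".join(parts) + f",actions={action}"


def demo_response():
    dpm = DevicePolicyManager()
    dpm.register_device(SecurityDevice("nids-1", "nids", "passive", "s1", 3))
    dpm.add_request("tenant-A", "nids: drop")
    dpm.add_request("tenant-B", "nids: isolate")
    rm = ResponseManager(dpm)
    # Constructed detection results, as a NIDS would report them.
    d1 = Detection("nids-1", "tenant-A", "s1", "10.0.1.5", "10.0.1.9", "tcp", 80)
    d2 = Detection("nids-1", "tenant-B", "s1", "10.0.2.7", "10.0.2.2", "udp", 53)
    rules = rm.on_detection(d1) + rm.on_detection(d2)
    return [to_ovs_flow(match, action) for _, match, action in rules]


if __name__ == "__main__":
    for rule in demo_response():
        print(rule)
```

The two lookups that return an empty list are the defensive part: a detection from a device the administrator never registered, or for a tenant without a policy, must not produce any rule, otherwise any host able to post a "detection" to the controller could have traffic dropped on its behalf.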
2016 International Conference on Circuit, Power and Computing Technologies [ICCPCT]
ii. NIDS (Network Intrusion Detection System)

The NIDS is the combination of the following modules: (i) Device and Policy Manager, (ii) Routing Rule Generator, (iii) Response Manager, (iv) Data Manager, (v) Flow Rule Enforcer.

I. Device And Policy Manager

The device and policy manager collects information about the security devices and stores it in a table. Our experiment may focus on a handful of security devices, but when implemented on a real-world basis there can be many more than a handful. For this purpose we include the table that stores the information of these devices. After the security devices have been stored in the table, the NIDS receives security requests from tenants. These have to be parsed into security policies that are understood by the NIDS and stored in a policy table.

II. Response Manager

The response manager receives detection results from the security devices. If a certain packet is found to be malicious, the corresponding action is taken after determining whether the packet flows through a passive or an in-line routing path.

The passive response strategies include only the Passive Drop/Isolate.

The in-line response strategies include:
• In-line mode Forward
• In-line mode Drop/Isolate
• In-line mode Redirect.

III. Routing Rule Generator

The routing rule generator creates routing paths to control each network flow. There are 4 routing algorithms that are implemented through the routing rule generator:
• Multipath Naïve
• Shortest-through
• Multipath shortest
• Shortest In-line

a) Multipath Naïve
First, we design a simple algorithm to visit each security node regardless of the path between a start node and an end node. In this algorithm, NETSECVISOR first finds the shortest path between a start node and an end node. Then, NETSECVISOR also discovers the shortest paths between the start node and each security node. Once NETSECVISOR has all paths, it delivers packets along all of the obtained paths. This approach is based on a function of OpenFlow which can send network packets to multiple output ports of a router. Thus, NETSECVISOR can send network packets along different paths simultaneously.

b) Shortest-through
The second approach is to find the shortest path between a start node and an end node that passes through each intermediate security node. Finding this path is more complicated than finding the shortest path between two nodes, because in this case we must make sure that the found path includes all intermediate nodes. To do this, NETSECVISOR finds all possible connection pairs.

c) Multipath-shortest
OpenFlow supports the function of sending out network packets to multiple output ports of a router simultaneously, and Algorithm 1 is based on this function. However, it may not be efficient, because it can create multiple redundant network flows. Thus, we propose an enhanced version of Algorithm 1. This approach does not find the shortest path between a start node and each security node; instead it finds the node on the shortest path between the start node and the end node that is closest to a security node. If it finds the node, it asks this node to send packets to multiple output ports: (i) the port connected to the next node in the shortest path, and (ii) the port(s) connected to the node(s) heading to the security node(s). Thus, network packets are delivered through the shortest path, and they are delivered to each security node as well.

d) Shortest In-Line
For passive monitoring devices, we can simply find a path passing through each security node; however, when there is a security device working in in-line mode, we are required to consider both security nodes and security links (between two nodes). Even though a path includes the two nodes of a link, it does not guarantee that the link is used by the path, because each node could be linked to other nodes. To address this issue, we modify our Algorithm 2 to make sure that it includes the security links in the generated path. Thus, Algorithm 4 has a routine that checks whether the security links are included or not.

IV. Flow Rule Enforcer

The flow rule enforcer receives the response strategies from the response manager or the routing rules from the routing rule generator and translates them into flow rules that can be understood by the OpenFlow routers/switches. Once the translation has been completed, the rules are sent to the corresponding routers or switches.

V. Data Manager

When the response of the response manager is an in-line mode action, certain packets have to be held until they are proved to be malicious or harmless. For this purpose, the data manager is used to hold the network packets that flow from the routers or switches until a security device sends its detection result to the NETSECVISOR.
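The four routing strategies of the routing rule generator above, as an added Python example; this is illustration code written for this page, not the paper's or NETSECVISOR's implementation. It uses BFS on a small constructed topology. The graph, node names and the assumption that the graph is connected are mine; the "all possible connection pairs" search of Shortest-through is realized as trying every visiting order of the security nodes, and the Shortest In-line check (uses_links) is what distinguishes a path that merely contains both endpoints of a security link from one that actually traverses it.

```python
"""Added example (not NETSECVISOR's own code): the four routing strategies of
the routing rule generator over a small constructed topology. Paths are found
by BFS on an unweighted, connected graph. A security node is a switch that a
passive device hangs off; a security link is an edge an in-line device sits on.
The topology and node names are constructed for illustration."""
from collections import deque
from itertools import permutations, product


def shortest_path(graph, start, end):
    """BFS shortest path as a list of nodes, or None when unreachable."""
    prev = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == end:
            path = []
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for nxt in graph[node]:
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    return None


def multipath_naive(graph, start, end, security_nodes):
    """Algorithm 1: the start->end shortest path plus a separate shortest
    path from start to every security node; packets are copied onto all."""
    return ([shortest_path(graph, start, end)]
            + [shortest_path(graph, start, sec) for sec in security_nodes])


def _chain(graph, waypoints):
    """Concatenate shortest paths between consecutive waypoints."""
    path = [waypoints[0]]
    for a, b in zip(waypoints, waypoints[1:]):
        seg = shortest_path(graph, a, b)
        if seg is None:
            return None
        path += seg[1:]
    return path


def shortest_through(graph, start, end, security_nodes):
    """Algorithm 2: one shortest start->end path visiting every security
    node, found by trying each visiting order (all connection pairs)."""
    best = None
    for order in permutations(security_nodes):
        cand = _chain(graph, (start, *order, end))
        if cand is not None and (best is None or len(cand) < len(best)):
            best = cand
    return best


def multipath_shortest(graph, start, end, security_nodes):
    """Algorithm 3: keep the start->end shortest path; for each security node
    pick the on-path node closest to it and branch a copy from there."""
    main = shortest_path(graph, start, end)
    branches = []
    for sec in security_nodes:
        if sec in main:
            continue  # already visited by the main path, no branch needed
        near = min(main, key=lambda n: len(shortest_path(graph, n, sec)))
        branches.append(shortest_path(graph, near, sec))
    return main, branches


def uses_links(path, links):
    """Algorithm 4's check: every security link is an actual hop of the path
    (either direction), not merely a pair of nodes that both appear."""
    hops = {frozenset(h) for h in zip(path, path[1:])}
    return all(frozenset(link) in hops for link in links)


def shortest_inline(graph, start, end, security_links):
    """Algorithm 4: shortest path that traverses each in-line security link,
    trying each link order and orientation and verifying with uses_links."""
    best = None
    for order in permutations(security_links):
        for flips in product((False, True), repeat=len(order)):
            points = [start]
            for (u, v), flip in zip(order, flips):
                points += [v, u] if flip else [u, v]
            cand = _chain(graph, points + [end])
            if cand is None or not uses_links(cand, security_links):
                continue
            if best is None or len(cand) < len(best):
                best = cand
    return best


# Constructed topology: a ring r1-r2-r3-r4-r5-r6-r1 with a cross link r3-r6.
GRAPH = {
    "r1": ["r2", "r6"], "r2": ["r1", "r3"], "r3": ["r2", "r4", "r6"],
    "r4": ["r3", "r5"], "r5": ["r4", "r6"], "r6": ["r5", "r1", "r3"],
}
```

On this topology the plain shortest path r1 to r4 is r1-r2-r3-r4, which never sees the security node r5; Shortest-through detours to r1-r6-r5-r4, Multipath-shortest keeps the main path and branches a copy only at r4 (the on-path node adjacent to r5), and Shortest In-line with the security link r5-r6 yields r1-r6-r5-r4, the orientation in which the link is really a hop of the path. The exhaustive ordering search is fine for the handful of security devices the paper's experiment uses but grows factorially, which is the scaling concern raised in the future-study section.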
iii. Encryption

Attribute-based encryption (ABE) is a relatively recent approach that reconsiders the concept of public-key cryptography. In traditional public-key cryptography, a message is encrypted for a specific receiver using the receiver's public key. Identity-based cryptography, and in particular identity-based encryption (IBE), changed the traditional understanding of public-key cryptography by allowing the public key to be an arbitrary string, e.g., the email address of the receiver. ABE goes one step further and defines the identity not as atomic but as a set of attributes, e.g., roles, and messages can be encrypted with respect to subsets of attributes (key-policy ABE, KP-ABE) or policies defined over a set of attributes (ciphertext-policy ABE, CP-ABE). The key point is that someone should only be able to decrypt a ciphertext if they hold a key for "matching attributes", where user keys are always issued by some trusted party. A particular key can decrypt a particular ciphertext only if the associated attributes and policy match.

The Attribute Based Encryption (ABE) algorithm can be implemented in cloud computing scenarios where storage and software are provided as a service. Being a virtual network, the cloud computing storage is separated into two different domains, the data owner and the cloud servers. The outsourced data content [2] is not to be accessed by the cloud servers, for confidentiality, and the data owner does not physically have full control over the data resources. Storing the security policies or data on the cloud server therefore requires an encryption mechanism to protect the security policies or data before they are outsourced to the cloud. To deal with the potential risks of privacy exposure, instead of letting the service providers encrypt the tenants' data, the sharing services should give the tenants (users / private network administrators) full control over the selective sharing of their own data.

V. CONCLUSION

This paper brings to light the concept of security in a virtual network that can be further strengthened with the help of an ABE algorithm. The virtual network operates based on the security policies that have been input to it by its trusted tenants, hence allowing the attack of non-repudiation to be nullified. The response manager deals with the manner in which the necessary actions have to be taken and rules enforced, based on the routing rules that have been initiated upon dispatch of packets. Since a network can be both dynamic and static in nature, both these modes have been taken into consideration. To further improve the security of packets that travel across the designated paths in a network, the ABE encryption algorithm is used to encrypt the packet based on the attributes of both the users and the devices involved in the particular transaction. This concept of promoting security with the help of an encryption algorithm, along with the aforementioned security parameters, is believed to be the quintessential method of building more secure and trusted virtual networks within an organization.

VI. SCOPE FOR FUTURE STUDY

Despite the various methods and strategies used for the NETSECVISOR, there is always room for further improvement and enhancement. First, the NETSECVISOR has an improved security enhancement by the addition of an encryption algorithm to its packets. While this may add to security, it can lead to delays if a large number of packets are involved in encryption and decryption. A method to reduce delay and promote speed in operations is required. Secondly, the case scenario is tested with fewer than 100 nodes that can be both wireless and wired. In a real-case scenario, there can be a larger number of nodes present. Better tests and studies are yet to be made to decide whether it will succeed in the real-world scenario. Following on from the number of nodes involved, the number of security nodes present in a network can also vary, followed by the number of paths to a security node, the number of devices it can handle at a time, the network traffic, etc. Only after experimenting in the real world can it be decided whether the number of security devices has to be increased or the processing speed of each security device has to be boosted for higher performance. Furthermore, the performance overhead of the NETSECVISOR is also to be considered. These are a few modifications that have to be considered in the future.

References

[1] Seungwon Shin, Haopei Wang, and Guofei Gu. "A First Step Towards Network Security Virtualization: From Concept to Prototype." In Proc. of IEEE, 2015.
[2] Muhammad Asim, Milan Petkovic and Tanya Ignatenko. "Attribute-based encryption and decryption outsourcing." In Proceedings of the 12th Australian Information Security Management Conference, December 2014.
[3] Seyed Kaveh Fayazbakhsh, Luis Chiang, Vyas Sekar, Minlan Yu, and Jeffrey C. Mogul. "Enforcing network-wide policies in the presence of dynamic middlebox actions using FlowTags." In 11th USENIX Symposium on Networked Systems Design and Implementation (NSDI 14), 2014.
[4] T. Benson et al. "CloudNaaS: a cloud networking platform for enterprise applications." In Proceedings of the 2nd ACM Symposium on Cloud Computing, 2011.
[5] Michael J. Freedman, Minlan Yu, Jennifer Rexford and Jia Wang. "Scalable flow-based networking with DIFANE." In Proceedings of ACM SIGCOMM, August 2010.
[6] Melissa Chase. "Multi-authority Attribute Based Encryption." In TCC, volume 4392 of LNCS, pages 515–534. Springer, 2007.
[7] Nick McKeown, Tom Anderson, Hari Balakrishnan, Guru Parulkar, Larry Peterson, Jennifer Rexford, Scott Shenker, and Jonathan Turner. "OpenFlow: enabling innovation in campus networks." In ACM SIGCOMM Computer Communication Review, April 2008.
[8] Phillip Porras, Seungwon Shin, Vinod Yegneswaran, Martin Fong, Mabry Tyson, and Guofei Gu. "A security enforcement kernel for OpenFlow networks." In Proceedings of the ACM SIGCOMM Workshop on Hot Topics in Software Defined Networking (HotSDN'12), August 2012.
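The "matching attributes" rule of the Encryption section (iii), as an added Python example written for this page; it is not the paper's code and not any ABE library. It models the access structure only: a monotone policy over attribute sets, with the CP-ABE case (policy on the ciphertext, attributes in the key) and the KP-ABE case (policy in the key, attributes on the ciphertext) side by side, and the paper's outsourcing scenario in which the cloud server holds no tenant attribute. The pairing-based mathematics of real ABE is deliberately not reproduced; the attribute names, policy syntax (nested tuples with AND, OR and k-of-n gates) and sample principals are constructed.

```python
"""Added example (not the paper's or any ABE library's code): the "matching
attributes" rule modelled as a monotone access policy over attribute sets.
decrypt() releases the payload only when the access structure is satisfied,
which is the property a real ABE scheme enforces cryptographically. Attribute
names, policy syntax and the sample principals are constructed."""
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple, Union

# A policy is a leaf attribute (str) or a tuple whose first element is the
# gate: "AND", "OR", or an integer k for a k-of-n threshold gate.
Policy = Union[str, Tuple]


def satisfies(policy: Policy, attrs: FrozenSet[str]) -> bool:
    """True when the attribute set satisfies the monotone access policy."""
    if isinstance(policy, str):
        return policy in attrs
    gate, *children = policy
    if gate == "AND":
        return all(satisfies(c, attrs) for c in children)
    if gate == "OR":
        return any(satisfies(c, attrs) for c in children)
    if isinstance(gate, int):
        return sum(satisfies(c, attrs) for c in children) >= gate
    raise ValueError(f"unknown gate {gate!r}")


@dataclass(frozen=True)
class Key:
    owner: str
    scheme: str                  # "CP" or "KP"
    attrs: FrozenSet[str]        # used by CP-ABE keys
    policy: Optional[Policy]     # used by KP-ABE keys


@dataclass(frozen=True)
class Ciphertext:
    scheme: str
    payload: str
    policy: Optional[Policy]     # CP-ABE: policy embedded in the ciphertext
    attrs: FrozenSet[str]        # KP-ABE: attributes labelling the ciphertext


class TrustedAuthority:
    """User keys are always issued by a trusted party, never self-made."""

    def issue_cp_key(self, owner, attrs):
        return Key(owner, "CP", frozenset(attrs), None)

    def issue_kp_key(self, owner, policy):
        return Key(owner, "KP", frozenset(), policy)


def cp_encrypt(payload, policy):
    return Ciphertext("CP", payload, policy, frozenset())


def kp_encrypt(payload, attrs):
    return Ciphertext("KP", payload, None, frozenset(attrs))


def decrypt(ct: Ciphertext, key: Key) -> Optional[str]:
    """Return the payload only if the key's attributes/policy match the
    ciphertext's policy/attributes; otherwise None."""
    if ct.scheme != key.scheme:
        raise ValueError("key and ciphertext belong to different ABE variants")
    if ct.scheme == "CP":
        matched = satisfies(ct.policy, key.attrs)
    else:
        matched = satisfies(key.policy, ct.attrs)
    return ct.payload if matched else None


def demo_abe():
    ta = TrustedAuthority()
    # CP-ABE, the paper's outsourcing case: a tenant's policy table is stored
    # at the cloud under "tenant A AND (admin OR netops)", so the cloud server
    # itself, holding no tenant-A attribute, cannot read it.
    cp_policy = ("AND", "tenant:A", ("OR", "role:admin", "role:netops"))
    ct = cp_encrypt("tenant-A security policy table", cp_policy)
    admin_a = ta.issue_cp_key("alice", {"tenant:A", "role:admin"})
    cloud = ta.issue_cp_key("cloud-server", {"role:cloud-server"})
    admin_b = ta.issue_cp_key("bob", {"tenant:B", "role:admin"})
    # KP-ABE: the ciphertext is labelled, the key carries a 2-of-3 policy.
    kp_ct = kp_encrypt("flow rules for tenant A", {"tenant:A", "type:flow-rule"})
    auditor = ta.issue_kp_key("auditor", (2, "tenant:A", "type:flow-rule", "type:log"))
    outsider = ta.issue_kp_key("outsider", ("AND", "tenant:B", "type:flow-rule"))
    return {
        "cp_admin_a": decrypt(ct, admin_a),
        "cp_cloud": decrypt(ct, cloud),
        "cp_admin_b": decrypt(ct, admin_b),
        "kp_auditor": decrypt(kp_ct, auditor),
        "kp_outsider": decrypt(kp_ct, outsider),
    }
```

The value of the model is in deciding which policy a data owner should attach before outsourcing: the cloud server and the other tenant's administrator both fail the CP-ABE policy, while the KP-ABE auditor succeeds through the threshold gate without holding every label. In a real deployment the check cannot be bypassed because the key material, not this function, is what gates decryption; the performance cost of that pairing arithmetic per packet is the delay concern the future-study section raises.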