Object Oriented Policy Conflict Checking Framework in Cloud Networks (OOPC)

Ankur Chowdhary, Abdulhakim Sabur, Dijiang Huang, James Kirby, M. Kang

Research output: Contribution to journal › Article › peer-review

1 Scopus citations

Abstract

Software-Defined Networking (SDN) provides a programmable framework for multi-tenant cloud network management and orchestration. End-to-end packet processing by virtual network functions (VNFs) such as a stateless firewall, a load balancer, or an intrusion detection and prevention system (IDPS) means that network traffic is matched against the security rules of each individual VNF. Rules that conflict in their traffic match and in their actions can lead to (a) violation of security requirements (authentication and authorization bypass) and (b) violation of mission requirements through redundant rules (increased latency, reduced throughput). We present a new object-oriented policy conflict detection and resolution framework (OOPC), which analyzes the rule dependency relationships between the rules of heterogeneous VNFs and creates a VNF-Graph. The rules are analyzed using object-oriented dependencies between the address space and the actions of VNF rules. OOPC uses a compact VNF-Graph, which reduces search complexity when analyzing new security policies. Security policy composition in OOPC achieves 37% lower latency in policy graph composition than previous work. The proposed solution performs security policy conflict detection 20% faster on a cloud network with 60k OpenFlow rules than prior frameworks that serve a similar purpose.
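The abstract describes conflicts as a combination of overlapping traffic match (address space) and disagreeing actions, recorded as rule dependencies in a graph. The following added example, written for this record and not code from the paper or the OOPC project, classifies pairwise dependencies for a constructed first-match firewall rule set with the usual classes (shadowed, redundant, correlated, generalization); the rule layout, field set and names are assumptions.

```python
from ipaddress import ip_network
from itertools import combinations

# Constructed sample firewall rule set (not from the paper), evaluated first-match.
# Rule fields: name, source prefix, destination port range (lo, hi), action.
RULES = [
    ("r1", "10.0.0.0/8",  (22, 22),    "deny"),
    ("r2", "10.1.0.0/16", (22, 22),    "allow"),  # never fires: r1 matches first
    ("r3", "10.2.0.0/16", (22, 22),    "deny"),   # same decision as r1: redundant
    ("r4", "0.0.0.0/0",   (80, 443),   "allow"),
    ("r5", "10.0.0.0/8",  (400, 8080), "deny"),   # partial overlap with r4, opposite action
]

def _rel(a_in_b, b_in_a, disjoint):  # name the relation of a to b from containment tests
    if disjoint:
        return "disjoint"
    if a_in_b and b_in_a:
        return "equal"
    if a_in_b:
        return "subset"
    if b_in_a:
        return "superset"
    return "overlap"

def _range_rel(a, b):  # port ranges as closed intervals
    return _rel(b[0] <= a[0] and a[1] <= b[1], a[0] <= b[0] and b[1] <= a[1],
                a[1] < b[0] or b[1] < a[0])
def _net_rel(a, b):  # IP prefixes either nest or are disjoint
    a, b = ip_network(a), ip_network(b)
    return _rel(a.subnet_of(b), a.supernet_of(b), not a.overlaps(b))

def match_relation(x, y):  # relation of rule x's address space to rule y's, over both fields
    rels = {_net_rel(x[1], y[1]), _range_rel(x[2], y[2])}
    if "disjoint" in rels:
        return "disjoint"
    rels.discard("equal")
    if not rels:
        return "equal"
    return rels.pop() if rels in ({"subset"}, {"superset"}) else "overlap"

def classify(earlier, later):  # conflict class of a later rule relative to an earlier one
    rel, same = match_relation(later, earlier), earlier[3] == later[3]
    if rel in ("subset", "equal"):
        return "redundant" if same else "shadowed"
    if same or rel == "disjoint":
        return None
    return "generalization" if rel == "superset" else "correlated"

def find_conflicts(rules):  # dependency edges (earlier, later, kind) a policy graph would record
    return [(a[0], b[0], k) for a, b in combinations(rules, 2)
            if (k := classify(a, b)) is not None]
```

Every rule pair is compared here, which is the quadratic search a compact VNF-Graph is meant to avoid when a new policy is added.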

Original language: English (US)
Journal: IEEE Transactions on Dependable and Secure Computing
DOIs
State: Published - 2022

Keywords

  • Cloud computing
  • Complexity theory
  • Electronics packaging
  • Firewalls (computing)
  • IP networks
  • Object Oriented Paradigm (OOP)
  • OpenFlow
  • Policy Composition
  • Policy Conflict Detection
  • Policy Conflict Resolution
  • Policy Graph
  • Scalability
  • Security
  • Service Function Chaining (SFC)
  • Software-Defined Networking (SDN)
  • Virtual Network Functions (VNFs)

ASJC Scopus subject areas

  • Electrical and Electronic Engineering
  • General Computer Science
