December 6, 2019
Title: Optimizing Network Configurations for Functionality and Security
PhD Candidate: Devon Callahan
Major Advisor: Dr. Benjamin Fuller
Associate Advisors: Dr. Amir Herzberg, Dr. Michel Laurent
Day/Time: Friday, December 6, 2019 11:00 AM
Location: HBL Video Theatre 1
Networks are designed with functionality, security, performance, and cost in mind. Flows should be served while controlling risk due to attackers. Configuration is time intensive and largely static until a major new vulnerability or service requirement forces change. Tools exist to check or optimize individual properties of a network, such as reachability (Khurshid et al., NSDI 2013) and risk, assessed using (probabilistic) attack graphs (Sheyner et al., IEEE S&P 2002). However, these tools are not designed to generate configurations that simultaneously satisfy multiple properties. These properties may conflict, so it is not always possible to run these tools in series to find a configuration that meets all requirements. This leaves network administrators manually searching for a configuration.
We look to optimization techniques to provide a solution that addresses both functional and security requirements, and we explore the trade-offs of modeling and implementation choices for this problem. In our Multi-Layer framework DocSDN, each layer optimizes over a single property. The Security layer can constrain the search problem of the Functional layer, allowing the framework to converge on a joint solution. In a second approach, FASHION is a single-layer linear optimizer that fashions network configurations balancing functionality and security requirements. A primary technical contribution of our work is formulating and modeling network risk in a manner that is accurate and can be solved using fast optimization (integer programming) techniques.
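The two-layer idea above, as an added illustration that is not DocSDN's or FASHION's code: the security layer enumerates link configurations whose attack-graph risk stays within a budget, and the functional layer then picks the one serving the most flows. The topology, per-link exploit probabilities, flows and the "most likely attack path" risk measure are constructed for this example, and the search is brute force rather than an integer program.

```python
from itertools import combinations

# Constructed topology: link -> (end a, end b, probability an attacker traverses it),
# i.e. edge weights of a small probabilistic attack graph (not DocSDN/FASHION's model).
LINKS = {"internet-web": ("internet", "web", 0.9), "web-app": ("web", "app", 0.5),
         "app-db": ("app", "db", 0.4), "web-db": ("web", "db", 0.3),
         "hr-app": ("hr", "app", 0.7), "hr-db": ("hr", "db", 0.6)}
# Constructed functional requirement: each flow needs some path over enabled links.
FLOWS = [("internet", "web"), ("web", "app"), ("app", "db"), ("hr", "db"), ("hr", "app")]
ATTACKER, ASSET = "internet", "db"

def adjacency(enabled):
    adj = {}
    for a, b, p in (LINKS[name] for name in enabled):
        adj.setdefault(a, []).append((b, p))
        adj.setdefault(b, []).append((a, p))
    return adj

def attack_risk(enabled, node=ATTACKER, prob=1.0, seen=frozenset()):
    """Risk = probability of the most likely simple attack path ATTACKER -> ASSET."""
    if node == ASSET:
        return prob
    steps = [(nxt, p) for nxt, p in adjacency(enabled).get(node, []) if nxt not in seen]
    return max((attack_risk(enabled, nxt, prob * p, seen | {node}) for nxt, p in steps),
               default=0.0)

def flows_served(enabled):
    """Functionality = number of required flows connected by the enabled links."""
    adj = adjacency(enabled)
    def connected(src, dst):
        seen, stack = {src}, [src]
        while stack:
            for nxt, _ in adj.get(stack.pop(), []):
                if nxt not in seen:
                    seen.add(nxt); stack.append(nxt)
        return dst in seen
    return sum(connected(s, d) for s, d in FLOWS)

def security_layer(risk_budget):
    """Security layer: every link subset whose attack risk stays within budget."""
    names = list(LINKS)
    return [c for r in range(len(names) + 1) for c in combinations(names, r)
            if attack_risk(c) <= risk_budget]

def optimize(risk_budget):
    """Functional layer: over the feasible set, serve the most flows (ties: lower
    risk, then fewer links). Returns (links, flows served, residual risk)."""
    cfg = max(security_layer(risk_budget),
              key=lambda c: (flows_served(c), -attack_risk(c), -len(c)))
    return sorted(cfg), flows_served(cfg), attack_risk(cfg)
```

With a risk budget of 0.1 the only feasible configurations isolate the database from the internet-facing segment, so four of the five flows are served; raising the budget to 0.2 serves all five at a residual risk of 0.18, showing the conflict between the two properties.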
The network configuration problem is large, given the size of data-center networks, and solution requirements are time sensitive. Our approach has the most promise for software-defined networks, which can easily reconfigure their logical configuration. Our frameworks allow an enterprise to automatically reconfigure its network upon a change in functionality (a shift in user demand) or security (publication or patching of a vulnerability).