Securing Edge Networks with Securebox

Ibbad Hafeez, Department of Computer Science, University of Helsinki, Helsinki, Finland, ibbad.hafeez@helsinki.fi
Aaron Yi Ding, Department of Informatics, Technical University of Munich, Munich, Germany, [email protected]
Sasu Tarkoma, Department of Computer Science, University of Helsinki, Helsinki, Finland, sasu.tarkoma@helsinki.fi

arXiv:1712.07740v1 [cs.CR] 20 Dec 2017

Abstract—The number of mobile and IoT devices connected to home and enterprise networks is growing fast. These devices offer new services and experiences for the users; however, they also present new classes of security threats pertaining to data and device safety and user privacy. In this article, we first analyze the potential threats presented by these devices connected to edge networks. We then propose Securebox: a new cloud-driven, low cost Security-as-a-Service solution that applies Software-Defined Networking (SDN) to improve network monitoring, security and management. Securebox enables remote management of networks through a cloud security service (CSS) with minimal user intervention required. To reduce costs and improve the scalability, Securebox is based on virtualized middleboxes provided by CSS. Our proposal differs from the existing solutions by integrating the SDN and cloud into a unified edge security solution, and by offering a collaborative protection mechanism that enables rapid security policy dissemination across all connected networks in mitigating new threats or attacks detected by the system. We have implemented two Securebox prototypes, using a low-cost Raspberry-PI and off-the-shelf fanless PC. Our system evaluation has shown that Securebox can achieve automatic network security and be deployed incrementally to the infrastructure with low management overhead.

Keywords-IoT, smart home, security, network, firewall, middlebox, architecture

I. INTRODUCTION

Recent advancements in technology have been the driving factor in the development of the new generation of smart portable devices including smart phones, smart watches, and tablet PCs to give some examples. Together they add up to more than 3 billion devices and their number is growing at a fast pace [44]. Internet of Things (IoT) has recently gained huge popularity among consumers and estimates predict that more than 20 billion IoT devices will be connected to the Internet by 2020 [7]. IoT devices typically contain sensors and operate on limited computational and power resources. These devices are connected to the Internet either directly or via an IoT hub. IoT devices are primarily used to collect data from surroundings. This data is later analyzed to extract valuable information to be used in different applications.

IoT devices offer many time saving and comfort features for an average user [1]. Users can remotely switch off smart lights or open door locks using their mobile phones. With a number of smart IoT devices launched every day, IoT vows to bring convenience to the user's everyday life.

Medium and large scale enterprises are adopting Bring Your Own Device (BYOD) policies for allowing their employees and guests to connect their personal devices to the enterprise network. Connecting a large number of heterogeneous devices to the enterprise network has brought a new set of problems for enterprise network security. Since most of the users do not know about malware and exploits potentially installed in their smart devices, any infected device can compromise the security of the entire network. Surveys show that the majority of Chief Information Security Officers (CISOs) feel that network security operations have become much more difficult to manage compared to the past [6].

Software-Defined Networking (SDN) promises to change the way traditional networks are managed by offering a flexible model that supports innovation [21], [37]. SDN has been used for wide area networks (WAN) and data center environments [34]. SDN has not been applied to home networks yet; however, we believe that it can support this environment with better security and remote management capabilities. Previous research has showcased techniques for using SDN for dynamic re-routing of traffic through middleboxes deployed outside the network [15], [14], [27].

Security and privacy are important concerns for online users and applications. With the recent popularity of e-commerce, cloud storage and cloud based services, network security and user privacy have become even more important. IoT and BYOD related security threats are fairly new to existing network security techniques and tools, which are mostly designed for large enterprise networks [6]. Therefore, we need to develop new techniques for securing these networks connecting large numbers of heterogeneous devices.

The cost of deploying and operating network security solutions, e.g., firewall (FW), deep packet inspection (DPI), is high. Therefore, these solutions are mainly adopted by large enterprises with sufficient resources to deploy and maintain them. Small enterprise and home users also need similar facilities, but do not have the resources. Our work in this article introduces the advantages of these sophisticated security and remote management solutions to all users at low cost.


The main contributions of this paper are:

• Introducing SDN at the edge for automatic network security and management, and bringing the benefits of security services from cloud-based virtualized middleboxes to smart home and small/medium enterprise users.

• Proposing Securebox: a redesigned, low-cost, remotely manageable home gateway for securing smart home, IoT and BYOD environments, and Cloud-based Security Service: a cost efficient, scalable security service offering automatic network management and traffic analysis services for detection/mitigation of network threats using a collaborative mechanism.

• Implementation and evaluation of Securebox and Cloud-based Security Service, demonstrating the feasibility of the proposed system in live networks.

Roadmap: Section II identifies a set of key security problems in different networked environments. Section III explains the design and architecture of our proposed solution. Section IV describes the implementation details of the system prototypes. We evaluate system performance in Section V. We discuss the limitations of the current state of the art in Section VI before concluding in Section VII. For simplicity, the rest of the paper will refer to IoT and hand-held devices as user devices, and to smart home, small enterprise and small office/home office networks as SOHO networks.

II. BACKGROUND

Typically, the routers or gateways installed in SOHO networks are mainly protecting the user devices in the network. These gateways provide Network Address Translation (NAT) features and prevent direct access to the devices from the outside network. However, the new generation of IoT devices offers remote management features, which require the devices to expose a management interface to the Internet. Some IoT devices are connected to an IoT hub or to the user's smart phone, which is in turn connected to the Internet, therefore providing an indirect way to access these devices.

With more and more devices connected to SOHO networks, they are becoming a lucrative target for criminals. Criminals can remotely break into a user's home network and passively monitor IoT sensor traffic to determine whether the user is at home; an attacker can also remotely open door locks or disable the perimeter security system. This information can be sold and utilized in various ways not approved by the user. Recently, researchers have shown how a connected car can be remotely controlled, which can result in fatal accidents [45].

Most of these devices in BYOD environments are not protected and can be contaminated with malware and spyware. Users also carry their devices to conference rooms and facilities with limited access. The recording instruments, e.g., microphone, camera and GPS, can be used to record valuable secret information and transfer it to unwanted entities. Such devices can also infect other devices in the network.

Recently, a number of attacks have surfaced in which millions of devices are hacked in order to control them remotely for malicious activities. Hundreds of thousands of home routers were remotely controlled as of February 2014 to change their DNS server setting to an attacker-controlled server. These hacked devices were then used to perform phishing, click fraud attacks, etc.

Poor device management significantly eases the task of an attacker to remotely access user devices. In late 2014, a hacker searched the Internet for connected CCTV cameras and tried logging in to them using factory default login credentials. The attacker was able to log in to thousands of CCTV cameras across the world and obtain live video feeds [7]. Similarly, there have been incidents where personal computers were hacked to record live footage from webcams, which was used for blackmailing and extortion [61].

A. Motivation and Problem Statement

With the continuous evolution and growing trend of security and privacy attacks using personal computing and smart devices, there is a need for improving network security by monitoring and auditing device activity and detecting security issues [5]. SOHO and smart enterprise networks are either poorly managed or not managed at all due to lack of resources, vigilance and motivation on behalf of users. As a result, an attacker can break into these networks to gain access and potentially control the devices inside these networks. These compromised devices can then be used for spying on user activities, click fraud, phishing, Distributed Denial of Service (DDoS) attacks, bitcoin mining, etc. These issues put SOHO networks at the center of the network security picture [10].

Users would like to have network devices that are secure and easy to manage [20]. Recent research has shown that users are more comfortable and enthusiastic about managing their networks when they obtain more information about their network activity [20], [19]. The need for making network management easier and simpler is more prominent in SOHO networks, because it is neither feasible nor scalable to hire experts who can individually manage the security of each network [18].

In our research, we conducted a user study of 150 users from academia and industry to assess user perceptions of home network security management. The study revealed that the majority (≥80%) of users find it very difficult to manage their network access points and gateways and require an easy to operate version of these devices. Therefore, average users should not be burdened with the complex tasks of managing a home network. Our work envisions a network gateway which offloads management and operational tasks to an external entity (i.e., a network management service provider), which has more resources and expertise to perform these operations.

Our proposed gateway will act as a sensor in the network and collect traffic statistics and insights to share them with a service provider. The service provider will use these statistics to (re)configure all gateways in real time, providing better security against attacks and malicious activities. This model helps in managing networks more efficiently, because the service provider will have a better view across multiple networks and will be able to make well-informed decisions. The broad view of the network will also help to identify suspicious traffic trends which might previously have gone unnoticed.

B. IoT threats analysis

IoT environments introduce many heterogeneous devices running a variety of protocols and software versions. Due to their small size, low power and limited resources, many of these devices are not even running an operating system. These devices are mainly developed by startups or fast moving teams in enterprises, which work on a limited budget and resources. These teams are hurried to develop and launch their products to the market. Therefore, security is often neglected during the design and development of these products. There is usually a lengthy update cycle, if any, for most of these devices. Owing to the number of sensors on these devices with no software updates, a number of security threats are raised against these devices.

In enterprise BYOD environments, the presence of heterogeneous devices makes the issue more grave for the network security team. Table I presents an overview of the design and limitations of the current state of the art for privacy and security in home networks.

Due to resource constraints, it is very hard to implement security features on IoT devices. Some manufacturers use Trusted Platform Module (TPM) hardware and hardware-based schemes for securing these devices [46]. However, this approach is not feasible because of the limited computational and power resources available on IoT devices. A smart solution is to provide fully authenticated and verified access to the data collection and operations of these devices, so that no attacker can hijack a device to steal the data or spy on the user [2]. Since a majority of malware spreads among devices, we should also inspect and restrict uncontrolled device-to-device (D2D) communications to prevent the devices from infecting each other. In addition, several IoT hubs available on the market lack such security features [47], [48]. Our proposed cloud-assisted gateway is designed to provide these features for IoT and BYOD environments.

III. CLOUD ASSISTED SECUREBOX

Based on the set of issues identified in the previous sections, this article proposes a new architecture for remote network management in smart home and small enterprise environments.

A. Overview

The proposed solution consists of two key components, i.e., Securebox and Cloud-based Security Service (CSS). The proposed system is designed to scale in different networks including smart home, SOHO and small/medium enterprise (SME) environments with multiple offices.

The client end, i.e., Securebox, uses SDN for network management and operations. Securebox can provide features such as device isolation, authenticated device-to-device (D2D) communication, identification of infected/compromised devices, security profiling of devices, etc., whereas CSS can provide cost efficient and scalable detailed traffic analysis and network management features.

B. Client Edge

Securebox is a modified gateway running an SDN controller and Open vSwitch. Figure 1 shows the architecture of Securebox. Securebox has a local policy database (Pol-DB) which contains security policies for different traffic classes along with the specified actions. Securebox is a cheaper replacement for contemporary manageable home gateways in user networks. It provides wired and wireless interfaces to connect user devices. All the traffic flowing to/from the network passes through the Securebox, which enforces network policies on this traffic. Securebox delegates all the traffic analysis, security and network management tasks to the CSS.

Figure 1: Securebox architecture (components shown: Management Interface, SDN Controller, Switching Hardware, Policy Database, Cloud Security Service, Internet; connected user devices: Smartphone, Workstation, PC, Laptop, Tablet)

1) Deployment: Securebox comes pre-configured to connect to the service provider specified CSS, and the user only needs to connect it to the Internet. Securebox management and Pol-DB updates are automatically handled by the CSS. Therefore, users are free from manually configuring and managing their gateways. Securebox provides an interface showing stats about bandwidth usage per device, security risks detected and removed, suspicious traffic to/from devices in the network, D2D communications, etc.

Research | Contribution | Limitations
A. Brown et al. [19] | HomeNetViewer: tool for collecting and annotating domestic network NetFlow records. | Neither addresses security and privacy challenges in home networks nor IoT specific issues.
M. Chetty et al. [20] | uCAP: tool for monitoring network bandwidth usage in home networks. | Does not address security and privacy challenges for IoT and other devices in the home network. Does not audit network traffic to detect suspicious activities in the network.
A. Alwabel et al. [22] | SENSS: an interface for querying the ISP to detect anomalies. | Needs to modify ISPs. Does not address challenges from IoT or traffic analysis. Requires expertise to make use of the queried information.
R. Meyran [23] | DefenseFlow: SDN application that programs networks for DoS/DDoS security. | Aimed specifically at enterprise networks, high cost, does not address IoT challenges, (currently) limited to DoS/DDoS detection only.
J. Sherry et al. [24] | Deploying middleboxes in the cloud for scalability and cost efficiency. | Addresses only the large enterprise use case; does not talk about security or privacy challenges in the IoT domain or SME networks.
Y. de Montjoye et al. [3] | OpenPDS: personal metadata management framework allowing the user to collect, store and manage third-party access to their metadata. | Needs support by software products and services for deployment; needs effort from the user to manage storage and access of data by third parties. No design support for feedback to the user.
H. Haddadi et al. [30] | Databox: collects personal data for the user and provides controlled access to this data for third parties. | Needs realization of the concept to assess real world applicability. Security services should be redesigned to support Databox. User needs to manage the controlled access to this data.

Table I: Current state of the art: Contributions and limitations

After configuring CSS, a user profile is set up at CSS for traffic analysis tasks. Securebox then receives a Pol-DB update from CSS. This update consists of a basic set of network policies and is stored in Pol-DB. Later, Pol-DB is regularly updated by CSS, see Section III-C3.

Figure 2 shows the deployment architectures for Securebox. In Scenario A, shown in Fig. 2a, user devices are directly connected to the Securebox, which runs an SDN controller and OVS. In Scenario B, shown in Fig. 2b, the Securebox runs an SDN controller and manages OF-capable switches and wireless access points (AP) to which the user devices are connected. In both scenarios the Securebox is also connected to the CSS and the Internet as expected.

Figure 2: Securebox deployment. (a) Scenario A; (b) Scenario B

Securebox mainly gets the network policies from the CSS. However, the Securebox design offers flexibility for power users to configure policies of their own choice, e.g., a user can configure "Allow my CCTV to connect to my file server (for video feed storage)". These manually configured policies can be device specific and have a higher priority than those received from CSS. Securebox can also provide a security ranking for each device connected to the network, based on device activity, giving the user a better understanding of device behaviour. It can generate warnings for the user whenever a suspicious activity is detected and quarantined. These warnings can be displayed on the web interface or delivered to the user's smart phone.

2) Functioning: The flow processing algorithm of Securebox is presented in Algorithm 1. When a new traffic flow is initiated to/from a device in the local network, Securebox interrupts this flow, extracts some information (a 6-tuple) from this flow and checks Pol-DB for any policy matching this traffic flow. If a matching policy is found, the associated decision to allow or drop this traffic is applied to the traffic flow.

If there is no matching policy available, Securebox sends this data to the CSS, which analyzes this data using the user preferred mechanism and returns a security policy. Securebox stores this policy in Pol-DB and applies the decision to the requested traffic flow. In the future, similar traffic flow requests will get matching policies from the Pol-DB and Securebox will not need to send the traffic to CSS for analysis.

If a user installs a CCTV camera for a perimeter security system and the CCTV camera opens a connection to an arbitrary server on the Internet to send the video feed, Securebox will intercept this new traffic flow request. Securebox will then extract and send some statistics to CSS for analysis, which will identify that the user's CCTV camera should not be allowed to connect to any arbitrary server. It will formulate a security policy directing the Securebox to deny any traffic flow which tries to connect the CCTV camera to any arbitrary server outside the network. Securebox will implement this policy and deny the connection request from the CCTV camera. Any subsequent requests from the CCTV camera to connect to the same or any other arbitrary server will be denied.

Securebox needs to have connectivity with the CSS in order to get the traffic analysis and Pol-DB updates in real time. However, the system design allows Securebox to work even when the connection to CSS is not available. In that case, Securebox uses Pol-DB to make decisions for incoming traffic flow requests and implements an implicit allow/deny decision rule for traffic flows with no matching policy available.

Another solution is to push some decision-making to the Securebox. This solution would increase the hardware requirements for the Securebox, therefore increasing the costs and complexity of the system. This solution would also require more user interaction, and most users would not be comfortable with managing all these services.

Secureboxes also act as sensors in the networks to collect information about the network activity and report it back to CSS. CSS then analyzes this information to make better informed decisions for enhanced network and security management and to improve quality of service (QoS) to enhance the user experience.

C. Cloud-based Security Service

CSS is a low cost, highly scalable, service-based solution running in the cloud environment to provide security services, including traffic analysis through middleboxes and malware and botnet detection, to the clients. It allows any subscriber to run personalized traffic analysis services in the cloud environment at reduced costs and improved scalability.

1) Architecture: Figure 3 shows the architecture of CSS. Cloud Manager is the central component of the whole system. Cloud Manager is responsible for handling client requests, managing resources, deploying and maintaining middleboxes, and handling traffic analysis tasks. Cloud Manager delegates some of the sub-tasks to other entities in the CSS.

The certification authority manages the certificates for the system and all the subscribers, i.e., Secureboxes. The impact of the certification authority on system security is explained in detail in Section V-F. CSS also runs a "Backup Cloud Manager", which is a state-aware, hot-swappable replica of Cloud Manager that can replace the Cloud Manager in case it goes down. This improves the fault tolerance and scalability of the system.

Algorithm 1 Securebox flow processing algorithm
  connect to CSS
  bootstrap policy-DB
  while traffic flow request do
      # Extract metadata from incoming connection requests
      metadata ← extractMetadata(traffic flow)
      # if matching policy exists in policy database
      if policy_exists(metadata) then
          # extract decision from matching policy
          policy_decision ← getDecision(metadata)
          # insert traffic flow and update log
          insertFlow(OF switch, traffic flow request)
          updateLog(event)
      else
          # get decision from cloud-security-service
          policy ← getSecurityPolicy(metadata)
          # insert traffic flow, cache security policy and log event
          insertFlow(OF switch, traffic flow request)
          updatePolicyDB(policy)
          updateLog(event)
      end
  end
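As an added illustration (example code written for this page, not the Securebox prototype's own implementation), the following Python simulation runs Algorithm 1 together with the behaviours described in Section III-B: a Pol-DB lookup in which manually configured user policies outrank CSS policies, the fallback to the CSS for unmatched flows with the returned policy cached locally so the next similar flow is decided without a cloud round trip, and the implicit default decision applied when the CSS is unreachable. The layout of the 6-tuple, the fields a policy matches on, the known-server list and the MAC and IP addresses are all constructed assumptions, not values taken from the paper.

```python
"""Added example, not code from the paper: a small simulation of the
Securebox flow-processing loop (Algorithm 1, Section III-B2).

Assumptions not fixed by the paper:
  * the "6 tuple" of flow metadata is taken to be
    (device MAC, src IP, dst IP, protocol, src port, dst port);
  * the CSS is modelled by a callable returning a Policy and raising
    ConnectionError when the cloud service is unreachable;
  * a policy matches on device MAC, destination IP and destination port,
    and manually configured user policies outrank CSS policies.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

FlowTuple = Tuple[str, str, str, str, int, int]  # mac, src_ip, dst_ip, proto, sport, dport


@dataclass(frozen=True)
class Policy:
    device: str      # device MAC, or "*" for any device
    dst_ip: str      # destination IP, or "*" for any
    dst_port: int    # destination port, or 0 for any
    action: str      # "allow" or "deny"
    source: str      # "user" (manual, higher priority) or "css"

    def matches(self, flow: FlowTuple) -> bool:
        mac, _src, dst, _proto, _sport, dport = flow
        return (self.device in ("*", mac)
                and self.dst_ip in ("*", dst)
                and self.dst_port in (0, dport))


@dataclass
class Securebox:
    css: Callable[[FlowTuple], Policy]
    offline_default: str = "deny"   # implicit rule used when CSS is unreachable
    pol_db: List[Policy] = field(default_factory=list)
    log: List[str] = field(default_factory=list)
    flows: List[Tuple[FlowTuple, str]] = field(default_factory=list)  # "installed" OF flows

    def lookup(self, flow: FlowTuple) -> Optional[Policy]:
        """Pol-DB lookup; user policies are consulted before CSS policies."""
        ranked = sorted(self.pol_db, key=lambda p: 0 if p.source == "user" else 1)
        return next((p for p in ranked if p.matches(flow)), None)

    def process_flow(self, flow: FlowTuple) -> str:
        """One iteration of Algorithm 1: returns the decision applied to the flow."""
        policy = self.lookup(flow)
        if policy is not None:
            decision = policy.action
            self.log.append(f"local {policy.source} policy -> {decision}")
        else:
            try:
                policy = self.css(flow)
                self.pol_db.append(policy)   # cache so the next similar flow stays local
                decision = policy.action
                self.log.append(f"css policy cached -> {decision}")
            except ConnectionError:
                decision = self.offline_default
                self.log.append(f"css unreachable -> implicit {decision}")
        self.flows.append((flow, decision))  # stands in for insertFlow(OF switch, ...)
        return decision


# --- constructed demo data (not from the paper) ---------------------------
KNOWN_SERVERS = {"203.0.113.10"}            # constructed "well known server" list
CCTV = "02:00:00:00:cc:01"                  # constructed MAC of a CCTV camera
LAN_IP = "192.168.1.50"                     # constructed LAN address of the camera


def demo_css(flow: FlowTuple) -> Policy:
    """Stand-in for the CSS decision of Section III-C2: a device may reach
    well known servers; any other destination is denied for that device."""
    mac, _src, dst, _proto, _sport, dport = flow
    if dst in KNOWN_SERVERS:
        return Policy(mac, dst, dport, "allow", "css")
    return Policy(mac, dst, 0, "deny", "css")


def unreachable_css(flow: FlowTuple) -> Policy:
    raise ConnectionError("CSS not reachable")


def run_demo() -> Tuple[List[str], List[str]]:
    box = Securebox(css=demo_css)
    # power-user policy: allow the camera to store video on the local file server
    box.pol_db.append(Policy(CCTV, "192.168.1.20", 445, "allow", "user"))
    decisions = [
        box.process_flow((CCTV, LAN_IP, "192.168.1.20", "tcp", 50000, 445)),   # user policy
        box.process_flow((CCTV, LAN_IP, "198.51.100.7", "tcp", 50001, 443)),   # CSS -> deny, cached
        box.process_flow((CCTV, LAN_IP, "198.51.100.7", "tcp", 50002, 8080)),  # local hit, no CSS call
        box.process_flow((CCTV, LAN_IP, "203.0.113.10", "tcp", 50003, 443)),   # CSS -> allow
    ]
    offline = Securebox(css=unreachable_css, offline_default="deny")
    decisions.append(offline.process_flow((CCTV, LAN_IP, "198.51.100.9", "tcp", 50004, 443)))
    return decisions, box.log + offline.log


if __name__ == "__main__":
    for d, entry in zip(*run_demo()):
        print(f"{d:5s}  {entry}")
```

The third flow in the demo is the point of the cache: the camera's second attempt to reach the same unknown server is denied from Pol-DB without contacting the CSS, which is the local handling that Section III-C3 aims to maximize through policy updates. The offline box shows the implicit rule from Section III-B2; a deployment would pick allow or deny as its default according to its risk tolerance.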

Figure 3: Cloud-based security service architecture (components shown: Cloud Manager, Backup Cloud Manager, Certification Server, DB 1, DB 2, Middlebox Manager 1 and 2, Threat Analysis Service, Malware Analysis Service, middleboxes IDS/IPS/FW; a SOHO Securebox connected via the Internet)

Several kinds of middleboxes, e.g., Intrusion Detection System (IDS), Intrusion Prevention System (IPS) and FW, can be deployed in the cloud environment. Middlebox Manager manages the deployment and operations (e.g., load balancing, fault tolerance) of the middleboxes deployed for traffic analysis. Some of the middleboxes analyze traffic from delay sensitive applications or enterprises, so CSS maintains hot-swappable, state-aware replicas of these middleboxes to improve the fault tolerance and efficiency of the system. The instances of middleboxes running in the backup middlebox pool can immediately replace any middlebox which fails during operation.

There is a huge volume of network traffic flowing to CSS from multiple subscriber networks. This enormous amount of data can be utilized to extract valuable statistics about network traffic, QoS and the devices connected to the network. CSS runs various kinds of analysis on this traffic to extract valuable insights from it. Figure 3 shows the threat and malware analysis services running in CSS. These services use traffic statistics collected from Secureboxes to detect malware, botnets and other malicious traffic flowing through various networks. The broad view across a number of networks helps in detecting the tiny traces of malicious traffic which usually go undetected through traditional network perimeter security systems.

2) CSS Functioning: After a user profile is created for CSS, all subsequent traffic analysis requests from the (user specific) Securebox are handled according to the preferences in the user profile. When a traffic analysis request arrives from a registered Securebox, the request handler either sends it to dedicated middleboxes or to the traffic analysis service, depending upon the user profile. The traffic analysis service returns a decision for the incoming request and the request handler sends this decision to the Securebox in the form of a security policy. Algorithm 2 presents the different operations pertaining to request processing.

Following the example given in Section III-B, when the Securebox requests a decision on whether to allow the CCTV camera to connect to an arbitrary server, CSS analyses the incoming information. CSS maintains a list of addresses of safe/known servers, and the requested connection to an unknown server will be flagged as suspicious. CSS will generate a policy to "drop any traffic from CCTV which does not go to (specific) well known servers on the Internet" and send it to the Securebox.

Enterprise subscribers can use leased middleboxes for analyzing their traffic (as this offers high availability and low processing delay). On the other hand, subscribers from SOHO networks can analyze their traffic in the middleboxes run by CSS for general traffic analysis. Every subscriber can configure the type and sequence of middleboxes used for analyzing their traffic, see Section III-C4. Subscribers can opt out of sharing their traffic statistics to be used in other analysis services, as explained in Section V-C.

CSS can share the traffic analysis results with other service providers to help them improve their services, QoS and user experience. It can also provide interfaces to third parties for running several kinds of analysis on the network traffic statistics collected by CSS, for detecting botnets and malware and tracking suspicious servers hosted on the Internet. This massive and diverse collection of network level traffic statistics can also be very useful for the research community.

Algorithm 2 CSS request processing algorithm

    bootstrap system, services
    launch middleboxes
    while incoming analysis requests do
        # extract information from incoming request
        info ← extractInfo(incoming_request)
        # if matching policy exists in security-policy-store
        if policyExists(incoming_request) then
            # get security policy from store and send to client
            sec_policy ← getPolicy(incoming_request)
            sendToClient(sec_policy, incoming_request_id)
            # update logs
            updateLog(event)
        else
            # extract user profile and perform required security analysis
            user_profile ← getUserProfile(incoming_request)
            sec_policy ← analyzeRequest(user_profile, incoming_request)
            sendToClient(sec_policy, incoming_request_id)
            # cache security policy (if allowed by agreement) and update logs
            storePolicy(sec_policy)
            updateLog(event)
        end
    end
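The following is an added, runnable model of Algorithm 2; it is example code written for this page, not the Securebox prototype's code. A Securebox forwards only connection metadata (the paper's default 6-tuple); the CSS looks the request up in its policy store, on a miss runs it through the middlebox chain that the subscriber profile assigns to the device's traffic class (the per-class chaining of Section III-C4), answers with a policy and caches it when the subscriber agreement allows. The class names, the three middlebox functions, the address lists and the subscriber profile are assumptions constructed to reproduce the CCTV scenario above.

```python
"""Added example (not the paper's code): Algorithm 2 with a per-class middlebox chain.

Names, address lists and the subscriber profile are constructed for this example.
"""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Optional, Tuple, Union

# (device id, src ip, dst ip, src port, dst port, proto): the 6-tuple sent by a Securebox
Request = Tuple[str, str, str, int, int, str]


@dataclass(frozen=True)
class Policy:
    device: str                                 # device this policy applies to
    dst: str                                    # destination address or "*" for any
    dport: Union[int, str]                      # destination port or "*" for any
    action: str                                 # "allow" or "drop"
    allow_dsts: FrozenSet[str] = frozenset()    # exceptions to a device-wide "drop"
    reason: str = ""

    def decide(self, dst: str) -> str:
        if self.dst == "*" and dst in self.allow_dsts:
            return "allow"
        return self.action


Middlebox = Callable[[Request, "UserProfile"], Optional[Policy]]


@dataclass
class UserProfile:
    device_class: Dict[str, str]            # device id -> traffic class
    chains: Dict[str, List[Middlebox]]      # traffic class -> ordered middleboxes
    cache_allowed: bool = True              # may the CSS cache verdicts for this subscriber


# Constructed stand-ins for the CSS's "safe/known servers" list and a threat feed.
WELL_KNOWN_SERVERS = frozenset({"203.0.113.10", "203.0.113.11"})
BLOCKLISTED_SERVERS = frozenset({"198.51.100.7"})


def firewall(req: Request, profile: UserProfile) -> Optional[Policy]:
    """FW box: an IoT (Class A) device may only reach well-known servers.
    The verdict is device-wide, the same shape as the paper's CCTV policy."""
    device, _src, dst, _sport, _dport, _proto = req
    if profile.device_class.get(device, "default") == "A" and dst not in WELL_KNOWN_SERVERS:
        return Policy(device, "*", "*", "drop", WELL_KNOWN_SERVERS, "IoT device contacted unknown server")
    return None


def ids(req: Request, profile: UserProfile) -> Optional[Policy]:
    """IDS box: drop connections to destinations on the threat feed, whatever the port."""
    device, _src, dst, _sport, _dport, _proto = req
    if dst in BLOCKLISTED_SERVERS:
        return Policy(device, dst, "*", "drop", reason="destination on blocklist")
    return None


def dpi(req: Request, profile: UserProfile) -> Optional[Policy]:
    """DPI stand-in working on metadata only: refuse cleartext telnet from personal devices."""
    device, _src, dst, _sport, dport, proto = req
    if proto == "tcp" and dport == 23:
        return Policy(device, dst, dport, "drop", reason="cleartext remote administration")
    return None


class CloudSecurityService:
    def __init__(self, profiles: Dict[str, UserProfile]):
        self.profiles = profiles
        self.store: Dict[Tuple[str, str, Union[int, str]], Policy] = {}   # security-policy-store
        self.log: List[str] = []

    def lookup(self, device: str, dst: str, dport: int) -> Optional[Policy]:
        # most specific match first, then per-destination, then device-wide
        for key in ((device, dst, dport), (device, dst, "*"), (device, "*", "*")):
            if key in self.store:
                return self.store[key]
        return None

    def decide(self, subscriber: str, req: Request) -> Tuple[str, bool]:
        """Algorithm 2 for one request: returns (action, served_from_cache)."""
        device, _src, dst, _sport, dport, _proto = req
        cached = self.lookup(device, dst, dport)
        if cached is not None:
            self.log.append(f"{subscriber}: cache hit {device}->{dst}:{dport}")
            return cached.decide(dst), True
        profile = self.profiles[subscriber]
        cls = profile.device_class.get(device, "default")
        policy = None
        for box in profile.chains[cls]:             # service chain: first verdict wins
            policy = box(req, profile)
            if policy is not None:
                break
        if policy is None:                          # no box objected
            policy = Policy(device, dst, dport, "allow", reason=f"passed chain {cls}")
        if profile.cache_allowed:
            self.store[(policy.device, policy.dst, policy.dport)] = policy
        self.log.append(f"{subscriber}: analyzed {device}->{dst}:{dport} -> {policy.action} ({policy.reason})")
        return policy.decide(dst), False


def build_demo_css() -> CloudSecurityService:
    """Constructed subscriber: IoT devices are Class A (FW only), personal devices Class B (FW, IDS, DPI)."""
    profile = UserProfile(
        device_class={"cctv": "A", "fridge": "A", "phone": "B", "laptop": "B"},
        chains={"A": [firewall], "B": [firewall, ids, dpi], "default": [firewall, ids, dpi]},
    )
    return CloudSecurityService({"user_a": profile})
```

The first CCTV request to an unknown server costs an analysis round trip and yields the device-wide drop policy; the second unknown server and the first well-known server are then both answered from the store, which is the caching behaviour the paper relies on to keep latency down. Keying the store on destination and port (not only the device) keeps a port-specific DPI verdict from blocking every other connection to that host.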

3) Policy-DB updates: The decisions made for the incoming traffic analysis requests are cached in the Policy Store managed by CSS. The information obtained from the threat analysis services run by CSS is also aggregated and stored in the form of network policies. CSS generates regular updates for Secureboxes from the policies collected in the Policy Store. These updates are issued to all connected Secureboxes to improve their ability to handle more traffic locally and to immediately block any attempts to attack the network. These policy updates from CSS enable smooth functioning of the Securebox without requiring user participation.

In the CCTV camera example, when a decision is made that the CCTV camera should not be allowed to connect to any arbitrary server (other than well known servers), the next policy update will transfer this security policy to all connected Secureboxes. The next time a CCTV camera connected through any of these Secureboxes attempts to connect to an arbitrary server, the connection will be refused by the Securebox without sending an analysis request to the CSS.

The policy update mechanism provides a number of advantages. It significantly reduces the number of traffic analysis requests sent to CSS, which reduces the burden on the service provider infrastructure as well as the uplink traffic, saving precious bandwidth. A number of these benefits are explained in detail in Section V-B.

CSS maintains a complete history of all previous updates and current policies in the policy store. At every update, it refines the set and includes only those policies which were not previously sent. There is a trade-off in the frequency of issuing these updates. If updates are issued too frequently, the size of each update will be smaller, the update cycle will be faster, and security attacks and threats will be detected more quickly across all networks. However, this will also result in more traffic to the Securebox, hence consuming more of the user's bandwidth. On the other hand, less frequent updates will use less bandwidth but will increase the delay in the dissemination of the policies required to block network attacks.

Figure 4: Service chaining. Panels: (a) Service Chaining, (b) Traffic Tunnelling.

In the proposed system design, high priority policies are immediately pushed to the Secureboxes, whereas policies of lower priority are bundled together and sent to the user during hours of lesser network activity, e.g. nighttime.
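The update scheme described in this subsection (a complete policy history, per-Securebox deltas, immediate push of high-priority policies and off-peak bundling of the rest) as an added example; this is code written for this page, not the prototype's, and the class names, the two priority levels and the off-peak hours are assumptions.

```python
"""Added example (not the paper's code): Pol-DB update generation as in Section III-C3.

Class names, priority levels, off-peak hours and the sample policies are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class Policy:
    policy_id: int      # monotonically increasing id, used to order deltas
    rule: str           # human-readable rule text
    priority: str       # "high": push at once; "low": bundle for the off-peak window


class PolicyStore:
    def __init__(self, offpeak_hours=range(1, 5)):
        self.history: Dict[int, Policy] = {}       # complete history of issued policies
        self.delivered: Dict[str, Set[int]] = {}   # securebox id -> policy ids already sent
        self.offpeak = set(offpeak_hours)          # assumed off-peak window (01:00-04:59)
        self.messages: Dict[str, int] = {}         # update messages sent per Securebox

    def register(self, sb_id: str) -> None:
        """A newly connected Securebox has nothing delivered yet; it catches up at the next window."""
        self.delivered.setdefault(sb_id, set())
        self.messages.setdefault(sb_id, 0)

    def add_policy(self, policy: Policy) -> Dict[str, List[Policy]]:
        """Record a policy; a high-priority one is pushed to every Securebox immediately.
        Returns what was pushed, keyed by Securebox id (empty for low priority)."""
        self.history[policy.policy_id] = policy
        pushed: Dict[str, List[Policy]] = {}
        if policy.priority == "high":
            for sb_id in self.delivered:
                pushed[sb_id] = self._deliver(sb_id, [policy])
        return pushed

    def scheduled_update(self, sb_id: str, hour: int) -> List[Policy]:
        """Bundled delta for one Securebox, released only inside the off-peak window.
        Only policies not previously sent to this Securebox are included."""
        if hour not in self.offpeak:
            return []
        delta = [p for pid, p in sorted(self.history.items()) if pid not in self.delivered[sb_id]]
        return self._deliver(sb_id, delta)

    def _deliver(self, sb_id: str, policies: List[Policy]) -> List[Policy]:
        if policies:                               # an empty delta costs no message
            self.delivered[sb_id].update(p.policy_id for p in policies)
            self.messages[sb_id] += 1
        return policies


def demo_trace() -> Dict[str, List[int]]:
    """Walk through the scheme; return, per event, the policy ids each Securebox received."""
    store = PolicyStore()
    store.register("sb1")
    store.register("sb2")
    trace: Dict[str, List[int]] = {}
    # A freshly detected attacker: high priority, pushed at once to both Secureboxes.
    pushed = store.add_policy(Policy(1, "drop traffic from scanner 198.51.100.9", "high"))
    trace["sb1 immediate"] = [p.policy_id for p in pushed["sb1"]]
    # Routine verdicts cached during the day: low priority, bundled later.
    store.add_policy(Policy(2, "allow phone -> 203.0.113.10:443", "low"))
    store.add_policy(Policy(3, "drop cctv -> !well-known", "low"))
    trace["sb1 at 10:00"] = [p.policy_id for p in store.scheduled_update("sb1", hour=10)]
    trace["sb1 at 02:00"] = [p.policy_id for p in store.scheduled_update("sb1", hour=2)]
    trace["sb1 at 03:00"] = [p.policy_id for p in store.scheduled_update("sb1", hour=3)]
    # A Securebox registered after the fact receives the whole history in one bundle.
    store.register("sb3")
    trace["sb3 at 02:00"] = [p.policy_id for p in store.scheduled_update("sb3", hour=2)]
    trace["messages sb1, sb3"] = [store.messages["sb1"], store.messages["sb3"]]
    return trace
```

The message counter makes the trade-off in the text concrete: sb1 receives two messages for three policies, and a repeated off-peak run that finds nothing new sends none, whereas pushing every policy as it is created would cost one message per policy.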

4) Service Chaining: The CSS architecture provides support for service chaining, so that subscribers can easily combine various kinds of network services for analyzing their network traffic. Fig. 4a shows the case where the user has chosen separate traffic analysis techniques for different classes of traffic, e.g. User A has configured that all traffic from IoT devices (i.e. smart fridge, smart TV) belongs to Class A and that traffic from smart phones, tablets or personal computing devices should be classified as Class B traffic. CSS will analyze traffic from each class through a separate set of middleboxes chosen by the subscriber. Traffic from Class A will be analyzed by a FW, whereas Class B traffic will be analyzed by FW, IDS and DPI instances running in the CSS environment.

This feature allows subscribers to save cost and run multiple kinds of analysis on their traffic, classified into various classes. The proposed architecture allows the user to dynamically modify the analysis services chained together, providing complete control over the traffic analysis being performed on user traffic.

Figure 4b shows the scenario where the user has configured the Securebox to route all the traffic through the CSS. This feature allows the user to perform middlebox analysis on the whole traffic session involving suspicious traffic. This scenario is especially useful for enterprise users who would like to have all the traffic from guest devices pass through a set of middleboxes. The subscriber can add/remove middleboxes on the path of this traffic, and using cloud resources offers better scalability as the user traffic volume increases, hence preventing the middlebox deployment from becoming a bottleneck and degrading user experience. Similar concepts have been introduced for re-routing traffic through middleboxes deployed elsewhere, and that work can be used as a feature in the proposed system [27], [24].

D. User subscription models

The proposed architecture allows users to reserve a single dedicated middlebox instance or a set of them for their traffic analysis, achieving low latency and high availability. It also allows subscribing to traffic analysis services without leasing any middlebox instances. The latter solution will offer lower costs and slightly higher latencies. Section III-C4 explains how a subscriber can benefit from the service chaining features offered by the CSS.

Another subscription model allows the user to receive periodic network policy updates from CSS without actively analyzing their traffic in middleboxes. All these subscription models include remote management and updates for the Securebox as well.

E. Deployment Models

The proposed architecture offers three deployment models for CSS, examined below.

1) Third party security service provider: In this model, the user gets a pre-configured Securebox from a third party service provider. Power users can configure the Securebox to connect to the CSS of their choice. The service provider can run different kinds of traffic analysis on subscriber traffic and get monetary benefits from the traffic statistics collected from the various connected networks. This data is valuable for IoT device manufacturers, service providers (e.g. Netflix¹) and Internet Service Providers (ISPs). It can lead to the development of new technologies with built-in security features offering better user experience and QoS.

2) ISP based deployment: ISPs can also deploy CSS to provide network management services to their customers. In typical deployments, ISPs provide a home gateway which can be modified to work as a Securebox. ISP adoption of the proposed system will be useful for both customers and the ISP. Following this model, customers would not need to install a new gateway, and the ISP can get valuable information about the user networks to offer distinguished and personalized services. This model will save the cost of deployment and operation for both customers and ISPs and improve ISP operations.

3) Private deployment: The private deployment model is useful for research and enterprise-scale deployments since it provides complete control over the infrastructure. In this model, a client (e.g. an enterprise) deploys its own CSS and the Secureboxes are managed by using this private CSS. This model provides a central control interface to monitor and operate the network across all deployments. All the traffic is analyzed in a centrally managed infrastructure where personalized traffic analysis techniques can be applied to the data. The private deployment model reduces privacy concerns since the network information is not shared with any third party or external entity.

¹ www.netflix.com

In traditional networks, it is possible to deploy middleboxes centrally at a gateway location, with traffic from different establishments routed through the centrally deployed middleboxes. However, these gateways frequently become bottlenecks, resulting in bad user experience. This model offers very little flexibility for configuration, management and operations in live deployment. The proposed system, by contrast, offers more flexibility by enabling network managers to classify the traffic and change the middleboxes on the fly. It greatly improves fault tolerance by significantly reducing the downtime of middleboxes. It also improves the scalability of the infrastructure during peak access periods without compromising user experience and network operations.

IV. SYSTEM IMPLEMENTATION

We have implemented two prototypes for evaluating the real-world performance of the proposed system. Our prototype system was demonstrated at the ACM S3 workshop and the Cloud Security Services (CLoSe) Workshop [31], [33].

A. Securebox

The primary components of Securebox (SB) are an SDN controller used for enforcing network policies and gateway management, Open Virtual Switch (OVS) for network level functions, and a policy database for storing the network policies.

For the two prototypes of Securebox, we used the Fit-PC3 pro Linux (fitPC) and the Raspberry PI (R-Pi) [55], [54]. Table II gives a comparison of the hardware specifications of both devices. Section V gives a detailed evaluation of the performance achieved by both versions of Securebox. Our implementation of Securebox uses the Floodlight SDN controller v1.1 at minimal configuration and OVS version 2.4.0 [52], [53]. A backup copy of Pol-DB (to be used in case of reboot) is also stored in the local file system. The policy table is currently implemented using hash tables, but bloom filters can also be used [32].

Portability: Deploying Securebox on Raspberry Pi sized devices makes it much more portable for personal use. Users can carry the Securebox and connect it to any available (insecure) Internet connection, e.g. public Wi-Fi or hotel networks. Users then enable the option for setting up a secure personal access point (S-PAP) and connect their personal devices to the S-PAP. This approach will prevent any malware, spyware etc. on the insecure network from infecting user devices. It also prevents illegal access to the user's devices connected to the insecure network.

Table II: Comparison between Raspberry-Pi and Fit-PC3

                    Raspberry PI 2 (Model B)    Fit-PC3 pro Linux
    CPU             900 MHz Quad-Core           1.6 GHz Dual Core
    Memory          1 GB                        4 GB
    Storage         SD Card                     320 GB
    Ethernet        1                           5
    Wireless        None                        802.11 b/g/n
    USB interface   4                           6
    HDMI            Yes                         Yes
    Cost            USD 35                      USD 533

B. Security Service

The Security Service in the early prototype system was deployed using the OpenStack platform to dynamically deploy Docker containers running a simplified version of SNORT as an IDS instance and a Firewall service [42], [40], [41]. The choice of a Docker-based infrastructure instead of virtual machines was made because of the performance benefits of Docker containers [12]; that discussion, however, is out of scope for this paper. A Cloud Manager program was implemented to manage the Docker containers, handle client events and balance load across the containers. The Cloud Manager is also responsible for disseminating the current network policies to the client networks. Currently, we are also evaluating Kubernetes as a platform to deploy CSS [50].

V. SYSTEM EVALUATION

We evaluate the prototype system against different scenarios. In order to minimize latency and maximize privacy for the user, as well as the performance gain from the collaborative threat detection/mitigation mechanism, we have upgraded the system design over multiple rounds.

A. Latency

Latency is an important factor for user experience. As identified in [49], higher latencies can result in a significant drop in website business. The proposed system design is susceptible to increased latency because the traffic analysis is done in the cloud environment.

In order to minimize the latency experienced by the user, only metadata (by default: 6 tuple) information from the initial connection request is sent to CSS for analysis. Policies are cached locally to be used for any subsequent similar connection request. When a user accesses a website, e.g. Youtube², for the first time, Securebox does not find a matching policy in Pol-DB and contacts the security service to get a security policy for this connection request. This procedure introduces a marginal increase in the page load time of Youtube from 3.53 seconds to 3.81 seconds for the first visit. Any subsequent requests will be addressed by matching policies in the in-memory Pol-DB, and the user will experience (almost) no added latency.

² www.youtube.com

Figure 5: Performance comparison for user experienced latency. (a) Page load latencies of Alexa Top 1000 Websites: HTTP page load time (s, 0 to 14) against number of websites (0 to 900); series Traditional Network, SecureBox (Fit-PC), SecureBox (Raspberry-Pi). (b) HTTP, FTP traffic: time in seconds (0 to 700) for File1 to File8; series SB (fitPC version), SB (Raspberry PI version), Network. (c) Bittorrent traffic: file transfer times over Bittorrent in seconds (0 to 800) for File1 and File2; series SB (fitPC version), SB (Raspberry PI version), Network; recovered bar labels in extraction order: 697, 129, 670, 125, 691, 131.

Table III: VoIP Performance Comparison

                                    Network   SB (fitPC)   SB (R-Pi)
    Download Speed (Mbps)           13.1      12.905       12.6
    Upload Speed (Mbps)             2.153     1.783        1.69
    Download Consistency            80%       78%          78%
    Upload Consistency              86%       83%          82%
    Download BW (Mbps)              18.504    17.693       17.296
    Jitter (server → client) ms     3.3       6.4          7.8
    Jitter (client → server) ms     5.8       7.6          8.2
    Packet loss (client → server)   0%        0%           0.50%
    Packet loss (server → client)   0%        0%           0%
    MOS Score                       4.3       4.1          4

Figure 6: IPerf bandwidth testing. Panels: Traditional Network, SB(fitPC), SB (Raspberry-PI); bandwidth (20 to 100) against time (0 to 60) for the servers iperf.funet.fi and iperf.scottlinux.com.

Figure 5a shows the CDF of page load times for the Alexa Top 1000 websites (as of 23rd October 2015). It shows that Securebox does not introduce significant latency compared to the latency experienced with traditional networks. Figure 5a also shows that the Raspberry Pi version introduces almost the same latency as the Fit-PC3, which has much more powerful hardware. The similarity in performance comes from a system design which requires Securebox to act only as a policy enforcer and puts no computational burden on it. It enables us to implement Securebox on low-powered devices with modest hardware, save costs and improve portability without sacrificing performance.

Figure 5b shows the results for file transfers over HTTP and FTP from public Internet servers. The results show that the proposed solution only increases download times by a negligible percentage. Similar performance is achieved for Bittorrent traffic, as shown in Fig. 5c. Bittorrent is an interesting use case because the set of connected peers is constantly changing: new connections are made and old connections are dropped. Therefore, many traffic analysis requests are sent to CSS. However, the latency experienced through Securebox is almost the same as that of a traditional network.

Table III shows the performance achieved for Voice-over-IP (VoIP) traffic. The jitter and consistency achieved by Securebox for both uplink/downlink traffic are similar to those of a traditional network. The Raspberry Pi version performs equally well as the Fit-PC3 based version, achieving a similar mean opinion score (MOS) of 4, which shows that the proposed system can deliver good quality, unjittered VoIP traffic.

Pol-DB updates, described in Section III-C3, also contribute to minimizing the latency. They provide aggregated policy updates to the connected Secureboxes. This increases the chances of finding a matching policy in the local Pol-DB of the Securebox and reduces the number of requests made to CSS for decisions on new connection requests, hence minimizing the latency.

Figure 6 shows the results obtained for bandwidth testing using iperf servers on the Internet. The results show that Securebox (both the fitPC and R-Pi versions) achieves similar bandwidth to that achieved in traditional networks.

B. Collaborative Threat Detection/Mitigation

Collaborative detection of attacks and threats in the network is another key contribution of the proposed system. Section III-E explains how the Secureboxes installed in different network segments can act as network sensors which collect and send information to the CSS. The security service analyzes the information to detect attacks going on in disjoint networks. This broader view enables the Security Service to detect threats in various networks before they can substantially affect users in the network. Section III-C3 shows that when a new attack is detected in any network segment, the Security Service dispatches Pol-DB updates to provide the other networks with security policies to mitigate similar attacks.

Traditionally, attacks on different networks are detected long after they have infected the network. Once the attacks are detected, there is no mechanism for sharing this information with other entities because of legal and business reasons. Attackers exploit this lack of information sharing among network security teams and launch successful attacks on different organizations using similar techniques. Security professionals in each of these organizations face difficulties in detecting them, and organizations have already suffered damage by the time these attacks are blocked.

The security community has long acknowledged the need for a mechanism for sharing network attack related information, and there exists an IETF working group developing protocols for sharing information about network attacks [51].

Figure 7: Attacker controlled nodes launching attack upon disjoint network segments. Three segments, each with Host 1, Host 2 and Host 3 behind SecureBox 1, SecureBox 2 and SecureBox 3 respectively, connect to the Cloud Security Service; attacker nodes Att1, Att2 and Att3 reach each segment through nodes labelled N1, N2, N4, N5, N6, N7, N8 and N10.

Figure 7 shows three disjoint network segments, each connected through a Securebox to CSS and the Internet. The attacker launches a port scanning attack on the hosts in these network segments [39]. Figure 8 shows the traffic analysis trends and the performance gain from using the collaborative threat detection approach. A total of 20 nodes were used for generating traffic, and a swarm of 15 zombie (attacker controlled) nodes, each scanning 1000 random ports, was used to attack three network segments, each with three connected hosts.

Figures 8a to 8d show extracts from the attack traffic. These figures show the total attack traffic received, analyzed and dropped during the attack and compare the performance gain of the collaborative approach.

Figure 8a shows the case where the attacker initially launches an attack on network 1. Securebox 1 initially sends all the traffic to CSS for analysis. When CSS identifies the attacking nodes, it directs Securebox 1 to drop any further traffic coming from those nodes. Figure 8a shows that no traffic is dropped in the beginning, but the volume of dropped traffic gradually increases as the CSS identifies more attacking nodes. The amount of traffic analyzed also decreases, because Securebox 1 directly drops the traffic without sending it to CSS.

Following the collaborative approach, CSS generates a Pol-DB update to inform the other network segments about the attacker nodes detected from network 1 activity. Figure 8b shows that Securebox 2 uses this information and drops all the traffic from the suspicious nodes. It prevents any traffic from already detected attacker nodes from reaching hosts inside the network, therefore minimizing the malicious traffic entering the network. Meanwhile, this approach also reduces the volume of traffic analyzed by CSS.

CSS generates another Pol-DB update containing the list of attacker nodes detected by analyzing traffic from network 2 activity. Using this information, Securebox 3 is able to identify and drop >90% of the attack traffic without analyzing it. Figure 8c shows that the volume of traffic analyzed drops to <10% of the total traffic received, and all traffic from attack nodes is immediately dropped at the network entry point.

With no collaboration in place, networks 1, 2 and 3 all need to process all the traffic initially, and traffic is dropped only once CSS detects the attacking nodes, as shown in Fig. 8d. No attack information is shared between the networks, so every network needs to (re)detect the attacking nodes individually, which allows some of the malicious traffic to penetrate the network before it is detected.
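The comparison in this subsection, as an added discrete simulation with constructed traffic; it is example code written for this page, not the paper's experiment or its prototype. Three segments each sit behind a Securebox holding a local Pol-DB of sources to drop; every SYN not matched locally costs an analysis request. The CSS flags a source once it has probed at least a threshold number of distinct (network, port) destinations. Without collaboration the CSS keeps a separate view per network and answers only the asking Securebox; with collaboration it aggregates across networks and pushes the drop policy to all three. The node counts, the sequential port sweep, the threshold and the detection rule are assumptions of this example (the paper's nodes scan 1000 random ports).

```python
"""Added example (not the paper's code): collaborative vs. isolated detection, Section V-B.

Traffic, threshold and detection rule are constructed for this simulation.
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

Flow = Tuple[str, str, int]   # (network, source node, destination port): one TCP SYN
NETWORKS = ("net1", "net2", "net3")


def build_traffic(attackers: int = 15, benign: int = 5, ports: int = 100) -> List[Flow]:
    """Constructed trace: attacker nodes sweep `ports` ports on all three segments
    concurrently (round-robin); benign nodes open one HTTPS connection per segment."""
    flows: List[Flow] = []
    for port in range(ports):
        for a in range(attackers):
            for net in NETWORKS:
                flows.append((net, f"att{a}", port))
    for b in range(benign):
        for net in NETWORKS:
            flows.append((net, f"good{b}", 443))
    return flows


class CloudSecurityService:
    def __init__(self, collaborative: bool, threshold: int = 10):
        self.collaborative = collaborative
        self.threshold = threshold
        # scope -> distinct (network, port) destinations probed by the source
        self.seen: Dict[object, Set[Tuple[str, int]]] = defaultdict(set)

    def analyze(self, network: str, src: str, dport: int) -> Tuple[str, List[str]]:
        """Verdict for one analyzed SYN plus the Secureboxes that should learn it."""
        scope = src if self.collaborative else (network, src)   # shared vs. per-network view
        self.seen[scope].add((network, dport))
        if len(self.seen[scope]) >= self.threshold:
            targets = list(NETWORKS) if self.collaborative else [network]
            return "drop", targets
        return "allow", []


def simulate(flows: List[Flow], collaborative: bool) -> Tuple[Dict[str, Dict[str, int]], Dict[str, Set[str]]]:
    """Run the trace through the three Secureboxes; return per-network counters and local Pol-DBs.
    'leaked' counts attack SYNs allowed through before their source was recognised
    (the att/good prefix is the simulation's ground truth, unknown to the CSS)."""
    css = CloudSecurityService(collaborative)
    poldb: Dict[str, Set[str]] = {n: set() for n in NETWORKS}
    stats = {n: {"received": 0, "analyzed": 0, "dropped": 0, "leaked": 0} for n in NETWORKS}
    for net, src, dport in flows:
        s = stats[net]
        s["received"] += 1
        if src in poldb[net]:                  # matched locally: no analysis request sent
            s["dropped"] += 1
            continue
        s["analyzed"] += 1
        verdict, targets = css.analyze(net, src, dport)
        if verdict == "drop":
            s["dropped"] += 1
            for t in targets:                  # Pol-DB update to one or to all Secureboxes
                poldb[t].add(src)
        elif src.startswith("att"):
            s["leaked"] += 1
    return stats, poldb


def compare() -> Dict[str, int]:
    """Total analysis requests and leaked attack SYNs, isolated vs. collaborative."""
    flows = build_traffic()
    result: Dict[str, int] = {}
    for label, collab in (("isolated", False), ("collaborative", True)):
        stats, _ = simulate(flows, collab)
        result[f"{label}_analyzed"] = sum(s["analyzed"] for s in stats.values())
        result[f"{label}_leaked"] = sum(s["leaked"] for s in stats.values())
    return result
```

With the constructed trace, each segment in the isolated run has to analyze ten SYNs per attacker before it can drop the rest, so the analysis load and the leaked attack traffic are three times those of the collaborative run, where a source recognised through any segment is dropped at the entry point of all three. The benign nodes stay below the threshold and are never added to a Pol-DB in either mode.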

C. Privacy

When network level statistics are shared with a third party service and user traffic is analyzed in the cloud environment, privacy becomes an important concern. We recently conducted a detailed user study asking our respondents "How comfortable would you be in sharing your network traffic statistics to get better network security and management". The majority (> 60%) of the participants were comfortable with sharing their data with a third party providing network management and security services. Recent research has explained that it is difficult to provide complete accountability while offering complete anonymity to the users [17]. Therefore, our proposed system only uses the bare minimum of information from the user to find a suitable trade-off between user privacy and usable security.

Figure 8: Performance gain in attack detection using collaborative approach compared to traditional approaches. Each panel plots TCP-Syn requests (0 to 70 or 80) against time (0 to 120) for Received Traffic, Analyzed Traffic and Dropped Traffic: (a) Network 1, (b) Network 2, (c) Network 3, (d) Network 1, 2, 3: No Collaboration.

When CSS is deployed by an ISP, see Section III-E, privacy does not become an issue, because the ISP already performs a number of analyses on user traffic (to provide better QoS). In-house deployment of CSS alleviates all privacy concerns since it gives complete control over the infrastructure, data sharing and analysis. It can perform custom traffic analysis and manage the Secureboxes deployed in the network with personalized security and management policies.

When CSS is deployed by a third party, the different subscription models, see Section III-D, allow the user to decide what kind of services they need for network management and how much data they want to share. Both the user and the service provider agree to terms which explicitly dictate how user data will be stored, analyzed and shared by the service provider. Users can opt out of having their network traffic data analyzed by paying a subscription fee for the services and leased resources (i.e. middleboxes, traffic analysis). The CSS provider can offer free management services or premium services to users who agree to share their network traffic data for analysis purposes.

D. Cost Efficiency

The cost of middleboxes ranges from hundreds to thousands of dollars a piece. Hiring network security professionals to manage and update these middleboxes can cost hundreds of dollars per hour. The update cycle of these middleboxes is a couple of years, after which they need to be replaced by brand new equipment supporting more functionality and higher bandwidth. A new set of equipment comes with deployment costs of its own. The high cost of deploying and maintaining network security is one of the reasons why security is often neglected. Large enterprises can dedicate resources to manage these high costs, but the problem is direr in small enterprise and home networks.

In a typical enterprise environment, the middlebox deployment is underutilized most of the time and becomes a bottleneck during peak access periods. The proposed solution is cost efficient, following a pay as you use model. It deploys the bare minimum number of middleboxes at all times, thus managing resources more efficiently. During peak access periods, the deployment automatically scales to prevent middleboxes from becoming the bottleneck for network traffic and to reduce customer churn. SDN allows us to efficiently distribute the traffic load among the middleboxes deployed in the cloud. In the proposed model, the cost of replacing a non-functional middlebox is much lower than the cost of replacing a physical middlebox.

Table II shows that a Securebox deployment using a Raspberry PI like device costs < USD 50 and provides almost the same performance as achieved by traditional networks, see Section V. [24] also gives a detailed discussion of how much cost is saved by deploying middleboxes in the cloud environment instead of deploying them physically at network vantage points.

E. Scalability

The Securebox design supports scalability due to its small size and minimal management overhead. The user only needs to deploy the Secureboxes at network vantage points and connect them to CSS, which will ensure that all Secureboxes operate with consistent network policies. This model is also useful in enterprise environments, where the networking team only deploys Secureboxes at new establishments and offices and connects them to the CSS, which installs an initial set of policies and later makes sure that every Securebox has a coherent set of policies for operation. Network managers no longer need to individually configure middleboxes, switches or routers, saving resources and time. This also minimizes the chance of inconsistent policies across network devices (which are very difficult to detect in the operational environment).

Section V-D explains the problems with traditional middleboxes, e.g. underutilization, lack of scalability, the update cycle and high costs. These problems add further cost to the already expensive network security infrastructure of an enterprise. Any network outages or bottlenecks can cause significant business losses. Therefore, the proposed system uses cloud resources to deploy traffic analysis services which can scale in real time while maintaining lower costs. Sherry et al. also support our claim that using cloud resources to deploy middleboxes can reduce costs for enterprise security infrastructure [24].

F. Attacks against system

The proposed system is susceptible to attacks by rogue Secureboxes and by a compromised CSS. An individual rogue Securebox, or a set of them working in collusion, can repeatedly generate malformed requests to CSS, compelling CSS to generate policies which mark suspicious/insecure connections as safe. Rogue Secureboxes can also launch a DoS attack on the security service. On the other hand, a compromised security service can generate security policies which force all Secureboxes to allow all traffic to any destination. Any rogue node in the network can also claim to be a security service and start generating security updates to the Secureboxes in the network.

Figure 3 highlights the Certification Authority, which is responsible for managing and issuing certificates to connected Secureboxes. When a Securebox is registered, a certificate is generated for it to communicate with CSS. All updates from CSS are encrypted and signed. The Securebox will reject any updates coming from sources other than the registered CSS and report those sources back to the CSS. Similarly, CSS logs the traffic analysis requests, and any Securebox showing suspicious behaviour, i.e. generating fake or repeated requests, is blacklisted. The proposed system design does not allow Secureboxes to communicate with each other, which removes any chance of a Securebox sending false Pol-DB updates to another.
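Two of the defences listed above in code, as an added example written for this page (not the prototype's implementation). First, a Securebox accepts a Pol-DB update only if it comes from the CSS it registered with and carries a valid authentication tag; anything else is rejected and the source is recorded for reporting back to the CSS. The paper describes certificate-backed signing plus encryption; this example swaps in an HMAC-SHA256 tag under a per-Securebox registration key so that it runs on the standard library alone, adds a sequence number to refuse replayed updates (an addition of this example, not something the paper states), and leaves the encryption layer out. Second, the CSS counts repeated identical analysis requests per Securebox and blacklists a Securebox that exceeds a threshold, as the text does for fake or repeated requests. The key, the threshold and the message layout are constructed.

```python
"""Added example (not the paper's code): authenticated Pol-DB updates and request blacklisting.

HMAC stands in for the paper's certificate-based signature; the sequence number
check is an addition of this example. Keys, thresholds and messages are constructed.
"""
import hashlib
import hmac
import json
from collections import Counter, defaultdict
from typing import Dict, List, Set, Tuple


def sign_update(key: bytes, update: dict) -> Dict[str, str]:
    """CSS side: serialise canonically and attach an HMAC-SHA256 tag."""
    body = json.dumps(update, sort_keys=True, separators=(",", ":"))
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


class Securebox:
    def __init__(self, css_id: str, registration_key: bytes):
        self.css_id = css_id                 # the only source whose updates are accepted
        self.key = registration_key          # issued at registration, one per Securebox
        self.poldb: Dict[str, str] = {}      # local policy database: rule -> action
        self.last_seq = 0                    # highest update sequence number applied
        self.reports: List[str] = []         # sources of rejected updates, reported to CSS

    def receive_update(self, sender_id: str, msg: Dict[str, str]) -> bool:
        """Apply the update only if source, tag and sequence number all check out."""
        expected = hmac.new(self.key, msg["body"].encode(), hashlib.sha256).hexdigest()
        authentic = hmac.compare_digest(expected, msg["tag"])   # constant-time comparison
        if sender_id != self.css_id or not authentic:
            self.reports.append(sender_id)
            return False
        update = json.loads(msg["body"])
        if update["seq"] <= self.last_seq:                        # replayed or stale update
            self.reports.append(sender_id)
            return False
        self.last_seq = update["seq"]
        self.poldb.update(update["policies"])
        return True


class RequestHandler:
    """CSS side: blacklist a Securebox that keeps repeating the same analysis request."""

    def __init__(self, max_repeats: int = 5):
        self.max_repeats = max_repeats
        self.repeats: Dict[str, Counter] = defaultdict(Counter)  # sb id -> request -> count
        self.blacklist: Set[str] = set()

    def handle(self, sb_id: str, request: Tuple) -> str:
        if sb_id in self.blacklist:
            return "rejected"
        self.repeats[sb_id][request] += 1
        if self.repeats[sb_id][request] > self.max_repeats:
            self.blacklist.add(sb_id)
            return "blacklisted"
        return "analyzed"                     # here the request would enter Algorithm 2


def demo() -> Dict[str, object]:
    """Exercise both defences with constructed messages and return the outcomes."""
    key = b"constructed-registration-key-for-sb1"
    sb = Securebox("css-main", key)
    genuine = sign_update(key, {"seq": 1, "policies": {"cctv -> !well-known": "drop"}})
    forged = sign_update(b"sender-without-the-key", {"seq": 2, "policies": {"cctv -> *": "allow"}})
    tampered = dict(genuine, body=genuine["body"].replace("drop", "allow"))
    results: Dict[str, object] = {
        "genuine": sb.receive_update("css-main", genuine),
        "forged": sb.receive_update("css-main", forged),
        "tampered": sb.receive_update("css-main", tampered),
        "wrong_source": sb.receive_update("rogue-css", genuine),
        "replayed": sb.receive_update("css-main", genuine),
        "poldb": dict(sb.poldb),
        "reports": list(sb.reports),
    }
    handler = RequestHandler(max_repeats=3)
    req = ("cctv", "10.0.0.5", "198.51.100.42", 40000, 443, "tcp")
    results["repeat_outcomes"] = [handler.handle("sb2", req) for _ in range(5)]
    return results
```

Only the genuine update changes the local Pol-DB; the forged, tampered, wrongly sourced and replayed messages are all refused and their senders recorded, and on the CSS side the fourth identical request from one Securebox trips the blacklist so that every later request from it is turned away without analysis.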

G. Uplink bandwidth saving

User bandwidth is a precious resource, and the proposed system ensures that the security service has minimal impact on it. Every traffic analysis request for a new connection contains <40 bytes of information. The Pol-DB updates also help in minimizing the number of traffic analysis requests generated by the user. Section III-C3 explains the scheme followed by Pol-DB updates, which uses periods of lower traffic activity for delivering updates.

VI. RELATED WORK

Following the initial proposal of ETHANE to manage the control plane at runtime, researchers showed how this technology could revolutionize traditional networking [38]. SDN has been a hot topic in the academic research community since 2010. Google's announcement of using SDN to control its inter-datacenter traffic routing further increased the popularity of SDN, with increased deployments in real-time traffic [56]. Both the academic and the industrial community proposed a number of techniques for improving SDN performance and fault tolerance. However, SDN has been mainly deployed in large enterprises to manage WAN and data center traffic [37]. This paper is the first attempt to exploit the potential of SDN for managing SOHO and SME networks including IoT and BYOD environments.

A. Academic Research

SDN research has mainly focused on improving the performance and fault tolerance of SDN controllers and on better communication with OVS hardware. Different SDN controllers have been proposed by researchers, offering better security and resilience to attacks. Elasticon is proposed in [36], a distributed SDN controller that minimizes the impact of DDoS attacks against the SDN controller. Besides improving the security of SDN itself, researchers have also been investigating how to apply SDN to enhance security for mobile and wireless networks [28], [29].

SDN and network function virtualization (NFV) have opened new possibilities to improve network management. Researchers have also explored the possibility of virtualizing middleboxes to achieve reduced costs and increased scalability. Sherry et al. have proposed to deploy virtual middleboxes in the cloud environment and showed that there is no significant performance degradation [24]. A model offering DPI as a service has been proposed in [11]. Their work complements our proposed system for setting up the virtual middleboxes in the CSS. Deidtect proposes the use of SDN to dynamically re-route network traffic through a centralized middlebox deployment (possibly in the cloud environment) [27]. Their solution only explores SDN support for dynamic re-routing of traffic in enterprise environments but does not provide a significant evaluation of its performance. Our work exploits SDN's potential for managing network policies, monitoring per device communications and interactions, and dynamically re-routing traffic through CSS. The proposed CSS offers many more features compared to a standard middlebox deployment.

SENSS proposes an interface design for ISPs which can provide users' traffic statistics on demand [26]. Users can then analyze whether they are under attack and request the ISP to take user-directed actions to secure their networks. This proposal requires significant user interaction to analyze traffic traces and decide what should be done to secure the network. ISPs might not be comfortable providing an interface to users for accessing traffic statistics and manipulating traffic propagation. Alwabel et al. propose a model where users can classify their traffic from the ISP and decide what path it should follow to their network, e.g. users would want class A traffic to be redirected through middleboxes, whereas class B traffic comes directly to their network [22]. Once again, the ISP may not allow users to control the routing of their traffic.

Researchers have proposed a system to control wireless APs using SDN [35], but their work is focused on AP management and does not address the security aspect. This work can be used by Securebox deployments in wireless environments. Resonance has been proposed for securing enterprise environments by providing dynamic access control on flow level information [13].

A recent series of events has greatly increased public awareness of data privacy, and people are more concerned about the privacy of their data and devices than ever before. Hacking, online scams, digital extortion and state-sponsored cyber espionage have become an increasing concern for users. Many contemporary devices contain sensors that collect information about the environment and the users [43]. The new generation of smartphones contains tens of these sensors, and there have been plenty of cases where smartphones and mobile devices have been used to spy on the user [62].

Researchers have been working on how to make smartphones more secure so that they do not leak sensitive information about the user to unwanted entities. Databox has been proposed in [30]; it collects all the information about the user and shares it only with authenticated third parties. The openPDS-based service provides “safe answers” to third parties asking for data collected from the users [8]. These “safe answers” are designed not to leak any related information about the users.

Securebox can offer similar functionality for IoT and mobile devices. An IoT hub module in the Securebox can collect data from the IoT devices connected to the network and provide an interface through which third-party applications access this data. Securebox will provide authenticated and validated access to the collected information only for user-specified applications. It will thoroughly audit each incoming data request and respond only to queries coming from trusted sources. However, this functionality will require support from device manufacturers and third-party services to work with this architecture.

B. Industrial Research

Many industrial actors have been trying to improve gateways to make them smarter and automatically manageable. Recently, Google announced the OnHub solution for home environments [57]. OnHub currently manages the home wireless network and provides automatic management services via the Google-On application, but it comes at a heavy price tag of USD 219. Qualcomm® has presented a secure home gateway and IoT hub that combines the Gigabit Wi-Fi support of Qualcomm® VIVE 802.11 with Qualcomm® StreamBoost technology [58]. It provides security features such as parental control and automatic virus detection. Qualcomm has included a high-performance processor so that the device can learn user actions and mimic them later.

The Home Gateway Initiative (HGI) is an alliance of leading home gateway manufacturers working together to improve the home gateway experience [59]. HGI's role is to specify requirements and plans for home gateways that support QoS and the roll-out of triple-play and broadband services. HGI works on enabling services, including a delivery framework for smart-home services. The ProSyst series of products launched by the Bosch Group provides a multi-service platform for smart homes. It offers a framework for developing smart-home applications and creates a marketplace for them, to the benefit of third-party developers and an open-source standard platform [60].

Currently available IoT hubs do not offer many features and are difficult to operate, but a number of manufacturers have been developing new technologies for smarter home gateways and IoT hubs that include features such as automated management. Most of this work has targeted better wireless coverage, easier device communication and higher bandwidth for the connected devices; the security aspect is not considered in most cases. Our proposed system bundles the management features and access point control together with better security functionality. It also provides features such as parental control, restricted D2D communication, better traffic analysis and middlebox functionality.

VII. CONCLUSION

Our proposed system is the first realization of the idea of bringing remote management, enterprise-grade security and the benefits of SDN to SOHO and small enterprise networks. Securebox is an easy-to-deploy, highly portable solution at a much lower cost. System evaluation has shown that it can be deployed on Raspberry Pi sized devices, which increases portability and reduces costs. The CSS offers subscribers a facility to analyze their traffic through middleboxes in a cloud environment. It also enables remote management of Secureboxes installed at the network edge, taking the burden of network management away from users. Offloading traffic analysis and network management operations to the CSS increases system scalability for home and enterprise networks. Secureboxes installed in different networks act as sensors for the CSS and collect network-level statistics from those networks. The CSS can use this data to detect botnets and malware and to gain other insights about the network. The results of this analysis can be used to detect threats to network security and to improve QoS and management for subscribers' networks. Our proposed system introduces a collaborative scheme that allows networks to share attack-related information, which helps in the rapid detection and mitigation of attacks on disjoint network segments.

Our work shows that using SDN in SOHO and small enterprise environments does not degrade the user experience. The system is designed to minimize its impact on network latency and user privacy. Our experimental results show that Securebox introduces only a marginal (almost negligible) increase in the latency experienced by the user. We also introduce a number of subscription models for the CSS to ensure user privacy. The CSS analyzes the data collected from connected networks to detect various abnormal behaviors and threats occurring in those networks. The collaborative scheme introduced in this paper allows the CSS to rapidly share this information with all Secureboxes so that they can promptly block any attempts to attack the network.

Our prototype system has shown that the proposed model for securing home and enterprise environments is functional and effective. It can be deployed incrementally alongside current infrastructure and can resolve many security and network management problems in traditional networks. It can ease the tasks of enterprise network management teams. The proposed model also resolves many security issues encountered in IoT and BYOD environments.

ACKNOWLEDGMENT

This work is carried out in the DIGILE Internet of Things (IoT) and Cloud Security Services (CloSe) projects supported by Tekes and the Academy of Finland. The authors would like to thank Valtteri Niemi, Seppo Hatonen, and Emad Nikkhouy for their feedback and technical support.

REFERENCES

[1] X. Liang et al., “Enabling pervasive healthcare through continuous remote health monitoring”. IEEE Wireless Commun., vol. 19, no. 6, December 2012, pp. 10–18.

[2] K. Zhang et al., “Security and Privacy for Mobile Healthcare Networks: from a Quality of Protection Perspective”. IEEE Wireless Commun., vol. 22, no. 4, August 2015, pp. 34–40.

[3] Y. de Montjoye et al., “openPDS: Protecting the Privacy of Metadata through SafeAnswers”. PLoS One, vol. 9, no. 7, July 2014.

[4] J. Zhou et al., “Security and privacy in cloud-assisted wireless wearable communications: Challenges, solutions, and future directions”. IEEE Wireless Commun., vol. 22, no. 2, April 2015, pp. 136–144.

[5] H. Ning, H. Liu and L. T. Yang, “Cyberentity Security in the Internet of Things”. Computer, vol. 46, no. 4, April 2013, pp. 46–53.

[6] J. Oltsik, “The Internet of Things: A CISO and Network Security Perspective”. Enterprise Strategy Group, https://www.cisco.com/web/strategy/docs/energy/network-security-perspective.pdf, October 2014.

[7] M. Stahlberg, “Smart Homes: Opportunities and Risks”. Internet of Things-Finland Magazine, January 2015, pp. 60–63.

[8] Y. de Montjoye et al., “openPDS: Protecting the Privacy of Metadata through SafeAnswers”. PLoS One, vol. 9, no. 7, July 2014.

[9] K. L. Calvert et al., “Instrumenting Home Networks”. SIGCOMM Comput. Commun. Rev., vol. 41, no. 1, January 2011, pp. 84–89.

[10] R. Jin and B. Wang, “Malware Detection for Mobile Devices Using Software-Defined Networking”. Proc. GREE ’13, February 2013, pp. 81–88.

[11] A. Bremler-Barr et al., “Deep Packet Inspection As a Service”. Proc. CoNEXT ’14, December 2014, pp. 271–282.

[12] M. G. Xavier et al., “Performance Evaluation of Container-Based Virtualization for High Performance Computing Environments”. Proc. IEEE Conf. on PDP, February 2013, pp. 233–240.

[13] A. K. Nayak et al., “Resonance: Dynamic Access Control for Enterprise Networks”. Proc. ACM WREN ’09, August 2009, pp. 11–18.

[14] Z. A. Qazi et al., “SIMPLE-fying Middlebox Policy Enforcement Using SDN”. Proc. SIGCOMM ’13, August 2013, pp. 27–38.

[15] A. Gember et al., “Towards Software-defined Middlebox Networking”. Proc. HotNets ’12, October 2012, pp. 7–12.

[16] S. Justin et al., “BlindBox: Deep Packet Inspection over Encrypted Traffic”. SIGCOMM Comput. Commun. Rev., vol. 45, no. 5, October 2015, pp. 213–226.

[17] A. Bremler-Barr et al., “Balancing Accountability and Privacy in the Network”. SIGCOMM Comput. Commun. Rev., vol. 44, no. 4, August 2014, pp. 75–86.

[18] N. Feamster, “Outsourcing Home Network Security”. Proc. ACM HomeNets, October 2010, pp. 37–42.

[19] A. Brown et al., “An Exploration of User Recognition on Domestic Networks Using NetFlow Records”. Proc. ACM UbiComp ’14 Adjunct, September 2014, pp. 903–910.

[20] M. Chetty et al., “uCap: An Internet Data Management Tool For The Home”. Proc. ACM CHI, April 2015, pp. 3093–3102.

[21] M. Casado et al., “Ethane: Taking Control of the Enterprise”. SIGCOMM Comput. Commun. Rev., October 2007, pp. 1–12.

[22] A. Alwabel et al., “SENSS: Observe and Control Your Own Traffic in the Internet”. Proc. ACM SIGCOMM, Chicago, 2014, pp. 349–350.

[23] R. Meyran, “DefenseFlow: The First Ever SDN Application that Programs Networks for DoS/DDoS Security”. http://blog.radware.com/security/2013/04/defenseflow-dosddos-security/, April 2013.

[24] J. Sherry et al., “Making Middleboxes Someone Else’s Problem: Network Processing As a Cloud Service”. Proc. ACM SIGCOMM, August 2012, pp. 13–24.

[25] O. Flauzac et al., “SDN Based Architecture for IoT and Improvement of the Security”. Proc. IEEE WAINA, March 2015, pp. 688–693.

[26] M. Yu et al., “SENSS: Software Defined Security Service”. Open Networking Summit (ONS), March 2014, pp. 349–350.

[27] P. K. Shanmugam et al., “DEIDtect: Towards Distributed Elastic Intrusion Detection”. Proc. ACM SIGCOMM Workshop on Distributed Cloud Computing, October 2014, pp. 17–24.

[28] A. Y. Ding, J. Crowcroft, S. Tarkoma and H. Flinck, “Software Defined Networking for Security Enhancement in Wireless Mobile Networks”. Computer Networks, vol. 66, June 2014, pp. 94–101.

[29] S. T. Ali et al., “A Survey of Securing Networks using Software Defined Networking”. IEEE Transactions on Reliability, vol. 64, no. 3, September 2015, pp. 1086–1097.

[30] H. Haddadi et al., “Personal Data: Thinking Inside the Box”. Tech. Rep. abs/1501.04737, arXiv, January 2015, pp. 349–350.

[31] I. Hafeez et al., “Demo: Cloud-based Security As a Service for Smart IoT Environments”. Proc. ACM S3, September 2015, pp. 20–20.

[32] S. Tarkoma, C. E. Rothenberg and E. Lagerspetz, “Theory and Practice of Bloom Filters for Distributed Systems”. IEEE Communications Surveys & Tutorials, vol. 14, no. 1, April 2011, pp. 131–155.

[33] I. Hafeez et al., “Cloud-based Security As a Service for Smart IoT Environments”. CloSe Workshop, https://wiki.aalto.fi/display/CloSeProject/Project+Summary, April 2015.

[34] L. Fang et al., “Hierarchical SDN for the Hyper-scale, Hyper-elastic Data Center and Cloud”. Proc. SoSR, March 2015, pp. 7:1–7:13.

[35] Schulz-Zander et al., “OpenSDWN: Programmatic Control over Home and Enterprise WiFi”. Proc. SoSR, March 2015, pp. 16:1–16:12.

[36] A. Dixit et al., “ElastiCon: An Elastic Distributed SDN Controller”. Proc. ANCS, March 2014, pp. 17–28.

[37] N. Feamster, J. Rexford and E. Zegura, “The Road to SDN: An Intellectual History of Programmable Networks”. SIGCOMM Comput. Commun. Rev., April 2014, pp. 87–98.

[38] M. Casado et al., “Ethane: Taking Control of the Enterprise”. SIGCOMM Comput. Commun. Rev., October 2007, pp. 1–12.

[39] K. Levchenko, R. Paturi and G. Varghese, “On the Difficulty of Scalably Detecting Network Attacks”. Proc. CCS, October 2004, pp. 12–20.

[40] X. Ge et al., “OpenANFV: Accelerating Network Function Virtualization with a Consolidated Framework in OpenStack”. SIGCOMM Comput. Commun. Rev., April 2014, pp. 353–354.

[41] M. Roesch, “Snort – Lightweight Intrusion Detection for Networks”. Proc. LISA ’99, November 1999, pp. 229–238.

[42] D. Merkel, “Docker: Lightweight Linux Containers for Consistent Development and Deployment”. Linux Journal, March 2014.

[43] M. J. Covington and R. Carskadden, “Threat Implications of the Internet of Things”. Proc. Int. Conf. on Cyber Conflict, June 2013.

[44] Statista, “Statistics and facts about Smartphones”. http://www.statista.com/topics/840/smartphones/, October 2015.

[45] A. Greenberg, “Hackers Remotely Kill a Jeep on the Highway With Me in It”. http://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/, July 2015.

[46] T. Whitford, “Protecting People, Data and Profits with Security-Optimized Embedded Designs”. http://www.atmel.com/Images/Atmel Protecting People Data Profits with Security-Optimized Embedded Design.pdf, 2013.

[47] S. Gibbs, “Samsung launches SmartThings internet of things hub”. http://www.theguardian.com/technology/2015/sep/03/samsung-launches-smartthings-internet-of-things-hub, September 2015.

[48] R. Crist, “Meet the smart hubs competing to control your home”. http://www.cnet.com/news/smart-hubs/, July 2014.

[49] Noction: Network Intelligence, “Understanding the impact of network latency on Service Providers’ business”. http://www.noction.com/blog/does latency really matter, August 2010.

[50] “Kubernetes by Google”. http://kubernetes.io/, October 2015.

[51] “Managed Incident Lightweight Exchange (mile)”. https://datatracker.ietf.org/wg/mile/charter/, October 2011.

[52] “Project Floodlight: Open Source Software for Building Software-Defined Networks”. http://www.projectfloodlight.org/floodlight/, October 2015.

[53] “Open vSwitch”. http://openvswitch.org/, October 2015.

[54] “fitPC: Quality fanless computers”. http://www.fit-pc.com/web/, October 2015.

[55] Raspberry Pi Foundation, “Raspberry Pi 2 Model B”. https://www.raspberrypi.org/products/raspberry-pi-2-model-b/, October 2015.

[56] U. Holzle, “Inter-Datacenter WAN with centralized TE using SDN and OpenFlow”. https://www.opennetworking.org/images/stories/downloads/sdn-resources/customer-case-studies/cs-googlesdn.pdf, October 2015.

[57] Google OnHub, “OnHub: A new type of router for the new way of Wi-Fi”. https://on.google.com/hub/, October 2015.

[58] Qualcomm, “Qualcomm Smart Gateway: You live. It learns”. https://www.qualcomm.com/products/smart-home, October 2015.

[59] HGI, “Home Gateway Initiative”. http://www.homegatewayinitiative.org/, October 2015.

[60] Bosch Group, “ProSyst”. http://www.prosyst.com/startseite/, October 2015.

[61] M. Eddy, “Webcam Hacker Targeted Miss Teen USA in Sextortion Plot”. http://www.securitywatch.pcmag.com/security/314889-miss-teen-usa-targeted-by-webcam-hacker-in-sextorition-plot, August 2013.

[62] European Union Agency for Network and Information Security, “Top Ten Smartphone Risks”. https://www.enisa.europa.eu/activities/Resilience-and-CIIP/critical-applications/smartphone-security-1/top-ten-risks, October 2015.