- BASTION: A Security Enforcement Network Stack for Container Networks
Bastion is a new high-performance security enforcement network stack that extends the container hosting platform with an intelligent container-aware communication sandbox. Bastion introduces (i) a network visibility service that provides fine-grained control over the visible network topology per container application, and (ii) a traffic visibility service, which securely isolates and forwards inter-container traffic in a point-to-point manner, preventing the exposure of this traffic to other peer containers.
- KubeArmor: A Runtime Security Enforcement System for Container Environments
KubeArmor is a cloud-native runtime security enforcement system that restricts the behavior (such as process execution, file access, and networking operations) of pods, containers, and nodes (VMs) at the system level. KubeArmor leverages Linux security modules (LSMs) such as AppArmor, SELinux, or BPF-LSM to enforce user-specified policies. KubeArmor generates rich alerts/telemetry events with container/pod/namespace identities by leveraging eBPF.
- Kunerva: Automated Network Policy Discovery Framework for Containers
Kunerva is an automated framework for generating effective network security policies, a task made difficult by label-based container management and the dynamic nature of container deployments. Kunerva performs policy discovery over network logs to produce a minimum set of network security policies that achieves maximum coverage of observed traffic while preserving isolation between containers. To make the generated policies trustworthy, Kunerva also integrates with a policy enforcement system (e.g., Gatekeeper) for policy verification before deployment.
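The discovery step described above, as an added illustration that is not Kunerva's own code: a constructed flow log of observed pod-to-pod connections is grouped by destination workload and source workload, one Kubernetes NetworkPolicy is emitted per destination (plus a deny-all ingress policy for workloads that were only ever seen as sources, so they stay isolated), and every log entry is then re-checked against the generated policies in the way an enforcement system would evaluate it. The log format, the label-based grouping and the helper names are assumptions for this example.

```python
"""Kunerva-style network policy discovery from flow logs (added example,
not Kunerva's own code). Log format and grouping rule are assumptions."""
from collections import defaultdict

# Constructed flow log: (src labels, dst labels, dst port, protocol).
FLOW_LOG = [
    ({"app": "web", "tier": "frontend"}, {"app": "api"}, 8080, "TCP"),
    ({"app": "web", "tier": "frontend"}, {"app": "api"}, 8080, "TCP"),  # repeat
    ({"app": "web", "tier": "frontend"}, {"app": "api"}, 9090, "TCP"),  # metrics
    ({"app": "api"}, {"app": "db"}, 5432, "TCP"),
    ({"app": "api"}, {"app": "cache"}, 6379, "TCP"),
    ({"app": "batch"}, {"app": "db"}, 5432, "TCP"),
]


def _key(labels):
    """Hashable, order-independent form of a label set."""
    return tuple(sorted(labels.items()))


def _name(prefix, key):
    return prefix + "-".join(f"{k}-{v}" for k, v in key)


def discover_policies(flows):
    """Emit one ingress NetworkPolicy per destination workload with one rule
    per source workload (ports merged), and a deny-all ingress policy for
    workloads never observed as a destination."""
    grouped = defaultdict(lambda: defaultdict(set))  # dst -> src -> {(port, proto)}
    seen = set()
    for src, dst, port, proto in flows:
        grouped[_key(dst)][_key(src)].add((port, proto))
        seen.update((_key(src), _key(dst)))

    policies = []
    for dst_key, sources in sorted(grouped.items()):
        ingress = [{
            "from": [{"podSelector": {"matchLabels": dict(src_key)}}],
            "ports": [{"port": p, "protocol": pr} for p, pr in sorted(ports)],
        } for src_key, ports in sorted(sources.items())]
        policies.append(_policy(_name("allow-to-", dst_key), dst_key, ingress))
    for key in sorted(seen - set(grouped)):  # source-only workloads: isolate
        policies.append(_policy(_name("deny-ingress-", key), key, []))
    return policies


def _policy(name, selector_key, ingress):
    return {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "NetworkPolicy",
        "metadata": {"name": name},
        "spec": {
            "podSelector": {"matchLabels": dict(selector_key)},
            "policyTypes": ["Ingress"],
            "ingress": ingress,
        },
    }


def _matches(selector, labels):
    """podSelector semantics: every selector label must be present and equal."""
    return all(labels.get(k) == v for k, v in selector.items())


def is_allowed(policies, src, dst, port, proto):
    """Kubernetes evaluation: a pod selected by any policy is default-deny
    for that policy type; the flow passes if any rule of any policy admits it."""
    selected = [p for p in policies
                if _matches(p["spec"]["podSelector"]["matchLabels"], dst)]
    if not selected:
        return True  # unselected pods are unrestricted
    for pol in selected:
        for rule in pol["spec"]["ingress"]:
            if not any(_matches(f["podSelector"]["matchLabels"], src)
                       for f in rule["from"]):
                continue
            if any(pp["port"] == port and pp["protocol"] == proto
                   for pp in rule["ports"]):
                return True
    return False


def coverage(policies, flows):
    """Fraction of observed flows admitted by the generated policy set."""
    return sum(is_allowed(policies, *f) for f in flows) / len(flows)


if __name__ == "__main__":
    pols = discover_policies(FLOW_LOG)
    print(len(pols), "policies; coverage", coverage(pols, FLOW_LOG))
```

The verification pass matters: coverage of the observed log should be 1.0, and flows that never appeared (for example `web` straight to `db`, or `batch` to `cache`) must be rejected, otherwise the minimal set is not actually enforcing isolation.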
Software-Defined Networking (SDN)
- Barista: Operator-defined Reconfigurable Network OS for Software-Defined Networks
Barista is a novel architecture that enables flexible and customizable instantiations of network operating systems (NOSs) for software-defined networks (SDNs). First, Barista's modular design allows the flexible composition of functionalities found in contemporary SDN controllers. Second, its event-handling mechanism enables dynamic customization of control flows in a NOS. Third, its predictive NOS assessment helps discover the optimal composition for the requirements specified by operators.
Network Function Virtualization (NFV)
- Probius: Automated Approach for VNF and Service Chain Analysis in Software-Defined NFV
Probius is a performance analysis system that provides a comprehensive view of virtualized network functions (VNFs) and their service chains based on NFV architectural characteristics. Probius collects as many NFV performance-related features as possible, analyzes the behavior of VNFs within service chains, and finally infers the likely causes of performance uncertainties in the VNFs of suspicious service chains.
Internet of Things (IoT)
- SODA: A Software-defined Security Framework for IoT Environments
SODA is a secure IoT gateway that enables device-side dynamic access control and can deploy various security services to protect sensitive and private information. Assuming that a large number of IoT devices are clustered around an IoT gateway, SODA is built for such an environment on software-defined networking (SDN), integrates virtualized network functions (VNFs) through network function virtualization (NFV), and runs on top of a real IoT device.
High-Performance Network Security
- Haetae: Scaling the Performance of Network Intrusion Detection with Many-core Processors
Haetae is a highly scalable network intrusion detection system (NIDS) for many-core processors. To maximize NIDS performance, we take advantage of the underlying hardware and adhere to four design principles: a shared-nothing architecture, computation offloading, lightweight data structures, and flow offloading. Our experiments show that these design choices significantly improve NIDS performance (79 Gbps with 1514B synthetic packets).