Network security: algorithms in the control tower

Date:
Changed on 14/04/2021
Improving traffic flow and filtering: network security combines two mutually contradictory demands. A CIFRE PhD carried out by Inria and the company Numeryx proposes an algorithmic solution to reduce computing time without lowering defences. The work supports the effort for more frugal digital technology, with a research paper published at the last IEEE NCA conference, in November 2020.
schéma réseau
© Photo by Pietro Jeng on Unsplash

Research conducted by two Inria teams

Ahmad Abboud returned from IEEE NCA, a major conference (in virtual form this year) of the network specialist community, with a well-received paper. The PhD student, employed by Numeryx, is in the final stages of a PhD jointly supervised by researchers from the PESTO and RESIST project teams (both joint between Inria and Loria), carrying out multidisciplinary research halfway between cybersecurity and network optimisation. Network traffic is regulated by a set of rules that dictate what goes in and out based on five parameters: the outgoing and incoming addresses, the protocol used and the input and output ports. Each rule also determines which action to take: reject or accept. “Numeryx approached RESIST and PESTO in 2018 with the problem of compressing filtering rules to reduce computing time, explains Michaël Rusinowitch, a researcher in the PESTO team. The teams proposed widening the objective to include the issue of distribution “which presents new fundamental challenges”. Ahmad Abboud will be entrusted with the task of building algorithms capable of distributing the filtering rules in an optimal way and orchestrating traffic flows.

Software at the control stations

Filtering malicious traffic requires expensive and energy-intensive equipment. TCAM (Ternary Content-Adressable Memory) plays an important role in network hardware (firewall, switch, router etc.). Its aim is to match the rule with the content of the messages it receives. This watchman-like technology is posted at the entrances of the network and checks the list of forbidden content. “This technology is very specific, constituting security memories that can contain up to 50,000 lines of rules. Ahmad’s PhD is based on distributing these rules in small switches that are only able to process a few hundred lines”. Abdelkader Lahmadi, an associate professor in the RESIST team and joint supervisor of the PhD, assisted Ahmad Abboud in the reorganisation of the filtering rules to be able to use them with greater precision and take advantage of network functioning to better place these control points. Here, the networks are SDNs, or Software Defined Networks, in which the traditional hardware devices are replaced by virtual switches deployed into servers. More flexible than traditional networks, SDNs rely on the algorithms of their controllers i.e., the software that controls the switches. “In traditional networks, every update requires each piece of hardware to be reconfigured individually. Here, by shifting the control plane to software, networks management becomes more flexible” explains Abdelkader Lahmadi.

schéma réseau / SDN
© Abdelkader Lahmadi
Network diagram

“Distributed filtering that is better spread out and less demanding in terms of computing time”

Automating network management operations requires being able to trust the algorithms that distribute the filtering rules. Protocol verification is the PESTO project team’s speciality. Ahmad Abboud’s objective is to analyse the controllers and check that the algorithms do what they are expected to do: “the use of the algorithms must be compliant with the security policy. Manipulating the rules must not introduce loopholes into the network”. Inria’s solution consists in sharing common rules across several flows, which facilitates security policy updates, avoids redundancy and optimises the number of rules “for an equivalent result”. Filtering is distributed, better spread out and faster. “It is a great collaboration with excellent results for everyone” says Abdelkader Lahmadi. Inria can notably compare this work to the solutions proposed by the Princeton (USA) and Technion (Israel) teams.

This work on new-generation software defined networks is currently in the simulation phase with an experimental platform being developed by Ahmad Abboud, who will defend his PhD at the end of 2021. His research contributes to the creation of more frugal digital technology at a time when the energy consumption of computer networks is a major concern. Over the next few years, other collaborations between Inria and industrial players will be able to extend this work to multiple fields of application. In the RESIST and PESTO headquarters, the teams are already imagining algorithmic security solutions for the fast-developing Internet of things.