Go to DBLP homepageFASHION: Functional and Attack Graph Secured HybrId Optimization of Virtualized Networks
Abstract: Maintaining a resilient computer network is a delicate task with conflicting priorities. Flows should be served while controlling risk due to attackers. Upon publication of a vulnerability, administrators scramble to manually mitigate risk while waiting for a patch. We introduce $\textsc {Fashion}$ : a linear optimizer that balances routing flows with the security risk posed by these flows. $\textsc {Fashion}$ formalizes routing as a multi-commodity flow problem with side-constraints. $\textsc {Fashion}$ formulates security using two approximations of risk in a probabilistic attack graph (Frigault et al. Network Security Metrics 2017). $\textsc {Fashion}$ 's output is a set of software-defined networking rules consumable by Frenetic (Foster et al. ICFP 2011). We introduce a topology generation tool that creates data center network instances including flows and vulnerabilities. $\textsc {Fashion}$ is executed on instances of up to 600 devices, thousands of flows, and million edge attack graphs. Solve time averages 30 minutes on the largest instances (seconds on the smallest instances). To ensure the security objective is accurate, the output solution is assessed using risk as defined by Frigault et al. $\textsc {Fashion}$ allows enterprises to reconfigure their network in response to changes in functionality or security requirements.
Loading