Adversarial VNet Embeddings: A Threat for ISPs?

Yvonne-Anne Pignolet, Gilles Tredan, Stefan Schmid April, 2013

2 Telekom Innovation Laboratories Stefan Schmid

CloudNets = Virtual Networking Cloud Resources

Success of Node Virtualization

a.k.a. end-host virtualization VMWare revamped server business OpenStack VM = flexible allocation, migration.. «Elastic computing»

Trend of Link Virtualization

MPLS, VPN networks, VLANs Software Defined Networks

(SDN), OpenFlow, ... «The VMWare of the net» «Elastic networking»

Unified, fully virtualized networks: CloudNets „Combine networking with heterougeneous cloud resources (e.g., storage, CPU, ...)!“

The Vision: Sharing Resources.

The Vision: Flexible CloudNets.

Physical infrastructure

(e.g., accessed by mobile clients)

Specification:

1. close to mobile clients

2. >100 kbit/s bandwidth for synchronization

Provider 1

Provider 2

CloudNet requests

CloudNet 2: Mobile service w/ QoS CloudNet 1: Computation

Specification:

1. > 1 GFLOPS per node

2. Monday 3pm-5pm

3. multi provider ok

The Vision: Flexible CloudNets.

Physical infrastructure

(e.g., accessed by mobile clients)

Specification:

1. close to mobile clients

2. >100 kbit/s bandwidth for synchronization

Provider 1

Provider 2

CloudNet requests

CloudNet 2: Mobile service w/ QoS CloudNet 1: Computation

Specification:

1. > 1 GFLOPS per node

2. Monday 3pm-5pm

3. multi provider ok

Embedding: From Service Provider via Broker to Infrastructure Provider.

Roles in CloudNet Arch.

Service Provider (SP)

(offers services over the top)

Virtual Network Operator (VNO)

(operates CloudNet, Layer 3+, triggers migration)

Physical Infrastructure Provider (PIP)

(resource and bit pipe provider)

Virtual Network Provider (VNP)

(resource broker, compiles resources)

Embed!

Security Issues.

Are CloudNet embeddings a threat for ISPs?

Do embeddings leak information about infrastructure?

Request Complexity.

Are CloudNet embeddings a threat for ISPs?

How many embeddings needed to fully reveal topology?

Request Complexity

Embedding Model.

unit capacity

arbitrary node demand arbitrary link

demand

Embedding Model.

unit capacity

demand

relay cost ε>0 (e.g., packet rate)

Embedding Model.

unit capacity

demand

relay cost ε>0 (e.g., packet rate) We will ask for unit capacities on

nodes and links! Essentially a graph immersion problem: disjoint paths for virtual links...

Some Properties Simple...

«Is the network 2-connected?»

Example: Tree

How to discover a tree? (Too) naive idea: 1. Test whether triangle fits? (loop-free) 2. Try to add neighbors to node until it works

Example: Tree

How to discover a tree? Naive idea: 1. Test whether triangle fits? (loop-free) 2. Try to add neighbors to node as long as possible, then continue with other node (degree strategy)

Problem: virtual links may be embedded over multiple physical links! Can still extend v, but will miss nodes along the way!

Solution: Tree

TREE ALGORITHM: line strategy 1. Binary search on longest path («anchor»):

2. Last and first node explored, explore «branches» at pending nodes

Analysis: Amortized analysis on links.

Be Careful with Embedding Relation!

Example: - A cannot be embedded into B - B cannot be embedded into A - But A can be embedded into BB!

A B BB

4 6 7 1

Overview of Results.

PIP 3 Tree Can be explored in O(n)

requests. This is optimal!

PIP 3 General Graph Can be explored in O(n2)

Cactus Graph Can be explored in O(n)

Lower bound: via number of possible trees and binary information.

Idea: Make spanning tree and then try all edges. (Edges directly does not work!)

Via «graph motifs»! A general framework exploiting poset relation.

PIP 3 General Graph Can be explored in O(n2)

PIP 3 General Graph Can be explored in O(n^2)

General Recipe: Expand Request! 1. Find «knitting»: - increasing connectivity too late comes at high cost! - so first find graph structure of connected «motifs» - motif = 2-connected components

2. Expand knitting - add nodes along virtual edges

General Recipe. 1. Find «knitting»: - increasing connectivity too late comes at high cost! - so first find graph structure of connected «motifs» - motif = 2-connected components

2. Expand knitting - add nodes along virtual edges

General Recipe. 1. Find «knitting»: - increasing connectivity too late comes at high cost! - so first find graph structure of connected «motifs» - motif = 2-connected components

2. Expand knitting - greedily add nodes along virtual edges

Dictionary Attack: Expansion Framework.

Examples Tree motifs: Cactus motifs:

Basic “knittings” of the graph.

Motif Define an order on motif sequences: Constraints on which sequence to ask first in order not to overlook a part of the topology. (E.g., by embedding links across multiple hops.)

Dictionary

Partially ordered set: embedding relation fulfills reflexivity, anti-symmetry, transitivity.

Framework

Explore branches according

to dictionary order,

exploiting poset property.

Dictionary Attacks: Expand Framework.

Examples Tree motifs: Cactus motifs:

Basic “knittings” of the graph.

Motif Define an order on motif sequences: Constraints on which sequence to ask first in order not to overlook a part of the topology. (E.g., by embedding links across multiple hops.)

Dictionary

Partially ordered set: embedding relation fulfills reflexivity, anti-symmetry, transitivity.

Framework

Explore branches according

to dictionary order,

exploiting poset property.

Example: Dictionary as a DAG.

Dictionary is a directed acyclic graph: defines which motifs to ask first! (Ensure: no important part overlooked!) Graph b) can be derived from dictionary a)!

Example: Dictionary as a DAG.

Dictionary is a directed acyclic graph: defines which motifs to ask first! (Ensure: no important part overlooked!) Graph b) can be derived from dictionary a)!

Request complexity depends on depth! (E.g., number of motifs?)

Evaluation: Request Complexity in Real Graphs.

A small set of motifs is often sufficient to discover all or most of a topology! (Size of dictionary influences request complexity…) E.g., motifs for autonomous system AS 1239 (Sprint) from Rocketfuel:

Conclusion.

- CloudNets:

- Elastic computing and networking

- Federated architecture: embeddings

- New security challenges

- With binary replies, graphs can not be exploited very efficiently (at least linear time)

- A first look at topology!

The Project Website.

Collaborators and Publications. People

T-Labs / TU Berlin: Anja Feldmann, Carlo Fürst, Johannes Grassler, Arne Ludwig, Matthias Rost, Gregor Schaffrath, Stefan Schmid

Uni Wroclaw: Marcin Bienkowski Uni Tel Aviv: Guy Even, Moti Medina NTT DoCoMo Eurolabs: Group around Wolfgang Kellerer LAAS: Gilles Tredan ABB: Yvonne Anne Pignolet IBM Research: Johannes Schneider Arizona State Uni: Xinhui Hu, Andrea Richa

Publications

Prototype: J. Information Technology 2013, ICCCN 2012, ERCIM News 2012, SIGCOMM VISA 2009

Migration: ToN 2013, INFOCOM 2013, ICDCN 2013 + Elsevier TCS Journal, Hot-ICE 2011, IPTComm 2011, SIGCOMM VISA 2010

Embedding: INFOCOM 2013 (Mini-Conference), CLOUDNETS 2012, 2 x ACM UCC 2012, DISC 2012, ICDCN 2012 (Best Paper Distributed Computing Track)

Dr. Stefan Schmid

Telekom Innovation Laboratories Ernst-Reuter-Platz 7, D-10587 Berlin E-mail: stefan@net.t-labs.tu-berlin.de

Project website: http://www.net.t-labs.tu-

berlin.de/~stefan/virtu.shtml

Contact.

Adversarial VNet Embeddings: A Threat for ISPs? · Motif Define an order on motif sequences:...

Documents

Installation Instructions · The DatalinkII software regards a single USM as four individual Vnet sensors channels. The USM can be used in conjunction with any Vnet sensor, Racepak

vnet 2007manual español

KARMA Motif Using the Remote Mode – Motif XF/XS

Request for Quotation Number 19ZA6018PR7621202 for Vnet Back-Up Internet … · 2018-12-21 · Request for Quotation Number 19ZA6018PR7621202 for Vnet Back-Up Internet Circuit TABLE

Request for Quotation Number 19ZA6018PR7621202 for Vnet

Veriteq vNet PoE Device

GS32Q01B10-31E ProSafe-RS Safety Instrumented System Overview (for Vnet IP)

VPN Solutions Zerto Virtual Replication to Azures3.amazonaws.com/zertodownload_docs/Marketing_Material/VPN Solutions... · • An Azure Vnet – a Vnet is like a VLAN. When you create

Single Motif Charles Yan Spring 2006. 2 Single Motif

Indonesia News - Kemlu · Indonesia News E M B A S S Y O F ... A piece of Batik is named based on its motif, ... Jakarta motif, West Kalimantan motif, Riau motif, West Sumatera motif,

Terms - Dat… · Web viewv201701. General Business Terms of VNET a.s. for. Providing . VNET Data Services. Article I. Definition of Terms. 1.1For the purposes of the Contract the

VNET/P:BridgingtheCloudandHighPerformance ...pdinda/Papers/hpdc12-vnet.pdfVNET/P:BridgingtheCloudandHighPerformance ComputingThroughFastOverlayNetworking LeiXia∗ ZhengCui§ JohnLange‡

Biological sequence motif discovery using motif-x.motif-x.med.harvard.edu/publications/Chou_Schwartz_motif...Biological sequence motif discovery using motif-x. Michael F. Chou1 and

Cisco Connect Dubrovnik · VPC/VNET Compute VPC/VNET Using Marketplace (DIY) Remote Site SD-WAN Fabric Branch Campus Cloud Data Center Compute VPCs/VNETs Gateway VPC/VNET Fully Automated

6D-VNet: End-to-End 6-DoF Vehicle Pose Estimation From …openaccess.thecvf.com/content_CVPRW_2019/papers/Autonomous … · 6D-VNet: End-to-end 6DoF Vehicle Pose Estimation from Monocular

CS 5263 & CS 4593 Bioinformatics Motif finding. What is a (biological) motif? A motif is a recurring fragment, theme or pattern Sequence motif: a sequence

VNet User's Manual and Tutorial

Request Complexity of VNet Topology Extraction: Dictionary

Sectia Functia Vnet SERV. DE PREV. SI CONTROL AL INFECT ... financiare/Vnet0814.pdf · Sectia Functia Vnet SERV. DE PREV. SI CONTROL AL INFECT. NOZOCOMIALEmed.prim.s II (S) 3477 LABORATOR

2018 De vNet