Research

Software Defined Networking

SDN Data-plane Security

SDN-based NFV technologies improve the dependability and resilience of networks by enabling administrators to spawn and scale up traffic management and security services in response to dynamic network conditions. However, in practice, SDN-based NFV services often suffer from poor performance and require complex configurations, because network packets must be ‘detoured’ to each virtualized security service, which consumes bandwidth and increases network propagation delay. To address these challenges, we propose a new SDN-based data plane architecture called DPX that natively supports security services as a set of abstract security actions, which are then translated into OpenFlow rule sets.

Security Assessment Framework for SDN

As Software-Defined Networking (SDN) gains popularity, its security is drawing growing scrutiny, as reflected in recent studies presenting possible security vulnerabilities in SDN. Understanding the attack surface of SDN is necessary, and it is the starting point for making SDN more secure. However, most existing studies rely on empirical methods in different environments, and thus they have stopped short of converging on a systematic methodology or developing automated systems to rigorously test for security flaws in SDNs. Therefore, we need to disclose possible attack scenarios in diverse SDN environments and examine how these attacks operate in those environments. Motivated by the need to disclose vulnerabilities across diverse SDN operating scenarios, we propose DELTA, an SDN penetration-testing tool that reproduces known attack scenarios in diverse test cases.

Automated Permission Model Generation for SDN Control-plane

An important consideration in software-defined networks (SDNs) is that one SDN application, through a bug or API misuse, can break an entire SDN. While previous works have tried to mitigate such concerns by implementing access control mechanisms (permission models) for an SDN controller, they commonly require substantial manual effort to create a permission model. Moreover, they do not support flexible permission models, and they are often tightly coupled with a specific SDN controller. To address these limitations, we introduce an automated permission generation and verification system called VOGUE. A distinguishing aspect of VOGUE is that it automatically generates flexible permission models and yet is completely separated from the SDN controller implementation.

Cyber Threat Intelligence

Bitcoin Scam Detection

Cybercriminals have been actively using Bitcoin to trade illicit goods or fraudulent services, with a monetary volume of over 180 million USD on the Dark Web. In particular, Bitcoin scams have become increasingly prevalent because scam campaigns are cost-effective, yet this issue remains an understudied area, leaving no effective preventative solutions to this type of crime. To overcome the lack of a single centralized scam blacklist service, we present the design and implementation of ScamBreaker, a novel system for automatically collecting known Bitcoin scam addresses and detecting unreported scam addresses.

Cryptocurrency Abuses in Dark Web

The Dark Web is known to be a major source of malicious content such as drugs, malware, and scam campaigns. The purpose of this research is to collect large-scale Dark Web data, extract cryptocurrency information from it, and analyze the usage patterns of cryptocurrencies on the Dark Web. Because of their inherent anonymity, cryptocurrencies are commonly used for such trades. Researchers have noticed this issue and investigated how cryptocurrencies are used on the Dark Web, but only on small or outdated datasets. We introduce MFScope, a framework that analyzes the above-mentioned aspects on the most up-to-date Dark Web data.

Phishing Websites in Dark Web

The Dark Web has been notorious for harboring cybercriminals who abuse its anonymity. This anonymous nature allows website operators to conceal their identity and thereby makes it difficult for users to determine the authenticity of websites. Phishers abuse this perplexing authenticity to lure victims; however, little is known about the prevalence of phishing attacks on the Dark Web. We conducted an in-depth measurement study to demystify the prevalent phishing websites on the Dark Web. We analyzed the text content of 28,928 HTTP Tor hidden services hosting 21 million dark webpages and confirmed 901 phishing domains. We also discovered a trend on the Dark Web in which service providers perceive dark web domains as their service brands.

Container Security

Security enforcement network stack for container networks

We conduct a security analysis of container networks, identify a number of concerns that arise from the exposure of unnecessary network operations by containerized applications, and discuss their implications. We then present a new high-performance security enforcement network stack, called BASTION, which extends the container hosting platform with an intelligent container-aware communication sandbox. BASTION introduces a network visibility service that provides fine-grained control over the visible network topology per container application, and a traffic visibility service that securely isolates and forwards inter-container traffic in a point-to-point manner, preventing the exposure of this traffic to other peer containers. Our evaluation demonstrates how BASTION can effectively mitigate several adversarial attacks in container networks while improving overall performance by up to 25.4% within single-host containers and 17.7% for cross-host container communications.

Preventing Containers from Kernel Vulnerabilities

While containerization has emerged as a lightweight approach to package, deploy, and run legacy applications in a resource-efficient manner, the shared-kernel resource model used by containers introduces critical security concerns. Specifically, the abuse of system calls by a compromised container can trigger security vulnerabilities in the host kernel. Unfortunately, even though existing solutions provide powerful protection mechanisms against such issues, defining the capabilities a container needs is still left to operators. In this work, we thus introduce TCLP, a dynamic analysis system that helps operators configure the least set of capabilities for their containers, protecting not only the containers themselves but also the host. TCLP monitors the system calls issued by containers at runtime and derives the least set of capabilities required to run them from the collected system calls. Finally, operators apply the minimal capabilities discovered by TCLP to their containers, reducing the risk of kernel vulnerabilities.
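The syscall-to-capability reduction described above, as an added illustration that is not TCLP's own code: it parses a constructed strace-style trace, maps each observed syscall to the Linux capability it requires using a small subset of the relationship documented in capabilities(7) (an assumption of this example; a real tool would also inspect syscall arguments), and renders the result as docker run flags that drop everything and add back only what was observed.

```python
import re
from typing import Dict, List, Set

# Constructed subset of syscall -> required capability (see capabilities(7)).
# Assumption of this example, not TCLP's table; argument-dependent cases such as
# bind() on ports below 1024 (CAP_NET_BIND_SERVICE) are deliberately left out.
SYSCALL_CAPS: Dict[str, str] = {
    "chown": "CAP_CHOWN", "fchown": "CAP_CHOWN",
    "mknod": "CAP_MKNOD",
    "mount": "CAP_SYS_ADMIN", "umount2": "CAP_SYS_ADMIN",
    "setuid": "CAP_SETUID", "setgid": "CAP_SETGID",
    "chroot": "CAP_SYS_CHROOT",
    "ptrace": "CAP_SYS_PTRACE",
    "settimeofday": "CAP_SYS_TIME",
    "reboot": "CAP_SYS_BOOT",
    "iopl": "CAP_SYS_RAWIO",
}

# Syscall name at the start of an strace-style line, with an optional "[pid N]" prefix.
SYSCALL_RE = re.compile(r"^(?:\[pid\s+\d+\]\s+)?(\w+)\(")

def syscalls_from_trace(lines: List[str]) -> Set[str]:
    """Collect the distinct syscall names observed in a trace."""
    seen: Set[str] = set()
    for line in lines:
        m = SYSCALL_RE.match(line.strip())
        if m:
            seen.add(m.group(1))
    return seen

def least_capabilities(lines: List[str]) -> List[str]:
    """Map observed syscalls to capabilities; syscalls absent from the table need none."""
    return sorted({SYSCALL_CAPS[s] for s in syscalls_from_trace(lines) if s in SYSCALL_CAPS})

def docker_cap_flags(caps: List[str]) -> str:
    """Drop all capabilities, then add back only the observed ones (docker accepts names without CAP_)."""
    return " ".join(["--cap-drop=ALL"] + [f"--cap-add={c[len('CAP_'):]}" for c in caps])

# Constructed sample trace standing in for what a runtime monitor would collect.
SAMPLE_TRACE = [
    'execve("/usr/sbin/nginx", ["nginx"], ...) = 0',
    'openat(AT_FDCWD, "/etc/nginx/nginx.conf", O_RDONLY) = 3',
    'chown("/var/cache/nginx", 101, 101) = 0',
    '[pid  1234] setgid(101) = 0',
    '[pid  1234] setuid(101) = 0',
    'write(1, "ready", 5) = 5',
]

if __name__ == "__main__":
    caps = least_capabilities(SAMPLE_TRACE)
    print(caps, docker_cap_flags(caps))
```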