Research
Ongoing Research
Container Runtime Security
API Observability and Security
System Optimization and Security for AI Services
Service Attestation and Traffic Encryption for Multi-cloud Environments
Cryptographic Agility
Cloud Computing
BASTION: A Security Enforcement Network Stack for Container Networks
Bastion is a new high-performance security enforcement network stack that extends the container hosting platform with an intelligent container-aware communication sandbox. Bastion introduces (i) a network visibility service that provides fine-grained control over the visible network topology per container application, and (ii) a traffic visibility service, which securely isolates and forwards inter-container traffic in a point-to-point manner, preventing the exposure of this traffic to other peer containers.
Kunerva: Automated Network Policy Discovery Framework for Containers
Kunerva is an automated framework for generating effective network security policies for containers, a task complicated by label-based container management and the dynamic nature of container deployments. Kunerva discovers policies from network logs, producing a minimal set of network security policies that covers the observed traffic while preserving isolation between containers. To improve the reliability of the generated policies, Kunerva also integrates with a policy enforcement system (e.g., Gatekeeper) to verify them.
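The two mechanisms described above, policy discovery from flow logs (Kunerva) and enforcement of the resulting per-container visibility (Bastion), can be illustrated together. The following is an added example written for this page; it is not Kunerva's or Bastion's own code. The pod inventory, the flow-log schema, the policy shape, the choice to select destinations by their app label, and the min_count noise filter are all assumptions for illustration, and the flows are constructed rather than captured.

```python
"""Label-based policy discovery from container flow logs, then enforcement.

Added example, not Kunerva's or Bastion's own code. The pod inventory, the
flow-log schema, the policy shape and the min_count noise filter are all
assumptions made for illustration; the flows below are constructed, not captured.
"""
from collections import Counter, defaultdict

# Constructed inventory: pod name -> labels (assumed label schema).
PODS = {
    "web-1":   {"app": "web", "tier": "frontend"},
    "web-2":   {"app": "web", "tier": "frontend"},
    "web-3":   {"app": "web", "tier": "frontend"},   # replica never seen in the log
    "api-1":   {"app": "api", "tier": "backend"},
    "db-1":    {"app": "db",  "tier": "data"},
    "scanner": {"app": "scan", "tier": "ops"},
}

# Constructed flow log from a learning window: (src_pod, dst_pod, dst_port, proto).
FLOW_LOG = [
    ("web-1", "api-1", 8080, "TCP"),
    ("web-1", "api-1", 8080, "TCP"),
    ("web-2", "api-1", 8080, "TCP"),
    ("web-2", "api-1", 8080, "TCP"),
    ("api-1", "db-1", 5432, "TCP"),
    ("api-1", "db-1", 5432, "TCP"),
    ("api-1", "db-1", 5432, "TCP"),
    ("scanner", "db-1", 5432, "TCP"),   # one-off probe during the window
]


def matches(selector, labels):
    """A selector matches a pod when every key/value in the selector is on the pod."""
    return all(labels.get(k) == v for k, v in selector.items())


def common_labels(pod_names):
    """Label pairs shared by every listed pod: the most general selector that
    still covers exactly those pods' label intersection."""
    label_sets = [set(PODS[p].items()) for p in pod_names]
    return dict(set.intersection(*label_sets))


def discover_policies(flow_log, min_count=1):
    """Derive a minimal set of label-based allow rules covering observed flows.

    Flows seen fewer than min_count times are treated as noise and dropped.
    Sources of one (dst app, port, proto) group are generalised to their common
    labels; when they share no label, the group is split per source pod rather
    than emitting an empty selector, which would match every pod.
    """
    counts = Counter(flow_log)
    groups = defaultdict(set)
    for (src, dst, port, proto), n in counts.items():
        if n < min_count:
            continue
        groups[(PODS[dst]["app"], port, proto)].add(src)   # assumed: select dst by app label

    policies = []
    for (dst_app, port, proto), sources in sorted(groups.items()):
        selector = common_labels(sources)
        from_selectors = [selector] if selector else [dict(PODS[s]) for s in sorted(sources)]
        for sel in from_selectors:
            policies.append({"from": sel, "to": {"app": dst_app}, "port": port, "proto": proto})
    return policies


def is_visible(src, dst, port, proto, policies):
    """Enforcement side: is dst reachable from src on this port under the policies?"""
    return any(
        matches(p["from"], PODS[src]) and matches(p["to"], PODS[dst])
        and p["port"] == port and p["proto"] == proto
        for p in policies
    )


def coverage(flow_log, policies):
    """Fraction of logged flows the policy set would have permitted."""
    return sum(1 for f in flow_log if is_visible(*f, policies)) / len(flow_log)


if __name__ == "__main__":
    for min_count in (1, 2):
        pol = discover_policies(FLOW_LOG, min_count)
        print(f"min_count={min_count}: {len(pol)} policies, coverage={coverage(FLOW_LOG, pol):.3f}")
        for p in pol:
            print("  ", p)
```

With min_count=1 the discovered rules cover every logged flow, and because the rules are label-based, a new replica such as web-3 is allowed to reach the API without being in the log. Raising min_count to 2 drops the scanner's single probe at the cost of coverage, which is the trade-off between maximum traffic coverage and isolation that the policy discovery has to balance. The split-per-pod fallback matters: without it, two sources with no shared label would collapse into an empty selector that permits every pod.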
Software-Defined Networking (SDN)
Barista: Operator-defined Reconfigurable Network OS for Software-Defined Networks
Barista is a novel architecture that enables flexible and customizable instantiations of network operating systems (NOSs) for software-defined networks (SDNs). First, Barista's modular design allows flexible composition of the functionalities found in contemporary SDN controllers. Second, its event-handling mechanism allows dynamic customization of control flows in a NOS. Third, its predictive NOS assessment helps discover the optimal composition for the requirements specified by operators.
Network Function Virtualization (NFV)
Probius: Automated Approach for VNF and Service Chain Analysis in Software-Defined NFV
Probius is a performance analysis system that provides a comprehensive view of virtualized network functions (VNFs) and their service chains, based on the architectural characteristics of NFV. Probius collects as many NFV performance-related features as possible, analyzes the behavior of VNFs within service chains, and infers the likely causes of performance uncertainty in the VNFs of suspicious service chains.
Internet of Things (IoT)
SODA: A Software-defined Security Framework for IoT Environments
SODA is a secure IoT gateway that enables device-side dynamic access control and can deploy various security services to protect sensitive and private information. Assuming that many IoT devices are clustered around a single IoT gateway, SODA is built for that environment on software-defined networking (SDN), integrated with virtualized network functions (VNFs) running over network function virtualization (NFV), and implemented on a real IoT device.
High-Performance Network Security
Haetae: Scaling the Performance of Network Intrusion Detection with Many-core Processors
Haetae is a highly scalable network intrusion detection system (NIDS) for many-core processors. To maximize NIDS performance, it exploits the underlying hardware and follows four design principles: a shared-nothing architecture, computation offloading, lightweight data structures, and flow offloading. Our experimental results show that these design choices significantly improve NIDS performance (79 Gbps with 1514-byte synthetic packets).
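Two of the four principles, the shared-nothing architecture and flow offloading, can be shown in a small simulation. The following is an added example written for this page, not Haetae's own code: it dispatches packets to per-core workers with a symmetric flow hash so that both directions of a connection land on the same core, and stops pattern matching on a flow once it has carried a threshold of clean payload. The core count, the CRC-based hash, the byte threshold, the toy signatures and the packet trace are all assumptions for illustration; the trace is constructed, not captured.

```python
"""Shared-nothing NIDS dispatch with symmetric flow hashing and flow offloading.

Added example, not Haetae's own code. The core count, the CRC-based symmetric
hash, the byte threshold after which a clean flow stops being inspected, the toy
signatures and the packet trace are all assumptions for illustration; the
trace is constructed, not captured.
"""
import zlib

N_CORES = 4
OFFLOAD_AFTER_BYTES = 1500                  # assumed: skip DPI once a clean flow has carried this much payload
SIGNATURES = [b"cmd.exe /c", b"' OR 1=1"]   # constructed toy signatures


def pkt(sip, sport, dip, dport, payload, proto="TCP"):
    return {"sip": sip, "sport": sport, "dip": dip, "dport": dport, "proto": proto, "payload": payload}


def flow_key(p):
    """Direction-independent 5-tuple: both halves of a connection share one key."""
    ends = sorted([(p["sip"], p["sport"]), (p["dip"], p["dport"])])
    return (p["proto"],) + tuple(ends)


def core_for(p, n_cores=N_CORES):
    """Symmetric hash so a flow's request and reply packets land on the same core,
    which is what lets each core keep flow state without sharing it."""
    return zlib.crc32(repr(flow_key(p)).encode()) % n_cores


class CoreWorker:
    """Per-core state only: no shared flow table, no locks."""

    def __init__(self):
        self.flows = {}
        self.stats = {"inspected": 0, "offloaded": 0, "alerts": 0}

    def handle(self, p):
        st = self.flows.setdefault(flow_key(p), {"bytes": 0, "alerted": False})
        # Flow offloading: a flow that has stayed clean past the threshold skips
        # pattern matching; a flow that already fired an alert is never offloaded.
        if st["bytes"] >= OFFLOAD_AFTER_BYTES and not st["alerted"]:
            self.stats["offloaded"] += 1
        else:
            self.stats["inspected"] += 1
            if any(sig in p["payload"] for sig in SIGNATURES):
                st["alerted"] = True
                self.stats["alerts"] += 1
        st["bytes"] += len(p["payload"])


def run(packets, n_cores=N_CORES):
    """Dispatch every packet to the worker its flow hashes to; return the workers."""
    workers = [CoreWorker() for _ in range(n_cores)]
    for p in packets:
        workers[core_for(p, n_cores)].handle(p)
    return workers


def totals(workers):
    """Aggregate per-core counters after the run (the only cross-core step)."""
    out = {"inspected": 0, "offloaded": 0, "alerts": 0}
    for w in workers:
        for k in out:
            out[k] += w.stats[k]
    return out


# Constructed trace: flow A is a clean 1000-byte exchange; flow B carries a signature.
A_FWD = pkt("10.0.0.1", 40000, "10.0.0.2", 80, b"x" * 1000)
A_REV = pkt("10.0.0.2", 80, "10.0.0.1", 40000, b"y" * 1000)
PACKETS = [
    A_FWD, A_REV, A_FWD, A_FWD,                                    # 3rd and 4th are offloaded
    pkt("10.0.0.3", 40001, "10.0.0.2", 80, b"z" * 1000),
    pkt("10.0.0.3", 40001, "10.0.0.2", 80, b"GET /?q=' OR 1=1 "),  # alert
    pkt("10.0.0.3", 40001, "10.0.0.2", 80, b"z" * 1000),
    pkt("10.0.0.3", 40001, "10.0.0.2", 80, b"z" * 1000),           # still inspected: flow alerted
]

if __name__ == "__main__":
    print(totals(run(PACKETS)))
```

The symmetric key is what makes the shared-nothing design safe: if request and reply packets could hash to different cores, per-flow state would have to be shared or reconciled. The offload decision is deliberately one-way for flagged flows, since a flow that has already matched a signature is exactly the one whose remaining bytes must keep being inspected.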