FASHION: Functional and Attack graph Secured HybrId Optimization of virtualized Networks

TL;DR

FASHION is a linear optimization tool that balances network routing efficiency with security risks by modeling attack graphs and generating SDN rules, enabling dynamic reconfiguration of virtualized networks.

Contribution

It introduces a novel multi-commodity flow optimization incorporating security risk via attack graphs, with a topology generator and scalable solution for large networks.

Findings

Successfully handles networks with up to 600 devices and thousands of flows.

Achieves solution times averaging 30 minutes on large instances.

Provides security-aware network reconfiguration capabilities.

Abstract

Maintaining a resilient computer network is a delicate task with conflicting priorities. Flows should be served while controlling risk due to attackers. Upon publication of a vulnerability, administrators scramble to manually mitigate risk while waiting for a patch. We introduce FASHION: a linear optimizer that balances routing flows with the security risk posed by these flows. FASHION formalizes routing as a multi-commodity flow problem with side constraints. FASHION formulates security using two approximations of risk in a probabilistic attack graph (Frigault et al., Network Security Metrics 2017). FASHION's output is a set of software-defined networking rules consumable by Frenetic (Foster et al., ICFP 2011). We introduce a topology generation tool that creates data center network instances including flows and vulnerabilities. FASHION is executed on instances of up to 600 devices, thousands of flows, and million edge attack graphs. Solve time averages 30 minutes on the largest instances (seconds on the smallest instances). To ensure the security objective is accurate, the output solution is assessed using risk as defined by Frigault et al. FASHION allows enterprises to reconfigure their network in response to changes in functionality or security requirements.