VMGuard: State-Based Proactive Verification of Virtual Network Isolation With Application to NFV

Network Functions Virtualization (NFV) simplifies and automates the creation and deployment of network services in a multi-tenant environment. However, clouds also raise tenants' concerns over possible breaches that violate the isolation of their deployments. Verifying such breaches in NFV faces unique challenges due to complexity and scalability issues.

In this paper, we propose VMGuard, a state-based proactive approach for efficiently verifying large-scale virtual infrastructures in cloud and NFV against network isolation policies. Our key idea is to proactively trigger the verification based on predicted events and their simulated impact upon the current state, such that we can have the best of both worlds, i.e., the efficiency of a proactive approach and the effectiveness of state-based verification. We implement and evaluate VMGuard based on OpenStack, and our experiments with both real and synthetic data demonstrate the performance and efficiency, e.g., less than five milliseconds to perform incremental verification on a dataset with more than 25,000 VMs and less than two milliseconds with the proactive module enabled.

Full abstract available in IEEE Xplore, DOI: 10.1109/TDSC.2020.3041430


Gagandeep Singh Chawla, Suryadipta Majumdar, Lingyu Wang, and Mourad Debbabi, Concordia University

Mengyuan Zhang, Yosr Jarraya, and Makan Pourzandi, Ericsson Research


Published in: IEEE Transactions on Dependable and Secure Computing, Volume: 18, Issue: 4, July-Aug. 1 2021.

© 2021 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other uses, in any current or future media, including reprinting/republishing this material for advertising or promotional purposes, creating new collective works, for resale or redistribution to servers or lists, or reuse.