SDN-based Dynamic Policy Specification and Enforcement for Provisioning SECaaS in Cloud

  • Uday Tupakula
  • Vijay Varadharajan
  • Kallol Karmakar
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10570)


In this paper we make use of SDN for provisioning Security as a Service (SECaaS) to tenants and for simplifying security management in the cloud. We have developed a Security Application (SA) for the SDN Controller that captures the tenants' security requirements and enforces the corresponding security policies to secure their virtual machines (VMs). We have developed a security policy specification language for enforcing TPM-, access-control- and intrusion-detection-related security policies through the SA. Finally, we present a prototype implementation of our approach and some performance results.


Keywords: SECaaS; Cloud security management; SDN; Policy control



Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  • Uday Tupakula (1)
  • Vijay Varadharajan (1)
  • Kallol Karmakar (1)
  1. Advanced Cyber Security Research Centre, The University of Newcastle, Callaghan, Australia