Analyzing SECURITY in MEC environments
(Multi-Access Edge COMPUTING)

CSCM10 PROJECT

Haopeng Wu
939188

Pardeep Kumar

Date: 10th May 2019

Abstract
Multi-access edge computing (MEC) is a new Internet concept, a new technology and a new computing architecture. It is a core technology of 5G that integrates network cloud, distributed network architecture, cloud services and other technologies. These cloud services include IaaS, PaaS, SaaS, etc. MEC builds on NFV [AWMHK13] and other computing architectures, combined with virtualization technology, to move networks and services to the edge. The technologies used in cloud computing also bring new security problems and challenges, and it is necessary to study them.
Introduction
Motivation
With the development of Internet technology and the arrival of the era of big data, the traditional wired and fixed Internet access model can no longer meet people's needs, and the growth of Internet application data and services has driven rising demand for data storage and processing. Cloud computing came first: a central server handles customers' requests and services. Under heavy traffic, however, centralized access causes network congestion and reduces QoE and QoS. In automatic vehicle control, for example, a centralized network facing a huge number of control instructions introduces high delay, which affects system operation and can even endanger users' lives. Low latency and rapid response have therefore become the new direction for networks. In recent years, the development of cloud-based infrastructure and of IoT devices, the data those devices generate and optimized network infrastructure have created an internal drive toward reliable interconnection. Edge cloud big data centers play a very important role in offline data analysis, but the performance requirements of many Internet and Internet of Things applications make real-time operation necessary [R16].
It is expected that by 2020 new types of businesses and applications will emerge continuously, bringing a 1000-fold increase in data traffic and more than 50 billion terminal device connections [EAM15]. To deal with the high network load, high bandwidth and low latency requirements that this rapid growth will bring, the MEC concept was put forward and has received wide attention [P14]. It first emerged in 2013, when IBM and Nokia Siemens Networks launched a computing platform that runs applications inside wireless base stations and provides services to mobile users. The European Telecommunications Standards Institute (ETSI) established the mobile edge computing specification working group in 2014 and officially announced that it would promote the standardization of mobile edge computing. The basic idea is to migrate the cloud computing platform from inside the mobile core network to the edge of the mobile access network, so that computing and storage resources can be used flexibly. In 2016, ETSI expanded the concept of MEC to Multi-Access Edge Computing, extending edge computing from telecommunications cellular networks to other wireless access networks (such as WiFi). At this point, MEC can be viewed as a task-specific cloud server running at the edge of a mobile network. The MEC proposed by ETSI is a technology that is based on the architecture of 5G evolution and deeply integrates the mobile access network and Internet services. On the one hand, MEC can improve user experience and save bandwidth resources; on the other hand, by sinking computing power to mobile edge nodes, MEC can provide third-party application integration and open up many possibilities for service innovation at the mobile edge. This project will be implemented soon and involves big data, cloud services, distributed cloud, network security, virtualization and other technologies.
In distributed cloud and cloud services, MEC can respond to user requests with minimal latency. In terms of network security, this project combines many challenges, such as user authentication, man-in-the-middle attacks [FWM09] and forged information logs, so its research can better promote the development of 5G. One of the most serious attacks to which multi-access edge computing systems are vulnerable is the compromise of insecure Internet protocols. If hackers have compromised your edge system, they are likely to be able to read and modify any data or network traffic transmitted through connected edge devices. The project focuses on the MEC architecture and security aspects of the smart home, such as how to authenticate the identity of people entering an intelligently monitored environment and how to prevent break-ins. The project also needs to implement specific security technologies. For example, how does the server in the edge cloud center control the security management of multiple subsystems and realize a reasonable and legitimate authentication process? Key technologies needed for the project include large-scale antenna arrays, multicarrier technology, full-duplex multiplexing, ultra-dense networks, software-defined networking (SDN) and network function virtualization (NFV). This project is necessary. Oracle was once a giant among Internet companies, but it was slow to accept concepts such as cloud computing and, later, edge computing; the company gradually ran into bottlenecks, and Oracle China cut 900 jobs as a consequence.
In summary, the objectives of this project are as follows: to achieve a communication process based on the MEC architecture; to combine technologies such as PLS and blockchain encryption on the basis of an understanding of conventional security schemes; and to achieve accurate authentication, encryption and decryption processes.
Background research
Tools and techniques
Cloud computing
In today's society, where computing tasks and demands have greatly increased, cloud computing handles different computing and task demands with a core central network or server [KSK17]. Cloud computing is based on operator services and public cloud, while fog computing is based on personal cloud, private cloud and enterprise cloud. The computing power of cloud computing is strong, because it is composed of clustered high-performance computing devices. Fog computing wins by volume. Building the cloud computing application service model lays a foundation for unified management: software resources, data resources and information services can be managed, and the service model, information processing and resource management can be optimized. These cloud services can be broadly classified as IaaS services, PaaS services, and SaaS services.
IaaS service
IaaS services follow the infrastructure-as-a-service model, which includes computing resources, computing power, and even basic resources such as electricity. IaaS collects hardware and servers into a resource pool to lay a good foundation for unified management, and then applies virtualization technology to it so that the operation of the management platform can be monitored.
PaaS service
PaaS services follow the platform-as-a-service pattern, which encapsulates many of the underlying operations in addition to services such as underlying computing resources. PaaS provides the software deployment platform (runtime), abstracts away the hardware and operating system details, and scales them seamlessly. Developers only need to focus on their own business logic, not on the underlying layers. Most database-related services are PaaS services, including MySQL, Oracle, etc.
SaaS service
SaaS refers to the software-as-a-service model. A SaaS service provides a complete set of services. Ordinary users need not be familiar with the software development process and can hand over all software development, management and deployment to a third party. The apps people use in daily life, such as Twitter and Facebook, are SaaS applications.
Fog computing and edge computing
The concept of fog computing was first proposed by Cisco. Following centralized cloud computing, the company deployed part of the service resources and processing equipment to the edge network, closer to the client, when delivering services. This allows users to get services faster. An intelligent transportation system built on fog computing, for example, can interact quickly and in real time with nearby smart devices to control traffic. If the system ran in cloud computing, the data uploaded by a huge number of intelligent traffic lights would cause severe network congestion, degrading the traffic light control system and possibly even causing a disaster. Compared with fog computing, edge computing does not define a specific layer for the whole edge network near the client; instead, more small servers are deployed near the client. This is similar to the cellular data architecture, which allows for faster processing and lower latency by moving the processing core closer to the user in a particular server.
SDN
SDN refers to the software-defined network. Compared with the traditional network architecture, SDN pays more attention to improving the utilization efficiency of the network. SDN divides the traditional tightly coupled network into three layers: the application layer, the control layer and the forwarding layer. The forwarding layer is closest to the traditional network device layer and includes routing devices. The control layer contains the network services provided by various network application service providers, encapsulated by SDN. SDN controls these services, and the control layer can be regarded as the interface to the application layer. The application layer encapsulates the company's APIs, which can be programmed to achieve a software-defined network, handing management over to users. The core technologies of SDN are OpenFlow and NFV; the former can be regarded as a new message format.
OpenFlow
This is a way to realize SDN. The architecture of this technology standardizes the forwarding plane and separates forwarding from control. This technology determines the programmable characteristics of SDN. The flow table is an abstraction of the forwarding function of network devices, and its entries include network configuration information at all levels of the network. Each entry consists of header fields, counters and actions. The secure channel connects network switching devices and remote controllers and is important for controlling the transfer of information. The OpenFlow protocol provides a standard open interface that makes communication between the SDN controller and the switch possible. Compared with the traditional communication process between network devices, SDN separates out the control part, so that network communication can be controlled and programmed and the utilization of the network maximized.
Virtualization technology
Virtualization refers to turning one computer into multiple logical computers through virtualization technology. Multiple logical computers run on one computer at the same time, each logical computer can run a different operating system, and applications run in independent spaces without affecting each other, which significantly improves the working efficiency of the computer. The VMM, the core software of virtualization, is a kind of middle-tier software running between the physical server and the operating system. Virtualization can be achieved in a variety of ways. By the object being virtualized, it is divided into software virtualization and hardware virtualization. Software virtualization uses computer software to virtualize and simulate tasks that would otherwise have to be carried out in a physical environment. Hardware virtualization means that when some part of the hardware resources is called, it is virtualized onto another part of the hardware resources, to help the software virtualize key hardware resources. By degree, it is divided into full virtualization and partial virtualization. The former means that the operating system of the entire host machine runs under the virtual machine, with a software layer, the hypervisor [TCFB96], added between the virtual machine and the hardware layer; the latter means that the virtual machine runs as a piece of software on the operating system.
NFV
NFV is network function virtualization, which builds many types of network devices into a data center network, forms VMs through virtualization technology, and then deploys business services to the VMs. Before NFV, dedicated devices were used to perform specific functions, but after the emergence of SDN, the control part was separated from the devices and run on virtual machines. When an enterprise needs to deploy new services, it only needs to deploy new virtual machines and install new functions. This process is called network function virtualization.
Raspberry Pi
This is a microcomputer motherboard based on ARM. It uses an SD/MicroSD card as its storage disk, and the board carries 1/2/4 USB interfaces and a 10/100 Ethernet interface for connecting a keyboard, mouse and network cable. It also has an analog video output interface and an HDMI high-definition TV video output interface. All of these parts are integrated on a motherboard only slightly bigger than a credit card. It has all the basic functions of a PC: connected to a TV and a keyboard, it can run spreadsheets, word processing, games, high-definition video and many other functions. It simulates many devices, which are compatible with many platforms.
Man in the middle Attack
SSL hijack attack
An SSL hijacking attack is an SSL certificate spoofing attack. To obtain the plaintext data transferred over HTTPS, the attacker first needs to place himself between the client and the target website. During transmission, the certificate of the server is forged and the public key of the server is replaced with the attacker's own public key. In this way, the man in the middle can obtain Key1, Key2 and the pre-master key in plaintext, and so steal the communication data of the client and the server.
On the client side, however, if the man in the middle forges the certificate, a certificate error is shown while the certificate is being verified, and the user chooses either to continue or to go back. Since most users do not have strong security awareness, they choose to continue. At that point, the man in the middle can obtain the communication data between the browser and the server.
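The click-through problem described above disappears when the client is a program that is never given a "continue" option. The following is an added example, not code from the project: it contrasts a strict TLS client context with the click-through equivalent, audits both, and adds a certificate pin check as an extra mitigation the page does not mention. The byte strings standing in for DER certificates are constructed placeholders.

```python
import hashlib
import hmac
import ssl


def strict_client_context() -> ssl.SSLContext:
    """Client context with no 'continue anyway' path for bad certificates."""
    ctx = ssl.create_default_context()       # trusts the system CA store
    ctx.check_hostname = True                # certificate must name the host
    ctx.verify_mode = ssl.CERT_REQUIRED      # chain must validate to a CA
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def click_through_context() -> ssl.SSLContext:
    """What 'continue despite the warning' amounts to in code (weak setting)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False               # has to be disabled first
    ctx.verify_mode = ssl.CERT_NONE          # a forged certificate is accepted
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return the reasons a context would accept a forged certificate."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain is not verified")
    if not ctx.check_hostname:
        findings.append("hostname is not checked")
    return findings


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate."""
    return hashlib.sha256(der_cert).hexdigest()


def pin_matches(der_cert: bytes, pinned_sha256_hex: str) -> bool:
    """Constant-time comparison of the presented certificate with the pin."""
    return hmac.compare_digest(fingerprint(der_cert).encode(),
                               pinned_sha256_hex.lower().encode())


# Constructed stand-ins for DER certificates. On a live connection the bytes
# come from SSLSocket.getpeercert(binary_form=True) after the handshake.
GENUINE_DER = b"constructed stand-in: genuine edge server certificate"
FORGED_DER = b"constructed stand-in: certificate with a replaced public key"
PINNED = fingerprint(GENUINE_DER)            # provisioned on the device

if __name__ == "__main__":
    print("strict :", audit_context(strict_client_context()))
    print("weak   :", audit_context(click_through_context()))
    print("genuine matches pin:", pin_matches(GENUINE_DER, PINNED))
    print("forged matches pin :", pin_matches(FORGED_DER, PINNED))
```

Because the forged certificate carries a different public key, its bytes and therefore its fingerprint differ from the pinned value, so the connection is refused even if the forged chain were somehow trusted.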
SSL stripping attack
This type of attack also requires the attacker to be positioned as the intermediary. The HTTPS scheme is then replaced with HTTP in what is returned to the browser, while HTTPS is kept between the intermediary and the server. Because HTTP is transmitted in clear text, the man in the middle can obtain the data transmitted by both client and server.
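The standard client-side mitigation for the HTTPS-to-HTTP downgrade described above is HTTP Strict Transport Security (RFC 6797), which the page does not cover. The following added example (not the project's code) is a small HSTS policy store that a client could use to refuse the downgrade; the host names are constructed and the class and function names are illustrative.

```python
import time
from urllib.parse import urlsplit, urlunsplit


def parse_hsts(value: str):
    """Parse a Strict-Transport-Security value.

    Returns (max_age, include_subdomains), or None if max-age is missing
    or malformed, in which case the header must be ignored.
    """
    max_age, include_sub = None, False
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name = name.strip().lower()          # directive names: case-insensitive
        if name == "max-age":
            arg = arg.strip().strip('"')     # value may be a quoted string
            if not (arg.isascii() and arg.isdigit()):
                return None
            max_age = int(arg)
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)


class HstsStore:
    def __init__(self, clock=time.time):
        self._clock = clock
        self._hosts = {}                     # host -> (expiry, include_subdomains)

    def note_header(self, host: str, value: str, over_tls: bool) -> None:
        # A header seen over plain HTTP is ignored: on that path the
        # intermediary controls every byte of the response.
        if not over_tls:
            return
        parsed = parse_hsts(value)
        if parsed is None:
            return
        max_age, include_sub = parsed
        if max_age == 0:                     # max-age=0 deletes the policy
            self._hosts.pop(host.lower(), None)
        else:
            self._hosts[host.lower()] = (self._clock() + max_age, include_sub)

    def is_known(self, host: str) -> bool:
        labels = host.lower().split(".")
        now = self._clock()
        for i in range(len(labels)):
            entry = self._hosts.get(".".join(labels[i:]))
            # An exact match always applies; a parent domain applies only
            # if it set includeSubDomains. Expired entries never apply.
            if entry and entry[0] > now and (i == 0 or entry[1]):
                return True
        return False

    def rewrite(self, url: str) -> str:
        """Upgrade http:// to https:// for hosts with a live HSTS policy."""
        parts = urlsplit(url)
        if (parts.scheme != "http" or not parts.hostname
                or not self.is_known(parts.hostname)):
            return url
        netloc = parts.hostname
        if parts.port not in (None, 80):     # port 80 maps to the https default
            netloc += f":{parts.port}"
        return urlunsplit(("https", netloc, parts.path,
                           parts.query, parts.fragment))
```

The first visit is still unprotected unless the policy is preloaded on the device, which is why an edge client should ship with its known hosts already in the store.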
Python & PyCharm
Python is a highly compatible programming language: an interpreted scripting language that is object-oriented and dynamically typed. PyCharm is a Python IDE that comes with a set of tools to help users become more productive when developing in Python, such as debugging, syntax highlighting, project management, code navigation, completion, unit testing, and version control.
Computation Offloading
Computation offloading [HPS15] [LRX13] refers to the technology by which terminal equipment transfers some or all of its computing tasks to the cloud computing environment, to overcome the shortcomings of mobile devices in terms of resource storage, computing performance and energy efficiency. Computation offloading technology mainly includes three aspects: the offloading decision, resource allocation and the implementation of the offloading system. The offloading decision mainly solves the problem of how the mobile terminal decides how to offload, how much to offload and what to offload. Resource allocation focuses on how to allocate resources after the terminal offloads. The implementation of the offloading system focuses on the implementation scheme used during mobile user migration.
Cloudlet
Cloudlet is a concept proposed by Carnegie Mellon University in 2013. Originating from the integration of mobile computing, IoT and cloud computing, Cloudlet represents the middle tier of the three-tier architecture of mobile device or IoT device, Cloudlet, and cloud, aiming to bring the cloud closer to users. Based on this, OEC gives the definition of edge computing: edge computing provides a small data center (edge node) near the user side to improve the user experience of computing and storage resources. Cloudlets have four major features: software-only deployment, computing/connectivity/security capabilities, proximity deployment, and construction on standards-based cloud technology.
Energy-aware server placement algorithm in multi-access edge computing
This algorithm is used to configure the optimal number of edge servers. Particle swarm optimization (PSO) and genetic selection algorithms are good options [YS18].
Literature review
In 2015, Luan et al. wrote a paper that briefly describes some of the security problems and challenges of fog computing. By analyzing the structure of fog computing, the paper raises the possibility of a man-in-the-middle attack at the point where fog computing devices are deployed. In the general process, after the information sent by the edge cloud arrives at the fog computing device, the man in the middle achieves the purpose of the attack by tampering with the information of the remote server. The network environment of this attack is a WLAN using the 802.11 b/g protocols. In the paper, the response time and memory consumption of the CPU were obtained through specific experiments to verify the existence of the man-in-the-middle attack, and schemes for authentication and authorization were then discussed. The focus of the paper is fog computing, but fog computing is not very different from edge computing.
Project description
The theme of this project is the security of multi-access edge computing. The project will first implement a multi-access edge computing model, taking the smart home as the reference: all of the family's IoT devices are attached to the same edge cloud, and the model lets most of the IoT devices communicate with each other. For example, when the gas sensor detects a high concentration of CO, control of the fan is completed directly on the edge cloud. The project then considers the security problems of the whole model: how to prevent common network security problems and achieve accurate authentication and authorization. In the process, common network attack models are used to simulate attacks and study security issues.
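The CO sensor and fan scenario above can be sketched with message authentication on the edge node, so that readings altered or replayed by a man in the middle are rejected before they can drive the fan. This is an added example, not the project's implementation: it assumes a pre-shared per-device key, HMAC-SHA256, a monotonic message counter and an alarm threshold of 50 ppm, none of which come from the page.

```python
import hashlib
import hmac
import json

CO_ALARM_PPM = 50  # assumed alarm threshold, not a value from the project


def sign_reading(key: bytes, device: str, counter: int, co_ppm) -> dict:
    """Sensor side: serialize the reading canonically and attach an HMAC tag."""
    payload = json.dumps({"device": device, "counter": counter, "co_ppm": co_ppm},
                         sort_keys=True, separators=(",", ":"))
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "tag": tag}


class EdgeNode:
    """Edge cloud side: authenticate readings, then decide the fan state."""

    def __init__(self, device_keys: dict):
        self._keys = dict(device_keys)   # device id -> pre-shared key
        self._last_counter = {}          # device id -> highest counter accepted
        self.fan_on = False

    def handle(self, message) -> str:
        try:
            payload = message["payload"].encode()
            tag = message["tag"].encode()
            body = json.loads(payload)
            device, counter, co_ppm = body["device"], body["counter"], body["co_ppm"]
        except (KeyError, TypeError, ValueError, AttributeError):
            return "rejected: malformed"
        if not (isinstance(device, str) and type(counter) is int
                and type(co_ppm) in (int, float)):
            return "rejected: malformed"
        key = self._keys.get(device)
        if key is None:
            return "rejected: unknown device"
        # Verify the tag over the exact bytes received, in constant time.
        expected = hmac.new(key, payload, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(expected, tag):
            return "rejected: bad tag"
        # A captured message that is sent again carries an old counter.
        if counter <= self._last_counter.get(device, -1):
            return "rejected: replay"
        self._last_counter[device] = counter
        self.fan_on = co_ppm >= CO_ALARM_PPM
        return "accepted"


def demo():
    key = b"constructed-demo-key"        # constructed sample key
    edge = EdgeNode({"co-sensor-1": key})
    genuine = sign_reading(key, "co-sensor-1", 1, 120)
    # Constructed tampering: the reading is lowered in transit, tag unchanged.
    tampered = dict(genuine, payload=genuine["payload"].replace("120", "5"))
    results = [edge.handle(tampered), edge.handle(genuine), edge.handle(genuine)]
    return results, edge.fan_on


if __name__ == "__main__":
    print(demo())
```

The counter has to be kept in persistent storage on both sides, otherwise a sensor reboot either locks the device out or reopens the replay window.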

Figure 1. Multi-access edge computing security
https://www.cisco.com/c/en/us/solutions/collateral/service-provider/ultra-services-platform/at-a-glance-c45-741450.html

Figure 2. MEC deployment across different enterprise networks
https://www.etsi.org/images/files/ETSIWhitePapers/etsi_wp30_MEC_Enterprise_FINAL.pdf
Documentation for Software Products
Functional requirements
1. Design a model that can fully demonstrate multi-access edge computing.
2. Discuss the security issues that may be encountered by previous models.
3. Implement a solution that can be used to solve a problem encountered.
Nonfunctional requirements
1. Establish a complete Python development environment and set up a Raspberry Pi development board.
2. Understand the architecture of multi-access edge computing.
Use case scenarios
1. In smart home, security involves many aspects. If you use a traditional network, the cloud center processes a huge amount of data. Multi-access edge computing provides faster, lower latency responses.
2. In public transportation, the security of multi-access edge computing determines the normal operation of public transportation.
Project Plan

Figure 3. Project Plan

Figure 4. Gantt Chart
Every software development process must include requirements analysis, which can cover both the requirements given by the project leader and the wider social requirements for the software. Requirements analysis done well leads to software that is more complete and meets its requirements.
The first part is the background study, which lasts 67 days. During this process, read as many relevant papers, patents and journal articles as possible. The topics of these papers can be multi-access edge computing, key 5G technologies, or network security.
The second part is the installation and configuration of the hardware, which lasts for 3 days. The goal of this process is mainly to configure the hardware, including the core Raspberry Pi development board and other hardware.
The third part is the installation of software, the core of which is Python's integrated development environment.
The fourth part is coding, which lasts 132 days and allows for continuous learning.
The fifth part is testing. Testing must wait until the initial part is complete, so it will not start until 2 months later.
The sixth part is uploading the code and evaluating the results.
Risk Analysis
1. There are not many studies on the security of multi-access edge computing, but there are many studies on the security of fog computing, so a lot of theoretical knowledge needs to be acquired by ourselves.
2. Virtualization technology takes up memory and computer resources, so how to simulate multi-access edge computing environment in a computer is a challenge.
3. How to do a complete test for this new technology project?
Software Life Cycle
The software developed in this project uses the latest technology, so the software cycle should be continuous. The software follows an iterative development model, because the complete process is conducive to summarizing errors and improving the software, and the acceptance process of this project concerns the result of the whole software.
Research Methodology
1. The development process of the whole software mostly conforms to the iterative development model. During development, unit tests are carried out step by step, because even within an iterative development model, unit testing helps find errors earlier.
2. The whole software needs a lot of case studies and background studies, because a lot of content needs to be obtained from other cases.
Conclusion
This paper mainly describes the project researching the security of multi-access edge computing. Starting from background research in papers and journals, it sets out a more detailed development plan and makes clear the goal of the project, the tools and environment needed to achieve it, and the overall risks of the project, so that the development of the software can be completed. This project involves many areas of knowledge, the core of which is NFV and SDN technology.
Bibliography
[AWMHK13] Basta, A., Kellerer, W., Hoffmann, M., Morper, H. J., & Hoffmann, K. (2014, August). Applying NFV and SDN to LTE mobile core gateways, the functions placement problem. In Proceedings of the 4th workshop on All things cellular: operations, applications, & challenges (pp. 33-38). ACM.
[R16] 5G Radio Access for Ultra Reliable and Low Latency Communications. [Online]. Available at: http://www.ericsson.com/research-blog/5g/5g-radio-access-for-ultrareliable-and-low-latency-communications/, last accessed 14/Mar/2016.
[EAM15] AHMED E, GANI A, SOOKHAK M, et al. Application optimization in mobile cloud computing: motivation, taxonomies, and open challenges[J]. Journal of Network and Computer Applications, 2015(52): 52-68.
[P14] PATEL M. Mobile-edge computing introductory technical white paper[R]. 2014.
[FWM09] Callegati, F., Cerroni, W., & Ramilli, M. (2009). Man-in-the-Middle Attack to the HTTPS Protocol. IEEE Security & Privacy, 7(1), 78-81.
[KSK17] Dolui, K., & Datta, S. K. (2017, June). Comparison of edge computing implementations: Fog computing, cloudlet and mobile edge computing. In 2017 Global Internet of Things Summit (GIoTS) (pp. 1-6). IEEE.
[TCFB96] Bressoud, T. C., & Schneider, F. B. (1996). Hypervisor-based fault tolerance. ACM Transactions on Computer Systems (TOCS), 14(1), 80-107.
[HPS15] FLORES H, HUI P, TARKOMA S, et al. Mobile code offloading: from concept to practice and beyond[J]. IEEE Communications Magazine, 2015, 53(3): 80-88.
[LRX13] JIAO L, FRIEDMAN R, FU X, et al. Cloud-based computation offloading for mobile devices: State of the art, challenges and opportunities[C]// Future Network and Mobile Summit. 2013: 1-11.
[YS18] Li, Y., & Wang, S. (2018, July). An Energy-Aware Edge Server Placement Algorithm in Mobile Edge Computing. In 2018 IEEE International Conference on Edge Computing (EDGE) (pp. 66-73). IEEE.
