967 results for ZTA, Zero Trust, Microsegmentation, Security, Scalability, Overlay network


Relevance: 100.00%

Abstract:

The growing number of attacks against computer systems and services calls for new cybersecurity strategies. This thesis considers one of the most modern approaches to this task, based on Zero Trust architectures, which de-perimeterize systems and aim to verify every attempt to access a resource regardless of whether the request originates locally or remotely. In this setting, the thesis proposes a new form of agent-based microsegmentation built on an overlay network, with the goal of improving the scalability and robustness of existing solutions, which to date have been set aside in favour of ease of configuration. An extensive series of tests shows that the described approach, applicable to many types of cloud systems, can guarantee, in addition to security, scalability as the number of participating nodes grows, robustness by avoiding single points of failure, and simplicity of configuration.

Relevance: 100.00%

Abstract:

Today more than ever, with the recent war in Ukraine and the increasing number of attacks that affect the systems of nations and companies every day, the world realizes that cybersecurity can no longer be considered just a “cost”. It must become a pillar of the infrastructures on which the security of our nations and the safety of people depend. Critical infrastructures, such as energy, financial services, and healthcare, have become targets of many cyberattacks from several criminal groups with growing resources and competencies, putting at risk the security and safety of companies and entire nations. This thesis investigates the state of the art regarding best practices for securing Industrial Control Systems (ICS). We study the differences between two security frameworks. The first is the Industrial Demilitarized Zone (I-DMZ), a perimeter-based security solution. The second is the Zero Trust Architecture (ZTA), which removes the concept of a perimeter to offer an entirely new approach to cybersecurity based on the slogan ‘Never trust, always verify’. Starting from this premise, the Zero Trust model embeds strict authentication, authorization, and monitoring controls for any access to any resource. We have defined two architectures according to the state of the art and the guidelines of cybersecurity experts in order to compare the I-DMZ and Zero Trust approaches to ICS security. The goal is to demonstrate how a Zero Trust approach dramatically reduces the possibility of an attacker penetrating the network or moving laterally to compromise the entire infrastructure. A third architecture has been defined based on Cloud and fog/edge computing technology. It shows how Cloud solutions can improve the security and reliability of infrastructure and production processes, which can benefit from a range of new functionalities that the Cloud can offer as-a-Service. We have implemented and tested our Zero Trust solution and its ability to block intrusions and attempted attacks.

Relevance: 100.00%

Abstract:

We present the idea of a programmable structured P2P architecture. Our proposed system allows the key-based routing infrastructure, which is common to all structured P2P overlays, to be shared by multiple applications. Furthermore, our architecture allows the dynamic and on-demand deployment of new applications and services on top of the shared routing layer.

Relevance: 100.00%

Abstract:

This work focuses on a legal analysis of the model of networked cooperation among the national authorities of the Member States within the framework of the Area of Freedom, Security and Justice (Spazio LSG), in order to assess its contribution, prospects and potential. The discussion is divided into two parts, preceded by a brief theoretical premise centred on the notion of a network and its legal significance. The first part reconstructs the process by which networked cooperation matured, highlighting both the contingent factors and the legal and structural factors underlying the 'networking' of the justice and security sectors. In particular, some critical observations are developed concerning the operation of the legal instruments that implement the principle of mutual recognition and of those that apply the principle of availability of information. The aim is to highlight the obstacles that frequently prevent cooperation procedures from succeeding, and to understand the potential and the critical issues arising from the use of networks in the concrete application of such procedures. The second part focuses on an analysis of the main networks active in the field of justice and security, with particular attention to their respective operating mechanisms. The discussion is divided into two distinct sections, concentrating on a) networks that support the application of judicial assistance procedures and mutual recognition instruments, and b) networks that operate in the field of information cooperation and facilitate the exchange of operational and technical information in crime prevention and law enforcement actions, especially in the protection of the lawful economy.
The discussion concludes by reconstructing the characteristics of a European network model and the role it plays with respect to the exercise of the European Union's competences in the field of justice and security.

Relevance: 100.00%

Abstract:

This thesis aims to analyse some critical aspects of security in the cloud setting, in particular the problems related to privacy, from the terms of use to the security of more or less sensitive personal data. The exponential growth of data stored in cloud storage systems (e.g. Dropbox, Amazon S3) makes the sensitivity of that data a far from trivial issue, also because of unclear data-usage policies, both regarding the transfer of data to third-party companies and regarding legal liability. This thesis seeks to examine the most worrying shortcomings of these systems in depth. Besides analysing the main critical issues and weak points of cloud services, the goal of this work is to clarify the steps and infrastructures that some companies (e.g. Amazon) have implemented to move closer to the idea of 'safeness' in the cloud. Finally, the last objective is to identify criteria for assessing/measuring the degree of trust that a user can place in this context, distinguishing different criteria for different classes of users. The thesis is structured in 4 chapters: the first provides a taxonomy of the problems present in cloud systems, and also presents some events from recent history in which these problems surfaced. The second chapter covers the 'safeness' strategies adopted by some companies in the cloud setting, and presents some possible solutions from an architectural point of view; it will be seen that the user's role is of the utmost importance. The third chapter focuses on the search for tools and evaluation methods that a user, or group of users, can apply to these systems. Finally, the fourth chapter contains some concluding remarks on the work carried out and on possible future developments of this thesis.

Relevance: 100.00%

Abstract:

Greedy routing can be used in mobile ad-hoc networks as geographic routing protocol. This paper proposes to use greedy routing also in overlay networks by positioning overlay nodes into a multi-dimensional Euclidean space. Greedy routing can only be applied when a routing decision makes progress towards the final destination. Our proposed overlay network is built such that there will be always progress at each forwarding node. This is achieved by constructing at each node a so-called nearest neighbor convex set (NNCS). NNCSs can be used for various applications such as multicast routing, service discovery and Quality-of-Service routing. NNCS has been compared with Pastry, another topology-aware overlay network. NNCS has superior relative path stretches indicating the optimality of a path.

Relevance: 100.00%

Abstract:

Intra-session network coding has been shown to offer significant gains in terms of achievable throughput and delay in settings where one source multicasts data to several clients. In this paper, we consider a more general scenario where multiple sources transmit data to sets of clients over a wireline overlay network. We propose a novel framework for efficient rate allocation in networks where intermediate network nodes have the opportunity to combine packets from different sources using randomized network coding. We formulate the problem as the minimization of the average decoding delay in the client population and solve it with a gradient-based stochastic algorithm. Our optimized inter-session network coding solution is evaluated in different network topologies and is compared with basic intra-session network coding solutions. Our results show the benefits of proper coding decisions and effective rate allocation for lowering the decoding delay when the network is used by concurrent multicast sessions.

Relevance: 100.00%

Abstract:

In free viewpoint applications, the images are captured by an array of cameras that acquire a scene of interest from different perspectives. Any intermediate viewpoint not included in the camera array can be virtually synthesized by the decoder, at a quality that depends on the distance between the virtual view and the camera views available at the decoder. Hence, it is beneficial for any user to receive camera views that are close to each other for synthesis. This is however not always feasible in bandwidth-limited overlay networks, where every node may ask for different camera views. In this work, we propose an optimized delivery strategy for free viewpoint streaming over overlay networks. We introduce the concept of layered quality-of-experience (QoE), which describes the level of interactivity offered to clients. Based on these levels of QoE, camera views are organized into layered subsets. These subsets are then delivered to clients through a prioritized network coding streaming scheme, which accommodates network and client heterogeneity and effectively exploits the resources of the overlay network. Simulation results show that, in a scenario with limited bandwidth or channel reliability, the proposed method outperforms baseline network coding approaches, where the different levels of QoE are not taken into account in the delivery strategy optimization.

Relevance: 100.00%

Abstract:

Social network sites (SNS), such as Facebook, Google+ and Twitter, have attracted hundreds of millions of users daily since their appearance. Within SNS, users connect to each other, express their identity, disseminate information and form cooperation by interacting with their connected peers. The increasing popularity and ubiquity of SNS usage and the invaluable user behaviors and connections give birth to many applications and business models. We look into several important problems within the social network ecosystem. The first one is the SNS advertisement allocation problem. The other two are related to trust mechanisms design in social network setting, including local trust inference and global trust evaluation. In SNS advertising, we study the problem of advertisement allocation from the ad platform's angle, and discuss its differences with the advertising model in the search engine setting. By leveraging the connection between social networks and hyperbolic geometry, we propose to solve the problem via approximation using hyperbolic embedding and convex optimization. A hyperbolic embedding method, \hcm, is designed for the SNS ad allocation problem, and several components are introduced to realize the optimization formulation. We show the advantages of our new approach in solving the problem compared to the baseline integer programming (IP) formulation. In studying the problem of trust mechanisms in social networks, we consider the existence of distrust (i.e. negative trust) relationships, and differentiate between the concept of local trust and global trust in social network setting. In the problem of local trust inference, we propose a 2-D trust model. Based on the model, we develop a semiring-based trust inference framework. In global trust evaluation, we consider a general setting with conflicting opinions, and propose a consensus-based approach to solve the complex problem in signed trust networks.

Relevance: 100.00%

Abstract:

This PhD thesis addresses the issue of scalable media streaming in large-scale networking environments. Multimedia streaming is one of the largest sinks of network resources, and this trend is still growing, as testified by the success of services like Skype, Netflix, Spotify and Popcorn Time (BitTorrent-based). In traditional client-server solutions, when the number of consumers increases, the server becomes the bottleneck. To overcome this problem, the Content-Delivery Network (CDN) model was invented. In the CDN model, the server copies the media content to CDN servers located at strategic points in the network. However, CDNs require heavy infrastructure investment around the world, which is too expensive. Peer-to-peer (P2P) solutions are another way to achieve the same result. These solutions are naturally scalable, since each peer can act as both a receiver and a forwarder. Most of the proposed streaming solutions in P2P networks focus on routing scenarios to achieve scalability. However, these solutions cannot work properly in video-on-demand (VoD) streaming when the resources of the media server are not sufficient. Replication is a solution that can be used in these situations. This thesis specifically provides a family of replication-based media streaming protocols that are scalable, efficient and reliable in P2P networks. First, it provides SCALESTREAM, a replication-based streaming protocol that adaptively replicates media content on different peers to increase the number of consumers that can be served in parallel. The adaptiveness of this solution relies on the fact that it takes into account constraints such as the bandwidth capacity of peers to decide when to add or remove replicas. SCALESTREAM routes media blocks to consumers over a tree topology, assuming a reliable network composed of peers that are homogeneous in terms of bandwidth.
Second, this thesis proposes RESTREAM, an extended version of SCALESTREAM that addresses the issues raised by unreliable networks composed of heterogeneous peers. Third, this thesis proposes EAGLEMACAW, a multiple-tree replication streaming protocol in which two distinct trees, named EAGLETREE and MACAWTREE, are built in a decentralized manner on top of an underlying mesh network. These two trees collaborate to serve consumers in an efficient and reliable manner: the EAGLETREE is in charge of improving efficiency, while the MACAWTREE guarantees reliability. Finally, this thesis provides TURBOSTREAM, a hybrid replication-based streaming protocol in which a tree overlay is built on top of a mesh overlay network. Both overlays cover all peers of the system and collaborate to improve efficiency and reduce latency when streaming media to consumers. This protocol is implemented and tested in a real networking environment using the PlanetLab Europe testbed, composed of peers distributed across Europe.

Relevance: 100.00%

Abstract:

This paper presents a DHT-based grid resource indexing and discovery (DGRID) approach. With DGRID, resource-information data is stored within its own administrative domain, and each domain, represented by an index server, is virtualized into several nodes (virtual servers) according to the number of resource types it has. All nodes are then arranged as a structured overlay network, or distributed hash table (DHT). Compared to existing grid resource indexing and discovery schemes, the benefits of DGRID include improving the security of domains, increasing the availability of data, and eliminating stale data.

Relevance: 100.00%

Abstract:

The concept of effectiveness in inter-organizational networks has been little researched despite its great importance for the development and sustainability of the network. It is very important to understand this concept because, when we speak of a network, we mean a group of more than three organizations that work together to achieve a collective objective that benefits every member of the network. This shows the importance of evaluating and analysing the phenomenon of the 'inter-organizational network' in more detail, in order to analyse which structure, forms of governance, relationships among members and other factors influence the effectiveness and durability of the inter-organizational network. This research is carried out with the aim of proposing an approach to the concept of measuring effectiveness in inter-organizational networks. The work focuses on collecting information and on documentary research, carried out in phases to give the reader greater clarity and understanding of what a network, an inter-organizational network and effectiveness are. Finally, effectiveness in an inter-organizational network is studied.

Relevance: 100.00%

Abstract:

Locality to other nodes on a peer-to-peer overlay network can be established by means of a set of landmarks shared among the participating nodes. Each node independently collects a set of latency measures to landmark nodes, which are used as a multi-dimensional feature vector. Each peer node uses the feature vector to generate a unique scalar index which is correlated to its topological locality. A popular dimensionality reduction technique is the space filling Hilbert’s curve, as it possesses good locality preserving properties. However, there exists little comparison between Hilbert’s curve and other techniques for dimensionality reduction. This work carries out a quantitative analysis of their properties. Linear and non-linear techniques for scaling the landmark vectors to a single dimension are investigated. Hilbert’s curve, Sammon’s mapping and Principal Component Analysis have been used to generate a 1d space with locality preserving properties. This work provides empirical evidence to support the use of Hilbert’s curve in the context of locality preservation when generating peer identifiers by means of landmark vector analysis. A comparative analysis is carried out with an artificial 2d network model and with a realistic network topology model with a typical power-law distribution of node connectivity in the Internet. Nearest neighbour analysis confirms Hilbert’s curve to be very effective in both artificial and realistic network topologies. Nevertheless, the results in the realistic network model show that there is scope for improvements and better techniques to preserve locality information are required.

Relevance: 100.00%

Abstract:

Internet applications such as media streaming, collaborative computing and massively multiplayer games are on the rise. This leads to the need for multicast communication, but unfortunately group communication support based on IP multicast has not been widely adopted, due to a combination of technical and non-technical problems. Therefore, a number of different application-layer multicast schemes have been proposed in the recent literature to overcome these drawbacks. In addition, these applications often behave as both providers and clients of services, being called peer-to-peer applications, and their participants come and go very dynamically. Thus, server-centric architectures for membership management have well-known problems related to scalability and fault-tolerance, and even traditional peer-to-peer solutions need some mechanism that takes into account the members' volatility. The idea of location awareness distributes the participants in the overlay network according to their proximity in the underlying network, allowing better performance. Given this context, this thesis proposes an application-layer multicast protocol, called LAALM, which takes the actual network topology into account when assembling the overlay network. The membership algorithm uses a new metric, IPXY, to provide location awareness through the processing of local information, and it was implemented using a distributed, shared and bi-directional tree. The algorithm also has a sub-optimal heuristic to minimize the cost of the membership process. The protocol has been evaluated in two ways. First, through a simulator developed in this work, where we evaluated the quality of the distribution tree by metrics such as out-degree and path length. Second, real-life scenarios were built in the ns-3 network simulator, where we evaluated the network protocol performance by metrics such as stress, stretch, time to first packet and group reconfiguration time.