Enforcing Multilevel Security Policies in Unstable Networks

Quinn Burke, Fidan Mehmeti, Rahul George, Kyle Ostrowski, Trent Jaeger, Thomas F. La Porta, Patrick McDaniel

Research output: Contribution to journal › Article › peer-review

6 Scopus citations

Abstract

Multilevel security (MLS) systems control access to data by formalizing permissible and impermissible information flows between data sources and destinations (e.g., database servers and clients) that are assigned distinct security labels. In computer networks, MLS systems have been used to prevent unauthorized data disclosure in shared-infrastructure settings where network hosts and devices may fall within different trust domains (e.g., multi-tenant cloud networks or wireless mesh networks). However, current MLS systems assume static network behavior, which prevents the network from being practically usable in the presence of the dynamic events that are frequent in unstable network environments, including sudden changes in traffic patterns, link failures, and topology changes caused by device movement or intermittent device connectivity. In this paper, we introduce MLS-Enforcer, a software-defined networking (SDN) controller application that can efficiently deploy network-level MLS policies while retaining the ability to securely relabel network nodes under changing topology state and network traffic demands. We model network adaptivity as an integer linear programming problem that reflects a given security policy. We then introduce heuristic relabeling algorithms that achieve near-optimal performance and are more tractable and efficient for larger networks. We validate MLS-Enforcer on several network topologies and traffic loads, demonstrating that it can relabel the network to route 90%+ of flows under normal conditions and quickly converge (on the order of seconds for the heuristic algorithms) under changing needs, from small network structure changes to catastrophic failures. This shows that formally secured networks can feasibly be deployed in diverse, changing, and unpredictable environments.
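To make the abstract's setting concrete, the following is an added toy model (constructed for this page, not MLS-Enforcer's code and not the paper's ILP formulation or heuristics). Hosts carry fixed security labels drawn from a level/compartment lattice; switches have no inherent label and are relabeled by a simple greedy heuristic so that every admitted flow follows a path whose labels never decrease hop by hop, which rules out any write-down. The topology, host labels, flow demands and the failed link are all constructed values; the second run shows how a link failure changes the switch labeling while keeping every admitted route secure.

```python
"""Toy model of network-level MLS enforcement with switch relabeling.

Constructed example, not MLS-Enforcer's code. Hosts carry fixed labels; switches
are relabeled by a greedy heuristic so every admitted flow follows a path whose
labels are non-decreasing at each hop (no write-down anywhere on the path).
"""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Label:
    level: int
    compartments: frozenset

    def dominates(self, other):
        return self.level >= other.level and other.compartments <= self.compartments

    def join(self, other):
        """Least upper bound in the label lattice."""
        return Label(max(self.level, other.level), self.compartments | other.compartments)


BOTTOM = Label(0, frozenset())


def path_is_secure(path, labels):
    """A path is secure if each hop's label dominates the previous hop's label."""
    return all(labels[b].dominates(labels[a]) for a, b in zip(path, path[1:]))


def relabel(graph, host_labels, flows):
    """Greedy relabeling heuristic (an assumption of this example, not the paper's).

    Switch labels start at BOTTOM. Flows are tried in order; a flow is admitted if
    BFS finds a path on which every switch can be raised to join(current, src label)
    while staying monotone and dominated by the destination, and that raise leaves
    every previously admitted route secure. Returns (routes, switch_labels, denied).
    """
    labels = dict(host_labels)
    labels.update({n: BOTTOM for n in graph if n not in host_labels})
    routes, denied = {}, []
    for src, dst in flows:
        s_lab, d_lab = host_labels[src], host_labels[dst]

        def eff(n):  # label node n would carry if this flow transits it
            return labels[n] if n in host_labels else labels[n].join(s_lab)

        parent, queue = {src: None}, deque([src])
        while queue and dst not in parent:
            n = queue.popleft()
            for m in sorted(graph[n]):
                if m in parent or (m in host_labels and m != dst):
                    continue  # already reached, or would transit another host
                e = eff(m)
                if e.dominates(eff(n)) and d_lab.dominates(e):
                    parent[m] = n
                    queue.append(m)
        if dst not in parent:
            denied.append((src, dst))
            continue
        path = [dst]
        while parent[path[-1]] is not None:
            path.append(parent[path[-1]])
        path.reverse()
        trial = dict(labels)
        trial.update({n: eff(n) for n in path[1:-1]})
        if all(path_is_secure(p, trial) for p in list(routes.values()) + [path]):
            labels, routes[(src, dst)] = trial, path
        else:
            denied.append((src, dst))  # raising labels would break an earlier route
    switch_labels = {n: l for n, l in labels.items() if n not in host_labels}
    return routes, switch_labels, denied


def build_graph(edges):
    g = {}
    for a, b in edges:
        g.setdefault(a, set()).add(b)
        g.setdefault(b, set()).add(a)
    return g


# Constructed topology: four labeled hosts, three initially unlabeled switches.
HOSTS = {
    "h_low": Label(1, frozenset()),
    "h_mid": Label(2, frozenset({"A"})),
    "h_other": Label(2, frozenset({"B"})),
    "h_top": Label(3, frozenset({"A", "B"})),
}
EDGES = [("h_low", "s1"), ("s1", "s2"), ("s2", "h_top"), ("s1", "s3"), ("s3", "s2"),
         ("h_mid", "s2"), ("h_other", "s3"), ("s3", "h_top")]
FLOWS = [("h_low", "h_top"), ("h_mid", "h_top"), ("h_low", "h_mid"),
         ("h_other", "h_top"), ("h_top", "h_low")]  # the last one is a write-down


def run(failed_links=()):
    """Relabel from scratch on the topology minus the given failed links."""
    edges = [e for e in EDGES if e not in failed_links]
    return relabel(build_graph(edges), HOSTS, FLOWS)


if __name__ == "__main__":
    for failed in ((), (("s2", "h_top"),)):
        routes, switches, denied = run(failed)
        print(f"failed links: {list(failed)}  routed {len(routes)}/{len(FLOWS)}  denied: {denied}")
        for n, l in sorted(switches.items()):
            print(f"  {n}: level={l.level} compartments={sorted(l.compartments)}")
        for f, p in routes.items():
            print(f"  {f}: {' -> '.join(p)}")
```

Running the block routes four of the five constructed flows in both runs and always denies the write-down from `h_top` to `h_low`; after the `s2`–`h_top` link fails, `s3` is raised from level 2 with compartment B to level 2 with compartments A and B so it can carry three flows at once. The heuristic is order-dependent and gives up on a flow when its first BFS path would invalidate an earlier route, which is the kind of gap the paper's ILP formulation would close at higher cost.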

Original language: English (US)
Pages (from-to): 2349-2365
Number of pages: 17
Journal: IEEE Transactions on Network and Service Management
Volume: 19
Issue number: 3
DOIs
State: Published - Sep 1 2022

All Science Journal Classification (ASJC) codes

  • Computer Networks and Communications
  • Electrical and Electronic Engineering
