A Network Function Virtualization Architecture for Automatic and Efficient Detection and Mitigation against Web Application Malware





Security, Malware, Network Function Virtualization, Software-Defined Networking


This paper proposes and implements a Network Function Virtualization (NFV) security architecture to provide automatic and efficient detection and mitigation against Web application malware. The mitigation is given by dynamically chaining a Virtual Security Function (VSF) to the data stream to block malicious exploitation traffic without affecting the benign traffic. We implement an NFV Security Controller (NFV-SC) that interacts with an Intrusion Detection System and a Web Application Firewall (WAF), both implemented as VSFs. We also implement a vulnerability scanner and a mechanism to automatically create rules in advance in the WAF-VSF when a security vulnerability is found in an application, even if no malicious traffic has attempted to exploit the flaw. In addition, it dynamically identifies and removes no longer used security rules to improve performance. We implement and evaluate our security proposal in the Open Platform for NFV (OPNFV). The evaluation results in our experimental scenarios show that the NFV security architecture automatically blocks 99.12% of the HTTP malicious traffic without affecting 93.6% of the benign HTTP requests. 
Finally, we show that the number of rules in the WAF-VSF severely affects the latency to load HTTP response headers and that the number of redirection OpenFlow rules within Open vSwitches is not enough to significantly impact the end-user experience in modern web browser applications.


Download data is not yet available.

Author Biography

Marcelo Rubinstein, PEL/DETEL-FEN, Universidade do Estado do Rio de Janeiro

PEL - Programa de Pós-Graduação em Engenharia Eletrônica


Abdelrahman, A. M., Rodrigues, J. J., Mahmoud, M. M., Saleem, K., Das, A. K., Korotaev, V., and Kozlov, S. A. (2021). Software-defined networking security for private data center networks and clouds: vulnerabilities, attacks, countermeasures, and solutions. International Journal of Communication Systems, 34(4). e4706. DOI: 10.1002/dac.4706.

An, D. (2018). Find out how you stack up to new industry benchmarks for mobile page speed. Avalable at: [link].

Andreoni Lopez, M., Mattos, D. M. F., Duarte, O. C. M. B., and Pujolle, G. (2019). A fast unsupervised preprocessing method for network monitoring. Annals of Telecommunications, 74(11-12):139–155. DOI: 10.1007/s12243-018-0663-2.

Ashodia, N. and Makadiya, K. (2022). Detection and mitigation of DDoS attack in software defined networking: A survey. In 2022 International Conference on Sustainable Computing and Data Communication Systems (ICSCDS), pages 1175-1180. IEEE. DOI: 10.1109/ICSCDS53736.2022.9760911.

CBS News (2019). Hundreds of millions of facebook user records were exposed on amazon cloud server. Available online [link].

Chou, T. (2013). Security threats on cloud computing vulnerabilities. International Journal of Computer Science & Information Technology, 5(3):79. DOI: 10.5121/ijcsit.2013.5306.

Deng, J., Hu, H., Li, H., Pan, Z., Wang, K.-C., Ahn, G.-J., Bi, J., and Park, Y. (2015). VNGuard: An NFV/SDN combination framework for provisioning and managing virtual firewalls. In IEEE Conference on Network Function Virtualization and Software Defined Network (NFV-SDN), pages 107-114. DOI: 10.1109/NFV-SDN.2015.7387414.

Dutta, A., Sood, K., Lu, W., et al. (2017). Network functions virtualisation (nfv) release 3; security; security management and monitoring specification. Technical report, ETSI. [link].

Fernandes, N., Moreira, M., Moraes, I., Ferraz, L., Couto, R., Carvalho, H., Campista, M., Costa, L., and Duarte, O. C. M. B. (2011). Virtual networks: Isolation, performance, and trends. Annals of Telecommunications, 40(1):339-355. DOI: 10.1007/s12243-010-0208-9.

FORBES (2015). Ashley madison hack data reveals interesting statistics. Available online [link].

Globo (2021a). huskyci - an open source tool that orchestrates security tests and centralizes all results into a database for further analysis and metrics. [link].

Globo (2021b). secdevlabs - a laboratory for learning secure web and mobile development in a practical manner. Available online [link].

Gupta, A. and Sharma, L. S. (2020). A categorical survey of state-of-the-art intrusion detection system-snort. Int. J. Inf. Comput. Secur., 13(3/4):337-356. DOI: 10.1504/IJICS.2020.109481.

Han, B., Gopalakrishnan, V., Ji, L., and Lee, S. (2015). Network function virtualization: Challenges and opportunities for innovations. IEEE Communications Magazine, 53(2):90-97. DOI: 10.1109/MCOM.2015.7045396.

Haugerud, H., Tran, H. N., Aitsaadi, N., and Yazidi, A. (2021). A dynamic and scalable parallel network intrusion detection system using intelligent rule ordering and network function virtualization. Future Generation Computer Systems, 124:254-267. DOI: 10.1016/j.future.2021.05.037.

Jiang, H., Xie, G., and Salamatian, K. (2013). Load balancing by ruleset partition for parallel IDS on multi-core processors. In International Conference on Computer Communications and Networks, ICCCN.

Lin, Y.-D., Lin, P.-C., Yeh, C.-H., Wang, Y.-C., and Lai, Y.-C. (2015). An extended SDN architecture for network function virtualization with a case study on intrusion prevention. IEEE Network, 29(3):48-53. DOI: 10.1109/MNET.2015.7113225.

Malwaretech (2017). Mapping mirai: A botnet case study. [link].

Martins, J., Ahmed, M., Raiciu, C., Olteanu, V., Honda, M., Bifulco, R., and Huici, F. (2014). Clickos and the art of network function virtualization. Available online [link].

Mauricio, L. A. F., Rubinstein, M. G., and Duarte, O. C. M. B. (2016). Proposing and evaluating the performance of a firewall implemented as a virtualized network function. In International Conference on the Network of the Future (NOF), pages 1-3. DOI: 10.1109/NOF.2016.7810127.

Mauricio, L. A. F., Rubinstein, M. G., and Duarte, O. C. M. B. (2018). Aclflow: An NFV/SDN security framework for provisioning and managing access control lists. In International Conference on the Network of the Future (NOF), pages 44-51. DOI: 10.1109/NOF.2018.8598136.

Midgley, J. T. J. (2020). Autobench: An http benchmarking suite. Available online [link].

Mijumbi, R., Serrat, J., Gorricho, J. L., Bouten, N., Turck, F. D., and Boutaba, R. (2016). Network function virtualization: State-of-the-art and research challenges. IEEE Communications Surveys Tutorials, 18(1):236-262. DOI: 10.1109/COMST.2015.2477041.

Mosberger, D. and Jin, T. (1998). Httperf — a tool for measuring web server performance. ACM SIGMETRICS Performance Evaluation Review, 26(3):31-37. DOI: 10.1145/306225.306235.

Mtibaa, A., Harras, K. A., and Alnuweiri, H. (2015). From botnets to mobibots: A novel malicious communication paradigm for mobile botnets. IEEE Communications Magazine, 53(8):61-67. DOI: 10.1109/MCOM.2015.7180509.

Netcraft (2019). January 2019 Web Server Survey. Available online [link].

OpenStack (2022). The most widely deployed open source cloud software in the world. Available online [link].

OPNFV (2021). Open platform for NFV. Available at: [link].

OWASP (2021). Owasp honeypot. [link].

OWASP (2021). Top 10 web application security risks. Available online [link].

Ponemon and Accenture (2017). 2017 cost of cyber crime study - insights on the security investments that make a difference. Technical report. [link].

Porras, P., Shin, S., Yegneswaran, V., Fong, M., Tyson, M., and Gu, G. (2012). A security enforcement kernel for openflow networks. In ACM SIGCOMM Workshop on Hot Topics in Software Defined Networking (HotSDN), pages 121-126. DOI: 10.1145/2342441.2342466.

Pourghassemi, B., Amiri Sani, A., and Chandramowlishwaran, A. (2019). What-if analysis of page load time in web browsers using causal profiling. Proc. ACM Meas. Anal. Comput. Syst., 3(2). DOI: 10.1145/3341617.3326142.

Repetto, M., Bruno, G., Yusupov, J., Lamanna, G., Ertl, B., and Carrega, A. (2022). Automating mitigation of amplification attacks in NFV services. IEEE Transactions on Network and Service Management. DOI: 10.1109/TNSM.2022.3172880.

Ristic, I. (2010). ModSecurity Handbook: The Complete Guide to the Popular Open Source Web Application Firewall. Feisty Duck. ISBN 978-1907117022.

Sanz, I. J., Mattos, D. M. F., and Duarte, O. C. M. B. (2018). Sfcperf: An automatic performance evaluation framework for service function chaining. In IEEE/IFIP Network Operations and Management Symposium (NOMS), pages 1-9. DOI: 10.1109/NOMS.2018.8406237.

Sommer, R. (2003). Bro: An open source network intrusion detection system. Available online [link].

The Guardian (2011). Playstation network hackers access data of 77 million users. Available online [link].

ur Rahman, H., Wang, G., Chen, J., and Jiang, H. (2018). Performance evaluation of hypervisors and the effect of virtual CPU on performance. In 2018 IEEE SmartWorld, Ubiquitous Intelligence & Computing, Advanced & Trusted Computing, Scalable Computing & Communications, Cloud & Big Data Computing, Internet of People and Smart City Innovation (SmartWorld/SCALCOM/UIC/ATC/CBDCom/IOP/SCI), pages 772-779. DOI: 10.1109/SmartWorld.2018.00146.

Varonis (2020). Inside out security - capital one's cloud breach & why data-centric security matters. Available online [link].

Wang, C., Urgaonkar, B., Nasiriani, N., and Kesidis, G. (2017). Using burstable instances in the public cloud: Why, when and how? Proc. ACM Meas. Anal. Comput. Syst., 1(1). DOI: 10.1145/3084448.

Williams, C. M., Chaturvedi, R., and Chakravarthy, K. (2020). Cybersecurity risks in a pandemic. J Med Internet Res, 22(9). e23692. DOI: 10.2196/23692.

Xing, T., Huang, D., Xu, L., Chung, C., and Khatkar, P. (2013). Snortflow: A openflow-based intrusion prevention system in cloud environment. In GENI Research and Educational Experiment Workshop, pages 89-92. DOI: 10.1109/GREE.2013.25.

Zanna, P., O'Neill, B., Radcliffe, P., Hosseini, S., and Hoque, M. S. U. (2014). Adaptive threat management through the integration of IDS into software defined networks. In International Conference on the Network of the Future (NOF) - Workshop on Smart Cloud Networks & Systems, pages 1-5. DOI: 10.1109/NOF.2014.7119792.

Zolotukhin, M., Kotilainen, P., and Hämäläinen, T. (2021). Intelligent IDS chaining for network attack mitigation in SDN. In 2021 17th International Conference on Mobility, Sensing and Networking (MSN), pages 786-791. IEEE. DOI: 10.1109/MSN53354.2021.00123.




How to Cite

Mauricio, L., & Rubinstein, M. (2023). A Network Function Virtualization Architecture for Automatic and Efficient Detection and Mitigation against Web Application Malware. Journal of Internet Services and Applications, 14(1), 10–20. https://doi.org/10.5753/jisa.2023.2847



Research article