Caught-in-Translation (CiT): Detecting Cross-level Inconsistency Attacks in Network Functions Virtualization (NFV)

Sudershan Lakshmanan, Mengyuan Zhang, Suryadipta Majumdar, Yosr Jarraya, Makan Pourzandi, Lingyu Wang

Research output: Contribution to Journal, Article, Academic, peer-review

Abstract

As one of the main technology pillars of 5G networks, Network Functions Virtualization (NFV) enables agile and cost-effective deployment of network services. However, the multi-level, multi-actor design of NFV may also allow for inconsistency between the different abstraction levels to be mistakenly or intentionally introduced, as shown in recent studies. Serious security issues, such as man-in-the-middle, network sniffing, and DoS, may arise at one abstraction level without being noticed by the victims at another level. Most existing solutions are either limited to one abstraction level of NFV or reliant on direct access to lower-level data which could become inaccessible when managed by different providers. In this paper, by drawing an analogy between cross-level NFV event sequences and natural languages, we propose a Neural Machine Translation-based approach, namely, Caught-in-Translation (CiT), to detect cross-level inconsistency attacks in NFV at runtime. Specifically, we first extract event sequences from different abstraction levels of an NFV stack. We then leverage Long Short-Term Memory (LSTM) to translate the event sequences from one level to another. Finally, we apply both a similarity metric and a Siamese neural network to compare the translated event sequences with the original ones to detect attacks. We integrate CiT into OpenStack/Tacker, a popular open-source NFV implementation, and evaluate its performance using both real and synthetic data. Experimental results show the benefit of leveraging NMT as CiT achieves AUC ≥ 96.03%, which significantly outperforms traditional SVM-based anomaly detection. We also evaluate CiT in terms of its efficiency, scalability, and robustness for detecting inconsistency attacks in NFV platforms.
Original language: English
Pages (from-to): 1-18
Journal: IEEE Transactions on Dependable and Secure Computing
Volume: 21
Issue number: 4
Publication status: Published - 2023
Externally published: Yes

Funding

This work was supported in part by the Natural Sciences and Engineering Research Council of Canada and Ericsson Canada under the Industrial Research Chair in SDN/NFV Security, and in part by the Canada Foundation for Innovation under JELF Project under Grant 38599.

Funders (funder number):
Natural Sciences and Engineering Research Council of Canada
Ericsson Canada
Foundation for Innovation (38599)
