Thesis Chapters by Madhusanka Liyanage
To transform rigid and disparate legacy mobile networks into scalable and dynamic ecosystems, the software-defined mobile network (SDMN) architecture integrates software-defined networks, network functions virtualization, and cloud computing principles. However, because the SDMN architecture separates the control and data planes, it can introduce new security challenges.
Doctoral Dissertation, 2016
Ethernet based VPLS (Virtual Private LAN Service) is a transparent, protocol independent,
multipoint L2VPN (Layer 2 Virtual Private Network) mechanism to interconnect remote customer
sites over IP (Internet Protocol) or MPLS (Multiprotocol Label Switching) based provider
networks. VPLS networks are now becoming attractive in many Enterprise applications, such as
DCI (data center interconnect), voice over IP (VoIP) and videoconferencing services due to their
simple, protocol-independent and cost efficient operation. However, these new VPLS applications
demand additional requirements, such as elevated security, enhanced scalability, optimum
utilization of network resources and further reduction in operational costs. Hence, the motivation
of this thesis is to develop secure and scalable VPLS architectures for future communication
networks.
First, a scalable secure flat-VPLS architecture is proposed based on a Host Identity Protocol
(HIP). It contains a session key-based security mechanism and an efficient broadcast mechanism
that increase the forwarding and security plane scalability of VPLS networks. Second, a secure
hierarchical-VPLS architecture is proposed to achieve control plane scalability. A novel encrypted
label-based secure frame forwarding mechanism is designed to transport L2 frames over a
hierarchical VPLS network. Third, a novel Distributed Spanning Tree Protocol (DSTP) is
designed to maintain a loop free Ethernet network over a VPLS network. With DSTP it is
proposed to run a modified STP (Spanning Tree Protocol) instance in each remote segment of the
VPLS network. In addition, two Redundancy Identification Mechanisms (RIMs) termed Customer
Associated RIMs (CARIM) and Provider Associated RIMs (PARIM) are used to mitigate the
impact of invisible loops in the provider network.
Lastly, a novel SDN (Software Defined Networking) based VPLS (Soft-VPLS) architecture is
designed to overcome tunnel management limitations in legacy secure VPLS architectures.
Moreover, three new mechanisms are proposed to improve the performance of legacy tunnel
management functions: 1) A dynamic tunnel establishment mechanism, 2) a tunnel resumption
mechanism and 3) a fast transmission mechanism. The proposed architecture utilizes a centralized
controller to command VPLS tunnel establishment based on real-time network behavior.
Hence, the results of the thesis will support the design and development of more secure, scalable and
efficient VPLS networks. They will also help to optimize the utilization of network resources and to
further reduce the operational costs of future VPLS networks.
Papers by Madhusanka Liyanage
A Software-Defined Mobile Network (SDMN) architecture is proposed to enhance the performance, flexibility, and scalability of today's telecommunication networks. However, SDMN features such as centralized control, network programmability, and virtualization introduce new security challenges to telecommunication networks. In this article, we present security challenges related to SDMN communication channels (i.e., the control and data channels) and propose a novel secure communication channel architecture based on Host Identity Protocol (HIP). IPsec tunneling and security gateways are widely utilized in present-day mobile networks to secure backhaul communication channels. However, the utilization of legacy IPsec mechanisms in SDMNs is challenging due to limitations such as distributed control, lack of visibility, and limited scalability. The proposed architecture also utilizes IPsec tunnels to secure the SDMN communication channels while eliminating these limitations. We implement the proposed architecture in a testbed and analyze its security features. The performance penalty of the proposed security mechanisms is measured on both control and data channels.
Recent developments in Internet of Things (IoT) technologies have already had a major impact on the medical and health sector, so patient treatment can be performed more efficiently than with traditional methods. Secure identification is a key system requirement for patients to acquire these health related services. Fast and convenient identification is important in the case of critical, elderly or disabled patients who require frequent health services. In this paper, we present the concept of the Naked environment, where patients can get health services from the smart and intelligent surroundings of a hospital without using explicit gadgets. Patients interact directly with the environment and get identified through it. We propose a biometric based authentication scheme for the Naked hospital environment that also protects the patients' identity privacy. In addition, we show that this authentication scheme resists various well known attacks, such as insider attacks and replay attacks, and preserves identity privacy.
IEEE Security & Privacy, 2016
Proceeding of IEEE International Symposium on a World of Wireless, Mobile and Multimedia Networks 2014, 2014
Selecting an Access Point (AP) is an important task for a mobile wireless user to achieve the best possible quality of service. We consider AP selection as a game where players make choices selfishly and try to select the closest AP based on the Minimum Path-Loss (MPL) criterion.
Baltic Journal of Modern Computing, 2016
The next industrial revolution is foreseen to happen with the upcoming Industrial Internet, which combines massive data collected by industrial sensors with data analysis for improving the efficiency of operations. Collecting, pre-processing, storing and analyzing such real-time data is a complex task with stringent demands on communication intelligence, QoS and security. In this paper we outline some challenges facing the Industrial Internet, namely integration with 5G wireless networks, Software Defined Machines, and ownership and smart processing of digital sensor data. We propose a secure communication architecture for the Industrial Internet based on Smart Spaces and Virtual Private LAN Services. It is a position paper, describing the state of the art and a roadmap for future research on the Industrial Internet.
Madhusanka Liyanage is a project manager at the Centre for Wireless Communications, University of Oulu, Finland. His research interests are SDN, 5G, NFV, mobile networks, VPNs and network security. He received the B.Sc. (2009) degree in electronics and telecommunication engineering from the University of Moratuwa, Sri Lanka, the M.Eng. (2011) degree from the Technology) of PetrSU and as Leading Research Scientist. Dmitry Korzun serves on technical program committees and editorial boards of a number of international conferences and journals. His research interests include analysis and evaluation of distributed systems, discrete modeling, ubiquitous computing and smart spaces, Internet of Things, software engineering, algorithm design and complexity, linear Diophantine analysis and its applications, and the theory of formal languages and parsing. More than 150 research and educational works have been published since 1997.
2016 13th IEEE Annual Consumer Communications & Networking Conference (CCNC), 2016
Secure VPLS (Virtual Private LAN Services) networks are becoming attractive in many Enterprise applications. However, the tunnel establishment mechanisms of legacy VPLS architectures are static, complex and inflexible in nature. As a result, secure VPLS architectures suffer from limitations such as limited scalability, over-utilization of network resources, high tunnel establishment delay and high operational cost.
IEEE Security & Privacy, 2016
2016 IEEE International Conference on Communications Workshops (ICC), 2016
In this paper, we propose a secure intra-vehicular wireless communication architecture based on Host Identity Protocol (HIP). It ultimately improves the security of wireless intra-vehicular communication systems. The performance evaluation of the proposed architecture is performed in a ski tunnel which emulates a real underground transportation environment. Our results verify the feasibility of the proposed architecture, which provides the required level of service quality. It also outperforms the existing secure architectures. More importantly, the proposed architecture protects the wireless intra-vehicular communication system from IP based attacks.
for the continuous support for my studies at AIT, and the other faculty members in the department of Telecommunication, Asian Institute of Technology for supporting me in various ways.
Software-Defined Mobile Networks (SDMNs) are becoming popular as the next generation of telecommunication networks due to their enhanced performance, flexibility and scalability. In this paper, we study the new security challenges of the control channel of SDMNs and propose a novel secure control channel architecture based on Host Identity Protocol (HIP). IPsec tunneling and security gateways are widely used in today's mobile networks. The proposed architecture utilizes these technologies to protect the control channel of SDMNs. We implement the proposed architecture in a testbed and analyze its security features. Moreover, we measure the security performance penalty of the proposed architecture and analyze its ability to protect the control channel from various IP (Internet Protocol) based attacks.
2015 IEEE 10th International Conference on Industrial and Information Systems (ICIIS), 2015
Traditional Internet architecture allows a host and its location to be identified using only an Internet Protocol (IP) address. Host Identity Protocol (HIP) separates the dual role of IP addresses as locator and identifier and introduces a Host Identity (HI) name space based on a public key security infrastructure. This change allows applications to use HIs instead of IP addresses at the transport layer, hence offering secure host mobility and multihoming capabilities. This modification to the traditional Internet architecture raises concerns from both industry and researchers as to what extent it will affect the ideal performance of a network.
2015 IEEE 10th International Conference on Industrial and Information Systems (ICIIS), 2015
In this paper, we study the current and emerging security mechanisms to protect the LTE (Long Term Evolution) architecture. We also highlight the limitations of legacy LTE security mechanisms. SDN (Software Defined Networking) and NFV (Network Function Virtualization) are positioned as innovative concepts to improve the overall LTE security posture. This paper proposes enhancements to the legacy security mechanisms and introduces new security applications based on SDN and NFV technologies. The performance of the proposed SDN based LTE security architecture is analyzed with simulations.
Security and Communication Networks, 2016
In this paper, we propose two secure virtual private network architectures for the long-term evolution backhaul network. They are layer 3 Internet protocol (IP) security virtual private network architectures based on Internet key exchange version 2 mobility and multihoming protocol and host identity protocol. Both architectures satisfy a complete set of 3GPP backhaul security requirements such as authentication, authorization, payload encryption, privacy protection, and IP-based attack prevention. The security analysis and simulation results verify that the proposed architectures are capable of protecting long-term evolution backhaul traffic against various IP-based attacks.
2015 9th International Conference on Next Generation Mobile Applications, Services and Technologies, 2015
5G constitutes the next revolution in mobile communications. It is expected to deliver ultra-fast, ultra-reliable network access supporting a massive increase in data traffic and connected nodes. Different technologies are emerging to address the requirements of future mobile networks, such as Software Defined Networking (SDN), Network Function Virtualization (NFV) and cloud computing concepts. In this paper, we introduce the security challenges these new technologies are facing, inherent to the new telecommunication paradigm. We also present a multitier approach to securing Software Defined Mobile Networks (SDMNs) by tackling security at different levels to protect the network itself and its users. First, we secure the communication channels between network elements by leveraging Host Identity Protocol (HIP) and IPsec tunnelling. Then, we restrict unwanted access to the mobile backhaul network with policy based communications; this also protects the backhaul devices from source address spoofing and Denial of Service (DoS) attacks. Finally, we leverage Software Defined Monitoring (SDM) and data collection to detect, prevent and react to security threats.
2015 IEEE International Conference on Communication Workshop (ICCW), 2015
Virtual Private LAN Services (VPLS) is a widely utilized Layer 2 (L2) Virtual Private Network (VPN) architecture in industrial networks. In the last few years, VPLS networks have gained immense popularity as an ideal network architecture to interconnect industrial legacy SCADA (Supervisory Control and Data Acquisition) and process control devices over a shared network. However, legacy VPLS architectures are highly vulnerable to security threats initiated at the insecure shared network segment. Thus, secure VPLS architectures are becoming popular among industrial enterprises.
This book describes the concept of a Software Defined Mobile Network (SDMN), which will impact the network architecture of current LTE (3GPP) networks. SDN will also open up new opportunities for traffic, resource and mobility management, as well as impose new challenges on network security. Therefore, the book addresses the main affected areas such as traffic, resource and mobility management, virtualized traffic transportation, network management, network security and techno-economic concepts. Moreover, it gives a complete introduction to SDN and SDMN concepts. Furthermore, the reader will be introduced to cutting-edge knowledge in areas such as network virtualization, as well as SDN concepts relevant to next generation mobile networks. Finally, by the end of the book the reader will be familiar with the feasibility and opportunities of SDMN concepts, and will be able to evaluate the limits of performance and scalability of these new technologies while applying them to mobile broadband ne...