IEEE INTERNET OF THINGS JOURNAL, VOL. 6, NO.

5, OCTOBER 2019 8005

Security Management Architecture for

NFV/SDN-Aware IoT Systems
Alejandro Molina Zarca, Jorge Bernal Bernabe , Ruben Trapero, Diego Rivera, Jesus Villalobos,
Antonio Skarmeta , Stefano Bianchi, Anastasios Zafeiropoulos, and Panagiotis Gouvas

Abstract—The Internet of Things (IoT) brings a multidisci-
plinary revolution in several application areas. However, security
and privacy concerns are undermining a reliable and resilient
broad-scale deployment of IoT-enabled critical infrastructures
(IoT-CIs). To fill this gap, this paper proposes a comprehensive
architectural design that captures the main security and privacy
challenges related to cyber-physical systems and IoT-CIs. The
architecture is devised to empower IoT systems and networks to
make autonomous security decisions through the usage of novel
technologies such as software defined networking and network
function virtualization, as well as endowing them with intelligent
and dynamic security reaction capabilities by relying on monitor-
ing methodologies and cyber-situational tools. The architecture
has been successfully implemented and evaluated in the scope of
ANASTACIA H2020 EU research project.
Index Terms—Architecture, cyber-security, Internet of Things
(IoT), software defined networking and network function virtu-
alization (SDN/NFV).
I. I NTRODUCTION
HE INTERNET of Things (IoT) [1] is changing the
T industrial landscape by leveraging network capabilities
of heterogeneous, pervasive, and autonomous smart-objects.
IoT promotes a distributed global network with billions of
devices interacting using machine-to-machine (M2M) com-
munications, which facilitates the creation of innovative smart
services and applications.
However, the constrained nature of IoT devices and
networks as well as their distributed and pervasive conditions,
Manuscript received October 12, 2018; revised January 25, 2019; accepted
February 28, 2019. Date of publication March 11, 2019; date of current ver-
sion October 8, 2019. This research was supported in part by the H2020
EU project ANASTACIA, Grant Agreement N 731558 and in part by a
postdoctoral INCIBE grant within the “Ayudas para la Excelencia de los
Equipos de Investigacíon Avanzada en Ciberseguridad” Program, with code
INCIBEI-2015-27363. (Corresponding author: Jorge Bernal Bernabe.)
A. Molina Zarca, J. B. Bernabe, and A. Skarmeta are with the Department
of Information and Communications Engineering, University of Murcia,
30003 Murcia, Spain (e-mail: [email protected]; [email protected]; the security of IoT networks to the network edge. In this
[email protected]).
R. Trapero and J. Villalobos are with the Cybersecurity Laboratory,
ATOS Research and Innovation, 28037 Madrid, Spain (e-mail:
[email protected]; [email protected]). IoT scenarios.
D. Rivera is with the R&D Department, Montimage, 75013 Paris, France
(e-mail: [email protected]).
S. Bianchi is with the Research & Innovation Department, Softeco Sismat
Srl, Genoa, Italy (e-mail: [email protected]). ment by exploiting SDN and NFV features in dedicated
A. Zafeiropoulos and P. Gouvas are with the R&D Department,
UBITECH, 15231 Athens, Greece (e-mail: azafeiropoulos@
ubitech.eu; [email protected]).
Digital Object Identifier 10.1109/JIOT.2019.2904123
2327-4662 c 2019 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission.
See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
Authorized licensed use limited to: NATIONAL INSTITUTE OF TECHNOLOGY WARANGAL. Downloaded on August 26,2024 at 12:26:22 UTC from IEEE Xplore. Restrictions apply.
makes the IoT subject to new kind of vulnerabilities and cyber-
threats. Traditional network protocols and security solutions
are not suitable for IoT, as they do not cope with unforeseen
interoperability and adaptability problems and do not meet the
dynamic needs, responsiveness, and lightness required in IoT.
The lack of automatized software updates, vendor support
as well as user’s misconfigurations make the IoT prone to
new kind of cyber-attacks. These problems and their conse-
quences are aggravated in IoT-enabled critical infrastructures
(IoT-CIs), like energy systems in smart buildings. In this con-
text, there is a need of advanced and adaptive mechanisms able
to ensure dynamically the proper security levels in the IoT
systems and providing system resiliency through self-healing
and self-repair capabilities, thereby countering cyber-attacks
and mitigate cyber-threats whenever occur in the managed IoT
network.
In this sense, contextual and monitoring information
obtained from the surrounded IoT environments can be used
as baseline for data analysis detect anomalous behaviors, and
in turn, infer smart control and management decisions through
different actuators, agents, and controllers deployed either at
the edge or in the core of the IoT network. Indeed, this contex-
tual and real-time monitoring can be also applicable to deal
with diverse kind of cyber-threats and IoT attacks, thereby
countering them by adapting the security policies and enforced
configurations of the managed IoT system according to the
context [2].
Software-defined networking (SDN) brings forward new
network capabilities by decoupling the control and data planes,
which can introduce novel security defense mechanisms in
IoT such as managing malicious traffic or IoT devices iso-
lation. Likewise, network function virtualization (NFV) can
exploit virtualization to provide on-demand, dynamic, flex-
ible, scalable, and elastic orchestration and deployment of
virtual appliances. NFV can enable the autonomous manage-
ment of virtual network security functions that can off-load
sense, Yu et al. [3] introduced virtualized versions of secu-
rity hardware, e.g., firewalls, DPIs, as well as support mobile
Some researches are starting to define architectures aimed
to deal with cyber-situational network and system manage-
scenarios-environments, such as 5G network management [4]
or cloud/fog computing [5] applications. However, unlike our
proposed architecture, those ones have not been tailored for
 8006
dealing with the security and privacy in SDN/NFV-enabled
IoT and critical cyber-physical systems (CPSs) scenarios.
This paper presents an architecture aimed to deal with the
security management of SDN/NFV-enabled IoT scenarios. The
architecture has been already implemented and evaluated in
critical infrastructures (CI) deployed in smart buildings, com-
ing up with a policy-based cyber-situational security frame-
work that has demonstrated its benefits to adapt dynamically
the enforced security mechanisms of IoT networks. The auto-
matic reaction against IoT threats and attacks is done through
special purpose IoT agents, SDN and IoT controllers as well as
NFV-based virtual security appliances, which enforce reaction
countermeasures needed to mitigate cyber-attacks and dynam-
ically adapt the system according to the context obtained
and analyzed by the integrated monitoring tools and security
information and event management (SIEM) system.
The rest of this paper is structured as follows. Section II
studies the current state-of-the-art in this research field.
Section III delves into the main IoT attacks/threats as well
as detection and reaction mechanisms proposed. Section IV
details the proposed architecture whereas Section V describes
its main architectural processes. Section VI is devoted to the
implementation of the proposed architecture, which is eval-
uated in Section VII. Finally, Section VIII concludes this
paper.
II. R ELATED W ORK
SDN is starting to be exploited as mechanism to han-
dle security threats [6], as it provides numerous advantages
such as dynamic flow control, IoT traffic, and devices isola-
tion, network monitoring to identify attacks (e.g., botnets) and
flexibility to support deployment of virtual network security
functions.
In this sense, Rawat and Reddy [7] proposed diverse secu-
rity threats and attacks and how they can be mitigated using
proper countermeasures based on SDN. An SDN architecture
to strengthen the IoT is presented by Chakrabarty et al. [8].
It aims to protect IoT communications by relying on the SDN
centralized controller delivering secure routing and enhancing
system management. Bull et al. [9] used IoT traffic monitored
from SDN gateway, for detecting misbehavior in the network
and reacting accordingly, either by blocking or forwarding
the traffic. Flauzac et al. [10] delivered an SDN security
solution for IoT wireless networks, that is intended to avoid
compromising a security domain by deploying security rules
throughout different security controllers. Choi and Kwak [11]
described software-defined security framework for IoT that
allows delivery of security appliances, e.g., access control or
channel protection, however, they do not exploit NFV.
On the other side, NFV can realize the security as a service
paradigm [12], abstracting security software from hardware, to
achieve performance improvement on virtual network security
functions. Lightweight virtualization enables deployment of
virtual network functions (VNFs) at the edge of IoT networks.
For instance, Al-Kaseem and Al-Raweshidyhamed [13] pro-
vided a solution based on SDN, NFV, and cloud computing
that can enhance network management in 6LoWPAN IoT
Authorized licensed use limited to: NATIONAL INSTITUTE OF TECHNOLOGY WARANGAL. Downloaded on August 26,2024 at 12:26:22 UTC from IEEE Xplore. Restrictions apply.
IEEE INTERNET OF THINGS JOURNAL, VOL. 6, NO. 5, OCTOBER 2019
networks. Yu et al. [3] presented IoTSec, an IoT security archi-
tecture that allows delivering micro-middleboxes, instantiated
on demand over lightweight IoT systems. NFV enables scaling
up/down security VNFs at the edge of the network, such as, for
instance, vFirewalls and vIDS, according to the network and
system status. SDN can be used along with NFV to steering
the traffic toward VNFs, optimizing the chaining of virtualized
middleboxes and enhancing resource utilization.
Yang and Fung [14] detailed the challenges, opportunities
as well as security issues in NFV. Similarly, other recent sur-
veys [15], [16] recap the main benefits of adopting SDN and
NFV to increase security in IoT networks.
The aforementioned research works, unlike ours, do not pro-
vide a holistic cyber-security framework that relies on SDN
and NFV in order to enhance IoT security. The framework is
able to dynamically detect cyber-security incidents and react
according to the actual status of IoT networks, systems and
deployed security policies.
Regarding policy-based frameworks, Shankar et al. [17]
proposed a framework which relies on an extended model
of event-condition-action policies in order to include post
conditions to verify the successful completion of pol-
icy actions. Rensing et al. [18] provided a policy-based
architecture and framework specific for AAA services.
Hadjiantonis et al. [19] adopted a policy-based network man-
agement together with context awareness for mobile ad hoc
networks and Shaw et al. [20] provided a policy-based frame-
work management for securely deployment and configuring
components which processes network traffic.
A first overview of ANASTACIA was presented at
the beginning of the project in [21], which outlined the
main objectives, challenges, and foundations of the project.
Similarly, a first insight about how SDN/NFV-based can be
exploited to provide security features over IoT scenarios
was presented in [22]. The ANASTACIA policy enforce-
ment mechanism was recently detailed by Zarca et al. [23].
However, unlike in the research described herein, those
previous publications did not present the whole final archi-
tecture and did not deal with the entire autonomic loop for
self-protection and self-healing of the IoT managed system.
Moreover, the monitoring, detection, and the reaction policies
to counter cyber-attacks were not addressed neither evaluated.
III. S ECURITY H ANDLING IN NFV/SDN-E NABLED
I OT S CENARIOS
This section gives an overview of the main threats and
vulnerabilities in IoT, enlightening how our proposed frame-
work detects, and reacts against those threats/attacks by using
NFV/SDN-based security enablers. Table I summarizes those
concepts.
IoT attacks can be split in two main categories: 1) active
where malicious attacker alters or injects messages to exploit
vulnerabilities and 2) passive where the attacker interacts
actively within the network.
Regarding active attacks, it is work mentioning the replay
attack (retransmission of previous victim’s packets) that aims
to perform a disservice or enable other more advanced attacks
 MOLINA ZARCA et al.: SECURITY MANAGEMENT ARCHITECTURE FOR NFV/SDN-AWARE IoT SYSTEMS
TABLE I
M AIN I OT T HREATS /ATTACKS AND O UR S UGGESTED P OTENTIAL D ETECTION AND R EACTION M ECHANISMS BASED ON NFV-SDN
such as masquerading attacks or impersonation, which in turn,
aims to get victims’ data and/or replicate nodes. In a tamper-
ing attack, the attacker node makes an unauthorized/malicious
action against the IoT device. In our framework, these kinds
of attacks can be detected by the AAA system and analyzing
the logs, the applicable countermeasure might perform device
flashing or its network isolation. vAAA and special agents
can be dynamically deployed in the edge of the IoT network
to facilitate authentication, authorization and key management
redistribution.
IoT devices infected with malware, e.g., worms, trojans, and
ransomware can be detected through vulnerability assessment
and the countermeasures. When it comes to the protection of
the rest of the IoT system/network, it lies on measures such
as updating the firmware, isolate device, and block connection
attempts.
Zero-day vulnerabilities refer to exploitation of software
vulnerabilities not seen before in the network. They are
extremely difficult to detect and mitigate. Our proposed frame-
work covers the detection and handling of this kind of attacks
by means of artificial intelligence-based (AI) anomaly detec-
tion. For example, IoT devices malfunctioning and reporting
unusual sensors values can be detected through machine learn-
ing of IoT data in context broker. The countermeasure is
done through special-purpose IoT controllers that act directly
on the malicious IoT device, using protocols like CoAP
or LWM2M.
Man-in-the-middle attacks allow malicious entities to inter-
cept communications and impersonate endpoints, to spoof and
alter packets, e.g., modifying IoT sensors values to produce
damages. Like in the previous case, it can be detected through
AI-based anomalous detection tools, and counter through IoT
controllers actions over final devices and agents.
Distributed DoS attacks are perpetrated by infecting IoT
devices with malware which, in turn, make them become
part of botnets that launch massive and coordinated DoS
attacks against external victims [24]. DoS can also target IoT
networks, flooding, and exhausting them, and causing ser-
vice unavailability. In our proposed architecture, this can be
detected by a vIDS and special IoT agents. The countermea-
sures based on NFV/SDN can be manifold in this case, either
deploying vLoadBalancer next to the victim entity, or stopping
Authorized licensed use limited to: NATIONAL INSTITUTE OF TECHNOLOGY WARANGAL. Downloaded on August 26,2024 at 12:26:22 UTC from IEEE Xplore. Restrictions apply.
8007
the network traffic in the source, that is, by deploying vFire-
walls that filter traffic coming from infected devices or just
stop the affected device if possible. Network traffic can be
also filtered directly by the SDN controller in the virtual switch
(that can be also deployed on demand in the edge as VNF). In
addition, a virtual IoT honeynet deployed as VNF can emulate
the real IoT network, and the attacker can be redirected to such
a controlled honeynet, thereby countering the potential dam-
age. In any of the cases, the traffic is diverted to the vFirewall,
or vIoTHoneyNet adding new flow rules using SDN.
Malicious code injection in memory or in services, e.g.,
SQL injection, can alter normal IoT and services behavior,
and it can be detected through monitoring tools that identify
unwanted network accesses, or unexpected queries/accesses in
databases/services. Our architecture aims to mitigate this kind
of attack by isolating attackers traffic using SDN.
On the other hand, regarding passive attacks such as traffic
analysis or sniffing/eavesdropping private IoT communica-
tions, our framework detects those problems through deep
packet inspectors deployed as security VNFs that detect
encrypted traffic. The SDN controller can mirroring the traf-
fic toward the vDPI for analysis. The countermeasure can be
deploying vChannelProtection VNFs, to facilitate rebootstrap-
ping of encryption keys and establishing encrypted network
tunnels (e.g., using DTLs), either, end-to-end or through
vProxies.
As identified by Gao et al. [25] there are other specific
attacks such as, for instance, routing attack, sink node attack,
black hole attack, flooding attack, trapdoor, and Sybil attack,
but they can be handled in a similar way that the ones
summarized above.
IV. A RCHITECTURE
ANASTACIA is envisioned as a framework integrated on
top of an IoT infrastructure where IoT devices, physical and
virtual network elements interact in the data plane. On top
of that, a control plane manages the computing, storage, and
networking resources in the data plane by leveraging SDN
controllers, NFV orchestration platforms, and IoT controllers.
The ANASTACIA architecture is shown in Fig. 1. It is
comprised of diverse planes that provides the intelligence and
 8008
Fig. 1. ANASTACIA reference architecture.
dynamic behavior to the system. Namely, the security orches-
trator plane, monitoring and reaction plane, security enforce-
ment plane, user plane, and seal manager. The following
section details each plane and its domains.
A. Security Enforcement Plane
The control and management domain oversees and con-
trols the usage of resources and run-time operations of the
security enablers deployed either over virtualized or physical
environment, including IoT networks. It connects the orches-
tration plane with the IoT platform (data and control planes),
managing the interactions among objects and components for
the enforcement of the security policy defined at the user
plane. The SDN controllers are responsible of communicating
though southbound APIs with the network elements to manage
connectivity applying the networking flow rules. NFV ETSI
MANO-compliant modules are responsible for management
and orchestration of the virtual network and security vir-
tual functions over the virtual infrastructure, e.g., Openstack.
Finally, IoT controllers provide different southbound interfaces
in order to manage and control different kind of IoT devices
depending on the IoT protocols. These IoT controllers are
deployed at the network edge (e.g., gateways) to enforce secu-
rity functions in heterogeneous IoT domains. Regarding the
main interfaces in this domain it is important to highlight the
following ones.
1) SDN-Oriented Security Enforcement Plane Interface:
This allows to manage the SDN networking configuration via
the SDN controller(s). The security orchestrator can request
Authorized licensed use limited to: NATIONAL INSTITUTE OF TECHNOLOGY WARANGAL. Downloaded on August 26,2024 at 12:26:22 UTC from IEEE Xplore. Restrictions apply.
IEEE INTERNET OF THINGS JOURNAL, VOL. 6, NO. 5, OCTOBER 2019
the enforcement of the SDN traffic flow rules received as
outcome of the policy refinement process.
2) NFV-Oriented Security Enforcement Plane Interface:
This allows to manage the security VNFs via the ETSI-
oriented NFV MANO modules. This is, the Security
Orchestrator maintains the knowledge about the VNF descrip-
tors, the network services (NSs) catalogue as well as the
current deployment. When a VNF management is required,
the security orchestrator requests it by sending the configura-
tion to the NFV MANO through the NFVI. Then, the NFV
MANO uses the resource orchestrator (RO) in order to provide
the required resources to cope with the received configuration
through a specific virtualized infrastructure manager. Finally,
the RO requests the VNF configuration enforcement to the
VNF configuration and abstraction. More information on this
topic can be found at [23].
3) IoT-Oriented Security Enforcement Plane Interface:
This manages the configuration of IoT nodes through the IoT
controllers. The security orchestrator can request the enforce-
ment of the security controls within the IoT nodes according to
the configurations generated by the policy refinement process.
The infrastructure and virtualization domain comprises all
the physical machines capable of providing computing, stor-
age, and networking capabilities, as well as the virtualization
technologies, to provide an infrastructures as a service layer.
This domain also includes the network elements responsible
for traffic forwarding, following the SDN controllers rules,
and a distributed set of security probes for data collection to
support the monitoring services.
 MOLINA ZARCA et al.: SECURITY MANAGEMENT ARCHITECTURE FOR NFV/SDN-AWARE IoT SYSTEMS
VNF domain represents the VNFs enforcing the security
within NSs. Anastasia currently considers diverse kind of
network security functions deployed as VNFs in order to
provide the defense mechanisms and threat countermeasures,
including vFirewall, vIDS/IPS, vAAA, vChannelProtection,
and vIoTHoneyNet.
IoT domain refers both, to the final IoT devices as well as
the the security enablers and actuators required to apply the
security directives within the IoT devices. To this aim, the
orchestration plane (either as proactive policy enforcement by
the admin, or as reaction), will apply, over the IoT controller
the appropriate security service, which, in turn, will contact
the final IoT device or actuator by using specific IoT protocols.
B. Security Orchestration Plane
The security orchestrator plane organizes the resources that
support the enforcement plane, carrying out activities such as
the transformation of security properties to configuration rules
(through a policy interpreter) and aligning the security poli-
cies defined by the policy interpreter with the provisioning
of relevant security mechanisms (through a security enabler
providers). It has the whole vision of the underlying infrastruc-
ture in order to orchestrate (through the security orchestrator)
resources and interfaces available at the security enforcement
plane.
The security enabler provider is able to identify the list of
security enablers which can provide specific security capabil-
ities to meet the security policies requirements. Besides, this
component will be endowed with an interface for delivering
medium-to-low translation plugins for technology dependant
policy translations into low-level configurations. In this way
any kind of software or hardware could be supported as secu-
rity enabler by implementing the corresponding translator plu-
gin. Currently, the framework provides plugins focused on the
current experimentation phase, encompassing network filter-
ing and forwarding through SDN and virtual router, XACML
authorization, IoT management through the IoT controller, IoT
honeynet configuration, and DTLS configuration.
A security orchestrator is responsible for selecting the secu-
rity enablers to be used in the policy refinement process. To
choose the proper security enabler to apply in a particular
situation (e.g., after a reaction), it oversees the security capa-
bilities, the available resources in the underlying infrastructure,
and the policy requirements. Once received the configuration
of the security enablers by the policy interpreter, the security
orchestrator interacts with relevant SDN/NFV/IoT control and
management components, so to enforce the required features
in the IoT devices and in the physical/virtual network elements
of the underlying infrastructure.
The SMI interface (security orchestrator system model)
allows to request a system model of the underlying architec-
ture. This information will be used by the security orchestrator
in order to make decisions like what could be the best security
enabler for a specific policy enforcement.
The policy interpreter transforms the security policy (closer
to a human readable policy) to a machine-readable policy
that is able to represent lower configurations parameters.
Authorized licensed use limited to: NATIONAL INSTITUTE OF TECHNOLOGY WARANGAL. Downloaded on August 26,2024 at 12:26:22 UTC from IEEE Xplore. Restrictions apply.
8009
Namely, performs the refinement processes from high-level
security policy language (HSPL) to medium-level security
policy language (MSPL). These security policy models have
been extended from [26]. Finally, the MSPLs are translated to
enablers/VNFs configurations or tasks.
The high to medium interface allows to request a policy
refinement from an HSPL to an MSPL. The medium to lower
interface allows to request a policy refinement from an MSPL
to a specific enabler configuration/task.
Security enabler provider plugin interface allows to request
for a plugin which implements the MSPL to enabler
translation.
Currently, the framework provides security policy models
for authentication, authorization, channel protection (validated
in [27]), filtering, traffic divert, monitoring, IoT management,
IoT honeynet, anonymity, privacy (identity-based, attribute-
based, and PKI-based), QoS, data aggregation, and policy for
orchestration. In order to prevent conflicts between the security
policies, the framework provides a policy conflict detection
engine which verifies that the security policy will not gen-
erate conflicts like redundancy, priorities, duties (e.g., packet
inspection versus channel protection), dependencies, or contra-
dictions. To this aim, the security policy is processed against
the rule engine which extracts context information from the
policy repository and the system model in order to perform
the verification.
Regarding the policy for orchestration, the framework
allows the security administrator to define multiple security
policies related between themselves and with the already
deployed ones by establishing priorities and dependencies.
This is, the security administrator can establish different level
of priorities depending on the magnitude or relevance of the
policy. On the other hand, since the enforcement of a security
policy can be conditioned by the deployment of another pol-
icy or even by the triggering of any kind of event, the security
administrator is able to specify different kind of dependen-
cies depending on the deployment requirements (e.g., an
authorization policy could depend on a success authentication
event).
C. Monitoring and Reaction Plane
The monitoring and reaction plane connects to the IoT plat-
form through the security enforcement plane in order to col-
lect, through monitoring agents, security-focused information
related to the system behavior. This plane also evaluates the
fulfilment of the security policy by checking security models
and threats signatures, performing filtering activities and data
analysis for the detection of anomalies. At this plane, and
based on the anomalies detected, reactions are designed to
mitigate such anomalies through the mitigation action service
(MAS) that is directly connected to the service orchestration
plane. Reactions are designed based on the security model
analysis of the IoT/CPS infrastructure—which determine the
set of possible actions to enforce, and the capabilities of the
network that is being monitored. The specific reaction chosen
is based on a decision support system that evaluate the con-
venience of the reaction depending on the available resources.
 8010
Additionally, alerts and other reports are available for system
administrators through a security alert service.
The monitoring and reaction plane acts the security-enabling
member of the architecture, providing monitoring and self-
reaction capabilities to the platform. To this end, the plane
needs to communicate with other modules, using different
interfaces.
1) Monitoring Configuration Interface: This allows config-
uring the monitoring module from the security orches-
trator. It is intended to provide the required parameters to
refine the detection of potential threats on the network.
2) Reaction Security Configuration Interface: This enables
the security orchestrator to provide the security model-
related data to the reaction module. In general terms,
this information will be composed by the capabilities of
the security policy and the applied countermeasures on
the network as a reaction to a detected security issue.
3) Monitoring Verdicts Interface: This interface is intended
to provide the required monitoring information from
the monitoring to the reaction module. The transferred
data is mainly composed of the verdicts of the security
properties tested on the network.
4) Countermeasures Suggestions Interface: It was con-
ceived to transmit the set of suggested countermeasures
from the reaction module to the security orchestrator in
form of MSPL files.
D. User Plane
The policy editor tool allows administrators to model
security policies with a high/medium-level of abstraction.
1) Security Alerts and Warnings Interface: This interface
will transfer the alerts and warnings from the reaction module
to the end-user interfaces. It is designed as a communication
channel between the reaction module and the ANASTACIA
user plane.
E. Seal Manager Domain
Using security and privacy standards, the dynamic security
and privacy seal monitors in real time the security and privacy,
verdict and decision support system (VDSS). It provides a
graphical representation of the system status to the end-user,
through different GUIs for user and data controller, and data
bases to hold privacy policies and logs.
1) Seal Manager Metadata Interface: This provides the
requested information to evaluate the security and the pri-
vacy in a real-time fashion. The security and privacy policies
defined by the user are stored inside the policies repository
and an interface is available to retrieve and set them from the
seal manager.
V. M AIN A RCHITECTURAL F LOWS
A. Proactive Policy Deployment
The framework features two different policy enforcement
approaches, depending on the entity initiating the enforce-
ment process. Concretely, the proactive (or set-up) approach
and the reactive one. In the first approach, the security pol-
icy is enforced as part of a preventive or by-default security
Authorized licensed use limited to: NATIONAL INSTITUTE OF TECHNOLOGY WARANGAL. Downloaded on August 26,2024 at 12:26:22 UTC from IEEE Xplore. Restrictions apply.
IEEE INTERNET OF THINGS JOURNAL, VOL. 6, NO. 5, OCTOBER 2019
plan. On the other hand, the reactive approach rises the policy
enforcement as part of an automated security countermeasure.
Our previous work [23] already showed the main flow
for the policy-based security enforcement in the proactive
approach. In this case, the security administrator defines an
HSPL through a user-friendly interface using the policy editor
tool and once the policy has been properly defined, the secu-
rity administrator requests the policy enforcement. The policy
editor tool then sends the HSPL policy to the policy interpreter
which identifies the main capabilities of the security policy and
obtains a list of security enablers which could enforce the secu-
rity policy. When there is at least one security enabler capable
of enforcing the security policy (otherwise, the administrator
is notified), the policy interpreter performs a high-to-medium
level policy refinement, generating an MSPL policy, still inde-
pendent of the underlying technology, but filling some required
context information like real IP addresses or endpoints. This
refinement is registered in the policy repository, allowing trace-
ability among policy abstraction levels. Once the MSPL has
been generated, the policy interpreter requests the MSPL pol-
icy enforcement to the security orchestrator, providing, not
only the policy, but also the candidate’s security enablers.
The security orchestrator receives the request and its resource
planner makes the decision concerning the most suitable secu-
rity enabler to enforce, according to its knowledge about the
architecture. Then, the security orchestrator requests a secu-
rity policy translation to the policy interpreter in order to
get a security enabler specific configuration from the MSPL
security policy. The policy interpreter downloads the proper
security enabler translator plugin from the security enabler
provider and the policy interpreter performs the policy transla-
tion, generating the specific security enabler configuration and
registering the relationship among the MSPL and the enabler
configuration in the policy repository. Finally, the configu-
ration is returned to the security orchestrator, who enforces
it through the specific technology, deploying if required new
resources, and updating the new status of the security policy
in the policy repository.
B. Monitoring and Attack Detection
The architecture has been conceived as a security-enabling
framework that allows an autonomic detection of the security
incidents and computation of the countermeasures. To enable
these features, the architecture comprises a monitoring module
that will actively observe the network and ensure its security.
Fig. 2 shows the design of the monitoring component that
is composed of four principal components.
1) Data preprocessing and filtering (DPF) is an
intermediate layer between the incident detector
and the network agents. It is intended to perform an
initial filtering and reformatting of the information cap-
tured by the network agents and feed it in a normalized
format to the incident detector.
2) Incident detector is the core component of the monitor-
ing module. This unit analyses the processed data form
the network agents and executes the security analysis,
searching for security issues and attacks.
 MOLINA ZARCA et al.: SECURITY MANAGEMENT ARCHITECTURE FOR NFV/SDN-AWARE IoT SYSTEMS
Fig. 2. Design of the monitoring module (from ANASTACIA architecture).
3) Attack signatures is a database containing the set of
attacks that are being monitored in the network. Despite
this component is shown as module from the incident
detector, it is usually embedded in the latter.
4) Data analysis is an AI-based module that applies
machine-learning techniques on the extracted data to
detect behavior anomalies.
The aforementioned components rely on the data extracted
by the monitoring agents of our architecture, which can be
seen at the bottom of Fig. 2. Considering their position in
the whole architecture, the monitoring agents take the role of
directly interacting with the monitored network, continuously
extracting information from the data plane that will be used
by the components mentioned above to perform the security
analysis.
Monitoring IoT-based CPS networks introduced a particu-
lar constraint on the monitoring agents: the challenge arose
when using traditional monitoring techniques in state-of-the-
art networks. The proposed framework tackles this challenge
by adapting the traditional tools to the particular requirements
of the IoT networks.
1) Low Energy Consumption Monitoring Agents: Since
IoT devices are restrained in energy, the implemented
monitoring agents efficiently use the available energy,
relegating any complex task to more capable devices.
2) Restricted Computation Capabilities: As a consequence
of the restricted energy, the devices that act as moni-
toring agents for IoT network have limited computation
capability. In this sense, any complex task (such as the
analysis of the data) has to be delegated to devices with
more capacity.
Fig. 2 shows how the IoT monitoring agents interact with
the monitoring module. This design allows to use modified IoT
devices to extract information directly from the IoT network
(e.g., capture digital packets from IoT networks or extract ana-
logue data from sensors) and send it into the DPF module.
Authorized licensed use limited to: NATIONAL INSTITUTE OF TECHNOLOGY WARANGAL. Downloaded on August 26,2024 at 12:26:22 UTC from IEEE Xplore. Restrictions apply.
8011
Fig. 3. ANASTACIA monitoring phase workflow.
This design also allows to connect the architecture to any IoT
system by deploying the monitoring agents on the network to
be protected. Moreover, since the whole architecture has been
conceived in a distributed way, the analysis of the extracted
data can be done in external premises, minimizing the impact
on the monitored network.
1) Security Monitoring Process: The design of the mod-
ule allows actively monitoring IoT networks by following the
process depicted in Fig. 3.
The architecture is devised to employ passive monitor-
ing techniques to continuously extract information form the
network and then put it in the DPF component. This module
performs an initial processing of the extracted data in order
to harmonize it in a common format. Once the information
has been normalized, it is sent to the data analysis module
and the incident detector modules. The functionality of these
modules is intentionally different to guarantee a deep security
analysis. The former, on one hand, is in charge of perform-
ing a behavioral analysis using machine learning techniques
to detect any abnormal behavior. The latter, on the other hand,
performs a signature-based security analysis, ensuring lower
detection times on known attacks.
Once the data analysis component has performed the behav-
ioral analysis, the result is returned to the preprocessing
component, which sends the normalized results to the incident
detection module. Finally, this module uses all the available
information (raw data extracted from the network and the
behavioral analysis results) to perform the security analysis.
Afterward, the incident detector generates the security alerts
that are sent to the reaction component. This process con-
cludes the monitoring phase and triggers the reaction on the
platform, according to the security issues and attacks detected
by the incident detector.
2) Monitoring Potential: The monitoring process has been
conceived to be agnostic of the underlying attack to keep the
 8012
generality of the security analysis. All the connected mon-
itoring agents deliver the extracted information in the DPF
component, which makes it available for both data analysis and
incident detector components. This design decision delegates
the attack detection functionalities on the latter components
allowing the detection of any attack on the monitored network.
Fig. 3 shows that, despite the generic workflow of the mon-
itoring process is complex, it has been designed to have a low
latency in whole detection process, as shown in Section VII.
The implemented instance of our architecture takes advan-
tage of this feature by using multiple monitoring agents such
as Montimage Monitoring Tool (MMT)-probe, IoT brokers,
IDS instances (e.g., Snort), multiple incident detectors (like
MMT-security), and AI data analysis modules, such as [28].
The AI data analysis based on machine learning techniques
allows dealing with anomaly-based intrusion detection, by ana-
lyzing deviations from the historical a normal data reported by
devices. The detection can be done using statistical methods,
such as correlation of time series, or supervised machine learn-
ing techniques such as, for instance, one class support vector
machine.
This features empower the architecture to detect a wide vari-
ety of attacks detailed in Table I. Additionally, the monitoring
agents also take advantage of the NFV and SDN techniques,
allowing a dynamic deployment of them on the monitored
network. Using these techniques, the monitoring and reaction
plane can determine to deploy new instances of monitor-
ing agents to harden the security levels. These instructions
(expressed in MSPL language) will be translated by policy
interpreter upon demands from the security orchestrator, which
will deploy the new monitoring agents—as virtual security
functions—and use SDN to perform the modifications on the
network and deploy the new instances.
Despite the recommended countermeasures are the general
guidelines to mitigate the detected security issues, the frame-
work is designed to dynamically analyze the enforced security
policy and the security capabilities deployed in the network to
compute the most appropriate countermeasure in the detected
case. This empower the framework with highly reactive and
dynamic security capabilities to cope with a wide variety of
attacks.
C. Self-Healing and Self-Protection Processes
The reaction process described in Fig. 4 uses the verdicts
on ongoing incidents to infer the possible countermeasures
to mitigate them. The decision depends on the reactions
that are possible to be enforced in the infrastructure and on
the resources needed to be executed. The available reactions
depend on the security model of the infrastructure, which also
depends on the security capabilities available at the platform.
During the reaction set-up, the security model of the IoT
infrastructure is received by the VDSS of the reaction module
from the security model analysis component, which receives
this information from the security orchestrator. This security
model is directly related to the security policy being enforced,
as it contains information about the security capabilities avail-
able, the potential countermeasures that are possible to be
Authorized licensed use limited to: NATIONAL INSTITUTE OF TECHNOLOGY WARANGAL. Downloaded on August 26,2024 at 12:26:22 UTC from IEEE Xplore. Restrictions apply.
IEEE INTERNET OF THINGS JOURNAL, VOL. 6, NO. 5, OCTOBER 2019
Fig. 4. ANASTACIA reaction process.
enforced and information about the cost associated to their
enforcement. The cost is understood here as the amount of
resources required to enforce certain countermeasure, either
in terms of time, human, computation, or monetary resources.
This set-up process is to be triggered mainly at the starting
point, although updates of the security model can be pushed
into the VDSS in case of updates of the security policy that
entail any modification of the security capabilities.
For every incident detected at the monitoring module, a risk
evaluation is carried out. The risk analysis is performed at
the VDSS, which evaluates the severity of the incident with
the criticality of the assets affected by the incident (which
is received from the security model analysis) and evaluating
the relevance of the threat in terms of potential propagation,
number of devices exposed to the threat or vulnerabilities
exploited. The risk assessment uses statistical models for its
analysis, which feeds from several sources of input.
1) Current incident (type of threat, severity, etc.).
2) Characteristic of the system affected (number of assets,
whether they are exposed to vulnerability exploits, how
critical these devices are).
3) Information about past incidents (past effects of similar
incidents, costs associated to their mitigation or about
damages caused).
Once the level of risk associated to the incident has been
evaluated, the VDSS evaluates the available counter measures
that the IoT infrastructure supports. This evaluation uses the
information received from the security model analysis, which
also notifies about the cost associated to every mitigation. A
potential human intervention is also considered here as the
system admin can fine tune values related to costs and miti-
gations or evaluate the severity of the incident and criticality
of the asset affected, providing with additional input to the
DSS when proposing the most appropriate countermeasure to
mitigate the ongoing incident. The selected countermeasure
is notified to the MAS, which is in charge of notifying to
the security orchestrator by adding the information about the
selected countermeasure to an MSPL policy.
In parallel to the exchange of reaction information
between the reaction and the orchestrator modules, additional
information is exchanged with the dynamic security and pri-
vacy seal module through the security alert service. A real
 MOLINA ZARCA et al.: SECURITY MANAGEMENT ARCHITECTURE FOR NFV/SDN-AWARE IoT SYSTEMS 8013

Fig. 5. ANASTACIA reactive policy enforcement process.

is mainly conceived for the threat intelligence exchange and it

Listing 1. Except of MSPL file for representing a reaction.
time push mechanism is used to notify the security alert ser-
vice about the incidents detected, the alerts generated, and the
mitigations chosen. Such information is transformed by the
security alert service into structured threat information expres-
sion messages, whose format was designed by OASIS1 for the
description of cyber-security information in a standard way. It
1 [Online]. Available: https://oasis-open.github.io/cti-documentation/
stix/intro
is used here to formalize the information received by the seal
manager from the monitoring and reaction modules.
It is worth noticing that, although this process is designed
to be executed in an automatic way, it is also considered
the possibility of requiring explicit consent from the system
administrator, which might also entail the modification of the
security policy. The enforcement of the selected reaction is
enforced at the orchestrator, using virtual network interfaces
and SDN/IoT controllers available at the enforcement plane.
D. Reactive Policy Deployment
Fig. 5 shows the main flow for a security policy enforce-
ment as part of an automatic countermeasure. In this case
the policy enforcement process is initiated by the reaction
module which is able to generate reactions depending on the
threats [Fig. 5 (step 1)]. As part of the reaction, it can be
included one or several MSPL policies. These security poli-
cies are sent to the security orchestrator who identifies the
main capabilities required by the policy [Fig. 5 (step 3)] and

Authorized licensed use limited to: NATIONAL INSTITUTE OF TECHNOLOGY WARANGAL. Downloaded on August 26,2024 at 12:26:22 UTC from IEEE Xplore. Restrictions apply.
 8014
requests information to the system model in order to get the
available resources, as well as requesting a list of security
enablers able to cope with the aforementioned capabilities to
the security enabler provider [Fig. 5 (steps 4 and 5)]. Once
the security orchestrator has gathered relevant information
about the underlying architecture, the resource planner (in
the security orchestrator) decides who is the best security
enabler according to its knowledge of the architecture [Fig. 5
(step 6)]. Then, it requests a policy translation to the policy
interpreter, providing the MSPL policies and the selected secu-
rity enablers for each one. When the policy interpreter receives
the request, it obtains the specific plugin from the security
enabler provider for each security enabler and it performs the
policy translation by executing the plugin for each received
MSPL [Fig. 5 (steps 8–12)]. Afterward, the policy interpreter
sends the result to both, the policy repository for traceabil-
ity purposes, and the security orchestrator, in order to trigger
the policy enforcement [Fig. 5 (steps 13 and 14)]. Finally,
the security orchestrator enforces the enabler configuration
through different components of the framework depending on
the nature of the countermeasure. In case the countermeasure
requires a VNF which is not already deployed, the secu-
rity orchestrator deploys it through the NFV MANO [Fig. 5
(step 15)]. Otherwise, it can use an existent VNF and enforce
the configuration without a previous deployment. At this point,
the configuration can be enforced through the NFV MANO,
the SDN controller or the IoT controller depending on whether
the countermeasure is a networking or IoT related configura-
tion [Fig. 5 (steps 16–18)]. Finally, once the policies have been
enforced, the security orchestrator notifies the new policies
status to the policy repository [Fig. 5 (step 19)].
VI. A RCHITECTURE I NSTANTIATION AND D EPLOYMENT
This section describes the implementation of the architec-
ture explained above as well as its deployment for validation
in two main scenarios: 1) mobile edge computing (MEC) and
2) building management system (BMS).
Regarding the implementation, the monitoring information
is obtained from three main sources.
1) Sensors Attached to the IoT Network: We include here
sensors such as IDS (such as Suricata/Snort sensors),
honeypots, access control logs, etc.
2) MMT [29]: Carrying out deep packet inspection for
the detection of incidents, instantiating the monitoring
module of the architecture.
3) Operational Data Extracted From IoT Devices: It is
analyzed by data analysis tool, which applies machine
learning techniques for identifying anomalous behav-
ior of IoT devices (for example, very high temperature
detected by climate sensors).
A Kafka broker2 is provided to gather the information from
the different sources, normalizing it and getting it ready to be
sent to the monitoring components.
The normalized data is sent, by using rsyslog, to
the anomaly detection reasoner based on the Atos’ XL-
SIEM engine implementing the VDSS functionality of the
2 [Online]. Available: https://kafka.apache.org/
Authorized licensed use limited to: NATIONAL INSTITUTE OF TECHNOLOGY WARANGAL. Downloaded on August 26,2024 at 12:26:22 UTC from IEEE Xplore. Restrictions apply.
IEEE INTERNET OF THINGS JOURNAL, VOL. 6, NO. 5, OCTOBER 2019
architecture. The XL-SIEM provides a correlation engine that
is able to detect incidents by analyzing events from different
sources. The design of the XL-SIEM allows to attach dif-
ferent sources just by implementing new plugins that adapt
and interpret new sources. Furthermore, the format used for
the plugins uses a compatible format with open source SIEM
solutions such as OSSIM,3 which increases the compatibility
and flexibility of the model. The data retrieved by the Kafka
broker, once normalized in rsyslog, is processed by the plugins
of the XL-SIEM which prepares the received data for its cor-
relation at the core of the XL-SIEM. The architecture of the
XL-SIEM permits to decouple plugins and the XL-SIEM core.
Since correlation activities can require a lot of computational
resources, the XL-SIEM core allows to distribute the correla-
tion activities among different instances, which increases not
only efficiency but also robustness.
The correlation activities carried out by the XL-SIEM
core generates alarms for the security incidents detected. The
alarms are labeled with a certain level of criticality, which are
used by the MAS to decide on the most suitable counter mea-
sure to react to the security incident. The orchestration engine
is notified about the proposed reaction, along with specific
information about the devices to receive the countermeasure
(IPs of the devices affected, incidents to mitigate, etc.).
A. Mobile Edge Computing Scenario
Smart security cameras send recorded video to nearby MEC
servers which can realize operations before sending the data to
the cloud. These kind of scenarios are attractive to the hackers
at different levels such as gain access to some security camera
in order to get real time video, capture the data between the
camera and the MEC server, compromise the MEC server in
order to get or manipulate the data or the standard behavior, or
even just take control of the IoT cameras in order to use them
as an army with the aim of performing some kind of DDoS
attack. In this scenario, a ping flooding attack is considered.
1) MEC Testbed: The testbed emulates several IoT devices
inside a Cooja environment, which will attack with ICMP ping
packets a victim outside the simulation—a server specifically
deployed to act as the victim.
To detect the ongoing attack, an instance of the MMT mon-
itoring tool is deployed inside the IoT network, including a
specially developed sniffer that allows extracting packets from
an IoT network. The extracted flows will be analyzed using the
DPI-enabled MMT-probe tool, which is loaded with specific
rules to detect ICMP ping bursts on IoT traffic. This detec-
tor will send events to the Kafka broker—containing the IP
of the affected device and the detected attack among other
data—once the threat has been identified.
In the Kafka broker, an Apache Storm4 class will process
these events and reformat the information using rsyslog, mak-
ing them ready to be sent to the XL-SIEM tool for further
analysis. Once the events have been read by the SIEM, the
latter processes the information and produces an attack alert
that is sent to the MAS by using a RabbitMQ channel.
3 OSSIM. [Online]. Available: https://www.alienvault.com/products/ossim
4 Apache Storm. [Online]. Available: http://storm.apache.org/
 MOLINA ZARCA et al.: SECURITY MANAGEMENT ARCHITECTURE FOR NFV/SDN-AWARE IoT SYSTEMS
To compute the countermeasures, our MAS implementation
receives the SIEM alert and extracts the information contained
within. This information is used to create the countermeasures
defined in MSPL policies. The MAS uses a generates an MSPL
with the the countermeasures for an ICMP flooding attack. The
MSPL defines a filtering rule for the ICMP protocol, instan-
tiated with context such as the IP addresses contained in the
SIEM alert. The MSPL is sent to the security orchestrator that
starts the deployment process of the countermeasures, retriev-
ing the list of available security enforcers capable of enforcing
the specified countermeasures.
To enforce the filtering policies, open source MANO
(OSM)5 together with ONOS6 are suitable security enforcers,
and the security enablers provider returns this as a single
security enforcer. Using this output, the orchestrator selects a
set of security enforcers and transforms the countermeasures,
expressed in MSPL, into a lower-level configuration; the set of
ONOS/OSM specific configurations that will be used to deploy
the countermeasure. With this final translation, the orchestrator
deploys the countermeasures, creating a new virtual firewall
using OMS and ONOS and deploying specific rules to redirect
the traffic of the affected devices and filter the ICMP traffic.
The detection part of the instance described above is com-
posed of three machines: 1) a Cooja machine (for emulating
an IoT network); 2) an MMT-IoT-probe machine (to run the
incident detector); and 3) a MAS machine (for executing the
mitigation service). These instances were virtualized using
VMs with the following features: two vCPUs @ 2.40 GHz,
2-GB RAM, and 20 GB of HDD.
B. Building Management System
Nowadays, it is very common to find a lot of sensors scat-
tered in buildings. In fact, there are usually several sensors by
room or dependencies measuring temperature, humidity, pres-
ence, and luminosity among others. These measurements can
be sent to a SCADA management system which usually imple-
ments different behaviors depending on the received measures
(e.g., if the system receives a measurement beyond the con-
figured threshold it could generate an alarm). Sometimes, this
kind of reactions are really expensive to deploy, or just alter
the standard behavior. On the other hand, if there is a real
emergency but the sensors have been manipulated, the absence
of reactions could be fatal. With this in mind, a malicious
attacker could try to exploit the system in order to take some
kind of advantage, to waste the resources of the target or
harm in somehow to the target. This scenario permits to eval-
uate the benefits provided by the architecture to deal with the
security challenges in IoT-CI that can be affected by the sen-
sor’s manipulation. Instantiating this scenario, the architectural
framework has been deployed in a real building where several
IoT devices, including temperature, humidity, and presence
sensors deployed.
In our testbed, one of these IoT devices is compromised
by an attacker, who gain access to it in order to manipu-
late the temperature sensor value to trigger the fire alarm
5 OSM. [Online]. Available: https://osm.etsi.org/
6 ONOS. [Online]. Available: https://onosproject.org/
Authorized licensed use limited to: NATIONAL INSTITUTE OF TECHNOLOGY WARANGAL. Downloaded on August 26,2024 at 12:26:22 UTC from IEEE Xplore. Restrictions apply.
8015
of the building. As explained in [28], the monitoring mod-
ules are able to discern a regular situation of a abnormal
one based on a previous training, so once the monitoring
modules receive the tramped temperature, these analyze and
correlate the information against its knowledge and them gen-
erates an alert to the reaction module (MAS). This reaction
module computes the countermeasures based on the received
information and determines that it is necessary to turn off the
IoT device until a physical verification has been performed.
The countermeasure is modelled by a new MSPL policy,
sent to the security orchestrator, that analyzes the security pol-
icy and obtains the required capability for the countermeasure.
Since it is an IoT-related management operation, the secu-
rity orchestrator decides to use the IoT controller and requests
the policy translation to obtain the IoT configuration from the
MSPL. Then, it gathers information from the system model in
order to decide through which component it will enforce the
configuration, that is sent to IoT controller. Finally, the IoT
device receives the IoT message by the IoT controller to be
turned off.
1) BMS Testbed: The policy interpreter, policy repository,
security enabler provider, security orchestrator, and IoT con-
troller have been developed from scratch in python using
Django7 rest framework and Falcon for the rest APIs and
Mysql as main database engine. The MSPL policy models
are an extended version of [26], that has been extended to
consider additional requirements imposed by IoT. The IoT
domain security enabler plugin also has been developed from
scratch in order to translate the extended MSPL into IoT con-
troller configuration. The policy interpreter implements four
different HTTP APIs to only translate and enforce the two dif-
ferent security policy levels. The policy repository implements
two different APIs to store the policy translations as well as
the policy enforcement status. The security enabler provider
implements two different APIs to get the security enabler can-
didates as well as to get the selected plugin code. The security
orchestrator implements three APIs to receive the reactions,
to perform the policy translations and to gather information
from the system model as well as the APIs for the infrastruc-
ture management. Finally, the IoT controller implements two
APIs to receive the IoT devices configuration and to send the
configuration using the specific IoT protocol implementation.
In this case, the IoT controller uses CoAP as IoT protocol.
Regarding the equipment used in this scenario, the moni-
toring and reaction modules has been deployed in the same
premises as the previous scenario. The policy interpreter, pol-
icy repository, security enabler provider, and security orches-
trator have been virtualized and dockerized in a Intel Core
i7-2600 CPU at 3.4 GHz, using three vCores, 3.5 GB of RAM,
and 30 GB of HDD. The IoT controller has been virtual-
ized and dockerized in a Intel Core Processor (Haswell) at
1.5 GHz using two vCores, 2 GB of RAM, and 15 GB of
HDD. IoT devices: they are MSP430F5419A-EP at 25 MHz,
128-kB ROM, and 16-kB RAM, running a customized ver-
sion of Contiki OS 2.7 and erbium CoAP server. The 6lowPAN
bridge: it is an MSP430F5419A-EP at 25 MHz, 128-kB ROM,
7 Django. [Online]. Available: https://www.djangoproject.com/
 8016
Fig. 6. DDoS attack detection performance in MEC scenario.
and 16-kB RAM, running a customized version of Contiki OS
2.7 in order to allow the communication between 802.15.4 and
802.3.
VII. P ERFORMANCE E VALUATION
A. Monitoring Performance
To measure the performance of the monitoring phase we
have conducted different experiments in order to determine
the detection time of a ping flooding attack in an IoT sce-
nario. We have setup an emulated IoT network (using Cooja)
that contains a compromised device which will perform a ping
DoS attack toward another device. In addition, we have setup
the MMT-IoT solution to extract the IoT packets and detect
the ICMP flooding using MMT-probe. The test script analyzed
the logs of two tools: the Cooja logs to identify the timestamp
when the attack was triggered and the logs of MMT-probe in
order to identify the timestamp when the attack was detected
by the incident detector. The test script triggered the attack in
the (emulated) compromised device. The verdicts generated
by MMT are then sent to the monitoring module, composed
by two components of the XL-SIEM tool: 1) the XL-SIEM
agent and 2) the XL-SIEM server, measuring the processing
time on both components. The former will receive, process
and filter the events from the MMT-probe sensor, while the
latter will perform the risk analysis and generate a detailed
attack report. Finally, this attack report is sent to the MAS
which will generate the respective MSPL containing the reac-
tion. The processing time is also measured in this last step.
This experiment was run 100 times, in order to compute the
average detection and reaction times for the ICMP flooding
attack (MEC) at each component of the platform.
Fig. 6 depicts the measured times in each component. For
each iteration, the processing times have been stacked to show
the total processing time of the ANASTACIA platform. The
principal contributor of the platform’s reaction time are the
analysis and detection components—MMT in this case—with
an average of 445 ms. The MMT needs to test a security
property: observe different ICMP packets per second, raising
Authorized licensed use limited to: NATIONAL INSTITUTE OF TECHNOLOGY WARANGAL. Downloaded on August 26,2024 at 12:26:22 UTC from IEEE Xplore. Restrictions apply.
IEEE INTERNET OF THINGS JOURNAL, VOL. 6, NO. 5, OCTOBER 2019
the alert as soon as this condition is met. The second contrib-
utor to the total time is the XL-SIEM server, with an average
of 57 ms. This includes the risk analysis performed, aimed to
enrich the data received from the detection engines and deter-
mine the best set of countermeasures to the ongoing attack.
On the contrary, the XL-SIEM agent and the MAS add con-
stant times to the whole process (3.4 and 8.4 ms, respectively)
due to their high parallelism. The average time for the four
analyzed components is 514 ms, counting from the moment
the attack is triggered until the reaction is computed.
B. Incident Handling Performance
To evaluate the performance of the Incident handling in both
MEC and BMS scenarios we have increasing number of events
that are sent to the incident detector at different pace. The inci-
dent detector (XL-SIEM), is an Apache Storm-based incident
detector that uses an complex event processing engine, namely
Esper,8 to correlate events. Events received by the incident
detector are filtered, processed and correlated to generate secu-
rity alarms, which are then sent to the reaction module via the
Kafka broker. The MAS collects these alarms and generates
an MSPL file which is sent to the security orchestrator.
To perform the tests, we have sent a burst of 100 events at
different frequencies: 20, 10, and 4 Hz. In order to test the
performance of the components involved in the monitoring,
detection, and reaction, we have forced the generation of a
security alert per event sent. Therefore, the incident detector
has generated 100 alarms at the pace indicated above. It is
worth noticing that, in a normal operation environment, events
from the same source IP will trigger just one alarm every 60 s
or several minutes (depending on the rule configured at the
Esper engine). This would allow to filter large amounts of
events and to avoid unnecessary overload to the system. In this
performance evaluation, we have simulated one of the worst
cases in terms of workload, both for the incident detector,
VDSS, MAS, and orchestrator.
8 Esper. [Online]. Available: http://www.espertech.com/esper
 MOLINA ZARCA et al.: SECURITY MANAGEMENT ARCHITECTURE FOR NFV/SDN-AWARE IoT SYSTEMS 8017

Fig. 7. Incident handling performance, bursts of 100 events at different frequencies.

Fig. 8. Incident handling performance, bursts of 100 combined attacks (1100 events) at different frequencies.

The results of the tests are represented in the following chart
(Fig. 7). The y-axis represents the time taken by the incident
detector to process each event, from the time it is received to
the time when it is sent to the messaging queue to be consumed
by the MAS. As it can be seen, the response time of incident
detector is stable, although some peaks are present in all tests.
The higher peak is present at 10 Hz (in event #79), with a
response time of 307 ms. Despite those anomalies the incident
detector recovers the normality quickly. It must be observed,
however, that at 20 Hz it takes longer to recover the stability
(e.g., from event #38 to #45).
To understand those delays we have to consider the XL-
SIEM architecture. It is implemented in Apache Storm which
uses multiple threads in order to process several processes
simultaneously. Each thread (or bolt, as Apache Storm names
a singular thread or process) is in charge of a singular task,
like storing events in database, correlate events, send alarms
to RabbitMQ, store alarms in database, etc. As long as there
are more threads than cores, the cores are shared by differ-
ent threads. The execution order of the different tasks can be
different in some cases, consequently the measured process-
ing time may fluctuate. Furthermore, some tasks use shared
resources (like databases), hence mutual exclusion situations
may occur and increase the processing time. Those variations
are appreciated in the charts as peaks.
Alarms generated by the incident detector are sent to a
RabbitMQ message queue, where the MAS is attached to
receive these alarms. There’s a transfer time of approximately
40–50 ms. This time may vary depending on the network con-
ditions and on the sync difference between the machines where
the time-stamps are measured.
In addition, some extra tests have been done to evaluate the
XL-SIEM server performance in a different stressing scenario.
In this case, the alerts are triggered when detecting differ-
ent combined attacks, mixing up to 11 events to generate an
alarm. Once again, the attacks have been generated at differ-
ent frequencies: 4, 10, and 20 Hz. This scenario stresses the
correlation engine, creating a bottleneck in this component at
higher frequencies. The tests results are represented in Fig. 8,
where the processing time increases constantly at 20 Hz and
the bottleneck effect can be appreciated. These tests demon-
strate how the complexity of the alarm rules can impact the
XL-SIEM performance.
C. Reaction Enforcement Performance
Fig. 9 shows the performance for the reactive policy trans-
lation. It measures along 100 iterations the time required by
the policy interpreter to translate the reactive MSPL into both,
filtering SDN and power management IoT configurations. As

Authorized licensed use limited to: NATIONAL INSTITUTE OF TECHNOLOGY WARANGAL. Downloaded on August 26,2024 at 12:26:22 UTC from IEEE Xplore. Restrictions apply.
 8018 IEEE INTERNET OF THINGS JOURNAL, VOL. 6, NO. 5, OCTOBER 2019

part takes around 460 ms, the incident handling takes around
58 ms, the policy translation is close to 36 ms, and finally,
the policy enforcement shows results around 370 ms. If we
consider the whole cycle, the framework is detecting and
enforcing the countermeasures in less than 1 s. It is important
to highlight that this result depends largely on the complexity
of the countermeasure as well as the kind of attack, i.e., in
general, the more complex countermeasure, the longer it will
take its deployment.

VIII. C ONCLUSION
This paper has presented ANASTACIA security manage-
ment architecture aimed to deal with the security and privacy
in NFV/SDN-enabled IoT scenarios, detailing the different
planes of the architecture as well as the main architectural
Fig. 9. Reactive policy translation.
flows. In addition, the main IoT thread/attacks and their sug-
gested potential detection and reaction mechanisms based on
NFV-SDN has been presented. The architecture has been suc-
cessfully instantiated and tested in two different scenarios:
1) the MEC and 2) IoT-CI in BMSs. In these scenarios we
tested DDos and IoT malware attacks, respectively, detailing
the autonomic reaction processes to mitigate them. The accom-
plished performance evaluation demonstrated the feasibility of
the solution to automatically monitor, detect, react, and miti-
gate IoT cyber-attacks, enforcing proper security policies, in
reasonable times (depending on kind of attack and reaction
countermeasure), accounting the latency and delays incurred
in IoT networks.
As future work, we envisage to extend the supported cyber-
threats detection and mitigation possibilities by addressing
reactive VNF orchestration and deployment at the edge of IoT
constrained systems and networks.

Fig. 10. Reactive policy enforcement.
it can be seen, the measurements obtained for the policy trans-
lation are quite similar, with an average time close to 36 ms
taking into account the variations that the system may suffer
during execution. This is due to the extension and complexity
of the filtering policies for both scenarios are similar.
Fig. 10 shows the performance for the reactive policy
enforcement, which measures along 100 iterations the time
taken by the security orchestrator to enforce the configurations.
It covers since the security orchestrator receives the MSPL
policy until it receives the enforcement confirmation from the
security enabler. In this case it is not taking into account
the policy translation since it has been shown previously.
In the results we can see that the policy enforcement though
the SDN controller takes approximately half the time of the
enforcement through the IoT controller. It can be explained
as the enforcement against the IoT devices is sent through a
6LowPAN network while the SDN enforcement is performed
through Ethernet.
If we look at the full life-cycle of the framework detec-
tion and reaction processes in terms of average times, taking
as example the first scenario, we can see that the detection
R EFERENCES
[1] L. Atzori, A. Iera, and G. Morabito, “The Internet of Things:
A survey,” Comput. Netw., vol. 54, no. 15, pp. 2787–2805,
2010. [Online]. Available: http://www.sciencedirect.com/science/article/
pii/S1389128610001568
[2] J. L. H. Ramos, J. B. Bernabe, and A. F. Skarmeta, “Managing context
information for adaptive security in IoT environments,” in Proc. IEEE
29th Int. Conf. Adv. Inf. Netw. Appl. Workshops, Mar. 2015, pp. 676–681.
[3] T. Yu, V. Sekar, S. Seshan, Y. Agarwal, and C. Xu, “Handling a
trillion (unfixable) flaws on a billion devices: Rethinking network
security for the Internet-of-Things,” in Proc. 14th ACM Workshop
Hot Topics Netw. (HotNets-XIV), 2015, pp. 1–5. [Online]. Available:
http://doi.acm.org/10.1145/2834050.2834095
[4] J. P. Santos et al., “SELFNET framework self-healing capa-
bilities for 5G mobile networks,” Trans. Emerg. Telecommun.
Technol., vol. 27, no. 9, pp. 1225–1232. [Online]. Available:
https://onlinelibrary.wiley.com/doi/abs/10.1002/ett.3049
[5] P.-O. Östberg et al., “Reliable capacity provisioning for distributed
cloud/edge/fog computing applications,” in Proc. Eur. Conf. Netw.
Commun. (EuCNC), Jun. 2017, pp. 1–6.
[6] S. T. Ali, V. Sivaraman, A. Radford, and S. Jha, “A survey of securing
networks using software defined networking,” IEEE Trans. Rel., vol. 64,
no. 3, pp. 1086–1097, Sep. 2015.
[7] D. B. Rawat and S. R. Reddy, “Software defined networking architecture,
security and energy efficiency: A survey,” IEEE Commun. Surveys Tuts.,
vol. 19, no. 1, pp. 325–346, 1st Quart., 2017.
[8] S. Chakrabarty, D. W. Engels, and S. Thathapudi, “Black SDN for the
Internet of Things,” in Proc. IEEE 12th Int. Conf. Mobile Ad Hoc Sensor
Syst., Dallas, TX, USA, Oct. 2015, pp. 190–198.
[9] P. Bull, R. Austin, E. Popov, M. Sharma, and R. Watson, “Flow based
security for IoT devices using an SDN gateway,” in Proc. IEEE 4th Int.
Conf. Future Internet Things Cloud (FiCloud), Aug. 2016, pp. 157–163.

Authorized licensed use limited to: NATIONAL INSTITUTE OF TECHNOLOGY WARANGAL. Downloaded on August 26,2024 at 12:26:22 UTC from IEEE Xplore. Restrictions apply.
 MOLINA ZARCA et al.: SECURITY MANAGEMENT ARCHITECTURE FOR NFV/SDN-AWARE IoT SYSTEMS
[10] O. Flauzac, C. González, A. Hachani, and F. Nolot, “SDN based archi-
tecture for IoT and improvement of the security,” in Proc. IEEE 29th
Int. Conf. Adv. Inf. Netw. Appl. Workshops, Mar. 2015, pp. 688–693.
[11] S. Choi and J. Kwak, “Enhanced SDIoT security framework models,”
Int. J. Distrib. Sensor Netw., vol. 12, no. 5, May 2016.
[12] V. Varadharajan and U. Tupakula, “Security as a service model for
cloud environment,” IEEE Trans. Netw. Service Manag., vol. 11, no. 1,
pp. 60–75, Mar. 2014.
[13] B. R. Al-Kaseem and H. S. Al-Raweshidyhamed, “SD-NFV as an energy
efficient approach for M2M networks using cloud-based 6LoWPAN
testbed,” IEEE Internet Things J., vol. 4, no. 5, pp. 1787–1797,
Oct. 2017.
[14] W. Yang and C. Fung, “A survey on security in network functions virtu-
alization,” in Proc. IEEE NetSoft Conf. Workshops (NetSoft), Jun. 2016,
pp. 15–19.
[15] F. A. Alaba, M. Othman, I. A. T. Hashem, and F. Alotaibi, “Internet of
Things security: A survey,” J. Netw. Comput. Appl., vol. 88, pp. 10–28,
Jun. 2017. [Online]. Available: http://www.sciencedirect.com/
science/article/pii/S1084804517301455
[16] I. Farris, T. Taleb, Y. Khettab, and J. S. Song, “A survey on emerging
SDN and NFV security mechanisms for IoT systems,” IEEE Commun.
Surveys Tuts., vol. 21, no. 1, pp. 812–837, 1st Quart., 2019.
[17] C. S. Shankar, A. Ranganathan, and R. Campbell, “An ECA-P policy-
based framework for managing ubiquitous computing environments,”
in Proc. 2nd Annu. Int. Conf. Mobile Ubiquitous Syst. Netw. Services,
San Diego, CA, USA, 2005, pp. 33–42.
[18] C. Rensing, M. Karsten, and B. Stiller, “AAA: A survey and a
policy-based architecture and framework,” IEEE Netw., vol. 16, no. 6,
pp. 22–27, Nov./Dec. 2002.
[19] A. M. Hadjiantonis, A. Malatras, and G. Pavlou, “A context-aware,
policy-based framework for the management of MANETs,” in Proc. 7th
IEEE Int. Workshop Policies Distrib. Syst. Netw. (POLICY), 2006, p. 10.
[20] “D2.3.1—Specification of the SECURED architecture,” SECURED
Consortium, SECURED FP7 EU Project no. 611458, Sep. 2014.
[21] S. Ziegler, A. Skarmeta, J. Bernal, E. Kim, and S. Bianchi,
“ANASTACIA: Advanced networked agents for security and trust assess-
ment in CPS IoT architectures,” in Proc. Glob. Internet Things Summit
(GIoTS), Jun. 2017, pp. 1–6.
[22] I. Farris et al., “Towards provisioning of SDN/NFV-based security
enablers for integrated protection of IoT systems,” in Proc. IEEE Conf.
Stand. Commun. Netw. (CSCN-2017), 2017, pp. 169–174.
[23] A. M. Zarca et al., “Enhancing IoT security through network soft-
warization and virtual security appliances,” Int. J. Netw. Manag.,
vol. 28, no. 5, 2018, Art. no. e2038. [Online]. Available:
https://onlinelibrary.wiley.com/doi/abs/10.1002/nem.2038
[24] E. Bertino and N. Islam, “BotNets and Internet of Things security,”
Computer, vol. 50, no. 2, pp. 76–79, Feb. 2017. [Online]. Available:
doi.ieeecomputersociety.org/10.1109/MC.2017.62
[25] Y. Gao et al., “Analysis of security threats and vulnerability for cyber-
physical systems,” in Proc. 3rd Int. Conf. Comput. Sci. Netw. Technol.,
Oct. 2013, pp. 50–55.
[26] C. Basile, A. Lioy, C. Pitscheider, F. Valenza, and M. Vallini, “A
novel approach for integrating security policy enforcement with dynamic
network virtualization,” in Proc. 1st IEEE Conf. Netw. Softwarization
(NetSoft), Apr. 2015, pp. 1–5.
[27] A. M. Zarca et al., “Enabling virtual AAA management in SDN-based
IoT networks,” Sensors, vol. 19, no. 2, p. 295, 2019. [Online]. Available:
http://www.mdpi.com/1424-8220/19/2/295
[28] D. Mehta, A. E.-D. Mady, M. Boubekeur, and D. M. Shila, “Anomaly-
based intrusion detection system for embedded devices on Internet,” in
Proc. 10th Int. Conf. Adv. Circuits Electron. Micro Electron., Venice,
Italy, 2018, pp. 16–20.
[29] B. Wehbi, E. M. de Oca, and M. Bourdelles, “Events-based security
monitoring using MMT tool,” in Proc. IEEE 5th Int. Conf. Softw. Testing
Verification Validation, Apr. 2012, pp. 860–863.
Alejandro Molina Zarca received the M.Sc. and
master’s degrees in computer science from the
University of Murcia, Murcia, Spain, in 2012 and
2017, respectively, where he is currently pursuing
the Ph.D. degree at the Department of Information
and Communication Engineering.
He is currently a Researcher with the Department
of Information and Communication Engineering,
University of Murcia. His current research interests
include Internet of Things security and network
virtualization and softwarization.
Authorized licensed use limited to: NATIONAL INSTITUTE OF TECHNOLOGY WARANGAL. Downloaded on August 26,2024 at 12:26:22 UTC from IEEE Xplore. Restrictions apply.
8019
Jorge Bernal Bernabe received the M.Sc., master’s,
and Ph.D. degrees in computer science from the
University of Murcia, Murcia, Spain.
He is currently a Post-Doctoral Researcher
with the University of Murcia. He has authored
several book chapters and over 35 papers in
international conferences and journals. He has
been involved with research on several European
projects such as DESEREC, Semiramis, Inter-Trust,
SocIoTal, ARIES, OLYMPUS, ANASTACIA, and
CyberSec4Europe. His current research interests
include security, trust, and privacy management in distributed systems and
Internet of Things.
Dr. Bernabe has been involved on the scientific committees of numerous
conferences and has served as a Reviewer for multiple journals.
Ruben Trapero received the Ph.D. degree from the
Universidad Politécnica de Madrid, Madrid, Spain,
in 2010.
He was a Research Engineer with the Universidad
Politécnica de Madrid, until 2011. He has been a
Telecommunication Engineer since 2004. From 2012
to 2014, he was an Assistant Professor with the
Universidad Carlos III of Madrid, Getafe, Spain.
In 2015, he joined the DEEDS Group, Technische
Universität Darmstadt, and where he became the
Head of the Security Laboratory focused in cloud
security. Since 2016, he has been a part of the Cyber Security Group,
ATOS Research and Innovation, Madrid. His current research interests
include identity management, privacy and security management, and service
engineering.
Diego Rivera received the bachelor of computer sci-
ences and computing engineering degree from the
University of Chile, Santiago, Chile, in 2011 and
2013, respectively, and the Ph.D. degree focused
on the analysis of the quality of experience for
OTT services from the Université Paris-Saclay, Paris,
France, in 2016.
From 2012 to 2013, he was a Research Assistant
with NIC Chile Research Labs, University of Chile,
where he was involved with research on concur-
rency issues in Linux UDP sockets. He is currently a
Research and Project Engineer with Montimage, Paris, where he is involved in
the development of security monitoring solutions for Internet of Things-based
cyber-physical systems.
Jesus Villalobos received the master’s degree in
computer science and the master’s degree in cyberse-
curity from the University of Seville, Seville, Spain,
in 2012 and 2016, respectively.
He also studied computer forensics with the
University of Granada, Granada, Spain, in 2017.
He has been a Software Engineer since 2012.
From 2012 to 2017, he was a Full-Stack
Developer and a Project Lead with 4A-SIDE GmbH,
Braunschweig, Germany. From 2017 to 2018, he was
a Cybersecurity Consultant with AndaluciaCERT,
Seville, as part of the Computer Emergency Response Team. Since 2017,
he has been a part of the Cybersecurity Laboratory, ATOS Research and
Innovation, Madrid, Spain, where he is involved in several projects for the
Horizon 2020 European Commission Program.
 8020
Antonio Skarmeta received the B.S. degree
(Hons.) in computer science from the University
of Murcia, Murcia, Spain, the M.S. degree
in computer science from the University of
Granada, Granada, Spain, and the Ph.D. degree
in computer science from the University of
Murcia.
Since 2009, he has been a Full Professor with
the Department of Information and Communications
Engineering, University of Murcia. He has been
involved with research on different projects in
the national and international areas in the networking, security, and
Internet of Things (IoT) area, like Euro6IX, ENABLE, DAIDALOS,
SWIFT, SEMIRAMIS, SMARTIE, SOCIOTAL, IoT6 ANASTACIA, and
CyberSec4Europe. He has been the Head of the Research Group ANTS since
its creation in 1995. He has authored or co-authored over 200 international
papers and being member of several program committees. His current research
interests include integration of security services, identity, IoT, and smart cities.
Stefano Bianchi received the biomedical engineer-
ing degree from the University of Genoa, Genoa,
Italy.
He is Research and Innovation Manager with
Softeco Sismat Srl, Genoa. He is the Head
of the Research and Innovation Business Unit,
Softeco, Geneva, Switzerland. His over 16 years
of experience in Research and Innovation projects
include European projects, such as eContent-
Worksafe, eContent-ERDDS, eTEN-EuOrphan, IST-
K-Wf Grid, eTEN-EuroWorksafe, eContentPlus-
AquaRing, IST-Accessibile, HEALTH-Hypergenes, ICT-TELL ME, and ICT-
ANASTACIA and national projects, such as CCSE RSE-SmartGen, FIMSER-
GLIMS, CSEA-Podcast, and CSEA-VIRTUS. His experience ranges from
user requirements analysis to system architecture design and technical soft-
ware development (Web application in particular) with an emphasis on
complementary activities, such as market analysis and business model plan-
ning, dissemination, communication and exploitation, and project technical
and administrative coordination. He is currently coordinating the H2020
ANASTACIA project on IoT/CPS cybersecurity, CSEA PODCAST project
on Automated Metering Infrastructure integration in smart grids, and CSEA
VIRTUS on Virtual Power Plant.
Authorized licensed use limited to: NATIONAL INSTITUTE OF TECHNOLOGY WARANGAL. Downloaded on August 26,2024 at 12:26:22 UTC from IEEE Xplore. Restrictions apply.
IEEE INTERNET OF THINGS JOURNAL, VOL. 6, NO. 5, OCTOBER 2019
Anastasios Zafeiropoulos received the Dipl.-Ing.
degree from the School of Electrical and Computer
Engineering, National Technical University of
Athens, Athens, Greece, the M.Sc. degree in
public policy and management from the Athens
University of Economics and Business, Athens, and
the Ph.D. degree from the School of Electrical
and Computer Engineering, National Technical
University of Athens.
He is currently the Head of the 5G/IoT Research
Group, UBITECH, Athens, focusing mainly on the
design and implementation of innovative technical solutions on the fields of
5G, SDN/NFV, Internet of Things, data mining and analytics, and green IT
solutions. He has co-authored over 40 scientific publications in high-level
international journals and conferences.
Panagiotis Gouvas received the Dipl.-Ing. and
Ph.D. degrees from the School of Electrical
and Computer Engineering, National Technical
University of Athens, Athens, Greece.
He is the co-founder and Research and
Development Director of UBITECH, Athens. He
has authored or co-authored over 35 international
papers. He is also active in relevant standardization
communities. His current research interests include
cloud computing, security, big data analytics, and
autonomic networking. He has actively participated
in many research and commercial projects in the above areas.
Dr. Gouvas has been a member of several Program Committees.