IEICE TRANS. ??, VOL.Exx–??, NO.xx XXXX 200x1

PAPER

Assessing Lightweight Virtualization for

Security-as-a-Service at the Network Edge

Abderrahmane BOUDI†∗a), Ivan FARRIS†b), Miloud BAGAA†c), and Tarik TALEB†d),

SUMMARY Accounting for the exponential increase in secu-rity threats, the development of new defense strategies for perva-sive environments is acquiring an ever-growing importance. Theexpected avalanche of heterogeneous IoT devices which will pop-ulate our industrial factories and smart houses will increase thecomplexity of managing security requirements in a comprehen-sive way. To this aim, cloud-based security services are gain-ing notable impetus to provide security mechanisms accordingto Security-as-a-Service (SECaaS) model. However, the deploy-ment of security applications in remote cloud data-centers canintroduce several drawbacks in terms of traffic overhead and la-tency increase. To cope with this, edge computing can provideremarkable advantages avoiding long routing detours. On theother hand, the limited capabilities of edge node introduce po-tential constraints in the overall management. This paper focuseson the provisioning of virtualized security services in resource-constrained edge nodes by leveraging lightweight virtualizationtechnologies. Our analysis aims at shedding light on the feasi-bility of container-based security solutions, thus providing usefulguidelines towards the orchestration of security at the edge. Ourexperiments show that the overhead introduced by the container-ization is very light.key words: NFV, Security, Cloud/Edge Computing, and IoT.

1. Introduction

The interest towards cybersecurity is fast growing overthe last years accounting for the tremendous effectsand damages which can be carried out in our hyper-connected world. The potential attack surfaces are in-creasing at fast pace leveraging the widespread adop-tion of Internet of Things (IoT) devices. Furthermore,the heterogeneity of IoT devices, ranging from smart in-dustrial appliances to simple domestic sensors, can evenincrease the complexity to provide the desired protec-tion [1]. Novel security strategies are required to meetsecurity policies in both industrial and domestic envi-

Manuscript received July 7, 2018.Manuscript revised July 7, 2018.†Dep. of Communications and Networking School of

Electrical Engineering, Aalto University, Espoo, Finland.T. Taleb is also with Oulu University, Oulu, Finland, andwith Sejong University, Seoul, Korea.

∗Laboratoire de la Communication dans les Systemes In-

formatiques,Ecole nationale Superieure d’Informatique, Al-giers, Algeria

a) E-mail: a boudi@esi.dzb) E-mail: ivan.farris@aalto.fic) E-mail: miloud.bagaa@aalto.fid) E-mail: tarik.taleb@aalto.fi

DOI: 10.1587/trans.E0.??.1

ronments.Accounting for the success of cloud solutions, the

provisioning of on-demand security services accordingto the Security-as-a-Service model [2] is gaining notableattention from both industrial and research communi-ties. In this way, organizations and users can be as-sisted by cloud-hosted components providing securityand privacy protection [3], [4]. On the other hand, thedeployment of security instances in remote data centerspresent several drawbacks, such as long routing detoursand delay increase. To face these issues, Edge Comput-ing [5] offers the opportunity to efficiently host servicesat the network edge, thus introducing remarkable bene-fits in terms of shortening latency and traffic reduction.

In this paper, we aim at investigating the provi-sioning of security services in resource-constrained edgenodes, such as network access points and IoT gate-ways. In this vein, we will evaluate Docker containers aspromising lightweight virtualization technology [6]. Westrongly believe that performance analysis of securitydefense systems is of utmost importance, since securitymechanisms can notably influence the overall Quality ofService (QoS) [7]. Our analysis aims at shedding lighton the feasibility of container-based security servicesin resource-constrained devices, assessing relevant re-source consumption in a realistic testbed environmentfor a broad range of possible workloads.

The paper is organized as follows. In Section 2, wepresent a background on cloud-based security functionsand edge computing features. Two promising case stud-ies are discussed in Section 3. In Section 4, we presentSecurity-as-a-Service features in edge environment, ac-counting for the constraints and challenges introducedby resource-constrained edge nodes. Section 5 reportsthe performance evaluation of container-based securityfunctions. While we list some promising open researchchallenges in Section 6, concluding remarks are drawnin Section 7.

2. Background

2.1 Cloud-based Security Functions

Accounting for the remarkable benefits introduced bycloud service provisioning, an increasing number of se-curity vendors are exploiting cloud ecosystems to pro-vide their security solutions. This approach, referred

Copyright c© 200x The Institute of Electronics, Information and Communication Engineers

2

to as SECurity-as-a-Service (SECaaS) [2], is based onthe provisioning of virtual security applications via thecloud, thus leveraging greater flexibility and economiesof scale. In this vein, the Cloud Security Alliance (CSA)has defined guidelines for cloud-delivered defense so-lutions, to assist enterprises and end-users to widelyadopt this security paradigm shift [8].

In this landscape, specific research efforts aim atdeveloping schemes to appropriately model virtualizedsecurity services and to provide guidelines for efficientlyintegrating security services within standard cloud de-livery solutions [9]. In [10], an approach towards theadoption of security policies management with dynamicnetwork virtualization is presented. In particular, threedifferent policy abstraction layers are defined and aniterative refinement process is proposed to determinethe resources necessary to enforce specific security fea-tures through the provisioning of selected virtualizedsecurity functions. To meet the desired objectives andto avoid deviation from the expected policies’ goals, anaccurate estimation of the requirements for virtualizedfunctions becomes crucial, as well as the managementof the overall lifecycle.

Accounting for the significant advantages intro-duced by replacing dedicated network hardware withsoftware instances, Network Function Virtualization(NFV) is gaining high momentum to enhance thescalability and flexibility of softwarized networks [11].In [12], a framework for characterizing performance ofvirtual network functions has been developed, to deter-mine optimal resource configuration for a given work-load and useful insights to scale up or down relevantinstances. Among the analyzed functions, the analysisof Intrusion Detection System (IDS) executed in virtualmachines have been tested for cloud environments. In-deed, the performance of virtualized components canhave a great impact on the overall service chaining, ac-counting for the hardware settings and virtualizationtechnologies overhead [13]. The objective of this paperis to consider the evaluation of container-based tech-nologies for providing security mechanisms in resource-constrained edge nodes.

2.2 Lightweight Virtualization for Edge Computing

Over the last years, Edge Computing has received moreattention, accounting for the opportunity to extend thesuccessful cloud model towards the edge of the net-work. In this way, great advantages can be introduced interms of reduced latency, traffic reduction, and context-awareness. Not by chance, edge computing is consid-ered as a pillar of next-generation 5G networks [14],[15], able to support demanding verticals such as mas-sive IoT, virtual reality, and Tactile Internet [16], [17].Also, standardization bodies and industrial consortiaare promoting its widespread adoption by creating spe-cific study groups, thus leading to ETSI Multiple-access

Fig. 1 Security-as-a-Service in industrial edge scenarios.

Edge Computing (MEC) Working Group [18] and OpenFog Consortium [19].

However, new challenges are introduced in thedeployment of service instances at the networkedge. Especially when considering resource-constrainededge nodes, lightweight virtualization technologies arestrictly required. In this vein, container-based virtual-ization is able to offer several benefits with respect toclassic hypervisor-based virtual machine environments:(i) fast creation and initialization of virtualized in-stances; (ii) high density of applications, thanks to thesmall container images; (iii) reduced overhead, whileenabling isolation between different instances runningin the same host [6], [16].

As discussed in [20], Docker containers represent apromising platform for Edge Computing. In this work,Docker has been evaluated in terms of deployment andtermination, resource and service management. Dif-ferent application fields for container-based virtualiza-tion have been demonstrated. Container technologiesare used in a Capillary Network scenario [21], whereDocker containers allow to package, deploy, and exe-cute different functionalities at the capillary gateway.In [22], lightweight virtualization technologies are usedto deploy on-demand gateway features for the Cloud ofThings. However, an analysis of container technologiesfor security services is still missing.

3. Case studies

In this section, we present two promising use casesin both industrial and domestic environments whichstrongly push the need for provisioning security func-tions at the edge with advanced flexibility compared toclassic dedicated hardware solutions.

3

3.1 Factory 4.0

The fourth industrial revolution is next-to-come andwill be boosted by a progressive digitalization of in-dustrial production processes. In this fervent ecosys-tem, sensors and actuators will play a fundamentalrole to bridge the physical and virtual domains by pro-viding the necessary capabilities to monitor the indus-trial environment and to promptly react. Furthermore,automated robots are expected to provide real-timeinformation about operational behavior, for enablingboth remote quality of product and maintenance anal-ysis [23]. The increased connectivity of industrial sys-tems will thus be the key factor for next-generationFactory 4.0.

The dark side of the medal of this increased open-ness will be represented by the new potential secu-rity vulnerabilities which can be exploited by maliciousattackers [24], [25]. Indeed, security threats can causecatastrophic effects in industrial environments leadingto process interruption, product adulteration, and evenhealth risk for workers operating in strict synergy withrobots. These accidents can provoke huge losses in rev-enues and brand reputation, thus undermining the over-all digitalization of industrial revolution.

Further challenges of industrial environments dealwith the confidentiality of information gathered dur-ing production processes. Data leakages can also ad-vantage potential competitors, and consequently com-panies are reluctant to have their data processed out-side their boundaries. In this complex scenario, the in-creased abstraction capabilities of edge node can pro-vide the appropriate environment to execute virtualizedsecure functions, as sketched in Fig. 1. For instance,enhanced gateway can forward data to/from industrialsensors and analyze relevant traffic flows to identify po-tential security vectors. Only the verified data can beadmitted and security alerts are logged. Key aspectsdeal with the analysis of performance ensured by virtu-alized security functions in resource-constrained edgenodes. In this way, the interplay of virtualized secu-rity functions between cloud and edge can be furtherimproved and novel offloading strategies can be devel-oped, specifically tailored to the constraints of virtual-ized edge nodes.

3.2 Smart Home

A myriads of IoT devices will transform our housesin smart pervasive environments, ranging from smartkitchen appliances to tiny light sensors. A key factoris their enhanced interworking to exchange and coop-erate with neighboring devices, as well as back-end ap-plications hosted by cloud platforms. The dark side ofthis connectivity relates to the new potential securityvectors which attackers can leverage to lead their ma-

licious activities. Indeed, in October 2016, cybercrimi-nals launched a Distributed Denial of Service (DDoS)attack† against an Internet Service Provider Dyn, thusdisrupting access to several popular websites. To carryout this attack, a large number of internet-connecteddevices (mostly DVRs and cameras) were maliciouslyexploited by leveraging some firmware security flaws.The heterogeneity of devices make extremely complexto guarantee the desired security requirements for end-users.

To enhance defense mechanisms, the security-as-a-service paradigm can be promoted by Telco operators,which can provide routers/gateways with enhanced vir-tualization capabilities to their subscribers. A broadrange of services can be deployed on-demand withinthe home environments, while enabling the creation oflocal edge clouds able to secure and verify the communi-cations from/into domestic environments. In this way,potential sensitive information included in the trafficflows can be processed locally, thus preserving relevantconfidentiality. For instance, IDS can be deployed toverify malicious traffic between personal IoT devicesand remote cybercriminals. When potential threats aredetected, security alerts are launched to inform the end-users and to trigger the adoption of appropriate coun-termeasures.

4. Container-oriented Edge Management ofVirtual Security Functions

Container-based virtualization can drastically reducethe overhead with respect to classic hypervisor-basedvirtualization. Instead of executing a full operating sys-tem in each virtual machine instance, containers canrun on top of the same kernel provided by the underly-ing host machines. Indeed, containers leverage two keyfeatures of the operating system kernel, i.e., namespacesand control groups (cgroups). Linux namespaces allowto isolate processes (i.e. containers) from each other,whereas cgroups can be used to allocate specific amountof resources, such as CPU, memory, and block deviceI/O, to each container instance. Compared to full andpara-virtualized approaches, container virtualization isdirectly done in the kernel, thus guaranteeing betterperformance [6].

In this paper, we use application-oriented Dockercontainers for executing security functions. Docker in-troduces an underlying container engine, the so-calledDocker Engine, together with functional APIs that al-low for easy building, management, and removal of avirtualized service. With respect to system-level con-tainers, e.g., OpenVZ and LXC, application-orientedcontainers better cope with the microservice paradigm,which is considered the next big revolution for cloud-

†http://www.zdnet.com/article/dyn-confirms-mirai-botnet-involved-in-distributed-denial-of-service-attack/

4

based service provisioning [26].Indeed, by enabling a virtualized environment even

in resource-constrained edge nodes several advantagescan be introduced:

• Flexibility: High levels of flexibility are required todynamically launch different security functions toface new protection requirements, as well as scalingup/down instances according to the varying work-load and resources’ availability.

• Portability: This represents one of the most ap-pealing features since by packing security softwarealong with its dependencies into a single image con-tainer enables image-based deployment process,thus offering the freedom of develop once, deployeverywhere.

• Manageability: This feature allows a managerto facilitate the provisioning of security applica-tions on the same infrastructure composed of edgenodes, by leveraging the virtualization provided byLinux containers.

• Reliability: To achieve fault tolerance, a continu-ous monitoring of devices and containerized appli-cations can provide the ability of fast adaptationand reconfiguration, e.g., including specific high-availability mechanisms for security functions.

Another core aspect to boost container adoptionin production environment concerns the developmentof orchestration systems to facilitate the deploymentand management of multiple containerized applica-tions across a number of either physical or virtualhosts [27]. The most popular solutions are Kuber-netes, Docker Swarm, and Apache Mesos. In partic-ular, Docker Swarm is gaining momentum since it isnatively integrated with Docker distribution. A DockerSwarm is a cluster of running Docker Engines, whichleverages the management features provided by theSwarmKit. Two different logical entities are defined:(i) the manager node, which performs the orchestra-tion functions required to maintain the desired state ofthe swarm and dispatches units of work called “tasks”;(ii) the worker nodes, that receive and execute tasksscheduled by the manager. By default, manager nodesare also worker nodes, but it is possible to configuremanagers to be manager-only nodes. The agent notifiesthe current state of its assigned tasks to the managernode, so that the manager can continuously monitorthe state of the cluster. Each node in the swarm en-forces Transport Level Security (TLS) mutual authen-tication and encryption to secure its communicationswith all other nodes. The standard Docker API can beused to implement swarm management procedures, soto deploy security services to the swarm and carry outservice orchestration. While legacy Docker Engine is-sues container commands, Docker Swarm mode orches-trates “services”, which are the definitions of the tasksto be executed on the worker nodes. The service defi-

nition allows to specify the container image to use andthe commands to execute inside the relevant containerwhen the service is created. To enable coexistence ofdifferent security services over constrained edge nodes,the specifications of resource constraints must be con-sidered in the overall orchestration to ensure the de-sired performance level. This aspect can be particu-larly difficult accounting that requirements of differentvirtualized security functions can vary significantly. Tothis aim, in the following, we carry out an exemplarycharacterization of container-based protection solutionaccording to different workloads.

5. Performance evaluation

Fig. 2 Simulation setup.

In this section, we aim at comprehensively assess-ing the performance of virtualized security functions inresource-constrained edge nodes in a real testbed setup.Our objectives are also to demonstrate the feasibility ofefficiently adopting container-based virtualization, bycomparing the native execution of security functionsand their respective containerized counterparts. In ouranalysis, we focus on: i) the number of processed pack-ets; ii) network utilization; iii) the number of alerts;iv) RAM utilization; v) CPU load; and vi) the numberof dropped packets.

The testbed setup consist of Suricata running ona Raspberry Pi3 edge node (Fig.2). The experimentalresults show the difference between Suricata runningon bare metal (SoBM) and running inside a Dockercontainer (SoDC). In order to detect attacks, Suricataneeds a rule set that characterizes these attacks. In thisset of simulations, the emerging threats rules set is used.The traffic is generated from pcap files that contain ex-cerpts of legitimate and malicious traffic. Our exper-imental setup is similar to the one used in [28]. Weconsider two pcap files: in the first file the number ofsmall packets outnumbers the number of large packets;in the second file, the number of packets are quite simi-lar, which means that the traffic generated by the smallpackets is tiny compared to the traffic generated by thelarge packets.

Finally, the rate of the traffic is varied from10Mbps up to 90Mbps for large packets and from

5

10Mbps to 50Mbps for small packets. The reason whywe cannot go beyond 50Mbps is that the Raspberrybegins to heat up and crashes, therefore the results arenot reliable in those conditions. Finally, each simulationsetup is run 10 times and the average and standard de-viation are plotted for each experiment.

5.1 Processed packets

Fig.3(a) and Fig.4(a) show the number of processedpackets in relation to the traffic rate. It representsthe number of packets that were sent to the detec-tion engine of Suricata. It contains both legitimate andmalicious packets. Overall, SoDC and SoBM processroughly the same number of packets. It should be notedthat when the packets are small, there are four timesmore traffic than there is in large packet simulations.

5.2 Network utilization

Fig.3(b) and Fig.4(b) depict the performance of net-work utilization. From the obtained results, we can con-clude that SoBM slightly outperforms SoDC. As be-fore, running Suricata on bare metal or on a Dockercontainer does not show a clear difference in the per-formance. Unlike previously, the network utilization isgreater when the packets are large.

5.3 Alerts

The alerts are the number of successfully detectedthreats. Given the fact that, in large packets simula-tions, it is the same pcap file that is played over andover again, it is clear then that the number of alertswill increase with the rate at which the traffic is played.In all simulations, SoBM and SoDC have detected thesame number of alerts (Fig.3(c) and Fig.4(c)). From onesimulation to the next, the packets that were droppedand their number varies greatly. That is why there is ahigh variability in the number of detected attacks.

5.4 RAM utilization

In large packets simulations, the RAM usage rangesbetween 26% and 28%. While in small packets runs,the RAM reaches 50% of utilization, in both scenar-ios, SoBM and SoDC have shown similar RAM usage(Fig.3(d) and Fig.4(d)).

5.5 CPU utilization

The size of packets has a big impact on the load ex-erted on the CPU. Even when the traffic rate is only50Mbps, the average utilization is beyond 80% if thepackets are small. SoDC shows slightly better CPU us-age than SoBM. The difference is around 2% when thepackets are large and reaches 6% when they are small.Investigating this situation shows that SoDC is tak-ing more time running on kernel space, while SoBM

is taking more time on user space. It should be notedthat roughly the same number of packets is received bySuricata when the rate is 90Mbps for large packets and20Mbps for small packets, that is why the CPU load ishigh when the traffic mainly consists of small packets.

5.6 Number of drops

Fig.3(f) and Fig.4(f) show the percentage of drops oc-curred during the performance evaluation. In Fig.4(f),the dropping began at 20Mbps, and the percentageof dropped packets increases with the bandwidth. Onefifth to one forth of the packets were dropped when therate was at 50%. This is the reason of the variability ofthe number of alerts in Fig.4(c). When there are largepackets, the number of drops is less than 2%, even whenthe rate is 90%. The reason why SoDC shows less dropsis due to two main reasons. As shown in Fig.3(e) andFig.4(e), SoDC has less impact on the CPU on average.Therefore, it is less prone than SoBM to drop packetsdue to bursts. The second reason is that SoBM gener-ally receives more packets than SoDC, thus SoBM hasto drop more packets. Fig.5 shows the ratio betweenthe number of successfully processed packets by SoBMand SoDC (Eq.1).

ratio =ptksbm − dropbmptksdc − dropdc

(1)

where ptksbm and ptksoc denote the number of packetsreceived by SoBM and SoDC, respectively. dropbm anddropdc are the number of drops performed by SoBM andSoDC, respectively. As it can be seen in Fig.5, SoBMprocesses slightly more packets than SoDC.

5.7 Discussion

The aforementioned performance results have shownthat the overhead introduced by the containerizationof security functions is very light. It should be noted,though, that the Docker container had full control overthe network interface and only one Docker containerwas running during the performance evaluation. Usinga bridged network would have negatively impacted theperformances. Running two containers can bring a no-table impact on the performance of the Raspberry Pi.Even then, given the obtained results, it is clear thatlightweight virtualization, even in small devices such asa Raspberry Pi, is quite efficient. Therefore, the dy-namic deployment of containerized security functionsin the network’s edge is a very interesting prospect.

6. Open research challenges

The joint use of lightweight virtualization and edgecomputing represents a promising environment to pro-vide SECaaS, considering the multiple envisioned bene-fits reported in the previous sections. Furthermore, thisstudy opens up several research challenges to be further

6

(a) Number of processed packets. (b) Receiving rate. (c) Number of alerts.

(d) RAM usage. (e) CPU load. (f) Number of drops.

Fig. 3 SoBM vs SoDC results (Large packets).

(a) Number of processed packets. (b) Receiving rate. (c) Number of alerts.

(d) RAM usage. (e) CPU load. (f) Number of drops.

Fig. 4 SoBM vs SoDC results (Small packets).

investigated for an efficient provisioning of security fea-tures at the network edge.

• Security services orchestration: A key featureof edge computing concerns the opportunity tospread and coordinate service provisioning amongdistributed edge nodes to efficiently balance work-load. However, as discussed in Section 4, currentorchestration solutions have been mainly designed

for data center environments and further effortsare required to cope with challenges of resource-constrained edges. Also, multiple devices can col-laboratively perform security functions, providingvalue-added service benefits. For instance, in thecase of intrusion detection scenarios, each con-tainerized IDS instance can share contextual in-formation with neighboring nodes, so it can dy-

7

Fig. 5 Ratio of successfully treated packets by SoBM overSoDC.

namically refine the detection process.• Security of container virtualization: Container vir-

tualization heavily relies on underlying kernel fea-tures to provide the necessary isolation for virtu-alized services [29], [30]. Therefore, specific effortsshould address the relevant security concerns, ac-counting also for misleading configurations of rel-evant container options. Furthermore, a complexecosystem has been developed around the Dockervirtualization technologies, including container im-age repositories and orchestration platforms. Thesecomplementary tools introduce new security chal-lenges which go beyond the classical host domain,involving for instance the integrity of container im-ages during transfer over insecure Internet connec-tions, as well as the interactions with potentiallyuntrusted management modules.

7. Concluding remarks

The community of academic and industrial researchershas paid remarkable attention towards the adoption ofcloud-based security functions to provide on-demanddefense mechanisms against the increasing maliciousICT attacks. To benefit from reduction in latencyand network traffic overhead, edge environments arepromising candidates to host virtualized security func-tions. However, the resource constraints of edge nodescan impact the overall performance of SECaaS solu-tions. In this paper, we shed light on the provision-ing of security functions via lightweight virtualizationtechnologies, by assessing the performance of Dockercontainer-based IDS Suricata in a real testbed. Futureworks will explore the open challenges envisioned inSection 6 to boost SECaaS at the network edge. Fur-thermore, we will extend the characterization of con-tainerized security functions to efficiently orchestrate

security over distributed edge nodes.

Acknowledgment

An abridged version of this paper has been publishedin the proceedings of the 2018 edition of the IEEECSCN [31]. This work was partially supported by theANASTACIA project, that has received funding fromthe European Unions Horizon 2020 Research and Inno-vation Programme under Grant Agreement N. 731558and from the Swiss State Secretariat for Education, Re-search and Innovation. This work was also supportedin part by the Academy of Finland 6Genesis Flagship(Grant No. 318927).

References

[1] M.M. Hossain, M. Fotouhi, and R. Hasan, “Towards ananalysis of security issues, challenges, and open problems inthe Internet of Things,” Services (SERVICES), 2015 IEEEWorld Congress on, pp.21–28, IEEE, 2015.

[2] V. Varadharajan and U. Tupakula, “Security as a servicemodel for cloud environment,” IEEE Transactions on Net-work and Service Management, vol.11, no.1, pp.60–75, 2014.

[3] I. Farris, J. Bernabe, N. Toumi, D. Garcia, T. Taleb,A. Skarmet, and B. Sahlin, “Towards provisioning ofSDN/NFV-based security enablers for integrated protec-tion of IoT systems,” 2017 IEEE Conference on Standardsfor Communications and Networking (CSCN), Helsinki,pp.187–192, Sept 2017.

[4] I. Farris, T. Taleb, Y. Khettab, and J. Song, “A survey onemerging sdn and nfv security mechanisms for iot systems,”IEEE Communications Surveys Tutorials, (to appear).

[5] I. Farris, T. Taleb, H. Flinck, and A. Iera, “Providing ultra-short latency to user-centric 5G applications at the mobilenetwork edge,” Transactions on Emerging Telecomm. Tech-nologies (ETT), Mar. 2017. DOI 10.1002/ett.3169.

[6] R. Morabito, J. Kjallman, and M. Komu, “Hypervi-sors vs. lightweight virtualization: a performance compari-son,” IEEE International Conference on Cloud Engineering(IC2E), IEEE, 2015.

[7] T. Taleb and Y. Hadjadj-Aoul, “QoS2: a framework for inte-grating quality of security with quality of service,” Securityand communication networks, vol.5, no.12, pp.1462–1470,2012.

[8] “Defined Categories of Service 2011,” tech. rep., Cloud Se-curity Alliance - SecaaS WG, 2011.

[9] A. Furfaro, A. Garro, and A. Tundis, “Towards securityas a service (SecaaS): On the modeling of security servicesfor cloud computing,” Security Technology (ICCST), 2014International Carnahan Conference on, pp.1–6, IEEE, 2014.

[10] C. Basile, A. Lioy, C. Pitscheider, F. Valenza, andM. Vallini, “A novel approach for integrating security pol-icy enforcement with dynamic network virtualization,” Net-work Softwarization (NetSoft), 2015 1st IEEE Conferenceon, pp.1–5, IEEE, 2015.

[11] T. Taleb, A. Ksentini, and R. Jantti, ““Anything as a Ser-vice” for 5G mobile systems,” IEEE Network, vol.30, no.6,pp.84–91, November 2016.

[12] L. Cao, P. Sharma, S. Fahmy, and V. Saxena, “NFV-vital:A framework for characterizing the performance of virtualnetwork functions,” Network Function Virtualization andSoftware Defined Network (NFV-SDN), 2015 IEEE Con-ference on, pp.93–99, IEEE, 2015.

[13] R. Bonafiglia, I. Cerrato, F. Ciaccia, M. Nemirovsky, and

8

F. Risso, “Assessing the performance of virtualization tech-nologies for NFV: A preliminary benchmarking,” 2015Fourth European Workshop on Software Defined Networks,pp.67–72, Sept 2015.

[14] T. Taleb, K. Samdani, B. Mada, H. Flinck, S. Dutta, andD. Sabella, “On multi-access edge computing: A survey ofthe emerging 5G network edge architecture & orchestra-tion,” IEEE Communications Surveys & Tutorials, vol.19,no.3, pp.1657–1681, May 2017.

[15] P. Porambage, J. Okwuibe, M. Liyanage, M. Ylianttila, andT. Taleb, “Survey on multi-access edge computing for inter-net of things realization,” CoRR, vol.abs/1805.06695, 2018.

[16] T. Taleb, S. Dutta, A. Ksentini, M. Iqbal, and H. Flinck,“Mobile edge computing potential in making citiessmarter,” IEEE Communications Magazine, 2017.

[17] I. Afolabi, T. Taleb, K. Samdanis, A. Ksentini, andH. Flinck, “Network slicing & softwarization: A survey onprinciples, enabling technologies & solutions,” IEEE Com-munications Surveys Tutorials, 2018.

[18] “ETSI GS MEC 003 Mobile Edge Computing (MEC);Framework and Reference Architecture V1.1.1,” tech. rep.,ETSI MEC ISG, 2016.

[19] “Open Fog Reference Architecture,” tech. rep., Open FogConsortium, 2017.

[20] B.I. Ismail, E.M. Goortani, M.B. Ab Karim, W.M. Tat,S. Setapa, J.Y. Luke, and O.H. Hoe, “Evaluation of dockeras edge computing platform,” Open Systems (ICOS), 2015IEEE Confernece on, pp.130–135, IEEE, 2015.

[21] O. Novo, N. Beijar, M. Ocak, J. Kjallman, M. Komu, andT. Kauppinen, “Capillary networks-bridging the cellularand IoT worlds,” Internet of Things (WF-IoT), 2015 IEEE2nd World Forum on, pp.571–578, IEEE, 2015.

[22] R. Petrolo, R. Morabito, V. Loscrı, and N. Mitton, “Thedesign of the gateway for the cloud of things,” Annals ofTelecommunications, pp.1–10, 2016.

[23] N.H. Motlagh, T. Taleb, and O. Arouk, “Low-altitude un-manned aerial vehicles-based internet of things services:Comprehensive survey and future perspectives,” IEEE In-ternet of Things Journal, vol.3, no.6, pp.899–922, December2016.

[24] C. Alcaraz, R. Roman, P. Najera, and J. Lopez, “Securityof industrial sensor network-based remote substations inthe context of the Internet of Things,” Ad Hoc Networks,vol.11, no.3, pp.1091–1104, 2013.

[25] T. Taleb, B. Mada, M. Corici, A. Nakao, and H. Flinck,“PERMIT: Network slicing for personalized 5G mobiletelecommunications,” IEEE Communications Magazine,vol.55, no.5, pp.88–93, May 2017.

[26] A. Sill, “The design and architecture of microservices,”IEEE Cloud Computing, vol.3, no.5, pp.76–80, 2016.

[27] C. Pahl and B. Lee, “Containers and clusters for edgecloud architectures–a technology review,” Future Internetof Things and Cloud (FiCloud), 2015 3rd International Con-ference on, pp.379–386, IEEE, 2015.

[28] A. Sforzin, F.G. Mrmol, M. Conti, and J.M. Bohli, “RPiDS:Raspberry Pi IDS - A Fruitful Intrusion Detection Systemfor IoT,” 2016 13th IEEE International Conference on Ad-vanced and Trusted Computing (ATC 2016), pp.440–448,July 2016.

[29] S. Lal, T. Taleb, and A. Dutta, “NFV: Security threats andbest practices,” IEEE Communications Magazine, vol.55,no.8, pp.211–217, May 2017.

[30] S. Lal, A. Kalliola, I. Oliver, K. Ahola, and T. Taleb, “Se-curing VNF communication in NFVI,” 2017 IEEE Con-ference on Standards for Communications and Networking(CSCN), Helsinki, pp.187–192, Sept 2017.

[31] A. Boudi, I. Farris, M. Bagaa, and T. Taleb, “Lightweight

virtualization based security framework for network edge,”IEEE Conference on Standards for Communications andNetworking (CSCN), Paris, France, pp.1–6, October 29-312018.

Abderrahmane Boudi was bornin Algiers, Algeria, in 1990. He receivedthe engineer degree in computer sci-ence from the Ecole nationale Superieured’Informatique (ESI), Algeria, in 2013.Since 2014, he is a Ph. D. student in theLaboratoire de Communication dans lesSystemes Informatiques (LCSI) of ESI.His work is devoted to the study of ac-tive queue management, congestion con-trol, and intelligent feedback control sys-

tems.

Ivan Farris is a researcher at AaltoUniversity, Finland, in the Department ofCommunications and Networking, Schoolof Electrical Engineering. He received hisB.Sc. degree in Telecommunications En-gineering, his M.Sc. degree in Computerand Telecommunications Systems Engi-neering, and his Ph.D. in InformationTechnology Engineering from the Uni-versity Mediterranea of Reggio Calabria,Italy, in 2011, 2013, and 2017, respec-

tively. His research interests include Internet of Things, Edgecomputing, and network softwarization.

Miloud Bagaa received the bach-elors, masters, and Ph.D. degrees fromthe University of Science and Technol-ogy Houari Boumediene Algiers, Alge-ria, in 2005, 2008, and 2014, respectively.From 2009 to 2015, he was a ResearcherCERIST, Algiers. From 2015 to 2016, heheld a post-doctoral fellowship positionat the ERCIM and also worked with theNTNU, Trondheim, Norway. He is cur-rently a Senior Researcher with the Com-

munications and Networking Department, Aalto University.

Tarik Taleb (tarik.taleb@aalto.fi)is a professor at Aalto University, Fin-land. He is the founder and the directorof MOSA!C Lab (www.mosaic-lab.org).Prior to his current position, he was work-ing as a senior researcher and 3GPP stan-dards expert at NEC Europe Ltd., Ger-many. He also worked as an assistant pro-fessor at Tohoku University, Japan. He re-ceived his B.E. degree in information engi-neering, and his M.Sc. and Ph.D. degrees

in information sciences from Tohoku University in 2001, 2003,and 2005, respectively.