IMS: Towards Computability and Dynamicity for Intent-Driven Micro-Segmentation
Micro-segmentation (MSG), a pillar of Zero-Trust, provides fine-grained access control for east-west traffic between cloud endpoints (VMs/containers). Admins formulate strict whitelisting MSG policies that allow necessary traffic. However, current MSG systems lack the computability foundation to res...
Saved in:
Published in: | IEEE transactions on dependable and secure computing 2025-01, Vol.22 (1), p.677-694 |
---|---|
Main authors: | Ma, Zixuan; Li, Chen; Zhang, Yuqi; You, Ruibang; Tu, Bibo |
Format: | Article |
Language: | eng |
Subjects: | Access control; Business; dynamicity processing; intent-driven system; Micro-segmentation; Policies; policy verification; Process control; Prototypes; Security; Segmentation; Surface treatment; Traffic control; zero-trust |
container_end_page | 694 |
---|---|
container_issue | 1 |
container_start_page | 677 |
container_title | IEEE transactions on dependable and secure computing |
container_volume | 22 |
creator | Ma, Zixuan; Li, Chen; Zhang, Yuqi; You, Ruibang; Tu, Bibo |
description | Micro-segmentation (MSG), a pillar of Zero-Trust, provides fine-grained access control for east-west traffic between cloud endpoints (VMs/containers). Admins formulate strict whitelisting MSG policies that allow necessary traffic. However, current MSG systems lack the computability foundation to resolve policy inconsistencies, where policy overlap can cause conflicts that violate the security requirements, and to verify policy reachability to avoid erroneously blocking necessary traffic. Meanwhile, current MSG systems lack comprehensive dynamicity processing, including maintaining invariants when updating MSG policies and promptly adjusting policy enforcement for endpoint status changes. We propose IMS, the first intent-driven MSG system towards computability and dynamicity. IMS innovatively defines the endpoint group space and algebra, providing the computability foundation for formally and automatically verifying and processing MSG policies. Based on this, IMS implements functionalities to resolve policy inconsistencies and to verify policy reachability. Meanwhile, IMS achieves comprehensive and prompt dynamicity processing. IMS fulfils the verification and dynamicity processing requirements of intent-driven systems. We implement a prototype and evaluations show that the processing time of IMS functionalities scales linearly with the number of policies, and the average endpoint dynamicity processing time is 5.05 ms in the setup of 1,000 endpoints, illustrating that IMS is scalable and can process dynamicity promptly. |
doi_str_mv | 10.1109/TDSC.2024.3413752 |
format | Article |
fulltext | fulltext_linktorsrc |
identifier | ISSN: 1545-5971 |
ispartof | IEEE transactions on dependable and secure computing, 2025-01, Vol.22 (1), p.677-694 |
issn | 1545-5971; 1941-0018 |
language | eng |
recordid | cdi_ieee_primary_10557157 |
source | IEEE Electronic Library (IEL) |
subjects | Access control; Business; dynamicity processing; intent-driven system; Micro-segmentation; Policies; policy verification; Process control; Prototypes; Security; Segmentation; Surface treatment; Traffic control; zero-trust |
title | IMS: Towards Computability and Dynamicity for Intent-Driven Micro-Segmentation |
url | https://sfx.bib-bvb.de/sfx_tum?ctx_ver=Z39.88-2004&ctx_enc=info:ofi/enc:UTF-8&ctx_tim=2025-02-02T21%3A46%3A17IST&url_ver=Z39.88-2004&url_ctx_fmt=infofi/fmt:kev:mtx:ctx&rfr_id=info:sid/primo.exlibrisgroup.com:primo3-Article-proquest_RIE&rft_val_fmt=info:ofi/fmt:kev:mtx:journal&rft.genre=article&rft.atitle=IMS:%20Towards%20Computability%20and%20Dynamicity%20for%20Intent-Driven%20Micro-Segmentation&rft.jtitle=IEEE%20transactions%20on%20dependable%20and%20secure%20computing&rft.au=Ma,%20Zixuan&rft.date=2025-01-01&rft.volume=22&rft.issue=1&rft.spage=677&rft.epage=694&rft.pages=677-694&rft.issn=1545-5971&rft.eissn=1941-0018&rft.coden=ITDSCM&rft_id=info:doi/10.1109/TDSC.2024.3413752&rft_dat=%3Cproquest_RIE%3E3156644610%3C/proquest_RIE%3E%3Curl%3E%3C/url%3E&disable_directlink=true&sfx.directlink=off&sfx.report_link=0&rft_id=info:oai/&rft_pqid=3156644610&rft_id=info:pmid/&rft_ieee_id=10557157&rfr_iscdi=true |