Prof. Riccardo Sisto

Thesis Proposals

The proposed theses are all related to research activities of the NetGroup. Most of them are about distributed software development and formal approaches for guaranteeing dependability (mainly safety and security) of distributed systems.
The number of distributed systems that can be considered critical (in terms of safety and security) is constantly increasing due to the growing pervasiveness of computer-based systems (e.g. in the fields of avionics, automotive, industry, health care, e-commerce, e-banking, etc.), hence the growing importance of techniques for increasing their dependability.
The theses that are currently available are listed here (some of them are to be developed in external companies):
  1. Security Automation and Optimization in NFV and SDN Cloud Context
  2. Multi-cloud infrastructure, cloud-native integration & API management
  3. Multi-cloud infrastructure and progressive delivery platforms
  4. Big Data Performance Monitoring of IP Networks
This page will be updated with new proposals as they become available.
For further information contact Prof. Riccardo Sisto. An up-to-date CV including passed exams and their grading is required.


  A framework for automatic Network Security Functions configuration in NFV/Cloud context

Network function virtualization (NFV) and Software-Defined Networking (SDN) are two novel networking paradigms that can be used to virtualize and manage networks and security functions. These paradigms introduce several advantages compared to classical approaches, such as the dynamic provisioning of functionality or the implementation of scalable and reliable services (e.g., by adding new instances to support higher request volumes). NFV also allows the deployment of security controls, like firewalls or VPN gateways, as virtualized network functions.
However, the level of security automation and optimization is currently quite limited with respect to what could potentially be achieved with these new paradigms. For example, there is currently no automatic way to select the security functions and configure them according to a set of user security requirements (also ensuring that some desired network properties or invariants are always guaranteed) or to dynamically reconfigure the security functions to mitigate a network attack.
The objective of the thesis is to address one of the specific problems related to Security Automation and Optimization in NFV and SDN, and to design and implement techniques and algorithms that advance the state of the art in this field, by extending the existing frameworks already developed by the NetGroup (i.e., VEREFOO and VERIGRAPH):
VEREFOO: https://github.com/netgroup-polito/verifoo
VERIGRAPH: https://github.com/netgroup-polito/verigraph
More specifically, the thesis may address one of the following aspects:
  1. integrate the different VEREFOO components, which currently are standalone, so that a unique framework is presented to the user;
  2. improve how the framework works, by enabling not only automatic configuration from scratch, but also re-configuration based on variations in security policies or in network features;
  3. extend the framework so that it can manage a larger variety of security functions, including the main types of security functions that are used in modern networks;
  4. integrate the framework within cloud environments like Kubernetes or Network Function Virtualization Orchestrators like Open Source MANO or ONAP.

The candidate should have good knowledge of and skills in Java programming. As for networking and security, the basic knowledge provided in the Computer Engineering MS tracks is enough, at least for some of the objectives. Deeper knowledge in these fields is required for some of the objectives. By taking this thesis, the candidate will have the opportunity to become more skilled in network security, network management techniques and programming.


  Multi-cloud infrastructure, cloud-native integration & API management

Multi-cloud is when an enterprise uses and orchestrates more than one cloud platform to deliver application services. The most portable technology to adopt a multi-cloud strategy is the Docker container. Containers are simple and interoperable, and they enable seamless, fine-grained scaling. Kubernetes is an orchestration layer for containers that could be used to move workloads between on premises and one or more cloud providers.
Cloud native is an approach to building and running applications that exploits the advantages of the cloud computing delivery model. API management refers to the processes for distributing, controlling, and analyzing the APIs that connect applications and data across the enterprise and across clouds. Organizations are implementing strategies to manage their APIs so they can respond to rapid changes in customer demands. In most cases, these organizations adopt a microservices architecture in order to meet demands by speeding up software development.
The thesis will be developed during an internship within the Reply company. There is flexibility for the organization of the thesis work (in person versus remotely). During the internship the candidate will work to design, set up, implement and compare different API management solutions like Kong Gateway or Azure API Management in a multi-cloud scenario based on Kubernetes/OpenShift.


  Multi-cloud infrastructure and progressive delivery platforms

Multi-cloud is when an enterprise uses and orchestrates more than one cloud platform to deliver application services. The most portable technology to adopt a multi-cloud strategy is the Docker container. Containers are simple and interoperable, and they enable seamless, fine-grained scaling. Kubernetes is an orchestration layer for containers that could be used to move workloads between on premises and one or more cloud providers.
Progressive Delivery refers to a new software development lifecycle that is used to ship code faster and at reduced risk using cloud and container technologies.
The thesis will be developed during an internship within the Reply company. There is flexibility for the organization of the thesis work (in person versus remotely). During the internship the candidate will work to design, set up, implement and compare progressive delivery solutions like Flagger or Argo Rollouts in a multi-cloud scenario based on Kubernetes/OpenShift and at least two Cloud providers like IBM Cloud, Amazon, Google or Azure.


  Big Data Performance Monitoring of IP Networks

Performance monitoring of IP networks is of great importance for service providers because it allows them to manage Service Level Agreements (SLA) with internal and external customers. In this context, one of the problems being addressed is the scalability of passive monitoring systems: if, for example, we want to monitor thousands of flows, each one of them must be filtered by a specific capture rule loaded into each monitoring point. The problem that arises is that network devices support only a limited number of such rules, thus limiting the number of flows that can be monitored. In order to solve this issue, it is possible to introduce the concept of multipoint flow, which groups together a set of elementary flows. Then, a smaller number of multipoint flows is monitored, instead of all the elementary flows of interest. The data so captured can then be processed in order to extract more precise information, e.g. referring to single elementary flows or certain subsets of elementary flows. From a theoretical point of view, the way of defining multipoint flows and the above-mentioned post-processing operations have been defined in a patent held by Telecom Italia.
In the context of previous theses, an architecture has also been defined to implement this technique: probes installed in the network capture traffic, the captures are collected in a database, and the captured data are analyzed by post-processing software capable of extracting the necessary information from the data contained in the DB. Since the size of the monitoring data can be considerable, the architecture adopts solutions for big data such as Hadoop, Flume and Kafka. The purpose of the thesis, to be developed at Telecom Italia, is to continue this project in one of several possible directions, such as introducing artificial intelligence techniques for the automatic analysis of the data collected in the DB or improving aspects such as usability and efficiency of the current framework.

Last change: October 2021