ABSTRACT. Service identities are crucial for authentication and access control, ensuring that only authorized services access specific resources. The SPIFFE framework addresses workload identity management and authentication effectively but needs support for solutions (e.g., extensible tokens) that fine-granular authorization mechanisms in distributed scenarios can use. In this context, we present the Lightweight SVID (LSVID), an identity document in JSON format that can be extended and used as a token. As an extensible token, LSVID enables features such as delegation, attenuation, and traceability, enhancing their flexibility and applicability. Our approach provides efficient handling of token extensions and validations, demonstrated through a proof-of-concept implemented in Go. Baseline results indicate that LSVID critical operations are efficient, with processing times in the microsecond range, offering significant functional advantages over the traditional JWT-SVIDs, one of two key security documents from SPIFFE.

ABSTRACT. A large literature is available on quantization for communication efficiency in distributed learning. However, these studies often overlook the enhancement of privacy through quantization. This paper aims to fill this research gap by undertaking a systematic literature review on the use of quantization in distributed learning for privacy enhancement. We explore peer-reviewed literature that utilizes quantization for privacy-preserving purposes. Our analysis identifies the limitations and challenges of current approaches. It also highlights the need to integrate quantization techniques for dual objectives (privacy and communication efficiency) in distributed learning frameworks.

ABSTRACT. The Confidential Virtual Machine (CVM) offerings from the major cloud providers are yet to deliver the promise of Confidential Computing. The steps required to verify the authenticity of CVMs are complex. Technical specifications are difficult to follow, and the implementations by the cloud providers are incomplete. Currently, there is no serviceable procedure to ensure desired security properties for CVM users. In this work, we show why the current offerings are insufficient to guarantee security and privacy, as well as what is needed. To that end, we design a generic framework that can be adopted by any cloud provider or CVM user. As most of the processors worldwide are from Intel and they have released their CVM technology just recently, we put a major emphasis on incorporating the latest Intel TDX CVM technology into our framework, comparing it to the better-known AMD SEV-SNP. After analyzing and evaluating Intel TDX services from major cloud providers we have identified a possible attack and designed a solution to detect it. Through experiments, we show that our solution does not add any significant overhead. While our ability to improve the CVM services is limited by the dependency on cloud providers to implement the missing functionalities, we hope that our work will help the cloud computing community to advance towards achieving the promise of confidential computing to protect users on the cloud.

ABSTRACT. The rapid deployment of Internet-of-Things (IoT) devices in smart environments such as smart campuses and cities necessitates robust Quality-of-Service (QoS) management across heterogeneous networks. In this paper, we extend the concept of Network Digital Twin (NDT) to networked IoT devices, presenting a Network Digital Twin Controller (NDTC) that enhances the functionality and performance of smart environments. Our NDTC addresses key challenges by creating Digital Twins (DTs) of Physical Twins (PTs), synchronizing their states, and performing QoS-related what-if analysis. Specifically, we build a DT-enabled IoT-instrumented smart environment by utilizing an open-source Software-Defined Network (SDN) controller. We formulate and solve the state synchronization problem using our proposed Optimal Update (OU) and Gradient-driven Update (GU) algorithms, carefully adjusting the update frequency and data granularity to minimize DT/PT state deviation within given network bandwidth budgets. We also formulate and address the what-if analysis problem by selecting optimal what-if analyzers using our Optimal Selection (OS) algorithm for the most accurate QoS predictions under a given computing time budget. Our extensive experiments on a real testbed demonstrate the merits of our proposed solution: (i) our developed NDTC and algorithms meet the functional requirements, (ii) our OU and GU algorithms significantly reduce the state deviation between PTs and DTs, (iii) our OS algorithm largely reduces the prediction errors of what-if analysis, and (iv) all our proposed algorithms incur acceptable overhead.

ABSTRACT. Scoring computer systems/networks in terms of specific threats or concerns can enable the comparison of their security level, in a quantitative manner, to facilitate decision making, e.g., mitigation prioritization. The state-of-the-art approaches have mostly focused on scoring the security of a given target, while aggregating scores of multiple systems where each system can be a potential target remains less explored, e.g., whether network A is relatively more secure than network B. In this paper, we take advantage of the well-established attack path representation and use such paths as inter-system influences to derive a risk score of the entire network. We consider the security semantics of various forms of score aggregation, which has not been studied by prior work, and propose to use what we call pairwise path aggregation. We evaluate our approach with a typical fifth Generation (5G) core network, supplemented by evaluations for other network types. The results show that our approach is able to reflect how the overall security varies with multiple factors in common operational scenarios of IT environments.

ABSTRACT. Edge computing is an emerging technology designed to bring computational resources closer to User Equipments (UEs), which often struggle to meet the computational demands of modern applications such as industrial automation, tactile internet, telemedicine, and Virtual/Augmented Reality (VR/AR). In this article, we consider a Non-Terrestrial Network (NTN)-empowered Multi-access Edge Computing (MEC) system, where UEs can either process the tasks locally or offload them to edge servers deployed on Unmanned Aerial Vehicles (UAVs) and Low Earth Orbit (LEO) satellites. However, designing an efficient offloading policy is challenging due to the dynamic nature of the considered environment, where task requirements at the UEs and computational capacity at the edge servers are constantly changing, causing increase in processing delays and leading to task drops due to missed deadlines. To address this issue, we propose a Multi-Agent Distributed Deep Reinforcement Learning (MADDRL) approach for designing a computation offloading strategy aimed at minimizing the costs, defined as the weighted sum of both delay and energy consumption experienced by UEs. Our approach leverages a policy gradient algorithm, specifically REINFORCE with softmax and cross-entropy loss. It enables UEs to make decentralized decisions using a Centralized Training and Decentralized Execution (CTDE) framework, where centralized training is performed by a central controller using global information received from all the UEs. Simultaneously, the neural networks at the UEs are trained by the central controller, and the policies are executed by the UEs in a decentralized manner using their local information. Simulation results demonstrate that our proposed approach can significantly reduce costs compared to baseline methods, with a percentage decrease ranging from 21% to 80%.