{"id":"https://openalex.org/W4406521454","doi":"https://doi.org/10.1109/tnsm.2025.3531040","title":"Elastic Cross-Layer Orchestration of Network Policies in the Kubernetes Stack","display_name":"Elastic Cross-Layer Orchestration of Network Policies in the Kubernetes Stack","publication_year":2025,"publication_date":"2025-01-17","ids":{"openalex":"https://openalex.org/W4406521454","doi":"https://doi.org/10.1109/tnsm.2025.3531040"},"language":"en","primary_location":{"id":"doi:10.1109/tnsm.2025.3531040","is_oa":false,"landing_page_url":"https://doi.org/10.1109/tnsm.2025.3531040","pdf_url":null,"source":{"id":"https://openalex.org/S173527311","display_name":"IEEE Transactions on Network and Service Management","issn_l":"1932-4537","issn":["1932-4537","2373-7379"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310319808","host_organization_name":"Institute of Electrical and Electronics Engineers","host_organization_lineage":["https://openalex.org/P4310319808"],"host_organization_lineage_names":["Institute of Electrical and Electronics Engineers"],"type":"journal"},"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"IEEE Transactions on Network and Service Management","raw_type":"journal-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":true,"oa_status":"green","oa_url":"https://lirias.kuleuven.be/retrieve/a1f03be9-1bdd-4691-bceb-77112d83949f","any_repository_has_fulltext":true},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5075655552","display_name":"Gerald Budigiri","orcid":"https://orcid.org/0000-0002-2611-6883"},"institutions":[{"id":"https://openalex.org/I99464096","display_name":"KU Leuven","ror":"https://ror.org/05f950310","country_code":"BE","type":"education","lineage":["https://openalex.org/I99464096"]}],"countries":["BE"],"is_corresponding":true,"raw_author_name":"Gerald Budigiri","raw_affiliation_strings":["DistriNet, KU Leuven, Leuven, Belgium","DistriNet KU, Leuven, Belgium"],"affiliations":[{"raw_affiliation_string":"DistriNet, KU Leuven, Leuven, Belgium","institution_ids":["https://openalex.org/I99464096"]},{"raw_affiliation_string":"DistriNet KU, Leuven, Belgium","institution_ids":["https://openalex.org/I99464096"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5103259160","display_name":"Christoph Baumann","orcid":"https://orcid.org/0000-0003-4889-8326"},"institutions":[{"id":"https://openalex.org/I1306339040","display_name":"Ericsson (Sweden)","ror":"https://ror.org/05a7rhx54","country_code":"SE","type":"company","lineage":["https://openalex.org/I1306339040"]}],"countries":["SE"],"is_corresponding":false,"raw_author_name":"Christoph Baumann","raw_affiliation_strings":["Ericsson Security Research, Ericsson AB, Stockholm, Sweden","Ericsson Security Research, Stockholm, Sweden"],"affiliations":[{"raw_affiliation_string":"Ericsson Security Research, Ericsson AB, Stockholm, Sweden","institution_ids":["https://openalex.org/I1306339040"]},{"raw_affiliation_string":"Ericsson Security Research, Stockholm, Sweden","institution_ids":["https://openalex.org/I1306339040"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5002782129","display_name":"Eddy Truyen","orcid":"https://orcid.org/0000-0001-7448-7681"},"institutions":[{"id":"https://openalex.org/I99464096","display_name":"KU Leuven","ror":"https://ror.org/05f950310","country_code":"BE","type":"education","lineage":["https://openalex.org/I99464096"]}],"countries":["BE"],"is_corresponding":false,"raw_author_name":"Eddy Truyen","raw_affiliation_strings":["DistriNet, KU Leuven, Leuven, Belgium","DistriNet KU, Leuven, Belgium"],"affiliations":[{"raw_affiliation_string":"DistriNet, KU Leuven, Leuven, Belgium","institution_ids":["https://openalex.org/I99464096"]},{"raw_affiliation_string":"DistriNet KU, Leuven, Belgium","institution_ids":["https://openalex.org/I99464096"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5054031138","display_name":"Wouter Joosen","orcid":"https://orcid.org/0000-0002-7710-5092"},"institutions":[{"id":"https://openalex.org/I99464096","display_name":"KU Leuven","ror":"https://ror.org/05f950310","country_code":"BE","type":"education","lineage":["https://openalex.org/I99464096"]}],"countries":["BE"],"is_corresponding":false,"raw_author_name":"Wouter Joosen","raw_affiliation_strings":["DistriNet, KU Leuven, Leuven, Belgium","DistriNet KU, Leuven, Belgium"],"affiliations":[{"raw_affiliation_string":"DistriNet, KU Leuven, Leuven, Belgium","institution_ids":["https://openalex.org/I99464096"]},{"raw_affiliation_string":"DistriNet KU, Leuven, Belgium","institution_ids":["https://openalex.org/I99464096"]}]}],"institutions":[],"countries_distinct_count":2,"institutions_distinct_count":4,"corresponding_author_ids":["https://openalex.org/A5075655552"],"corresponding_institution_ids":["https://openalex.org/I99464096"],"apc_list":null,"apc_paid":null,"fwci":5.0245,"has_fulltext":true,"cited_by_count":4,"citation_normalized_percentile":{"value":0.94190763,"is_in_top_1_percent":false,"is_in_top_10_percent":true},"cited_by_percentile_year":{"min":96,"max":98},"biblio":{"volume":"22","issue":"2","first_page":"2031","last_page":"2058"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T12592","display_name":"Opinion Dynamics and Social Influence","score":0.9538999795913696,"subfield":{"id":"https://openalex.org/subfields/3109","display_name":"Statistical and Nonlinear Physics"},"field":{"id":"https://openalex.org/fields/31","display_name":"Physics and Astronomy"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T12592","display_name":"Opinion Dynamics and Social Influence","score":0.9538999795913696,"subfield":{"id":"https://openalex.org/subfields/3109","display_name":"Statistical and Nonlinear Physics"},"field":{"id":"https://openalex.org/fields/31","display_name":"Physics and Astronomy"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/computer-science","display_name":"Computer science","score":0.77487713098526},{"id":"https://openalex.org/keywords/orchestration","display_name":"Orchestration","score":0.7723910212516785},{"id":"https://openalex.org/keywords/stack","display_name":"Stack (abstract data type)","score":0.635274350643158},{"id":"https://openalex.org/keywords/layer","display_name":"Layer (electronics)","score":0.5576086640357971},{"id":"https://openalex.org/keywords/protocol-stack","display_name":"Protocol stack","score":0.49335232377052307},{"id":"https://openalex.org/keywords/computer-network","display_name":"Computer network","score":0.49203822016716003},{"id":"https://openalex.org/keywords/network-functions-virtualization","display_name":"Network Functions Virtualization","score":0.4724845290184021},{"id":"https://openalex.org/keywords/distributed-computing","display_name":"Distributed computing","score":0.4360900819301605},{"id":"https://openalex.org/keywords/operating-system","display_name":"Operating system","score":0.14522069692611694},{"id":"https://openalex.org/keywords/cloud-computing","display_name":"Cloud computing","score":0.10465851426124573},{"id":"https://openalex.org/keywords/materials-science","display_name":"Materials science","score":0.1032269299030304}],"concepts":[{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.77487713098526},{"id":"https://openalex.org/C199168358","wikidata":"https://www.wikidata.org/wiki/Q3367000","display_name":"Orchestration","level":3,"score":0.7723910212516785},{"id":"https://openalex.org/C9395851","wikidata":"https://www.wikidata.org/wiki/Q177929","display_name":"Stack (abstract data type)","level":2,"score":0.635274350643158},{"id":"https://openalex.org/C2779227376","wikidata":"https://www.wikidata.org/wiki/Q6505497","display_name":"Layer (electronics)","level":2,"score":0.5576086640357971},{"id":"https://openalex.org/C38601921","wikidata":"https://www.wikidata.org/wiki/Q1757693","display_name":"Protocol stack","level":3,"score":0.49335232377052307},{"id":"https://openalex.org/C31258907","wikidata":"https://www.wikidata.org/wiki/Q1301371","display_name":"Computer network","level":1,"score":0.49203822016716003},{"id":"https://openalex.org/C200789330","wikidata":"https://www.wikidata.org/wiki/Q7000834","display_name":"Network Functions Virtualization","level":3,"score":0.4724845290184021},{"id":"https://openalex.org/C120314980","wikidata":"https://www.wikidata.org/wiki/Q180634","display_name":"Distributed computing","level":1,"score":0.4360900819301605},{"id":"https://openalex.org/C111919701","wikidata":"https://www.wikidata.org/wiki/Q9135","display_name":"Operating system","level":1,"score":0.14522069692611694},{"id":"https://openalex.org/C79974875","wikidata":"https://www.wikidata.org/wiki/Q483639","display_name":"Cloud computing","level":2,"score":0.10465851426124573},{"id":"https://openalex.org/C192562407","wikidata":"https://www.wikidata.org/wiki/Q228736","display_name":"Materials science","level":0,"score":0.1032269299030304},{"id":"https://openalex.org/C159985019","wikidata":"https://www.wikidata.org/wiki/Q181790","display_name":"Composite material","level":1,"score":0.0},{"id":"https://openalex.org/C558565934","wikidata":"https://www.wikidata.org/wiki/Q2743","display_name":"Musical","level":2,"score":0.0},{"id":"https://openalex.org/C153349607","wikidata":"https://www.wikidata.org/wiki/Q36649","display_name":"Visual arts","level":1,"score":0.0},{"id":"https://openalex.org/C142362112","wikidata":"https://www.wikidata.org/wiki/Q735","display_name":"Art","level":0,"score":0.0}],"mesh":[],"locations_count":2,"locations":[{"id":"doi:10.1109/tnsm.2025.3531040","is_oa":false,"landing_page_url":"https://doi.org/10.1109/tnsm.2025.3531040","pdf_url":null,"source":{"id":"https://openalex.org/S173527311","display_name":"IEEE Transactions on Network and Service Management","issn_l":"1932-4537","issn":["1932-4537","2373-7379"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310319808","host_organization_name":"Institute of Electrical and Electronics Engineers","host_organization_lineage":["https://openalex.org/P4310319808"],"host_organization_lineage_names":["Institute of Electrical and Electronics Engineers"],"type":"journal"},"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"IEEE Transactions on Network and Service Management","raw_type":"journal-article"},{"id":"pmh:oai:lirias2repo.kuleuven.be:20.500.12942/760702","is_oa":true,"landing_page_url":"https://lirias.kuleuven.be/handle/20.500.12942/760702","pdf_url":"https://lirias.kuleuven.be/retrieve/a1f03be9-1bdd-4691-bceb-77112d83949f","source":{"id":"https://openalex.org/S4306401954","display_name":"Lirias (KU Leuven)","issn_l":null,"issn":null,"is_oa":false,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I99464096","host_organization_name":"KU Leuven","host_organization_lineage":["https://openalex.org/I99464096"],"host_organization_lineage_names":[],"type":"repository"},"license":"other-oa","license_id":"https://openalex.org/licenses/other-oa","version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":"IEEE Transactions On Network and Service Management, vol. 22 (2)","raw_type":"info:eu-repo/semantics/publishedVersion"}],"best_oa_location":{"id":"pmh:oai:lirias2repo.kuleuven.be:20.500.12942/760702","is_oa":true,"landing_page_url":"https://lirias.kuleuven.be/handle/20.500.12942/760702","pdf_url":"https://lirias.kuleuven.be/retrieve/a1f03be9-1bdd-4691-bceb-77112d83949f","source":{"id":"https://openalex.org/S4306401954","display_name":"Lirias (KU Leuven)","issn_l":null,"issn":null,"is_oa":false,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I99464096","host_organization_name":"KU Leuven","host_organization_lineage":["https://openalex.org/I99464096"],"host_organization_lineage_names":[],"type":"repository"},"license":"other-oa","license_id":"https://openalex.org/licenses/other-oa","version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":"IEEE Transactions On Network and Service Management, vol. 22 (2)","raw_type":"info:eu-repo/semantics/publishedVersion"},"sustainable_development_goals":[],"awards":[{"id":"https://openalex.org/G675498270","display_name":null,"funder_award_id":"814035","funder_id":"https://openalex.org/F4320332999","funder_display_name":"Horizon 2020 Framework Programme"},{"id":"https://openalex.org/G7331901853","display_name":null,"funder_award_id":"EU H2020","funder_id":"https://openalex.org/F4320332999","funder_display_name":"Horizon 2020 Framework Programme"}],"funders":[{"id":"https://openalex.org/F4320322308","display_name":"KU Leuven","ror":"https://ror.org/05f950310"},{"id":"https://openalex.org/F4320332999","display_name":"Horizon 2020 Framework Programme","ror":"https://ror.org/00k4n6c32"}],"has_content":{"pdf":true,"grobid_xml":true},"content_urls":{"pdf":"https://content.openalex.org/works/W4406521454.pdf","grobid_xml":"https://content.openalex.org/works/W4406521454.grobid-xml"},"referenced_works_count":64,"referenced_works":["https://openalex.org/W1531637205","https://openalex.org/W1924504554","https://openalex.org/W2066338533","https://openalex.org/W2505478273","https://openalex.org/W2554427106","https://openalex.org/W2598200822","https://openalex.org/W2744780697","https://openalex.org/W2769086916","https://openalex.org/W2792590405","https://openalex.org/W2900072668","https://openalex.org/W2902718458","https://openalex.org/W2937403060","https://openalex.org/W3008495003","https://openalex.org/W3010404990","https://openalex.org/W3021027963","https://openalex.org/W3023801029","https://openalex.org/W3034155019","https://openalex.org/W3083881008","https://openalex.org/W3110636820","https://openalex.org/W3116079104","https://openalex.org/W3135497297","https://openalex.org/W3138230581","https://openalex.org/W3157301605","https://openalex.org/W3157323792","https://openalex.org/W3158213112","https://openalex.org/W3165728054","https://openalex.org/W3183394046","https://openalex.org/W3204162860","https://openalex.org/W4200091158","https://openalex.org/W4200226889","https://openalex.org/W4205617621","https://openalex.org/W4211052283","https://openalex.org/W4220661031","https://openalex.org/W4220785511","https://openalex.org/W4223983754","https://openalex.org/W4281944998","https://openalex.org/W4283786364","https://openalex.org/W4285131467","https://openalex.org/W4285279023","https://openalex.org/W4304140761","https://openalex.org/W4307423933","https://openalex.org/W4320718665","https://openalex.org/W4321383501","https://openalex.org/W4323646065","https://openalex.org/W4381745097","https://openalex.org/W4382052930","https://openalex.org/W4383221434","https://openalex.org/W4384834982","https://openalex.org/W4385208592","https://openalex.org/W4385951147","https://openalex.org/W4386025251","https://openalex.org/W4386618948","https://openalex.org/W4387005573","https://openalex.org/W4392024464","https://openalex.org/W4392158709","https://openalex.org/W4392544054","https://openalex.org/W4393146115","https://openalex.org/W4394712009","https://openalex.org/W6750584877","https://openalex.org/W6757819506","https://openalex.org/W6780074233","https://openalex.org/W6780724457","https://openalex.org/W6784834832","https://openalex.org/W6795368945"],"related_works":["https://openalex.org/W4391456748","https://openalex.org/W2382601015","https://openalex.org/W4392419091","https://openalex.org/W2547654579","https://openalex.org/W2582850443","https://openalex.org/W2089258678","https://openalex.org/W2577540431","https://openalex.org/W2753693138","https://openalex.org/W2990398726","https://openalex.org/W2566111429"],"abstract_inverted_index":{"Packaging":[0],"applications":[1,246],"in":[2,193],"Containers,":[3],"dynamically":[4,168,187],"managed":[5],"using":[6],"a":[7,81,151,194,216,231,257],"cluster":[8,143,218],"orchestrator,":[9],"is":[10,79,237],"the":[11,33,40,60,75,105,130,142,177,180,200,211,223,250,268],"de-facto":[12],"approach":[13,157,235],"for":[14,140,158,244],"deployment":[15],"of":[16,53,86,182,213,259],"cloud-native":[17],"applications.":[18],"When":[19],"Containers":[20,203],"run":[21],"inside":[22],"Virtual":[23],"Machines":[24],"(VMs)":[25],"to":[26,101,136,197,206,230,273],"protect":[27],"infrastructural":[28],"assets,":[29],"Network":[30,159,170],"Policies":[31,171],"at":[32,39,59,74,104,222,256,267],"Container":[34,61,87,94,173],"layer":[35,42,62],"and":[36,97,153,172,225,275],"Security":[37,72,125,164,189,232],"Groups":[38,73,126],"VM":[41,76,106],"provide":[43],"complementary":[44],"firewall":[45],"mechanisms":[46],"that":[47,90,186,236,243],"strengthen":[48],"defenses":[49],"against":[50],"lateral":[51],"movement":[52],"attackers.":[54],"However,":[55],"least-privilege":[56],"network":[57,224,251,264],"policies":[58],"may":[63],"not":[64,128,238],"always":[65],"be":[66,102],"consistent":[67],"with":[68,83,271],"statically":[69],"defined,":[70],"over-permissive":[71,124],"layer.":[77,107],"This":[78],"especially":[80],"problem":[82],"low-latency":[84,178,245],"configuration":[85],"networking":[88],"solutions":[89],"requires":[91],"every":[92],"opened":[93,103],"protocol,":[95],"port":[96],"traffic":[98],"direction":[99],"also":[100],"In":[108,145,228],"any":[109],"post-exploitation":[110],"scenario":[111],"where":[112],"attackers":[113],"escape":[114],"from":[115,132,167],"within":[116],"an":[117],"already":[118],"compromised":[119],"or":[120],"infected":[121],"Container,":[122],"such":[123],"do":[127],"prevent":[129],"attacker":[131],"spreading":[133],"across":[134],"VMs":[135,255],"find":[137],"powerful":[138],"tokens":[139],"accessing":[141],"orchestrator.":[144],"this":[146],"paper,":[147],"we":[148],"introduce":[149],"GrassHopper,":[150],"fast":[152],"dynamic":[154],"cross-layer":[155],"enforcement":[156],"Policies,":[160],"which":[161],"automatically":[162],"generates":[163],"Group":[165,190,233],"configurations":[166],"verified":[169],"scheduling":[174],"decisions.":[175],"Given":[176],"context,":[179],"design":[181],"GrassHopper":[183,214,247],"must":[184],"ensure":[185],"generated":[188],"rules":[191],"come":[192],"timely":[195],"manner":[196],"effect":[198],"before":[199],"newly":[201],"scheduled":[202],"become":[204],"ready":[205],"serve":[207],"traffic.":[208],"We":[209],"evaluate":[210],"performance":[212,265],"on":[215,220],"Kubernetes":[217],"running":[219],"OpenStack":[221],"application":[226,269],"level.":[227],"comparison":[229],"management":[234],"scheduling-aware,":[239],"our":[240],"findings":[241],"show":[242],"can":[248],"reduce":[249],"attack":[252],"surface":[253],"between":[254],"ratio":[258],"78-to-99%,":[260],"while":[261],"causing":[262],"no":[263],"overhead":[266],"level":[270],"respect":[272],"latency":[274],"throughput.":[276]},"counts_by_year":[{"year":2026,"cited_by_count":1},{"year":2025,"cited_by_count":3}],"updated_date":"2026-04-10T15:06:20.359241","created_date":"2025-10-10T00:00:00"}