TY  - CONF
T1  - Fighting Spam with the NeighborhoodWatch DHT
T2  - IEEE INFOCOM 2009
Y1  - 2009
A1  - Bender,A.
A1  - Sherwood,R.
A1  - Monner,D.
A1  - Goergen,N.
A1  - Spring, Neil
A1  - Bhattacharjee, Bobby
KW  - Communications Society
KW  - computer crime
KW  - cryptography
KW  - Databases
KW  - IP addresses
KW  - IP networks
KW  - on-line trusted authority
KW  - Peer to peer computing
KW  - peer-to-peer computing
KW  - peer-to-peer distributed hash table
KW  - Postal services
KW  - Relays
KW  - Resilience
KW  - Routing
KW  - Security
KW  - table size routing
KW  - Unsolicited electronic mail
AB  - In this paper, we present DHTBL, an anti-spam blacklist built upon a novel secure distributed hash table (DHT). We show how DHTBL can be used to replace existing DNS-based blacklists (DNSBLs) of IP addresses of mail relays that forward spam. Implementing a blacklist on a DHT improves resilience to DoS attacks and secures message delivery, when compared to DNSBLs. However, due to the sensitive nature of the blacklist, storing the data in a peer-to-peer DHT would invite attackers to infiltrate the system. Typical DHTs can withstand fail-stop failures, but malicious nodes may provide incorrect routing information, refuse to return published items, or simply ignore certain queries. The NeighborhoodWatch DHT is resilient to malicious nodes and maintains the O(log N) bounds on routing table size and expected lookup time. NeighborhoodWatch depends on two assumptions in order to make these guarantees: (1) the existence of an on-line trusted authority that periodically contacts and issues signed certificates to each node, and (2) for every sequence of k + 1 consecutive nodes in the ID space, at least one is alive and non-malicious. We show how NeighborhoodWatch maintains many of its security properties even when the second assumption is violated. Honest nodes in NeighborhoodWatch can detect malicious behavior and expel the responsible nodes from the DHT.
JA  - IEEE INFOCOM 2009
PB  - IEEE
SN  - 978-1-4244-3512-8
M3  - 10.1109/INFCOM.2009.5062095
ER  -

TY  - CONF
T1  - MobCast: Overlay Architecture for Seamless IP Mobility using Scalable Anycast Proxies
T2  - Wireless Communications and Networking Conference, 2007. WCNC 2007. IEEE
Y1  - 2007
A1  - Lee,C.P.
A1  - Attrey,K.
A1  - Caballero,C.
A1  - Feamster, Nick
A1  - Mihail,M.
A1  - Copeland,J.A.
KW  - address space
KW  - handoff-speed
KW  - IP networks
KW  - MobCast
KW  - mobile hosts
KW  - mobile radio
KW  - overlay architecture
KW  - proxy location
KW  - routing overlay system
KW  - scalable anycast proxies
KW  - seamless IP mobility
KW  - telecommunication network routing
KW  - universal IP address
AB  - We propose a routing overlay system, MobCast, for simple and efficient routing to mobile hosts. MobCast nodes advertise the same address space at each proxy location, and each mobile host is assigned a "universal" IP address from this address space, so packets sent to a mobile host's universal IP address automatically go to the nearest proxy on the overlay. The overlay then delivers the packets to the mobile host. Our architecture enables seamless mobility for both micro and macro mobility. While our initial design is not as mature as Mobile IP, it shows great promise to solve the traditional problems of ingress routing, firewalls, NATs, and rapid mobility with much lower complexity. We present our design as a scalable and deployable alternative to Mobile IP. In this paper, we focus on describing the MobCast system architecture. We form our arguments for scalability, handoff-speed, and simplicity, and give our initial results for scalability. We postpone a detailed discussion of MobCast's security model for future work.
JA  - Wireless Communications and Networking Conference, 2007. WCNC 2007. IEEE
M3  - 10.1109/WCNC.2007.708
ER  -

TY  - JOUR
T1  - Resilient multicast using overlays
JF  - IEEE/ACM Transactions on Networking
Y1  - 2006
A1  - Banerjee,S.
A1  - Lee,Seungjoon
A1  - Bhattacharjee, Bobby
A1  - Srinivasan, Aravind
KW  - application-layer multicast protocols
KW  - Computer science
KW  - Data communication
KW  - Delay
KW  - Internet
KW  - Internet-like topologies
KW  - IP networks
KW  - loss recovery technique
KW  - Multicast
KW  - multicast data recovery scheme
KW  - Multicast protocols
KW  - Network topology
KW  - NETWORKS
KW  - overlays
KW  - Performance loss
KW  - probabilistic forwarding
KW  - probabilistic resilient multicast
KW  - Protocols
KW  - Resilience
KW  - Streaming media
KW  - telecommunication network topology
KW  - Terminology
AB  - We introduce Probabilistic Resilient Multicast (PRM): a multicast data recovery scheme that improves data delivery ratios while maintaining low end-to-end latencies. PRM has both proactive and reactive components; in this paper we describe how PRM can be used to improve the performance of application-layer multicast protocols, especially when there are high packet losses and host failures. Through detailed analysis in this paper, we show that this loss recovery technique has efficient scaling properties: the overheads at each overlay node asymptotically decrease to zero with increasing group sizes. As a detailed case study, we show how PRM can be applied to the NICE application-layer multicast protocol. We present detailed simulations of the PRM-enhanced NICE protocol for 10 000 node Internet-like topologies. Simulations show that PRM achieves a high delivery ratio (>97%) with a low latency bound (600 ms) for environments with high end-to-end network losses (1%-5%) and high topology change rates (5 changes per second) while incurring very low overheads (<5%).
VL  - 14
SN  - 1063-6692
CP  - 2
M3  - 10.1109/TNET.2006.872579
ER  -

TY  - CONF
T1  - An experimental evaluation to determine if port scans are precursors to an attack
Y1  - 2005
A1  - Panjwani,S.
A1  - Tan,S.
A1  - Jarrin,K.M.
A1  - Michel Cukier
KW  - attack data collection
KW  - computer crime
KW  - filtered data groups
KW  - ICMP scans
KW  - IP address
KW  - IP networks
KW  - management traffic
KW  - port scans
KW  - telecommunication security
KW  - Telecommunication traffic
KW  - vulnerability scans
AB  - This paper describes an experimental approach to determine the correlation between port scans and attacks. Discussions in the security community often state that port scans should be considered as precursors to an attack. However, very few studies have been conducted to quantify the validity of this hypothesis. In this paper, attack data were collected using a test-bed dedicated to monitoring attackers. The data collected consist of port scans, ICMP scans, vulnerability scans, successful attacks and management traffic. Two experiments were performed to validate the hypothesis of linking port scans and vulnerability scans to the number of packets observed per connection. Customized scripts were then developed to filter the collected data and group them on the basis of scans and attacks between a source and destination IP address pair. The correlation of the filtered data groups was assessed. The analyzed data consists of forty-eight days of data collection for two target computers on a heavily utilized subnet.
M3  - 10.1109/DSN.2005.18
ER  -

TY  - CONF
T1  - Bootstrapping security associations for routing in mobile ad-hoc networks
T2  - IEEE Global Telecommunications Conference, 2003. GLOBECOM '03
Y1  - 2003
A1  - Bobba,R. B
A1  - Eschenauer,L.
A1  - Gligor,V.
A1  - Arbaugh, William A.
KW  - ad hoc networks
KW  - bootstrapping security association
KW  - Cryptographic protocols
KW  - dynamic source routing protocol
KW  - Fabrics
KW  - Intelligent networks
KW  - IP address
KW  - IP key
KW  - IP networks
KW  - Message authentication
KW  - mobile ad-hoc network
KW  - mobile radio
KW  - Protection
KW  - Public key
KW  - public key cryptography
KW  - routing layer security reliability
KW  - routing protocols
KW  - secure routing
KW  - Security
KW  - security service
KW  - statistically unique cryptographically verification
KW  - telecommunication security
AB  - To date, most solutions proposed for secure routing in mobile ad-hoc networks (MANETs) assume that secure associations between pairs of nodes can be established on-line, e.g., by a trusted third party or by distributed trust establishment. However, establishing such security associations, with or without trusted third parties, requires reliance on routing layer security. In this paper, we eliminate this apparent cyclic dependency between security services and secure routing in MANETs and show how to bootstrap security for the routing layer. We use the notion of statistically unique and cryptographically verifiable (SUCV) identifiers to implement a secure binding between IP addresses and keys that is independent of any trusted security service. We illustrate our solution with the dynamic source routing (DSR) protocol and compare it with other solutions for secure routing.
JA  - IEEE Global Telecommunications Conference, 2003. GLOBECOM '03
PB  - IEEE
VL  - 3
SN  - 0-7803-7974-8
M3  - 10.1109/GLOCOM.2003.1258490
ER  -

TY  - CONF
T1  - A secure PLAN (extended version)
T2  - DARPA Active NEtworks Conference and Exposition, 2002. Proceedings
Y1  - 2002
A1  - Hicks, Michael W.
A1  - Keromytis,A. D
A1  - Smith,J. M
KW  - active internetwork
KW  - active networks
KW  - active-network firewall
KW  - Authentication
KW  - authorisation
KW  - Authorization
KW  - Cities and towns
KW  - Computer networks
KW  - Computer science
KW  - cryptography
KW  - functionally restricted packet language
KW  - general-purpose service routines
KW  - Information security
KW  - internetworking
KW  - IP networks
KW  - latency overhead
KW  - namespace-based security
KW  - PLAN
KW  - PLANet
KW  - Planets
KW  - programmability
KW  - Safety
KW  - security architecture
KW  - telecommunication security
KW  - trust management
KW  - two-level architecture
KW  - Web and internet services
AB  - Active networks promise greater flexibility than current networks, but threaten safety and security by virtue of their programmability. We describe the design and implementation of a security architecture for the active network PLANet (Hicks et al., 1999). Security is obtained with a two-level architecture that combines a functionally restricted packet language, PLAN (Hicks et al., 1998), with an environment of general-purpose service routines governed by trust management (Blaze et al., 1996). In particular, we employ a technique which expands or contracts a packet's service environment based on its level of privilege, termed namespace-based security. As an application of our security architecture, we present the design and implementation of an active-network firewall. We find that the addition of the firewall imposes an approximately 34% latency overhead and as little as a 6.7% space overhead to incoming packets.
JA  - DARPA Active NEtworks Conference and Exposition, 2002. Proceedings
PB  - IEEE
SN  - 0-7695-1564-9
M3  - 10.1109/DANCE.2002.1003496
ER  -

TY  - CONF
T1  - Integrating distributed scientific data sources with MOCHA and XRoaster
T2  - Thirteenth International Conference on Scientific and Statistical Database Management, 2001. SSDBM 2001. Proceedings
Y1  - 2001
A1  - Rodriguez-Martinez,M.
A1  - Roussopoulos, Nick
A1  - McGann,J. M
A1  - Kelley,S.
A1  - Mokwa,J.
A1  - White,B.
A1  - Jala,J.
KW  - client-server systems
KW  - data sets
KW  - data sites
KW  - Databases
KW  - Distributed computing
KW  - distributed databases
KW  - distributed scientific data source integration
KW  - Educational institutions
KW  - graphical tool
KW  - hypermedia markup languages
KW  - IP networks
KW  - java
KW  - Large-scale systems
KW  - Maintenance engineering
KW  - meta data
KW  - metadata
KW  - Middleware
KW  - middleware system
KW  - MOCHA
KW  - Query processing
KW  - remote sites
KW  - scientific information systems
KW  - user-defined types
KW  - visual programming
KW  - XML
KW  - XML metadata elements
KW  - XML-based framework
KW  - XRoaster
AB  - MOCHA is a novel middleware system for integrating distributed data sources that we have developed at the University of Maryland. MOCHA is based on the idea that the code that implements user-defined types and functions should be automatically deployed to remote sites by the middleware system itself. To this end, we have developed an XML-based framework to specify metadata about data sites, data sets, and user-defined types and functions. XRoaster is a graphical tool that we have developed to help the user create all the XML metadata elements to be used in MOCHA.
JA  - Thirteenth International Conference on Scientific and Statistical Database Management, 2001. SSDBM 2001. Proceedings
PB  - IEEE
SN  - 0-7695-1218-6
M3  - 10.1109/SSDM.2001.938560
ER  -

TY  - CONF
T1  - Practical programmable packets
T2  - IEEE INFOCOM 2001. Twentieth Annual Joint Conference of the IEEE Computer and Communications Societies. Proceedings
Y1  - 2001
A1  - Moore,J. T
A1  - Hicks, Michael W.
A1  - Nettles,S.
KW  - active packet language
KW  - Application software
KW  - compiler
KW  - Contracts
KW  - Data security
KW  - efficiency
KW  - Explosives
KW  - INFORMATION SCIENCE
KW  - Internet
KW  - IP
KW  - IP networks
KW  - low-level packet language
KW  - packet switching
KW  - performance
KW  - PLAN
KW  - practical programmable packets
KW  - program compilers
KW  - Protection
KW  - resource control
KW  - Resource management
KW  - safe and nimble active packets
KW  - Safety
KW  - Security
KW  - SNAP
KW  - software IP router
KW  - Software performance
KW  - telecommunication security
KW  - Transport protocols
AB  - We present SNAP (safe and nimble active packets), a new scheme for programmable (or active) packets centered around a new low-level packet language. Unlike previous active packet approaches, SNAP is practical: namely, it adds significant flexibility over IP without compromising safety and security or efficiency. In this paper we show how to compile from the well-known active packet language PLAN to SNAP, showing that SNAP retains PLAN's flexibility; give proof sketches of its novel approach to resource control; and present experimental data showing SNAP attains performance very close to that of a software IP router.
JA  - IEEE INFOCOM 2001. Twentieth Annual Joint Conference of the IEEE Computer and Communications Societies. Proceedings
PB  - IEEE
VL  - 1
SN  - 0-7803-7016-3
M3  - 10.1109/INFCOM.2001.916685
ER  -

TY  - CONF
T1  - PLANet: an active internetwork
T2  - IEEE INFOCOM '99. Eighteenth Annual Joint Conference of the IEEE Computer and Communications Societies. Proceedings
Y1  - 1999
A1  - Hicks, Michael W.
A1  - Moore,J. T
A1  - Alexander,D. S
A1  - Gunter,C. A
A1  - Nettles,S. M
KW  - 100 Mbit/s
KW  - 300 MHz
KW  - 48 Mbit/s
KW  - active internetwork
KW  - active network architecture
KW  - active network implementation
KW  - byte-code-interpreted applications
KW  - Computer architecture
KW  - Computer languages
KW  - Computer networks
KW  - congested conditions
KW  - dynamic programming
KW  - dynamic router extensions
KW  - Ethernet
KW  - Ethernet networks
KW  - INFORMATION SCIENCE
KW  - Internet
KW  - Internet-like services
KW  - internetworking
KW  - IP
KW  - IP networks
KW  - link layers
KW  - Linux user-space applications
KW  - Local area networks
KW  - ML dialect
KW  - Network performance
KW  - networking operations
KW  - OCaml
KW  - Packet Language for Active Networks
KW  - packet programs
KW  - packet switching
KW  - Pentium-II
KW  - performance
KW  - performance evaluation
KW  - PLAN
KW  - PLANet
KW  - Planets
KW  - programmability features
KW  - programming languages
KW  - router functionality
KW  - special purpose programming language
KW  - Switches
KW  - telecommunication network routing
KW  - Transport protocols
KW  - Web and internet services
AB  - We present PLANet: an active network architecture and implementation. In addition to a standard suite of Internet-like services, PLANet has two key programmability features: (1) all packets contain programs; and (2) router functionality may be extended dynamically. Packet programs are written in our special purpose programming language PLAN, the Packet Language for Active Networks, while dynamic router extensions are written in OCaml, a dialect of ML. Currently, PLANet routers run as byte-code-interpreted Linux user-space applications, and support Ethernet and IP as link layers. PLANet achieves respectable performance on standard networking operations: on 300 MHz Pentium-II's attached to 100 Mbps Ethernet, PLANet can route 48 Mbps and switch over 5000 packets per second. We demonstrate the utility of PLANet's activeness by showing experimentally how it can nontrivially improve application and aggregate network performance in congested conditions.
JA  - IEEE INFOCOM '99. Eighteenth Annual Joint Conference of the IEEE Computer and Communications Societies. Proceedings
PB  - IEEE
VL  - 3
SN  - 0-7803-5417-6
M3  - 10.1109/INFCOM.1999.751668
ER  -

TY  - JOUR
T1  - Safety and security of programmable network infrastructures
JF  - IEEE Communications Magazine
Y1  - 1998
A1  - Alexander,S.
A1  - Arbaugh, William A.
A1  - Keromytis,A. D
A1  - Smith,J. M
KW  - Access control
KW  - error protection
KW  - IP networks
KW  - Multicast protocols
KW  - network architecture
KW  - network operating systems
KW  - network service model
KW  - operating system
KW  - Power system dynamics
KW  - Power system modeling
KW  - Power system reliability
KW  - programmable languages
KW  - programmable network infrastructures
KW  - programming languages
KW  - Proposals
KW  - Protection
KW  - reliability properties
KW  - Safety
KW  - Secure Active Network Environment
KW  - Security
KW  - security of data
KW  - service creation
KW  - service providers
KW  - Switches
KW  - telecommunication computing
KW  - telecommunication network reliability
KW  - Web and internet services
AB  - Safety and security are two reliability properties of a system. A "safe" system provides protection against errors of trusted users, while a "secure" system protects against errors introduced by untrusted users. There is considerable overlap between mechanisms to support each property. Requirements for rapid service creation have stimulated the development of programmable network infrastructures, where end users or service providers can customize the properties of a network infrastructure while it continues to operate. A central concern of potential users of such systems is their reliability and, most specifically, their safety and security. In this article we explain the impact the network service model and architecture have on safety and security, and provide a model with which policies can be translated into restrictions of a general system. We illustrate these ideas with the Secure Active Network Environment (SANE) architecture, which provides a means of controlling access to the functions provided by any programmable infrastructure.
VL  - 36
SN  - 0163-6804
CP  - 10
M3  - 10.1109/35.722141
ER  -

TY  - JOUR
T1  - A secure active network environment architecture: realization in SwitchWare
JF  - IEEE Network
Y1  - 1998
A1  - Alexander,D. S
A1  - Arbaugh, William A.
A1  - Keromytis,A. D
A1  - Smith,J. M
KW  - access protocols
KW  - AEGIS secure bootstrap architecture
KW  - architecture
KW  - Authentication
KW  - Collaboration
KW  - Communication switching
KW  - dynamic integrity checks
KW  - extended LAN
KW  - Functional programming
KW  - implementation
KW  - integrity
KW  - Intelligent networks
KW  - IP networks
KW  - Local area networks
KW  - network infrastructure
KW  - network infrastructures
KW  - network operating systems
KW  - network-level solutions
KW  - node
KW  - node-to-node authentication
KW  - packet switching
KW  - Proposals
KW  - ramming system
KW  - SANE
KW  - secure active network environment architecture
KW  - security of data
KW  - Switches
KW  - SwitchWare
KW  - trusted state
KW  - Web and internet services
AB  - An active network is a network infrastructure which is programmable on a per-user or even per-packet basis. Increasing the flexibility of such network infrastructures invites new security risks. Coping with these security risks represents the most fundamental contribution of active network research. The security concerns can be divided into those which affect the network as a whole and those which affect individual elements. It is clear that the element problems must be solved first, since the integrity of network-level solutions will be based on trust in the network elements. In this article we describe the architecture and implementation of a secure active network environment (SANE), which we believe provides a basis for implementing secure network-level solutions. We guarantee that a node begins operation in a trusted state with the AEGIS secure bootstrap architecture. We guarantee that the system remains in a trusted state by applying dynamic integrity checks in the network element's runtime system, using a novel naming system, and applying node-to-node authentication when needed. The construction of an extended LAN is discussed.
VL  - 12
SN  - 0890-8044
CP  - 3
M3  - 10.1109/65.690960
ER  -

TY  - JOUR
T1  - The SwitchWare active network architecture
JF  - IEEE Network
Y1  - 1998
A1  - Alexander,D. S
A1  - Arbaugh, William A.
A1  - Hicks, Michael W.
A1  - Kakkar,P.
A1  - Keromytis,A. D
A1  - Moore,J. T
A1  - Gunter,C. A
A1  - Nettles,S. M
A1  - Smith,J. M
KW  - active extensions
KW  - active packets
KW  - Authentication
KW  - Computer languages
KW  - Computer networks
KW  - cryptography
KW  - cryptography-based authentication
KW  - high-integrity base
KW  - integrity checking
KW  - IP networks
KW  - LAN interconnection
KW  - mobile programs
KW  - network operating systems
KW  - packet switching
KW  - programmable network infrastructure
KW  - programming languages
KW  - Protocols
KW  - Safety
KW  - safety requirements
KW  - scalability
KW  - secure active router infrastructure
KW  - Security
KW  - security requirements
KW  - services
KW  - strong type checking
KW  - Switches
KW  - SwitchWare active network architecture
KW  - telecommunication network routing
KW  - Tin
KW  - usability
KW  - verification techniques
AB  - Active networks must balance the flexibility of a programmable network infrastructure against the safety and security requirements inherent in sharing that infrastructure. Furthermore, this balance must be achieved while maintaining the usability of the network. The SwitchWare active network architecture is a novel approach to achieving this balance using three layers: active packets, which contain mobile programs that replace traditional packets; active extensions, which provide services on the network elements and can be dynamically loaded; and a secure active router infrastructure, which forms a high-integrity base on which the security of the other layers depends. In addition to integrity checking and cryptography-based authentication, security in our architecture depends heavily on verification techniques from programming languages, such as strong type checking.
VL  - 12
SN  - 0890-8044
CP  - 3
M3  - 10.1109/65.690959
ER  -

TY  - CONF
T1  - A secure and reliable bootstrap architecture
T2  - 1997 IEEE Symposium on Security and Privacy, 1997. Proceedings
Y1  - 1997
A1  - Arbaugh, William A.
A1  - Farber,D. J
A1  - Smith,J. M
KW  - active networks
KW  - AEGIS architecture
KW  - bootstrap architecture
KW  - Computer architecture
KW  - computer bootstrapping
KW  - data integrity
KW  - Distributed computing
KW  - Hardware
KW  - hardware validity
KW  - initialization
KW  - integrity chain
KW  - integrity check failures
KW  - Internet
KW  - Internet commerce
KW  - IP networks
KW  - Laboratories
KW  - lower-layer integrity
KW  - Microprogramming
KW  - Operating systems
KW  - recovery process
KW  - reliability
KW  - robust systems
KW  - Robustness
KW  - Security
KW  - security of data
KW  - software reliability
KW  - system integrity guarantees
KW  - system recovery
KW  - transitions
KW  - Virtual machining
AB  - In a computer system, the integrity of lower layers is typically treated as axiomatic by higher layers. Under the presumption that the hardware comprising the machine (the lowest layer) is valid, the integrity of a layer can be guaranteed if and only if: (1) the integrity of the lower layers is checked and (2) transitions to higher layers occur only after integrity checks on them are complete. The resulting integrity "chain" inductively guarantees system integrity. When these conditions are not met, as they typically are not in the bootstrapping (initialization) of a computer system, no integrity guarantees can be made, yet these guarantees are increasingly important to diverse applications such as Internet commerce, security systems and "active networks". In this paper, we describe the AEGIS architecture for initializing a computer system. It validates integrity at each layer transition in the bootstrap process. AEGIS also includes a recovery process for integrity check failures, and we show how this results in robust systems.
JA  - 1997 IEEE Symposium on Security and Privacy, 1997. Proceedings
PB  - IEEE
SN  - 0-8186-7828-3
M3  - 10.1109/SECPRI.1997.601317
ER  -