Network Fault Localization Adrian Perrig. Overview
Slide 1: Network Fault Localization
Adrian Perrig, CyLab / Carnegie Mellon University
Overview:
- Fault localization overview
- Four fault localization schemes: PAAI, ShortMAC, TrueNet, DynaFL

Slide 2: What is Fault Localization?
- Problem definition: identify faulty links during packet forwarding
- Attacker model: drop, modify, misroute, or inject packets at the data plane
- Challenges:
  - Selective attack: breaks ping, traceroute, etc.
  - High overhead
  - Slander & framing
(Figure: a path from Source to Dest; the attacker only drops node 5's ACKs while every node answers "Got it".)

Slide 3: What is Fault Localization? Challenges (cont'd)
- Attacks against sampling ("not sampled, drop it!")
- Forgery attack: breaks NetFlow, Bloom filter, etc. (the source sends 100 packets, every node reports "Got 100", the attacker only modifies packets)
- Natural packet loss

Slide 4: Why is Fault Localization Important?
- The current Internet: best effort, purely end-to-end
- Fault localization enables: data-plane accountability; intelligent path selection
(Figure: linear path trial from Source to Destination; worst case 3 trials with fault localization versus 2^3 trials without it.)

Slide 5: Design Goals
- Security: against dropping, modifying, injecting, and replaying packets; against multiple colluding nodes
- Efficiency: low detection delay; low storage, communication and computation overhead
- Viability: handle natural packet loss
- Provable bounds: an upper bound on the damage an attacker can do without being detected; a lower bound on forwarding correctness if no fault is detected

Slide 6: General Approach
- Limiting attacks instead of perfect detection
  - Detect every misbehavior? Costly! Error-prone!
  - Absorb low-impact attacks: tolerance threshold
- Trap the attacker in a dilemma: attack more? Will get caught! Stay under the threshold? Damage is bounded!
- Enables probabilistic algorithms with provable bounds

Slide 7: Roadmap
- Path-based: secure sampling (PAAI); probabilistic packet marking (ShortMAC)
- 1-hop: trusted computing (TrueNet); neighborhood monitoring (DynaFL)

Slide 8: Roadmap: PAAI = Probabilistic Acknowledgement-based Adversary Identification
X. Zhang, A. Jain, A. Perrig, ACM CoNEXT 08

Slide 9: Path-based Design Space
- Two questions: which packets should be acknowledged, and which nodes should send the ACKs
- PAAI-1: packets are sampled, nodes are not
- PAAI-2: packets are not sampled, nodes are

Slide 10: PAAI-1 Overview (sampling packets)
Each packet carries p = data || timestamp.
1) Source: sample p?
2) Each node checks the timestamp: if long-delayed, discard; otherwise buffer p (assumes loose time synchronization)
3) If p was sampled, the source sends a delayed probe = tag || ID(p)
4) On receiving the probe, the nodes send onion ACKs
5) The source scores the links (drop score)

Slide 11: PAAI-2 Overview (sampling nodes)
- Every lost packet is to be acknowledged; however, only one node is selected to send the ACK
- Anonymity and uniformity of node selection are required; a node that knows who is selected can mount
  - denial of detection: drop packets only when node 1 or 2 is selected
  - incrimination: drop packets only when node 5 is selected
- A big difference between the drop scores of adjacent nodes: suspect this link!

Slide 12: PAAI-2 Protocol
Each packet carries p = data || timestamp.
1) The source starts a timer for the end-to-end ACK
2) If it fails, the source sends probe = ID(p) || Z
3) Each node i rolls a die based on (Z, K_i): sampled or not, with Pr(node i is sampled) = 1/(d − i + 1), e.g., 1/5, 1/4, 1/3, 1/2, 1 for d = 5. Hence Pr(node i is selected) = 1/d = 1/5; e.g., node 4: 4/5 · 3/4 · 2/3 · 1/2 = 1/5
   - The destination sends A_d = [R_d]_{K_d}
   - A sampled node generates a new ACK, e.g., node 4: A_4 = [R_4]_{K_4}, replacing A_5
   - A node that is not sampled re-encrypts what it received, e.g., A_3 = [A_4]_{K_3}, A_2 = [A_3]_{K_2}
   - In the figure node 1 is selected: A_1 = [R_1]_{K_1}
   - Constant (O(1)) ACK size everywhere! Anonymity and uniformity of node selection
4) The source scores the links

Slide 13: PAAI Summary
- Results and comparison (example setting: path length 6; malicious node: node 3; PAAI-1 sampling rate 1/36; source sending rate 10^6 pkts/sec; false positive/negative rate = 3%): detection delay in minutes and state, PAAI in KB per link, PAAI in MB per link, Statistical FL [1] in B per path (the numeric values are not legible in the transcription)
- Can we do better? Packet sampling wastes the non-sampled packets; an ACK covers only a single packet
[1] B. Barak, S. Goldberg, and D. Xiao. Protocols and lower bounds for failure localization in the Internet. Proceedings of EUROCRYPT.
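The PAAI-2 selection step of slide 12, as an added example that is not part of the talk or the PAAI code: each node's keyed die roll, the onion ACK built from the destination back to the source, and the source peeling it to learn which node was selected. Keys, the ACK tag R_i and the fixed-length XOR "encryption" layer are constructed stand-ins for illustration; the check at the end verifies the slide's 1/(d − i + 1) sampling rule yields a uniform 1/d selection probability.

```python
import hashlib
import hmac
import os
from collections import Counter
from fractions import Fraction

ACK_LEN = 16  # bytes per onion layer; every layer has this size, so the ACK stays O(1)


def make_keys(d):
    """Constructed per-node keys K_1..K_d shared with the source (node d is the destination)."""
    return {i: hashlib.sha256(b"constructed PAAI key %d" % i).digest() for i in range(1, d + 1)}


def is_sampled(k_i, z, i, d):
    """Node i rolls a die keyed on (Z, K_i): sampled with probability 1/(d - i + 1)."""
    n = d - i + 1
    roll = int.from_bytes(hmac.new(k_i, z, hashlib.sha256).digest()[:8], "big")
    return roll % n == 0  # node d has n == 1 and is therefore always sampled


def local_ack(k_i, z, pkt_id):
    """R_i: node i's own acknowledgement of pkt_id, a keyed tag the source can recompute."""
    return hmac.new(k_i, b"ack" + z + pkt_id, hashlib.sha256).digest()[:ACK_LEN]


def wrap(k_i, z, blob):
    """[blob]_{K_i}: a fixed-length XOR layer keyed on (K_i, Z). Illustrative only, not
    PAAI's cipher; it keeps the layer size constant, which is the property shown here."""
    pad = hashlib.sha256(b"layer" + k_i + z).digest()[:ACK_LEN]
    return bytes(a ^ b for a, b in zip(blob, pad))


unwrap = wrap  # an XOR layer is its own inverse


def build_onion_ack(keys, z, pkt_id, d):
    """Walk from the destination back towards the source, as the probe's ACK travels.
    A sampled node replaces what it received with its own ACK (A_i = [R_i]_{K_i});
    an unsampled node merely re-encrypts it (A_i = [A_{i+1}]_{K_i})."""
    ack = b""
    for i in range(d, 0, -1):
        if is_sampled(keys[i], z, i, d):
            ack = wrap(keys[i], z, local_ack(keys[i], z, pkt_id))
        else:
            ack = wrap(keys[i], z, ack)
    return ack


def source_identify(keys, z, pkt_id, d, ack):
    """Peel layers with K_1, K_2, ...; the first layer that yields R_i names the selected
    node i, i.e. the sampled node closest to the source."""
    for i in range(1, d + 1):
        ack = unwrap(keys[i], z, ack)
        if hmac.compare_digest(ack, local_ack(keys[i], z, pkt_id)):
            return i
    return None


def selection_probability(i, d):
    """Analytic Pr(node i is selected) = Pr(nodes 1..i-1 not sampled) * Pr(node i sampled)."""
    p = Fraction(1, 1)
    for j in range(1, i):
        p *= 1 - Fraction(1, d - j + 1)
    return p * Fraction(1, d - i + 1)


def selection_frequencies(d, trials):
    """Empirical check of uniformity: how often each node is selected over random probes."""
    keys = make_keys(d)
    counts = Counter()
    for _ in range(trials):
        z = os.urandom(16)  # the fresh per-probe value Z
        ack = build_onion_ack(keys, z, b"pkt", d)
        counts[source_identify(keys, z, b"pkt", d, ack)] += 1
    return counts


if __name__ == "__main__":
    for i in range(1, 6):
        print("node", i, "selected with probability", selection_probability(i, 5))
    print(sorted(selection_frequencies(5, 5000).items()))
```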
Slide 14: Roadmap: probabilistic packet marking: ShortMAC
X. Zhang, Z. Zhou, H. Hsiao, T. Kim, A. Perrig, P. Tague, NDSS 12

Slide 15: ShortMAC Key Insight
- Fault localization ≈ packet authentication
- Fault localization must monitor packet count and content; with packet authentication, content reduces to count
- Only counts: small state, low bandwidth cost
(Figure: Source → A → B → C, with "Detectable!" after B and after C.)

Slide 16: ShortMAC Key Ideas: the ShortMAC packet marking
- k-bit MAC, e.g., k = 1: limiting instead of perfectly detecting fake packets
- The source shares K_1, K_2, ..., K_d with the nodes and marks each packet with k bits per node, computed with a keyed PRF, e.g., (m, 1, 0, 1):
  mark_1 = PRF_{K_1}(m, SN, TTL_1), mark_2 = PRF_{K_2}(m, SN, TTL_2), ..., mark_d = PRF_{K_d}(m, SN, TTL_d)
- Forge m? 50% chance of inconsistency (for k = 1). Detectable!

Slide 17: ShortMAC Key Ideas: high-level steps
- Each node maintains two counters (counters only!)
- Secure reporting
- Threshold-based detection, robust to natural errors
(Figure: the source sends 1000 packets with a 1-bit MAC; a node on the way to Dest modifies 500 of them.)
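The marking and counting of slides 16 and 17 as an added example, not code from the talk or the ShortMAC prototype: the source computes one k-bit PRF mark per node, each node keeps only a "received" and a "bad mark" counter, and a threshold comparison of neighbouring counters flags the link behind a node that drops and modifies packets while natural loss stays below the threshold. Keys, TTL_i as the hop index, discarding a packet on a bad mark, and truthful counter reports are assumptions of this example.

```python
import hashlib
import hmac
import random


def make_keys(d):
    """Constructed keys K_1..K_d shared between the source and each node (node d is the destination)."""
    return {i: hashlib.sha256(b"constructed ShortMAC key %d" % i).digest() for i in range(1, d + 1)}


def prf_mark(key, payload, sn, ttl, k):
    """PRF_{K_i}(m, SN, TTL_i) truncated to k bits: node i's ShortMAC mark for this packet."""
    msg = payload + sn.to_bytes(4, "big") + bytes([ttl])
    tag = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(tag[:4], "big") & ((1 << k) - 1)


def source_marks(keys, payload, sn, k):
    """One k-bit mark per node; TTL_i is modelled as the hop index i (an assumption)."""
    return {i: prf_mark(key, payload, sn, i, k) for i, key in keys.items()}


def simulate(d, k, n_pkts, natural_loss, adversary, seed=0):
    """Forward n_pkts along nodes 1..d. Every node keeps two counters: packets received ("recv")
    and packets whose mark did not verify ("bad"). A node that sees a bad mark counts it and, by
    assumption here, discards the packet. adversary is {"node": i, "drop": p, "modify": q} or None;
    it drops a fraction p and modifies a fraction q of what it forwards. Counters are assumed to be
    reported truthfully (the slides' secure-reporting step is not modelled).
    Returns (counters, number of modified packets that reached the destination unnoticed)."""
    rng = random.Random(seed)
    keys = make_keys(d)
    counters = {i: {"recv": 0, "bad": 0} for i in range(1, d + 1)}
    undetected = 0
    for sn in range(n_pkts):
        payload = b"constructed payload " + sn.to_bytes(4, "big")
        marks = source_marks(keys, payload, sn, k)
        tampered = False
        for i in range(1, d + 1):
            if rng.random() < natural_loss:  # natural loss on the link into node i
                break
            counters[i]["recv"] += 1
            if prf_mark(keys[i], payload, sn, i, k) != marks[i]:
                counters[i]["bad"] += 1  # a forged m fails here with probability 1 - 2^-k
                break
            if i == d:
                undetected += tampered  # a modified packet slipped past every honest check
            elif adversary and adversary["node"] == i:
                r = rng.random()
                if r < adversary["drop"]:
                    break  # selective drop
                if r < adversary["drop"] + adversary["modify"]:
                    payload = payload[:-1] + bytes([payload[-1] ^ 1])  # flip one bit of m
                    tampered = True
    return counters, undetected


def localize(counters, n_sent, d, t_dr, t_in):
    """Threshold-based detection over neighbouring counters. Link (i-1, i) is flagged when its
    loss exceeds the drop threshold t_dr or when the share of bad-marked packets arriving at
    node i exceeds the injection threshold t_in. The source's send count seeds the first link."""
    flagged = []
    fwd_prev = n_sent  # packets the previous node forwarded (received minus discarded)
    for i in range(1, d + 1):
        c = counters[i]
        loss = 1 - c["recv"] / fwd_prev if fwd_prev else 0.0
        injected = c["bad"] / fwd_prev if fwd_prev else 0.0
        if loss > t_dr or injected > t_in:
            flagged.append((i - 1, i))
        fwd_prev = c["recv"] - c["bad"]
    return flagged


if __name__ == "__main__":
    ctr, missed = simulate(4, 2, 10000, 0.01, {"node": 2, "drop": 0.2, "modify": 0.2}, seed=1)
    print(ctr, "flagged links:", localize(ctr, 10000, 4, 0.05, 0.08), "missed:", missed)
```

With k = 2 each honest node catches a modified packet with probability 3/4, so a few modified packets still reach the destination: the damage is bounded rather than eliminated, which is the slide's "limiting instead of perfectly detecting".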
Slide 18: Analysis and Evaluation
- Theoretical bounds, the math: the slide gives the guaranteed forwarding correctness θ in terms of (1 − T_dr)^d, β and N, the parameter β in terms of T_in, δ and q, and the drop detection threshold T_dr in terms of q, ρ, d and ln(2d/δ); correspondingly, the fraction of packets a malicious link can drop without being detected is bounded (the full expressions are garbled in the transcription)
- Theoretical bounds, the numbers (state in bytes; the detection delays in packets are not legible): ShortMAC: 21 per path; PAAI-1: per link; Statistical FL: 500 per path
- SSFNet simulation + Click router prototyping

Slide 19: Roadmap: room for improvement? Trusted computing: TrueNet
X. Zhang, Z. Zhou, G. Hasker, A. Perrig, V. Gligor, ICNP 11

Slide 20: Revisiting the Path-based Approach
- Theoretically proven high overhead
- Per-source key storage (sometimes per-path state)!
- Fault localization results can't be shared globally: delayed failure recovery, inconsistent routing tables
(Figure: Alice, Bob and Mallory; Alice reports "Node 5 is malicious!" to Bob.)
- Fundamental reason: lack of a trust relationship

Slide 21: How Trusted Computing can Help
- Bootstrapping trust in code among nodes: remote attestation and isolation give code integrity; sealed storage gives data secrecy
- How? TPM, Intel TXT, AMD SVM
(Figure: Alice expects Bob to run program P and stores H(P); to her "R u Bob?" Bob answers with a signed H(P); data sealed by P is accessible only when H(P) is correct.)

Slide 22: Opportunities and Challenges
- Transitivity of verification: a chain of 1-hop verifications from source to dest gives end-to-end verification, with per-neighbor state & key storage
- Attest to the entire network stack? Command-line input and configuration! Large Trusted Computing Base (TCB)!
- "Code isn't modified" is not "code is bug-free": large TCB == low security

Slide 23: TrueNet Goals
- Minimize the TCB: a small piece of code can be more trusted
- Efficient attestation without compromising performance
- Approach: do not attest to the semantics (implementation) of the network stack; attest to the behavior of the network stack
- A 1-hop monitoring module (MM) monitors that behavior and is the only part in the TCB

Slide 24: TrueNet Overview
- Set up a secure channel between MMs: neighboring MMs share secret keys (per-neighbor only!); the secret keys are sealed to the MMs
- MM operations and fault localization: packets go through each MM
(Figure: Router S (Sam) → Router A (Alice) → Router B (Bob); S's MM sends m, N_SA, [m, N_SA]_{K_SA} to A's MM, which sends m, N_AB, [m, N_AB]_{K_AB} to B's MM; each 1-hop exchange returns an authenticated ACK; the network stacks sit outside the MMs.)

Slide 25: Evaluation
- Prototype (with TrustVisor): little computation overhead
- Storage measurement and comparison
(Figure: key storage overhead (# keys) of other schemes versus TrueNet worst case and TrueNet average on the AT&T, Sprint, L3, Verio, VSNL (India), Telstra and I2 topologies; storage overhead in bytes, log scale up to 1e+09, of Stat. FL monitoring state, Stat. FL key storage and TrueNet at the ATL, CHI, HOU, KAN, LA, NYC, SLC, SEA and WAS PoPs and on average.)

Slide 26: Roadmap: neighborhood monitoring: DynaFL
X. Zhang, C. Lan, A. Perrig, Oakland 12

Slide 27: (Re)Revisiting the Path-based Approach
- TrueNet's view: lack of a trust relationship! Solution: hardware support, which is vulnerable to hardware attacks
- From another perspective: operating at the granularity of paths! Per-source key, per-path state! Requires static path knowledge and stability!
(Figure: Alice → R1 → R2 → R3 → R4 → R5 → Rd → Bob; "R3 inconsistent with R4. Fault!")

Slide 28: Alternative: Neighborhood-based
- Goals: localize the fault to a 1-hop neighborhood; path-obliviousness! dynamic path support! constant router state: O(1) key storage
(Figure: neighborhoods N(r), N(s) and N(a) around routers r, s and a, with neighbors p, q, i, j, b and c.)

Slide 29: High-level Steps (a first version, with security holes and performance issues)
- Record: each router records a traffic summary per neighbor and direction (r→s, t→s, s→r, s→t)
- Report: the summaries go to an Admin Controller (AC)
- Detection: the AC checks N(s), i.e., whether r→s + t→s matches s→r + s→t

Slide 30: Challenges
- Defend against modification attacks: authenticating packets?! Fingerprinting data structure, e.g., Bloom filter or sketch
- Fingerprinting without different secret keys, or with different secret keys (H_{K_r}, H_{K_t}): who will get the packet, p, q, or t? Reporting overhead. Dilemma!

Slide 31: DynaFL Key Ideas
- Synchronous epochs
- The AC holds K_s and K_f; each router computes a crypto hash of every packet exchanged with each neighbor (r→s, t→s, s→r and s→t packet hashes) and the per-neighbor summaries are fingerprinted under K_f
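The record, report and detection steps of slides 29 to 31, as an added example that is not part of the talk or the DynaFL implementation: each router keeps a keyed count sketch of the packet hashes per neighbor and direction for one epoch, and the AC checks flow conservation in N(s) and cross-checks each link from both endpoints' reports, tolerating natural loss but flagging a router that drops, modifies, or under-reports. The r–s–t topology, the 10% misbehavior rates, the sketch width W, and K_f being held by both routers and AC are constructed assumptions of this example.

```python
import hashlib
import hmac
import random

W = 1024  # sketch width in buckets (a constructed choice)


def pkt_hash(payload):
    """Crypto hash of the packet as seen on the wire; each router computes this per packet."""
    return hashlib.sha256(payload).digest()[:8]


class Sketch:
    """Count sketch of a multiset of packet hashes. Bucket and sign come from a PRF keyed with
    the fingerprint key K_f (assumed here to be shared by the routers and the AC), so a router
    cannot engineer collisions. Sketches are linear: sketch(A) - sketch(B) = sketch(A - B)."""

    def __init__(self, k_f, epoch, counters=None, n=0):
        self.k_f, self.epoch = k_f, epoch
        self.c = counters if counters is not None else [0] * W
        self.n = n  # number of packets summarised (reported alongside the sketch)

    def add(self, h):
        t = hmac.new(self.k_f, self.epoch + h, hashlib.sha256).digest()
        self.c[int.from_bytes(t[:2], "big") % W] += 1 if t[2] & 1 else -1
        self.n += 1

    def __add__(self, other):
        return Sketch(self.k_f, self.epoch, [a + b for a, b in zip(self.c, other.c)], self.n + other.n)

    def __sub__(self, other):
        return Sketch(self.k_f, self.epoch, [a - b for a, b in zip(self.c, other.c)], self.n - other.n)

    def mismatch_estimate(self):
        """||sketch||_2^2 estimates how many packets are in the symmetric difference."""
        return sum(v * v for v in self.c)


def run_epoch(k_f, epoch, n_pkts, natural_loss, s_behaviour, seed=0):
    """Constructed topology r - s - t: traffic enters at r, transits s, leaves at t. Each router
    keeps one per-neighbour summary per direction. s_behaviour is "honest", "drop" (s silently
    drops 10%), "modify" (s alters 10%) or "lie" (s drops 10% and omits them from its report)."""
    rng = random.Random(seed)
    routers = {"r": {"in": {}, "out": {"s": Sketch(k_f, epoch)}},
               "s": {"in": {"r": Sketch(k_f, epoch)}, "out": {"t": Sketch(k_f, epoch)}},
               "t": {"in": {"s": Sketch(k_f, epoch)}, "out": {}}}
    for i in range(n_pkts):
        h = pkt_hash(b"constructed packet %d" % i)
        routers["r"]["out"]["s"].add(h)
        if rng.random() < natural_loss:  # lost on link r-s
            continue
        if s_behaviour == "lie" and rng.random() < 0.10:
            continue  # dropped by s and never recorded, so s's own counts still balance
        routers["s"]["in"]["r"].add(h)
        if s_behaviour == "drop" and rng.random() < 0.10:
            continue
        if s_behaviour == "modify" and rng.random() < 0.10:
            h = pkt_hash(b"tampered packet %d" % i)
        routers["s"]["out"]["t"].add(h)
        if rng.random() < natural_loss:  # lost on link s-t
            continue
        routers["t"]["in"]["s"].add(h)
    return routers


def ac_check(routers, k_f, epoch, tolerance):
    """The AC's detection step. Flow conservation in N(s): what s reports receiving from all
    neighbours must match what it reports sending, up to tolerance * packets; ingress and egress
    routers (no in or no out summaries) are skipped. Then each directed link is cross-checked
    from both endpoints' reports: a disagreement pins the fault to that 1-hop neighbourhood,
    not to a single culprit, which is the precision the slides claim."""
    findings = []
    for name, tbl in routers.items():
        if tbl["in"] and tbl["out"]:
            total_in = sum(tbl["in"].values(), Sketch(k_f, epoch))
            total_out = sum(tbl["out"].values(), Sketch(k_f, epoch))
            if (total_in - total_out).mismatch_estimate() > tolerance * total_in.n:
                findings.append(("neighborhood", name))
    for a, tbl in routers.items():
        for b, sent in tbl["out"].items():
            got = routers[b]["in"].get(a)
            if got is not None and (sent - got).mismatch_estimate() > tolerance * sent.n:
                findings.append(("link", a, b))
    return findings


if __name__ == "__main__":
    K_F, EPOCH = b"constructed K_f", b"epoch-1"
    for behaviour in ("honest", "drop", "modify", "lie"):
        print(behaviour, ac_check(run_epoch(K_F, EPOCH, 10000, 0.01, behaviour), K_F, EPOCH, 0.03))
```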
Slide 32: DynaFL Analysis
- Benefits and tradeoffs: path obliviousness! dynamic path support; per-neighbor state with O(1) key storage; localization precision and path diversion!
- Security analysis (e.g., against collusion attacks)
- Evaluation: storage ~500 KB per neighbor! reporting bandwidth < 0.1%! detection delay ~50000 packets!

Slide 33: Summary and Comparison
Performance (protocol: storage; communication; computation; deployability):
- PAAI: per-path state; 3%; per-packet PRF; loose time sync
- ShortMAC: per-path state; < 0.1%; per-packet MAC; change packet header
- TrueNet: per-neighbor state; < 0.1%; per-packet MAC; change packet header, requires TPMs
- DynaFL: per-neighbor state; < 0.1%; per-packet hash; loose time sync
Security (protocol: detection delay; forwarding correctness; precision; global sharing?), with the detection delays in packets not legible in the transcription:
- PAAI: pkts; 95%; link; no
- ShortMAC: pkts; 95%; link; no
- TrueNet: pkts; 95%; link (software attacks only); yes
- DynaFL: pkts; 95%; 1-hop neighborhood; yes
Slide 34: Conclusion
- Fault localization plays an important role in achieving high availability: determining and localizing malicious behavior enables avoiding malicious nodes
- A trusted network core can assist fault localization: trusted computing can greatly simplify fault localization, and nodes can rely on the trusted core for highly available forwarding
- Challenge: how to extend fault localization to Internet scale. It is applicable to the local networks considered in this research, but generalization to the Internet is an open problem

Slide 35: Thanks to ARO for generous support!
Research highlights from this MURI (28 papers total in my group):
- Key establishment: MiB: SenSys 08, U.S. Patent 8,150,037 issued 3 April 2012; SAKE: DCOSS 08
- Secure group key establishment: GAnGS, MobiCom 2008; SPATE, MobiSys 2009 (best paper award); SafeSlinger
- Fault localization: Xin Zhang's thesis; the 4 papers described in this talk
P 5 : A Protocol for Scalable Anonymous Communications 1 P 5 : A Protocol for Scalable Anonymous Communications Rob Sherwood, Bobby Bhattacharjee, Aravind Srinivasan University of Maryland, College Park
More informationMissing pieces + Putting the pieces together
Missing pieces + Putting the pieces together CS 168, Fall 2014 Sylvia Ratnasamy Material thanks to Ion Stoica, Scott Shenker, Jennifer Rexford, Nick McKeown, and many other colleagues Today Switched Ethernet
More informationLHAP: A Lightweight Hop-by-Hop Authentication Protocol For Ad-Hoc Networks
LHAP: A Lightweight Hop-by-Hop Authentication Protocol For Ad-Hoc Networks Sencun Zhu 1 Shouhuai Xu 2 Sanjeev Setia 1 Sushil Jajodia 1,3 1 Center for Secure Information Systems, George Mason University,
More informationIntroduc)on to Computer Networks
Introduc)on to Computer Networks COSC 4377 Lecture 9 Spring 2012 February 15, 2012 Announcements HW4 due today Start working on HW5 In- class student presenta)ons TA office hours this week TR 1030a 100p
More informationOn Demand secure routing protocol resilient to Byzantine failures
On Demand secure routing protocol resilient to Byzantine failures Primary Reference: B. Awerbuch, D. Holmer, C. Nita-Rotaru, and H. Rubens, An on-demand secure routing protocol resilient to Byzantine failures,
More informationINSTRUCTIONS TO CANDIDATES
NATIONAL UNIVERSITY OF SINGAPORE SCHOOL OF COMPUTING FINAL EXAMINATION FOR Semester 2 AY2012/2013 Introduction to Computer Networks April 2013 Time Allowed 2 hours INSTRUCTIONS TO CANDIDATES 1. This exam
More informationWireless Network Security Spring 2013
Wireless Network Security 14-814 Spring 2013 Patrick Tague Class #19 Location Privacy & Tracking Agenda Location privacy and tracking Implications / risks of location information Location privacy and anonymity
More informationSecure Server Project. Xen Project Developer Summit 2013 Adven9um Labs Jason Sonnek
Secure Server Project Xen Project Developer Summit 2013 Adven9um Labs Jason Sonnek 1 Outline I. Mo9va9on, Objec9ves II. Threat Landscape III. Design IV. Status V. Roadmap 2 Mo9va9on In a nutshell: Secure
More informationSoK: A Study of Using Hardwareassisted. Environments for Security. Fengwei Zhang and Hongwei Zhang. Wayne State University Detroit, Michigan, USA
SoK: A Study of Using Hardwareassisted Isolated Execu
More informationInternet Layers. Physical Layer. Application. Application. Transport. Transport. Network. Network. Network. Network. Link. Link. Link.
Internet Layers Application Application Transport Transport Network Network Network Network Link Link Link Link Ethernet Fiber Optics Physical Layer Wi-Fi ARP requests and responses IP: 192.168.1.1 MAC:
More informationSafely Measuring Tor. Rob Jansen U.S. Naval Research Laboratory Center for High Assurance Computer Systems
Safely Measuring Tor Safely Measuring Tor, Rob Jansen and Aaron Johnson, In the Proceedings of the 23rd ACM Conference on Computer and Communication Security (CCS 2016). Rob Jansen Center for High Assurance
More informationSecure Routing in Wireless Sensor Networks: Attacks and Countermeasures
Secure Routing in Wireless Sensor Networks: Attacks and Countermeasures By Chris Karlof and David Wagner Lukas Wirne Anton Widera 23.11.2017 Table of content 1. Background 2. Sensor Networks vs. Ad-hoc
More informationLecture 6: Multicast
Lecture 6: Multicast Challenge: how do we efficiently send messages to a group of machines? Need to revisit all aspects of networking Last time outing This time eliable delivery Ordered delivery Congestion
More informationWireless Network Security Spring 2011
Wireless Network Security 14-814 Spring 2011 Patrick Tague Feb 1, 2011 SURVEY: Physical Layer Security Announcements HW #1 is posted on main class website Due 2/10 @ 11:59pm (PST) Office hours on 2/1 will
More informationMetrics for Security and Performance in Low-Latency Anonymity Systems
Metrics for Security and Performance in Low-Latency Anonymity Systems Tor user Entry node Tor Network Middle node Exit node Bandwidth per node (kb/s) (log scale) 1e+01 1e+03 1e+05 Encrypted tunnel Web
More informationWireless Network Security Spring 2015
Wireless Network Security Spring 2015 Patrick Tague Class #10 Network Layer Threats; Identity Mgmt. 2015 Patrick Tague 1 Class #10 Summary of wireless network layer threats Specific threats related to
More informationPrivCount: A Distributed System for Safely Measuring Tor
PrivCount: A Distributed System for Safely Measuring Tor Rob Jansen Center for High Assurance Computer Systems Invited Talk, October 4 th, 2016 University of Oregon Department of Computer and Information
More informationAuthors: Mark Handley, Vern Paxson, Christian Kreibich
Network Intrusion Detection: Evasion, Traffic Normalization, and End-to-End Protocol Semantics Authors: Mark Handley, Vern Paxson, Christian Kreibich Exploitable Ambiguities NIDS does not have full range
More informationNetwork Security. Tadayoshi Kohno
CSE 484 (Winter 2011) Network Security Tadayoshi Kohno Thanks to Dan Boneh, Dieter Gollmann, John Manferdelli, John Mitchell, Vitaly Shmatikov, Bennet Yee, and many others for sample slides and materials...
More information