Browsing by Author "Dr. Douglas S. Reeves, Committee Chair"
- Detection of Denial of QoS Attacks on DiffServ Networks (2002-08-21). Mahadik, Vinay A.; Dr. Douglas S. Reeves, Committee Chair; Dr. Peng Ning, Committee Member; Dr. Jon Doyle, Committee Member; Dr. Gregory Byrd, Committee Member
  In this work, we describe a method of detecting denial of Quality of Service (QoS) attacks on Differentiated Services (DiffServ) networks. Our approach focuses on real-time and quick detection, scalability to large networks, and a negligible false alarm generation rate. This is the first comprehensive study on DiffServ monitoring. Our contributions to this research area are:
  1. We identify several potential attacks, develop/use research implementations of each on our testbed and investigate their effects on the QoS-sensitive network flows.
  2. We study the effectiveness of several anomaly detection approaches; we select and adapt SRI's NIDES statistical inference algorithm and the EWMA Statistical Process Control technique for use in our anomaly detection engine.
  3. We then emulate a Wide Area Network on our testbed. We measure the effectiveness of our anomaly detection system in detecting the attacks and present the results obtained as a justification of our work.
  4. We verify our findings through simulation of the network and the attacks on NS2 (the Network Simulator, version 2).
  We believe that given the results of the tests with our implementation of the attacks and the detection system, further validated by the simulations, the method is a strong candidate for QoS-intrusion detection for a low-cost commercial deployment.
- A Floor Control Protocol For SIP-Based Multimedia Conferences (2003-04-01). Gupta, Prashant; Dr. Peng Ning, Committee Member; Dr. Douglas S. Reeves, Committee Chair; Dr. Mladen A. Vouk, Committee Member
  The purpose of this research is to define a protocol to regulate resources among participants in SIP-based centralized multimedia conferences. Centralized conferences are typical of contemporary conferencing architectures. SIP is emerging as the signaling protocol of choice for multimedia multiparty sessions. An important problem that needs to be addressed in such sessions is that of controlling and ordering access to multimedia resources among participants. This is also known as floor control. There is, to the best of our knowledge, no standardized protocol that addresses the problem of floor control, though there is one other competing proposal in the pipeline. The work in this thesis proposes a set of primitives that solve the above problem for a variety of situations. We present a comparison of the approach taken in this thesis and the existing proposal. We have developed software that realizes a subset of the primitives as a preliminary proof of concept of the proposed protocol.
- Maximizing Service Coverage of Adaptive Services in Wireless Mobile Ad-Hoc Networks using Non-Clustering Approach (2003-05-11). Thangavelu, Krithiga; Dr. Douglas S. Reeves, Committee Chair; Dr. Munindar P. Singh, Committee Member; Dr. Gregory T. Byrd, Committee Member
  Wireless Mobile Ad-hoc Networks are characterized by dynamic network topology and lack of network infrastructure. The network fragments into smaller networks and merges over a period of time due to mobility. This makes provisioning solutions to common network problems, like routing and QoS provisioning, a challenging task. Services in ad-hoc networks face two-fold problems. Making nodes aware of the availability and the location of services in a dynamically changing network is difficult, especially when such services are not tightly coupled with a fixed infrastructure. Servers may come and leave the network. Nodes may shut down services to conserve energy. The problem is further exacerbated by the limitations posed by the wireless network on the bandwidth and by the limited computational capability of the wireless devices. This thesis addresses the problem of providing continuous and guaranteed access to such centralized services in a mobile wireless ad-hoc network. A distributed algorithm based on the exchange of service provider information is proposed to solve the problem. The previous work addressing the same problem assumes that the nodes move in long-term groups. Our solution does not make this assumption and targets arbitrary motion. So, no attempt is made to correlate the movement of the nodes in order to solve the problem. In this thesis, we illustrate that our approach achieves higher service availability than the previous methods at the cost of a higher number of service instances. The proposed algorithm converges after a time period equivalent to the average propagation delay of the service instance information from a service provider to its reachable nodes.
  The computational and communication complexity of the algorithm is theoretically proved to be O(s log n) and O(n_g²), where s is the number of service instances, n is the number of nodes in the ad-hoc network and n_g is the average number of nodes in a connected component of the graph formed by the nodes in the ad-hoc network. The service cost incurred in providing the necessary service coverage is proved through simulation to be in the order of the number of connected components in the graph formed by the nodes in the ad-hoc network. Simulation results are used to prove that the algorithm provides for maximum service coverage independent of the mobility pattern of the nodes in the ad-hoc network.
- Mobile Movement Patterns and Applications in Wireless Networks (2008-08-21). Feng, Fang; Dr. Arne A. Nilsson, Committee Member; Dr. Douglas S. Reeves, Committee Chair; Dr. Wenye Wang, Committee Member; Dr. Matthias Stallmann, Committee Member
  In a real-life wireless network, the logical movements of mobile nodes are not purely random. Movements of individual mobile nodes have intrinsic patterns determined by regular activities of individual persons. Regularities in people's group activities also introduce patterns in the co-location behavior of multiple mobile nodes. Mobile nodes are able to predict their future behavior using history information, and prediction results can be used to expedite network management processes and reduce the required overhead. Our research focuses on characterization and applications of movement and co-location patterns. echanism with movement prediction for wireless IP networks. Each mobile node records movement history information, and predicts its next subnet before the actual movement. It explicitly notifies the current foreign agent to duplicate and forward packets to the predicted subnet. Simulation with a real-life wireless network trace shows that the latency of network-layer handoff and the amount of packet loss are greatly reduced, with only a limited overhead in packet duplication and forwarding. The topology matching issue for mobile peer-to-peer networks is also investigated, and a Local Topology Cache mechanism is designed to expedite topology matching for overlay topology optimization and reduce the associated overhead. As mobile nodes have patterns in their movement and interaction, the physical network topology nearby might be similar for a mobile node's two consecutive visits to a subnet. The mobile node caches the information of topologically matched P2P neighbors and reuses them when returning to the subnet, without probing the network again.
  We simulate this scheme with a real-life wireless network trace, and find that the caching mechanism can greatly reduce network probing overhead, while achieving similar efficiency of the P2P overlay topology. We further investigate the co-location behavior of multiple mobile nodes. People's regular interactions determine that co-location of mobile nodes has regularities. Using real-life wireless network traces, we measure the characteristics of mobile nodes' co-location, and show that co-location has patterns and is repetitive, which provides the basis of co-location prediction. A Markov-family model is used to dynamically model the co-location behavior, and a fully distributed co-location prediction method using only a mobile node's own movement trace and co-location history is proposed. The effectiveness of this co-location prediction method is demonstrated with simulations based on real-life wireless network activity traces. We also utilize the co-location prediction method in the construction of the peer-to-peer overlay in a wireless network, and show that it can construct a peer-to-peer overlay as efficient as topology matching techniques, without probing the physical network. This demonstrates that co-location prediction can indeed expedite network management and reduce the associated overhead.
- Preventing Denial of Service Attacks on Reliable Multicast Networks (2002-12-17). Shah, Nipul Jayvant; Dr. Douglas S. Reeves, Committee Chair; Dr. Peter Wurman, Committee Member; Dr. Peng Ning, Committee Member
  Multicast is finding a lot of application in modern day networks and the Internet. There are various existing protocols that support the wide range of requirements demanded by these applications. If all the receivers in a multicast group are required to get all the packets at more or less the same time (i.e. synchronized reliable receiving), then the transmission rate of the source ends up being controlled by the rate of the slowest receiver in this group. Although this is a requisite in some applications, it poses a serious threat to the group. In other words, if one or more receivers were to artificially create a packet loss, then the source would be busy sending repairs and would consequently slow down the overall transmission rate. This leads to a Denial of Service attack on the other group members. The goal of this thesis is to suggest a mechanism to deter, if not prevent, the hostile receiver(s) from causing such an attack. We first study the problem with respect to a specific reliable multicast protocol, viz. Pragmatic Generic Multicast (PGM), by conducting experiments which prove that PGM is also affected by the 'slowest receiver problem'. If the source can work out an optimum transmitting rate, we may be able to reduce the repair requests in the network and have a more stable system. To achieve this, we look at the possibilities and advantages of using an auction-based mechanism, such as the Generalized Vickrey Auction (GVA), to compute the optimum rate based on the rate requests from the various participating receivers. We implement our mechanism in PGM and conduct experiments in order to compare its performance to that of the existing PGM protocol.
  Our results prove that for a network having malicious members, an appropriate auction-based mechanism complemented with policing stabilizes the source transmission rate and hence prevents a Denial of Service attack on other group members.
- Preventing Misbehavior in Cooperative Distributed Systems (2009-12-01). Shin, Kyuyong; Dr. Douglas S. Reeves, Committee Chair; Dr. Injong Rhee, Committee Co-Chair; Dr. George N. Rouskas, Committee Member; Dr. Peng Ning, Committee Member
  Cooperative distributed systems are becoming increasingly popular as alternatives to the traditional client-server model for many applications, including file sharing, streaming, and distributed computing. In cooperative distributed systems, participants directly cooperate with each other to achieve common goals by sharing resources without the need of any central control. Therefore, in contrast to the client-server model, the system capacity potentially scales as the number of participants in a system increases, providing the participants with information or services with few resource restrictions. The information or services provided by the system can be thought of as a public good, and participants should play a part in the protection and provision of the public good. Thus, cooperation among participants to obtain mutual benefits is the fundamental premise behind the success of such a system. In spite of the importance of cooperation among participants to protect and support the public goods in cooperative distributed systems, a high level of informational integrity of the goods and behavioral integrity of participants toward the goods is difficult to achieve due to malicious or selfish participants. Because such malicious or selfish behavior was not anticipated at the inception of cooperative distributed applications, they are highly vulnerable to such behavior. To address the problem, in this dissertation, we identify two major threats (i.e., pollution and free-riding) to the protection and provision of the public goods, and propose tailored solutions to those specific threats.
  In addition, a general, fairness-enforcing incentive mechanism is proposed to foster cooperation among participants, which could be readily used to prevent various misbehaviors in a wide range of cooperative distributed systems. Firstly, this dissertation investigates the pollution problem in file sharing systems, and proposes a novel Distributed Hash Table (DHT)-based anti-pollution scheme called winnowing. Winnowing attempts to achieve a high level of informational integrity of the public goods (i.e., shared files in this case) through cooperation among (benign) participants. To attain the goal, publish verification and privacy-preserving object reputation are integrated into the DHT as a part of the publish and look-up processes. Secondly, this dissertation presents a free-riding prevention mechanism in one of the most famous file sharing systems (i.e., BitTorrent), which depends on the use of secret sharing. By employing secret sharing in file sharing, the proposed scheme, called Treat-Before-Trick (TBeT), enforces cooperation among participants by restricting uncooperative participants from the acquisition of secrets required to complete their work. Therefore, a high level of behavioral integrity on the part of participants toward the public goods can be achieved under TBeT. Finally, this dissertation proposes a general incentive mechanism which can be readily and widely used in many cooperative distributed systems to enforce cooperation among participants, named Triangle Chaining (T-Chain). T-Chain strongly depends both on the use of light-weight symmetric cryptography to reduce the opportunity for free-riding, and on the pay-it-forward policy to exploit the potential of multi-lateral participant compatibility.
- Tracing Intruders behind Stepping Stones (2005-08-06). Wang, Xinyuan; Dr. Douglas S. Reeves, Committee Chair; Dr. Peng Ning, Committee Member; Dr. George N. Rouskas, Committee Member; Dr. Gregory T. Byrd, Committee Member
  Network-based intruders seldom attack directly from their own hosts but rather stage their attacks through intermediate 'stepping stones' to conceal their identity and origin. To track down and apprehend those perpetrators behind stepping stones, it is critically important to be able to correlate connections through stepping stones. Tracing intruders behind stepping stones and correlating intrusion connections through stepping stones are challenging due to various readily available evasive countermeasures by intruders:
  - Installing and using backdoor relays (i.e. netcat) at intermediate stepping stones to evade logging of normal logins.
  - Using different types of connections (i.e. TCP, UDP) at different portions of the connection chain through stepping stones to complicate connection matching.
  - Using encrypted connections (with different keys) across stepping stones to defeat any content-based comparison.
  - Introducing timing perturbation at intermediate stepping stones to counteract timing-based correlation of encrypted connections.
  In this dissertation, we address these challenges in detail and design solutions to them. For unencrypted intrusion connections through stepping stones, we design and implement a novel intrusion tracing framework called Sleepy Watermark Tracing (SWT), which applies principles of steganography and active networking. SWT is "sleepy" in that it does not introduce overhead when no intrusion is detected. Yet it is "active" in that when an intrusion is detected, the host under attack will inject a watermark into the backward connection of the intrusion, and wake up and collaborate with intermediate routers along the intrusion path.
  Our prototype shows that SWT can trace back to the trustworthy security gateway closest to the origin of the intrusion, with only a single packet from the intruder. With its unique active tracing, SWT can even trace when intrusion connections are idle. Encryption of connections through stepping stones defeats any content-based correlation and makes correlation of intrusion connections more difficult. Based on inter-packet timing characteristics, we develop a novel correlation scheme for both encrypted and unencrypted connections. We show that (after some filtering) inter-packet delays (IPDs) of both encrypted and unencrypted interactive connections are preserved across many router hops and stepping stones. The effectiveness of IPD-based correlation requires that timing characteristics be distinctive enough to identify connections. We have found that normal interactive connections such as telnet, SSH and rlogin are almost always distinctive enough to provide correct correlation across stepping stones. The timing perturbation of packet flows at intermediate stepping stones poses an additional challenge in correlating encrypted connections through stepping stones. The timing perturbation could either make unrelated flows have similar timing characteristics or make related flows exhibit different timing characteristics, which would either increase the false positive rate or decrease the true positive rate of timing-based correlation. To address this new challenge, we develop a novel watermark-based correlation scheme that is designed to be specifically robust against such kinds of timing perturbation. The idea is to actively embed a unique watermark into the flow by slightly adjusting the timing of selected packets of the flow. If the embedded watermark is unique enough and robust enough against the timing perturbation by the adversary, the watermarked flow can be uniquely identified and thus effectively correlated.
  By utilizing redundancy techniques, we develop a robust watermark correlation framework that reveals a rather surprising result on the inherent limits of independent and identically distributed (iid) random timing perturbations over sufficiently long flows. We also identify the tradeoffs between the defining characteristics of the timing perturbation and the achievable correlation effectiveness. Our experiments show that our watermark-based correlation performs significantly better than existing passive timing-based correlation in the face of random timing perturbation. In this research, we learn some general lessons about tracing and correlating intrusion connections through stepping stones. Specifically, we demonstrate the significant advantages of the active correlation approach over passive correlation approaches in the presence of active countermeasures. We also demonstrate that information hiding and redundancy techniques can be used to build highly effective intrusion tracing and correlation frameworks.
- Voice Over IP Performance Diagnosis (2002-11-18). Adhikari, Akshay Arun; Dr. George N. Rouskas, Committee Member; Dr. Wushow Chou, Committee Member; Dr. Douglas S. Reeves, Committee Chair
  We investigate a framework for assessing the readiness of a network to support Voice over IP (VoIP) at the pre-deployment stage. In this framework, VoIP traffic is synthesized on the network, while simultaneously monitoring the health of network devices and links using the Simple Network Management Protocol (SNMP). Using this framework, we try to understand whether SNMP can be used to detect which network links or devices, if any, cause poor VoIP quality. First, we investigate the limitations of the end-to-end VoIP quality measurement and SNMP measurement framework used in lab experiments. We quantify the errors in end-to-end VoIP quality measurements, and in SNMP measurements, so that these errors can be taken into account depending on the application at hand. Next, we use our lab experiments to understand how VoIP performance metrics like delay and loss are affected by the offered load on a link. From our initial experiments with faulty synthetic traffic generators, we find that even at low utilization, bursty network traffic can significantly degrade VoIP quality, and small-timescale measurements, which are impractical with SNMP, are required to detect the problems. However, using realistic emulation of network traffic in the lab, we find that when network problems are severe and last for long periods of time, they can be easily detected using SNMP. We also present a case study of VoIP assessment data collected from a real network, where we again successfully used SNMP to detect the network links that caused poor quality.
