Методика верификации сетевых информационных потоков в информационно-телекоммуникационных системах со встроенными устройствами

The paper comprises a technique of information flow verification for information and telecommunication systems with embedded devices. The goal of the technique is to evaluate the security level of the constructed system and check the compliance between real information flows and the set policies. The conducted verification is based on model checking with the use of SPIN tool. Implementation of such verification is fulfilled at initial design stages and provides earlier detection of contradictions in the used security policy and inconsistencies between the network topology and requirements of the information system.В работе представлена методика верификации сетевых информационных потоков информационно-телекоммуникационных систем со встроенными устройствами. Цель методики – оценка защищенности разрабатываемой системы и проверка соответствия информационных потоков в реальной системе заданным политикам. Проводимая верификация базируется на методе «проверки на модели» с использованием программного средства SPIN. Верификация информационных потоков проводится на начальных этапах проектирования и обеспечивает более раннее обнаружение противоречий в используемой политике безопасности и несоответствий топологии сети требованиям информационно-телекоммуникационной системы

DDoS Attacks with Randomized Traffic Innovation: Botnet Identification Challenges and Strategies

Distributed Denial-of-Service (DDoS) attacks are usually launched through the $botnet$, an "army" of compromised nodes hidden in the network. Inferential tools for DDoS mitigation should accordingly enable an early and reliable discrimination of the normal users from the compromised ones. Unfortunately, the recent emergence of attacks performed at the application layer has multiplied the number of possibilities that a botnet can exploit to conceal its malicious activities. New challenges arise, which cannot be addressed by simply borrowing the tools that have been successfully applied so far to earlier DDoS paradigms. In this work, we offer basically three contributions: $i)$ we introduce an abstract model for the aforementioned class of attacks, where the botnet emulates normal traffic by continually learning admissible patterns from the environment; $ii)$ we devise an inference algorithm that is shown to provide a consistent (i.e., converging to the true solution as time progresses) estimate of the botnet possibly hidden in the network; and $iii)$ we verify the validity of the proposed inferential strategy over $real$ network traces.Comment: Submitted for publicatio

The Embedding Capacity of Information Flows Under Renewal Traffic

Given two independent point processes and a certain rule for matching points between them, what is the fraction of matched points over infinitely long streams? In many application contexts, e.g., secure networking, a meaningful matching rule is that of a maximum causal delay, and the problem is related to embedding a flow of packets in cover traffic such that no traffic analysis can detect it. We study the best undetectable embedding policy and the corresponding maximum flow rate ---that we call the embedding capacity--- under the assumption that the cover traffic can be modeled as arbitrary renewal processes. We find that computing the embedding capacity requires the inversion of very structured linear systems that, for a broad range of renewal models encountered in practice, admits a fully analytical expression in terms of the renewal function of the processes. Our main theoretical contribution is a simple closed form of such relationship. This result enables us to explore properties of the embedding capacity, obtaining closed-form solutions for selected distribution families and a suite of sufficient conditions on the capacity ordering. We evaluate our solution on real network traces, which shows a noticeable match for tight delay constraints. A gap between the predicted and the actual embedding capacities appears for looser constraints, and further investigation reveals that it is caused by inaccuracy of the renewal traffic model rather than of the solution itself.Comment: Sumbitted to IEEE Trans. on Information Theory on March 10, 201

Distributed Detection of Multi-Hop Information Flows With Fusion Capacity Constraints

The problem of detecting multihop information flows subject to communication constraints is considered. In a distributed detection scheme, eavesdroppers are deployed near nodes in a network, each able to measure the transmission timestamps of a single node. The eavesdroppers must then compress the information and transmit it to a fusion center, which then decides whether a sequence of monitored nodes are transmitting an information flow. A performance measure is defined based on the maximum fraction of chaff packets under which flows are still detectable. The performance of a detector becomes a function of the communication constraints and the number of nodes in the sequence. Achievability results are obtained by designing a practical distributed detection scheme, including a new flow finding algorithm that has vanishing error probabilities for a limited fraction of chaff packets. Converse results are obtained by characterizing the fraction of chaff packets sufficient for an information flow to mimic the distributions of independent traffic under the proposed compression scheme.National Science Foundation (U.S.) (Grant No. CCF-0635070)United States. Office of Naval Research (MURI W911NF-08-1-0238