
    TOWARDS RELIABLE CIRCUMVENTION OF INTERNET CENSORSHIP

    The Internet plays a crucial role in today's social and political movements by facilitating the free circulation of speech, information, and ideas; democracy and human rights throughout the world critically depend on preserving and bolstering the Internet's openness. Consequently, repressive regimes, totalitarian governments, and corrupt corporations regulate, monitor, and restrict access to the Internet, a practice broadly known as Internet censorship. Most countries are improving their Internet infrastructure, and as a result they can implement more advanced censoring techniques. Advances in the application of machine learning to network traffic analysis have also enabled more sophisticated Internet censorship. In this thesis, we take a close look at the main pillars of Internet censorship and introduce new defenses and attacks to the Internet censorship literature. Internet censorship techniques inspect users' communications and can decide to interrupt a connection to prevent a user from communicating with a specific entity. Traffic analysis is one of the main techniques used to infer information from Internet communications. One of the major challenges for traffic analysis mechanisms is scaling the techniques to today's exploding volumes of network traffic, i.e., they impose high storage, communication, and computation overheads. We aim to address this scalability issue by introducing a new direction for traffic analysis, which we call compressive traffic analysis. Moreover, we show that, unfortunately, traffic analysis attacks can be conducted on anonymity systems with drastically higher accuracy than before by leveraging emerging learning mechanisms. We particularly design a system, called DeepCorr, that outperforms the state of the art by significant margins in correlating network connections. DeepCorr leverages an advanced deep learning architecture to learn a flow correlation function tailored to complex networks. To analyze the weaknesses of such approaches, we also show that an adversary can defeat deep-neural-network-based traffic analysis techniques by applying statistically undetectable adversarial perturbations to the patterns of live network traffic. We also design techniques to circumvent Internet censorship. Decoy routing is an emerging approach for censorship circumvention in which circumvention is implemented with help from a number of volunteer Internet autonomous systems, called decoy ASes. We propose a new architecture for decoy routing that, by design, is significantly more resistant to rerouting attacks than all previous designs. Unlike previous designs, our new architecture operates decoy routers only on the downstream traffic of the censored users; therefore we call it downstream-only decoy routing. As we demonstrate through Internet-scale BGP simulations, downstream-only decoy routing offers significantly stronger resistance to rerouting attacks, intuitively because a (censoring) ISP has much less control over the downstream BGP routes of its traffic. We then propose game-theoretic approaches to model the arms race between censors and censorship circumvention tools. This allows us to analyze the effect of different parameters or censoring behaviors on the performance of censorship circumvention tools. We apply our methods to two fundamental problems in Internet censorship. Finally, to bring our ideas to practice, we designed a new censorship circumvention tool called \name. \name aims at increasing the collateral damage of censorship by employing a "mass" of normal Internet users, from both censored and uncensored areas, to serve as circumvention proxies.

    Hybrid switching: converging packet and TDM flows in a single platform

    Optical fibers have brought fast and reliable data transmission to today's networks. The immense fiber build-out over the last few years has generated a wide array of new access technologies, transport and network protocols, and next-generation services in the Local Area Network (LAN), Metropolitan Area Network (MAN), and Wide Area Network (WAN). All these different technologies, protocols, and services were introduced to address particular telecommunication needs. To remain competitive in the market, service providers must offer most of these services while maintaining their own profitability. However, offering a large variety of equipment, protocols, and services poses a big challenge for service carriers because it requires a huge investment in different technology platforms, extensive staff training, and the management of all these networks. In today's networks, service providers use SONET (Synchronous Optical NETwork) as the basic TDM (Time Division Multiplexing) transport network. SONET was primarily designed to carry voice traffic from telephone networks. However, with the explosion of traffic on the Internet, the same SONET-based TDM network has been optimized to support the increasing demand for packet-based Internet services (data, voice, video, teleconferencing, etc.) in access networks and LANs. Therefore, service providers need to support their Internet Protocol (IP) infrastructure as well as the legacy telephony infrastructure. Supporting both TDM and packet services under present conditions requires multilayer operations, which are complex, expensive, and difficult to manage. A hybrid switch is a novel architecture that combines packet (IP) and TDM switching in a unified access platform and provides seamless integration of access networks and LANs with MAN/WAN networks. The ability to fully integrate these two capabilities in a single chassis will allow service providers to deploy a more cost-effective and flexible architecture that can support a variety of different services. This thesis develops a hybrid switch capable of offering bundled services for TDM switching and packet routing. This is done by dividing the switch's bandwidth into VT1.5 (Virtual Tributary-1.5) channels and providing SONET-based signaling for routing the data and controlling the switch's resources. The switch is a TDM-based architecture that allows each switch port to be independently configured for any mixture of packet and TDM traffic, including 100% packet and 100% TDM. This switch allows service providers to simplify their edge networks by consolidating the number of separate boxes needed to provide fast and reliable access. It also reduces the number of network management systems needed, and decreases the resources needed to install, provision, and maintain the network because of its ability to "collapse" two network layers into one platform. The scope of this thesis includes the system architecture, logic implementation, verification testing, and performance evaluation of the hybrid switch. The architecture consists of ingress/egress ports, an arbiter, and a crossbar. Data from ingress ports is carried to the egress ports via VT1.5 channels, which are switched at the cross points of the crossbar. The crossbar setup and channel assignments at the ingress ports are done by the arbiter. The design was tested by simulation and the hardware cost was estimated. The performance results showed that the switch is non-blocking, provides differentiated service, and has an overall effective throughput of 80%. This result is a significant step towards the goal of building a switch that can support multiple protocols and provide different network capabilities in one platform. The long-term goal of this project is to develop a prototype of the hybrid switch with broadband capability.

    ENERGY EFFICIENT WIRED NETWORKING

    This research proposes a new dynamic energy management framework for a backbone Internet Protocol over Dense Wavelength Division Multiplexing (IP over DWDM) network. Maintaining the logical IP-layer topology is a key constraint of our architecture whilst saving energy by infrastructure sleeping and virtual router migration. The traffic demand in a Tier 2/3 network typically has a regular diurnal pattern based on people's activities, which is high in working hours and much lighter during hours associated with sleep. When the traffic demand is light, virtual router instances can be consolidated onto a smaller set of physical platforms and the unneeded physical platforms can be put to sleep to save energy. As the traffic demand increases, the sleeping physical platforms can be re-awakened in order to host virtual router instances and so maintain quality of service. Since the IP-layer topology remains unchanged throughout virtual router migration in our framework, there is no network disruption or discontinuity when the physical platforms enter or leave hibernation. However, this migration places extra demands on the optical layer, as additional connections are needed to preserve the logical IP-layer topology whilst forwarding traffic to the new virtual router location. Consequently, dynamic optical connection management is needed for the new framework. Two important issues are considered in the framework: when to trigger the virtual router migration, and where to move the virtual router instances. For the first issue, a reactive mechanism is used to trigger the virtual router migration by monitoring the network state. Then, a new evolutionary-based algorithm called VRM_MOEA is proposed for solving the destination physical platform selection problem, which chooses the appropriate location of virtual router instances as traffic demand varies. A novel hybrid simulation platform is developed to measure the performance of the new framework, which is able to capture the functionality of the optical layer, the IP-layer data path, and the IP/optical control plane. Simulation results show that the network energy saving achieved depends on many factors, such as network topology, quiet and busy thresholds, and traffic load; however, savings of around 30% are possible with typical medium-sized network topologies.

    Modeling network traffic on a global network-centric system with artificial neural networks

    This dissertation proposes a new methodology for modeling and predicting network traffic. It features an adaptive architecture based on artificial neural networks and is especially suited for large-scale, global, network-centric systems. Accurate characterization and prediction of network traffic is essential for network resource sizing and real-time network traffic management. As networks continue to increase in size and complexity, the task has become increasingly difficult, and current methodology is not sufficiently adaptable or scalable. Current methods model network traffic with express mathematical equations, which are not easily maintained or adjusted. The accuracy of these models is based on detailed characterization of the traffic stream, which is measured at points along the network where the data is often subject to constant variation and rapid evolution. The main contribution of this dissertation is the development of a methodology that allows utilization of artificial neural networks with increased capability for adaptation and scalability. Application on an operating global broadband network, the Connexion by Boeing network, was evaluated to establish feasibility. A simulation model was constructed and testing was conducted with operational scenarios to demonstrate applicability on the case study network and to evaluate improvements in accuracy over existing methods. --Abstract, page iii

    Investigation of the tolerance of wavelength-routed optical networks to traffic load variations

    This thesis focuses on the performance of circuit-switched wavelength-routed optical networks under unpredictable traffic pattern variations. This characteristic of optical networks is termed traffic forecast tolerance. First, the increasing volume and heterogeneous nature of data and voice traffic is discussed. The challenges in designing robust optical networks to handle unpredictable traffic statistics are described. Other work relating to the same research issues is discussed. A general methodology to quantify the traffic forecast tolerance of optical networks is presented. A traffic model is proposed to simulate dynamic, non-uniform loads, and is used to test wavelength-routed optical networks over numerous network topologies. The number of wavelengths required and the effect of the routing and wavelength allocation algorithm are investigated. A new method of quantifying the network tolerance is proposed, based on the calculation of the increase in the standard deviation of the blocking probabilities with increasing traffic load non-uniformity. The performance of different networks is calculated and compared. The relationship between physical features of the network topology and traffic forecast tolerance is investigated. A large number of randomly connected networks of different sizes were assessed. It is shown that the average lightpath length and the number of wavelengths required for full interconnection of the nodes in static operation both exhibit a strong correlation with the network tolerance, regardless of the degree of load non-uniformity. Finally, the impact of wavelength conversion on network tolerance is investigated. Wavelength conversion significantly increases the robustness of optical networks to unpredictable traffic variations. In particular, two sparse wavelength conversion schemes are compared and discussed: distributed wavelength conversion and localized wavelength conversion. It is found that the distributed wavelength conversion scheme outperforms the localized wavelength conversion scheme, both under uniform loading and in terms of the network tolerance. The results described in this thesis can be used for the analysis and design of reliable WDM optical networks that are robust to future traffic demand variations.

    Design Issues of Reserved Delivery Subnetworks, Doctoral Dissertation, May 2006

    The lack of per-flow bandwidth reservation in today's Internet limits the quality of service that an information service provider can provide. This dissertation introduces the reserved delivery subnetwork (RDS), a mechanism that provides consistent quality of service by implementing aggregate bandwidth reservation. A number of design and deployment issues of RDSs are studied. First, the configuration problem of a single-server RDS is formulated as a minimum concave cost network flow problem, which properly reflects the economy of bandwidth aggregation but is also an NP-hard problem. To make the RDS configuration problem tractable, an efficient approximation heuristic, largest demands first (LDF), is presented and studied. In addition, performance improvements with local search heuristics are investigated. A traditional negative cycle reduction algorithm and a new negative bicycle reduction algorithm are applied and evaluated. The study of RDS configuration problems is then extended to multi-server RDSs. The configuration problem can be formulated similarly to the single-server RDS configuration problem; however, the major challenge of multi-server RDS configuration is the optimal server locations. A number of server placement algorithms are evaluated using simulations. The simulation results show that a class of greedy algorithms provides the best solutions. In addition to the configuration problem, a dynamic load redistribution mechanism is studied to improve tolerance to server failures. A configuration algorithm to build redistribution subnetworks is proposed and evaluated to deal with single server failures in a group of servers. Besides exclusive bandwidth access, there is potential to further improve end-to-end performance in an RDS, because end hosts can utilize knowledge about the underlying network to achieve better performance than in the ordinary Internet. These improvements are illustrated with a source traffic regulation technique that resolves the unbalanced bandwidth utilization problem in an RDS. A per-connection and an aggregated regulation algorithm for single-server and multi-server RDSs are presented and studied.