System and Process for Providing Auxiliary Information for a Packet-Switched Network of Shared Nodes Using Dedicated Associative Store

A system and process for providing auxiliary information about a distributed network of shared nodes, at least a plurality of the nodes being adapted for receiving at least one type of ESP-(associative ephemeral store processing) packet. Available for access at each of the plurality of ESP-adapted nodes is a dedicated associative store wherein a value, if bound to a tag, is only accessible as a bound (tag, value) pair for a short time period, τ. Different types of packets are contemplated for routing through the ESP-capable plurality of nodes such as those arbitrarily identified herein as a ‘first’ and ‘second’ type: each first type packet has at least one field comprising an opcode identifying an instruction, and a tag; each second type packet has an opcode identifying an instruction an LOC field containing an identifier of a location for execution of an operand by the second packet instruction at any one of the ESP-capable plurality of nodes. In another aspect, each of the ESP-capable plurality of nodes has input and output port units and a centralized unit; an associative store may be dedicated to one or more of the port units as well as to the centralized location

Processor Microarchitecture for Implementation of Ephemeral State Processing within Network Routers

The evolving concept of Ephemeral State Processing (ESP) is overviewed. ESP allows development of new scalable end-to-end network user services. An evolving macro-level language is being developed to support ESP at the network node level. Three approaches for implementing ESP services at network routers can be considered. One approach is to use the existing processing capability within commercially available network routers. Another approach is to add a small scale existing ASIC based general-purpose processor to an existing network router. This thesis research concentrates on a third approach of developing a special-purpose programmable Ephemeral State Processor (ESPR) Instruction Set Architecture (ISA) and implementing microarchitecture for deployment within each ESP-capable node to implement ESP service within that node. A unique architectural characteristic of the ESPR is its scalable and temporal Ephemeral State Store (ESS) associative memory, required by the ESP service for storage/retrieval of bounded (short) lifetime ephemeral (tag, value) pairs of application data. The ESPR will be implemented to Programmable Logic Device (PLD) technology within a network node. This offers advantages of reconfigurability, in-field upgrade capability and supports the evolving growth of ESP services. Correct functional and performance operation of the presented ESPR microarchitecture is validated via Hardware Description Language (HDL) post-implementation (virtual prototype) simulation testing. Suggestions of future research related to improving the performance of the ESPR rnicroarchitecture and experimental deployment of ESP are discussed

Categorising Network Telescope data using big data enrichment techniques

Network Telescopes, Internet backbone sampling, IDS and other forms of network-sourced Threat Intelligence provide researchers with insight into the methods and intent of remote entities by capturing network traffic and analysing the resulting data. This analysis and determination of intent is made difficult by the large amounts of potentially malicious traffic, coupled with limited amount of knowledge that can be attributed to the source of the incoming data, as the source is known only by its IP address. Due to the lack of commonly available tooling, many researchers start this analysis from the beginning and so repeat and re-iterate previous research as the bulk of their work. As a result new insight into methods and approaches of analysis is gained at a high cost. Our research approaches this problem by using additional knowledge about the source IP address such as open ports, reverse and forward DNS, BGP routing tables and more, to enhance the researcher's ability to understand the traffic source. The research is a BigData experiment, where large (hundreds of GB) datasets are merged with a two month section of Network Telescope data using a set of Python scripts. The result are written to a Google BigQuery database table. Analysis of the network data is greatly simplified, with questions about the nature of the source, such as its device class (home routing device or server), potential vulnerabilities (open telnet ports or databases) and location becoming relatively easy to answer. Using this approach, researchers can focus on the questions that need answering and efficiently address them. This research could be taken further by using additional data sources such as Geo-location, WHOIS lookups, Threat Intelligence feeds and many others. Other potential areas of research include real-time categorisation of incoming packets, in order to better inform alerting and reporting systems' configuration. In conclusion, categorising Network Telescope data in this way provides insight into the intent of the (apparent) originator and as such is a valuable tool for those seeking to understand the purpose and intent of arriving packets. In particular, the ability to remove packets categorised as non-malicious (e.g. those in the Research category) from the data eliminates a known source of `noise' from the data. This allows the researcher to focus their efforts in a more productive manner

Network traffic data analysis

The desire to conceptualize network traffic in a prevailing communication network is a facet for many types of network research studies. In this research, real traffic traces collected over trans-Pacific backbone links (the MAWI repository, providing publicly available anonymized traces) are analyzed to study the underlying traffic patterns. All data analysis and visualization is carried out using Matlab (Matlab is a trademark of The Mathworks, Inc.). At packet level, we first measure parameters such as distribution of packet lengths, distribution of protocol types, and then fit following analytical models. Next, the concept of flow is introduced and flow based analysis is studied. We consider flow related parameters such as top ports seen, duration of the flow, distribution of flow lengths, and number of flows with different timeout values and provide analytical models to fit the flow lengths. Further, we study the amount of data flowing between source-destination pairs. Finally, we focus on TCP-specific aspects of captured traces such as retransmissions and packet round-trip times. From the results obtained, we infer the Zipf-type nature of distribution for number of flows, heavy-tailness of flow sizes and the contribution of well-known ports at packet and flow level. Our study helps a network analyst to farther the knowledge and helps optimize the network resources, while performing efficient traffic engineering

Non-Trivial Off-Path Network Measurements without Shared Side-Channel Resource Exhaustion

Most traditional network measurement scans and attacks are carried out through the use of direct, on-path network packet transmission. This requires that a machine be on-path (i.e, involved in the packet transmission process) and as a result have direct access to the data packets being transmitted. This limits network scans and attacks to situations where access can be gained to an on-path machine. If, for example, a researcher wanted to measure the round trip time between two machines they did not have access to, traditional scans would be of little help as they require access to an on-path machine to function. Instead the researcher would need to use an off-path measurement scan. Prior work using network side-channels to perform off-path measurements or attacks relied on techniques that either exhausted the shared, finite resource being used as a side-channel or only measured basic features such as connectivity. The work presented in this dissertation takes a different approach to using network side-channels. I describe research that carries out network side-channel measurements that are more complex than connectivity, such as packet round-trip-time or detecting active TCP connections, and do not require a shared, finite resource be fully exhausted to cause information to leak via a side-channel. My work is able to accomplish this by understanding the ways in which internal network stack state changes cause observable behavior changes from the machine. The goal of this dissertation is to show that: Information side-channels can be modulated to take advantage of dependent, network state behavior to enable non-trivial, off-path measurements without fully exhausting the shared, finite resources they use

Analysis of OSPFv3 in LEO satellite networks

Communication via satellite networks is under continuous research and development as it offers many advances over traditional terrestrial networks such as global coverage, but has a major drawback to be solved, the problem of point-to-point routing. In this work we have developed a satellite network emulator using Linux containers, which has allowed us to analyze the behavior of the IP routing protocol OSPFv3 in this type of networks. Specifically, its behavior has been analyzed in the Iridium constellation, which is widely known and used in this type of studies. For this purpose, we have used files of the topology of these networks over time generated with the HypatiaSeam orbital propagator, a modification of Hypatia made by the SeamSAT research group of the UPC. This project is part of a more global project whose objective is to be able to use a network of LEO satellites for communication between aircraft and airspace control centers. This would make it possible to centralize the different control centers, since it would not be necessary for aircraft to be in direct range to communicate with these centers, but thanks to the global coverage provided by these networks, they could communicate from anywhere in the world. Specifically, in this project we have developed an emulation platform that has allowed us to analyze the behavior of the OSPFv3 protocol to find optimal routes, i.e., shortest distance in terms of the cost function of the protocol. We will present the design and implementation of the emulation platform as well as the analysis of OSPFv3 performance in terms of protocol convergence time to topology changes, number of hops between a satellite and a ground station, delay and loss rate

A middlebox-cooperative TCP for a non end-to-end Internet. In

ABSTRACT Understanding, measuring, and debugging IP networks, particularly across administrative domains, is challenging. One particularly daunting aspect of the challenge is the presence of transparent middleboxes-which are now common in today's Internet. In-path middleboxes that modify packet headers are typically transparent to a TCP, yet can impact end-to-end performance or cause blackholes. We develop TCP HICCUPS to reveal packet header manipulation to both endpoints of a TCP connection. HICCUPS permits endpoints to cooperate with currently opaque middleboxes without prior knowledge of their behavior. For example, with visibility into end-to-end behavior, a TCP can selectively enable or disable performance enhancing options. This cooperation enables protocol innovation by allowing new IP or TCP functionality (e.g., ECN, SACK, Multipath TCP, Tcpcrypt) to be deployed without fear of such functionality being misconstrued, modified, or blocked along a path. HICCUPS is incrementally deployable and introduces no new options. We implement and deploy TCP HICCUPS across thousands of disparate Internet paths, highlighting the breadth and scope of subtle and hard to detect middlebox behaviors encountered. We then show how path diagnostic capabilities provided by HICCUPS can benefit applications and the network