140 research outputs found

    Strategic Alert Throttling for Intrusion Detection Systems

    Network intrusion detection systems are themselves becoming targets of attackers. Alert flood attacks may be used to conceal malicious activity by hiding it among a deluge of false alerts sent by the attacker. Although these types of attacks are very hard to stop completely, our aim is to present techniques that improve alert throughput and capacity to such an extent that the resources required to successfully mount the attack become prohibitive. The key idea presented is to combine a token bucket filter with a real-time correlation algorithm. The proposed algorithm throttles alert output from the IDS when an attack is detected. The attack graph used in the correlation algorithm is used to make sure that alerts crucial to forming strategies are not discarded by throttling.

    Data Reduction in Intrusion Alert Correlation

    Network intrusion detection sensors are usually built around low-level models of network traffic. This means that their output is of a similarly low level and, as a consequence, is difficult to analyze. Intrusion alert correlation is the task of automating some of this analysis by grouping related alerts together. Attack graphs provide an intuitive model for such analysis. Unfortunately, alert flooding attacks can still cause a loss of service on sensors, and when performing attack graph correlation there can be a large number of extraneous alerts included in the output graph. This obscures the fine structure of genuine attacks and makes them more difficult for human operators to discern. This paper explores modified correlation algorithms which attempt to minimize the impact of this attack.

    Quality of service differentiation for multimedia delivery in wireless LANs

    Delivering multimedia content to heterogeneous devices over a variable networking environment while maintaining high quality levels involves many technical challenges. The research reported in this thesis presents a solution for Quality of Service (QoS)-based service differentiation when delivering multimedia content over wireless LANs. This thesis has three major contributions, outlined below:
    1. A Model-based Bandwidth Estimation algorithm (MBE), which estimates the available bandwidth based on novel TCP and UDP throughput models over IEEE 802.11 WLANs. MBE has been modelled, implemented, and tested through simulations and real-life testing. In comparison with other bandwidth estimation techniques, MBE shows better performance in terms of error rate, overhead, and loss.
    2. An intelligent Prioritized Adaptive Scheme (iPAS), which provides QoS service differentiation for multimedia delivery in wireless networks. iPAS assigns dynamic priorities to the various streams and determines their bandwidth share by employing a probabilistic approach that makes use of stereotypes. The total bandwidth to be allocated is estimated using MBE. The priority level of an individual stream is variable and depends on stream-related characteristics and delivery QoS parameters. iPAS can be deployed seamlessly over the original IEEE 802.11 protocols and can be included in the IEEE 802.21 framework in order to optimize control signalling. iPAS has been modelled, implemented, and evaluated via simulations. The results demonstrate that iPAS achieves better performance than the equal channel access mechanism of IEEE 802.11 DCF and a service differentiation scheme on top of IEEE 802.11e EDCA, in terms of fairness, throughput, delay, loss, and estimated PSNR. Additionally, both objective and subjective video quality assessments have been performed using a prototype system.
    3. A QoS-based Downlink/Uplink Fairness Scheme, which uses the stereotype-based structure to balance the QoS parameters (i.e. throughput, delay, and loss) between downlink and uplink VoIP traffic. The proposed scheme has been modelled and tested through simulations. The results show that, in comparison with other downlink/uplink fairness-oriented solutions, the proposed scheme performs better in terms of VoIP capacity and fairness level between downlink and uplink traffic.

    Datacenter Traffic Control: Understanding Techniques and Trade-offs

    Datacenters provide cost-effective and flexible access to the scalable compute and storage resources necessary for today's cloud computing needs. A typical datacenter is made up of thousands of servers connected by a large network and usually managed by one operator. To provide quality access to the variety of applications and services hosted in datacenters and to maximize performance, it is necessary to use datacenter networks effectively and efficiently. Datacenter traffic is often a mix of several classes with different priorities and requirements, including user-generated interactive traffic, traffic with deadlines, and long-running traffic. To this end, custom transport protocols and traffic management techniques have been developed to improve datacenter network performance. In this tutorial paper, we review the general architecture of datacenter networks, the various topologies proposed for them, their traffic properties, general traffic control challenges in datacenters and general traffic control objectives. The purpose of this paper is to bring out the important characteristics of traffic control in datacenters, not to survey all existing solutions (which is virtually impossible given the massive body of existing research). We hope to provide readers with a wide range of options and factors to weigh when considering a variety of traffic control mechanisms. We discuss various characteristics of datacenter traffic control including management schemes, transmission control, traffic shaping, prioritization, load balancing, multipathing, and traffic scheduling. Next, we point to several open challenges as well as new and interesting networking paradigms. At the end of this paper, we briefly review inter-datacenter networks that connect geographically dispersed datacenters, which have been receiving increasing attention recently and pose interesting and novel research problems.
    Comment: Accepted for publication in IEEE Communications Surveys and Tutorials

    Study of architecture and protocols for reliable multicasting in packet switching networks

    Group multicast protocols have been challenged to provide scalable solutions that meet the following requirements: (i) reliable delivery from different sources to all destinations within a multicast group; (ii) congestion control among multiple asynchronous sources. Although it is mainly a transport-layer task, reliable group multicasting depends on routing architectures as well. This dissertation covers issues of both the network and transport layers. Two routing architectures, tree and ring, are surveyed with a comparative study of their routing costs and their impact on upper-layer performance. Correspondingly, two generic transport protocol models are established for the performance study. The tree-based protocol is rate-based and uses negative acknowledgment mechanisms for reliability control, while the ring-based protocol uses window-based flow control and positive acknowledgment schemes. The major performance measures observed in the study are network cost, multicast delay, throughput and efficiency. The results suggest that the tree architecture costs less at the network layer than the ring, and helps to minimize latency under light network load. Meanwhile, heavy-load reliable group multicasting can benefit from the ring architecture, which facilitates window-based flow and congestion control. Based on the comparative study, a new two-level hybrid architecture, Rings Interconnected with Tree Architecture (RITA), is presented. Here, a multicast group is partitioned into multiple clusters, with the ring as the intra-cluster architecture and the tree as the backbone architecture that implements inter-cluster multicasting. To compromise between performance measures such as delay and throughput, reliability and congestion control are accomplished at the transport layer with a hybrid use of rate- and window-based protocols, which are based on negative and positive feedback mechanisms respectively. Performance is compared by simulation against the tree- and ring-based approaches. The results are encouraging because RITA achieves throughput similar to the ring-based protocol, but with significantly lower delay. Finally, the multicast tree packing problem is discussed. In a network accommodating multiple concurrent multicast sessions, routing for an individual session can be optimized to minimize competition with other sessions, rather than to minimize cost or delay. A packing lower bound and a heuristic are investigated. Simulations show that congestion can be reduced effectively with a limited increase in routing cost.

    Contributions based on cross-layer design for quality-of-service provisioning over DVB-S2/RCS broadband satellite system

    Nowadays, geostationary (GEO) satellite infrastructure plays a crucial role in the provisioning of IP services. Such infrastructure provides ubiquity and broadband access, making it feasible to reach dispersed populations located in remote areas worldwide where terrestrial infrastructure cannot be deployed. Nevertheless, with the expansion of the World Wide Web (WWW), new IP applications such as Voice over IP (VoIP) and multimedia services require different levels of individual packet treatment across the satellite network. This differentiation must include not only the Quality of Service (QoS) parameters that specify packet transmission priorities across the network nodes, but also the amount of bandwidth that must be assigned to guarantee their transport. In this context, the provisioning of QoS guarantees over GEO satellite systems has become one of the main research areas of organizations such as the European Space Agency (ESA), mainly because their current infrastructures require continuous exploitation, as launching a new communication satellite is associated with excessive costs. Therefore, support for IP services with QoS guarantees must be developed on the terrestrial segment so that the current assets can be used. In this PhD thesis several contributions to improve QoS provisioning over DVB-S2/RCS broadband satellite systems have been developed. The contributions are based on cross-layer design, following the layered model standardized in ETSI TR 102 157 and TR 102 462. The proposals take into account the drawbacks posed by GEO satellite systems such as delay, losses and bandwidth variations. The first contribution proposes QoSatArt, an architecture defined to improve QoS provisioning among service classes considering the physical-layer variations due to rain events. The design is developed inside the gateway, including the specification of the main functional blocks that provide QoS guarantees and mechanisms to minimize the delay and jitter values experienced at the application layer. Here, a cross-layer design between the physical and the network layer has been proposed to enforce the QoS specifications based on the available bandwidth. The proposed QoSatArt architecture is evaluated using the NS-2 simulation tool. In addition, a performance analysis of several standard Transmission Control Protocol (TCP) variants is performed, in order to find the most suitable TCP variant for enhancing TCP transmission over a QoS architecture such as QoSatArt. The second contribution proposes XPLIT, an architecture developed to enhance TCP transmission with QoS for DVB-S2/RCS satellite systems. Complementary to QoSatArt, XPLIT introduces Performance Enhancing Proxies (PEPs), which break the end-to-end semantics of TCP connections. It uses a cross-layer design between the network layer and the transport layer to enhance TCP transmission while providing it with QoS guarantees. Here, a modified TCP variant called XPLIT-TCP is proposed to send data through the forward and the return channel. XPLIT-TCP uses two control loops (the buffer occupancy and the service rate) to provide optimized congestion control functions. The proposed XPLIT architecture is evaluated using the NS-2 simulation tool. Finally, the third contribution of this thesis consists of the development of a unified architecture to provide QoS guarantees based on cross-layer design over broadband satellite systems. It adopts the enhancements proposed by the QoSatArt architecture working at the network layer, in combination with the enhancements proposed by the XPLIT architecture working at the transport layer.
    Nowadays, geostationary (GEO) satellites play a very important role in the provisioning of IP services. This infrastructure provides ubiquity and broadband access, making it possible to reach dispersed populations in remote areas where terrestrial infrastructure does not exist. However, when provisioning applications such as Voice over IP (VoIP) and multimedia services, it is important to consider the differentiated treatment of packets across the satellite network. This differentiation must consider not only the Quality of Service (QoS) requirements that specify packet priorities across the network nodes, but also the bandwidth assigned to guarantee their transport. In this context, the provisioning of QoS guarantees over GEO satellites is one of the main research areas pursued by organizations such as the European Space Agency (ESA). This is mainly because such organizations require the continuous exploitation of their assets, given that launching a new satellite into space represents excessive costs. As a result, support for IP services with quality of service over the current satellite infrastructure is of vital importance. This doctoral thesis presents several contributions to QoS support in DVB-S2/RCS broadband satellite networks. The proposed contributions are based mainly on cross-layer design, following the layered model defined and standardized in the ETSI specifications TR 102 157 [ETS03] and 462 [10205]. The proposed contributions consider the limitations present in GEO satellite systems, namely propagation delay, packet loss and the bandwidth variations caused by atmospheric events. The first contribution proposes QoSatArt, an architecture defined to improve QoS support. This architecture considers the physical-layer variations due to rain events in order to prioritize the QoS levels. The design is developed in the gateway and includes the specifications of the main functional elements and mechanisms to guarantee QoS and minimize the delay present at the application layer. Here, a cross-layer design between the physical layer and the network layer is proposed, with the aim of enforcing the QoS specifications considering the available bandwidth. The QoSatArt architecture is simulated and evaluated using the NS-2 simulation tool. Additionally, a performance analysis of several TCP (Transmission Control Protocol) variants is carried out with the aim of finding the TCP variant best suited to working in a QoS environment such as QoSatArt. The second contribution proposes XPLIT, an architecture developed to improve TCP transmissions with QoS in a DVB-S2/RCS satellite system. Complementary to QoSatArt, XPLIT employs PEPs (Performance Enhancing Proxies), which affect the end-to-end semantics of TCP connections. However, XPLIT considers a cross-layer design between the network layer and the transport layer with the aim of improving TCP transmissions by considering QoS parameters such as queue occupancy and transmission rate (_i, _i). Here, a new TCP variant called XPLIT-TCP is proposed, which uses two loops to provide improved congestion control functions. The XPLIT architecture is simulated and evaluated using the NS-2 simulation tool. Finally, the third contribution of this thesis consists of the development of a unified architecture for QoS support in broadband satellite networks based on cross-layer techniques. This architecture adopts the improvements proposed by QoSatArt at the network layer in combination with the improvements proposed by XPLIT at the transport layer.