236 research outputs found

    xPF: Packet Filtering for Low-Cost Network Monitoring

    The ever-increasing complexity in network infrastructures is making critical the demand for network monitoring tools. While the majority of network operators rely on low-cost open-source tools based on commodity hardware and operating systems, the increasing link speeds and complexity of network monitoring applications have revealed inefficiencies in the existing software organization, which may prohibit the use of such tools in high-speed networks. Although several new architectures have been proposed to address these problems, they require significant effort in re-engineering the existing body of applications. We present an alternative approach that addresses the primary sources of inefficiency without significantly altering the software structure. Specifically, we enhance the computational model of the Berkeley packet filter (BPF) to move much of the processing associated with monitoring into the kernel, thereby removing the overhead associated with context switching between kernel and applications. The resulting packet filter, called xPF, allows new tools to be more efficiently implemented and existing tools to be easily optimized for high-speed networks. We present the design and implementation of xPF as well as several example applications that demonstrate the efficiency of our approach

    Taxi Planner Optimization: A Management Tool

    This work introduces taxi planning optimization (TPO) as a methodology to guide airport surface management operations. The optimization model represents competing aircraft using limited ground resources. TPO improves aircraft taxiing routes and their schedule in situations of congestion, minimizing overall taxiing time (TT), and helping taxi planners to meet prespecified goals such as compliance with take-off windows, TT limits, and trajectory conflicts. By considering all simultaneous trajectories during a given planning horizon, TPO's estimation of TT from the stand to the runways improves over current planning methods. The operational optimization model is a large-scale space-time multi-commodity network with capacity constraints. In addition to its natural use as a real-time taxi planning tool, a number of TPO variants can be used for design purposes, such as expansion of new infrastructure. TPO is demonstrated using Madrid-Barajas as test airport

    Shadow Honeypots

    We present Shadow Honeypots, a novel hybrid architecture that combines the best features of honeypots and anomaly detection. At a high level, we use a variety of anomaly detectors to monitor all traffic to a protected network or service. Traffic that is considered anomalous is processed by a "shadow honeypot" to determine the accuracy of the anomaly prediction. The shadow is an instance of the protected software that shares all internal state with a regular ("production") instance of the application, and is instrumented to detect potential attacks. Attacks against the shadow are caught, and any incurred state changes are discarded. Legitimate traffic that was misclassified will be validated by the shadow and will be handled correctly by the system transparently to the end user. The outcome of processing a request by the shadow is used to filter future attack instances and could be used to update the anomaly detector. Our architecture allows system designers to fine-tune systems for performance, since false positives will be filtered by the shadow. We demonstrate the feasibility of our approach in a proof-of-concept implementation of the Shadow Honeypot architecture for the Apache web server and the Mozilla Firefox browser. We show that despite a considerable overhead in the instrumentation of the shadow honeypot (up to 20% for Apache), the overall impact on the system is diminished by the ability to minimize the rate of false-positives

    Scalable Resource Control in Active Networks

    The increased complexity of the service model relative to store-and-forward routers has made resource management one of the paramount concerns in active networking research and engineering. In this paper, we address two major challenges in scaling resource management to many-node active networks. The first is the use of market mechanisms and trading amongst nodes and programs with varying degrees of competition and cooperation to provide a scalable approach to managing active network resources. The second is the use of a trust-management architecture to ensure that the participants in the resource management marketplace have a policy-driven "rule of law" in which marketplace decisions can be made and relied upon. We have used lottery scheduling and the KeyNote trust-management system for our implementation, for which we provide some initial performance indications

    The Price of Safety in an Active Network

    Security is a major challenge for "Active Networking": accessible programmability creates numerous opportunities for mischief. The point at which programmability is exposed, e.g., through the loading and execution of code in network elements, must therefore be carefully crafted to ensure security. The SwitchWare active networking research project has studied the architectural implications of various tradeoffs between performance and security. Namespace protection and type safety were achieved with a module loader for active networks, ALIEN, which carefully delineated boundaries for privilege and dynamic updates. ALIEN supports two extensions, the Secure Active Network Environment (SANE), and the Resource Controlled Active Network Environment (RCANE). SANE extends ALIEN's node protection model into a distributed setting, and uses a secure bootstrap to guarantee integrity of the namespace protection system. RCANE provides resource isolation between active network node users, including separate heaps and robust time-division multiplexing of the node. The SANE and RCANE systems show that convincing active network security can be achieved. This paper contributes a measurement-based analysis of the costs of such security with an analysis of each system based on both execution traces and end-to-end behavior

    Managing Access Control in Large Scale Heterogeneous Networks

    The design principle of maximizing local autonomy except when it conflicts with global robustness has led to a scalable Internet with enormous heterogeneity of both applications and infrastructure. These properties have not been achieved in the mechanisms for specifying and enforcing security policies. The STRONGMAN (for Scalable TRust Of Next Generation MANagement) system [9], [10] offers three new approaches to scalability, applying the principle of local policy enforcement complying with global security policies. First is the use of a compliance checker to provide great local autonomy within the constraints of a global security policy. Second is a mechanism to compose policy rules into a coherent enforceable set, e.g., at the boundaries of two locally autonomous application domains. Third is the "lazy instantiation" of policies to reduce the amount of state that enforcement points need to maintain. In this paper, we focus on the issues of scalability and heterogeneity

    Detecting Targeted Attacks Using Shadow Honeypots

    We present Shadow Honeypots, a novel hybrid architecture that combines the best features of honeypots and anomaly detection. At a high level, we use a variety of anomaly detectors to monitor all traffic to a protected network/service. Traffic that is considered anomalous is processed by a "shadow honeypot" to determine the accuracy of the anomaly prediction. The shadow is an instance of the protected software that shares all internal state with a regular ("production") instance of the application, and is instrumented to detect potential attacks. Attacks against the shadow are caught, and any incurred state changes are discarded. Legitimate traffic that was misclassified will be validated by the shadow and will be handled correctly by the system transparently to the end user. The outcome of processing a request by the shadow is used to filter future attack instances and could be used to update the anomaly detector. Our architecture allows system designers to fine-tune systems for performance, since false positives will be filtered by the shadow. Contrary to regular honeypots, our architecture can be used both for server and client applications. We demonstrate the feasibility of our approach in a proof-of-concept implementation of the Shadow Honeypot architecture for the Apache web server and the Mozilla Firefox browser. We show that despite a considerable overhead in the instrumentation of the shadow honeypot (up to 20% for Apache), the overall impact on the system is diminished by the ability to minimize the rate of false-positives

    Equal antipyretic effectiveness of oral and rectal acetaminophen: a randomized controlled trial [ISRCTN11886401]

    BACKGROUND: The antipyretic effectiveness of rectal versus oral acetaminophen is not well established. This study is designed to compare the antipyretic effectiveness of two rectal acetaminophen doses (15 mg/kg) and (35 mg/kg), to the standard oral dose of 15 mg/kg. METHODS: This is a randomized, double-dummy, double-blind study of 51 febrile children, receiving one of three regimens of a single acetaminophen dose: 15 mg/kg orally, 15 mg/kg rectally, or 35 mg/kg rectally. Rectal temperature was monitored at baseline and hourly for a total of six hours. The primary outcome of the study, time to maximum antipyresis, and the secondary outcome of time to temperature reduction by at least 1°C were analyzed by one-way ANOVA. Two-way ANOVA with repeated measures over time was used to compare the secondary outcome: change in temperature from baseline at times 1, 2, 3, 4, 5, and 6 hours among the three groups. Intent-to-treat analysis was planned. RESULTS: No significant differences were found among the three groups in the time to maximum antipyresis (overall mean = 3.6 hours; 95% CI: 3.2–4.0), time to fever reduction by 1°C or the mean hourly temperature from baseline to 6 hours following dose administration. Hypothermia (temperature < 36.5°C) occurred in 11 (21.6%) subjects, with the highest proportion being in the rectal high-dose group. CONCLUSION: Standard (15 mg/kg) oral, (15 mg/kg) rectal, and high-dose (35 mg/kg) rectal acetaminophen have similar antipyretic effectiveness