LAMP: Prompt Layer 7 Attack Mitigation with Programmable Data Planes
While there are various methods to detect application layer attacks or
intrusion attempts on an individual end host, it is not efficient to provide
all end hosts in the network with heavy-duty defense systems or software
firewalls. In this work, we leverage a new concept of programmable data planes,
to directly react on alerts raised by a victim and prevent further attacks on
the whole network by blocking the attack at the network edge. We call our
design LAMP, Layer 7 Attack Mitigation with Programmable data planes. We
implemented LAMP using the P4 data plane programming language and evaluated its
effectiveness and efficiency in the Behavioral Model (bmv2) environment.
Toward incremental FIB aggregation with quick selections (FAQS)
Several approaches to mitigating the Forwarding Information Base (FIB)
overflow problem were developed and software solutions using FIB aggregation
are of particular interest. One of the greatest concerns to deploy these
algorithms to real networks is their high running time and heavy computational
overhead to handle thousands of FIB updates every second. In this work, we
use a single tree traversal to implement a faster aggregation and
update-handling algorithm with a much lower memory footprint than other existing
work. We utilize 6 years of realistic IPv4 and IPv6 routing tables, from 2011 to
2016, to evaluate the performance of our algorithm with various metrics. To the
best of our knowledge, this is the first time that IPv6 FIB aggregation has been
performed. Our new solution is 2.53 and 1.75 times as fast as
the state-of-the-art FIB aggregation algorithm for IPv4 and IPv6 FIBs,
respectively, while achieving a near-optimal FIB aggregation ratio.
Toward a Programmable FIB Caching Architecture
The current Internet routing ecosystem is neither sustainable nor economical.
More than 711K IPv4 routes and more than 41K IPv6 routes exist in current
global Forwarding Information Bases (FIBs), with growth rates increasing. This
rapid growth has serious consequences, such as creating the need for costly FIB
memory upgrades and increased potential for Internet service outages. And while
FIB memories are power-hungry and prohibitively expensive, more than 70% of
the routes in FIBs carry no traffic for long time periods, a wasteful use of
these expensive resources. Taking advantage of the emerging concept of the
programmable data plane, we design a programmable FIB caching architecture to
address the existing concerns. Our preliminary evaluation results show that the
architecture can significantly mitigate the global routing scalability and poor
FIB utilization issues.
Understanding Multiple Origin AS Conflicts
Internet routing problems are often difficult to detect and diagnose because one address prefix can be originated by multiple ASes. There is, however, no comprehensive analysis of the causes of Multiple Origin AS (MOAS) conflicts. In this paper, we study the characteristics of MOAS conflicts and compare them with those from 10 years ago. We also provide an in-depth examination of four MOAS causes: IXPs, anycast, false origin ASes, and origin-AS transitions. Furthermore, we propose two heuristics to identify MOAS conflicts caused by false origin ASes and origin-AS transitions. The findings from our study and the proposed heuristics can help us design effective mechanisms to distinguish legitimate MOAS conflicts from illegitimate ones, thus improving the reliability and security of Internet routing.
Reducing Router Forwarding Table Size Using Aggregation and Caching
The fast growth of the global routing table size has been causing concerns that the Forwarding Information Base (FIB) will not be able to fit in existing routers' expensive line-card memory, and upgrades will lead to a higher cost for network operators and customers. FIB aggregation, a technique that merges multiple FIB entries into one, is probably the most practical solution since it is a software solution local to a router and does not require any changes to routing protocols or network operations. While previous work on FIB aggregation mostly focuses on reducing table size, this work focuses on algorithms that can update compressed FIBs quickly and incrementally. Quick updates are critical to routers because they have very limited time to process routing updates without impacting packet delivery performance. We have designed three algorithms: FIFA-S for the smallest table size, FIFA-T for the shortest running time, and FIFA-H for both small tables and short running time, and operators can use the one best suited to their needs. These algorithms significantly improve over existing work in terms of reducing routers' computation overhead and limiting impact on the forwarding plane while maintaining a good compression ratio. Another potential solution is to install only the most popular FIB entries into the fast memory (e.g., an FIB cache), while storing the complete FIB in slow memory. In this paper, we propose an effective FIB caching scheme that achieves a considerably higher hit ratio than previous approaches while preventing the cache-hiding problem. Our experimental results using data traffic from a regional network show that with only 20K prefixes in the cache (5.36% of the actual FIB size), the hit ratio of our scheme is higher than 99.95%. Our scheme can also efficiently handle cache misses, cache replacement and routing updates.
Distributed Flow Scheduling in an Unknown Environment
Flow scheduling tends to be one of the oldest and most stubborn problems in
networking. It becomes more crucial in the next generation network, due to fast
changing link states and the tremendous cost of exploring the global structure. In
such a situation, distributed algorithms often dominate. In this paper, we design
a distributed virtual game to solve the flow scheduling problem and then
generalize it to situations of unknown environment, where online learning
schemes are utilized. In the virtual game, we use incentives to stimulate
selfish users to reach a Nash Equilibrium Point which is valid based on the
analysis of the 'Price of Anarchy'. In the unknown-environment generalization,
our ultimate goal is the minimization of cost in the long run. In order to
achieve a balance between exploration of routing cost and exploitation based on
limited information, we model this problem based on the Multi-armed Bandit scenario
and combine the newly proposed DSEE with the virtual game design. Armed with these
powerful tools, we find a totally distributed algorithm to ensure
logarithmic growth of regret with time, which is optimal in the classic
Multi-armed Bandit Problem. Theoretical proof and simulation results both
affirm this claim. To our knowledge, this is the first research to combine
multi-armed bandits with distributed flow scheduling. Comment: 10 pages, 3 figures, conferenc
VeriTable: Fast Equivalence Verification of Multiple Large Forwarding Tables
Due to network practices such as traffic engineering and multi-homing, the
number of routes---also known as IP prefixes---in the global forwarding tables
has been increasing significantly in the last decade and continues growing in a
super linear trend. One of the most promising solutions is to use smart
Forwarding Information Base (FIB) aggregation algorithms to aggregate the
prefixes and convert a large table into a small one. Doing so poses a research
question, however, i.e., how can we quickly verify that the original table
yields the same forwarding behaviors as the aggregated one? We answer this
question in this paper, including addressing the challenges caused by the
longest prefix matching (LPM) lookups. In particular, we propose the VeriTable
algorithm that can employ a single tree/trie traversal to quickly check if
multiple forwarding tables are forwarding equivalent, as well as if they could
result in routing loops or black holes. The VeriTable algorithm significantly
outperforms the state-of-the-art work for both IPv4 and IPv6 tables in every
aspect, including the total running time, memory access times and memory
consumption. Comment: INFOCOM 201
Crystal Structure of the Receptor-Binding Domain from Newly Emerged Middle East Respiratory Syndrome Coronavirus
The newly emerged Middle East respiratory syndrome coronavirus (MERS-CoV) has infected at least 77 people, with a fatality rate of more than 50%. Alarmingly, the virus demonstrates the capability of human-to-human transmission, raising the possibility of global spread and endangering world health and economy. Here we have identified the receptor-binding domain (RBD) from the MERS-CoV spike protein and determined its crystal structure. This study also presents a structural comparison of MERS-CoV RBD with other coronavirus RBDs, successfully positioning MERS-CoV on the landscape of coronavirus evolution and providing insights into receptor binding by MERS-CoV. Furthermore, we found that MERS-CoV RBD functions as an effective entry inhibitor of MERS-CoV. The identified MERS-CoV RBD may also serve as a potential candidate for MERS-CoV subunit vaccines. Overall, this study enhances our understanding of the evolution of coronavirus RBDs, provides insights into receptor recognition by MERS-CoV, and may help control the transmission of MERS-CoV in humans.
Anti-HIV-1 Activity of a New Scorpion Venom Peptide Derivative Kn2-7
For over 30 years, HIV/AIDS has wreaked havoc in the world. In the absence of an effective vaccine for HIV, development of new anti-HIV agents is urgently needed. We previously identified the antiviral activities of the scorpion-venom-peptide-derived mucroporin-M1 against three RNA viruses (measles virus, SARS-CoV, and H5N1). In this investigation, a panel of scorpion venom peptides and their derivatives were designed and chosen for assessment of their anti-HIV activities. A new scorpion venom peptide derivative, Kn2-7, was identified as the most potent anti-HIV-1 peptide by screening assays, with an EC50 value of 2.76 µg/ml (1.65 µM), and showed low cytotoxicity to host cells with a selective index (SI) of 13.93. Kn2-7 could inhibit all members of a standard reference panel of HIV-1 subtype B pseudotyped virus (PV) with CCR5-tropic and CXCR4-tropic NL4-3 PV strains. Furthermore, it also inhibited a CXCR4-tropic replication-competent strain of HIV-1 subtype B virus. A binding assay of Kn2-7 to HIV-1 PV by the Octet Red system suggested the anti-HIV-1 activity was correlated with a direct interaction between Kn2-7 and the HIV-1 envelope. These results demonstrated that peptide Kn2-7 could inhibit HIV-1 by direct interaction with the viral particle and may become a promising candidate compound for further development of a microbicide against HIV-1.
Antiinflammatory Therapy with Canakinumab for Atherosclerotic Disease
Background: Experimental and clinical data suggest that reducing inflammation without affecting lipid levels may reduce the risk of cardiovascular disease. Yet, the inflammatory hypothesis of atherothrombosis has remained unproved. Methods: We conducted a randomized, double-blind trial of canakinumab, a therapeutic monoclonal antibody targeting interleukin-1β, involving 10,061 patients with previous myocardial infarction and a high-sensitivity C-reactive protein level of 2 mg or more per liter. The trial compared three doses of canakinumab (50 mg, 150 mg, and 300 mg, administered subcutaneously every 3 months) with placebo. The primary efficacy end point was nonfatal myocardial infarction, nonfatal stroke, or cardiovascular death. Results: At 48 months, the median reduction from baseline in the high-sensitivity C-reactive protein level was 26 percentage points greater in the group that received the 50-mg dose of canakinumab, 37 percentage points greater in the 150-mg group, and 41 percentage points greater in the 300-mg group than in the placebo group. Canakinumab did not reduce lipid levels from baseline. At a median follow-up of 3.7 years, the incidence rate for the primary end point was 4.50 events per 100 person-years in the placebo group, 4.11 events per 100 person-years in the 50-mg group, 3.86 events per 100 person-years in the 150-mg group, and 3.90 events per 100 person-years in the 300-mg group. The hazard ratios as compared with placebo were as follows: in the 50-mg group, 0.93 (95% confidence interval [CI], 0.80 to 1.07; P = 0.30); in the 150-mg group, 0.85 (95% CI, 0.74 to 0.98; P = 0.021); and in the 300-mg group, 0.86 (95% CI, 0.75 to 0.99; P = 0.031). The 150-mg dose, but not the other doses, met the prespecified multiplicity-adjusted threshold for statistical significance for the primary end point and the secondary end point that additionally included hospitalization for unstable angina that led to urgent revascularization (hazard ratio vs. placebo, 0.83; 95% CI, 0.73 to 0.95; P = 0.005). Canakinumab was associated with a higher incidence of fatal infection than was placebo. There was no significant difference in all-cause mortality (hazard ratio for all canakinumab doses vs. placebo, 0.94; 95% CI, 0.83 to 1.06; P = 0.31). Conclusions: Antiinflammatory therapy targeting the interleukin-1β innate immunity pathway with canakinumab at a dose of 150 mg every 3 months led to a significantly lower rate of recurrent cardiovascular events than placebo, independent of lipid-level lowering. (Funded by Novartis; CANTOS ClinicalTrials.gov number, NCT01327846.)