16 research outputs found

    IAVS: Intelligent Active Network Vulnerability Scanner

    Network security needs to be assured through runtime active evaluating and assessment. However, active vulnerability scanners suffer from serious deficiencies such as heavy scan traffic during the reconnaissance phase, uncertainty in the environment, and heavy reliance on experts. Generating a blind heavy load of attack packets not only causes usage of network resources, but it also increases the probability of detection by target defense systems and causes failure in finding vulnerabilities. Furthermore, environmental uncertainty increases pointless attempts of vulnerability scanners, which wastes time. Utilizing a decision-making method devised for uncertainty conditions, we present Intelligent Active Network Vulnerability Scanner (IAVS). IAVS is implemented as an extension on Hail Mary, the automatic execution mechanism in the Metasploit toolkit. IAVS learns from previous vulnerability exploitation attempts to select exploit codes purposefully. IAVS not only reduces the role of experts in the process of vulnerability testing, but it also decreases the volume of scanning requests during the reconnaissance phase by integrating the reconnaissance and exploitation phases. Our experimental results indicate a successful decrease in failed attempts. It is also demonstrated that improvements in the results of IAVS correspond directly to the rate of similarity among different vulnerabilities in systems of the target network; that is, the higher the similarity, the better the results of IAVS. Our experiments compared the results of IAVS and those of Hail Mary without the IAVS extension; these results show that IAVS improved Hail Mary's successful attempts by around 37%.

    Future Internet Congestion Control: The Diminishing Feedback Problem

    It is increasingly difficult for Internet congestion control mechanisms to obtain the feedback that they need. This lack of feedback can have severe performance implications, and it is bound to become worse. In the long run, the problem may only be fixable by fundamentally changing the way congestion control is done in the Internet. We substantiate this claim by looking at the evolution of the Internet's infrastructure over the past thirty years, and by examining the most common behavior of Internet traffic. Considering the goals that congestion control mechanisms are intended to address, and taking into account contextual developments in the Internet ecosystem, we arrive at conclusions and recommendations about possible future congestion control design directions. In particular, we argue that congestion control mechanisms should move away from their strict "end-to-end" adherence. This change would benefit from avoiding a "one size fits all circumstances" approach, and moving towards a more selective set of mechanisms that will result in a better performing Internet. We will also discuss how this future vision differs from today's use of Performance Enhancing Proxies (PEPs). Comment: Accepted for publication in IEEE Communications Magazine, 2022 (Open Call Article

    LGCC: Food Chain Multi-Hop Congestion Control

    Technological advancements have provided wireless links with very high capacity for 5G mobile networks and WiFi 6, which will be widely deployed by 2025; however, the capacity heavily fluctuates, violating the assumption at the transport layer that the capacity is (almost) fixed. This issue has so far been targeted mostly by "hack-and-patches", which are still far from an efficient design. In this paper, we present a general and efficient, yet deployable solution to the aforementioned problem through a novel design empowered with a rich theory, allowing a significantly improved experience in using new technologies, especially mobile cellular services.

    Securing the Internet of Things with Recursive InterNetwork Architecture (RINA)

    Communication technology improvements have inspired the idea of connecting almost everything to the Internet: from home appliances, medical devices, and cars, to large infrastructures. A unified and secure network of these things is almost a dream because the Internet has not had this goal from the beginning; protocols have been implemented and then secured, and then extended to new domains. This has been the cause of many vulnerabilities so far. In this paper, we take a fundamental look at the inherited architectural security issues of the Internet of Things (IoT), which have raised serious security concerns due to its overwhelming number of nodes. Then, we investigate the Recursive InterNetwork Architecture (RINA), a very promising network architecture, as a design solution; we demonstrate how RINA can specifically address the security challenges of IoT networks, and how it mitigates their common attacks. Moreover, we will show how RINA can provide other features which are now mentioned as the future trend in IoT. © 2018 Institute of Electrical and Electronics Engineers (IEEE

    Special Issue “Post-IP Networks: Advances on RINA and other Alternative Network Architectures”

    Over the last two decades, research funding bodies have supported “Future Internet”, “New-IP”, and “Next Generation” design initiatives intended to reduce network complexity by redesigning the network protocol architecture, questioning some of its key principles [...

    PEP-DNA: a Performance Enhancing Proxy for Deploying Network Architectures

    Deploying a new network architecture in the Internet requires changing some, but not necessarily all, elements between communicating applications. One way to achieve gradual deployment is a proxy or gateway which "translates" between the new architecture and TCP/IP. We present such a proxy, called "Performance Enhancing Proxy for Deploying Network Architectures (PEP-DNA)", which allows TCP/IP applications to benefit from advanced features of a new network architecture without having to be redeveloped. Our proxy is a kernel-based Linux implementation which can be installed wherever a translation needs to occur between a new architecture and TCP/IP domains. We discuss the proxy operation in detail and evaluate its efficiency and performance in a local testbed, demonstrating that it achieves high throughput with low additional latency and low CPU and memory overhead. In our experiments we use the Recursive InterNetwork Architecture (RINA) and Information-Centric Networking (ICN) as examples, but our proxy is modular and flexible, and hence enables realistic gradual deployment of any new "clean-slate" approaches.

    Computer-Aided Reproducibility

    Computer networks research has been notoriously bad at reproducibility, a key aspect of making research results credible and convincing. This has been attributed to a lack of incentive for researchers to share the data underlying scientific results. We conjecture that this can be helped by reducing the amount of work that is required to make results reproducible. This paper introduces CAR, a system for "Computer-Aided Reproducibility". Similar to other forms of "Computer-Aided-*", our CAR tool facilitates the process of sharing the necessary data by partially automating it. © 2018 Institute of Electrical and Electronics Engineers (IEEE

    Follow the Model: How Recursive Networking Can Solve the Internet's Congestion Control Problems

    The Recursive InterNetworking Architecture (RINA) describes a new way to look at networking; it offers a point of view that is fundamentally different from today's networks. This paper explains how designing congestion control strictly in line with this model almost automatically leads to a conceptually cleaner, and quite possibly altogether better, design than what we have in the Internet today. We give an overview of how far the OCARINA research project has come with the development of the RINA congestion control elements that follow from this design. Then, we conclude with an explanation of how the shift in thinking that RINA suggests can be applied to more gradual Internet developments related to congestion control.

    Estimating an Additive Path Cost with Explicit Congestion Notification

    Network utility maximization is a well-accepted theoretical framework that describes how congestion controls cooperate to achieve an ideal sending rate allocation, for given utility functions of senders and constraints of the network. These network constraints are expressed as a "cost" in the framework. In practice, most congestion control mechanisms obtain feedback that is different from the framework's "cost." This article focuses on explicit congestion notification (ECN), which has been shown to be advantageous when it is available, e.g., with the popular datacenter transmission control protocol mechanism. However, different from the framework's cost, ECN marks are not additive. We present a practical solution to this problem; it changes how end hosts interpret the ECN signal, while for routers, a special configuration of random early detection is used.