91 research outputs found

    On attack correlation and the benefits of sharing IDS data

    Thesis (S.M.)--Massachusetts Institute of Technology, Dept. of Electrical Engineering and Computer Science, 2005. Includes bibliographical references (p. 47-49). This thesis presents the first wide-scale study of correlated attacks, i.e., attacks mounted by the same source IP against different networks. Using a large dataset from 1700 intrusion detection systems (IDSs), this thesis shows that correlated attacks are prevalent in the current Internet; 20% of all offending sources mount correlated attacks and they account for more than 40% of all the IDS alerts in our logs. Correlated attacks appear at different networks within a few minutes of each other, indicating the difficulty of warding off these attacks by occasional offline exchange of lists of malicious IP addresses. Furthermore, correlated attacks are highly targeted. The 1700 IDSs can be divided into small groups with 4-6 members that do not change with time; IDSs in the same group experience a large number of correlated attacks, while IDSs in different groups see almost no correlated attacks. These results have important implications on collaborative intrusion detection of common attackers. They show that collaborating IDSs need to exchange alert information in real time. Further, exchanging alerts among the few fixed IDSs in the same correlation group achieves almost the same benefits as collaborating with all IDSs, while dramatically reducing the overhead. by Sachin Katti. S.M.

    Information Slicing: Anonymity Using Unreliable Overlays

    This paper proposes a new approach to anonymous communication called information slicing. Typically, anonymizers use onion routing, where a message is encrypted in layers with the public keys of the nodes along the path. Instead, our approach scrambles the message, divides it into pieces, and sends the pieces along disjoint paths. We show that information slicing addresses message confidentiality as well as source and destination anonymity. Surprisingly, it does not need any public key cryptography. Further, our approach naturally addresses the problem of node failures. These characteristics make it a good fit for use over dynamic peer-to-peer overlays. We evaluate the anonymity of information slicing via analysis and simulations. Our prototype implementation on PlanetLab shows that it achieves higher throughput than onion routing and effectively copes with node churn.

    Embracing Wireless Interference: Analog Network Coding

    Traditionally, interference is considered harmful. Wireless networks strive to avoid scheduling multiple transmissions at the same time in order to prevent interference. This paper adopts the opposite approach; it encourages strategically picked senders to interfere. Instead of forwarding packets, routers forward the interfering signals. The destination leverages network-level information to cancel the interference and recover the signal destined to it. The result is analog network coding because it codes signals not bits. So, what if wireless routers forward signals instead of packets? Theoretically, we prove that such an approach doubles the capacity of the canonical relay network. Surprisingly, it is also practical. We implement our design using software radios and show that it achieves significantly higher throughput than both traditional wireless routing and prior work on wireless network coding.

    Network coded wireless architecture

    Thesis (Ph. D.)--Massachusetts Institute of Technology, Dept. of Electrical Engineering and Computer Science, 2008. Includes bibliographical references (p. 183-197). Wireless mesh networks promise cheap Internet access, easy deployment, and extended range. In their current form, however, these networks suffer from both limited throughput and low reliability; hence they cannot meet the demands of applications such as file sharing, high definition video, and gaming. Motivated by these problems, we explore an alternative design that addresses these challenges. This dissertation presents a network coded architecture that significantly improves throughput and reliability. It makes a simple yet fundamental switch in network design: instead of routers just storing and forwarding received packets, they mix (or code) packets' content before forwarding. We show through practical systems how routers can exploit this new functionality to harness the intrinsic characteristics of the wireless medium to improve performance. We develop three systems; each reveals a different benefit of our network coded design. COPE observes that wireless broadcast naturally creates an overlap in packets received across routers, and develops a new network coding algorithm to exploit this overlap to deliver the same data in fewer transmissions, thereby improving throughput. ANC pushes network coding to the signal level, showing how to exploit strategic interference to correctly deliver data from concurrent senders, further increasing throughput. Finally, MIXIT presents a symbol-level network code that exploits wireless spatial diversity, forwarding correct symbols even if they are contained in corrupted packets to provide high throughput reliable transfers. The contributions of this dissertation are multifold. First, it builds a strong connection between the theory of network coding and wireless system design. Specifically, the systems presented in this dissertation were the first to show that network coding can be cleanly integrated into the wireless network stack to deliver practical and measurable gains. The work also presents novel algorithms that enrich the theory of network coding, extending it to operate over multiple unicast flows, analog signals, and soft-information. Second, we present prototype implementations and testbed evaluations of our systems. Our results show that network coding delivers large performance gains ranging from a few percent to several-fold depending on the traffic mix and the topology. Finally, this work makes a clear departure from conventional network design. Research in wireless networks has largely proceeded in isolation, with the electrical engineers focusing on the physical and lower layers, while the computer scientists worked up from the network layer, with the packet being the only interface. This dissertation pokes a hole in this contract, disposing of artificial abstractions such as indivisible packets and point-to-point links in favor of a more natural abstraction that allows the network and the lower layers to collaborate on the common objectives of improving throughput and reliability using network coding as the building block. At the same time, the design maintains desirable properties such as being distributed, low-complexity, implementable, and integrable with the rest of the network stack. by Sachin Rajsekhar Katti. Ph.D.

    Resilient Network Coding in the Presence of Byzantine Adversaries

    Network coding substantially increases network throughput. But since it involves mixing of information inside the network, a single corrupted packet generated by a malicious node can end up contaminating all the information reaching a destination, preventing decoding. This paper introduces distributed polynomial-time rate-optimal network codes that work in the presence of Byzantine nodes. We present algorithms that target adversaries with different attacking capabilities. When the adversary can eavesdrop on all links and jam z_O links, our first algorithm achieves a rate of C - 2z_O, where C is the network capacity. In contrast, when the adversary has limited eavesdropping capabilities, we provide algorithms that achieve the higher rate of C - z_O. Our algorithms attain the optimal rate given the strength of the adversary. They are information-theoretically secure. They operate in a distributed manner, assume no knowledge of the topology, and can be designed and implemented in polynomial time. Furthermore, only the source and destination need to be modified; nonmalicious nodes inside the network are oblivious to the presence of adversaries and implement a classical distributed network code. Finally, our algorithms work over wired and wireless networks.

    Cliffhanger: Scaling Performance Cliffs in Web Memory Caches

    Web-scale applications are heavily reliant on memory cache systems such as Memcached to improve throughput and reduce user latency. Small performance improvements in these systems can result in large end-to-end gains. For example, a marginal increase in hit rate of 1% can reduce the application layer latency by over 35%. However, existing web cache resource allocation policies are workload oblivious and first-come-first-serve. By analyzing measurements from a widely used caching service, Memcachier, we demonstrate that existing cache allocation techniques leave significant room for improvement. We develop Cliffhanger, a lightweight iterative algorithm that runs on memory cache servers, which incrementally optimizes the resource allocations across and within applications based on dynamically changing workloads. It has been shown that cache allocation algorithms underperform when there are performance cliffs, in which minor changes in cache allocation cause large changes in the hit rate. We design a novel technique for dealing with performance cliffs incrementally and locally. We demonstrate that for the Memcachier applications, on average, Cliffhanger increases the overall hit rate by 1.2%, reduces the total number of cache misses by 36.7% and achieves the same hit rate with 45% less memory capacity.