24 research outputs found

    In-Network Volumetric DDoS Victim Identification Using Programmable Commodity Switches

    Volumetric distributed Denial-of-Service (DDoS) attacks have become one of the most significant threats to modern telecommunication networks. However, most existing defense systems require that detection software operates from a centralized monitoring collector, leading to increased traffic load and delayed response. The recent advent of Data Plane Programmability (DPP) enables an alternative solution: threshold-based volumetric DDoS detection can be performed directly in programmable switches to skim only potentially hazardous traffic, to be analyzed in depth at the controller. In this paper, we first introduce the BACON data structure based on sketches, to estimate per-destination flow cardinality, and theoretically analyze it. Then we employ it in a simple in-network DDoS victim identification strategy, INDDoS, to detect the destination IPs for which the number of incoming connections exceeds a pre-defined threshold. We describe its hardware implementation on a Tofino-based programmable switch using the domain-specific P4 language, proving that some limitations imposed by real hardware to safeguard processing speed can be overcome to implement relatively complex packet manipulations. Finally, we present some experimental performance measurements, showing that our programmable switch is able to keep processing packets at line-rate while performing volumetric DDoS detection, and also achieves a high F1 score on DDoS victim identification. Comment: Accepted by IEEE Transactions on Network and Service Management Special issue on Latest Developments for Security Management of Networks and Service

    Which Space for Fathers’ Mentalizing? A Systematic Review on Paternal Reflective Functioning, Mind-Mindedness and Insightfulness

    Over the past twenty years research interest has been focused on deepening the role of parental mentalizing. Nevertheless, few studies have specifically addressed the role played by fathers’ mentalizing. This systematic review aims to bridge this gap by offering an exploration of paternal mentalizing within attachment theory considering three different operationalizations: Reflective Functioning, Parental Insightfulness and Mind-Mindedness. Starting from this, the main goals of this systematic review are: (1) to show the effect of paternal mentalizing on child’s outcomes or paternal role within the family system, (2) to increase research exchange between different theoretical frameworks, enhancing the knowledge of the mentalization construct, (3) to explore under-researched areas and implications for research and clinical practice. PsycInfo, PsycArticle, Web Of Science, Scopus, Medline, PubMed and EMBASE were systematically searched for articles published until February 7, 2021. In total, 6311 studies were considered for the systematic review; of these, thirty-six met the inclusion criteria. The included studies were subsequently split on the basis of the specific mentalizing operationalization. Overall, the data showed significant associations between paternal mentalizing and both fathers’ parenting features and variables related to the paternal broader functioning within the family context. This systematic review also confirms the role of fathers’ mentalizing processes in relation to paternal features and child’s outcomes. In conclusion, further studies aimed at examining paternal mentalizing specific influences, exploring the causal pathways related to paternal mentalizing and investigating the relationship between different mentalizing dimensions and their diverse effects are recommended.

    Resource allocation and modeling in spectrally and spatially flexible optical transport networks

    The world's hunger for connectivity appears to be endlessly growing, yet the capacity of the networks that underpin that connectivity is anything but endless. This thesis explores both short and long term solutions for increasing the capacity of the largest and most capacious of these networks, the backbones upon which the Internet is built: optical transport networks. In the short term, Flexi-grid technology has emerged as the evolution of fixed-grid WDM optical networks, providing higher potential throughput but suffering from an aggravated form of the spectrum fragmentation problem that affects fixed-grid networks. A novel path-based metric to better evaluate the fragmentation of spectral resources in flexi-grid networks is presented, which considers both the fact that free spectrum slices may not be available on all the links of a path, and the likelihood that an end-to-end spectral void is usable to route incoming connections, and tested by means of simulations, finding that it outperforms existing ones from literature. For the longer term, Space Division Multiplexing (SDM) is a promising solution to overcome the looming fiber capacity crunch, and, perhaps more importantly, can offer a beneficial ratio between the expected capacity gains and the resulting increase in the cost of the network thanks to Joint and Fractional Joint Switching architectures and integrated transceivers and amplifiers. A model for such network is presented, and multiple heuristics for solving the Routing, Space and Spectrum Allocation problem are described, studied via simulations and iteratively improved, with the objective of quantifying the likely performance of several SDM architectures under multiple traffic scenarios. In addition, possible improvements to joint switching architectures, and an experimental SDN control plane for SDM networks, are presented and characterized, again by means of simulations. SDM is shown to be an attractive technology for increasing future transport networks capacity, at a reasonable cost

    An Application-Aware Multi-Layer Service Provisioning Algorithm based on Auxiliary Graphs

    A novel application-aware multi-layer resource allocation algorithm is proposed. We demonstrate that it prevents the violation of application requirements (bandwidth, latency, availability, encryption), while keeping blocking probability lower than an existing algorithm

    Optimal Design of Practical Quantum Key Distribution Backbones for Securing Core Transport Networks

    We describe two Mixed Integer Linear Programming formulations, one a faster version of a previous proposal, the other a slower but better performing new model, for the design of Quantum Key Distribution sub-networks dimensioned to secure existing core fiber plants. We exploit existing technologies, including non-quantum repeater nodes and multiple disjoint QKD paths to overcome reach limitations while maintaining security guarantees. We examine the models' performance using simulations on both synthetic and real topologies, quantifying their time and resulting QKD network cost compared to our previous proposal

    INVEST: Flow-Based Traffic Volume Estimation in Data-Plane Programmable Networks

    The emergence of programmable data planes in Software-Defined Networks enables the execution of various monitoring tasks directly in network devices, overcoming the need to deliver huge amounts of information to a controller that must then process it at scale. In this paper, we aim to solve a fundamental problem arising when exploiting programmable data planes for network-wide monitoring: how to estimate the overall number of packets in the network (i.e., the traffic volume), and the related number and size of flows, while avoiding packet double counting. Most existing works solve this problem by ensuring that each packet is counted only once on its path, which limits routing or requires coordination among devices. We propose a different approach, INVEST, a flow-based traffic volume estimator for P4-based switches, that relies on and can reuse commonly employed data structures while naturally solving the double-counting problem. We theoretically analyze and experimentally evaluate our solution, which we implemented in a real P4 carrier-grade switch, finding that it is accurate, memory-efficient, and can process packets at line rate

    Optimization of Secure Quantum Key Distribution Backbones in Core Transport Networks

    We present a Mixed Integer Linear Programming formulation to perform optimal placement of Quantum Key Distribution devices to protect active/planned traffic at minimal cost, thus securing active core transport networks

    Towards Secure Optical Networks: A Framework to Aid Localization of Harmful Connections

    We model the scope of optical signal insertion attacks by defining attack syndromes for each connection, and present a cost-efficient routing heuristic that aids localization of harmful connections by reducing syndrome ambiguity in the network

    Energy Saving Through Traffic Profiling in Self-Optimizing Optical Networks

    An increasing fraction of the electrical energy produced in western countries is being consumed by Internet infrastructure; reducing its energy footprint is therefore of utmost importance for the scalability of the Internet. We address optical transport backbones and propose a novel method to reduce the energy consumed by dynamically adjusting the number of active optical carriers to support the short-term load of the network with a small and controllable margin. This is achieved in a nondisruptive manner that does not interact with routing strategies and does not rely on any specific control plane, but exploits automated traffic profiling and prediction of the well-known circadian traffic cycle. The proposed approach works with both fixed and flexible grid optical networks. We describe a method to automatically learn these patterns and multiple techniques to predict incoming traffic. Furthermore, we present an algorithm that tunes the parameters of the proposed system in order to achieve a target a posteriori probability of causing traffic losses. The behavior of the system is studied, using simulations, under a variety of conditions. Results show that the proposed prediction algorithms can significantly reduce the number of active optical carriers, even in nonoptimal scenarios, while guaranteeing low traffic losses
