Projects

ConfigChecker: End-to-end Verification of Global Network Security Policies

This project is a theoretical and practical study of the impact of policies on network security and performance. One of the biggest difficulties in configuring network security devices is that each device has a local policy, yet the devices must cooperate with one another to provide the intended global behavior. This situation cries out for a framework in which end-to-end security properties can be specified and verified. Ideally, such a framework would enable the discovery of policy inconsistencies and security violations, and assist in correcting them as well. In the first part of this proposal, we present such a framework, in which we propose a unified policy representation (UPR) based on Binary Decision Diagrams (BDD) to model the policies of various network security devices. The individual models are combined into an overall model of the network as a whole, the Global Policy Representation (GPR). The GPR is then used to perform a general policy consistency check. In addition, our framework includes a formal language for specifying higher-level end-to-end properties that the network should satisfy. The global model of the network can then be checked automatically to see whether it satisfies the desired properties. If the model fails to satisfy the requirements, a counter-example can be generated that demonstrates the failure.

Sponsor(s): National Science Foundation

Adaptive Firewall Policy Optimization based on Dynamic Traffic Statistics

Existing research on filtering optimization focuses on worst-case algorithmic optimization of the accepted traffic. We are among the first to explore and advocate filtering optimization based on traffic properties for both the accept and reject paths. We propose a novel traffic-aware optimization technique that uses information theory to characterize traffic trends and dynamically restructures the filtering rules to achieve minimum matching cost. We explore and evaluate various techniques in this direction based on rule ordering, alphabetic trees, Huffman trees and BDD segments. Our evaluation shows a significant performance improvement in the average case and improved robustness of security devices against denial-of-service attacks.

Sponsor(s): National Science Foundation

Early Packet Rejection in Firewall Filtering

The policy representation has a significant impact on the performance of network devices. An increase in the number of policy rules causes a significant increase in filtering overhead and traffic latency, particularly when the majority of incoming traffic is rejected by the last default rule. This project investigates and develops real-time policy optimization and adaptation algorithms that let firewalls reject traffic discarded by the default-deny rule as early as possible, without impacting the performance of the accepted traffic. This serves as a countermeasure against DoS attacks on firewalls that target the default-deny rule with high traffic volume. None of the previous work has addressed this problem.

Sponsor(s): National Science Foundation

Firewall Policy Testing

Firewall implementations might have bugs that cause serious network vulnerabilities. On the other hand, manual or human-driven testing techniques have proven insufficient because they provide limited coverage of the testing space and require a long time and high labor overhead. Using a random selection scheme implies exponential growth in the number of test scenarios and an extremely long testing period. In this project, we developed a framework for testing security policy enforcement using a "smart" selection of test scenarios (random policy configurations) and test cases (random packet/traffic generation) to conduct efficient testing of IOS and PIX firewall devices.

Sponsor(s): National Science Foundation, Cisco Systems

Security Metrics and Policy Evaluation

Evaluation of network security is an essential step in securing any network. It helps security professionals make optimal decisions about how to design security countermeasures, choose between alternative security architectures, and systematically modify security configurations to improve security. However, the security of a network depends on a number of dynamically changing factors, such as the emergence of new vulnerabilities and threats, policy structure, and network traffic. Identifying, quantifying and validating these factors using security metrics is a major challenge in this area. In this project, we investigate a comprehensive security metric framework that identifies and objectively quantifies the most significant security risk factors: existing and future vulnerabilities based on historical trends, the immunity of the security configuration to attack occurrence and propagation, and traffic trends that characterize insider and outsider user behavior.

SPAM Botnet Detection

High-level Declarative Languages for Network Access Control Policies

Due to the interaction of domains, services and devices in a network, defining firewall rule configurations for enterprise networks is a very complex task. The goal of this project is to provide high-level languages that enable administrators to specify high-level security goals, which can then be realized and translated into low-level device configurations. Our work here is applied to firewalls, but the ultimate goal is to extend it to all network security devices.

PolicyVis: Security Policy Visualization

With a large number of network security devices and policy rules, network security policies are complex to understand and manage. The purpose of this project is to enable administrators to inspect security policies visually and identify misconfigurations in a distributed network environment.

Next-generation Network Scanning & Reconnaissance: Attacks and Counter-measures

We explore new reconnaissance attack techniques that remotely scan security configurations in a stealthy manner. Our implemented tool, FireCracker, scans firewalls and accurately discovers their filtering policies using intelligent and non-intensive probes. Thus the adversary not only discovers more sensitive network information but also navigates network services silently.

Reasoning About the Uncertainty in Fault Diagnosis

Fault diagnosis is a core service in any network management system. Many active and passive fault reasoning techniques have been proposed in the literature. However, because of lost and spurious symptoms, only an integration of both kinds of technique can achieve optimal fault reasoning. In addition, the lack of network-level information (symptoms) and knowledge (prior fault probabilities), as in overlay networks, together with the variation in user observations, poses new challenges for fault diagnosis in overlay networks.

In this project, we investigate new models that incorporate optimal action selection into the fault reasoning process to minimize the latency of fault diagnosis. We also investigate new fault diagnosis techniques based on users' beliefs that do not require any underlying probabilistic quantification of network faults (e.g., prior fault probability).

Proactive Error and Rate Control for IPTV

In this project, we propose a proactive end-to-end quality-centric technique for IPTV multicast. The receivers are divided into a number of multicast groups based on the available last-mile bandwidth. Our self-adaptive joint error and rate control mechanism ensures optimal quality in real time for each multicast receiver group by taking proactive control actions. The Error Control maintains receiver quality for each multicast group in the short term by providing Unequal Error Protection for the FGS Base and Enhancement layers using optimal FEC and retransmission. As in the audio case, the degree and duration of error recovery are chosen dynamically using loss prediction and stochastic inventory control. The Rate Control detects changing bandwidth and uses a rate-quality optimization model to proactively deliver the optimal combination of Base and FGS Enhancement layers.

Firewall Policy Advisor: Conflicts Analysis, Rule Editing and Translation

Although firewalls are basic network elements, their policy configuration remains a complex and error-prone task. The large number of rules and firewalls, together with the order-dependent semantics of rule actions, makes manual firewall management not only hard to comprehend but also vulnerable to misconfiguration.

In this project, we model the relations between firewall rules using set-theoretic operations and develop a comprehensive framework to classify and identify conflicts that could exist within a single firewall device (intra-policy conflicts) or between different firewall devices (inter-policy conflicts) in enterprise networks. We also developed conflict-free algorithms to edit and modify firewall policies in a distributed network environment, and we show how rules can be aggregated into a compressed format suitable for translation into a high-level description.

Sponsor(s): National Science Foundation, Cisco Systems

IPSec Policy Modeling and Verification

Although IPSec is a basic network security mechanism, its policy configuration remains a complex and error-prone task. The complex semantics of IPSec policies, which allow multiple rule actions to be triggered, significantly increase the potential for policy misconfiguration and insecure communication.

In this project, we present a generic model that captures various filtering policy semantics using Boolean expressions. We use this model to derive a canonical representation of IPSec policies using Ordered Binary Decision Diagrams. Based on this representation, we develop a comprehensive framework to classify and identify conflicts that could exist within a single IPSec device (intra-policy conflicts) or between different IPSec devices (inter-policy conflicts) in enterprise networks. Our testing and evaluation study on different network environments demonstrates the effectiveness and efficiency of our approach.

Sponsor(s): Intel Corporation

Real-Time Audio Quality Assessment

On-line audio quality assessment is important for providing real-time feedback to end-to-end Internet audio transport protocols, increasing the reliability and quality of the audio session. In this project, we investigate a passive statistical measurement technique for on-line audio quality assessment, Audio Genome, that can deduce the audio quality of an on-going Internet audio session in real time for many different codecs under any network loss condition. Our approach is easy to deploy and guarantees high computational speed. We first built an extensive experimental framework with diverse codecs, in which we objectively quantified the effect of packet loss on audio quality over a wide range of loss bursts, inter-loss gaps and loss rates. For each codec, we modeled the relationship between audio quality and inter-loss gaps and loss burst sizes using interpolation and multiple polynomial regression. For an ongoing communication, we estimate the partial MOS by aggregating the quality MOS over the inter-loss gaps and bursts seen in the session so far.

Proactive Quality Control for Real-Time Internet Audio

In this project, we propose a multi-codec proactive joint rate and error control mechanism for audio distributed over single and multiple paths. The contribution of our work is twofold. First, our self-adaptive joint error and rate control mechanism ensures optimal receiver quality in real time by taking proactive control actions based on packet loss prediction (Loss Predictor) and on-line quality assessment (Audio Genome). This is superior to the reactive feedback used in current sender-based single-path and multi-path rate control mechanisms. Second, our mechanism is user quality-centric, as opposed to an ad-hoc reaction to network packet loss using static FEC. The Error Control recovers individual path losses and maintains receiver quality in the short term using optimal FEC. The FEC degree and duration are chosen dynamically using a Markov Decision Process (MDP) and stochastic inventory control, an effective approach that is novel in the area of multimedia error control. The Rate Control detects changing bandwidth and uses a rate-quality optimization model to proactively diversify the optimal codec/bitrate combination over single or multiple paths. The sole purpose of the error control and rate adaptation actions is to optimize receiver quality in real time using objective audio quality assessment.

Scalable and Dynamic Monitoring and Correlation

Overlay networks have emerged as a powerful and flexible platform for developing new disruptive network applications. The performance and reliability of overlay applications depend on the capability of overlay networks to dynamically adapt to various factors such as link/node failures, overlay link quality, and overlay node characteristics. This research addresses the following important challenges in monitoring new emerging technologies such as overlay, sensor, multicast and QoS networks:

- How to create an optimal event monitoring and aggregation infrastructure that minimizes monitoring latency and event aggregation cost, considering the large-scale geographical and network distribution of overlay nodes?
- Can real-time monitoring under bandwidth and time constraints be achieved?
- How can monitoring systems be self-organizing and adaptive?
- How to provide rich but usable monitoring interfaces?

Sponsor(s): Sun Microsystems, Aprisma, DePaul University

Multicast Reachability Monitoring & Diagnosis

In this project we developed scalable monitoring techniques and tools to detect and isolate multicast reachability and QoS problems for on-going multicast sessions in real time. Our solution consists of three components: mcastSNMP, which extends SNMP to support multicasting; MRMON, an SNMP-based remote passive multicast monitoring infrastructure; and SMRM, a multicast QoS monitoring framework. Our framework combines distributed monitoring with centralized control, which offers scalable, easy-to-use and easy-to-deploy multicast monitoring services.

Game-theoretic Approach for Resource Management in P2P Systems

P2P services are widely used today for sharing resources such as files. One of the main problems that degrades the overall performance of a P2P system is the selfish behavior of a client (i.e., downloading much more than uploading) in the P2P community. In this project, we propose a game-theoretic approach to value and rank clients based on their community services and usage in the P2P system. This results in a fair distribution of resources between P2P clients and an increase in the overall performance.

Modeling and Prediction of Internet Packet Loss

The Loss Predictor expresses the probability of loss in the next packet train of a UDP transmission by passively analyzing (1) changes in the available bandwidth, manifested as variations in end-to-end delay and inter-packet gap of in-line stream packets, used as 'evidence', and (2) the near-past history of congestion in terms of observed loss patterns and trends in gap and delay variation. In our approach, we identify the baseline delay and inter-packet gap as the delay and gap under no congestion. In contrast, we identify the delay and gap expansion at the capacity saturation point of a path as loss thresholds, beyond which packet loss is more likely. We track the short-term and long-term trends as indications of congestion build-up and release, and accordingly derive the likelihood of packet loss by detecting loss thresholds. The Loss Predictor is formalized as a Bayesian probability measure of packet loss in the next projection window based on the 'evidence' of inter-packet gap expansion and delay variation.
