
Publication


Featured research published by Arthur W. Berger.


IEEE Symposium on Security and Privacy | 2004

Fast portscan detection using sequential hypothesis testing

Jaeyeon Jung; Vern Paxson; Arthur W. Berger; Hari Balakrishnan

Attackers routinely perform random portscans of IP addresses to find vulnerable servers to compromise. Network intrusion detection systems (NIDS) attempt to detect such behavior and flag these portscanners as malicious. An important need in such systems is prompt response: the sooner a NIDS detects malice, the lower the resulting damage. At the same time, a NIDS should not falsely implicate benign remote hosts as malicious. Balancing the goals of promptness and accuracy in detecting malicious scanners is a delicate and difficult task. We develop a connection between this problem and the theory of sequential hypothesis testing and show that one can model accesses to local IP addresses as a random walk on one of two stochastic processes, corresponding respectively to the access patterns of benign remote hosts and malicious ones. The detection problem then becomes one of observing a particular trajectory and inferring from it the most likely classification for the remote host. We use this insight to develop TRW (Threshold Random Walk), an online detection algorithm that identifies malicious remote hosts. Using an analysis of traces from two qualitatively different sites, we show that TRW requires a much smaller number of connection attempts (4 or 5 in practice) to detect malicious activity compared to previous schemes, while also providing theoretical bounds on the low (and configurable) probabilities of missed detection and false alarms. In summary, TRW performs significantly faster and also more accurately than other current solutions.
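
As an added illustration (not code from the paper), a minimal Python version of the threshold random walk the abstract describes: each first-contact connection outcome moves a log-likelihood ratio up or down until it crosses one of two thresholds. The success probabilities under each hypothesis and the target error rates are assumptions here, not values stated on the page; with them, four consecutive failed first contacts suffice to flag a host, in line with the 4 or 5 attempts quoted above.

```python
import math

# Assumed parameters (the abstract says only that they are configurable):
# THETA0 / THETA1 = P(first-contact connection succeeds | benign / scanner),
# ALPHA = target false-alarm rate, BETA = target detection rate.
THETA0, THETA1 = 0.8, 0.2
ALPHA, BETA = 0.01, 0.99
UPPER = math.log(BETA / ALPHA)              # walk crosses upward  -> scanner
LOWER = math.log((1 - BETA) / (1 - ALPHA))  # walk crosses downward -> benign

def log_lr_step(success):
    """Log-likelihood-ratio step for one outcome (H1 scanner vs H0 benign)."""
    if success:
        return math.log(THETA1 / THETA0)          # success favours benign
    return math.log((1 - THETA1) / (1 - THETA0))  # failure favours scanner

class TRWDetector:
    """Online per-remote-host random walk. Only the first contact with each
    local address is an observation, so retries to one host do not move it."""
    def __init__(self):
        self.seen, self.walk, self.verdict = {}, {}, {}

    def observe(self, remote, local, success):
        """Feed one connection attempt; returns 'scanner', 'benign' or 'pending'."""
        if remote in self.verdict:
            return self.verdict[remote]
        if local in self.seen.setdefault(remote, set()):
            return "pending"
        self.seen[remote].add(local)
        self.walk[remote] = self.walk.get(remote, 0.0) + log_lr_step(success)
        if self.walk[remote] >= UPPER:
            self.verdict[remote] = "scanner"
        elif self.walk[remote] <= LOWER:
            self.verdict[remote] = "benign"
        return self.verdict.get(remote, "pending")

# Constructed sample trace: (remote host, local address, connection succeeded).
SAMPLE = [
    ("198.51.100.7", "10.0.0.1", False), ("198.51.100.7", "10.0.0.1", False),
    ("198.51.100.7", "10.0.0.2", False), ("198.51.100.7", "10.0.0.3", False),
    ("198.51.100.7", "10.0.0.4", False),  # 4th distinct failure -> scanner
    ("203.0.113.9", "10.0.0.1", True), ("203.0.113.9", "10.0.0.2", True),
    ("203.0.113.9", "10.0.0.3", True), ("203.0.113.9", "10.0.0.4", True),
]

def run_sample():
    det = TRWDetector()
    for remote, local, ok in SAMPLE:
        det.observe(remote, local, ok)
    return dict(det.verdict)
```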


Recent Advances in Intrusion Detection | 2004

Fast Detection of Scanning Worm Infections

Stuart E. Schechter; Jaeyeon Jung; Arthur W. Berger

Worm detection and response systems must act quickly to identify and quarantine scanning worms, as when left unchecked such worms have been able to infect the majority of vulnerable hosts on the Internet in a matter of minutes [9]. We present a hybrid approach to detecting scanning worms that integrates significant improvements we have made to two existing techniques: sequential hypothesis testing and connection rate limiting. Our results show that this two-pronged approach successfully restricts the number of scans that a worm can complete, is highly effective, and has a low false alarm rate.


ACM Special Interest Group on Data Communication | 2007

Dynamic load balancing without packet reordering

Srikanth Kandula; Dina Katabi; Shantanu Sinha; Arthur W. Berger

Dynamic load balancing is a popular recent technique that protects ISP networks from sudden congestion caused by load spikes or link failures. Dynamic load balancing protocols, however, require schemes for splitting traffic across multiple paths at a fine granularity. Current splitting schemes present a tussle between slicing granularity and packet reordering. Splitting traffic at the granularity of packets quickly and accurately assigns the desired traffic share to each path, but can reorder packets within a TCP flow, confusing TCP congestion control. Splitting traffic at the granularity of a flow avoids packet reordering but may overshoot the desired shares by up to 60% in dynamic environments, resulting in low end-to-end network goodput. Contrary to popular belief, we show that one can systematically split a single flow across multiple paths without causing packet reordering. We propose FLARE, a new traffic splitting algorithm that operates on bursts of packets, carefully chosen to avoid reordering. Using a combination of analysis and trace-driven simulations, we show that FLARE attains accuracy and responsiveness comparable to packet switching without reordering packets. FLARE is simple and can be implemented with a few KB of router state.


IEEE ACM Transactions on Networking | 2007

NIRA: a new inter-domain routing architecture

Xiaowei Yang; David D. Clark; Arthur W. Berger

In today's Internet, users can choose their local Internet service providers (ISPs), but once their packets have entered the network, they have little control over the overall routes their packets take. Giving a user the ability to choose between provider-level routes has the potential of fostering ISP competition to offer enhanced service and improving end-to-end performance and reliability. This paper presents the design and evaluation of a new Internet routing architecture (NIRA) that gives a user the ability to choose the sequence of providers his packets take. NIRA addresses a broad range of issues, including practical provider compensation, scalable route discovery, efficient route representation, fast route fail-over, and security. NIRA supports user choice without running a global link-state routing protocol. It breaks an end-to-end route into a sender part and a receiver part and uses address assignment to represent each part. A user can specify a route with only a source and a destination address, and switch routes by switching addresses. We evaluate NIRA using a combination of network measurement, simulation, and analysis. Our evaluation shows that NIRA supports user choice with low overhead.


IEEE ACM Transactions on Networking | 1995

Traffic descriptors for VBR video teleconferencing over ATM networks

Amy R. Reibman; Arthur W. Berger

This paper examines the problem of video transport over ATM networks using knowledge of both video system design and broadband networks. The following issues are addressed: video system delay caused by internal buffering, traffic descriptors (TD) for video, and call admission. We find that while different video sequences require different TD parameters, the following trends hold for all sequences examined. First, increasing the delay in the video system decreases the necessary peak rate and significantly increases the number of calls that can be carried by the network. Second, as an operational traffic descriptor for video, the leaky-bucket algorithm appears to be superior to the sliding-window algorithm. And finally, with a delay in the video system, the statistical multiplexing gain from VBR over CBR video is upper bounded by roughly a factor of four, and to obtain a gain of about 2.0 can require the operational traffic descriptor to have a window or bucket size on the order of a thousand cells. We briefly discuss how increasing the complexity of the video system may enable the size of the bucket or window to be reduced.


IEEE ACM Transactions on Networking | 1998

Effective bandwidths with priorities

Arthur W. Berger; Ward Whitt

The notion of effective bandwidths has provided a useful practical framework for connection admission control and capacity planning in high-speed communication networks. The associated admissible set with a single linear boundary makes it possible to apply stochastic-loss-network (generalized-Erlang) models for capacity planning. We consider the case of network nodes that use a priority-service discipline to support multiple classes of service, and we wish to determine an appropriate notion of effective bandwidths. Just as was done previously for the first-in first-out (FIFO) discipline, we use large-buffer asymptotics (large deviations principles) for workload tail probabilities as a theoretical basis. We let each priority class have its own buffer and its own constraint on the probability of buffer overflow. Unfortunately, however, this leads to a constraint for each priority class. Moreover, the large-buffer asymptotic theory with priority classes does not produce an admissible set with linear boundaries, but we show that it nearly does and that a natural bound on the admissible set does have this property. We propose it as an approximation for priority classes; then there is one linear constraint for each priority class. This linear-admissible-set structure implies a new notion of effective bandwidths, where a given connection is associated with multiple effective bandwidths: one for the priority level of the given connection and one for each lower priority level. This structure can be used regardless of whether the individual effective bandwidths are determined by large-buffer asymptotics or by some other method.


IEEE Transactions on Power Systems | 1989

Real time pricing to assist in load frequency control

Arthur W. Berger; Fred C. Schweppe

We study the use of real time prices to assist in the control of frequency and tie line deviations in electric power systems. The role of such prices, if any, would yield the practical limit to the trend in electric power systems of varying prices on ever faster time scales. The application of prices in electric power systems to increase the efficient use of resources is an established technique. The pricing schemes can be classified by time scales. Energy adjustment charges vary seasonally or monthly, while time of day rates vary two or three times per day. The power brokering system of 18 Florida Utilities operates on an hourly time scale. In a spot price market of buyers and sellers of electric power, prices adapt to system operation conditions such as changes in system lambda, the effect of generation shortages, and the effect of line overloads. The fastest spot price that has been implemented to date is 30 minutes (most implementations involve 1 hour time steps, which may be prespecified 24 hours in advance). On a five minute time scale is system lambda, a shadow price, used internally by electric utilities for economic dispatch. A key assumption of spot pricing and economic dispatch is that the power system is in quasi-steady state; i.e. power system dynamics involving frequency, voltage, etc. are ignored, and only Kirchhoff's laws for the network are considered. The paper explores pricing at time scales where the quasi-steady state assumption is no longer valid.


IEEE Journal on Selected Areas in Communications | 1991

Performance analysis of a rate-control throttle where tokens and jobs queue

Arthur W. Berger

A rate-control throttle is used for overload control in distributed switching systems and computer and communication networks. Typical implementations of the throttle have a token bank where an arriving job is blocked and rejected if the bank is empty of tokens. The author examines an expanded implementation where an arriving job queues in a finite buffer when the token bank is empty. It is shown that the steady-state throughput and blocking of jobs depends on the capacity of the job buffer and the capacity of the token bank only via the sum of the two capacities, not on their individual values. Thus, the job buffer per se is not needed to enhance the robustness of the throughput of the throttle to unknown exogenous job arrival rates. However, a job buffer (along with a token bank) with adjustable buffer capacities does have the potential to shape the departure process and to adapt between a delay control and a work-rejection control.


IEEE Communications Magazine | 1998

Extending the effective bandwidth concept to networks with priority classes

Arthur W. Berger; Ward Whitt

ATM switches are now being designed to allow connections to be partitioned into priority classes, with packets being emitted for higher priority classes before packets are emitted for lower priority classes. Accordingly, allocation of network resources based on different priority levels is becoming a realistic possibility. Thus, we need new methods for connection admission control and capacity planning that take account of the priority structure. We show that the notion of effective bandwidths can be used for these purposes when appropriately extended. The key is to have admissibility of a set of connections determined by a linear constraint for each priority level, involving a performance criterion for each priority level. For this purpose, connections are assigned more than one effective bandwidth, one for its own priority level and one for each lower priority level. Candidate effective bandwidths for each priority level can be determined by using previous methods associated with the first-in first-out discipline. The proposed effective bandwidth structure makes it possible to apply product-form stochastic loss network models to perform dimensioning.


IEEE Transactions on Communications | 1991

Comparison of call gapping and percent blocking for overload control in distributed switching systems and telecommunications networks

Arthur W. Berger

Two overload control techniques are compared. A percent blocking throttle blocks and rejects an arrival with a given probability. A call gapping throttle closes the gap size for a deterministic time interval; after this interval, the next job to arrive passes through and the throttle again closes for the deterministic time interval. The comparison of the throttle schemes is based on nine criteria, seven of which concern robustness. The key strengths of call gapping are shown to be a greater robustness to changes in total arrival rate, and higher goodput, the throughput times the probability of it being good. For varying arrival rate, where the control setting is fixed, call gapping maintains reasonable goodput over regions where percent blocking has allowed goodput to fall to zero. The strengths of percent blocking are shown to be robustness to changes in number of active sources and robustness to unbalanced loads. The optimal control setting for percent blocking is shown to be a function of the total arrival rate and not a function of the number of active sources or the individual arrival rates.

Collaboration

Top co-authors of Arthur W. Berger:

- Robert Beverly, Naval Postgraduate School
- David Plonka, University of Wisconsin-Madison
- Dina Katabi, Massachusetts Institute of Technology
- Georgios Smaragdakis, Technical University of Berlin
- Steven Bauer, Massachusetts Institute of Technology