Beverly Schwartz

Single-packet IP traceback

The design of the IP protocol makes it difficult to reliably identify the originator of an IP packet. Even in the absence of any deliberate attempt to disguise a packets origin, widespread packet forwarding techniques such as NAT and encapsulation may obscure the packets true source. Techniques have been developed to determine the source of large packet flows, but, to date, no system has been presented to track individual packets in an efficient, scalable fashion. We present a hash-based technique for IP traceback that generates audit trails for traffic within the network, and can trace the origin of a single IP packet delivered by the network in the recent past. We demonstrate that the system is effective, space efficient (requiring approximately 0.5% of the link capacity per unit time in storage), and implementable in current or next-generation routing hardware. We present both analytic and simulation results showing the systems effectiveness.

Smart packets: applying active networks to network management

This article introduces Smart Packets and describes the smart Packets architecture, the packet formats, the language and its design goals, and security considerations. Smart Packets is an Active Networks project focusing on applying active networks technology to network management and monitoring. Messages in active networks are programs that are executed at nodes on the path to one or more target hosts. Smart Packets programs are written in a tightly encoded, safe language specifically designed to support network management and avoid dangerous constructs and accesses. Smart Packets improves the management of large complex networks by (1) moving management decision points closer to the node being managed, (2) targeting specific aspects of the node for information rather than exhaustive collection via polling, and (3) abstracting the management concepts to language constructs, allowing nimble network control.

The SPINDLE Disruption-Tolerant Networking System

DARPAs Disruption-Tolerant Networking (DTN) program is developing technologies that enable access to information when stable end-to-end paths do not exist and network infrastructure access cannot be assured. DTN technology makes use of persistence within network nodes, along with the opportunistic use of mobility, to overcome disruptions to connectivity. In this paper, we describe the SPINDLE Disruption-Tolerant Networking system and related technology being developed at BBN under the DTN program. Using an open-source, standards-based core with a plugin architecture and well-specified interfaces, we enable independent development and insertion of innovative DoD-relevant technology while allowing the core system to be refined and engineered within a COTS context. SPINDLE technology innovations include: (i) routing algorithms that work efficiently across a wide range of network disruption, (ii) a name-management architecture for DTNs that supports progressive resolution of intentional name attributes within the network (not at the source), including support for queries as names and name-scheme translation, (iii) distributed caching, indexing, and retrieval approaches for disruption-tolerant content-based (rather than locator-based) access to information, and (iv) a declarative knowledge-based approach that integrates routing, intentional naming, policy-based resource management, and content-based access to information. We present preliminary results that show that the DTN approach outperforms traditional end-to-end approaches across a wide range of network disruption.

Architecture for multi-stage network attack traceback

Attacks can originate from anywhere in the network but there is little the network can tell operators about where the attacker is located. Packet traceback techniques have been proposed to find the source of one or more IP packets, but some attackers use multiple remote login sessions, or stepping stones, to increase obfuscation. IP packet traceback can only find the source of one of the several connections in the stepping stone connection chain. Stealthy tracing attackers research light trace (STARLlTE) is a customization and significant extension to BBNs source path isolation engine (SPlE.) The goal of STARLlTE was to construct a prototype to integrate single packet traceback with stepping stone detection. The resulting prototype traces a packet to an ingress router, and then discovers if the flow of that packet is related to a flow in another connection. A successful correlation can then be continued until an ultimate source is located

FIRE: flexible Intra-AS routing environment

Current routing protocols are monolithic, specifying the algorithm used to construct forwarding tables, the metric used by the algorithm (generally some form of hop-count), and the protocol used to distribute these metrics as an integrated package. The Flexible Intra-AS Routing Environment (FIRE) is a link-state, intra-domain routing protocol that decouples these components. FIRE supports run-time-pro- grammable algorithms and metrics over a secure link-state distribution protocol. By allowing the network operator to dynamically reprogram both the information being advertised and the routing algorithm used to construct forwarding tables in Java, FIRE enables the development and deployment of novel routing algorithms without the need for a new protocol to distribute state. FIRE supports multiple concurrent routing algorithms and metrics, each constructing separate forwarding tables. By using operator-specified packet filters, separate classes of traffic are routed using completely different routing algorithms, all supported by a single routing protocol.

FIRE: flexible intra-AS routing environment

Current routing protocols are monolithic, specifying the algorithm used to construct forwarding tables, the metric used by the algorithm (generally some form of hop count), and the protocol used to distribute these metrics as an integrated package. The flexible intra-AS routing environment (FIRE) is a link-state, intradomain routing protocol that decouples these components. FIRE supports run-time-programmable algorithms and metrics over a secure link-state distribution protocol. By allowing the network operator to dynamically reprogram both the properties being advertised and the routing algorithms used to construct forwarding tables, FIRE enables the development and deployment of novel routing algorithms without the need for a new protocol to distribute state. FIRE supports multiple concurrent routing algorithms and metrics, each constructing separate forwarding tables. By using operator-specified packet filters, separate classes of traffic may be routed using completely different routing algorithms, all supported by a single routing protocol. This paper presents an overview of FIRE, focusing particularly on FIREs novel aspects with respect to traditional routing protocols. We consider deploying several current unicast and multicast routing algorithms in FIRE, and describe our Java-based implementation.

Efficient Multi-Dimensional Flow Correlation

Flow correlation algorithms compare flows to determine similarity, and are especially useful and well studied for detecting flow chains through stepping stone hosts. Most correlation algorithms use only one characteristic and require all values in the correlation matrix (the correlation value of all flows to all other flows) to be updated on every event. We have developed an algorithm that tracks multiple (n) characteristics per flow, and requires updating only the flows n values upon an event, not all the values for all the flows. The n correlation values are used as coordinates for a point in n-space; two flows are considered correlated if there is a very small Euclidean distance between them. Our results show that this algorithm is efficient in space and compute time, is resilient against anomalies in the flow, and has uses outside of stepping stone detection.

An architecture for scalable network defense

We describe a novel architecture for network defense designed for scaling to very high data rates (100 Gb/s) and very large user populations. Scaling requires both efficient attack detection algorithms as well as appropriate an execution environment. Our architecture considers the time budget of traffic data extraction and algorithmic processing, provides a suite of detection algorithms”each designed to present different and complementary views of the data—that generate many “traffic events,” and reduces false positives by correlating these traffic events into benign or malicious hypotheses.