Eric Van Den Berg

A fast static analysis approach to detect exploit code inside network flows

A common way by which attackers gain control of hosts is through remote exploits. A new dimension to the problem is added by worms which use exploit code to self-propagate, and are becoming a commonplace occurrence. Defense mechanisms exist but popular ones are signature-based techniques which use known byte patterns, and they can be thwarted using polymorphism, metamorphism and other obfuscations. In this paper, we argue that exploit code is characterized by more than just a byte pattern because, in addition, there is a definite control and data flow. We propose a fast static analysis based approach which is essentially a litmus test and operates by making a distinction between data, programs and program-like exploit code. We have implemented a prototype called styx and evaluated it against real data collected at our organizational network. Results show that it is able to detect a variety of exploit code and can also generate very specific signatures. Moreover, it shows initial promise against polymorphism and metamorphism.

Privacy and Scalability Analysis of Vehicular Combinatorial Certificate Schemes

Vehicular networks require secure communication, especially for safety applications. A public key infrastructure using a Combinatorial Certificate Scheme was implemented in the US Vehicle Infrastructure Integration (VII) Proof-of-Concept (PoC) trial to secure V2V communication and preserve vehicle privacy. This paper analyzes the privacy and scalability of the Combinatorial Certificate approach for a nationwide network of 200 million vehicles. It examines the tradeoffs between privacy, the ability to efficiently detect and remove bad actors, and the need to minimize the impact on innocent vehicles due to revocation and replacement of compromised shared certificates. Key findings include the level of vehicle anonymity that exists in situations of low vehicular density and the impact that certificate revocations have on innocent vehicles. A refinement to the Combinatorial Certificate Scheme is described that improves the innocent vehicle re-key quota lifetime by an order of magnitude.

Autonomous, Collaborative Control for Resilient Cyber Defense (ACCORD)

ACCORD addresses the need for robust, rapidly adaptive resource allocation mechanisms in cloud computing. It employs a distributed, game-theoretic approach to apportion computational loads in an efficient, prioritized, Pareto-optimal fashion among geographically dispersed cloud computing infrastructure. This paper describes ACCORD algorithms, software implementation, and initial experimental results. Our results illustrate how a distributed, ACCORD-enabled cloud architecture autonomously adapts to the loss of computing resources (e.g., due to failures, poor network connectivity, or cyber attack) while ensuring that users receive maximal, prioritized utility from available cloud resources.

A test for nonlinearity of time series with infinite variance

A heavy tailed time series that can be represented as an infinite moving average has the property that the sample autocorrelation function (ACF) at lag h converges in probability to a constant ρ(h), although the mathematical correlation typically does not exist. For many nonlinear heavy tailed models, however, the sample ACF at lag h converges in distribution to a nondegenerate random variable. In this paper, a test for (non)linearity of a given infinite variance time series is constructed, based on subsample stability of the sample ACF. The test is applied to several real and simulated datasets.

Cognitive topology control based on game theory

We have created a framework to design and study distributed topology control algorithms that combine network-formation games with machine learning. The algorithms rely on game players to pursue selfish actions through low-complexity greedy algorithms with low or no signaling overhead. Convergence and stability are ensured through proper mechanism design that eliminates infinite adaptation process. The framework also includes game-theoretic extensions to influence behavior such as fragment merging and preferring links to weakly connected neighbors. Learning allows adaptations that prevent node starvation, reduce link flapping, and minimize routing disruptions by incorporating network layer feedback in cost/utility tradeoffs. Using greedy utility maximization as a benchmark in Telcordia WISER emulator, we show improvements of for metrics such as the numbers of disconnected fragments (14%) and weakly connected nodes (35%), topology stability (41%), and disruption to user flows (16%). The proposed framework is particularly suitable to cognitive radio networks because it can be extended to handle heterogeneous users with different utility functions and conflicting objectives.

Adaptive, Network-Aware Cluster Selection for Cloud Computing in Wireless Networks

We describe and demonstrate fully distributed algorithms that enable cloud clients to select among a set of available computing clusters adaptively, based on measurements of cluster computing loads and the relative bandwidths of paths between the client and each cluster. These techniques are particularly important in cases where (1) clients connect to clusters over stressed wireless networks whose characteristics vary considerably over time, and (2) cloud computing resources are physically dispersed over several locations to improve robustness against physical attack, power failure, network failure, or cyber attack. We demonstrate new means of measuring path bandwidth reliably over multi-hop wireless networks. We then show how the resulting network awareness can be combined with available data on cluster computing loads to arrive at favorable cluster selection decisions by cloud clients, without the need for a centralized cloud controller.

Distributed game-theoretic topology control in cognitive networks

Existing distributed approaches to topology control are poor at exploiting the large configuration space of cognitive radios and use extensive inter-node synchronization to aim at optimality. We have created a framework to design and study distributed topology control algorithms that combine network-formation games with machine learning. In our approach, carefully designed incentive mechanisms drive distributed autonomous agents towards a pre-determined system-wide optimum. The algorithms rely on game players to pursue selfish actions through low-complexity greedy algorithms with low or no signaling overhead. Convergence and stability are ensured through proper mechanism design that eliminates infinite adaptation process. The framework also includes game-theoretic extensions to influence behavior such as fragment merging and preferring links to weakly connected neighbors. Learning allows adaptations that prevent node starvation, reduce link flapping, and minimize routing disruptions by incorporating network layer feedback in cost/utility tradeoffs. The algorithms are implemented in Telcordia Wireless IP Scalable Network Emulator. Using greedy utility maximization as a benchmark, we show improvements of 13-40% for metrics such as the numbers of disconnected fragments and weakly connected nodes, topology stability, and disruption to user flows. The proposed framework is particularly suitable to cognitive radio networks because it can be extended to handle heterogeneous users with different utility functions and conflicting objectives. Desired outcome is then achieved by application of standard cooperation techniques such as utility transfer (payments). Additional cross-layer optimizations are possible by playing games at multiple layers in a highly scalable manner.

Mobile information services enabled by mobile publishing (MIS-MP)

Mobile users and devices want to discover and share a growing range of information as the processing and storage capabilities of mobile devices grow. For example, users want to discover nearby networks, and location-based or time-sensitive user information contents. A mobile device may want to discover neighboring networks and the parameters required to access these networks so that it can intelligently decide which networks to use next, and use its existing network connection to authenticate with selected neighboring networks before it moves into the coverage areas of the selected networks. This can significantly reduce handoff delays. Existing service discovery frameworks are not effective for such neighboring network discovery or for discovering dynamic, location- or time-sensitive user information contents. This paper describes and evaluates a new approach—Mobile Information Services enabled by Mobile Publishing (MIS-MP)—for real time collection, discovery, and sharing of network and user information. With MIS-MP, mobiles take full advantage of the wealth of information they can accumulate during their routine mobility and use of networks to help each other to discover the information they want when and where they want it. This is accomplished by mobiles publishing the information they collect about the networks they visited, and the user information contents they learned or used, to make the information available to other mobiles. This paper presents analytical models and simulation results to evaluate the feasibility and performance of MIS-MP. It also describes a testbed implementation of MIS-MP and some of the lessons we learned.

Self Adaptive Robust Resource Allocation for Prioritized TCP Flows in Wireless Networks

We describe and demonstrate a fully distributed algorithm that enables prioritized TCP flows to allocate network resources (bandwidth) among themselves. The algorithm does not require any explicit communication among the different TCP flows. It enables autonomous adaptation to loss of network resources due to cyber attack or failure, while ensuring that users receive prioritized utility from available network resources.

Local Unicast Routing Control Agent

Routing for link state routing protocols such as OSPF is determined by computing shortest-paths on the network topology graph. In conventional routing the OSPF link costs are configured a-priori before the network is deployed, and remain fixed until manually changed. If subsequently, link quality degrades or alternate links become available, routing paths may become sub-optimal in terms of throughput or end to end delay. In this paper we describe a distributed routing optimization technology called Local Unicast Routing Control Agent (L-URCA). 1 L-URCA is co-located with every router, and dynamically updates the OSPF link costs to re-route traffic away from congested or highly utilized links. L-URCA only uses local information, i.e. information that can be gathered from the local router. This removes the overhead of messaging and state synchronization between L-URCA processes. One simple heuristic for local-rerouting is to dynamically set the link cost proportional to link utilization. This tends to re-route traffic away from the congested link, however it can lead to congestion elsewhere in the network and oscillation of traffic. The heuristics of L-URCA are specifically designed to set the OSPF weights such that traffic following the shortest-path will approximately minimize the average delay experienced in the network. The heuristics proposed for L-URCA are based on robust optimization techniques that take into account uncertainties of traffic, capacity and routing decisions in other parts of the network. Examples and further steps in this ongoing research project are briefly discussed.