Francesco Oliviero

A Reputation-Based Metric for Secure Routing in Wireless Mesh Networks

The continuous growth of wireless networks calls for more and more sophisticated solutions for their security. In particular, mechanisms for limiting effects of routing protocol attacks are becoming a mandatory requirement: black-hole and gray-hole attacks can in fact seriously compromise the performance of a critical infrastructure like a Wireless Mesh Network. In this paper we present a new routing metric aimed at mitigating the effects of such attacks, based on an estimation of the trustworthiness level of network nodes. By applying the metric to existing wireless routing protocols we show that it is possible to increase both the security level and the performance of the overall network, even in the presence of routing attacks.

A distributed control law for load balancing in content delivery networks

In this paper, we face the challenging issue of defining and implementing an effective law for load balancing in Content Delivery Networks (CDNs). We base our proposal on a formal study of a CDN system, carried out through the exploitation of a fluid flow model characterization of the network of servers. Starting from such characterization, we derive and prove a lemma about the network queues equilibrium. This result is then leveraged in order to devise a novel distributed and time-continuous algorithm for load balancing, which is also reformulated in a time-discrete version. The discrete formulation of the proposed balancing law is eventually discussed in terms of its actual implementation in a real-world scenario. Finally, the overall approach is validated by means of simulations.

REAL TIME DETECTION OF NOVEL ATTACKS BY MEANS OF DATA MINING TECHNIQUES

Rule-based Intrusion Detection Systems (IDS) rely on a set of rules to discover attacks in network traffic. Such rules are usually hand-coded by a security administrator and statically detect one or few attack types: minor modifications of an attack may result in detection failures. For that reason, signature based classification is not the best technique to detect novel or slightly modified attacks. In this paper we approach this problem by extracting a set of features from network traffic and computing rules which are able to classify such traffic. Such techniques are usually employed in off line analysis, as they are very slow and resource-consuming. We want to assess the feasibility of a detection technique which combines the use of a common signature-based intrusion detection system and the deployment of a data mining technique. We will introduce the problem, describe the developed architecture and show some experimental results to demonstrate the usability of such a system.

Energy- and Delay-Efficient Routing in Mobile Ad Hoc Networks

In this paper we discuss how we improved the MChannel group communication middleware for Mobile Ad-hoc Networks (MANETs) in order to let it become both delay- and energy-aware. MChannel makes use of the Optimized Link State Routing (OLSR) protocol, which is natively based on a simple hop-count metric for the route selection process. Based on such metric, OLSR exploits Dijkstra’s algorithm to find optimal paths across the network. We added a new module to MChannel, enabling unicast routing based on two alternative metrics, namely end-to-end delay and overall network lifetime. With such new module, we prove that network lifetime and average end-to-end delay improve, compared to the original OLSR protocol implementation included in the mentioned middleware. Thanks to MChannel’s approach, which implements routing in the user’s space, the improvements achieved in the unicast jOLSR routing protocol are transparently applied to the upstanding MChannel overlay multicast OMOLSR protocol. We also discuss how the proposed new module actually represents a general framework which can be used by programmers to introduce in MChannel novel metrics and path selection algorithms.

High-speed intrusion detection in support of critical infrastructure protection

Telecommunication network plays a fundamental role in the management of critical infrastructures since it is largely used to transmit control information among the different elements composing the architecture of a critical system. The health of a networked system strictly depends on the security mechanisms that are implemented in order to assure the correct operation of the communication network. For this reason, the adoption of an effective network security strategy is seen as an important and necessary task of a global methodology for critical infrastructure protection. In this paper we present 2 contributions. First, we present a distributed architecture that aims to secure the communication network upon which the critical infrastructure relies. This architecture is composed of an intrusion detection system (IDS) which is built on top of a customizable flow monitor. Second, we propose an innovative method to extrapolate real-time information about user behavior from network traffic. This method consists in monitoring traffic flows at different levels of granularity in order to discover ongoing attacks.

REFACING: An autonomic approach to network security based on multidimensional trustworthiness

Several research efforts have recently focused on achieving distributed anomaly detection in an effective way. As a result, new information fusion algorithms and models have been defined and applied in order to correlate information from multiple intrusion detection sensors distributed inside the network. In this field, an approach which is gaining momentum in the international research community relies on the exploitation of the Dempster-Shafer (D-S) theory. Dempster and Shafer have conceived a mathematical theory of evidence based on belief functions and plausible reasoning, which is used to combine separate pieces of information (evidence) to compute the probability of an event. However, the adoption of the D-S theory to improve distributed anomaly detection efficiency generally involves facing some important issues. The most important challenge definitely consists in sorting the uncertainties in the problem into a priori independent items of evidence. We believe that this can be effectively carried out by looking at some of the principles of autonomic computing in a self-adaptive fashion, i.e. by introducing support for self-management, self-configuration and self-optimization functionality. In this paper, we intend to tackle some of the above mentioned issues by proposing the application of the D-S theory to network information fusion. This will be done by proposing a model for a self-management supervising layer exploiting the innovative concept of multidimensional reputation, which we have called REFACING (RElationship-FAmiliarity-Confidence-INteGrity).

Distributed management for load balancing in Content Delivery Networks

In this paper we face the challenging issue of defining and implementing an effective law for load balancing in Content Delivery Networks. We base our proposal on a formal study of a CDN system, carried out through the exploitation of a fluid flow model characterization of the network of servers. Starting from such characterization, we derive and prove a lemma about the network queues equilibrium. This result is then leveraged in order to devise a novel distributed algorithm for load balancing. The overall approach is validated by means of simulations showing the effectiveness of the proposed algorithm in terms of both fair load distribution and limited service time.

An extended ns-2 for validation of load balancing algorithms in Content Delivery Networks

This paper deals with the design, the development and the usage guidelines of a novel Content Delivery Network library for the ns-2 simulator. Such library allows evaluating new application-level load balancing approaches, with special regard to distributed content web servers. It includes some typical load balancing algorithms proposed in the literature and it can be extended to support new solutions. The proposed tool extends the ns-2 simulator with new HTTP data types and new application components which are in charge of data treatment. Moreover a new agent has been added to allow the simulation of data transferring. The library has been designed to work in a non-hierarchical and peer to peer cooperation environment. Several examples of testing scenarios are proposed in the paper.

Optimised balancing algorithm for content delivery networks

In this study the authors present the ‘fictitiously starred optimised balancing’ (FSOB), a novel algorithm for load balancing in a content delivery network (CDN) scenario. FSOB exploits the multiple redirection mechanism of the HTTP protocol to optimally redistribute clients requests among the servers which build up the CDN. Load redistribution is aimed at equalising the level of occupancy of the server queues and is achieved through the periodical exchange of information computed locally at each node. The algorithm initially makes a fictitious assumption about the local topology of the network, as it is seen by each single server node, which looks at itself as the centre (i.e. the master) of a star made up of all of its neighbours (i.e. the slaves). Load redistribution is performed by the master which, if needed, appropriately redirects incoming requests to its slaves. The authors show how FSOB outperforms most of its competitors under a number of fundamental aspects, at the price of an increased overhead owing to the adoption of the multiple redirections mechanism for the redistribution phase. Finally, they study the scalability properties of FSOB and perform a comparative evaluation of its performance with respect to the most interesting existing solutions.

Use of traffic engineering techniques to increase resilience of SCADA networks

In this paper we present the approach we have taken in the INSPIRE (INcreasing Security and Protection through Infrastructure REsilience) project to increase the protection of Critical Infrastructures (CIs). The core idea of the INSPIRE project is to protect Critical Infrastructures by making the underlying communication network more secure and resilient. In order to do so, we devised a routing mechanism that allows the communication infrastructure interconnecting SCADA (Supervisory Control And Data Acquisition) systems, the key building blocks of CIs, to be resilient to both node failures and attacks. The approach is to split the packets of a SCADA traffic flow on two node-disjoint paths by exploiting the capabilities of the Multi-Protocol Label Switching communication paradigm. The security of the SCADA traffic is improved since the proposed approach allows for a fast re-route of the flows traversing a node under attack, thus preserving the confidentiality of the transmitted information.