Gabi Dreo Rodosek

Future Internet = content + services + management

While the term future Internet has gained a lot of interest recently, there is little agreement on what this term means or what the future Internet looks like. By taking the viewpoint of an Internet user who is interested in using Internet services and not so much in the protocols that move data around, we first describe some possible future Internet services. In a second step we derive some network and service management requirements, and discuss some of them in more detail.

A generic model for IT services and service management

Whereas network and system components were in the focus of management research in previous years, nowadays management of services dominates management activities. We are witnessing a paradigm shift from device-oriented to service-oriented management, and with this the need to deal with new challenging management issues. The management of the underlying infrastructure with respect to the delivered services and agreed service level agreements is certainly the fundamental challenge. It is easy to see that all research questions center around the new managed object service and its integration with existing device-oriented managed objects (network devices, end systems, applications). Thus, the development of a common definition of a service in terms of a common generic service model is essential.

Determining the availability of distributed applications

Distributed applications can be seen as complex pieces of software which are distributed across various heterogeneous end systems in a network. Mostly, they rely on the provision of other applications as well. Adequate methods for testing the availability of distributed applications do not exist yet. Availability must be determined based on the availability of the involved end systems and network nodes. In view of this, we propose (i) a service graph for the description of functional dependencies, (ii) extend it to a parameterized availability graph to describe the involved components, instantiate the graph, and (iii) give calculation rules for determining the availability of applications. Although most dependencies are described during the design phase, some of them can be recognized only during operation. To deal with this, user trouble reports about unavailable services are used to refine the availability graph and improve the availability calculations.

Using the Concept of Intelligent Agents in FaultManagement of Distributed Services

This paper proposes the application of conceptsfrom the area of intelligent agents to overcomedeficiencies of existing management architecturesregarding distribution of functionality and flexibility. Its main contribution is the proposal of amethodology for a flexible, distributed realization ofcomplex management tasks. The main application areas aredistributed services which are complex pieces of software, distributed across variousheterogeneous end systems in a network. Mostly, theyrely on the provision of other services as well. Theapproach relies on well-known concepts, such ascooperative distributed problem solving and intelligentagents, and offers a framework to combine these twoconcepts, providing a step on the roadmap to a flexible,distributed management architecture. The assessment of the approach is displayed throughout thepaper by scenarios from the area of nontime criticalfault management.

Behavior-based intrusion detection in encrypted environments

In recent years the Internet has evolved into a critical communication infrastructure that is omnipresent in almost all aspects of our daily life. This dependence of modern societies on the Internet has also resulted in more criminals using the Internet for their purposes, causing a steady increase of attacks, both in terms of quantity as well as quality. Although research on the detection of attacks has been performed for several decades, todays systems are not able to cope with modern attack vectors. One of the reasons is the increasing use of encrypted communication that strongly limits the detection of malicious activities. While encryption provides a number of significant advantages for the end user like, for example, an increased level of privacy, many classical approaches of intrusion detection fail. Since it is typically not possible to decrypt the traffic, performing analysis w.r.t. the presence of certain patterns is almost impossible. To overcome this shortcoming we present a new behavior-based detection architecture that uses similarity measurements to detect intrusions as well as insider activities like data exfiltration in encrypted environments.

Command Evaluation in Encrypted Remote Sessions

Intrusion Detection Systems (IDS) are integral components for the detection of malicious code and attacks. Detection methods can be differentiated in signature-based and anomaly-based systems. While the former ones search for well-known patterns which are available in a database, the latter ones build a model of the normal behavior of a network and later on attacks can be detected by measuring significant deviation of the network status against the normal behavior described by the model. Often this requires the availability of the payload of the network packets. If encryption protocols like SSL or SSH are used, searching for attack signatures in the payload is not possible any longer and also the usage of behavior based techniques is limited: Statistical methods like flow evaluation can be used for anomaly detection, but application level attacks hidden in the encrypted traffic can be undetectable. At the moment, only a few systems are designed to cope with encrypted network traffic. Even so, none of these systems can be easily deployed in general because of the need for protocol modifications, special infrastructures or because of high false alarm rates which are not acceptable in a production environment. In this paper, we propose a new IDS for encrypted traffic which identifies command sequences in encrypted network traffic and evaluates the attack possibility of them. The encrypted traffic is clustered and possibilities for different commands are calculated. Based on that, command sequences are analysed. The system evaluates probabilities for commands and command sequences and the likeliness for an attack based on the identified sequences without a decryption of the packets. Because of only using statistical data gathered from the network traffic, the system can be deployed in general. The current prototype of the system focuses on the command evaluation.

Towards Evaluating Type of Service Related Quality-of-Experience on Mobile Networks

Quality of Service (QoS) metrics have been traditionally used to evaluate the perceived quality of services delivered by network operators. However, these metrics are not suitable for evaluating the experience of an end-user. The experience of a user is quantified based upon activities such as speed of web page loading, quality of video streaming, or voice quality of Internet-telephony. Due to the temporal and geographical nature of mobile networks, the perceived experience of a user may change based on location and time. Mobile operators may prioritize certain services over others, leading to a service type dependent Quality of Experience (QoE). In this paper we present a mobile application developed to gather metrics necessary to evaluate QoE in a mobile environment. Our approach towards obtain not just a general, but service specific mean opinion score (MOS) to quantify QoE is also discussed. Initial experiments and measurement tests show that it is possible for the same operator to deliver different QoE based on service and even time-of-day.

Towards a trust computing architecture for RPL in Cyber Physical Systems

Cyber Physical Systems (CPSs) are widely expected to be formed of networked resource constrained devices. To suit the constraints of such networks, the IETF developed the RPL routing protocol for Low-power and Lossy Networks (LLNs). Security in CPSs is important for maintaining the integrity and privacy of data, while also improving network resiliency to attacks. Even though RPL provides support for integrity and confidentiality of messages, details regarding key management and signatures are not covered. Since complexity and size is a core concern in LLNs, off-loading the security features to a Trusted Platform Module (TPM) can make it possible to include sophisticated security provisions in an RPL implementation. This paper presents how it would be possible to use the security mechanisms of a TPM in order to secure the communication in an RPL network.

Geolocation and Verification of IP-Addresses with Specific Focus on IPv6

Geolocation, the mapping of a network entity with its geographical position is used frequently in today’s internet. New location aware applications like e-commerce, web site content and advertisements are just some examples of what has appeared since the last couple of years. Regarding network security, Geolocation also has a significant impact, since it offers possibilities for advanced network security (e.g., including sophisticated geo-based attack correlation/classification). However, determining the physical position of a network entity is challenging, as there is no inherent relationship between an IP address and its geographical location. In addition, with the introduction of IPv6, the address space is enhanced by a factor of 296 making the process far more complex in comparison to IPv4. Although numerous techniques for Geolocation are existing, each strategy is subject to certain restrictions. Therefore, this publication illustrates and evaluates different approaches of Geolocation. Furthermore, strategies to obtain additional information related to the location of IP addresses are examined. After considering procedures how to verify the achieved data and following the ideas of Endo et al., we are designing an architecture for a combination of different methods for optimized Geolocation. Finally we introduce and evaluate our Proof of Concept called geolabel, a tool capable of mapping IPv4 as well as IPv6 addresses to certain geographical locations on a country level.

Thwarting attacks on ZigBee - Removal of the KillerBee stinger

Wireless Sensor Networks (WSNs) have recently emerged as an important research topic. Due to the enormous number of sensor nodes and the constrained resources, specific research challenges can be identified with respect to security. Almost all available commercial and research sensor nodes are equipped with ZigBee transceiver chips, and thus making ZigBee the de-facto standard in WSN communication. Since Joshua Wrights KillerBee Framework was released with its focus on exploring and exploiting the security of ZigBee networks, non security-hardened WSNs increase the risk of being vulnerable against certain attacks such as simple association flooding and packet replay attacks. We propose an anomaly-based approach intrusion detection system (IDS) optimized for ZigBee-based WSN to protect ZigBee-based WSN nodes against KillerBee supported attacks. We describe the KillerBee attack procedure and propose an approach of guarding a ZigBee transceiver. Based on an extended sensor node/network simulation and analysis framework, we demonstrate furthermore how our anomaly-based detection engine can thwart attacks on a ZigBee transceiver.