Liancheng Zhang

Situation assessment model for inter-domain routing system

Although nowadays Internet is facing more and more threats, very few works have investigated the security situation assessment for inter-domain routing system which is the most significant infrastructure of Internet. To deal with the problem, a situation assessment model based on the immune Danger Theory is proposed. In this study, the authors first give a comprehensive description of the model architecture as well as practical considerations, and then the main components including signal mapping, antigen selection, routing behaviour analysis and global situation assessment are, respectively, defined and illustrated. Evaluations are launched in view of Japan earthquake and YouTube hijacking, and the results show that the model is able to assess the global anomalous degree of specific inter-domain routing system quantitatively, which can provide network administrator with accurate and timely information to conduct network monitoring and route protection.

Interval-Based Spread Spectrum Watermarks for tracing multiple network flows

Most existing timing-based and traffic rate-based watermarking schemes are ineffective at tracing multiple network flows in parallel due to their interference with each other, even worse, most of them are visible to multi-flow attack and/or MSAC attack, as they embed different network flows using the same interval positions and/or improper parameters. By combining Interval-Based Watermarking (IBW) modulation approach with Spread Spectrum (SS) coding technique, we propose an Interval-Based Spread Spectrum Watermarking (IBSSW) scheme for tracing multiple network flows efficiently and simultaneously, which embeds signal by modulating the statistical character of packets arriving time and utilizes multiple orthogonal Pseudo-Noise (PN) codes as random seeds for randomizing the locations of the embedded watermark across different network flows. A statistical analysis of IBSSW, with no assumptions or limitations concerning the distribution of packet times, proves its effectiveness of multi-flow traceback under conditions of repacketization and timing perturbation, and robustness against multi-flow and MSAC attacks. Empirical results demonstrate that IBSSW can efficiently trace multiple network traffic at the same time.

A Security Threats Taxonomy for Routing System Intrusion Detection

Security threats against routing system have become both increasingly numerous and sophisticated recently. However, so far there is not a taxonomy that could be useful for the routing system security threats. In this paper, a clear-cut and scalable taxonomy faced to routing system security threats was proposed. It consisted of four basic dimensions which provided a holistic classification in order to deal with inherent problems in the routing system security threats field. The four dimensions included attack layer, attack vector, attack target and attack effect. Besides the above dimensions, a number of further dimensions were added to enhance the taxonomy.

A Covert Communication Model Based on IPv6 Multicast.

Covert communication using Internet Protocol version 6 (IPv6) header fields can be easily detected. By thoroughly exploring the characteristics of IPv6 multicast, this study proposes a novel covert communication model based on IPv6 multicast (MCv6). In this model, a multicast group, containing a large number of members across different subnets, is created to hide the receiver’s network ID, thereby achieving covert communications. To ensure the security of this covert communication, a random key generation algorithm, based on the chaotic sequence, is proposed to encrypt communication packets. To ensure the legitimacy of covert communications, a multicast source authentication mechanism based on hash comparison is proposed to verify the legitimacy of communication source nodes. To ensure the integrity of covert communications, a two-stage error control mechanism is proposed to control the possible packet-loss and other errors. Theoretical analysis and simulation results show that the proposed MCv6 model can provide good IPv6-based covert communications, efficiently reducing the probability of detection, and ensuring the security and reliability of the IPv6-based medium.

Survey on network flow watermarking: model, interferences, applications, technologies and security

Compared with passive flow correlation technologies based on flow characteristics, network flow watermarking, a kind of active flow correlation technology, is characterised by high accuracy, low false positive rate and short observation time. The basic framework and main elements of flow watermarking are formally described. The robustness and invisibility focused by flow watermarking as well as typical application scenarios (such as stepping-stone traceback, anonymous abuser correlation) of flow watermarking are expounded. The intra-flow and inter-flow interferences (such as repacketisation, packet reorder, delay normalisation, flow mixing, flow splitting and flow merging) faced by flow watermarking are briefly introduced. Analysis and comparison on different watermark carriers (packet payload, traffic rate, packet timing, packet number, packet length, packet order and hybrid carrier) based typical flow watermarking technologies, including flow fingerprinting technologies, are conducted, then, a review on security threats faced by flow watermarking, including multi-flow attack, mean-square autocorrelation attack, Kolmogorov-Smirnov test, BACKLIT detection and replication attack, and main countermeasures for increasing invisibility of flow watermarking is carried out. Current research hotspots and future development trends of flow watermarking are summarised and prospected from the aspects of architecture design, invisibility enhancement, adaptive capability improvement, performance evaluation, deployment and application.

Flow watermarking and random sampling based flow trajectory tracking technology in software defined network

Current technologies for extracting forwarding information from data plane focus on the forwarding behaviors of the flow on its flow path, so it is difficult for them to monitor the forwarding behaviors deviation from the original path. In order to effectively detect malicious forwarding behaviors such as traffic replication, traffic misrouting and traffic fabrication, flow watermarking and random sampling based flow trajectory tracking technology is proposed, which embeds covert watermark into target flow, and detects traffic replication, traffic misrouting and traffic fabrication by random sampling packets at each port of all switches. Experimental results show that this proposed technology can effectively detect malicious behaviors such as traffic replication, traffic misrouting and traffic fabrication at a low false negative rate when a certain sampling rate is guaranteed.

A Port Hopping Based DoS Mitigation Scheme in SDN Network

In order to resist DoS attack, taking advantages of SDN networks logically centralized control and network programmable features, a port hopping based DoS mitigation scheme in SDN network is proposed, which moves port hopping function forward to SDN controller and presents a timestamp feedback based hopping synchronization method. This proposed scheme not only can reduce protected servers cost caused by port hopping, earlier detect and filter malicious packets than traditional port hopping schemes, but also can resist port scanning and internal attack. Theoretical analysis and experimental results show that this proposed scheme can effectively defend against DoS attack and port scanning without consuming many resources on SDN controller.

An Epidemic-Dynamics-Based Model for CXPST Spreading in Inter-Domain Routing System

We study the CXPST attack which aims at the destruction of inter-domain routing system and propose a spreading model to represent the threatening scale. By analyzing the process we illuminate the mechanism of how CXPST seizes the BGP deficiencies to paralyze the Internet control plane from the traffic attack of data plane, and then the spreading model named as EDM-CS is presented based by the epidemic dynamics theory. Parameters of the model are closely associated with the real network topology and BGP router overloading condition which reflect the features of the CXPST spreading. In virtue of the classical BA scale-free network, spreading density that derives from EDM-CS behaves great consistency with the simulation results based on the collected data from CAIDA. This model can help understanding CXPST attack and providing a basis for predicting the spreading trend, as well as investigating effective defense strategy.

IRSR: Recover Inter-Domain Routing System from a Higher View Beyond Internet

Nowadays security situation of Internet is getting surprisingly worse. Many studies show that under the intensive paralyzing attack, inter-domain routing system which acts as the critical infrastructure of Internet, will falls into large-scale and long-term failure both of the routing nodes and links, endangering the running performance of Internet. Based on the centralized control theory, IRSR model proposed here builds an independent Decision Center above the existing inter-domain routing system, it could provide global situation awareness by using the sensor networks and controller networks deployed in each AS, and implements fast recovery from failures based on methods including pre-computed failover topology and consistent view. IRSR guarantees the maximum compatibility with existing routing protocols and structure of inter-domain routing system, which will reduce the deployment cost and complexity. Moreover, it also overcomes the problems like concealed AS information and long BGP convergence, which improves the recovery velocity and coverage rate.