Michael P. Howarth

An overview of routing optimization for internet traffic engineering

Traffic engineering is an important mechanism for Internet network providers seeking to optimize network performance and traffic delivery. Routing optimization plays a key role in traffic engineering, finding efficient routes so as to achieve the desired network performance. In this survey we review Internet traffic engineering from the perspective of routing optimization. A taxonomy of routing algorithms in the literature is provided, dating from the advent of the TE concept in the late 1990s. We classify the algorithms into multiple dimensions: unicast/multicast, intra-/inter- domain, IP-/MPLS-based and offline/online TE schemes. In addition, we investigate some important traffic engineering issues, including robustness, TE interactions, and interoperability with overlay selfish routing. In addition to a review of existing solutions, we also point out some challenges in TE operation and important issues that are worthy of investigation in future research activities.

A Survey of MANET Intrusion Detection & Prevention Approaches for Network Layer Attacks

In the last decade, mobile ad hoc networks (MANETs) have emerged as a major next generation wireless networking technology. However, MANETs are vulnerable to various attacks at all layers, including in particular the network layer, because the design of most MANET routing protocols assumes that there is no malicious intruder node in the network. In this paper, we present a survey of the main types of attack at the network layer, and we then review intrusion detection and protection mechanisms that have been proposed in the literature. We classify these mechanisms as either point detection algorithms that deal with a single type of attack, or as intrusion detection systems (IDSs) that can deal with a range of attacks. A comparison of the proposed protection mechanisms is also included in this paper. Finally, we identify areas where further research could focus.

Dynamic Balanced Key Tree Management for Secure Multicast Communications

A secure multicast communication is important for applications such as pay-per-view and secure videoconferencing. A key tree approach has been proposed by other authors to distribute the multicast group key in such a way that the rekeying cost scales with the logarithm of the group size for a join or depart request. The efficiency of this key tree approach critically depends on whether the key tree remains balanced over time as members join or depart. In this paper, we present two merging algorithms suitable for batch join requests. To additionally handle batch depart requests, we extend these two algorithms to a batch balanced algorithm. Simulation results show that our three algorithms not only maintain a balanced key tree, but their rekeying costs are lower compared with those of existing algorithms

Provisioning for interdomain quality of service: the MESCAL approach

This article presents an architecture for supporting interdomain QoS across the multi-provider global Internet. While most research to date has focused on supporting QoS within a single administrative domain, mature solutions are not yet available for the provision of QoS across multiple domains administered by different organizations. The architecture described in this article encompasses the full set of functions required in the management (service and resource), control and data planes for the provision of end-to-end QoS-based IP connectivity services. We use the concept of QoS classes and show how these can be cascaded using service level specifications (SLSs) agreed between BGP peer domains to construct a defined end-to-end QoS. We illustrate the architecture by describing a typical operational scenario.

Dynamics of key management in secure satellite multicast

Security is an important concern in todays information age and particularly so in satellite systems, where eavesdropping can be easily performed. This paper addresses efficient key management for encrypted multicast traffic transmitted via satellite. We consider the topic of encrypting traffic in large multicast groups, where the group size and dynamics have a significant impact on the network load. We consider life cycle key management costs of a multicast connection, and show for a logical key hierarchy (LKH) how member preregistration and periodic admission reduces the initialization cost, and how the optimum outdegree of a hierarchical tree varies with the expected member volatility and rekey factor. This improves network utilization, but encryption at the network layer can pose problems on satellite links. We, therefore, propose and analyze an interworking solution between multilayer Internet protocol security (IPSEC) and LKH that also reduces key management traffic while enabling interworking with performance enhancing modules used on satellite links.

Protection of MANETs from a range of attacks using an intrusion detection and prevention system

Mobile ad hoc networks (MANETs) are well known to be vulnerable to various attacks due to their lack of centralized control, and their dynamic topology and energy-constrained operation. Much research in securing MANETs has focused on proposals which detect and prevent a specific kind of attack such as sleep deprivation, black hole, grey hole, rushing or sybil attacks. In this paper we propose a generalized intrusion detection and prevention mechanism. We use a combination of anomaly-based and knowledge-based intrusion detection to secure MANETs from a wide variety of attacks. This approach also has the capability to detect new unforeseen attacks. Simulation results of a case study shows that our proposed mechanism can successfully detect attacks, including multiple simultaneous different attacks, and identify and isolate the intruders causing a variety of attacks, with an affordable network overhead. We also investigate the impact on the MANET performance of (a) the various attacks and (b) the type of intrusion response, and we demonstrate the need for an adaptive intrusion response.

Adaptive intrusion detection & prevention of denial of service attacks in MANETs

Mobile ad-hoc networks (MANETs) are well known to be vulnerable to various attacks, due to features such as lack of centralized control, dynamic topology, limited physical security and energy constrained operations. In this paper we focus on preventing denial-of-service (DoS) attacks. As an example, we consider intruders that can cause DoS by exploiting the route discovery procedure of reactive routing protocols. We show the unsuitability of tools such as control chart, used in statistical process control (SPC), to detect DoS and propose an anomaly-based intrusion detection system that uses a combination of chi-square test & control chart to first detect intrusion and then identify an intruder. When the intruder is isolated from the network we show reduced overhead and increased throughput. Simulation results show that our algorithm performs well at an affordable processing overhead over the range of scenarios tested.

End-to-end quality of service provisioning through inter-provider traffic engineering

This paper addresses the issue of delivering solutions that will enable the incremental implementation of inter-domain quality of service (QoS) in the multi-provider commercial Internet. The paper first introduces a holistic architecture that describes the key functions required to support inter-domain QoS, and then proceeds to present results from two major components of the architecture. A genetic algorithm for QoS-aware offline inter-domain traffic engineering is first presented, and it is shown through simulation studies how this can optimise the apportionment of QoS provisioning between adjacent domains. Secondly, QoS enhancements to BGP are proposed and the results of a testbed implementation are described, demonstrating how this QoS-enhanced BGP can deliver inter-domain QoS routing.

An intrusion detection & adaptive response mechanism for MANETs

Mobile ad hoc networks are vulnerable to a variety of network layer attacks such as black hole, gray hole, sleep deprivation & rushing attacks. In this paper we present an intrusion detection & adaptive response mechanism for MANETs that detects a range of attacks and provides an effective response with low network degradation. We consider the deficiencies of a fixed response to an intrusion; and we overcome these deficiencies with a flexible response scheme that depends on the measured confidence in the attack, the severity of attack and the degradation in network performance. We present results from an implementation of the response scheme that has three intrusion response actions. Simulation results show the effectiveness of the proposed detection and adaptive response mechanisms in various attack scenarios. An analysis of the impact of our proposed scheme shows that it allows a flexible approach to management of threats and demonstrates improved network performance with a low network overhead.

Transfer Reliability and Congestion Control Strategies in Opportunistic Networks: A Survey

Opportunistic networks are a class of mobile ad hoc networks (MANETs) where contacts between mobile nodes occur unpredictably and where a complete end-to-end path between source and destination rarely exists at one time. Two important functions, traditionally provided by the transport layer, are ensuring the reliability of data transmission between source and destination, and ensuring that the network does not become congested with traffic. However, modified versions of TCP that have been proposed to support these functions in MANETs are ineffective in opportunistic networks. In addition, opportunistic networks require different approaches to those adopted in the more common intermittently connected networks, e.g. deep space networks. In this article we capture the state of the art of proposals for transfer reliability and storage congestion control strategies in opportunistic networks. We discuss potential mechanisms for transfer reliability service, i.e. hop-by-hop custody transfer and end-to-end return receipt. We also identify the requirements for storage congestion control and categorise these issues based on the number of message copies distributed in the networks. For single-copy forwarding, storage congestion management and congestion avoidance mechanism are discussed. For multiple-copy forwarding, the principal storage congestion control mechanisms are replication management and drop policy. Finally, we identify open research issues in the field where future research could usefully be focused.