Min Cai

GossipTrust for Fast Reputation Aggregation in Peer-to-Peer Networks

In peer-to-peer (P2P) networks, reputation aggregation and ranking are the most time-consuming and space-demanding operations. This paper proposes a new gossip protocol for fast score aggregation. We developed a Bloom filter architecture for efficient score ranking. These techniques do not require any secure hashing or fast lookup mechanism, thus are applicable to both unstructured and structured P2P networks. We report the design principles and performance results of a simulated GossipTrust reputation system. Randomized gossiping with effective use of power nodes enables light-weight aggregation and fast dissemination of global scores in O(log2 n) time steps, where n is the P2P network size. The Gossip-based protocol is designed to tolerate dynamic peer joining and departure, as well as to avoid possible peer collusions. The scheme has a considerably low gossiping message overhead, i.e. O(n log2 n) messages for n nodes. Bloom filters demand at most 512 KB memory per node for a 10,000-node network. We evaluate the performance of GossipTrust with distributed P2P file-sharing and parameter-sweeping applications. The simulation results demonstrate that GossipTrust has small aggregation time, low memory demand, and high ranking accuracy. These results suggest promising advantages of using the GossipTrust system for trusted P2P applications.

Hybrid Intrusion Detection with Weighted Signature Generation over Anomalous Internet Episodes

This paper reports the design principles and evaluation results of a new experimental hybrid intrusion detection system (HIDS). This hybrid system combines the advantages of low false-positive rate of signature-based intrusion detection system (IDS) and the ability of anomaly detection system (ADS) to detect novel unknown attacks. By mining anomalous traffic episodes from Internet connections, we build an ADS that detects anomalies beyond the capabilities of signature-based SNORT or Bro systems. A weighted signature generation scheme is developed to integrate ADS with SNORT by extracting signatures from anomalies detected. HIDS extracts signatures from the output of ADS and adds them into the SNORT signature database for fast and accurate intrusion detection. By testing our HIDS scheme over real-life Internet trace data mixed with 10 days of Massachusetts Institute of Technology/Lincoln Laboratory (MIT/LL) attack data set, our experimental results show a 60 percent detection rate of the HIDS, compared with 30 percent and 22 percent in using the SNORT and Bro systems, respectively. This sharp increase in detection rate is obtained with less than 3 percent false alarms. The signatures generated by ADS upgrade the SNORT performance by 33 percent. The HIDS approach proves the vitality of detecting intrusions and anomalies, simultaneously, by automated data mining and signature generation over Internet connection episodes

Collaborative Internet worm containment

Large-scale worm outbreaks that lead to distributed denial-of-service attacks pose a major threat to Internet infrastructure security. Fast worm containment is crucial for minimizing damage and preventing flooding attacks against network hosts.

Fast and accurate traffic matrix measurement using adaptive cardinality counting

Traffic matrix (TM) can be used to detect, identify, and trace network anomaly caused by DDoS attacks and worm outbreaks. To detect network anomaly as early as possible, we need to obtain TM in a fast and accurate manner. Many existing TM estimation techniques are found not sufficient for this purpose due to their high overhead or low accuracy. We propose a cardinality-based TM measurement approach with an adaptive counting algorithm to produce both packetlevel and flow-level TM, which is well-suited for TM-based anomaly detection on a network basis. Our results show that the approach can obtain TM in almost real-time (once very 10 seconds) with low average relative error (less than 5%). Our approach has low processing, storage and communication overhead, e.g. software implementation can support OC-192 line speed. It can also be implemented in a passive mode and deployed incrementally without changing current routing infrastructure.

WormShield: Fast Worm Signature Generation with Distributed Fingerprint Aggregation

Fast and accurate generation of worm signatures is essential to contain zero-day worms at the Internet scale. Recent work has shown that signature generation can be automated by analyzing the repetition of worm substrings (that is, fingerprints) and their address dispersion. However, at the early stage of a worm outbreak, individual edge networks are often short of enough worm exploits for generating accurate signatures. This paper presents both theoretical and experimental results on a collaborative worm signature generation system (WormShield) that employs distributed fingerprint filtering and aggregation over multiple edge networks. By analyzing real-life Internet traces, we discovered that fingerprints in background traffic exhibit a Zipf-like distribution. Due to this property, a distributed fingerprint filtering reduces the amount of aggregation traffic significantly. WormShield monitors utilize a new distributed aggregation tree (DAT) to compute global fingerprint statistics in a scalable and load-balanced fashion. We simulated a spectrum of scanning worms including CodeRed and Slammer by using realistic Internet configurations of about 100,000 edge networks. On average, 256 collaborative monitors generate the signature of CodeRedl-v2 135 times faster than using the same number of isolated monitors. In addition to speed gains, we observed less than 100 false signatures out of 18.7-Gbyte Internet traces, yielding a very low false-positive rate. Each monitor only generates about 0.6 kilobit per second of aggregation traffic, which is 0.003 percent of the 18 megabits per second link traffic sniffed. These results demonstrate that the WormShield system offers distinct advantages in speed gains, signature accuracy, and scalability for large-scale worm containment.

DHT-based security infrastructure for trusted internet and grid computing

We designed a distributed security infrastructure with self-defence capabilities to secure networked resources in Grids and internet applications. This paper reports new developments in fuzzy trust management, game-theoretic Grid models, security-binding methodology, as well as new Grid performance metrics, defence architecture and mechanisms against intrusions, worms, and low-rate pulsing Distributed Denial of Service (DDoS) attacks. The design is based on a novel Distributed Hash Table (DHT) for security enforcement among Grid sites scattered over the internet.

Performance of Networked XML-Driven Co-Operative Applications

Web services are an emerging software technology that employ XML, e.g., W3C’s SOAP [1], to share and exchange data. They are a building block of co-operative applications that communicate using a network. They may serve as wrappers for legacy data sources, integrate multiple remote data sources, filter information by processing queries (function shipping), etc. Web services are based on the concept of “software and data as a service.” With those that interact with an end user, a fast response time is the difference between the following two scenarios: (1) users issuing requests, retrieving their results, and visiting the service repeatedly, and (2) users issuing requests, waiting for response and walking away prior to retrieving their results, with a lower likelihood of issuing future requests for this web service. One may employ a middleware to enhance performance by minimizing the impact of transmission time. This is accomplished by compressing messages. This paper identifies factors that this middleware must consider in order to reduce response time. In particular, it must ensure the overhead of compression (increased CPU time) does not exceed its savings (lower transmission time).

NAM: A Network Adaptable Middleware to Enhance Response Time of Web Services

Web Services is an emerging software technology that is based on the concept of software and data as a service. Binary and XML are two popular encoding/decoding mechanisms for network messages. A Web Service may employ a loss-less compression technique (e.g., Zip, XMill, etc.) in order to reduce message size prior to its transmission across the network, minimizing its transmission time. This saving might be outweighed by the overhead of compressing the output of a Web Service at a server and decompressing it at a client. The primary contribution of this paper is NAM, a middleware that strikes a compromise between these two factors in order to enhance response time. NAM decides when to compress data, based on the available client and server processor speeds and network characteristics. When compared with today’s common practice to transmit the output of a Web Service uncompressed always, our experimental results show NAM either provides similar or significantly improved response times (at times, more than 90% improvement) with Internet connections that offer bandwidths ranging from 80 to 100 Mbps.