Rajesh Talpade

AMRoute: ad hoc multicast routing protocol

The Ad hoc Multicast Routing protocol (AMRoute) presents a novel approach for robust IP Multicast in mobile ad hoc networks by exploiting user-multicast trees and dynamic logical cores. It creates a bidirectional, shared tree for data distribution using only group senders and receivers as tree nodes. Unicast tunnels are used as tree links to connect neighbors on the user-multicast tree. Thus, AMRoute does not need to be supported by network nodes that are not interested/capable of multicast, and group state cost is incurred only by group senders and receivers. Also, the use of tunnels as tree links implies that tree structure does not need to change even in case of a dynamic network topology, which reduces the signaling traffic and packet loss. Thus AMRoute does not need to track network dynamics; the underlying unicast protocol is solely responsible for this function. AMRoute does not require a specific unicast routing protocol; therefore, it can operate seamlessly over separate domains with different unicast protocols. Certain tree nodes are designated by AMRoute as logical cores, and are responsible for initiating and managing the signaling component of AMRoute, such as detection of group members and tree setup. Logical cores differ significantly from those in CBT and PIM-SM, since they are not a central point for data distribution and can migrate dynamically among member nodes. Simulation results (using ns-2) demonstrate that AMRoute signaling traffic remains at relatively low level for typical group sizes. The results also indicate that group members receive a high proportion of data multicast by senders, even in the case of a highly dynamic network.

NOMAD: traffic-based network monitoring framework for anomaly detection

Network performance monitoring is essential for managing a network efficiently and for ensuring reliable operation of the network. In this paper we introduce a scalable network monitoring framework, (NOMAD), that detects network anomalies through the characterization of the dynamic statistical properties of network traffic. NOMAD relies on high resolution measurements and on-line analysis of network traffic to provide real-time alarms in the incipient phase of network anomalies. It incorporates a suite of anomaly identification algorithms based on path changes, flow shift, and packet delay variance, and relies extensively on IP packet header information, such as TTL, source/destination address and packet length, and routers timestamps. NOMAD can be deployed in a single backbone router or incrementally in a regional or large scale network for detecting and locating network anomalies by correlating spatial and temporal network state information.

Towards a theory of intrusion detection

We embark into theoretical approaches for the investigation of intrusion detection schemes. Our main motivation is to provide rigorous security requirements for intrusion detection systems that can be used by designers of such systems. Our model captures and generalizes well-known methodologies in the intrusion detection area, such as anomaly-based and signature-based intrusion detection, and formulates security requirements based on both well-known complexity-theoretic notions and well-known notions in cryptography (such as computational indistinguishability). Under our model, we present two efficient paradigms for intrusion detection systems, one based on nearest neighbor search algorithms, and one based on both the latter and clustering algorithms. Under formally specified assumptions on the representation of network traffic, we can prove that our two systems satisfy our main security requirement for an intrusion detection system. In both cases, while the potential truth of the assumption rests on heuristic properties of the representation of network traffic (which is hard to avoid due to the unpredictable nature of external attacks to a network), the proof that the systems satisfy desirable detection properties is rigorous and of probabilistic and algorithmic nature. Additionally, our framework raises open questions on intrusion detection systems that can be rigorously studied. As an example, we study the problem of arbitrarily and efficiently extending the detection window of any intrusion detection system, which allows the latter to catch attack sequences interleaved with normal traffic packet sequences. We use combinatoric tools such as time and space-efficient covering set systems to present provably correct solutions to this problem.

InFilter: predictive ingress filtering to detect spoofed IP traffic

Cyber-attackers often use incorrect source IP addresses in attack packets (spoofed IP packets) to achieve anonymity, reduce the risk of trace-back and avoid detection. We present the predictive ingress filtering (InFilter) approach for network-based detection of spoofed IP packets near cyber-attack targets. Our InFilter hypothesis states that traffic entering an IP network from a specific source frequently uses the same ingress point. We have empirically validated this hypothesis by analysis of trace-routes to 20 Internet targets from 24 looking-glass sites, and 30-days of border gateway protocol-derived path information for the same 20 targets. We have developed a system architecture and software implementation based on the InFilter approach that can be used at border routers of large IP networks to detect spoofed IP traffic. Our implementation had a detection rate of about 80% and a false positive rate of about 2% in testbed experiments using Internet traffic and real cyber-attacks.

Bandwidth broker architecture for VoIP QoS

We present a scalable architecture for assuring Quality of Service to VoIP applications in an Internet Service Providers network. This architecture is based on the Differentiated Services and Bandwidth Broker models, and can also be used by other resource-sensitive applications. In this paper, we elaborate on a number of significant issues involved in the design, implementation, deployment and use of the Bandwidth Broker. The Call Agent architecture is used as the VoIP application. We describe the Bandwidth Broker prototype that is used to validate our approach. Our findings suggest that it is feasible to use the Bandwidth Broker architecture for assuring QoS, and a trade-off exists between the granularity of resource requests and call-setup delay.

A Simple Admission Control Algorithm for IP Networks

We present a simple and scalable admission control algorithm for improving the Quality of Service (QoS) in Internet Service Provider (ISP) networks. The algorithm is novel in that it does not make any assumptions regarding the underlying transport technology (works at the IP layer), requires simple data structures and is low in operational complexity, can handle IP network topology changes efficiently, and can help identify congested links in the network. We have verified the working of this algorithm by simulation for arbitrary IP network topologies, and have found it to be successful in performing admission control and identifying congested links after route changes.

Network Configuration Validation

To set up network infrastructure satisfying end-to-end requirements, it is not only necessary to run appropriate protocols on components but also to correctly configure these components. Configuration is the “glue” for logically integrating components at and across multiple protocol layers. Each component has configuration parameters, each of which can be set to a definite value. However, today, the large conceptual gap between end-to-end requirements and configurations is manually bridged. This causes large numbers of configuration errors whose adverse effects on security, reliability, and high cost of deployment of network infrastructure are well documented.

Guest editorial network infrastructure configuration

The nine papers in this special issue focus on network infrastructure configuration and some of the problems encountered in the areas of specification, diagnosis, repair, synthesis, and anonymization.