Publication


Featured research published by Thomas Gamer.


European Wireless Conference | 2010

Simulative analysis of the Hybrid Wireless Mesh Protocol (HWMP)

Malte Cornils; Michael Bahr; Thomas Gamer

Within the last few years, prevalence and importance of wireless networks increased significantly. Especially, wireless mesh networks received a lot of attention in both academic research and commercial deployments. Wireless mesh networks are characterized by wireless multi-hop connectivity and facilitate a simple and cost-effective establishment of wireless networks while providing large coverage areas. The ongoing standardization of IEEE 802.11s WLAN Mesh Networking defines the Hybrid Wireless Mesh Protocol (HWMP) for link layer path selection. This protocol offers various modes of operation that are suitable for different environments. In this paper, a detailed simulative evaluation of these modes allows for conclusions about their performance and suitability for specific environments.


International Conference on Emerging Security Information, Systems and Technologies | 2008

Distack -- A Framework for Anomaly-Based Large-Scale Attack Detection

Thomas Gamer; Christoph P. Mayer; Martina Zitterbart

Distributed denial-of-service attacks pose unpredictable threats to the Internet infrastructure and Internet-based business. Thus, many attack detection systems and anomaly detection methods were developed in the past. A realistic evaluation of these mechanisms and comparable results, however, are impossible up to now. Furthermore, an adaptation to new situations or an extension of existing systems in most cases is complex and time-consuming. Therefore, we developed a framework for attack detection which allows for an integration of various detection methods as lightweight modules. These modules can be combined easily and arbitrarily and thus, adapted to varying situations. Additionally, our framework can be applied in different runtime environments transparently. This enables an easy evaluation with meaningful and comparable results based on realistic large-scale scenarios, e.g. by using a network simulator.


Computer Networks | 2012

Collaborative anomaly-based detection of large-scale internet attacks

Thomas Gamer

The Internet infrastructure and Internet-based business today still suffer from various attacks like Distributed Denial-of-Service (DDoS) attacks or worm propagations. A necessary first step in order to cope with such large-scale attacks is to provide an Internet-wide detection of such ongoing attacks, i.e., a detection that is not limited to single detection systems only. Therefore, collaborative detection systems were developed in the past. They, however, often rely on close trust relationships, which only rarely are available in the Internet. This means that the scope of detection is limited to only a small part of the Internet, mostly to a single administrative domain. This paper, therefore, introduces our newly developed collaborative attack detection that facilitates collaboration beyond domain boundaries without requiring close trust relationships. In-network detection systems are explicitly considered, too. Such systems are located on routers in the core of the Internet and are characterized by limited resources available for detection. Finally, a detailed simulative evaluation of our proposed solution is presented.


Global Communications Conference | 2009

Anomaly-Based Identification of Large-Scale Attacks

Thomas Gamer

Large-scale attacks like Distributed Denial-of-Service (DDoS) attacks still pose unpredictable threats to the Internet infrastructure and Internet-based business. Thus, many attack detection systems using various anomaly detection methods were developed in the past. These detection systems result in a set of anomalies detected by analysis of the traffic behavior. A realtime identification of the attack type that is represented by those anomalies simplifies important tasks like taking countermeasures and visualizing the network state. In addition, an identification facilitates a collaboration of distributed heterogeneous detection systems. In this paper, we first lay the foundations for a generalized identification system by establishing a model of those entities that form anomaly-based attack detection: large-scale attacks, anomalies, and anomaly detection methods. Based on this flexible model, an adaptable and resource-aware system for the identification of large-scale attacks is developed that additionally offers an autonomous processing control.


Praxis Der Informationsverarbeitung Und Kommunikation | 2008

PktAnon - A Generic Framework for Profile-based Traffic Anonymization

Thomas Gamer; Christoph P. Mayer; Marcus Schöller

Computer network researchers, system engineers and network operators have an increasing need for network traces. These are necessary to build and evaluate communication systems. This ranges from developing intrusion detection systems over evaluating network protocols or system design decisions, up to education in network security. Unfortunately, availability of real-world traces is very scarce, mainly due to privacy and security concerns. Making recorded data anonymous helps to mitigate this problem. Available anonymization systems, however, do not provide sufficient flexibility, extensibility or ease of use. Therefore, we developed a generic framework for traffic anonymization that can easily be configured by anonymization profiles. Such profiles ensure an easy adaptation of the information actually being made anonymous to different environments or local legislation. Furthermore, our framework supports flexible application of arbitrary anonymization primitives to every protocol field. Due to its extensibility our framework provides an easy incorporation of new anonymity-enhancing techniques, too. Additionally, it prevents accidental disclosure of private data by applying a technique called defensive transformation. Finally, it can be used for online as well as offline anonymization of network traffic.


International IFIP-TC Networking Conference | 2006

An extensible and flexible system for network anomaly detection

Thomas Gamer; Marcus Schöller; Roland Bless

Network hazards like attacks or misbehaving nodes are still a great obstacle for network operators. Distributed denial of service attacks and worm propagations do not only affect the attacked nodes but also the network itself by wasting network resources. In wireless ad hoc networks even more hazards exist due to its self-organizing characteristic. A detection of such network hazards as early as possible enables a fast deployment of appropriate countermeasures and thereby significantly improves network operation. Our proposed detection system uses programmable network technology to deploy such a system within the network itself. Doing this without influencing the routing performance seriously demands a resource saving architecture. We therefore propose to use a hierarchical architecture which runs a very small basic stage all the time and loads specialized detection modules on demand to verify the network hazard. In this paper we introduce our system which can detect DDoS attacks, worm propagations, and wormhole attacks.


Active and Programmable Networks | 2009

An Extension to Packet Filtering of Programmable Networks

Marcus Schöller; Thomas Gamer; Roland Bless; Martina Zitterbart

Several projects proposed to use active or programmable networks to implement attack detection systems for detecting distributed denial of service attacks or worm propagation. In order to distinguish legal traffic from the attack traffic bypassing packets need to be inspected deeply which is resource consuming. Such an inspection can be realized either with additional and expensive special hardware or in software. But due to resource limitations inspection of all bypassing packets in software is not feasible if the packet rate is high. Therefore we propose to add packet selection mechanisms to the NodeOS reference architecture for programmable networks. A packet selector reduces the rate of packets which are inspected. In this paper we detail on various packet selectors and evaluate their suitability for an attack detection system. The results of our implementation show significant advantages by using packet sampling methods compared to packet filtering.


International Workshop on Self-Organizing Systems | 2007

Collaborative anomaly-based attack detection

Thomas Gamer; Michael Scharf; Marcus Schöller

Today networks suffer from various challenges like distributed denial of service attacks or worms. Multiple different anomaly-based detection systems try to detect and counter such challenges. Anomaly-based systems, however, often show high false negative rates. One reason for this is that detection systems work as single instances that base their decisions on local knowledge only. In this paper we propose a collaboration of neighboring detection systems that enables receiving systems to search specifically for that attack which might have been missed by using local knowledge only. Once such attack information is received a decision process has to determine if a search for this attack should be started. The design of our system is based on several principles which guide this decision process. Finally, the attack information will be forwarded to the next neighbors increasing the area of collaborating systems.


Simulation | 2011

Simulative evaluation of distributed attack detection in large-scale realistic environments

Thomas Gamer; Christoph P. Mayer

Large-scale attacks such as distributed denial-of-service (DDoS) attacks present to be an increasing threat to the networks and business of service providers in today’s Internet. In order to defend against such attacks, the development and deployment of effective anomaly and attack detection mechanisms are necessary. Testbeds and real networks do, however, not provide feasible means for the large-scale evaluation of such mechanisms. In order to gain a deeper understanding of the effectiveness of distributed attack detection mechanisms, simulations are essential. Simulative evaluation of such mechanisms, however, is a challenging task that has mostly been ignored until now. In this paper, we therefore present a toolchain for the large-scale evaluation of distributed attack detection based on the network simulator OMNeT++. In particular, we focus on: (1) realistic simulation environments in terms of topology, traffic and attack generation; (2) transparent operation of attack detection mechanisms in real and simulated environments; and (3) performance measurements with respect to execution time and memory usage.


Conference on Emerging Network Experiment and Technology | 2008

Distributed detection of large-scale attacks in the internet

Thomas Gamer

Despite the many research activities that are performed in the field of attack prevention, detection, and mitigation, large-scale attacks like Distributed Denial-of-Service (DDoS) attacks still pose unpredictable threats to the Internet infrastructure and Internet-based business today. This paper outlines new mechanisms that facilitate a distributed real-time in-network attack detection. In addition, the foundations for a meaningful evaluation of large-scale detection mechanisms by means of simulations are laid.

Collaboration


Top Co-Authors

Christoph P. Mayer, Karlsruhe Institute of Technology

Marcus Schöller, Karlsruhe Institute of Technology

Martina Zitterbart, Karlsruhe Institute of Technology

Roland Bless, Karlsruhe Institute of Technology

Christian Hübsch, Karlsruhe Institute of Technology

Ingmar Baumgart, Karlsruhe Institute of Technology

Lars Völker, Karlsruhe Institute of Technology

Michael Scharf, Karlsruhe Institute of Technology