Decoy Router Placement Against a Smart Adversary Jacopo Cesareo, Michael Schapira, and Jennifer Rexford Princeton University.


Decoy Router
Decoy router along the path to decoy destination
… directs traffic to the covert destination
[Figure: client, decoy router, decoy destination, covert destination]

Decoy Router Placement Problem
Given clients, destinations, and paths
  – Clients: {c_i}
  – Decoy destinations: {d_j}
  – Paths: {P_ij} from client c_i to decoy destination d_j
Select K decoy routers
  – Decoy routers: {r_k} from a set of candidates R
To maximize
  – # client/decoy pairs that traverse a decoy router, or
  – # clients traversing a decoy router for some decoy dest
[Figure: clients c_1, c_2, c_3; decoy destinations d_1, d_2; paths P_11, P_32]

Initial Placement Algorithm
Heuristic based on “popularity”
  – # of (c_i, d_j) pairs traversing the router, or
  – # of c_i traversing the router to reach some decoy dest
Greedy algorithm within 2/3 of optimal
  – Select the most popular candidate
  – Remove all parties it “covers”
  – Recompute the popularities
  – Repeat until K routers are chosen
Experimental results
  – Good coverage with relatively few decoy routers
  – E.g., 5-7 ASes to cover most clients c_i
  – E.g., ASes to cover (c_i, d_j) pairs
[Figure: clients c_1, c_2, c_3; decoy destinations d_1, d_2; paths P_11, P_32]

A Smart Adversary
Circumventing decoy routers
  – By picking alternate routes
  – … that avoid decoy routers
[Figure: client, adversary, decoy router, decoy destination, covert destination; path with no decoy router]

New Placement Problem
Cover a (client c_i, decoy destination d_j)
  – By covering all paths available to the adversary
  – E.g., the interdomain path through each neighbor AS
Computationally difficult
  – NP-hard to find an optimal solution
  – (We suspect) hard even to approximate well
Simple greedy heuristic
  – If a (c_i, d_j) pair has n paths
  – … covering one path brings a value of 1/n
  – Rank nodes by total value (over clients, paths, dests)
  – … and greedily pick the highest-value nodes
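
The two placement heuristics from the slides above, side by side, as an added example that is not the authors' code. The topology, the AS names and the alphabetical tie-breaking are constructed for illustration, and recomputing the 1/n values after each pick is an assumption the slides do not state.

```python
# Constructed toy topology (not from the slides). Each (client, decoy destination)
# pair lists the candidate ASes on every path the adversary can choose;
# the first path in each list is the default route.
PATHS = {
    ("c1", "d1"): [["A", "S"], ["B", "S"]],
    ("c2", "d1"): [["A", "S"], ["B", "S"]],
    ("c3", "d1"): [["A"], ["B", "S"]],
    ("c4", "d2"): [["C"]],
}
CANDIDATES = ["A", "B", "C", "S"]


def covered_pairs(paths, routers, smart):
    """Pairs the placement covers. A naive adversary stays on the default path;
    a smart one escapes unless every available path crosses a decoy router."""
    chosen = set(routers)
    return {pair for pair, options in paths.items()
            if all(chosen & set(p) for p in (options if smart else options[:1]))}


def greedy_naive(paths, candidates, k):
    """Popularity greedy: pick the router on the most uncovered default paths,
    remove the pairs it covers, recompute, repeat until k routers are chosen."""
    placed = []
    for _ in range(k):
        done = covered_pairs(paths, placed, smart=False)
        left = [opts[0] for pair, opts in paths.items() if pair not in done]
        rest = [r for r in sorted(candidates) if r not in placed]
        placed.append(max(rest, key=lambda r: sum(r in p for p in left)))
    return placed


def greedy_smart(paths, candidates, k):
    """Smart-adversary heuristic: a path of a pair with n paths is worth 1/n.
    Assumption: values are recomputed over still-uncovered paths after each pick."""
    placed = []
    for _ in range(k):
        def value(r):
            return sum(1 / len(opts) for opts in paths.values() for p in opts
                       if r in p and not set(placed) & set(p))
        rest = [r for r in sorted(candidates) if r not in placed]
        placed.append(max(rest, key=value))
    return placed


if __name__ == "__main__":
    for name, algo in (("naive", greedy_naive), ("smart", greedy_smart)):
        placed = algo(PATHS, CANDIDATES, 2)
        hit = len(covered_pairs(PATHS, placed, smart=True))
        print(name, placed, hit, "of", len(PATHS), "pairs covered vs. smart adversary")
```

With K = 2 the popularity placement covers every default path but only one pair once the adversary reroutes, while the 1/n placement covers three; a third router closes the gap.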

Experiments
Autonomous System (AS) level model
  – RouteViews measurements of interdomain routing
  – CAIDA inferences of AS-level relationships
  – Simulation of AS-level routing decisions
Example experiment
  – Clients: all ASes located in a country (e.g., Australia)
  – Decoy destinations: ASes for Amazon and eBay
  – Candidate decoy routers: all ASes outside the country
Results
  – Naïve vs. smart adversary
  – Placing decoy routers on nodes or edges
  – Maximizing coverage of (c, d) pairs

Australia Results
Australia clients
  – 710 clients
  – 5415 paths
AS node placement of decoy routers
  – Naïve adversary: 8 nodes to cover 90% of clients
  – Smart adversary: 9 nodes to cover 90% of clients
AS-AS edge placement of decoy routers
  – Naïve adversary: 13 edges to cover 90% of clients
  – Smart adversary: 15 edges to cover 90% of clients
Important ASes
  – Verizon, Sprint, EdgeCast, …

China Results
China clients
  – 207 clients
  – 1863 paths
AS node placement of decoy routers
  – Naïve adversary: 10 nodes to cover 90% of clients
  – Smart adversary: 11 nodes to cover 90% of clients
AS-AS edge placement of decoy routers
  – Naïve adversary: 15 edges to cover 90% of clients
  – Smart adversary: 17 edges to cover 90% of clients
Important ASes
  – Sprint, Telecom Italia, NTT, Level3, …

Conclusions
Smart adversary
  – Selects paths that avoid the decoy router
  – Forces “good guys” to deploy more decoy routers
Placement algorithm
  – Heuristic for covering alternate paths
  – … in the presence of a smart adversary
Experimental results
  – Requires a few extra decoy routers
  – … to defend against a smart adversary
Future work
  – Wider range of client and decoy destination scenarios