Published by Milton Gerald Lawrence. Modified over 8 years ago.
1
Decoy Router Placement Against a Smart Adversary
Jacopo Cesareo, Michael Schapira, and Jennifer Rexford
Princeton University
2
Decoy Router
Decoy router along the path to decoy destination
… directs traffic to the covert destination
[Figure labels: client, decoy destination, covert destination, decoy router]
3
Decoy Router Placement Problem
Given clients, destinations, and paths
–Clients: {c_i}
–Decoy destinations: {d_j}
–Paths: {P_ij} from client c_i to decoy destination d_j
Select K decoy routers
–Decoy routers: {r_k} from a set of candidates R
To maximize
–# client/decoy pairs that traverse a decoy router, or
–# clients traversing a decoy router for some decoy dest
[Figure labels: clients c_1, c_2, c_3; decoy destinations d_1, d_2; paths P_11, P_32]
4
Initial Placement Algorithm
Heuristic based on “popularity”
–# of (c_i, d_j) pairs traversing the router, or
–# of c_i traversing the router to reach some decoy dest
Greedy algorithm within 2/3 of optimal
–Select the most popular candidate
–Remove all parties it “covers”
–Recompute the popularities
–Repeat until K routers are chosen
Experimental results
–Good coverage with relatively few decoy routers
–E.g., 5-7 ASes to cover most clients c_i
–E.g., 10-15 ASes to cover (c_i, d_j) pairs
[Figure labels: clients c_1, c_2, c_3; decoy destinations d_1, d_2; paths P_11, P_32]
5
A Smart Adversary
Circumventing decoy routers
–By picking alternate routes
–… that avoid decoy routers
[Figure labels: client, decoy destination, covert destination, decoy router, adversary, path with no decoy router]
6
New Placement Problem
Cover a (client c_i, decoy destination d_j)
–By covering all paths available to the adversary
–E.g., the interdomain path through each neighbor AS
Computationally difficult
–NP-hard to find an optimal solution
–(We suspect) hard even to approximate well
Simple greedy heuristic
–If a (c_i, d_j) pair has n paths
–… covering one path brings a value of 1/n
–Rank nodes by total value (over clients, paths, dests)
–… and greedily pick the highest-value nodes
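The greedy heuristic on this slide, as an added Python example that is not code from the presentation or its authors. The topology, the AS names, the `smart` flag, and the choice to recompute values over still-uncovered paths after each pick (mirroring the initial algorithm's "recompute the popularities" step) are assumptions.

```python
from collections import defaultdict
from fractions import Fraction

# Constructed sample: each (client, decoy destination) pair lists every AS path
# the adversary could choose; the first path is assumed to be the default route.
PATHS = {
    ("c1", "d1"): [["A", "X"], ["B", "X"]],
    ("c1", "d2"): [["A", "Y"], ["B", "Y"]],
    ("c2", "d1"): [["C", "X"]],
    ("c2", "d2"): [["C", "Y"], ["C", "Z"]],
}
CANDIDATES = {"A", "B", "X", "Y", "Z"}  # "C" assumed in-country, not a candidate

def greedy_placement(paths, candidates, k):
    """Pick up to k candidate ASes by the 1/n path-value heuristic."""
    remaining = {pair: [set(p) for p in plist] for pair, plist in paths.items()}
    chosen = []
    for _ in range(k):
        value = defaultdict(Fraction)
        for pair, plist in remaining.items():
            n = len(paths[pair])  # n = all paths the pair has, covered or not
            for path in plist:
                for node in path & candidates:
                    value[node] += Fraction(1, n)
        if not value:  # every path already crosses a chosen router
            break
        best = max(sorted(value), key=value.get)  # ties broken by name
        chosen.append(best)
        # Assumption: values are recomputed over still-uncovered paths only.
        for pair in remaining:
            remaining[pair] = [p for p in remaining[pair] if best not in p]
    return chosen

def covered_pairs(paths, routers, smart=True):
    """Pairs whose every path (smart) or default path (naive) hits a router."""
    routers = set(routers)
    covered = set()
    for pair, plist in paths.items():
        visible = plist if smart else plist[:1]
        if all(routers & set(p) for p in visible):
            covered.add(pair)
    return covered

if __name__ == "__main__":
    for k in (2, 3):
        picks = greedy_placement(PATHS, CANDIDATES, k)
        print(k, picks, len(covered_pairs(PATHS, picks, smart=False)),
              len(covered_pairs(PATHS, picks, smart=True)))
```

With two routers the naive adversary is covered on all four pairs, while the smart adversary still reaches d2 from c2 over the path through Z; a third router closes that path.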
7
Experiments
Autonomous System (AS) level model
–RouteViews measurements of interdomain routing
–CAIDA inferences of AS-level relationships
–Simulation of AS-level routing decisions
Example experiment
–Clients: all ASes located in a country (e.g., Australia)
–Decoy destinations: ASes for Amazon and eBay
–Candidate decoy routers: all ASes outside the country
Results
–Naïve vs. smart adversary
–Placing decoy routers on nodes or edges
–Maximizing coverage of (c, d) pairs
8
Australia Results
9
Australia clients
–710 clients
–5415 paths
AS node placement of decoy routers
–Naïve adversary: 8 nodes to cover 90% of clients
–Smart adversary: 9 nodes to cover 90% of clients
AS-AS edge placement of decoy routers
–Naïve adversary: 13 edges to cover 90% of clients
–Smart adversary: 15 edges to cover 90% of clients
Important ASes
–Verizon, Sprint, EdgeCast, …
10
China Results
11
China Results
China clients
–207 clients
–1863 paths
AS node placement of decoy routers
–Naïve adversary: 10 nodes to cover 90% of clients
–Smart adversary: 11 nodes to cover 90% of clients
AS-AS edge placement of decoy routers
–Naïve adversary: 15 edges to cover 90% of clients
–Smart adversary: 17 edges to cover 90% of clients
Important ASes
–Sprint, Telecom Italia, NTT, Level3, …
12
Conclusions
Smart adversary
–Selects paths that avoid the decoy router
–Forces “good guys” to deploy more decoy routers
Placement algorithm
–Heuristic for covering alternate paths
–… in the presence of a smart adversary
Experimental results
–Requires a few extra decoy routers
–… to defend against a smart adversary
Future work
–Wider range of client and decoy destination scenarios