With the proliferation of high-speed networks (with Gigabit or tens-of-Gigabit links) and the exponential growth of Internet traffic, it has become extremely challenging to monitor such networks efficiently. In particular, attackers can take advantage of high-speed networks to propagate viruses and worms and take over the Internet in a matter of seconds. Thus it is crucial to monitor the traffic and detect the onset of Internet-scale attacks early, on the routers, with good scalability, accuracy and robustness. Toward this goal, we proposed a new paradigm called High-speed Router-based Anomaly/Intrusion Detection and Mitigation systems (HRAIDM), which has three major components as elaborated in this subsection.
“When something breaks in the Internet, the Internet's very decentralized structure makes it hard to figure out what went wrong and even harder to assign responsibility.”
— “Looking Over the Fence at Networks: A Neighbor's View of Networking Research”, by Committees on Research Horizons in Networking, National Research Council, 2001.
To monitor and diagnose a network, the straightforward troubleshooting approach is to install monitors on every entity in the distributed system. However, such a simple and ideal approach is not feasible in many cases; for example, Internet routers are not accessible to end users. Hence, diagnosing the internals of the network via external measurements has become an interesting and important topic for the community. We have explored this monitoring and diagnosis problem from different angles in various applications.
DoS is one of the largest threats to the current Internet. While DoS attacks are growing in scale, they are also becoming more and more stealthy. We have studied many vulnerabilities in distributed systems and networks, especially with respect to stealthy DoS attacks. For example, proxy caching servers are widely deployed in today's Internet and are crucial for the operation of many distributed systems, such as DNS. We investigated a class of pollution attacks that can dramatically degrade a proxy's caching capabilities, either by ruining the cache's file locality or by inducing false file locality. We also developed efficient methods to detect both false-locality and locality-disruption attacks, as well as a combination of the two. Recently, we discovered a new class of error-message-based attacks which can effectively launch denial of service (DoS) attacks and stop clients from authenticating with various wireless and cellular networks, even when strong authentication protocols such as the Extensible Authentication Protocol (EAP) or many of its variants are used.
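The two pollution classes described above can be made concrete with a small detector. The following is an added example, not code from the original work: it replays constructed proxy request logs through a toy LRU cache and raises a locality-disruption alarm when the hit ratio collapses under a flood of one-off objects, and a false-locality alarm for objects whose request count is high but whose requester population is tiny. The cache model, the synthetic streams and every threshold (`min_hit_ratio`, `one_off_limit`, `hot_threshold`, `min_client_share`) are assumptions of the example, chosen only to make the two signals visible.

```python
from collections import OrderedDict, defaultdict


class LRUCache:
    """Minimal LRU proxy cache that counts hits and misses (toy model, not a real proxy)."""

    def __init__(self, capacity: int):
        self.capacity = capacity
        self.store = OrderedDict()
        self.hits = 0
        self.misses = 0

    def request(self, obj: str) -> bool:
        """Serve one request; return True on a cache hit."""
        if obj in self.store:
            self.store.move_to_end(obj)
            self.hits += 1
            return True
        self.misses += 1
        self.store[obj] = True
        if len(self.store) > self.capacity:
            self.store.popitem(last=False)  # evict the least recently used object
        return False

    def hit_ratio(self) -> float:
        total = self.hits + self.misses
        return self.hits / total if total else 0.0


def analyze_window(requests, capacity=32, min_hit_ratio=0.5, one_off_limit=0.5,
                   hot_threshold=10, min_client_share=0.1):
    """Replay a window of (client, object) requests and compute two alarm signals.

    locality_disruption: the hit ratio collapses while most requested objects are
    one-offs, i.e. a flood of distinct, never-repeated objects evicts the working set.
    false_locality_objects: objects that look hot by request count but are requested
    by only a tiny share of clients, i.e. popularity manufactured by a few sources.
    All thresholds are illustrative assumptions, not values from the original work.
    """
    cache = LRUCache(capacity)
    count = defaultdict(int)
    requesters = defaultdict(set)
    for client, obj in requests:
        cache.request(obj)
        count[obj] += 1
        requesters[obj].add(client)
    n_clients = len({c for c, _ in requests})
    hit_ratio = cache.hit_ratio()
    one_off_share = sum(1 for n in count.values() if n == 1) / len(count)
    suspicious = sorted(
        obj for obj, n in count.items()
        if n >= hot_threshold and len(requesters[obj]) / n_clients < min_client_share
    )
    return {
        "hit_ratio": round(hit_ratio, 3),
        "one_off_share": round(one_off_share, 3),
        "locality_disruption": hit_ratio < min_hit_ratio and one_off_share > one_off_limit,
        "false_locality_objects": suspicious,
    }


# ---- constructed request streams (synthetic, for illustration only) ----

def benign_stream(n_clients=50, n_hot=20, rounds=5):
    """Fifty clients cycling through a hot set of twenty objects."""
    return [(f"c{c}", f"hot{(c + r) % n_hot}")
            for r in range(rounds) for c in range(n_clients)]


def interleave(benign, extra, every):
    """Insert one request from `extra` after every `every` benign requests."""
    out, it = [], iter(extra)
    for i, req in enumerate(benign, 1):
        out.append(req)
        if i % every == 0:
            nxt = next(it, None)
            if nxt is not None:
                out.append(nxt)
    return out


def locality_disruption_stream():
    """One source fetching 250 distinct, never-reused objects, one per benign request."""
    return interleave(benign_stream(), [("x", f"junk{i}") for i in range(250)], every=1)


def false_locality_stream():
    """Two sources repeatedly fetching two otherwise unpopular objects."""
    return interleave(benign_stream(), [("x0", "rare1"), ("x1", "rare2")] * 30, every=4)


if __name__ == "__main__":
    for name, stream in [("benign", benign_stream()),
                         ("locality disruption", locality_disruption_stream()),
                         ("false locality", false_locality_stream())]:
        print(name, analyze_window(stream))
```

On the benign stream the hit ratio stays above 0.9 and nothing is flagged; the one-off flood drives the hit ratio below 0.1 while over 90% of requested objects are singletons, and the manufactured-popularity stream keeps the hit ratio high but exposes `rare1` and `rare2` as hot objects requested by under 2% of clients. A real deployment would compute the same two statistics over sliding windows of the proxy's access log rather than a replayed list.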
Routing in ad hoc and sensor networks remains a challenging problem given the limited wireless bandwidth, user mobility and potentially large scale. Recently, there has been a thrust of research to address these problems, including on-demand routing, geographic routing, virtual-coordinate-based routing, etc. While geographic routing is superior to on-demand routing in that it avoids costly flooding, it suffers from the dead-end problem in sparse networks. The first virtual-coordinate-based routing scheme, NoGeo, showed that virtual coordinates can do the same good job as geographic routing. We proposed a new Hop ID based routing protocol, which mitigates the dead-end problem significantly while achieving good routing efficiency. We further proposed a Hierarchical Voronoi Graph based Routing algorithm (HVGR), which completely removes dead-ends and guarantees routing success. More importantly, HVGR is extended to serve as the routing primitive supporting data-centric storage applications in sensor networks.
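The dead-end problem that motivates Hop ID routing and HVGR is easy to reproduce. The following is an added example, not code from the original work and not an implementation of either protocol: it runs plain greedy geographic forwarding over a hand-made sparse topology (the node coordinates and radio range are constructed) and shows that the packet gets stuck at a node that is closer to the destination than any of its neighbours, even though a breadth-first search proves a route exists. It also shows that the failure is direction-dependent: the same topology delivers in the reverse direction.

```python
import math
from collections import deque


def build_radio_graph(nodes, radius):
    """Unit-disk connectivity: two nodes are neighbours if within radio range."""
    adj = {n: [] for n in nodes}
    names = list(nodes)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if math.dist(nodes[a], nodes[b]) <= radius:
                adj[a].append(b)
                adj[b].append(a)
    return adj


def greedy_forward(nodes, adj, src, dst):
    """Greedy geographic forwarding: hand the packet to the neighbour geographically
    closest to the destination. Returns (path, delivered); delivered is False when the
    current node has no neighbour closer to dst than itself (a dead end / local minimum)."""
    path, cur = [src], src
    while cur != dst:
        best = min(adj[cur], key=lambda n: math.dist(nodes[n], nodes[dst]), default=None)
        if best is None or math.dist(nodes[best], nodes[dst]) >= math.dist(nodes[cur], nodes[dst]):
            return path, False
        path.append(best)
        cur = best
    return path, True


def bfs_path(adj, src, dst):
    """Shortest hop path, to show a route exists even when greedy forwarding gets stuck."""
    parent = {src: None}
    queue = deque([src])
    while queue:
        cur = queue.popleft()
        if cur == dst:
            break
        for n in adj[cur]:
            if n not in parent:
                parent[n] = cur
                queue.append(n)
    if dst not in parent:
        return None
    path = []
    while dst is not None:
        path.append(dst)
        dst = parent[dst]
    return path[::-1]


# Constructed sparse topology (made-up coordinates): A is the node closest to D
# along the straight line, but the only way around the void is S-B-C-E-D.
NODES = {"S": (0, 0), "A": (3, 0), "B": (1.5, 3), "C": (4.5, 4), "E": (7.5, 2.5), "D": (10, 0)}
RADIUS = 3.6
ADJ = build_radio_graph(NODES, RADIUS)

if __name__ == "__main__":
    print(greedy_forward(NODES, ADJ, "S", "D"))  # stuck at A: no neighbour closer to D
    print(bfs_path(ADJ, "S", "D"))               # yet S-B-C-E-D exists
    print(greedy_forward(NODES, ADJ, "D", "S"))  # reverse direction is delivered
```

Forwarding from S to D stops at A with the packet undelivered, while the five-hop route via B, C and E exists; from D to S greedy forwarding succeeds. Recovery schemes of the kind the paragraph mentions differ in what they do at A, but any of them has to detect exactly this condition: a node with no neighbour that improves on its own distance to the destination.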