Secure overlay network design.

*(English)*Zbl 1184.68040Summary: Due to the increasing security threats on the Internet, new overlay network architectures have been proposed to secure privileged services. In these architectures, the application servers are protected by a defense perimeter where only traffic from entities called servlets are allowed to pass. End users must be authorized and can only communicate with entities called access points (APs). APs relay authorized users’ requests to servlets, which in turn pass them to the servers. The identity of APs are publicly known while the servlets are typically secret. All communications are done through the public Internet. Thus all the entities involved form an overlay network. The main component of this distributed system consists of \(n\) APs and \(m\) servlets. A design for a network is a bipartite graph with APs on one side, and the servlets on the other side. If an AP is compromised by an attacker (or fails), all the servlets that are connected to it are subject to attack. An AP is \(blocked\), if all servlets connected to it are subject to attack.

We consider two models for the failures: In the stochastic model, we assume that each AP \(i\) fails with a given probability \(p_i\). In the adversarial model, we assume that there is an adversary that knows the topology of the network and chooses at most \(k\) APs to compromise. In both models, our objective is to design the connections between APs and servlets to minimize the (expected/worst-case) number of blocked APs. In this paper, we give a polynomial-time algorithm for this problem in the stochastic model when the number of servlets is a constant. We also show that if the probability of failure of each AP is at least 1/2, then in the optimal design each AP is connected to only one servlet (we call such designs \(star-shaped\)), and give a polynomial-time algorithm to find the best star-shaped design. We observe that this statement is not true if the failure probabilities are small. In the adversarial model, we show that the problem is related to a problem in combinatorial set theory, and use this connection to give bounds on the maximum number of APs that a perfectly failure-resistant design with a given number of servlets can support. Our results provide the first rigorous theoretical foundation for practical secure overlay network design.

We consider two models for the failures: In the stochastic model, we assume that each AP \(i\) fails with a given probability \(p_i\). In the adversarial model, we assume that there is an adversary that knows the topology of the network and chooses at most \(k\) APs to compromise. In both models, our objective is to design the connections between APs and servlets to minimize the (expected/worst-case) number of blocked APs. In this paper, we give a polynomial-time algorithm for this problem in the stochastic model when the number of servlets is a constant. We also show that if the probability of failure of each AP is at least 1/2, then in the optimal design each AP is connected to only one servlet (we call such designs \(star-shaped\)), and give a polynomial-time algorithm to find the best star-shaped design. We observe that this statement is not true if the failure probabilities are small. In the adversarial model, we show that the problem is related to a problem in combinatorial set theory, and use this connection to give bounds on the maximum number of APs that a perfectly failure-resistant design with a given number of servlets can support. Our results provide the first rigorous theoretical foundation for practical secure overlay network design.

##### MSC:

68M10 | Network design and communication in computer systems |

68R05 | Combinatorics in computer science |

Full Text:
DOI

##### References:

[1] | Adler, M.: Tradeoffs in probabilistic packet marking for IP traceback. In: Proc. ACM Symposium on Theory of Computing (STOC), May, pp. 407–418 (2002) · Zbl 1192.68016 |

[2] | Bu, T., Norden, S., Woo, T.: Trading resiliency for security: Model and algorithms. In: Proc. IEEE International Conference on Network Protocols (ICNP), pp. 218–227 (2004) |

[3] | Burch, H., Cheswick, B.: Tracing anonymous packets to their approximate source. In: Proc. USENIX LISA, December, pp. 319–327 (2000) |

[4] | Dean, D., Franklin, M., Stubblefield, A.: An algebraic approach to IP traceback. In: Proc. Network and Distributed System Security Symposium (NDSS), February, pp. 3–12 (2001) |

[5] | Doeppner, T., Klein, P., Koyfman, A.: Using router stamping to identify the source of IP packets. In: Proc. ACM Conference on Computer and Communications Security (CCS), November, pp. 184–189 (2000) |

[6] | Ferguson, P.: Network ingress filtering: Defeating denial of service attacks which employ IP source address spoofing. RFC 2267, January (1998) |

[7] | Garber, L.: Denial-of-service attacks rip the Internet. IEEE Comput. 33(4), 12–17 (2000) |

[8] | Goodrich, M.T.: Efficient packet marking for large-scale IP traceback. In: Proc. ACM Conference on Computer and Communications Security (CCS), November, pp. 117–126 (2002) |

[9] | Keromytis, A.D., Misra, V., Rubenstein, D.: SOS: Secure overlay services. In: Proc. ACM SIGCOMM, August, pp. 61–72 (2002) |

[10] | Kleitman, D., Spencer, J.: Families of k-independent sets. Discrete Math. 6, 255–262 (1973) · Zbl 0269.05002 |

[11] | Li, J., Sung, M., Xu, J., Li, L.E.: Large-scale IP traceback in high-speed Internet: Practical techniques and theoretical foundation. In: Proc. IEEE Symposium on Security and Privacy, pp. 115–129 (2004) |

[12] | Li, L., Mahdian, M., Mirrokni, V.: Secure overlay network design. In: Proceedings of the 2nd International Conference on Algorithmic Aspects in Information and Management (AAIM). Lecture Notes in Computer Science, vol. 4041, pp. 354–366. Springer, Berlin (2006) · Zbl 1137.68319 |

[13] | Mahajan, R., Bellovin, S., Floyd, S., Ioannidis, J., Paxson, V., Shenker, S.: Controlling high bandwidth aggregates in the network. ACM Comput. Commun. Rev. 32(3), 62–73 (2002) · Zbl 05395344 |

[14] | McGuire, D., Krebs, B.: Attack on Internet called largest ever. http://www.washingtonpost.com/wp-dyn/articles/A828-2002Oct22.html , October (2002) |

[15] | Mirkovic, J., Prier, G., Reiher, P.: Attacking DDoS at the source. In: Proc. IEEE International Conference on Network Protocols (ICNP), November, pp. 312–321 (2002) |

[16] | Papadopoulos, C., Lindell, R., Mehringer, J., Hussain, A., Govidan, R.: COSSACK: coordinated suppression of simultaneous attacks. In: DISCEX III, April, pp. 22–24 (2003) |

[17] | Park, K., Lee, H.: On the effectiveness of route-based packet filtering for distributed DoS attack prevention in power-law Internets. In: Proc. ACM SIGCOMM, August, pp. 15–26 (2001) |

[18] | Provan, J.S., Ball, M.O.: The complexity of counting cuts and of computing the probability that a graph is connected. SIAM J. Comput. 12(4), 777–788 (1983) · Zbl 0524.68041 |

[19] | Ruszinkó, M.: On the upper bound of the size of the r-cover-free families. J. Comb. Theory Ser. A 66, 302–310 (1994) · Zbl 0798.05071 |

[20] | Savage, S., Wetherall, D., Karlin, A., Anderson, T.: Practical network support for IP traceback. In: Proc. ACM SIGCOMM, August, pp. 295–306 (2000) |

[21] | Snoeren, A., Partridge, C., et al.: Hash-based IP traceback. In: Proc. ACM SIGCOMM, August, pp. 3–14 (2001) |

[22] | Song, D., Perrig, A.: Advanced and authenticated marking schemes for IP traceback. In: Proc. IEEE INFOCOM, April, pp. 878–886 (2001) |

[23] | van Lint, J.H., Wilson, R.M.: A Course in Combinatorics. Cambridge University Press, Cambridge (2001) · Zbl 0980.05001 |

[24] | Vijayan, J.: Akamai attack reveals increased sophistication: Host’s DNS servers were DDoS targets, slowing large sites. http://www.computerworld.com/securitytopics/security/story/0,10801,93977p2,00.html , June (2004) |

This reference list is based on information provided by the publisher or from digital mathematics libraries. Its items are heuristically matched to zbMATH identifiers and may contain data conversion errors. It attempts to reflect the references listed in the original paper as accurately as possible without claiming the completeness or perfect precision of the matching.