Network security is a critical aspect of a communication network architecture. We have conducted research in the areas of high-speed network security and wireless network security.
Broadband networks are vulnerable to malicious attacks. In recent years, Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS) attacks on well-known web sites has exposed the inherent vulnerabilities of the Internet. Our research involves the development of models, protocols, and algorithms to mitigate the effects of DoS and DDoS attacks in high-speed networks. In order to be effective, DDoS mitigation schemes must be executed at relatively high speeds, upstream from the victim. We are involved in a DARPA-sponsored project called NetBouncer, in collaboration with NAI Labs, to develop a fast DDoS filtering device. A key feature of NetBouncer is its ability to distinguish legitimate from illegimate traffic and to perform appropriate rate limiting at high traffic rates [Thom03a, Thom03b]. A prototype of the device is being developed at NAI Labs based on network processor technology. In related work, a recent M.S. thesis [Moh02] developed a novel policing mechanism for TCP to avoid DDoS attacks and a prototype of the device was implemented using FPGA technology.
[Thom04b] R.K. Thomas, B.L. Mark, T. Johnson, and J. Croall, "NetBouncer: Client-legitimacy-based High-performance DDoS Filtering," McAfee Research Advanced Security Research Journal, vol. 6, no. 1, pp. 27-40, Spring 2004.
[Thom04a] R.K. Thomas, B.L. Mark, T. Johnson, and J. Croall, "High-speed Legitimacy-based DDoS Packet Filtering with Network Processors: A Case Study and Implementation on the Intel IXP 1200," in Network Processor Design: Issues and Practices, Volume 2, Eds. P. Crowley et al., chapter 12, pp. 243-272, Morgan Kaufmann Publishers, San Francisco, 2004.
[Thom03b] R.K. Thomas, B.L. Mark, T. Johnson, and J. Croall, "NetBouncer: Client-legitimacy-based High-performance DDoS Filtering," in Proc. DISCEX'2003, Washington DC, April 2003.
[Thom03a] R.K. Thomas, B.L. Mark, T. Johnson, and J. Croall, "High-performance DDoS Packet Filtering Using Network Processors: Architecture and Performance on the IXP 1200," in Proc. Workshop on Network Processors - NP2, Annaheim, California, Feb. 2003.
[Moh02] A.A. Mohammed, "High Speed Network Security: Defense of DDoS Attacks," M.S. thesis, Dept. of Electrical and Computer Engineering, George Mason University, Dec. 2002.
Wireless networks are inherently more vulnerable to security attacks that wired networks, due to the broadcast nature of the wireless medium and the mobility of the users. In ad hoc wireless networks, the dynamically changing nature of the network topology introduces further security vulnerabilities. Our research focuses on the problem of providing both security and quality-of-service in ad hoc networks, taking the viewpoint that security can be viewed as a quality-of-service metric. This research is being conducted in the context of the SEQUOIA (SEcurity and QUality-Of-service In Ad hoc networks) project.
[Hej06b] M. Hejmo, B. L. Mark, and C. Zouridaki, "Denial-of-Service Resistant Bandwidth Allocation for MANETs," in Proc. Int. Conference on Computer Communications (ICCCN), Arlington, VA, Oct. 2006 (to appear).
[Hej06] M. Hejmo, B.L. Mark, C. Zouridaki, and R.K. Thomas, "Design and Analysis of a Denial-of-Service Resistant Quality-of-Service Signaling Protocol for MANETs," IEEE Trans. on Vehicular Technology, vol. 55, no. 3, pp. 743-751, May 2006.
[Hej06a] M. Hejmo, B.L. Mark, C. Zouridaki, and R.K. Thomas, "On the Fairness of Flow Aggregation for Denial-of-Service Resistant QoS in MANETs," in Proc. IEEE/ACM Workshop on Quality-of-Service in Heterogeneous Wireless/Wired Networks (QShine), Waterloo, Canada, August 2006 (to appear).
[Zou05b] C. Zouridaki, B.L. Mark, M. Hejmo, and R.K. Thomas, "A Quantitative Trust Establishment Framework for MANETs," Proc. ACM Workshop on Sensor and Ad-hoc Systems and Networks (SASN), Alexandria, VA, November 2005.
[Hej05] M. Hejmo, B.L. Mark, C. Zouridaki, and R.K. Thomas, "A Denial-of-Service Resistant Quality-of-Service Signaling Protocol for Mobile Ad Hoc Networks," Proc. IEEE/ACM Workshop on Quality-of-Service in Heterogeneous Wireless/Wired Networks (QShine), Orlando, FL, August 2005.
[Zou05a] C. Zouridaki, M. Hejmo, B.L. Mark, R.K. Thomas, and K. Gaj, "Analysis of Attacks and Defense Mechanisms for QoS Signaling Protocols in MANETs," Proc. Wireless Information Systems (WIS) Workshop, Miami, FL, May 2005.
[Hej04] M. Hejmo, B.L. Mark, C. Zouridaki, and R.K. Thomas, "Denial-of-Service Resistant Quality-of-Service Signaling for Mobile Ad Hoc Networks," Proc. ACM Workshop on Sensor and Ad hoc Networks (SASN), Washington DC, pp. 23-28, October 2004.
[Zou04] C. Zouridaki, B.L. Mark, K. Gaj, and R.K. Thomas, "Distributed CA-based PKI for Mobile Ad hoc Networks using Elliptic Curve Cryptography," in Lecture Notes in Computer Science (LCNS), vol. 3093, Springer-Verlag, Proc. 1st European PKI Workshop: Research and Applications, pp. 232-245, Samos Island, Greece, June 2004.