texas a&m university page 1 10/10/2014 5:19:49 pm real-time traffic modeling and its application...


Texas A&M UniversityPage 1 04/11/23 01:16 AM

Real-Time Traffic Modeling and its Application in Network Camouflaging

Wei Zhao, Riccardo Bettati, Nitin Vaidya

Department of Computer Science

Texas A&M University

College Station, TX 77843-3112

zhao@cs.tamu.edu

409 845-5098


Outline

1. Project Overview

2. Real-Time Traffic Modeling

3. Design and Implementation of NetCamo

4. Camouflaging Other Network Entities

5. Summary


1. Project Overview

• Objectives

• Characteristics

• Major Results


Project Objectives

• Development of countermeasures for generalized traffic analysis

• Development of countermeasures for denial of service


Characteristics of our Work

• Based on real-time traffic modeling

• Countermeasures for generalized traffic analysis: Camouflaging the network activities while guaranteeing end-to-end delays

• Countermeasures for denial of service: Detecting DoS attacks in real-time

• Our solutions intended for wired and wireless networks

• Our solutions are upward and downward compatible


Major Results

• Developed a prototype of NetCamo/M

A middle-ware solution for dealing with traffic analysis

+ No change to current network architecture

+ Efficient

• Developed a prototype of NetCamo/N

Using independent “mini routers” for camouflaging

+ No disturbance to application hosts

+ To be used by Navy HiPer-D 2000


The Team

Faculty Members: Wei Zhao, Riccardo Bettati, and Nitin Vaidya

Previous Results

• Our bandwidth allocation method has been officially adopted by DoD SAFENET

• Two releases of NetEx tool kit: NetEx/Basic and NetEx/Adaptation

• Two best paper awards

• Two U.S. patents

• Support from DoD and industry: Nortel Networks, Cisco, Myricom, Packet Engine, and XYLAN.


The Collaborators

Government

Navy Surface Warfare Center

HiPer-D Project (Dave Marlow and Mike Masters)

Navy SPAWAR

Distributed real-time combat systems (Russell Johnston)

West Point

Camouflaging technology (Daniel Ragsdale)


Industry

Alcatel (Packet Engines and XYLAN)

High speed routers (Kim Stearns and Dennis Majeski)

Intrusion.Com

Real-time intrusion and camouflaging devices (Joe Head)

3INet

Real-time intrusion and camouflaging devices (Mike Wang)


TAMU Internal

Texas Transportation Institute

ALERT Project (Cedric J. Sims)

Texas Center for Applied Technology

University XXI Project (James Wall)


2. Real-Time Traffic Modeling

Motivations

To gain information on payload traffic in order to predict the behavior of the applications and systems

* Predict the worst-case delay

* Provide profile information of payload

- on-line verification

- on-line masking


Traffic Modeling

1. Peak rate method: pessimistic; over-estimating delay

2. Average rate method: optimistic; under-estimating delay

3. Timing history method: impractical, too much information

4. Our method: the maximum rate function:

$(I) = \max_{t} \dfrac{\#\text{ of bits arrived in interval } (t,\ t+I)}{I}$

(I) can also be randomized to deal with statistical rate bounds
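To make the comparison between the average rate and the maximum rate function concrete, here is an added example (not code from the slides or from NetEx/NetCamo) that computes the maximum rate function over a packet trace. The names `max_bits`, `max_rate`, `average_rate`, `rate_profile` and the trace itself are constructed for illustration; it assumes packets arrive instantaneously and that windows are half-open, [t, t + I).

```python
from bisect import bisect_left

# Constructed trace (not from the slides): (arrival time in microseconds, size in bits).
# Five bursts, 1000 us apart, each of four 1000-bit packets spaced 10 us apart.
TRACE = [(k * 1000 + n * 10, 1000) for k in range(5) for n in range(4)]


def max_bits(trace, interval_us):
    """Largest number of bits arriving in any window [t, t + interval_us)."""
    times = [t for t, _ in trace]          # trace must be sorted by arrival time
    prefix = [0]
    for _, bits in trace:
        prefix.append(prefix[-1] + bits)   # prefix[k] = bits in the first k packets
    best = 0
    # Sliding a window right until it starts on an arrival never drops a packet,
    # so only windows that start at an arrival time need to be checked.
    for i, start in enumerate(times):
        j = bisect_left(times, start + interval_us)
        best = max(best, prefix[j] - prefix[i])
    return best


def max_rate(trace, interval_us):
    """Maximum rate function: max_bits / I. Bits per microsecond equals Mbit/s."""
    return max_bits(trace, interval_us) / interval_us


def average_rate(trace, duration_us):
    """Long-run average rate in Mbit/s over the whole observation period."""
    return sum(bits for _, bits in trace) / duration_us


def rate_profile(trace, intervals_us):
    """Tabulate the maximum rate function at the chosen interval lengths."""
    return {i: max_rate(trace, i) for i in intervals_us}


if __name__ == "__main__":
    for i, rate in rate_profile(TRACE, [10, 40, 100, 1000, 5000]).items():
        print(f"I = {i:>5} us  max rate = {rate:6.1f} Mbit/s")
    print(f"average rate = {average_rate(TRACE, 5000):.1f} Mbit/s")
```

For short intervals the function stays at the burst rate, and for long intervals it falls toward the average rate, which is why a single peak or average figure misjudges delay.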


Traffic Modeling

Features of (I):

* It covers a wide range of applications

* It is mathematically analyzable

* It is enforceable

* It is holographic


(I) is Mathematically Analyzable

(I) (I) = ?

F*(I) = Output between t and t + I

< Input between t - d and t+I

= F(I+d) = (I+d) * (I+d)

(I) = F*(I)/I = (I+d) * (I+d)/I


(I) is Enforceable

(I) = ( + I)/I

Leaky Bucket

[Figure: leaky bucket applied to any traffic; labels: I, size of token bucket, line rate, F*(I)]


(I) is Holographic

(I) can be approximated by any number of points.

Assume that (I1) = then (I) is approximated by

+ min(I1, I - I

Formula can be used recursively if more points are known.


Traffic Modeling

[Figure: experimental setup; labels: Sender (H1), Receiver (H2), M, ATM Switch, Protocol Analyzer, VC. Legend: M: ATM Module; H: Host; VC: Virtual Channel]

An experiment: A workstation (H1) sends 16 Mbit of data per second.


Traffic Modeling

[Figure: plot of (I), values in megabits per second (axis 0 to 160), against time interval I in microseconds (axis 1 to 1,000,000); curves: Peak Rate, Average Rate, Derived by our method, Observed]


Applications of Real-Time Traffic Modeling

* NetEx: Providing Delay-Guaranteed Communications

A Quorum project

Integrated with Honeywell RTARM system

* Countermeasure for Traffic Analysis

* Countermeasure for Denial of Service


Preventing Traffic Analysis by RTTM

Traffic Analysis:

Obtain the mission status by observing network traffic

Our objectives:

» Camouflaging the traffic density

» Camouflaging the connectivity


Countermeasure for Traffic Analysis

Approaches

» Network flooding

» Traffic rerouting


Network Flooding

Flooding the network at the right place and the right time to make it appear to be a constant-rate network

Challenge: How much?

For link j,

i Fi,j( I ) + Sj( I ) = I
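The flooding idea above, sketched as an added example (not NetCamo code): a link sends one fixed-size packet per time slot, carrying queued payload when there is any and a dummy otherwise, and reports the worst payload delay so it can be checked against a delay bound. The function names, the slot model and the sample burst are assumptions made for illustration, including that payload and dummy packets are the same size and indistinguishable on the wire.

```python
from collections import deque

# Constructed payload burst (not from the slides): arrival times in microseconds.
BURST = [0, 10, 20, 30]


def pad_to_constant_rate(arrivals_us, slot_us, horizon_us):
    """Send exactly one fixed-size packet per slot: payload if queued, else dummy.

    arrivals_us: sorted payload arrival times in microseconds.
    Returns (schedule, worst_delay_us); schedule is [(send_time_us, kind), ...].
    """
    queue, schedule, worst, nxt = deque(), [], 0, 0
    for tick in range(0, horizon_us, slot_us):
        # Move every payload packet that has arrived by this tick into the queue.
        while nxt < len(arrivals_us) and arrivals_us[nxt] <= tick:
            queue.append(arrivals_us[nxt])
            nxt += 1
        if queue:
            arrived = queue.popleft()
            worst = max(worst, tick - arrived)   # queueing delay added by padding
            schedule.append((tick, "payload"))
        else:
            schedule.append((tick, "dummy"))     # filler keeps the link rate constant
    return schedule, worst


def wire_view(schedule):
    """What an observer sees if payload and dummy look alike: only send times."""
    return [t for t, _ in schedule]


def meets_deadline(arrivals_us, slot_us, horizon_us, bound_us):
    """True if every payload packet was sent and none waited longer than bound_us."""
    schedule, worst = pad_to_constant_rate(arrivals_us, slot_us, horizon_us)
    sent = sum(1 for _, kind in schedule if kind == "payload")
    return sent == len(arrivals_us) and worst <= bound_us


if __name__ == "__main__":
    schedule, worst = pad_to_constant_rate(BURST, 100, 1000)
    print(schedule)
    print("worst payload delay (us):", worst)
```

The slot length is the trade-off: a shorter slot lowers the payload delay but raises the amount of dummy traffic the link must carry.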



Traffic Rerouting

Indirect delivery of packets

Challenge: Can we still guarantee real-time delay bound?

For connection j,

i di,,j, < Dj


3. Design and Implementation of NetCamo

Objectives

• Camouflage network activities

• Provide QoS-guaranteed communication services

• Be upward and downward compatible with existing operating systems, applications, and network technologies

• Be scalable and evolvable


NetCamo Approaches

• Traffic camouflaging: rerouting and traffic padding based on real-time traffic modeling theory.

• Real-time communication: providing delay guaranteed services to applications while having traffic camouflaged

• NetCamo/M: A middle-ware solution

» No change to current network architecture

» Efficient

• NetCamo/N: Using independent “routers” for camouflaging

» No disturbance to application hosts

» To be used by Navy HiPer-D 2000


NetCamo/M

[Figure: labels: Payload Host (x4), Middle-Ware (x4), Network]


NetCamo/M Workflow

[Figure: labels: Client Applications (x2), NetCamo Host Controller (x2), NetCamo Network Controller, Network; steps numbered 1 to 5]


NetCamo/M Architecture

[Figure: labels: NetCamo Network Controller, NetCamo Traffic Manager, Host Agent (x2), Router Agent (x2), Router (x2), NetCamo Host Controller (x2) with API, Host Manager, Traffic Controller and H323, Client Applications, Host (x2), Network]


NetCamo/M Host Implementation


NetCamo/M Host Traffic Controller


NetCamo/M Testbed


NetCamo/M Results

Station 1 → Station 2: CBR 250 pps (200 Direct + 50 Re-route via Station 4)

Station 1 → Station 4: VBR 40 pps (Direct)

Station 4 → Station 1: VBR 20 pps (Direct)

Station 4 → Station 2: VBR 20 pps (Direct)


NetCamo/N

[Figure: labels: Payload Host (x4), Mini Router (x4), Network]


NetCamo Mini Router


Use of NetCamo/N in HiPer-D 2000

[Figure: labels: Navy SD Base, NSWC, Mini Router (x2)]


NetCamo/N Testbed


NetCamo/N Results

[Figure: labels: Cover Mode, Payload, Dummy]


4. Camouflaging Other Entities

• Camouflaging the topology

So that distributed denial of service attacks can be prevented or avoided

• Camouflaging servers

No one can attack them anymore

• Camouflaging wireless networks

Be power aware.


Topology Camouflaging

Motivation

Reducing the damage of organized and distributed DoS attacks


Topology Camouflaging Approaches

Preventive Camouflaging

• Purposely let a group of routers misunderstand the topology

Reactive Camouflaging

• Dynamically change routing strategy


Topology Camouflaging: Challenges

• Consistency: An altered topology should still make sense

• Efficiency: Minimizing the network management effort to let an altered topology be perceived for a given effectiveness measure

• Effectiveness: Minimizing the potential damage of DoN attacks for a given attack power


Topology Camouflaging: Realization Methods

Preventive Camouflaging (PC)

• Change Internet Control Message Protocol at some routers

Reactive Camouflaging (RC)

• Adaptively and autonomously adjust routing tables at some routers


5. Summary

• Cyber space camouflaging (CSC) is an important strategy to realize tolerant networks

• Traditional encryption is a special case of CSC: i.e., camouflaging the content of payload

• While some concepts can be borrowed from physical camouflaging techniques, many more challenges are ahead.


Camouflaging, Concealment, and Decoy in Cyber Space

Means Packet Conn. Traffic Server Topology Op Mode

Hide

Blend Encryption Flooding

Disguising Anycasting Neutral mode

Disrupting Re-routing RC

Decoy PC Multiple cover modes
