Secure Virtually Isolated Networks to Avoid and Tolerate Denial of Service

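Basic Information

  • Award number:
    0087609
  • Principal investigator:
  • Amount:
    $300,000
  • Host institution:
  • Host institution country:
    United States
  • Project category:
    Standard Grant
  • Fiscal year:
    2001
  • Funding country:
    United States
  • Period:
    2001-10-01 to 2005-09-30
  • Project status:
    Completed

Project Abstract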

The widespread need and ability to connect machines across the Internet, in a world where intelligent objects rather than documents are exchanged, has caused the network to be more vulnerable to intrusions and has facilitated break-ins of a variety of types. Most of the methods currently available to deal with network vulnerability to abuse and attacks are either inadequate, inefficient or overly restrictive. Compounding the problem is the need to maintain an acceptable level of quality of service (QoS). The proposed research project considers a heterogeneous network environment where servers, which provide different levels of QoS support to clients through a contract protocol, are prone to faults and denial of service attacks. The research project assumes the existence of intrusion detection mechanisms, and aims at investigating new and potentially revolutionary approaches for the development of scalable and efficient service deployment strategies and network resource management schemes to maintain acceptable levels of QoS and security, despite faults. Two types of faults, namely, benign malfunctions and malicious intrusions, will be considered. The former can be caused by a faulty, yet legitimate client that accidentally loses control over its behavior, while the latter occurs with the intent to cause damage, such as Denial of Service (DoS). Both types of faults can severely affect the performance of the network and compromise the integrity and security of its services. These faults can manifest themselves in the form of a protocol breach or a contract violation. The former is exemplified by authorized clients (impersonation may take place) who attempt to deliberately breach the contract protocol and impact the behavior of the server to eventually cause its failure. Contract violation occurs when a client attempts to acquire a level of service beyond what has been agreed upon in the service contract.
In order to protect the servers and the network, we propose two new techniques: fault avoidance, based on the concept of replicated elusive servers, and fault tolerance, based on resource management schemes through the creation of a Virtually Isolated Network (VIN). The concept of replicated elusive servers espouses ideas such as roaming addresses and frequent frequency changes in wireless networks. Replication is coordinated through group communication supported by an underlying multicast mechanism. VINs, on the other hand, provide the basis to achieve both physical and logical separation (in space and time) of the resources reserved for each service, client, or class of clients. Efficient management of network resources is achieved based on an integrative approach which considers network performance, fault tolerance and security as integral components of a multi-dimensional QoS space. QoS support can then be perceived as a multi-layered optimization process which considers security, fault-tolerance, resource allocation, communication protocol optimization and user level application management as inhabitants of the same QoS spectrum and seeks to exploit tradeoffs in order to reach an optimal operating point. The techniques developed will be designed to handle multiple coordinated intrusions, clustered in both space and time. A coordinated/clustered fault model will be developed and a study of its effect on the developed techniques and algorithms will be conducted. The proposed research will build on a foundation of prior work developed by the PIs, who have a strong track record of success in a wide range of research topics related to fault-tolerance, operating system development and resource management for QoS support in wired and wireless networks.
It is anticipated that through algorithm development and analysis, simulation and testbed implementations, the results of this project will lead to a better understanding of how to provide efficient support to QoS performance, fault-tolerance and security in an integrated manner, both in wired and wireless environments. An equally important contribution of this project will be the training of high quality students in a field where expertise is scarce.

Project Outcomes

Journal articles (0)
Monographs (0)
Research awards (0)
Conference papers (0)
Patents (0)

Other publications by Daniel Mosse

Enabling technologies for running IoT applications on the cloud
  • DOI:
    10.1007/s12243-022-00918-7
  • Publication date:
    2022-07-09
  • Journal:
  • Impact factor:
    2.200
  • Authors:
    Diogo Menezes Ferrazani Mattos;Dianne Scherly Varela de Medeiros;Daniel Mosse
  • Corresponding author:
    Daniel Mosse

Other grants by Daniel Mosse

CSR-PDOS: Hardening Distributed Data Stores for Disaster Recovery
  • Award number:
    0720578
  • Fiscal year:
    2007
  • Funding amount:
    $300,000
  • Project category:
    Continuing Grant
Travel Support Grant for Graduate Students/Junior Faculty to Attend IEEE 7th Real-Time Systems Symposium in Brazil
  • Award number:
    0640162
  • Fiscal year:
    2006
  • Funding amount:
    $300,000
  • Project category:
    Standard Grant
Collaborative Research: CT-ISG: Fault-Tolerant and Secure Infrastructure for Time Critical Embedded Systems
  • Award number:
    0524634
  • Fiscal year:
    2005
  • Funding amount:
    $300,000
  • Project category:
    Standard Grant
SGER: Exploratory Research on Sensor Based Infrastructure for Early Tsunami Detection
  • Award number:
    0549119
  • Fiscal year:
    2005
  • Funding amount:
    $300,000
  • Project category:
    Standard Grant
ITR: Secure CITI: A Secure Critical Information Technology Infrastructure for Disaster Management
  • Award number:
    0325353
  • Fiscal year:
    2003
  • Funding amount:
    $300,000
  • Project category:
    Continuing Grant
Power-Autonomous Wireless Networks: Controlling CPU and Transmission Power with Rechargeable Capabilities
  • Award number:
    0125704
  • Fiscal year:
    2002
  • Funding amount:
    $300,000
  • Project category:
    Standard Grant
A Real-Time Operating Systems Course
  • Award number:
    9652953
  • Fiscal year:
    1997
  • Funding amount:
    $300,000
  • Project category:
    Standard Grant
Research Initiation Award: An Integrated Framework for Fault-Tolerant Applications in Real-Time and Non-Real-Time Systems
  • Award number:
    9308886
  • Fiscal year:
    1993
  • Funding amount:
    $300,000
  • Project category:
    Standard Grant

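Similar NSFC grants

Gorenstein projective modules and virtually Gorenstein algebras
  • Award number:
    11801141
  • Approval year:
    2018
  • Funding amount:
    CNY 220,000
  • Project category:
    Young Scientists Fund project
Determination of Haken manifolds and the virtually Haken conjecture
  • Award number:
    11101103
  • Approval year:
    2011
  • Funding amount:
    CNY 220,000
  • Project category:
    Young Scientists Fund project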

Similar overseas grants

IAS 2023, the 12th IAS Conference on HIV Science, Brisbane, Australia, and virtually, 23-26 July 2023
  • Award number:
    10696505
  • Fiscal year:
    2023
  • Funding amount:
    $300,000
  • Project category:
Hydrogen Engine Architecture Virtually Engineered Novelly
  • Award number:
    10064212
  • Fiscal year:
    2023
  • Funding amount:
    $300,000
  • Project category:
    EU-Funded
Tele-FootX: Virtually Supervised Tele-Exercise Platform for Accelerating Plantar Wound Healing
  • Award number:
    10701324
  • Fiscal year:
    2023
  • Funding amount:
    $300,000
  • Project category:
Elucidating the Neural Computations Underlying Spatial Learning, Decision-Making and Generalization in Virtually-Navigating Monkeys
  • Award number:
    10723874
  • Fiscal year:
    2023
  • Funding amount:
    $300,000
  • Project category:
HEAVEN - Hydrogen Engine Architecture Virtually Engineered Novelly
  • Award number:
    10066117
  • Fiscal year:
    2023
  • Funding amount:
    $300,000
  • Project category:
    EU-Funded
HIVR4P 2023, the 5th HIV Research for Prevention Conference, Lima, Peru, and virtually, 22-26 October 2023
  • Award number:
    10617933
  • Fiscal year:
    2023
  • Funding amount:
    $300,000
  • Project category:
HEAVEN - Hydrogen Engine Architecture Virtually Engineered Novelly
  • Award number:
    10062309
  • Fiscal year:
    2023
  • Funding amount:
    $300,000
  • Project category:
    EU-Funded
Hydrogen Engine Architecture Virtually Engineered Novelly (HEAVEN)
  • Award number:
    10062766
  • Fiscal year:
    2023
  • Funding amount:
    $300,000
  • Project category:
    EU-Funded
HEAVEN - Hydrogen Engine Architecture Virtually Engineered Novelly
  • Award number:
    10063278
  • Fiscal year:
    2023
  • Funding amount:
    $300,000
  • Project category:
    EU-Funded
Hydrogen Engine Architecture Virtually Engineered Novelly
  • Award number:
    10062549
  • Fiscal year:
    2023
  • Funding amount:
    $300,000
  • Project category:
    EU-Funded