ZhiFeng Zhan,Wei Xing

DOI: https://doi.org/10.1007/978-3-642-25769-8-42

2012-01-01

Abstract:Internet traffic is modest growth worldwide due to popular applications. But the growth does not change the well-known characteristic heavy-tailed of the traffic in Internet. Mice flow would dominate the next generation of ubiquitous wireless networks because the frequent and important communications would be mice flow due to the limits of terminal and network. The most important factor which affects the performance of applications is the duration time of mice flow. For a long time the modifications on traditional TCP protocol did not reveal the nature reasons for the duration time of mice flow: ACK-based slow pacing transmission and window-based conservative packet transmitting strategy. Based on the previous work of window-based transmission schedule, this paper proposes a delay-sensitive Fast-Pacing TCP (FP-TCP) transmission mechanism for mice flow: the definite network status and RTO could be obtained by measuring RTT for each packet in mice flow, the proper transmitting pace and rate base on the network status and the fast packet retransmission schedule. Simulated experiments show that the duration time of mice flow can be shortened by FP-TCP up to about 22% at most in the condition of network is busy, meanwhile only little growth is taken to the lose rate of packet. © Springer-Verlag Berlin Heidelberg 2012.

王彬,戴连奎,吴铁军

DOI: https://doi.org/10.3969/j.issn.1007-0249.2004.01.017

2004-01-01

Abstract:With the rapid development of Internet, congestion becomes one of the major problems to be solved in network communication. Many congestion control schemes have been figured out to ensure the robustness and stability of TCP/IP networks. They are usually classified into two categories: end-to-end, such as TCP control algorithm, and Active Queue Management (AQM) schemes. However, most of these schemes are based on expert experience, not on the network dynamic characteristics. For this reason, the purpose of this paper is to analyze TCP/IP networks in control theory. Specifically, a fluid-based data transmission dynamic model is built for a simple TCP/IP network with a single bottle-neck link, then this simple network is decomposed into several basic parts with respective dynamic models. The model of the whole network is thus built from synthesizing models of sub- networks mentioned above. Based on the proposed dynamic model, performances of TCP/IP networks can be estimated and new algorithms for congestion control can be developed. This model is well validated by comparing the analytical results with the NS simulation results.

Dongqin Feng,Wenjun Huang,Jianxiang Jin,Jian Chu

DOI: https://doi.org/10.1109/icca.2003.1595168

2003-01-01

Abstract:The Ethernet is more and more used in the industrial environments. Because of the non-deterministic protocol of CSMA/CD, Ethernet is thought not to be suitable for the control of real time applications. With the worldwide application and development of Ethernet, its transmission rate is considered sufficiently high enough to estimate that all messages can be received inside a predefined temporal window. Especially, using Ethernet in industrial network will brings a lot of advantages: (1) consistency with the other communication systems installed in the enterprise; (2) employment of the same hardware all over the factory; (3) short cycle-times due to the high transmission speed; (4) large availability of chips implementing the MAC protocol, etc. In this paper, we first analyze the real-time capability of Ethernet and features of traffic for industrial network. Then, we propose some technologies for the design of an Ethernet-based real-time application. Finally, we present an EPA (Ethernet for Plant Automation)-based open network control system.

HX Duan,JP Wu,X Li

DOI: https://doi.org/10.1109/icon.2000.875800

2001-01-01

Journal of Software

Abstract:This paper focus on the issues of management and throughput of firewalls (or screening routers) applied in transit networks. On the one hand, manual configuration of a large amount of firewalls distributed in many access points can not meet the global security requirements in the open and dynamic environment. On the other hand, the ordinal lookup of filtering rules in each individual firewall results in great decrease of throughput. Aimed at a typical transit network and its security policy requirements, a policy-based access control framework (PACF) is proposed. This framework is based on three levels of abstract access control policy: organizational access control policy (OACP), global access control policy (GACP) and local access control policy (LACP). The GACP, which comes from the results of IDSes and search engines according to OACP, is automatically and dynamically distributed to firewalls as LACPs. Each LACP is then enforced by an individual firewall. Some key algorithms for distribution of GACP and enforcement of LACP are described. A hash-based algorithm is proposed, for lookup of filtering rules in LACP. Under an environment with policy requirements described in this paper the new algorithm reduces the time complexity of lookup from O(N) of the traditional sequential algorithm to O(1), which therefore increases largely the throughput of firewalls.

Feyza Keceli,Inanc Inan,Ender Ayanoglu

DOI: https://doi.org/10.48550/arXiv.0806.1089

2008-06-06

Abstract:When the stations in an IEEE 802.11 infrastructure Basic Service Set (BSS) employ Transmission Control Protocol (TCP) in the transport layer, this exacerbates per-flow unfair access which is a direct result of uplink/downlink bandwidth asymmetry in the BSS. We propose a novel and simple analytical model to approximately calculate the per-flow TCP congestion window limit that provides fair and efficient TCP access in a heterogeneous wired-wireless scenario. The proposed analysis is unique in that it considers the effects of varying number of uplink and downlink TCP flows, differing Round Trip Times (RTTs) among TCP connections, and the use of delayed TCP Acknowledgment (ACK) mechanism. Motivated by the findings of this analysis, we design a link layer access control block to be employed only at the Access Point (AP) in order to resolve the unfair access problem. The novel and simple idea of the proposed link layer access control block is employing a congestion control and filtering algorithm on TCP ACK packets of uplink flows, thereby prioritizing the access of TCP data packets of downlink flows at the AP. Via simulations, we show that short- and long-term fair access can be provisioned with the introduction of the proposed link layer access control block to the protocol stack of the AP while improving channel utilization and access delay.

Networking and Internet Architecture

Duan Haixin,Wu Jianping,Li Xing

2001-01-01

Abstract:Efforts of this paper focus on the issues about management and throughput of firewalls (or screening routers) applied in transit networks. On the one hand, manual configuration of large amount of firewalls distributed in many access points can not meet the global security requirements in the open and dynamic environment. On the other hand, the ordinal lookup of filtering rules in each individual firewall results in great decrease of throughput. Aimed at a typical transit network and its security policy requirements, a policy-based access control framework (PACF) is proposed in this paper. This framework is based on three levels of abstract access control policy: organizational access control policy (OACP), global access control policy (GACP) and local access control policy (LACP). The GACP, which comes from the results of IDSes and search engines according to OACP, is automatically and dynamically distributed to firewalls as LACPs. Each LACP is then enforced by an individual firewall. Some key algorithms for distribution of GACP and enforcement of LACP are described. A hash-based algorithm is proposed, for lookup of filtering rules in LACP. Under the environment with policy requirements described in this paper, the new algorithm reduces the time complexity of lookup from O (N) of traditional sequential algorithm to O (1), which therefore increases largely the throughput of firewalls.

P. Dorey,C. Dunning,A. Millican-Slater,R. Tateo

DOI: https://doi.org/10.48550/arXiv.hep-th/0309054

2003-09-04

Abstract:We review some surprising links which have been discovered in the last few years between the theory of certain ordinary differential equations, and particular integrable lattice models and quantum field theories in two dimensions. An application of this correspondence to a problem in non-Hermitian (PT-symmetric) quantum mechanics is also discussed.

High Energy Physics - Theory

Bing Xiong,Kun Yang,Jinyuan Zhao,Keqin Li

DOI: https://doi.org/10.1016/j.jnca.2016.04.013

2017-01-01

Abstract:The continual growth of network traffic rates leads to heavy packet processing overheads, and a typical solution is to partition traffic into multiple network processors for parallel processing especially in emerging software-defined networks. This paper is thus motivated to propose a robust dynamic network traffic partitioning scheme to defend against malicious attacks. After introducing the conceptual framework of dynamic network traffic partitioning based on flow tables, we strengthen its TCP connection management by building a half-open connection separation mechanism to isolate false connections in the initial connection table (ICT). Then, the lookup performance of the ICT table is reinforced by applying counting bloom filters to cope with malicious behaviors such as SYN flooding attacks. Finally, we evaluate the performance of our proposed traffic partitioning scheme with real network traffic traces and simulated malicious traffic by experiments. Experimental results indicate that our proposed scheme outperforms the conventional ones in terms of packet distribution performance especially robustness against malicious attacks.

Guang Jin,Jian-gang Yang,Wei Wei,Ya-bo Dong

DOI: https://doi.org/10.3724/sp.j.1146.2007.00460

2008-01-01

Abstract:Major defensive mechanisms against DoS attacks in the Internet are reviewed. Especially the most recent capabilities techniques, such as basic concepts, stateless flow filtering and the Traffic Validation Architecture (TVA), are analyzed deeply. The related discussions about the shortcomings of current capabilities techniques, such as potential Denial-of-Capability (DoC) attacks, decrement of transmission efficiency, are given in detail. Some improvement methods are provided. They include protecting capabilities requests with notifications, bi-level capabilities, flexible and dynamical capabilities assignment, etc. These methods enhance the robustness and efficiency of capabilities. Theoretical evaluations and simulations show that the improvements outperform original schemes and are more practical in the Internet.

Cheng Zang,Zhongdong Huang,Gang Chen,Jinxiang Dong

DOI: https://doi.org/10.1109/CSCWD.2006.253234

2006-01-01

Abstract:The access control architecture using state-transfer-based dynamic policy is proposed to make access control more flexible and dynamic. This architecture can dynamically change the policy according to a state-transfer composed of a previous state and a current state. It can indicate the tendency of the system by using both previous and current information in order to decide a more appropriate policy to the current system and future condition. And there are two steps in this dynamic policy method, one is deciding a partial-state and the other one is deciding a state, two dynamic policy decision layers are included into this architecture in order to manage these two steps

Zohre Ranjbar Mojaveri,Andras Farago

DOI: https://doi.org/10.48550/arXiv.2101.10558

2021-01-26

Abstract:Filtering packet traffic and rules of permit/denial of data packets into network nodes are granted by facilitating Access Control Lists (ACL). This paper proposes a procedure of adding a link load threshold value to the access control list rules option, which acts on the basis of threshold value. The ultimate goal of this enhanced ACL is to avoid congestion in targeted subnetworks. The link load threshold value allows to decide that packet traffic is rerouted by the router to avoid congestion, or packet drop happens on the basis of packet priorities. The packet rerouting in case of high traffic loads, based on new packet filtering procedure for congestion avoidance, will result in the reduction of the overall packet drop ratio, and of over-subscription in congested subnetworks.

Networking and Internet Architecture

Li Wei,Cai Zhongmin,Xiaohong Guan

DOI: https://doi.org/10.3321/j.issn:0253-987x.2006.10.001

2006-01-01

Abstract:An analysis method of Internet architecture security is presented by introducing the concept of access relations and access streams to show that the access control is a procedure to reduce access relations according to certain security policies in the traditional network access control. On the basis of the concept, a new scheme of data classification is proposed based on real and anonymous addresses and network addresses of the control and application data. A set of the corresponding global access control rules is established under the conditions of the openness and manageability of the uniform network, security and user privacy. The analysis of the scheme shows that the proposed method reduces access relations significantly, and the level of the Internet architecture security is increased wholly.

John Nagle

DOI: https://doi.org/10.1145/205447.205454

IF: 1.937

1995-01-11

ACM SIGCOMM Computer Communication Review

Abstract:Congestion control is a recognized problem in complex networks. We have discovered that the Department of Defense's Internet Protocol (IP), a pure datagram protocol, and Transmission Control Protocol (TCP), a transport layer protocol, when used together, are subject to unusual congestion problems caused by interactions between the transport and datagram layers. In particular, IP gateways are vulnerable to a phenomenon we call congestion collapse, especially when such gateways connect networks of widely different bandwidth. We have developed solutions that prevent congestion collapse.These problems are not generally recognized because these protocols are used most often on networks built on top of ARPANET IMP technology. ARPANET IMP based networks traditionally have uniform bandwidth, identical switching nodes, and are sized with substantial excess capacity. This excess capacity, and the ability of the IMP system to throttle the transmissions of hosts has for most IP/TCP hosts and networks, been adequate to handle congestion. With the recent split of the ARPANET into two interconnected networks and the growth of other networks with differing properties connected to the ARPANET, however, reliance on the benign properties of the IMP system is no longer enough to allow hosts to communicate rapidly and reliably. Improved handling of congestion is now mandatory for successful network operation under load.Ford Aerospace and Communications Corporation, and its parent company, Ford Motor Company, operate the only private IP/TCP long-haul network in existence today. This network connects six facilities (one in Michigan, two in California, one in Colorado, one in Texas, and one in England) some with extensive local networks. This net is cross-tied to the ARPANET but uses its own long-haul circuits; traffic between Ford facilities flows over private leased circuits, including a leased transatlantic satellite connection. All switching nodes are pure IP datagram switches with no node-to-node flow control, and all hosts run software either written or heavily modified by Ford or Ford Aerospace. Bandwidth of links in this network varies widely, from 1200 to 10,000,000 bits per second. In general, we have not been able to afford the luxury of excess long-haul bandwidth that the ARPANET possesses, and our long-haul links are heavily loaded during peak periods. Transit times of several seconds are thus common in our network.Because of our pure datagram orientation, heavy loading, and wide variation in bandwidth, we have had to solve problems that the ARPANET/MILNET community is just beginning to recognize. Our network is sensitive to suboptimal behavior by host TCP implementations, both on and off our own net. We have devoted considerable effort to examining TCP behavior under various conditions, and have solved some widely prevalent problems with TCP. We present here two problems and their solutions. Many TCP implementations have these problems; if throughput is worse through an ARPANET/MILNET gateway for a given TCP implementation than throughput across a single net, there is a high probability that the TCP implementation has one or both of these problems.

computer science, information systems

Jonathon Anderson

2024-09-24

Abstract:Currently, the TCP/IP model enables exploitation of vulnerabilities anonymously by unconditionally fulfilling every request for a connection into an application; the model only incorporates authentication within applications themselves, rather than as a precondition for access into applications. I am proposing the Universal Session Protocol as a change to the architecture of the TCP/IP model to include a session layer featuring a structured generalized process for authentication negotiation and fulfillment. The Universal Session Protocol addresses an urgent and vital need to eliminate unauthenticated data processing on security critical systems. Previous work regarding TCP/IP security has focused on the application design and implementation and existing protocol layers, but has failed to posit the addition of a session layer as a mitigating control. Failing to implement a distinct authentication layer leaves every resource connected to the global Internet, including life and security critical infrastructure, vulnerable to attacks from anonymous and untraceable sources. The Universal Session Protocol provides a solution by establishing a TCP/IP Session Layer that explicitly provides authentication before a data stream is accessible within an application. After authentication, an identity is associated with the data stream so that all data may be related back to that identity for forensic purposes. If authentication fails, the application will never process user data, rendering the service safe from anonymous bad actors.

Cryptography and Security,Networking and Internet Architecture

Katerina J. Argyraki,David R. Cheriton

DOI: https://doi.org/10.1109/TNET.2008.2007431

2004-05-24

Abstract:A distributed denial-of-service (DDoS) attack can flood a victim site with malicious traffic, causing service disruption or even complete failure. Public-access sites like amazon or ebay are particularly vulnerable to such attacks, because they have no way of a priori blocking unauthorized traffic. We present Active Internet Traffic Filtering (AITF), a mechanism that protects public-access sites from highly distributed attacks by causing undesired traffic to be blocked as close as possible to its sources. We identify filters as a scarce resource and show that AITF protects a significant amount of the victim's bandwidth, while requiring from each participating router a number of filters that can be accommodated by today's routers. AITF is incrementally deployable, because it offers a substantial benefit even to the first sites that deploy it.

Networking and Internet Architecture

Shu Yang,Mingwei Xu,Dan Wang,Jianping Wu

DOI: https://doi.org/10.1109/ICCCN.2012.6289219

2012-01-01

Abstract:Source address filtering is used as an important mechanism to prevent malicious traffic. Currently, most networks store filters in hardware such as TCAM, which has limited capacity, high power consumption and high cost. Although software can accommodate large number of filters, it needs multiple accesses to memory on the border router, which bears much more additional burden than other routers.In this paper, we propose a software-based mechanism for source address filtering. In our mechanism, we only need to check a few bits in source addresses on each router, rather than checking all bits on the ingress router. Through cooperation among routers, our mechanism ensures that malicious traffic will be filtered in the network.We formulate this problem as finding a cooperative scheme such that the loads on all routers are optimally balanced. We show that the problem can be optimally solved by dynamic programming. We evaluate our algorithms using comprehensive simulations with BRITE generated topologies and real world topologies. We conduct a case study on China Education and Research Network 2 (CERNET2) configurations, a large IPv6 network. Compared to checking 128-bit IP addresses on ingress routers, our algorithm checks at most 40 bits on each router.

YANG Xin,LI Hui,QUE Jianming,MA Zhentai,LI Gengxin,YAO Yao,WANG Bin,JIANG Fuli

DOI: https://doi.org/10.11896/jsjkx.220600265

2023-01-01

Abstract:Traditional IP-based Internet offers an end-to-end data transport service and has developed rapidly in the past half-century.However,serious security incidents emerged from attacks based on traditional networks.Traditional security mechanisms(e.g.,firewalls,intrusion detection systems) enhance security.However,most of them only provide some remedial strategies rather than solve the address-security problem radically due to the lack of change in network design.The overall in-depth security of the networked system cannot be guaranteed without a fundamental change.In order to meet the development requirements of the next generation of an endogenous security network,one of the future networks,the multi-identifier network(MIN),is introduced as our research background.This paper proposes an efficient scheme in hieratical architecture that provides comprehensive protection by addressing the security aspects pertaining to the network and application layers.At the network layer,the proposed architecture develops a multi-identifier routing scheme with embedded identity-based authentication and packet signature mechanisms to provide data tamper-resistance and traceability.At the application layer,the proposed architecture designs a mimic defensive scheme combined with weighted network centrality measures.This scheme focuses on protecting the core components of the whole network to improve the service's robustness and efficiently resist potential attacks.This paper tests and evaluates the proposed scheme from a theoretical and practical perspective.An analytical model is built based on the random walk for theoretical evaluation.In experiments,the proposed scheme is developed in MIN as MIN-VPN.Then considering IP-VPN as a baseline,anti-attack tests are conducted on IP-VPN and MIN-VPN.The results of theoretical evaluations and experiments show that the proposed scheme provides excellent transmission performance and successful defense against various TCP/IP-based attacks with acceptable defensive cost,demonstrating this security mechanism's effectiveness.In addition,after long-period penetration testing in three international elite security contests,the proposed method is effectively immune to all TCP/IP-based attacks from thousands of professional teams,thus verifying its strong security.

Timothy Murkomen

DOI: https://doi.org/10.30574/gscarr.2024.18.3.0106

2024-03-30

GSC Advanced Research and Reviews

Abstract:TCP/IP is the backbone of modern network communication, connecting devices across the world. TCP/IP at its core is a suite of protocols that enables the transmission of data between computers, facilitating the foundation of the interconnected global network. At the Application Layer of TCP/IP is where the interaction between software applications and the network occurs. The user-centric protocols such as HTTP, SMTP, FTP, POP3, IMAP and DNS facilitate various tasks at this layer such as web browsing, email communication, and file transfer. This comprehensive survey conducted an exploration of the performance, security and privacy issues at the application layer of the TCP/IP. It initiated by providing a background of TCP/IP model, it’s architecture and the core characteristics, with major focus on the application layer. This paper aimed to discuss the state-of-the-art of performance, privacy and security concerns in TCP/IP application layer. It also proposed future research areas to equip researchers, practitioners, policy makers and the decision makers with tangible knowledge, offering guidance in navigating the performance, privacy and security concerns in TCP/IP Application Layer. It aimed to discuss the current performance, privacy and security research gaps at the Application Layer of the TCP/IP Model. The findings of this research sheds light on the performance, privacy and security issues while suggesting the countermeasures to strengthen and optimize the overall performance, security and privacy of TCP/IP model at the application layer. The paper finally suggests future directions and research areas at the TCP/IP application layer.

Xiong Liu,Haiwei Xue,Xiaoping Feng,Yiqi Dai

DOI: https://doi.org/10.1109/iccsn.2011.6013582

2011-01-01

Abstract:The administrator shall implement multilevel security policy in a multilevel security network system. The policy must ensure the information flow from low level host to the same level host or high level host, and prevent the information flow from high level host to low level host, but traditional network is difficult to meet the requirement. This paper proposes a design of multi-level security network switch system. The design adds a module named Filter based on OpenFlow. OpenFlow can control the packets flow of the network, and the Filter can check the packet's content and delay the packets then restrict covert channel. Using OpenFlow and the Filter, the system can implement the multilevel security policy in the scenario of local area network. The experiment verified the feasibility of the design.

Yuan Liang,Hai-Xin Duan

DOI: https://doi.org/10.1109/waim.2008.98

2008-01-01

Abstract:To make the Internet today more connective with better performance, we developed the SoftInternet system, which consists of application layer proxies operated in P2P structure. To keep malicious peers out of the system in the beginning, we propose the model for admission control policy based on trust friend recommendations in social networks. We simulate the model to analyze the parameters and its performance. It is concluded that our model can effectively protect the system from malicious peers while keep good expandability of the system. In the end, we introduce the implementation of the model in SoftInternet, and discuss future works.