Bo Wu,Ke Xu,Qi Li,Bingyang Liu,Shoushou Ren,Fan Yang,Meng Shen,Kui Ren

DOI: https://doi.org/10.1016/j.comnet.2019.04.023

IF: 5.493

2019-01-01

Computer Networks

Abstract:The current Internet is vulnerable to various attacks, e.g., source spoofing and flow hijacking attacks, which are incurred by misconfigurations or attacks. Either users or network operators are unable to easily localize these faults. Existing fault localization mechanisms can detect such attacks under an assumption that localization is performed upon reliable communication channels. Unfortunately, the assumption does not always hold. The forwarding paths of localization are not always reliable. Packets are usually dropped for some reasons. In particular, adversaries can interfere with fault localization by maliciously dropping packets. In this paper, we relax the assumption and propose a robust data-plane fault localization protocol named RFL that can localize faults and achieve source authenticity and path compliance even if communication channels in the network are not reliable. RFL samples and verifies packets in each network entity so that the packet source can efficiently localize faults of packet forwarding by verifying the sampled packets. By leveraging packet acknowledgment, packet sampling based fault localization is not impacted by packet loss in the communication channels. In particular, RFL leverages a symmetric key distribution scheme to implement robust key distribution among different entities, which ensures that packet sources can always correctly fresh their keys to perform correct localization. Our security and theoretical analysis demonstrates the robustness of RFL protocol. We implement the RFL prototype on Click routers. The experiment results with the prototype demonstrate that RFL achieves more than 99.5% localization accuracy while incurring only 10% throughput degradation.

Fanfu Zhou,Zhengwei Qi,Jianguo Yao,Ruhui Ma,Bin Wang,Athanasios V. Vasilakos,Haibing Guan

DOI: https://doi.org/10.1109/tdsc.2016.2599881

2018-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Compromised or misconfigured routers have been a major concern in large-scale networks, Such routers sabotage packet delivery, and thus hurt network performance. Data-plane fault localization (FL) promises to solve this problem. Regrettably, the path-based FL fails to support dynamic routing, and the neighbor-based FL requires a centralized trusted administrative controller (AC) or global clock synchronization in each router and introduces storage overhead for caching packets. To address these problems, we introduce a dynamic distributed and low-cost model, (DFL)-F-2. Using random two-hop neighborhood authentication, (DFL)-F-2 supports volatile path without the AC or global clock synchronization. Besides, (DFL)-F-2 requires only constant tens of KB for caching which is independent of the packet transmission rate. This is much less than the cache size of DynaFL or DFL which consumes several MB. The simulations show that (DFL)-F-2, achieves low false positive and false negative rate with no more than 3 percent bandwidth overhead. We also implement an open source prototype and evaluate its effect. The result shows that the performance burden in user space is less than 10 percent with the dynamic sampling algorithm.

Xin Zhang,Fanfu Zhou,Xinyu Zhu,Haiyang Sun,Adrian Perrig,Athanasios V. Vasilakos,Haibing Guan

DOI: https://doi.org/10.1109/tnet.2013.2274662

2014-01-01

IEEE/ACM Transactions on Networking

Abstract:Datacenter networking has gained increasing popularity in the past few years. While researchers paid considerable efforts to enhance the performance and scalability of datacenter networks, achieving reliable data delivery in these emerging networks with misbehaving routers and switches received far less attention. Unfortunately, documented incidents of router compromise underscore that the capability to identify adversarial routers and switches is an imperative and practical need rather than merely a theoretical exercise. To this end, data-plane fault localization (FL) aims to identify faulty links and is an effective means of achieving high network availability. However, existing secure FL protocols assume that the source node knows the entire outgoing path that delivers the source node's packets and that the path is static and long-lived. These assumptions are invalidated by the dynamic traffic patterns and agile load balancing commonly seen in modern datacenter networks. We propose the first secure FL protocol, DFL, with no requirements on path durability or the source node knowing the outgoing paths. Through a core technique we named delayed function disclosure, DFL incurs little communication overhead and a small, constant router state independent of the network size or the number of flows traversing a router.

Songtao Fu,Qi Li,Xiaoliang Wang,Su Yao,Xuewei Feng,Ziqiang Wang,Xinle Du,Kao Wan,Ke Xu

DOI: https://doi.org/10.1109/TDSC.2024.3392486

2024-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Secure data forwarding is critical for users to meet their requirements. In this paper, we propose D3 (Demon Detector in Data Plane), a source-driven, secure fault localization mechanism, which empowers the source to localize faulty link in Path Aware Networking, thus circumventing faulty link to guarantee secure data forwarding. D3 utilizes the source to instruct the on-path routers, thus empowering it to detect whether the on-path routers forward the packet as expected. Compared with existing schemes that are difficult to be deployed in practice due to the heavy storage, computation, and communication overhead, D3 offloads most of the on-path router's storage and computation overhead, thus dramatically improving the deployment efficiency. Particularly, the length of the additional packet header in D3 is 2-5 times less than the state-of-the-art mechanisms, thus having a low communication overhead. Besides that, the destination in D3 could keep stateless processing, thus having backward compatibility and eliminating the opportunity for DoS attacks toward a stateful destination. The BMv2 and Barefoot Tofino hardware evaluations show that D3 could achieve high fault localization accuracy and process the packet at line rate.

Xi Sun,Xiang Chen,Di Wang,Zhengyan Zhou,Xinyue Jiang,Wenhai Wang,Chunming Wu,Haifeng Zhou

DOI: https://doi.org/10.1109/secon58729.2023.10287419

2023-01-01

Abstract:How to satisfy the latency and reliability requirements of flow data transfer is an essential problem. To address this problem, we propose RFT, a framework that aims to satisfy the user-specified latency and reliability requirements of flow data transfer, especially in the situation where the network resources are insufficient. Firstly, we formulate the problem of satisfying the user-specified latency and reliability requirements of data transfer via mixed integer linear programming (MILP), and a heuristic algorithm is then designed to solve it in a polynomialtime. Secondly, to satisfy these requirements under insufficient network resources, we proposed a greedy-based algorithm used to select the minimum number of links added to the network, which can be deployed with low cost, especially in production networks such as data centers. Finally, we have implemented RFT on a 64$\times$100 Gbps Intel Barefoot Tofino switch. Our experimental results indicate that RFT satisfies the user-specified latency and reliability requirements in all test cases at acceptable costs, even when the network resources are insufficient.

Yanjun Li,Jiming Chen,Ruizhong Lin,Zhi Wang

DOI: https://doi.org/10.1109/mahss.2005.1542774

2005-01-01

Abstract:Many routing protocols have been proposed for wireless sensor networks in recent years. For some special applications, not only energy aware but link reliable is needed. Historical link status should be captured while making routing decisions. In this paper, we design a reliable link quality estimation based routing protocol (LQER), which integrates the approach of minimum hop field and (m, k). The performance of LQER is evaluated by simulation experiments to be more energy-aware, with lower loss rate and better scalability than MHFR (Z. Ma and Y. Sun, 2004) and MCR (F. Ye et al., 2001). Thus the whole network may obtain longer lifetime and better link quality.

Boyang Zhou,Chunming Wu,Shuangxi Chen,Zhen Li,Hong Fan

DOI: https://doi.org/10.1109/iucc-cit-dsci-smartcns57392.2022.00030

2022-01-01

Abstract:The distributed network control in software-defined networking is greatly challenged by the design demands of evolving a running distributed control plane (DCP), and by the complexity of handling the control state dynamics. In this paper, we propose RIFFLE to address the problem using a distributed network operating system approach. RIFFLE enables the evolvability of control states of DCP deployed on a global scale. RIFFLE handles spatial and temporal dynamics that occur when updating and migrating the distributed control states, which overcomes the critical barrier to the evolvability. It fills the gap by enabling temporal reconfigurability in DCP. Moreover, RIFFLE reduces the complexities of building and maintaining network control services in DCP by enabling componentization and abstracting the underlying network dynamics. We evaluated the prototype RIFFLE through experiments running in PlanetLab. The results show that the prototype scales well for 135 nodes. We also validate that RIFFLE ensures the continuity and low content request delay for the supported the information-centric network supported during cache update periods owing to the enabled evolvability.

Xiaoliang Wang,Xiaohong Jiang,Cam-Tu Nguyen,Xiao Zhang,Sanglu Lu

2013-01-01

Abstract:Communication networks are vulnerable to the natural disasters or malicious attacks, which may cause a large area of corruptions and long term disconnection of network services. Such significant outage has become a serious problem today with regard to the stringent reliability requirement of the mission critical applications. In this paper, we focus on fast and effective failure recovery in face of region failures. Rather than rely on the time consuming failure localization, we introduce and evaluate a direct restoration mechanism upon detecting the path failure, which use the geographically distributed intermediate nodes, named “landmarks”, to reestablish the connection through a (near-)shortest detour path. The experimental analysis on randomly generated and realistic network topologies have shown that this approach can achieve high reliability and low stretch in case of region failures, and thus significantly reduce the impact of region failures on network based mission critical services.

Rongyu Liang,Feng Liu,Jie Liu

DOI: https://doi.org/10.3390/s20236950

IF: 3.9

2020-12-05

Sensors

Abstract:A small fault in a large communication network may cause abrupt and large alarms, making the localization of the root cause of failure a difficult task. Traditionally, fault localization is carried out by an operator who uses alarms in alarm lists; however, fault localization process complexity needs to be addressed using more autonomous and intelligent approaches. Here, we present an overall framework that uses a message propagation mechanism of belief networks to address fault localization problems in communication networks. The proposed framework allows for knowledge storage, inference, and message transmission, and can identify a fault’s root cause in an event-driven manner to improve the automation of the fault localization process. Avoiding the computational complexity of traditional Bayesian networks, we perform fault inference in polytrees with a noisy OR-gate model (PTNORgate), which can reduce computational complexity. We also offer a solution to store parameters in a network parameter table, similar to a routing table in communication networks, with the aim of facilitating the development of the algorithm. Case studies and a performance evaluation show that the solution is suitable for fault localization in communication networks in terms of speed and reliability.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Qingjun Xiao,Kai Bu,Zhijun Wang,Bin Xiao

DOI: https://doi.org/10.1145/2422966.2422981

2013-01-01

Abstract:In wireless sensor networks, a critical system service is the localization service that determines the locations of geographically distributed sensor nodes. The raw data used by this service are the distance measurements between neighboring nodes and the position knowledge of anchor nodes. However, these raw data may contain outliers that strongly deviate from their true values, which include both the outlier distances and the outlier anchors. These outliers can severely degrade the accuracy of the localization service. Therefore, we need a robust localization algorithm that can reject these outliers. Previous studies in this field mainly focus on enhancing multilateration with outlier rejection ability, since multilateration is a primitive operation used by localization service. But patch merging, a powerful operation for increasing the percentage of localizable nodes in sparse networks, is almost neglected. We thus propose a robust patch merging operation that can reject outliers for both multilateration and patch merging. Based on this operation, we further propose a robust network localization algorithm called RobustLoc. This algorithm makes two major contributions. (1) RobustLoc can achieve a high percentage of localizable nodes in both dense and sparse networks. In contrast, previous methods based on robust multilateration almost always fail in sparse networks with average degrees between 5 and 7. Our experiments show that RobustLoc can localize about 90% of nodes in a sparse network with 5.5 degrees. (2) As far as we know, RobustLoc is the first to uncover the differences between outlier distances and outlier anchors. Our simulations show that RobustLoc can reject colluding outlier anchors reliably in both convex and concave networks.

Hancun Sun,Xu Chen,Yantian Luo,Wei Feng,Yunfei Chen,Ning Ge

DOI: https://doi.org/10.1109/icct59356.2023.10419782

2023-01-01

Abstract:Link flooding attack (LFA) is a kind of stealthy distributed denial of service (DDoS) attack that has been commonly exploited by attackers to disconnect victims from the Internet by congesting critical links on the paths. With the development of 5G, a massive number of insecure Internet of Things (IoT) devices have been connected to the network, which significantly increases the risk of LFA. Detecting and mitigating LFA is difficult since malicious traffic is of low speed and protocol confirming from legitimate traffic. Traditional LFA detection methods face the challenge of high complexity. Due to the numerous attack sources of LFA, the mainstream traffic engineering-based mitigation methods introduce high signaling communication costs. To over-come these challenges, we propose a novel LFA defense system in software defined networking (SDN) architecture that consists of a distributed relative entropy-based LFA detection method and an optimized rerouting method for LFA mitigation. This framework is lightweight to implement. It can not only reduce the communication overhead of signaling transmission in mitigation, but also avoid the cascading congestion of other links after rerouting. We verify our detection and mitigation method in an experimental testbed. Numerical results show that our method can detect and mitigate LFAs effectively with low cost.

Xing Li,Yinbo Yu,Kai Bu,Yan Chen,Jianfeng Yang,Ruijie Quan

2019-01-01

Abstract:The control plane of Software-Defined Networking (SDN) is the key component that oversees and manages networks. However, involving design or logic flaws in its policy enforcement and network control is inevitable, which can cause it to behave incorrectly and induce network anomalies. Unfortunately, existing approaches mainly focus on policy verification or fault troubleshooting with little fault localization capability for repairing these flaws in production environments. In this paper, we present FALCON, the first FAult Localization tool for SDN CONtrol plane. We design a novel causal inference mechanism based on differential checking, which symmetrically compares two system behaviors with similar processes and identifies the causality in related code execution paths with concrete contexts to explain why a fault happened in the SDN network. Our main contributions include 1) a lightweight rule-based dynamic tracing mechanism for recording system behaviors of the SDN control plane, 2) a context-aware modeling mechanism for modeling these behaviors, and 3) a differential checking mechanism for localizing controller faults according to formulated symptoms. Our evaluation shows that FALCON is capable of localizing faults in SDN control plane with low overhead on performance.

Xudong Zuo,Qing Li,Jingyu Xiao,Dan Zhao,Jiang Yong

DOI: https://doi.org/10.1145/3555050.3569137

2022-01-01

Abstract:Network failure severely impairs network performance, affecting latency and throughput of data transmission. Existing failure localization solutions for general networks face problems such as difficulty in acquiring data from end hosts, need for extra infrastructure, and excessive resource consumption. Meanwhile, solutions designed for data center networks are hard to apply in general networks, as they usually rely on the topology regularity of DCNs. In this paper, we propose Drift-Bottle, a lightweight and distributed approach to failure localization in general networks. In Drift-Bottle, each switch judges the status of flows and makes a local inference for suspicious links. We design a distributed localization scheme where each normal packet is used as a "drift-bottle" that carries a "letter", i.e., a lightweight inference header, while traversing the network. Each switch along the path updates the inference header by aggregating it with its local inference. Whenever the inference is evident enough to identify the culprit links of failures, a warning is sent to the operator immediately. Drift-Bottle implements its function mainly on the data plane of programmable switches and thus reduce the overhead brought to switches significantly. Evaluation based on simulation on different topologies demonstrates that Drift-Bottle provides fast, precise and lightweight failure localization to operators of general networks.

Lei Xue,Xiaobo Ma,Xiapu Luo,Edmond W. W. Chan,Tony T. N. Miu,Guofei Gu

DOI: https://doi.org/10.1109/tifs.2018.2815555

IF: 7.231

2018-01-01

IEEE Transactions on Information Forensics and Security

Abstract:A new class of target link flooding attacks (LFA) can cut off the Internet connections of a target area without being detected because they employ legitimate flows to congest selected links. Although new mechanisms for defending against LFA have been proposed, the deployment issues limit their usages since they require modifying routers. In this paper, we propose LinkScope, a novel system that employs both the end-to-end and the hop-by-hop network measurement techniques to capture abnormal path performance degradation for detecting LFA and then correlate the performance data and traceroute data to infer the target links or areas. Although the idea is simple, we tackle a number of challenging issues, such as conducting large-scale Internet measurement through noncooperative measurement, assessing the performance on asymmetric Internet paths, and detecting LFA. We have implemented LinkScope with 7174 lines of C codes and the extensive evaluation in a testbed and the Internet show that LinkScope can quickly detect LFA with high accuracy and low false positive rate.

Songtao Fu,Qi Li,Xiaoliang Wang,Su Yao,Xuewei Feng,Ziqiang Wang,Xinle Du,Kao Wan,Ke Xu

DOI: https://doi.org/10.1109/icdcs54860.2022.00056

2022-01-01

Abstract:In pursuit of high-performance applications, the cloud is moving out of the data center and towards the edge. Secure data forwarding is critical for the users between the edge and the remote cloud. In this paper, we propose D3 (Demon Detector in Data Plane), a lightweight, secure fault localization mechanism, which can enable the users in the edge cloud to localize faulty links and thus avoid the faulty links to guarantee secure data forwarding along the path to the remote cloud. D3 utilizes the user to instruct the transit routers, thus empowering the user to detect whether the transit routers forward the packet as expected. Compared with existing schemes that are difficult to be deployed in practice due to the incurred heavy storage, computation, and communication overhead, D3 offloads most of the transit router’s storage and computation overhead, thus dramatically improving the deployment efficiency. Particularly, the length of the additional packet header in D3 is 2-5 times less than the state-of-the-art mechanisms, and the extra control packet overhead is ten times less while keeping a little constant storage overhead in the data plane. The evaluations in BMv2 and Barefoot Tofino hardware show that D3 could achieve high fault localization accuracy and efficiency.

Lei Xue,Xiaobo Ma,Xiapu Luo,Edmond W. W. Chan,Tony T. N. Miu,Guofei Gu

2018-01-01

Abstract:A new class of target link flooding attacks (LFA) can cut off the Internet connections of a target area without being detected because they employ legitimate flows to congest selected links. Although new mechanisms for defending against LFA have been proposed, the deployment issues limit their usage since they require either additional modules to enhance routers or using the software-defined network (SDN) to replace the traditional routers. In this paper, we propose a novel framework that employs both the end-to-end and the hop-by-hop network measurement techniques to capture abnormal path performance degradation for detecting LFA and then locate the target links or areas whenever possible, and develop a prototype of the framework named LinkScope. Although using network measurement to capture network anomaly is not new, we tackle a number of challenging issues, such as conducting large-scale Internet path monitoring via non-cooperative measurement so that users do not need to install LinkScope on every host, profiling the performance of asymmetric Internet paths, and detecting LFA. The extensive evaluation in a testbed and the Internet shows that with limited bandwidth and computational overhead LinkScope can achieve timely detection and diagnosis of LFA with high detection rate and low false positive rate.

Yanyong Zhang,Wade Trappe,Zang Li,Manali Joglekar,Badri Nath

DOI: https://doi.org/10.1007/978-0-387-46276-9_6

2007-01-01

Abstract:Many sensor applications are being developed that require the location of wireless devices, and localization schemes have been developed to meet this need. However, as location-based services become more prevalent, the localization infrastructure will become the target of malicious attacks. These attacks will not be conventional security threats, but rather threats that adversely affect the ability of localization schemes to provide trustworthy location information. This paper identifies a list of attacks that are unique to localization algorithms. Since these attacks are diverse in nature, and there may be many unforseen attacks that can bypass traditional security countermeasures, it is desirable to incorporate an additional layer in the data path to classify/clean the corrupted location data. To address these attacks, we outline a general framework for validating location information through data classification and data cleansing techniques. Consistency checking methods can be used to verify that physical measurements are consistent with each other and with physical reality. We then explore more powerful techniques that employ robust statistical methods to make localization schemes attack-tolerant. We examine two broad classes of localization: triangulation and RF-based fingerprinting methods. For triangulation-based localization, we propose an adaptive least squares and least median squares position estimator that has the computational advantages of least squares in the absence of attacks and is capable of switching to a robust mode when being attacked. We introduce robustness to fingerprinting localization through the use of a median-based distance metric. We evaluate our robust localization schemes under different threat conditions.

R Hao,D Lee,J Ma,J Yang

DOI: https://doi.org/10.1109/noms.2004.1317646

2004-01-01

Abstract:For network fault management, we present a new technique that is based on on-line monitoring of networks with link state routing protocols, such as OSPF (open shortest path first) and integrated IS-IS. Our approach employs an agent that monitors the on-line information of the network link state database, analyzes the events generated by network faults for event correlation, and detects and localizes the faults. We apply our method to a real network topology with various types of network faults. Experimental results show that our approach can detect and localize the faults in a timely manner, yet without disrupting normal network operations.

Zhiliang Qian,Ying Fei Teh,Chi-Ying Tsui

DOI: https://doi.org/10.1109/vlsisoc.2011.6081674

2011-01-01

Abstract:In this work, we propose a fault-tolerant framework for Network on Chips (NoC) to achieve maximum performance under fault. A fine-grained fault model is first introduced. Different from the traditional link or node NoC fault models which assume the faulty resource to be totally unfunctional, we distinguish the faulty components and handle them according to their fault classes. By doing so, we can avoid unnecessary partitioning of the network and hence achieve a higher connectivity under high fault rate. Two new dynamic reconfiguration schemes at the router level, namely Dynamic Buffer Swapping (DBS) and Dynamic MUX Swapping(DMS), are proposed to deal with the buffer and cross-bar faults accordingly, which are the main sources of failure in the router. In these schemes, the healthy resources in the router are maximally utilized to mitigate the faults. Experimental results show that we can achieve higher packet acceptance rate and lower latency compared with state-of-the-art fault-tolerant routing schemes.

Qianfeng Shen,Paul Chow

2023-11-02

Abstract:In today's data centers, the performance of interconnects plays a pivotal role. However, many of the underlying technologies for these interconnects have a history of several decades and existed long before data centers came into <a class="link-external link-http" href="http://being.To" rel="external noopener nofollow">this http URL</a> better cater to the requirements of data center networks, particularly in the context of intra-rack communication, we have developed a new interconnect. This interconnect is based on a lossless link layer protocol, named RIFL. In this work, we designed and implemented RIFL Layer 2, a scalable network that supports up to multi-hundred Gbps communication. RIFL Layer 2 includes the RIFL switch and RIFL NIC. By utilizing a simple Batcher Banyan and iSLIP RIFL switch, we effectively keep the typical intra-rack latency under 400 nanoseconds. Moreover, for a 32-port 100Gbps network, under both Bernoulli arrival and bursty arrival traffic patterns, we ensure that the 99\% tail latency does not exceed 12microseconds.

Networking and Internet Architecture