SENSS: Software Defined Security Service

SENSS is a security service for collaborative mitigation of distributed attacks. SENSS enables the victim of an attack to request help on demand from direct and remote ISPs in an automated and secure manner, and pay for services rendered. Simple and generic SENSS APIs enable victims to build custom detection and mitigation approaches against a variety of attacks. SENSS is deployable in today’s infrastructure, and it has strong economic incentives both for ISPs and for the attack victims.


BLAG: Blacklist Aggregator

Blacklists contain identities of known offenders and can be used to preventively filter unwanted traffic. Yet, any single blacklist may only be effective for a given type of attack and only over certain portions of the address space. Further, each blacklist is compiled and updated using proprietary methods, and thus may contain stale information or may be slow to include new offenders, leading to false positives or false negatives. Finally, blacklists contain addresses of offenders, which lowers their accuracy in networks that use dynamic addressing. BLAG is a sophisticated approach that selects and aggregates only the accurate pieces of information from multiple blacklists. BLAG estimates the accuracy of each blacklist over regions of the address space, and uses recommender systems to select the most reputable and accurate pieces of information to aggregate into its master blacklist.


SDProber: A Software Defined Prober for SDN

(Work done as an intern at AT&T Labs Research 2017, mentored by Yaron Kanza and Balachander Krishnamurthy)

Proactive measurement of the delay in communication networks aims to detect congestion and find links on which the traffic flow is obstructed. The goal is to detect delayed links as early as possible, without interfering with the network traffic. There is, however, a tradeoff between the detection time and the cost (e.g., bandwidth utilization). An adaptive measurement adjusts the inspection rate per link, for effective monitoring with reduced cost, but it requires control over forwarding rules. SDProber is a tool for proactive measurement of delays in SDN. SDProber uses probe packets that perform a random walk over the network, routed by adding tailored rules to the vSwitches. Adaptation is achieved by changing the probabilities that govern the random walk.

A Framework for ML-Based Prediction of Network Events on Programmable Switches

(Work done as an intern at AT&T Labs Research 2018, mentored by Yaron Kanza and Balachander Krishnamurthy)

Machine learning can be powerful in predicting network events, which can help network operators make proactive decisions. However, modern switches support only a limited set of operations, which prevents running machine learning on them directly. We propose a framework that performs real-time prediction of network events (such as microbursts or link utilization) in switches. Our framework uses offline learning to understand the scenarios leading to a particular network event, translates the learned model to a DFA, and finally compiles it to a switch using P4.

Quantifying the impact of blacklisting

(Work done as an intern at ICSI Berkeley 2019, mentored by Sadia Afroz)

Blacklists are lists of addresses that are known to be malicious. Blacklists are simple to implement and are often used as the first layer of defense. However, blacklists that use IP addresses as the identifier for malicious activity have two drawbacks. Firstly, there is a shortage of IPv4 address space, which is forcing network operators to accommodate several users behind the same IP address using Carrier-grade NAT. Blacklisting an address in such an address space can inadvertently affect several other legitimate users who share the same IP address with the malicious user. Secondly, many ISPs adopt a policy of dynamic addressing, where a particular user can receive multiple IP addresses over time. Therefore, a malicious user can launch attacks from one IP address and, once assigned a new address, can no longer be identified as malicious by that IP address. In the worst case, a legitimate user may be assigned the previous IP address of the malicious user, which can lead to unintentional blocking of the legitimate user. In this work, we attempt to quantify the collateral damage incurred by representing blacklists using IP addresses.
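As an added illustration of the two failure modes described above (this is example code written for this page, not the project's own measurement code), the following script takes constructed address-lease records and a constructed IP blacklist with listing windows, and counts the legitimate users blocked by each entry, split into those who shared the address with the offender (CGNAT) and those who inherited it after reassignment (dynamic addressing). All users, addresses and times are made up for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Lease:
    user: str
    ip: str
    start: int  # hours since start of observation
    end: int

# Constructed sample data: 203.0.113.5 is a CGNAT address shared by three
# users; 198.51.100.9 is a dynamically assigned address that moves from the
# offender to an unrelated user after hour 12.
LEASES = [
    Lease("mallory", "203.0.113.5", 0, 48),   # the offender, behind CGNAT
    Lease("alice",   "203.0.113.5", 0, 48),   # shares the CGNAT address
    Lease("bob",     "203.0.113.5", 10, 30),
    Lease("mallory", "198.51.100.9", 0, 12),  # offender's dynamic address
    Lease("carol",   "198.51.100.9", 13, 40), # inherits the address later
    Lease("dave",    "192.0.2.7", 0, 48),     # never touched by the blacklist
]
# Constructed blacklist entries: (ip, listed_at, expires_at)
BLACKLIST = [("203.0.113.5", 5, 48), ("198.51.100.9", 6, 48)]
OFFENDERS = {"mallory"}

def overlaps(lease, start, end):
    """True if the lease is active at any point in [start, end)."""
    return lease.start < end and lease.end > start

def collateral_damage(leases, blacklist, offenders):
    """Per listed IP, legitimate users blocked, split by cause."""
    result = {}
    for ip, listed_at, expires_at in blacklist:
        active = [l for l in leases if l.ip == ip and overlaps(l, listed_at, expires_at)]
        bad = [l for l in active if l.user in offenders]
        shared, reassigned = set(), set()
        for l in active:
            if l.user in offenders:
                continue
            # Shared: the legitimate lease coincides in time with the offender's
            # lease on the same address (CGNAT). Reassigned: it does not.
            if any(overlaps(l, b.start, b.end) for b in bad):
                shared.add(l.user)
            else:
                reassigned.add(l.user)
        result[ip] = {"shared": shared, "reassigned": reassigned}
    return result

def legitimate_fraction(damage, offenders):
    """Share of all blocked users who are not offenders."""
    legit = set().union(*(d["shared"] | d["reassigned"] for d in damage.values()))
    return len(legit) / (len(legit) + len(offenders))
```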