Department: Computer Science & Engineering
Keith Marzullo | Stefan Savage
Name: Alper T Mizrak
Email: amizrak @ ucsd.edu
Grad Year: 2007
An emerging class of cyberattacks targets the control plane of routers. Such attacks allow an intruder to force the router to make arbitrary routing decisions: dropping, delaying and reordering packets, as well as misrouting and altering them. We have developed the Fatih system, which detects the presence of such compromised routers and isolates their effects.
- We have specified the problem Fatih addresses. The problem is an instance of anomaly-based intrusion detection. We have used the specification to understand the fundamental limitations of any solution to this problem.
- All solutions are based on some form of traffic collection and analysis. For high resilience, the traffic data needs to be distributed among several routers so that anomalous behavior can be detected even when some of those routers are themselves compromised. We have developed protocols with low space and time overhead to perform this dissemination.
- Perhaps the simplest (yet effective) attack a compromised router can wage is to selectively and maliciously drop packets belonging to the victim. However, there is a subtle technical problem with attributing a missing packet to a malicious action: congestion. Modern networks routinely drop packets when load temporarily exceeds a router's buffering capacity. Earlier detection protocols tried to mask this issue with a user-defined threshold: too many dropped packets implies malicious intent. This heuristic is fundamentally limited; setting the threshold is, at best, an art, and any setting will either create false positives or mask highly focused attacks. We have developed techniques for detecting such focused attacks by distinguishing legitimate packet dropping from malicious packet dropping.
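The following Python simulation is an added illustration of the threshold dilemma described above; it is not Fatih's code and does not claim to reproduce Fatih's actual detection technique. It assumes, as one possible way of separating congestion drops from malicious drops, that the detector can replay a router's ingress trace through an idealised FIFO drop-tail queue of known buffer size and link rate and treat only the drops that model predicts as legitimate. The packet trace, the link rate, the buffer size and the flow names are all constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    pid: int        # packet identifier (in practice a hash of the packet header)
    flow: str       # flow label; "victim" is the flow the attacker targets
    arrival: float  # arrival time at the router, in seconds
    size: int       # bytes


LINK_BPS = 1_000_000    # assumed output link rate in bytes/s (8 Mbit/s)
BUFFER_BYTES = 10_000   # assumed drop-tail buffer size in bytes


def expected_congestion_drops(ingress, buffer_bytes=BUFFER_BYTES, link_bps=LINK_BPS):
    """Replay the ingress trace through an idealised FIFO drop-tail queue and return
    the ids of the packets that congestion alone would force the router to drop."""
    backlog = 0.0          # bytes currently queued
    last_arrival = None
    dropped = set()
    for p in sorted(ingress, key=lambda q: q.arrival):   # stable sort keeps burst order
        if last_arrival is not None:
            # the link drains the queue at link_bps between arrivals
            backlog = max(0.0, backlog - (p.arrival - last_arrival) * link_bps)
        last_arrival = p.arrival
        if backlog + p.size > buffer_bytes:
            dropped.add(p.pid)   # buffer full: a legitimate drop
        else:
            backlog += p.size
    return dropped


def threshold_detector(ingress, egress_ids, threshold=0.05):
    """Classic heuristic: flag the router if its aggregate drop rate exceeds a threshold."""
    dropped = sum(1 for p in ingress if p.pid not in egress_ids)
    return dropped / len(ingress) > threshold


def model_detector(ingress, egress_ids, buffer_bytes=BUFFER_BYTES, link_bps=LINK_BPS):
    """Per-flow check: count drops that the congestion model cannot explain.
    Returns {flow: unexplained_drop_count}; an empty dict means nothing suspicious."""
    expected = expected_congestion_drops(ingress, buffer_bytes, link_bps)
    unexplained = {}
    for p in ingress:
        if p.pid not in egress_ids and p.pid not in expected:
            unexplained[p.flow] = unexplained.get(p.flow, 0) + 1
    return unexplained


def build_trace():
    """Constructed sample ingress trace of 1000 packets (not real traffic)."""
    pkts, pid = [], 0
    # 20-packet burst at t=0 from 'bulk-a': overflows the 10 KB buffer, so 10 drops are legitimate
    for _ in range(20):
        pkts.append(Packet(pid, "bulk-a", 0.0, 1000)); pid += 1
    # 970 packets from 'bulk-b', one every 2 ms; the link drains 1 KB per ms, so no congestion
    for i in range(970):
        pkts.append(Packet(pid, "bulk-b", 0.1 + 0.002 * i, 1000)); pid += 1
    # 10 packets from the victim flow, 100 ms apart, each arriving at an empty queue
    for k in range(10):
        pkts.append(Packet(pid, "victim", 3.0 + 0.1 * k, 1000)); pid += 1
    return pkts


def honest_egress(ingress):
    """An honest router forwards everything except the congestion drops."""
    return {p.pid for p in ingress} - expected_congestion_drops(ingress)


def malicious_egress(ingress):
    """A compromised router behaves like the honest one but silently drops every victim packet."""
    forwarded = honest_egress(ingress)
    return {p.pid for p in ingress if p.pid in forwarded and p.flow != "victim"}


if __name__ == "__main__":
    trace = build_trace()
    for name, egress in (("honest", honest_egress(trace)), ("malicious", malicious_egress(trace))):
        print(name, "5% threshold flags:", threshold_detector(trace, egress),
              "0.5% threshold flags:", threshold_detector(trace, egress, 0.005),
              "model flags:", model_detector(trace, egress))
```

In this trace the compromised router drops every victim packet yet loses only 2% of all traffic, below a 5% threshold, while lowering the threshold to 0.5% flags the honest router, whose 1% loss is pure congestion. The per-flow comparison against the queue model separates the two cases because the victim's drops are not predicted by the model at all.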