Model parameters (λ denotes an attack rate, ρ a defense rate):
λ0: rate of host compromises based on new vulnerabilities
λv: rate of host compromises based on known vulnerabilities
ρs: rate of proactive resets
ρd: speed of reactive recovery
ρr: rate of proxy migration
A) Host State Transitions
Attacks, resource recovery (both proactive and reactive), and correlated host
vulnerabilities are the three main factors that affect the transitions of host states. We
first describe how our model captures attacks and resource recovery when the host
vulnerabilities are uncorrelated; we then describe how our model captures correlated
host vulnerabilities.
Figure 5-1 Host State Transitions
The shaded area in Figure 5-1 shows the host state transitions when the host
vulnerabilities are uncorrelated. Our model uses three parameters, λ0, ρd, and ρs, to
describe the speed of attacks, reactive resource recovery, and proactive resets,
respectively. Within a discrete time step, attackers have a probability λ0 to compromise
an intact host by exploiting a vulnerability of the host. Meanwhile, reactive resource
recovery has a probability ρd to recover a compromised host by detecting and removing
the infection, while proactive resets have a probability ρs to recover a compromised host
by proactively reloading the host with a clean system image.
Our model also captures correlated host vulnerabilities. We use domains to
describe the correlated vulnerabilities among hosts (see Figure 5-2). Hosts are grouped
into domains. Within a domain, hosts use similar software with similar configurations,
thereby sharing similar vulnerabilities. Across domains, hosts differ in software,
configurations, and other attributes, thereby providing a model for uncorrelated
vulnerabilities. A system with uncorrelated host vulnerabilities (see Figure 5-2.A) is an
extreme case where each host is in its own domain. Another extreme case is one where
all hosts are in the same domain (see Figure 5-2.B). In general, hosts in a system are
grouped into multiple domains (see Figure 5-2.C), and the number of domains is a
measure of host diversity in the system.
Figure 5-2 Domain-Based Correlated Host Vulnerability Model
To model the impact of correlated host vulnerabilities, we introduce an intermediate
host state intact_v (an intact host with a known vulnerability) and one more parameter λv
(see Figure 5-1). Here is the revised model. Within a discrete time step, with
probability λ0 attackers can compromise an intact host by exploiting a new vulnerability,
changing the other intact hosts in the same domain to the intact_v state. With
probability λv attackers can compromise an intact_v host by exploiting a known
vulnerability. Meanwhile, with probability ρs proactive resets can return a host from the
intact_v state to the intact state, by removing the known vulnerabilities. With
probability ρd and ρs respectively, reactive recovery and proactive resets can return a
compromised host to the intact state.
[Figure 5-2 panels: A) Uncorrelated Host Vulnerabilities ( Domains); B) Correlated Host
Vulnerabilities (1 Domain); C) Correlated Host Vulnerabilities (k Domains); legend: host, domain]
B) Proxy State Transition
Figure 5-3 Proxy State Transition
A proxy's state depends on three factors: the state of the host where the proxy runs,
the state of the neighboring proxies, and whether or not the proxy is an edge proxy.
Based on the host state transition model described above, we can use the following rules
to determine the state of a proxy under host compromise attacks.
- A proxy is compromised if and only if its host is.
- The neighbors of a compromised proxy are exposed, or compromised.
- All edge proxies are exposed or compromised.
Furthermore, proxy migration moves a proxy to a different host and changes the
proxy's state accordingly. We use a migration rate ρr to describe the proxy migration
process, where proxies choose migration targets randomly and the migration overhead is
small compared to the interval between migrations. More precisely, a proxy has
probability ρr to move to a different host within a discrete time step. After migration,
the proxy's state is determined by the rules above.
[Figure 5-3 legend: proxy states intact, exposed, compromised; transitions: host
compromise attack, resource recovery, proxy migration]
C) Discussion of the Model and Real World Data
Our model, while simple, captures all the key factors of the system, including speed
of attack, speed of defense, proxy network structure, and correlated host vulnerabilities.
These factors together determine how the system state changes over time, and allow us
to study the system dynamics under penetration attacks. To interpret our model (see
Table 5-1) in practical settings, we present numbers from real systems.
Table 5-2 Windows Vulnerability Statistics
Year           2001  2002  2003  2004
WinXP Pro         5    20    19    18
Win2K Server     28    24    19    18
Parameter λ0 is the rate of discovery and exploit of new host vulnerabilities, an
example of which is the exploitable vulnerabilities of the operating system software.
The Microsoft security bulletin [110] catalogues critical and remotely exploitable
vulnerabilities of Windows XP Professional and Windows 2K Server. Table 5-2 shows
the number of new vulnerabilities discovered for each period. On average, there are
about 20 new vulnerabilities discovered each year, one new vulnerability every two to
three weeks. These numbers provide a realistic approximation of λ0 in practice.
Parameter λv is the rate of host compromises using known vulnerabilities. Studies
on computer vulnerabilities and attack incidents [111, 112] show that discovery and
exploitation of new vulnerabilities is time-consuming and requires a significant amount
of expertise in the victim system. In contrast, compromising a host using a known bug
is fairly easy, because techniques and tools used in previous attacks can be leveraged.
Therefore, λv is typically significantly larger than λ0 (λ0 << λv). An example of
correlated host compromises is worms [11-13, 113], which use the same bug to
compromise hundreds of hosts in minutes, or even less.
Parameter ρd is the speed of reactive recovery, which depends on intrusion
detection. Previous research on Intrusion Detection Systems (IDS) [17, 18] indicates
that modern IDS can achieve real-time detection. Therefore ρd is primarily determined
by how fast a detected intrusion can be removed.
Parameter ρr is the proxy migration rate. Our prototype implementation of a proxy
network has a sub-second migration overhead in a large network. This suggests that
current technology can support daily, or even hourly, proxy migration rates, i.e.
10x~100x higher than λ0.
5.3 SYSTEM DYNAMICS UNDER PENETRATION ATTACKS
We use an example to show how to use the stochastic model to describe a system
under penetration attacks. Figure 5-4 shows a snapshot of a proxy network's state (the
state of all the proxies) under a penetration attack. As shown in Figure 5-4, an attacker
penetrates the proxy network along a path from an edge proxy to the application
(proxies on the path are labeled with 1, 2, ..., d in Figure 5-4).
Within a discrete time step, attackers have probability λ0 (or λv) to compromise the
deepest exposed proxy on the chain (proxy 2 in the figure). If successful, attackers
expose the next proxy (proxy 3 in the figure) on the chain, and penetrate one step
further. Meanwhile, the deepest exposed proxy has probability ρr to migrate to a new
location, thereby returning to the intact state and reducing the attack progress by one or
more steps. Furthermore, reactive (proactive) resource recovery has probability ρd (ρs)
to return compromised proxies to the exposed state by recovering compromised hosts.
As such, we can characterize the system dynamics using the stochastic model.
In addition, our model considers correlated host vulnerabilities. For example, as
shown in Figure 5-4 (shaded areas mark the domains for proxy hosts), since proxy 2's
host is the first being attacked in its domain, compromising it requires exploitation of a
new vulnerability; therefore, the probability to compromise proxy 2 is λ0. On the other
hand, since proxies 2 and 3 run on hosts in the same domain, once proxy 2 is
compromised, proxy 3 can be compromised using the same vulnerability; therefore, the
probability to compromise proxy 3 after compromising proxy 2 is λv. As such, we
model the impact of correlated host vulnerabilities on system dynamics.
Figure 5-4 System Dynamics under Penetration Attacks
[Figure 5-4 legend: proxy states compromised, exposed, intact; proxies 1, 2, 3, ..., d on the
penetration path through the proxy network to the application; shaded areas mark domains]
5.4 ANALYTICAL RESULTS: UNCORRELATED VULNERABILITIES
In this section we study analytically a system with uncorrelated host vulnerabilities
to provide a baseline for understanding proxy networks' ability to resist penetration
attacks. This study also provides a basis for a more general analysis. We first present
and prove two theorems which quantify the expected time for attackers to penetrate a
proxy network, then address feasibility questions.
5.4.1 Theorems for Penetration Resistance
We study proxy networks under penetration attacks in two cases. First, we study
proxy networks which do not use reconfiguration schemes. This allows us to
understand whether the proxy indirections of a proxy network are sufficient for
penetration resistance. Second, we study whether simple reconfiguration schemes, such
as random proxy migration, can improve a proxy network's ability to resist penetration
attacks.
5.4.1.1 Theorem 1: Systems without Proxy Network Reconfiguration
Theorem 1. Without proxy network reconfiguration, the expected time to application
exposure is $T \le d\,T_\lambda$, where $T_\lambda = \lambda_0^{-1}$ is the expected time to
compromise a host and d is the proxy network depth.
Proof:
If there are no reconfiguration mechanisms which can invalidate the information
that attackers have acquired, a proxy remains exposed once it has become so. Consider
a proxy network of depth d. λ0 is the probability for a successful host compromise in
one stochastic trial. The Markov state transition graph for the system is shown in Figure
5-5. Node i (0 ≤ i ≤ d) corresponds to the state where the deepest exposed proxy is at
depth i. Initially, the system is at state 0, because the edge proxy is exposed.
Figure 5-5 Markov State Transition (without reconfiguration)
Consider the case where there is only one attacker. Let p_d(t) be the probability of
the system reaching state d before time t. It is straightforward to see that p_d(t) follows
an Erlang distribution (each state transition to the right in Figure 5-5 can be viewed as a
Poisson event with rate λ0, therefore reaching state d is equivalent to occurrence of the
d-th Poisson event with rate λ0). Therefore the expected time to application exposure is
$T = d\,\lambda_0^{-1} = d\,T_\lambda$ ($T_\lambda = \lambda_0^{-1}$). In the general case, where
there are multiple attackers, the expected time to application exposure can only be
shorter. Therefore the time to application exposure T satisfies $T \le d\,T_\lambda$. Q.E.D.
5.4.1.2 Theorem 2: Systems with Proxy Migration
Theorem 2. Consider a proxy network with random proxy migration rate ρr. When
ρr > 2λ0, the expected time to application exposure T grows exponentially with the proxy
network depth d:
$$\Theta\!\left(T_\lambda \left(\frac{\rho_r}{2\lambda_0}\right)^{d/2}\right) \le T \le \Theta\!\left(T_\lambda \left(\frac{\rho_r}{\lambda_0}\right)^{d-1}\right);$$
when ρr < λ0, the expected time to application exposure T grows linearly with the proxy
network depth d:
$$T \le \Theta\!\left(\frac{\lambda_0}{\lambda_0 - \rho_r}\, d\, T_\lambda\right),$$
where $T_\lambda = \lambda_0^{-1}$ is the expected time to compromise a host.
[Figure 5-5: states 0, 1, 2, ..., d in a line; each transition from state i to state i+1 has rate λ0]
Proof:
Consider a chain of proxies with depth d. Each proxy on the chain is labeled with
its depth, e.g. the edge proxy is proxy 0, and a proxy at depth k is proxy k. The Markov
state transition graph for this proxy network is shown in Figure 5-6 (for brevity, let λ =
λ0 for the remainder of the proof). In state 0, only the edge proxy is exposed. In state k
(1 ≤ k ≤ d), the (k−1)th proxy is compromised and the kth proxy is exposed. In state k'
(1 ≤ k ≤ d−1), the kth proxy is exposed, but the (k−1)th proxy is not compromised. We
study the expected time from state 0 to reach state d in two boundary cases: no recovery
and perfect recovery. When there is no recovery, a proxy stays compromised until it
migrates. With perfect recovery, hosts are recovered instantaneously after being
compromised (in Figure 5-6, state k goes to state k' with certainty).
Let T_k denote the expected time to reach state d from state k (0 ≤ k ≤ d); let T_k'
denote the expected time to reach state d from state k' (1 ≤ k ≤ d−1). By definition
T_d = 0. We must compute T_0, the expected time to penetrate a proxy network of depth d
from an edge proxy. We compute T_0 for the two cases: no recovery and perfect recovery.
[Figure 5-6: two Markov chains over the states 0, 1, 2, ..., d−1, d and 1', 2', ..., (d−1)'.
No Recovery: attack transitions with rate λ, migration transitions with rate ρr. Perfect
Recovery: each state k moves to state k' with probability 1, attack transitions with rate λ,
migration transitions with rate ρr]
Figure 5-6 Markov State Transition (with proxy migration)
A) No Recovery
From the Markov state transition graph (see Figure 5-6), we can write one first-step
equation for each state, expressing the expected time from that state as one time step
plus the expected times from its successor states weighted by the transition probabilities
of Figure 5-6. This gives a linear system in the unknowns $T_0, T_1, \dots, T_d$ and
$T_{1'}, \dots, T_{(d-1)'}$. [The equation system and the closed-form solution (I) for $T_0$
as a rational function of $x$ and $d$ are not recoverable from this copy.] Solving it, we get
$T_0$ as a function of $x = \rho_r/\lambda$ and $d$ (equation (I)). Therefore in the case of no
recovery, when $\rho_r > 2\lambda$,
$$T_0 = \Theta\!\left(T_\lambda \left(\frac{\rho_r}{2\lambda}\right)^{d/2}\right),$$
where $T_\lambda = \lambda^{-1}$.
B) Perfect Recovery
From the Markov state transition graph (see Figure 5-6), we again write one first-step
equation for each state; with perfect recovery each state k moves to state k' with
certainty, so the unknowns are $T_0, T_1, \dots, T_d$ and $T_{1'}, \dots, T_{(d-1)'}$ as
before. [The equation system and the closed-form solution (II) for $T_0$ in terms of $x$
and $d$ are not recoverable from this copy.] Solving it, we get $T_0$ as a function of
$x = \rho_r/\lambda$ and $d$ (equation (II)). Therefore in the case of perfect recovery, when
$\rho_r > \lambda$, we have
$$T_0 = \Theta\!\left(T_\lambda \left(\frac{\rho_r}{\lambda}\right)^{d-1}\right);$$
and when $\rho_r < \lambda$, we have
$$T_0 = \Theta\!\left(\frac{\lambda}{\lambda - \rho_r}\, d\, T_\lambda\right),$$
where $T_\lambda = \lambda^{-1}$.
Combining both cases, we know that, in general, when ρr > 2λ0, T_0 is between
$\Theta\!\left(T_\lambda (\rho_r/2\lambda_0)^{d/2}\right)$ and
$\Theta\!\left(T_\lambda (\rho_r/\lambda_0)^{d-1}\right)$; when ρr < λ0, T_0 is no greater than
$\Theta\!\left(\frac{\lambda_0}{\lambda_0 - \rho_r}\, d\, T_\lambda\right)$.
Q.E.D.
Equipped with these theorems, we study proxy networks' ability to resist
penetration attacks. First, we study whether proxy networks can hide an application's
location indefinitely from penetration attacks. Then, we identify important system
parameters for effective defense against penetration attacks by analyzing the impact of
defenses, such as proxy migration, proxy network depth, and resource recovery.
5.4.2 Can Proxy Networks Resist Penetration Attacks?
Without proxy network reconfiguration, a proxy network is vulnerable to
penetration attacks, since Theorem 1 shows that an attacker can penetrate the proxy
network within a short period of time, which is a linear function of proxy network depth.
The reason for this linear growth is that without reconfiguration, a proxy network allows
attackers to gain information monotonically (once a proxy is exposed, it remains so), so
that attackers need only compromise the proxies on a path to the application exactly
once to penetrate the proxy network.
On the other hand, with proxy migration, a proxy network can resist penetration
attacks effectively. Theorem 2 shows that when proxy migration is added, the time to
penetrate a proxy network can be made to grow exponentially with the proxy network
depth. Thus, small increases in proxy network depth (small increased application
overhead) can significantly improve resistance to penetration attacks. Consequently,
proxy networks of moderate depth can resist penetration attacks effectively, securely
hiding the application's IP address. For example, using the numbers in Table 5-2, if
attackers take two weeks to compromise a host, and proxies migrate once per day
(ρr ≈ 10λ0), then penetrating a proxy network of depth four takes about fifty years on
average, and a proxy network of depth six would take about five thousand years on
average, eliminating this type of attack as a practical concern.
In summary, without reconfiguration, proxy networks are vulnerable to penetration
attacks. However, when proxy migration is added, proxy networks can not only resist
penetration attacks effectively, but their resistance to penetration attacks has excellent
scaling properties.
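The growth laws of Theorems 1 and 2 can be checked numerically on a simplified chain. The code below is an added example, not the thesis's analysis: it uses a birth-death approximation of the proof's Markov chain (my own assumption) in which each migration of the deepest exposed proxy undoes exactly one step of attack progress, which reproduces Theorem 1 exactly when ρr = 0 and the exponential-versus-linear behaviour of Theorem 2 otherwise. The one-hour time step used to convert to calendar years and the function names are assumptions; because the chain is simplified, its year figures illustrate the growth rate and do not reproduce the thesis's fifty-year number.

```python
"""Expected time to application exposure for a proxy chain, computed from a
simplified Markov chain (an assumption of this example, not the thesis's chain).

State k means the deepest exposed proxy is proxy k (k = 0 is the edge proxy);
state d means the application is exposed. Per discrete time step the attacker
compromises proxy k with probability lam (state k -> k+1) and the deepest exposed
proxy migrates with probability rho_r, undoing one step (state k -> k-1, k >= 1).
The edge proxy is always exposed, so its migration does not reduce progress.
"""


def expected_time_to_exposure(depth, lam, rho_r):
    """Expected number of time steps to go from state 0 to state `depth`.

    First-step analysis with m[k] = expected steps to advance from k to k+1:
        m[0] = 1 + (1 - lam) m[0]                          => m[0] = 1 / lam
        m[k] = 1 + rho_r (m[k-1] + m[k]) + (1 - lam - rho_r) m[k]
             => m[k] = (1 + rho_r m[k-1]) / lam             for k >= 1
    and T_0 = m[0] + ... + m[depth-1]. With rho_r = 0 this is depth / lam
    (Theorem 1's d * lambda_0^-1); with rho_r > lam each level costs roughly
    rho_r / lam times the previous one, so T_0 grows exponentially in depth.
    """
    if depth < 1 or not 0.0 < lam <= 1.0 or rho_r < 0.0 or lam + rho_r > 1.0:
        raise ValueError("need depth >= 1, 0 < lam and lam + rho_r <= 1 per step")
    total, m_prev = 0.0, 0.0
    for k in range(depth):
        m_k = (1.0 + rho_r * m_prev) / lam if k > 0 else 1.0 / lam
        total += m_k
        m_prev = m_k
    return total


def exposure_time_in_years(depth, days_per_compromise, migrations_per_day):
    """Calendar-time version with a one-hour time step (a constructed unit):
    lam = 1 / (hours per host compromise), rho_r = migrations per hour."""
    lam = 1.0 / (days_per_compromise * 24.0)
    rho_r = migrations_per_day / 24.0
    return expected_time_to_exposure(depth, lam, rho_r) / 24.0 / 365.0


def growth_ratio(depth, lam, rho_r):
    """T_0(depth) / T_0(depth - 1): the per-level growth factor, which tends to
    rho_r / lam when rho_r > lam and towards 1 (linear growth) when rho_r << lam."""
    return (expected_time_to_exposure(depth, lam, rho_r)
            / expected_time_to_exposure(depth - 1, lam, rho_r))


if __name__ == "__main__":
    lam = 0.05  # constructed: one host compromise per 20 time steps
    print("depth  no migration  rho_r=0.1*lam  rho_r=10*lam   (unit: time steps)")
    for d in range(1, 9):
        print(f"{d:5d}  {expected_time_to_exposure(d, lam, 0.0):12.0f}  "
              f"{expected_time_to_exposure(d, lam, 0.1 * lam):13.1f}  "
              f"{expected_time_to_exposure(d, lam, 10 * lam):13.3e}")
    # Two weeks per host compromise and one migration per day, as in Section 5.4.2.
    for d in (4, 6):
        print(f"depth {d}: about {exposure_time_in_years(d, 14, 1):,.0f} years to exposure")
```

With ρr = 0 the table's first column is exactly d/λ (Theorem 1); the third column grows by a factor close to ρr/λ = 10 per added level, and the second column grows almost linearly and stays below Theorem 2's linear bound λ0 d T_λ/(λ0 − ρr).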
5.4.3 What System Parameters Enable Effective Resistance?
To identify which system parameters matter most, we study the impact of system
defenses. There are three key defense parameters: proxy network depth, proxy
migration rate and resource recovery performance. To understand the impact of proxy
network depth and migration rate, we vary them and study the amount of time required
to penetrate a proxy network. To understand the impact of resource recovery schemes,
we explore two cases: no recovery and perfect recovery. With no recovery,
compromised hosts are never recovered (this case assumes an infinite resource pool).
With perfect recovery, all compromised hosts are recovered immediately. These
cases provide an envelope for general cases using any resource recovery schemes.
5.4.3.1 Impact of Proxy Network Depth
[Figure 5-7 plot: X-axis Proxy Network Depth (d), 0 to 20; Y-axis Time to Application
Exposure (unit: λ0^-1), log scale from 10^0 to 10^20; curves: No Recovery, Perfect
Recovery; ρr = 10λ0]
Figure 5-7 Impact of Proxy Network Depth
Proxy network depth is critical for resisting penetration attacks. Theorem 2 shows
that increasing a proxy network's depth can increase the time to application exposure
exponentially (when ρr > 2λ0), thereby improving penetration resistance significantly.
For example, Figure 5-7 shows the time to application exposure (computed using
equations (I) and (II) in Section 5.4.1.2) as a function of proxy network depth for a
migration rate ρr = 10λ0; the X-axis is a proxy network's depth, and the Y-axis is the
amount of time required for exposing the application. Figure 5-7 clearly shows that the
time to application exposure increases exponentially with proxy network depth (note the
log scale). For example, in Figure 5-7, when the depth grows by five (e.g. from 5 to 10),
the time to application exposure grows by several orders of magnitude (10^4x and 10^5x
on each curve, respectively). Thus, proxy networks can be an effective barrier to
penetration attacks, and proxy network depth is a critical factor to increase the resistance.
5.4.3.2 Impact of Proxy Migration Rate
Proxy migration rate is critical for effective resistance to penetration attacks; it can
change a proxy network's penetration resistance qualitatively. Theorem 2 states that
when the proxy migration rate is sufficiently fast (ρr > 2λ0), the time to penetrate a proxy
network grows exponentially with the proxy network's depth. In this case, small
increases in proxy network depth can improve penetration resistance significantly.
Consequently, proxy networks of moderate depth can resist penetration attacks
effectively. For example, using the numbers in Table 5-2 (attackers take two weeks to
compromise a host), if the proxy migration rate is sufficiently fast (e.g. ρr = 10λ0), then
penetrating a proxy network of depth four takes about fifty years on average, and a proxy
network of depth six would take about five thousand years on average, thus eliminating
penetration attacks as a practical concern. In contrast, Theorem 2 states that when the
proxy migration rate is insufficient (ρr < λ0), the time to penetrate a proxy network grows
at most linearly with the proxy network's depth. In this case, increasing proxy network
depth cannot improve resistance significantly, and proxy networks of moderate depth
can be penetrated in a short period of time. For example, with the same attack speed as
the previous example, if the proxy migration rate is insufficient (e.g. ρr = 0.1λ0), then
penetrating a proxy network of depth four only takes two months on average, and a proxy
network of depth six would only take three months on average, providing no effective
defense against penetration attacks.
[Figure 5-8 plots: X-axis Proxy Migration Rate ρr (unit: λ0), 0 to 100; Y-axis Time to
Application Exposure (unit: λ0^-1), log scale; curves: Perfect Recovery, No Recovery;
left panel proxy network depth d = 5 (10^0 to 10^10), right panel proxy network depth
d = 10 (10^0 to 10^20)]
Figure 5-8 Impact of Proxy Migration
Furthermore, proxy migration rate also affects the time to application exposure
significantly. Figure 5-8 shows how proxy migration rate affects the expected time to
application exposure for proxy networks of depth 5 and 10 respectively. These results
clearly show that increasing migration rate increases the time to application exposure
significantly (note the log scale). For example, for a proxy network of depth 10,
doubling the migration rate increases the time to application exposure by 1000 times.
5.4.3.3 Impact of Resource Recovery
In both Figure 5-7 and Figure 5-8, the curves for no recovery and perfect
recovery differ by a moderate margin, indicating that resource recovery has only a
moderate impact on the resistance to penetration attacks. Adjusting the proxy migration
rate and the proxy network depth can compensate for poor resource recovery by
allowing proxies to flee the compromised area. This is workable as long as sufficient
intact hosts remain in the resource pool. However, in general, good resource recovery is
necessary because it can sustain an intact host population in the resource pool, and help
to overcome correlated host vulnerabilities as discussed in Section 5.5.2.
5.5 SIMULATION RESULTS: CORRELATED VULNERABILITIES
From the previous section, we know that with proxy migration, proxy networks can
resist penetration attacks effectively; the time to penetrate a proxy network increases
exponentially with the proxy network's depth. However, the analysis so far assumed
uncorrelated host vulnerabilities. Typically, hosts share a range of correlated host
vulnerabilities (e.g. exploitable bugs in the same software or operating systems,
common configuration errors, same user accounts with same passwords), and
compromising one host can increase the chance of compromising others significantly.
In this section, we use a Monte-Carlo simulation to study systems in which hosts have
correlated vulnerabilities. We first analyze how adding correlated host vulnerabilities
affects the previous results, and what can be used to mitigate the negative impact of
correlated host vulnerabilities. Then, based on these results, we study whether proxy
networks can resist penetration attacks with correlated host vulnerabilities.
In the simulation, we choose λv to be close to 1, to represent highly correlated host
vulnerabilities [3]; i.e. once attackers compromise a host, they can compromise any other
host in the same domain with a high probability λv within the next time step (recall that
hosts in a domain have highly correlated vulnerabilities, and hosts across domains are
uncorrelated). λ0 is set according to Table 5-2; other parameters are relative to λ0, and
can be easily inferred.
[3] As long as λv is significantly larger than λ0, the results are qualitatively the same.
5.5.1 How Does Adding Correlated Host Vulnerabilities Affect Previous Results?
[Figure 5-9 plot: X-axis Proxy Network Depth, 0 to 35; Y-axis Time to Application
Exposure (unit: λ0^-1), 0 to 4; curves: ρr = 10λ0, λv = 0.90 and ρr = 30λ0, λv = 0.90]
Figure 5-9 Impact of Proxy Network Depth with Correlated Host Vulnerabilities
To answer this question, we consider a system in which all hosts are in the same
domain, where the host vulnerabilities are highly correlated (λv = 0.9) and the hosts do not
use proactive resets to remove known vulnerabilities (ρs = 0). Figure 5-9 shows the time
to application exposure as a function of proxy network depth with high proxy migration
rates (ρr = 10λ0 and ρr = 30λ0 respectively) and instantaneous reactive resource recovery
(ρd = 1, all hosts are recovered immediately after they are compromised). In Figure 5-9,
the X-axis is proxy network depth, and the Y-axis is the time to application exposure.
Our simulation results show that correlated vulnerabilities have a major impact on a
proxy network's resistance to penetration attacks. Recall that if host vulnerabilities are
uncorrelated (as in Figure 5-7), the time to application exposure would increase
exponentially with proxy network depth. However, both curves in Figure 5-9 stay flat,
indicating that in a system with correlated host vulnerabilities, the time to application
exposure does not increase much with proxy network depth, which means that the proxy
network cannot resist penetration attacks effectively. Therefore, correlated host
vulnerabilities can change a proxy network's ability to resist penetration attacks
qualitatively, thus dramatically reducing the effectiveness of defense.
5.5.2 How to Mitigate the Impact of Correlated Host Vulnerabilities?
Unless the negative impact of correlated host vulnerabilities can be mitigated,
proxy networks cannot resist penetration attacks effectively. We consider two
techniques for mitigation: proactive resets and host diversity. Proactive resets can
remove known host vulnerabilities before they can be attacked, thereby mitigating the
impact of correlated host vulnerabilities. Meanwhile, host diversity (recall that the
degree of host diversity is the number of domains in the system) can reduce correlated
host vulnerabilities because only hosts inside the same domain have correlated host
vulnerabilities, and hosts in different domains are uncorrelated.
[Figure 5-10 plot: X-axis Proxy Network Depth, 0 to 35; Y-axis Penetration Probability
(10^6 time steps), 0 to 1; curves: ρs = λ0, ρs = 5λ0, ρs = 10λ0, ρs = 20λ0, No Correlation;
ρr = 10λ0, λv = 0.99, 1 domain]
Figure 5-10 Penetration Probability under Varied Proactive Reset Rates
To study how proactive resets reduce the negative impact of correlated host
vulnerabilities, we vary the proactive reset rate and study the penetration probability for
proxy networks in a system of one domain (all the hosts have highly correlated
vulnerabilities, λv = 0.90). Specifically, for a range of proxy networks with varied
depths, we measure the probability of penetrating them within 10^6 time steps under
varied proactive reset rates. The results are shown in Figure 5-10. The X-axis is the
depth of a proxy network, and the Y-axis is the probability of penetrating the proxy
network within 10^6 time steps. Each curve corresponds to a proactive reset rate (ρs).
The case of uncorrelated host vulnerabilities is also shown for comparison; the gap
between a curve and the uncorrelated case measures the remaining impact of correlated
host vulnerabilities, and a smaller difference indicates a better reduction of that impact.
Figure 5-10 shows that even for high proactive reset rates, the impact of correlated host
vulnerabilities is still prominent. This is because proactive resets are not guaranteed to
happen before attacks, and known host vulnerabilities are not always removed before
being attacked. Therefore proactive resets alone cannot contain the impact of correlated
host vulnerabilities effectively.
We study whether adding host diversity into the system can reduce the negative
impact of correlated host vulnerabilities. In particular, at a fixed proactive reset rate
(e.g. ρs = 10λ0) and a fixed proxy migration rate (e.g. ρr = 10λ0), we measure the
probability of penetrating a proxy network in systems of varied degrees of host
diversity. In each system, hosts are partitioned equally into k domains (k = 1, 2, 3, 4, 8),
and proxies are placed randomly on the hosts. The results are shown in Figure 5-11.
The X-axis is the depth of a proxy network, and the Y-axis is the probability of
penetrating the proxy network within 10^6 time steps. Each curve corresponds to a
certain degree of host diversity; the case of uncorrelated host vulnerabilities is also
plotted for comparison, and each curve's gap from it shows the remaining impact of
correlated host vulnerabilities.
[Figure 5-11 plot: X-axis Proxy Network Depth, 0 to 35; Y-axis Penetration Probability,
0 to 1; curves: No Correlation ( domains), 1 domain (no diversity), 2 domains, 3 domains,
4 domains, 8 domains; ρr = 10λ0, ρs = 10λ0, λv = 0.99]
Figure 5-11 Penetration Probability under Varied Host Diversity
Figure 5-11 shows that adding even small degrees of host diversity into the system
can reduce the impact of correlated host vulnerabilities significantly. In Figure 5-11,
without host diversity, a proxy network of depth 32 can be penetrated within 10^6 time
steps (with probability 1). In contrast, in a system with two domains, a proxy network
of depth 25 cannot be penetrated within 10^6 time steps (penetration probability is close
to zero); and in a system with three domains, a proxy network of depth 15 cannot be
penetrated within 10^6 time steps.
Figure 5-12 Host Diversity in a Proxy Chain
[Figure 5-12: proxies 1, 2, 3, ..., d in front of the Application; legend: Domain 1, Domain 2]
We use an example to explain why host diversity reduces the negative impact of
correlated host vulnerabilities. Consider a proxy chain shown in Figure 5-12; proxy 1
and 3 run on hosts in the same domain, while proxy 2 runs on a host in a different
domain. After proxy 1 is compromised, the host of proxy 3 becomes vulnerable because
it has the same vulnerability used for compromising proxy 1. However, proxy 3 is not
exposed yet, and attackers cannot attack proxy 3 before compromising proxy 2. Since
proxy 1 and proxy 2 are uncorrelated, proxy 2 is not affected by proxy 1's compromise,
and becomes a barrier to slow down attackers. By the time attackers compromise proxy
2 and start attacking proxy 3, there is a good chance that proactive resets have already
removed the known vulnerability on proxy 3's host. Therefore, host diversity (with
proactive resets) can greatly reduce the impact of correlated host vulnerabilities.
5.5.3 Can Proxy Networks Resist Penetration Attacks with Correlated Vulnerabilities?
We have shown that host diversity and proactive resets can potentially counter the
negative impact of correlated host vulnerabilities. However, as shown in Figure 5-11, a
naive scheme (proxies are randomly placed on hosts) is insufficient to remove the
negative impact of correlated host vulnerabilities. The simple scheme has two main
shortcomings.
First, placing proxies randomly allows neighboring proxies to run in the same
domain, so their host vulnerabilities are correlated and they will fail together. A better
approach is to place neighboring proxies on hosts in different domains, which will
increase the effectiveness of the proxy network in slowing the attack progress.
Second, allowing proxies to migrate to random hosts may help attackers, because a
proxy may migrate to a host which has known vulnerabilities, allowing it to be
compromised quickly, thereby improving the attack progress.
Figure 5-13 Interleaved Design for A Proxy Chain
To address these issues, we develop an interleaved proxy network design where 1)
proxy hosts are selected such that the distance is maximized between any pair of proxies
in the same domain, and 2) proxy migrations are confined to hosts from the same
domain. For example, as shown in Figure 5-13, we can place a chain of proxies to hosts
of k domains using a round-robin order [4].
To understand the effectiveness of the interleaved design in reducing the impact of
correlated host vulnerabilities, we measure the probability of penetrating proxy
networks using this design in systems with varied degrees of host diversity. The results
for two proxy migration rates (ρr = 5λ0 and ρr = 10λ0) are shown in Figure 5-14. The
X-axis is the depth of a proxy network, and the Y-axis is the probability of penetrating
the proxy network within 10^6 time steps. Each curve corresponds to a certain degree of
host diversity, and the case of uncorrelated host vulnerabilities is also plotted for
comparison. In Figure 5-14, the curves for 4 and 8 domains closely follow the curve for
the uncorrelated case. To verify this finding, we also study the system for longer time
periods (10^7 and 10^8 time steps, see Figure 5-15), and observe the same phenomena:
with 4 or more domains, the system behaves almost identically to one with uncorrelated
vulnerabilities. This indicates that using a small degree of host diversity, e.g. 4
domains, our design can reduce the negative impact of correlated host vulnerabilities
significantly, and enable a proxy network to resist penetration attacks effectively.
[4] Here we only consider simple proxy network topologies, such as a line or a tree, in which
round-robin assignment can trivially implement the heuristic. Complex topologies require more
sophisticated assignment schemes; for a system of k domains the minimum distance between
proxies of the same domain may be less than k−1.
[Figure 5-13: proxies 1, 2, 3, 4, 5 in front of the Application, placed round-robin over
Domain 1, Domain 2, Domain 3]
Figure 5-14 Effectiveness of Interleaved Design
[Two plots. X-axis: Proxy Network Depth (0 to 35). Y-axis: Penetration Probability (10^6 time steps), from 0 to 1. Curves: no correlation, 2 domains, 3 domains, 4 domains, 8 domains. Left plot: r =5 0; right plot: r =10 0; both with s =10 0 and v =0.99.]
Figure 5-15 Effectiveness of Interleaved Design (data points observed from 10^7 and 10^8 time steps)
[Two plots. X-axis: Proxy Network Depth (0 to 35). Y-axis: Penetration Probability, from 0 to 1, within 10^7 time steps (left plot) and 10^8 time steps (right plot). Curves: no correlation, 2 domains, 3 domains, 4 domains, 8 domains. Both plots: r =10 0, s =10 0, v =0.99.]
Here is why a small degree of host diversity can be used for effective defense. In the interleaved design for a chain of proxies in a system of k domains (illustrated in Figure 5-13), between any two proxies (A and B) in the same domain there is a path of k-1 proxies in different domains. After compromising proxy A, attackers must penetrate this path before they can attack proxy B. Since the penetration time grows exponentially with the path length (which is k-1), a small degree of host diversity (or number of domains k) can provide a large penetration time (see footnote 5), allowing enough time for proactive resets to remove the known vulnerabilities on proxy B's host (used for proxy A's compromise) before they are attacked. Therefore, the interleaved design can reduce the impact of correlated host vulnerabilities significantly, thus enabling effective resistance to penetration attacks.
Footnote 5: It takes 100 times longer to penetrate a path with length three (case of 4 domains) than length one (case of 2 domains), when r =10 0.
5.6 SUMMARY
We develop a stochastic model based on the generic framework introduced in Chapter 4 and use it to characterize the impact of attacks and defenses on the proxy network system. Based on this model, we combine analysis with Monte Carlo simulation to study proxy networks' resistance to penetration attacks. We show that,
- without reconfiguration mechanisms, a proxy network is vulnerable to penetration attacks;
- with proxy migration, a proxy network can resist penetration attacks effectively: the time to penetrate the proxy network grows exponentially with its depth, so that a moderate depth enables effective resistance to penetration attacks. Proxy network depth and proxy migration rates are the critical factors for achieving effectiveness;
- in many cases, correlated host vulnerabilities can make a proxy network vulnerable to penetration attacks;
- by exploiting the host (OS/software) diversity and intelligent proxy network construction, a proxy network can mitigate the negative impact of correlated host vulnerabilities and resist penetration attacks effectively.
First, we analyze situations with uncorrelated host vulnerabilities. We prove that without reconfiguration, the time to penetrate a proxy network grows linearly with the proxy network depth; this indicates that, without reconfiguration, a proxy network is vulnerable to penetration attacks. We also prove that with proxy migration, the time to penetrate a proxy network can grow exponentially with the proxy network depth; this indicates that, with proxy migration, a proxy network of a moderate depth can resist penetration attacks effectively.
Then, using Monte Carlo simulations, we study situations with correlated host
vulnerabilities. We show that, by exploiting host diversity and intelligent proxy network
construction, a proxy network can behave as well as in the uncorrelated case, mitigating
the impact of correlated host vulnerabilities and enabling effective resistance to
penetration attacks.
Chapter 6 RESISTING PROXY DEPLETION ATTACKS
Proxy depletion attacks are a critical threat for applications using proxy network-based DoS defense. By compromising proxies along a proxy network's topology, such attacks can increase the number of compromised proxies, and may eventually make the proxy network dysfunctional by compromising all the proxies. In this chapter, we study proxy networks' ability to resist proxy depletion attacks and characterize the requirements for effective resistance.
6.1 INTRODUCTION
We study the circumstances under which a proxy network can provide stable
defense against proxy depletion attacks in a system where host vulnerabilities are
uncorrelated. In particular, we study the question of when a proxy network is
recoverable under proxy depletion attacks and when it is not. As defined in Section 4.4,
a proxy network is recoverable if all the compromised proxies can be recovered
regardless of how many proxies are compromised initially.
We study these problems analytically. We use the stochastic model defined in
Section 5.2 to characterize the dynamics of system components. In particular, the model
quantifies how attacks and defenses affect changes in the state of system components.
Based on this model, we use a graph-based analysis to study the changes in
compromised proxy population as a function of attacks, defenses, and proxy network
topology.
Through this analysis, we find that topology is critical for a proxy network's resistance to proxy depletion attacks. We provide two theorems: one which characterizes the class of topologies that allow the attackers' progress to be erased quickly, thereby enabling effective defense against proxy depletion attacks, and the other which identifies the class of topologies that allows attacks to expand quickly, thereby making the proxy network vulnerable. Using these results, we conduct a case study on a range of popular proxy network topologies to identify the topologies that can support effective resistance to proxy depletion attacks, and those that cannot.
The remainder of the chapter is structured as follows. Section 6.2 describes the
stochastic model used in our analysis. Section 6.3 presents our analytical results and the
design principles based on the analysis. Section 6.4 presents the case study. Section 6.5
summarizes our results.
6.2 STOCHASTIC MODEL
We use the stochastic model defined in Chapter 5 to describe how attacks and
defenses change the state of system components; as such, we can quantify how attacks,
defenses, and proxy network topology affect the system dynamics under proxy depletion
attacks. Since considering topology in the analysis adds significant complexity, we only study systems with uncorrelated host vulnerabilities and without resource recovery (see footnote 6) to make the analysis tractable. Specifically, we fix the following parameters in the model. First, the resource recovery rates (both reactive and proactive) are fixed to zero. Second, host vulnerabilities are uncorrelated.
Footnote 6: This assumes an infinite resource pool.
Figure 6-1 Proxy State Transition
For clarity, we briefly describe the model used in the analysis. The model, denoted by M(G, , ), uses three parameters to describe proxy state transitions (see Figure 6-1). Parameter G is the proxy network topology; the second parameter is the speed of attack (host compromise rate 0 in the previous model); the third parameter is the speed of defense (proxy migration rate r in the previous model). Proxies change state according to three rules:
- With probability equal to the attack speed, an exposed proxy can be changed into the compromised state at the next step.
- With probability equal to the defense speed, a compromised or exposed proxy can be changed into the intact state at the next step (or exposed, according to the last rule).
- u and v are vertices of G. If uv is an edge in G, and u is compromised and v is intact, then v is instantaneously exposed.
We use an example to show how to apply the stochastic model to describe a system under proxy depletion attacks. Figure 6-2 shows a snapshot of a proxy network's state (the state of all the proxies) under a proxy depletion attack. As shown in Figure 6-2, proxy depletion attacks propagate along the proxy network topology. Within a discrete time step, attackers have a probability (the attack speed) to compromise an exposed proxy; if successful, attackers expose all the neighbors of the compromised proxy. Meanwhile, within a discrete time step, defenses have a probability (the defense speed) to migrate an exposed (or compromised) proxy to a new location, thereby changing its state to intact. As such, we can use the stochastic model to describe a proxy network under proxy depletion attacks.
Figure 6-2 System Dynamics under Proxy Depletion Attacks
6.3 GRAPH-THEORETIC ANALYSIS
In this section we study, analytically, proxy networks' resistance to proxy depletion attacks. Using the stochastic model described in Section 6.2, we study the changes of the compromised proxy population as a function of attacks, defenses, and topology, in order to understand when a proxy network can provide stable defense against proxy depletion attacks. Specifically, we present and prove two theorems which characterize the circumstances when a proxy network is recoverable under proxy depletion attacks, and when it is not. Based on these results, we discuss design principles for proxy networks in order to achieve effective resistance to proxy depletion attacks.
6.3.1 Analysis and Results
Using the stochastic model defined in Section 6.2, we study the time evolution of
compromised proxy population by analyzing the state transitions for all the proxies in
the proxy network. Specifically, for each proxy, we consider its probability of being
compromised, and study how this probability changes over time, according to the proxy
state transition rules described in the stochastic model. Through this approach, we can
determine whether or not a proxy network is recoverable. If for all proxies in a proxy
network the probability of being compromised approaches zero over time, then the
proxy network is recoverable; on the other hand, if there are always proxies whose
probability of being compromised is non-zero, then the proxy network is not
recoverable.
Through this analysis, we provide Theorem 3 and Theorem 4, which characterize
the circumstances when a proxy network is recoverable and when it is not, respectively.
They show how attack, defense, and the spectra (eigenvalues) of the proxy network topology G determine a proxy network's resistance to attacks. In the following, we describe the theorems, discuss their meaning, and present proofs. For reference, some general graph theory background about the spectra of graphs used in the proofs is introduced in the Appendix.
A) Theorem for Recoverable Proxy Networks
Theorem 3. Theorem for Recoverable Proxy Networks: For model M(G, , ), G is robust if (+)/ > $\sigma_1$ (see footnote 8), where $\sigma_1$ is the largest eigenvalue of the adjacency matrix of G. In particular, for any initial states, almost surely all compromised and exposed vertices vanish after $O(\log n)$ steps, with a constant factor that depends on the attack speed, the defense speed and $\sigma_1$, where n is the number of vertices in G.
Theorem 3 uses the attack speed, the defense speed, and the graph property $\sigma_1$ of the proxy network topology to characterize when a proxy network is recoverable under proxy depletion attacks. $\sigma_1$ is the largest eigenvalue of the proxy network topology, characterizing connectivity. Informally, we can treat $\sigma_1$ as an average vertex degree of the graph (see footnote 7).
Figure 6-3 Illustration of Theorem 3
Theorem 3 provides a sufficient condition for a proxy network being recoverable. It says that when the defense speed (proxy migration rate) is $\sigma_1$ times (see footnote 8) faster than the attack speed (host compromise rate), the proxy network is recoverable. In this case, all compromised proxies will be quickly returned to the intact state regardless of the initial state of the proxy network, even if there are many compromised proxies initially. Here is an intuitive explanation of Theorem 3. As shown in Figure 6-3, a proxy depletion attack propagates along the proxy network topology; once a proxy is compromised, all its neighbors (each proxy has approximately $\sigma_1$ neighbors) are exposed and subject to immediate attacks. If the defense speed is $\sigma_1$ times faster than the attack speed, then the defense can move all the newly exposed proxies to new locations before attackers compromise any of them, thereby preventing attack propagation. Proof of Theorem 3 is given below.
Footnote 7: We have $d_{\min} \le \sigma_1 \le d_{\max}$ for any graph G, where $d_{\min}$ and $d_{\max}$ are, respectively, the smallest and the largest vertex degree of the graph. In particular, $\sigma_1 = d$ for any d-regular graph.
Footnote 8: More precisely, (+)/ > $\sigma_1$. We know + is a non-trivial constant. Therefore, / is the deciding factor on the left-hand side of the inequality.
Proof of Theorem 3:
Let $f_v^t$ (or $g_v^t$) be the probability that the node v is compromised (or exposed) at time t, respectively. We have the following recurrence formula for every vertex v and time t.
+ =
+ =
[ [
+ + + +
+
v u v u
t
u
t
v
t
u
t
v
t
v
t
v
t
v
t
v
f g f f g
g f f
~ ~
1 1 1 1
1
) 1 ( ) 1 ( )) 1 ( 1 )( 1 (
) 1 (
Here $u \sim v$ means uv is an edge. The first additive term in $g_v^{t+1}$ is the contribution due to the fact that a neighbor of v is compromised at time t+1. The second term is the probability that a vertex is exposed at time t and continues to be exposed at t+1. We can rewrite it as follows.
+ =
+ =
[
+ +
+
v u
t
v
t
u
t
v
t
v
t
v
t
v
t
v
t
v
g f g f g
g f f
~
1 1
1
) 1 ( )) 1 ( 1 )( ) 1 ( ) 1 ( 1 (
) 1 (
Furthermore, we have
+ s
+ +
v u
t
v
t
u
t
v
g f g
~
1 1
) 1 ( . Here we use the inequality
$1 - \prod_{u \sim v}(1 - f_u^{t+1}) \le \sum_{u \sim v} f_u^{t+1}$. Let $f^t$ be the column vector with i-th entry $f_i^t$, and let $g^t$ be the column vector with i-th entry $g_i^t$. We get the following equations.
+ s
+ =
+ +
+
t t t
t t t
g Af g
g f f
) 1 (
) 1 (
1 1
1
A is the adjacency matrix of G. Given two vectors X and Y, the notation $X \le Y$ means $X_i \le Y_i$ for every index i. We can rewrite it into the following matrix form.
|
|
.
|
\
|
|
|
.
|
\
|
s
|
|
.
|
\
|
|
|
.
|
\
|
+
+
t
t
t
t
g
f
I
I I
g
f
I A
I
) 1 ( 0
) 1 ( 0
1
1
We left-multiply both sides with the non-negative matrix $\begin{pmatrix} I & 0 \\ A & I \end{pmatrix}$, and we have
|
|
.
|
\
|
=
|
|
.
|
\
|
|
|
.
|
\
|
+
s
|
|
.
|
\
|
+
+
t
t
t
t
t
t
g
f
M
g
f
I A A
I I
g
f
) 1 ( ) 1 (
) 1 (
1
1
(i)
Let M denote the square matrix in the above inequality. We have
|
|
|
.
|
\
|
+
|
|
|
.
|
\
|
+
+ +
+
|
|
.
|
\
|
+
=
|
|
.
|
\
|
+ + +
+
=
I
I
x
I
A
x
x
I x
I x
I A
x
I
I x A A
I I x
M xI
0
1
1
) 1 ( 0
0 ) 1 (
1
1
0
) 1 ( ) 1 (
) 1 (
Therefore
[
=
+ + + =
n
i
i
x x x M xI
1
) ) 1 )( 1 (( ) det( o ...(ii).
Here $\sigma_1 \ge \sigma_2 \ge \dots \ge \sigma_n$ are the eigenvalues of A. Furthermore, let $x_1 \ge x_2 \ge \dots \ge x_{2n}$ be the eigenvalues of M, and we know that $\lim_{t \to \infty} (f^t, g^t) = (0, 0)$ if $|x_i| < 1$. It is clear from (ii) that all the eigenvalues of M are positive. Therefore, for $|x_i| < 1$, it is sufficient if $x_1 < 1$.
x
1
satisfies the equation 0 ) 1 )( 1 ( ) (
1
= + + + = x x x x o k and x
1
<1 if and
only if 0 ) ( ) 1 (
1
> + = o k which is
1
) (
o
>
+
. Therefore, when
1
) (
o
>
+
, for any initial state, almost surely there are no compromised or exposed
nodes after ) log
2
( )
log
log
(
1
2
1
1
n O
x
n
O
o
o
+
+
=
steps. Q.E.D.
B) Theorem for Unrecoverable Proxy Networks
Theorem 4. Theorem for Unrecoverable Proxy Networks: For the model M(G, , ), G is vulnerable if the defense speed is less than $1/\tau^2 - 1$ times the attack speed, where $\tau = \max_{i \ne 0} |1 - \tau_i|$ and $\{\tau_i\}$ are the Laplacian spectrum of G. In particular, with some constant probability, the volume of compromised vertices reaches $O(\tau^2\,\mathrm{vol}(G))$ within $O(\log n)$ steps, with a constant factor that depends on the attack speed, the defense speed and $\tau$, where n is the number of vertices in G. The volume of a vertex set S, vol(S), is the sum of the degrees of the vertices in S, i.e. $\mathrm{vol}(S) = \sum_{v \in S} d_v$.
Theorem 4 uses the attack speed, the defense speed, and the graph property $\tau$ of the proxy network topology to characterize when a proxy network is not recoverable under proxy depletion attacks. Parameter $\tau$ is the Laplacian spectrum of the proxy network topology graph. The Laplacian spectrum $\tau$ is another important property that characterizes graph connectivity, describing how a set of vertices expands to its neighborhood; informally, it is the ratio between the number of edges connecting these vertices and the total number of edges these vertices have. For any graph, $0 \le \tau \le 1$; a smaller $\tau$ implies richer connectivity and better neighborhood expansion in the graph, where a small set of vertices connects many neighbors. Extensive discussion about the Laplacian spectrum can be found in [114].
Figure 6-4 Illustration of Theorem 4
Theorem 4 describes a sufficient condition for a proxy network being unrecoverable. It says that when the defense speed (proxy migration rate) is less than $1/\tau^2 - 1$ times the attack speed (host compromise rate), the proxy network is unrecoverable. In this case, even if attackers only have one compromised proxy at the beginning, the number of compromised proxies will grow quickly, and the defense can never cleanly remove them. More importantly, this theorem applies to any sub-graph of a proxy network topology. If this condition holds in any sub-graph of a proxy network, then the compromised proxies in that sub-graph will linger and never be completely removed. Here is an intuitive explanation of Theorem 4. As shown in Figure 6-4, for a set of N compromised proxies (in the shaded area in Figure 6-4), there are approximately
N ) 1 (
2
t
times the attack speed, then there is a high level of probability that the defense cannot
move all the newly exposed proxies to new locations before some of them are
compromised, thereby allowing the attack to propagate. Proof of Theorem 4 is given
below.
Proof of Theorem 4:
In the proof, we use the following lemma about the Laplacian spectrum, which has already been proved in [114].
Lemma 0: Suppose G is not a complete graph. For $S \subset V(G)$, the neighborhood N(S) satisfies
$\frac{\mathrm{vol}(N(S))}{\mathrm{vol}(S)} \ge \frac{1}{\tau^2 + (1 - \tau^2)\,\mathrm{vol}(S)/\mathrm{vol}(G)}$,
where $\tau = \max_{i \ne 0} |1 - \tau_i|$ is the Laplacian spectrum of G.
Let $S_t$ (or $T_t$) be the set of compromised (or exposed) nodes at time t, respectively. Let $X_t$ be the volume of the set of compromised nodes, i.e. $X_t = \mathrm{vol}(S_t)$. Let $Y_t = \mathrm{vol}(T_t)$ be the volume of the set of exposed nodes. We have
+ + >
+ =
+ =
+ +
+ + + + +
+
)) \ ) ( ( ( ) ( ) ( ) 1 (
)) \ ) ( ( ( ))) \ ) ( ( \ ( ( ) 1 ( ) (
) ( ) ( ) 1 ( ) (
1 1
1 1 1 1 1
1
t t t
t t t t t t
t t t
S S N vol E Y E
S S N vol E S S N T vol E Y E
Y E X E X E
.
From Lemma 0, for any subset S with $\mathrm{vol}(S) \le c\,\mathrm{vol}(G)$, we have $\frac{\mathrm{vol}(N(S))}{\mathrm{vol}(S)} \ge \frac{1}{\tau^2 + (1 - \tau^2)c}$. Let $\sigma = \frac{1}{\tau^2 + (1 - \tau^2)c} - 1$. The following recurrence formula holds as long as $\mathrm{vol}(S_{t+1}) \le c\,\mathrm{vol}(G)$.
+ + >
+ =
+ +
+
) ( ) ( ) ( ) 1 ( ) (
) ( ) ( ) 1 ( ) (
1 1
1
t t t
t t t
X E Y E Y E
Y E X E X E
o
We can rewrite it into the following form.
|
|
.
|
\
|
|
|
.
|
\
|
>
|
|
.
|
\
|
|
|
.
|
\
|
+
+
+
) (
) (
1 0
1
) (
) (
1 ) (
0 1
1
1
t
t
t
t
Y E
X E
Y E
X E
o
Left-multiplying both sides by a non-negative matrix
|
|
.
|
\
|
+ 1 ) (
0 1
o
, we have
|
|
.
|
\
|
>
|
|
.
|
\
|
+
+
) (
) (
) (
) (
1
1
t
t
t
t
Y E
X E
M
Y E
X E
, where
|
|
.
|
\
|
+ + +
=
o o
) ( ) 1 ( ) 1 ( ) (
1
M .
The characteristic polynomial p(x) of M is
x x x x p o ) ( ) 1 )( 1 ( ) ( + + + + = .
Since ) )( ( ) 1 ( o + = p , the largest eigenvalue o(M) of M is greater than 1 if
<o. In this case, we have
o
o
) ( 2
2
) (
2
+ +
+
> M . Let (c
1
,c
2
) be the
corresponding eigenvector of o(M) so that (c
1
, c
2
)M=o(M)(c
1
, c
2
). Then, both c
1
and c
2
115
are positive. The expected value of $c_1 X_t + c_2 Y_t$ increases by a factor of at least
o
o
o
) ( 2
) )( (
1 ) (
+ +
+
+ > M until X
t
> cvol(G).
Let $Z_t = c_1 X_t + c_2 Y_t$. The statement above shows that the expected value of $Z_t$ grows exponentially as a function of t. By the recurrence formulas of $E(X_t)$ and $E(Y_t)$, the expected values of both $X_t$ and $Y_t$ will grow exponentially. It is sufficient to show that $Z_t$ grows exponentially with constant probability.
By Chernoff's Inequality, we can show that $Z_t$ concentrates on its expected value. There exists an absolute constant c such that the following statement holds.
) (
2
)) ( ) 1 ( Pr(
t
Z E c
t t
e Z E Z
c
c
s > .
Since E(Z
t
) increases by a factor of o(M) and
>
0
) (
2
t
M c
t
e
o c
converges, there
exists an absolute constant t
0
such that
2
1
0
2
) (
<
>
t t
Z E c
t
e
c
. Moreover, there is a
constant probability that $Z_t > E(Z_{t_0})$ for some $t \le 2t_0$. Hence, with a positive constant probability, $Z_t$ will grow at least by a factor $(1 + \sigma(M))/2 > 1$ until $X_t$ reaches $c\,\mathrm{vol}(G)$. We choose $c = O(\tau^2)$ so that $\sigma \approx 1/\tau^2 - 1$. Therefore we have the following statement.
When 1
1
2
~ <
t
o
, Z
t
, X
t
and Y
t
will reach )) ( (
2
G vol t O with a constant
probability within ) log
) 1 ) /( (
( ) log
2
) )( (
(
2
2
2
n n
t
t
o o
o
+ +
O =
+
+
O steps.
Therefore Theorem 4 is proved. Q.E.D.
6.3.2 Design Principles
Our analysis shows that topology is important for a proxy network's resistance to proxy depletion attacks. A good topology supports robust defense against proxy depletion attacks, enabling attackers' progress to be erased quickly; conversely, a bad topology allows attacks to expand quickly, making a proxy network vulnerable to proxy depletion attacks. Our theorems reveal the relation between key properties of topology and a proxy network's resistance to proxy depletion attacks. As a result, the theorems allow us to identify favorable and unfavorable proxy network topologies for effective defense against proxy depletion attacks.
A) Unfavorable Topologies for Resisting Proxy Depletion Attacks
Topologies with high vertex degrees or large clusters of tightly connected vertices are unfavorable for supporting effective defense against proxy depletion attacks. From Theorem 3, we know that topologies with high vertex degrees allow attackers to expose a large number of proxies by compromising one proxy, thereby requiring the defense speed to be significantly faster than the attack speed to erase the attack progress and thus make the proxy network recoverable. Therefore, such topologies are unfavorable for supporting effective defense against proxy depletion attacks. Furthermore, from
Theorem 4 we know that topologies with large clusters of tightly connected nodes (such clusters have large $1/\tau^2$
Topology | Number of vertices | Vertex degree | Diameter
n-dimensional torus (CAN) | $\prod_{i=1}^{n} z_i$ | 2n | $\sum_{i=1}^{n} z_i/2$
Chord graph with N=2^n nodes | $2^n$ | 2n-1 | n
k-ary de Bruijn graph of order n (undirected) | $k^n$ | $\le 2k$ | n
n-dimensional hypercube | $2^n$ | n | n
6.4.1.1 Chord
As a convention, we use N to denote the number of vertices in a graph. Chord [38] topology is a regular graph with degree $2\log_2 N - 1$. Consider a Chord network with $N = 2^n$ nodes; each node is given a unique ID between 0 and N-1, and there is an edge between vertices i and j if and only if $j - i \equiv 2^k \pmod{N}$, where $0 \le k \le n-1$ is an integer (Figure 6-5). Intuitively, in a Chord topology all the nodes are on a ring and two nodes are connected if and only if there are $2^k - 1$ nodes between them.
Figure 6-5 Chord Network Topology (N=8)
6.4.1.2 CAN
Figure 6-6 Two-dimensional CAN Network (N=9)
CAN [39] topology is an n-dimensional Cartesian space torus [40]. An n-dimensional torus of dimensions $z_1, \dots, z_n$ is a regular graph of degree 2n, which has $N = \prod_{i=1}^{n} z_i$ vertices, with edges joining two vertices whenever their Cartesian coordinates are adjacent (wrap-around allowed) and differ in only one dimension. Its diameter is $\sum_{i=1}^{n} z_i/2$. Figure 6-6 shows a 2D-CAN network with 9 nodes.
6.4.1.3 De Bruijn
Figure 6-7 Undirected Binary de Bruijn Graph (N=8)
A binary de Bruijn graph is the state transition graph of a shift register. A binary de Bruijn graph [40] of order n has $N = 2^n$ nodes labeled with the bit representation of the numbers $0, \dots, 2^n - 1$, where vertices are connected if and only if the label of one is the left- or right-shifted label of the other, or it is the left- or right-shifted label of the other and differs, correspondingly, in the first or last bit. An undirected de Bruijn graph can be straightforwardly derived by removing self-loops and redundant edges. Figure 6-7 shows an undirected binary de Bruijn graph of order 3. Furthermore, a k-ary de Bruijn graph is defined similarly by allowing k labeling symbols instead of bits. A k-ary de Bruijn graph of order n has $N = k^n$ nodes with a maximum vertex degree of 2k and a diameter of n.
6.4.1.4 Hypercube
An n-dimensional hypercube [40] is a graph with $N = 2^n$ vertices labeled by n-bit binary strings, with edges joining two vertices whenever their labels differ in a single bit. Figure 6-8 shows a 3-dimensional hypercube. It is a regular graph with vertex degree n and has a diameter of n.
Figure 6-8 3-dimensional Hypercube (N=8)
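The three transition rules of Section 6.2, the sufficient condition of Theorem 3 and the Chord and hypercube constructions above, as one added example that is not the thesis's code: it builds the two topologies, obtains the largest adjacency eigenvalue (called sigma_1 here) by power iteration, evaluates the Theorem 3 condition, and runs the three rules as a seeded Monte Carlo simulation. The parameter names alpha (attack speed) and beta (defense speed), the reading of footnote 8 as (alpha + beta)/alpha > sigma_1, the tie-break that migration wins over attack within one step, and the dict-of-sets graph representation are all assumptions.

```python
"""Model M(G, attack, defense) under a proxy depletion attack: added example,
not the thesis's code. Assumptions: attack and defense speeds are named alpha
and beta; a topology is a dict mapping each vertex to its set of neighbours;
sigma_1 comes from power iteration, not a linear-algebra library; a proxy that
is attacked and migrated in the same step ends up migrated."""
import random

INTACT, EXPOSED, COMPROMISED = "intact", "exposed", "compromised"


def hypercube(n):
    """n-dimensional hypercube: 2^n vertices, edge when labels differ in one bit."""
    return {v: {v ^ (1 << b) for b in range(n)} for v in range(1 << n)}


def chord(n):
    """Chord ring with N = 2^n nodes: i and j adjacent iff j - i = +/-2^k (mod N)."""
    size = 1 << n
    adj = {v: set() for v in range(size)}
    for v in range(size):
        for k in range(n):
            u = (v + (1 << k)) % size
            adj[v].add(u)
            adj[u].add(v)
    return adj


def largest_eigenvalue(adj, iters=300):
    """Largest adjacency eigenvalue (sigma_1 of Theorem 3) by power iteration on
    A + I, so bipartite graphs like the hypercube do not oscillate between
    +sigma_1 and -sigma_1; the final Rayleigh quotient on A drops the shift."""
    verts = list(adj)
    x = {v: 1.0 for v in verts}
    for _ in range(iters):
        y = {v: x[v] + sum(x[u] for u in adj[v]) for v in verts}
        scale = max(y.values())
        x = {v: y[v] / scale for v in verts}
    ax = {v: sum(x[u] for u in adj[v]) for v in verts}
    return sum(x[v] * ax[v] for v in verts) / sum(x[v] ** 2 for v in verts)


def theorem3_recoverable(adj, alpha, beta):
    """Sufficient condition of Theorem 3, read here as (alpha + beta) / alpha > sigma_1
    (footnote 8, an assumption): the defense must be about sigma_1 times faster."""
    return (alpha + beta) / alpha > largest_eigenvalue(adj)


def expose_neighbours(adj, state):
    """Rule 3: every intact neighbour of a compromised proxy is instantly exposed."""
    for v, s in list(state.items()):
        if s == COMPROMISED:
            for u in adj[v]:
                if state[u] == INTACT:
                    state[u] = EXPOSED


def simulate(adj, alpha, beta, initially_compromised, steps, seed=0):
    """Monte Carlo run of the three transition rules; returns the number of
    compromised proxies after each discrete time step."""
    rng = random.Random(seed)
    state = {v: INTACT for v in adj}
    for v in initially_compromised:
        state[v] = COMPROMISED
    expose_neighbours(adj, state)
    history = []
    for _ in range(steps):
        new_state = dict(state)
        for v, s in state.items():
            if s == INTACT:
                continue
            if rng.random() < beta:  # rule 2: migrated to a fresh host
                new_state[v] = INTACT
            elif s == EXPOSED and rng.random() < alpha:  # rule 1: attack succeeds
                new_state[v] = COMPROMISED
        state = new_state
        expose_neighbours(adj, state)  # a migrated proxy may be re-exposed at once
        history.append(sum(1 for s in state.values() if s == COMPROMISED))
    return history


def recovery_fraction(adj, alpha, beta, steps=200, trials=50):
    """Share of seeded runs, each starting from one compromised proxy, that end
    with no compromised proxy: an empirical counterpart of recoverability."""
    start = [next(iter(adj))]
    clean = sum(simulate(adj, alpha, beta, start, steps, seed)[-1] == 0
                for seed in range(trials))
    return clean / trials


if __name__ == "__main__":
    g = hypercube(4)  # 16 proxies, sigma_1 = 4 (4-regular, footnote 7)
    print("sigma_1 =", round(largest_eigenvalue(g), 3))
    for alpha, beta in ((0.1, 0.9), (0.5, 0.9)):
        print(alpha, beta, theorem3_recoverable(g, alpha, beta),
              recovery_fraction(g, alpha, beta))
```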
6.4.2 Comparison using Theory
We study the following seven representative topologies: 2D-, 3D- and 4D-CAN,
Chord, binary and 4-ary de Bruijn, and hypercube. We study proxy networks of
moderate sizes, which have 256 and 1024 nodes. Figure 6-9 and Figure 6-10 show the
eigenvalues and the 1
2
t values (close to 0), indicating that attackers need a high attack speed that
is significantly higher than the defense speed to make proxy networks of such topologies
unrecoverable. Therefore, 2D-CAN and binary de Bruijn graphs are the most favorable
among these topologies because they need the lowest defense speed to support effective
resistance to proxy depletion attacks, and a high attack speed to make the proxy network
vulnerable.
1
2
n
kt
for k = 0, ..., n-1. Let $G_1$ and $G_2$ be two graphs of size $n_1$ and $n_2$. The Cartesian product $G_1 \times G_2$ of $G_1$ and $G_2$ is defined as a graph on $n_1 n_2$ vertices. An edge joins the pair $(u_1, u_2)$ and $(v_1, v_2)$ if and only if $u_1 = v_1$ and $u_2 v_2 \in E(G_2)$, or $u_2 = v_2$ and $u_1 v_1 \in E(G_1)$. The spectrum of $G = G_1 \times G_2$ can be computed as follows. We have
)). ( ) ( ( ) (
)} ( ), ( min{ ) (
2 1 1 1
2
1
1
2 1 1 1
2
1
1
2 1 2 1
G G G
G G G
n n n n
+ =
=
In particular, for the d-dimensional Torus graph
d
n
C , the 1 = if n is even,
otherwise } cos 1 , max{cos
2 1 1
n d d n
t t
+ = .
If G is a d-regular graph, the Laplacian becomes $L = I - \frac{1}{d}A$. Thus each Laplacian eigenvalue is $\tau_i = 1 - \sigma/d$ for the corresponding adjacency eigenvalue $\sigma$, for $0 \le i \le n-1$. In general, the spectrum of the graph G can be very different from the eigenvalues of the adjacency matrix. Laplacian eigenvalues control the expansion rate of the neighborhoods for any subset S.
REFERENCES
1. Fallows, D., Search Engine Users, 2005, PEW Internet & American Life
Project,1615 L Street NW, Washington DC,
http://www.pewtrusts.org/pdf/PIP_Searchengine_users.pdf.
2. Fallows, D., The Internet and Daily Life, 2004, PEW Internet & American Life
Project,1615 L Street NW, Washington DC, http://www.pewtrusts.org/.
3. eMarketer, Online Travel Marketing and Selling, 2004, eMarketer,75 Broad
Street, New York, NY, http://www.emarketer.com/Report.aspx?travel_nov04.
4. eMarketer, Online Selling and eCRM, 2004, eMarketer,75 Broad Street, New
York, NY, http://www.emarketer.com/Report.aspx?crm_aug04.
5. Fox, S., Online Banking Jump 47% in Two Years, 2005, PEW Internet &
American Life Project,1615 L Street NW, Washington DC,
http://www.pewtrusts.org/.
6. Commerce, U.D.o., Quarterly Retail E-Commerce Sales 4th Quarter 2004, 2005,
US Department of Commerce,1401 Constitution Avenue, NW, Washington DC,
http://www.census.gov/mrts/www/data/html/04Q4.html.
7. CERT, CERT Coordination Center Annual Reports, 2004, Pittsburgh, PA.
8. Dittrich, D., The DoS Project's "trinoo" distributed denial of service attack tool,
1999, University of Washington,
http://staff.washington.edu/dittrich/misc/trinoo.analysis.
9. Dittrich, D., et al., The "mstream" distributed denial of service attack tool, 2000,
http://staff.washington.edu/dittrich/misc/mstream.analysis.txt.
10. Dittrich, D., The "Tribe Flood Network" distributed denial of service attack tool,
1999, University of Washington,
http://staff.washington.edu/dittrich/misc/tfn.analysis.txt.
11. CERT, "Code Red" Worm Exploiting Buffer Overflow In IIS Indexing Service
DLL, 2001, Pittsburgh, PA, http://www.cert.org/incident_notes/IN-2001-
08.html.
12. CERT, "Code Red II:" Another Worm Exploiting Buffer Overflow In IIS
Indexing Service DLL, 2001, Pittsburgh, PA,
http://www.cert.org/incident_notes/IN-2001-09.html.
13. Moore, D., et al., The Spread of the Sapphire/Slammer Worm. 2003, CAIDA,
UCSD, ICIR & LBNL, Silicon Defense, UC Berkeley
14. Hines, E.S., MyDoom.B Worm Analysis, 2004, Applied Watch Technologies,
Inc., http://isc.sans.org/presentations/MyDoom_B_Analysis.pdf.
15. Williams, M., EBay, Amazon, Buy.com hit by attacks, 2000,
http://www.nwfusion.com/news/2000/0209attack.html.
16. Fonseca, B., Yahoo outage raises Web concerns, 2000,
http://www.nwfusion.com/news/2000/0209yahoo2.html.
17. CSI/FBI, Cyber Attacks Continue, but Financial Losses are Down, 2003,
http://www.gocsi.com/press/20030528.jhtml?_requestid=335314.
18. Moore, D., G.M. Voelker, and S. Savage. Inferring Internet Denial-of-Service
Activity. in proceedings of the 2001 USENIX Security Symposium. 2001.
19. Ferguson, P. and D. Senie, Network Ingress Filtering: Defeating Denial of
Service Attacks which employ IP Source Address Spoofing. The Internet
Society, 1998.
20. Cisco, Defining Strategies to Protect Against TCP SYN Denial of Service
Attacks, http://cio.cisco.com/warp/public/707/4.html.
21. Cisco, Using CAR During DOS Attacks,
http://www.cisco.com/warp/public/63/car_rate_limit_icmp.html.
22. Song, D.X. and A. Perrig. Advanced and authenticated marking schemes for IP
traceback. in 20th Annual Joint Conference of the IEEE Computer and
Communications Societies. 2001. Anchorage, AK, United States: Proceedings -
IEEE INFOCOM. v 2 2001.
23. Snoeren, A.C., et al. Hash-based IP traceback. in ACM Special Interest Group
on Data Communications (SIGCOMM). 2001. San Diego, CA, United States:
Computer Communication Review. v 31 n 4 2001.
24. Savage, S., et al., Practical network support for IP traceback. Computer
Communication Review, 2000. 30(4): p. 295-306.
25. Stavrou, A., et al., WebSOS: An Overlay-based System For Protecting Web
Servers From Denial of Service Attacks. Elsevier Journal of Computer
Networks, special issue on Web and Network Security, 2005.
26. Keromytis, A.D., V. Misra, and D. Rubenstein. SOS: Secure Overlay Services.
in ACM Special Interest Group on Data Communications (SIGCOMM). 2002.
Pittsburgh, PA: ACM.
27. Andersen, D.G. Mayday: Distributed Filtering for Internet Services. in 4th
Usenix Symposium on Internet Technologies and Systems. 2003. Seattle,
Washington.
28. Adkins, D., et al., Towards a More Functional and Secure Network
Infrastructure. 2003, Computer Science Division, UC Berkeley: Berkeley
29. Adkins, D., et al. Taming IP Packet Flooding Attacks. in HotNets-II. 2003.
30. Keromytis, A.D., V. Misra, and D. Rubenstein. Using Overlays to Improve
Network Security. in the ITCom Conference, special track on Scalability and
Traffic Control in IP Networks. 2002.
31. Keromytis, A., V. Misra, and D. Rubenstein, SOS: An Architecture For
Mitigating DDoS Attacks. IEEE Journal on Selected Areas of Communications
(JSAC), 2004. 21(1): p. 176-188.
32. Ioannidis, S., et al. Implementing a Distributed Firewall. in the 7th ACM
International Conference on Computer and Communications Security (CCS).
2000.
33. Xuan, D., S. Chellappan, and X. Wang. Analyzing the Secure Overlay Services
Architecture under Intelligent DDoS Attacks. in 24th International Conference
on Distributed Computing Systems (ICDCS'04). 2004.
34. Lakshminarayanan, K., et al. Towards a Secure Indirection Infrastructure. in
ACM Symposium on Principles of Distributed Computing. 2004.
35. Stoica, I., et al. Internet Indirection Infrastructure. in ACM Special Interest
Group on Data Communications (SIGCOMM). 2002.
36. Akamai, Akamai Technology Overview,
http://www.akamai.com/en/html/technology/overview.html.
37. Liu, X. and A.A. Chien. Realistic Large-Scale Online Network Simulation. in
SuperComputing'04. 2004. Pittsburgh, PA.
38. Stoica, I., et al. Chord: A Scalable Peer-to-peer Lookup Service for Internet
Applications. in ACM Special Interest Group on Data Communications
(SIGCOMM). 2001.
39. Ratnasamy, S., et al. A Scalable Content-Addressable Network. in ACM Special
Interest Group on Data Communications (SIGCOMM). 2001.
40. Leighton, F.T., Introduction to Parallel Algorithms and Architectures: Arrays,
Trees, Hypercubes. 1991: Morgan Kaufmann Pub.
41. Liu, X., H. Xia, and A.A. Chien, Validating and Scaling the MicroGrid: A
Scientific Instrument for Grid Dynamics. Journal of Grid Computing, 2003.
42. Liu, X. and A. Chien. Traffic-based Load Balance for Scalable Network
Emulation. in SuperComputing 2003. November 2003. Phoenix, Arizona: the
Proceedings of the ACM Conference on High Performance Computing and
Networking.
43. Peng, T., C. Leckie, and R. Kotagiri. Protection from Distributed Denial of
Service Attacks Using History-based IP Filtering. in the IEEE International
Conference on Communications (ICC 2003). 2003.
44. Burch, H. and B. Cheswick. Tracing Anonymous Packets to Their Approximate
Source. in USENIX The Large Installation Systems Administration Conference
(LISA). 2000. New Orleans, LA: usenix.org.
45. Gil, T.M. and M. Poletto. MULTOPS: A Data-Structure for Bandwidth Attack
Detection. in the 10th USENIX Security Symposium. 2001.
46. Dean, D., M. Franklin, and A. Stubblefield, An Algebraic Approach to IP
Traceback. Information and System Security, 2002. 5(2): p. 119-137.
47. Wang, H., D. Zhang, and K. Shin. Detecting SYN flooding attacks. in The 21st
Conference of the IEEE Communications Society (INFOCOM02). 2002.
48. Ioannidis, J. and S.M. Bellovin. Implementing Pushback: Router-Based Defense
Against DDoS Attacks. in Network and Distributed System Security Symposium.
2002.
49. Cisco, Remote Monitoring Specification (RMON),
http://www.cisco.com/warp/public/614/4.html.
50. Cisco, NetFlow Services and Applications,
http://www.cisco.com/warp/public/732/netflow/.
51. Estan, C., et al. Building a Better NetFlow. in ACM Special Interest Group on
Data Communications (SIGCOMM). 2004.
52. Ferguson, P. and D. Senie, Network Ingress Filtering: Defeating Denial-of-
Service Attacks Which Employ IP Source Address Spoofing. RFC 2827. 2000.
53. Mirkovic, J., G. Prier, and P. Reiher. Attacking DDoS at the Source. in the 10th
IEEE International Conference on Network Protocols (ICNP02). 2002.
54. Mirkovic, J., D-WARD: Source-End Defense Against Distributed Denial-of-
Service Attacks, in Computer Science. 2003, University of California, Los
Angeles
55. Jin, C., H. Wang, and K. Shin. Hop-Count Filtering: An Effective Defense
Against Spoofed DoS Traffic. in Conference on Computer and Communications
Security. 2003.
56. Mankin, A., et al. On Design and Evaluation of Intention-Driven ICMP
Traceback. in 10th IEEE International Conference on Computer
Communications and Networks. 2001.
57. Stone, R. CenterTrack: An IP Overlay Network for Tracking DoS Floods. in the
9th USENIX Security Symposium. 2000.
58. Sripanidkulchai, K., et al. The Feasibility of Supporting Large-Scale Live
Streaming Applications with Dynamic Application End-Points. in ACM Special
Interest Group on Data Communications (SIGCOMM). 2004.
59. Pappas, V., et al. Fault-Tolerant Data Delivery for Multicast Overlay Networks.
in the 24th IEEE International Conference on Distributed Computing Systems
(ICDCS 04). 2004.
60. Jannotti, J., et al. Overcast: Reliable Multicasting with an Overlay Network. in
The 2nd Symposium on Operating Systems Design and Implementation
(USENIX OSDI 2000). 2000.
61. Castro, M., et al., Scribe: A large-scale and decentralized application-level
multicast infrastructure. IEEE Journal on Selected Areas in Communications,
2002.
62. Kwon, M. and S. Fahmy. Topology-aware Overlay Networks for Group
Communication. in the 12th International Workshop on Network and Operating
Systems Support for Digital Audio and Video (NOSSDAV02). 2002.
63. Ratnasamy, S., et al., Application-level Multicast using Content-Addressable
Network. Networked Group Communication, 2001.
64. Banerjee, S., B. Bhattacharjee, and C. Kommareddy. Scalable Application Layer
Multicast. in ACM Special Interest Group on Data Communications
(SIGCOMM). 2002.
65. Chu, Y.H., S. Rao, and H. Zhang. A Case for End System Multicast. in
International Conference on Measurement and Modeling of Computer Systems
(ACM SIGMETRICS). 2000.
66. Jain, S., et al., Scalable Self Organizing Overlays. 2002, Technical Report of
Department of Computer Science, University of Washington
67. Zhao, B.Y., et al. Rapid Mobility via Type Indirection. in the Third International
Workshop on Peer-to-Peer Systems (IPTPS'04). 2004.
68. Czerwinski, S., et al. An Architecture for a Secure Service Discovery Service. in
ACM/Baltzer Mobile Networking and Applications (MONET). 2002.
69. Zhuang, S.Q., et al. Host Mobility using an Internet Indirection Infrastructure. in
First International Conference on Mobile Systems, Applications, and Services
(ACM/USENIX Mobisys). 2003.
70. Gnutella, Gnutella: Distributed Information Sharing, 2000,
http://gnutella.wego.com/.
71. Zhuang, S.Q., et al. Bayeux: An Architecture for Scalable and Fault-tolerant
Wide-area Data Dissemination. in Eleventh International Workshop on Network
and Operating Systems Support for Digital Audio and Video (NOSSDAV01).
2001.
72. Druschel, P. and A. Rowstron. PAST: Persistent and Anonymous Storage in a
Peer-to-Peer Networking Environment. in the 8th Workshop on Hot Topics in
Operating Systems (USENIX HotOS VIII). 2001.
73. Kubiatowicz, J., et al. OceanStore: An Architecture for Global-scale Persistent
Storage. in the Ninth International Conference on Architectural Support for
Programming Languages and Operating Systems (ASPLOS 2000). 2000.
74. Clarke, I., et al., Freenet: A Distributed Anonymous Information Storage and
Retrieval System. Design Issues in Anonymity and Unobservability, 2000.
75. Rhea, S., et al. Pond: The OceanStore Prototype. in the 2nd USENIX Conference
on File and Storage Technologies (FAST'03). 2003.
76. Chen, Y., R.H. Katz, and J.D. Kubiatowicz. SCAN: a Dynamic Scalable and Efficient
Content Distribution Network. in International Conference on Pervasive
Computing. 2002.
77. Andersen, D.G., et al. Resilient Overlay Networks. in Symposium on Operating
Systems Principles (ACM SOSP). 2001.
78. Andersen, D.G., et al. The Case for Resilient Overlay Networks. in The 8th
Workshop on Hot Topics in Operating Systems (USENIX HotOS VIII). 2001.
79. Feamster, N., et al. Measuring the Effects of Internet Path Faults on Reactive
Routing. in International Conference on Measurement and Modeling of
Computer Systems (ACM SIGMETRICS). 2003.
80. Amir, Y. and C. Danilov. Reliable Communication in Overlay Networks. in the
IEEE International Conference on Dependable Systems and Networks (DSN03).
2003.
81. Zhao, B.Y., et al., Tapestry: A Resilient Global-scale Overlay for Service
Deployment. IEEE Journal on Selected Areas in Communications, 2004. 22(1):
p. 41-53.
82. Zhao, B.Y., et al. Exploiting Routing Redundancy via Structured Peer-to-Peer
Overlays. in the 11th IEEE International Conference on Network Protocols
(ICNP03). 2003.
83. Subramanian, L., et al. OverQoS: An Overlay based Architecture for Enhancing
Internet QoS. in First Symposium on Networked Systems Design and
Implementation (NSDI'04). 2004.
84. Zhou, F., et al. Approximate Object Location and Spam Filtering on Peer-to-
Peer Systems. in ACM/IFIP/USENIX International Middleware Conference
(Middleware 2003). 2003.
85. Awerbuch, B. and C. Scheideler. Group Spreading: A protocol for provably
secure distributed name service. in 31st Int. Colloquium on Automata,
Languages, and Programming (ICALP). 2004.
86. Loguinov, D., et al. Graph-Theoretic Analysis of Structured Peer-to-Peer
Systems: Routing Distances and Fault Resilience. in ACM Special Interest
Group on Data Communications (SIGCOMM). 2003. Karlsruhe, Germany:
ACM.
87. Jain, S., R. Mahajan, and D. Wetherall. A Study of the Performance Potential of
DHT-based Overlays. in the 4th Usenix Symposium on Internet Technologies
and Systems (USITS). 2003. Seattle, WA.
88. Hinrikus, T., Skype Application Programming Interface, 2004,
http://www.skype.com/community/devzone/Skype%20API%20description%20
1.2.pdf.
89. Cohen, B., Incentives Build Robustness in BitTorrent, 2003,
http://www.bittorrent.com/bittorrentecon.pdf.
90. Garfinkel, S., G. Spafford, and A. Schwartz, Practical Unix & Internet Security,
3rd Edition. 2003: O'Reilly.
91. Aleph One, Smashing The Stack For Fun And Profit, 1997, BugTraq, r00t, and
Underground.Org, http://downloads.securityfocus.com/library/P49-14.txt.
92. Sidiroglou, S. and A. Keromytis, Countering Network Worms Through
Automatic Patch Generation. 2005, Columbia University
93. Sidiroglou, S., et al. Building a Reactive Immune System for Software Services.
in the USENIX Annual Technical Conference. 2005.
94. Cowan, C., et al. StackGuard: Automatic Adaptive Detection and Prevention of
Buffer-Overflow Attacks. in Proceedings of the 7th USENIX Security
Conference. 1997.
95. Prasad, M. and T. Chiueh. A Binary Rewriting Defense Against Stack-based
Buffer Overflow Attacks. in the USENIX Annual Technical Conference. 2003.
96. DuVarney, D.C., V.N. Venkatakrishnan, and S. Bhatkar. SELF: a Transparent
Security Extension for ELF Binaries. in New Security Paradigms Workshop.
2003.
97. Baratloo, A., N. Singh, and T. Tsai. Transparent Run-Time Defense Against
Stack Smashing Attacks. in the USENIX Annual Technical Conference. 2000.
98. Vigna, G. and R.A. Kemmerer, NetSTAT: a network-based intrusion detection
system. Journal of Computer Security, 1999. 7(1): p. 37-71.
99. Porras, P.A. and P.G. Neumann. EMERALD: Event Monitoring Enabling
Responses to Anomalous Live Disturbances. in 1997 National Information
Systems Security Conference. 1997.
100. Kumar, S. and E.H. Spafford. A Pattern Matching Model For Misuse Intrusion
Detection. in Proceedings of the 17th National Computer Security Conference.
1994.
101. Axelsson, S., Intrusion Detection Systems: A Survey and Taxonomy. 2000,
Chalmers University of Technology: Göteborg, Sweden
102. Paxson, V., Bro: A System for Detecting Network Intruders in Real-Time.
Computer Networks, 1999. 31(23-24): p. 2435-2463.
103. Handley, M., C. Kreibich, and V. Paxson. Network Intrusion Detection:
Evasion, Traffic Normalization, and End-to-End Protocol Semantics. in USENIX
Security Symposium 2001. 2001.
104. Zhang, Y. and V. Paxson. Detecting Stepping Stones. in the 9th USENIX
Security Symposium. 2000.
105. Zhang, Y. and V. Paxson. Detecting Backdoors. in 9th USENIX Security
Symposium. 2000.
106. Lee, W. and S. Stolfo. Data Mining Approaches for Intrusion Detection. in the
7th USENIX Security Symposium. 1998.
107. Kruegel, C., et al. Stateful Intrusion Detection for High-Speed Networks. in the
IEEE Symposium on Research on Security and Privacy. 2002.
108. Ertoz, L., et al., The MINDS - Minnesota Intrusion Detection System, in Next
Generation Data Mining. 2004, MIT Press.
109. Chun, B., et al., PlanetLab: An Overlay Testbed for Broad-Coverage Services.
ACM Computer Communications Review, a special issue on tools and
technologies for networking research and education, 2003. 33(3).
110. Microsoft, Microsoft Security Bulletin, 2004, Microsoft Corporation,
http://www.microsoft.com/technet/.
111. Arbaugh, W.A., W.L. Fithen, and J. McHugh, Windows of Vulnerability: A
Case Study Analysis. IEEE Computer, 2000. 33: p. 52-59.
112. Browne, H.K., et al., A Trend Analysis of Exploitations. Proceedings of the
2001 IEEE Symposium on Security and Privacy, 2001.
113. CERT, CERT Advisory CA-2003-04 MS-SQL Server Worm, 2003,
Pittsburgh, PA, http://www.cert.org/advisories/CA-2003-04.html.
114. Chung, F., Spectral Graph Theory. 1997: AMS Publications.
115. Apache, Apache HTTP Server Version 2.0 Documentation, www.apache.org.
116. JoeDog.org, Siege - An HTTP Regression Tester & Benchmarking Utility, 2003,
http://www.joedog.org/siege/index.php.
117. Medina, A., et al. BRITE: An Approach to Universal Topology Generation. in
the International Workshop on Modeling, Analysis and Simulation of Computer
and Telecommunications Systems- MASCOTS '01. 2001. Cincinnati, Ohio.
118. Lougheed, K. and Y. Rekhter, RFC 1163: A Border Gateway Protocol (BGP).
1990
119. Moy, J., RFC 2178: OSPF Version 2. 1998
120. Socolofsky, T. and C. Kale, RFC 1180 - TCP/IP tutorial. 1991
121. Postel, J., RFC 792 - Internet Control Message Protocol. 1981
122. Faloutsos, M., P. Faloutsos, and C. Faloutsos. On Power-Law Relationships of
the Internet Topology. in ACM Special Interest Group on Data Communications
(SIGCOMM). 1999.
123. Swany, D.M. and R. Wolski. Data Logistics in Network Computing: The
Logistical Session Layer. in IEEE Network Computing and Applications
(NCA'01). 2001.
124. Nielsen, J., Usability Engineering. 1994, San Francisco: Morgan Kaufmann.
125. King, A.B., Speed Up Your Site: Web Site Optimization. First ed. 2003: Pearson
Education. 528.
126. Sherman, A., et al. ACMS: The Akamai Configuration Management System. in
the 2nd Symposium on Networked Systems Design & Implementation (USENIX
NSDI05). 2005.
127. Anderson, P., P. Goldsack, and J. Paterson. SmartFrog Meets LCFG:
Autonomous Reconfiguration with Central Policy Control. in USENIX The
Large Installation Systems Administration Conference (LISA03). 2003.
128. Anderson, P. and A. Scobie. LCFG - The Next Generation. in the UK Unix and
Open Systems User Group (UKUUG) Winter Conference. 2002.
129. Microsoft Windows Update, http://windowsupdate.microsoft.com.
130. HP Open View - Computer and Network Management,
http://www.managementsoftware.hp.com/.
131. Castro, M., et al. Exploiting network proximity in peer-to-peer overlay networks.
in the International Workshop on Future Directions in Distributed Computing
(FuDiCo). 2002. Bertinoro, Italy.
132. Shen, K. Structure Management for Scalable Overlay Service Construction. in
Symposium on Networked Systems Design & Implementation (USENIX NSDI).
2004.
133. Gummadi, K., et al. The Impact of DHT Routing Geometry on Resilience and
Proximity. in ACM Special Interest Group on Data Communications
(SIGCOMM). 2003.
134. Chawathe, Y., et al. Making Gnutella-like P2P Systems Scalable. in ACM
Special Interest Group on Data Communications (SIGCOMM). 2003.
135. Ratnasamy, S., et al. Topologically-Aware Overlay Construction and Server
Selection. in The 21st Conference of the IEEE Communications Society
(INFOCOM02). 2002.
136. Chen, Y., D. Bindel, and R.H. Katz. Tomography-based Overlay Network
Monitoring. in ACM Internet Measurement Conference (IMC). 2004.
137. Chen, Y., C. Overton, and R.H. Katz, Internet Iso-bar: A Scalable Overlay
Distance Monitoring System. Journal of Computer Resource Management,
2002.
138. Zhang, M., et al. PlanetSeer: Internet Path Failure Monitoring and
Characterization in Wide-Area Services. in In Proceedings of the Sixth
Symposium on Operating Systems Design and Implementation (OSDI '04). 2004.
139. Akamai Network Operations Command Center, Akamai Technologies Inc.,
http://www.akamai.com/en/html/technology/nocc.html.
140. Goseva-Popstojanova, K., et al. Characterizing intrusion tolerant systems using a
state transition model. in DARPA Information Survivability Conference and
Exposition (DISCEX II). 2001.
141. Wigner, E.P., On the distribution of the roots of certain symmetric matrices. The
Annals of Mathematics, 1958. 67: p. 325-327.
142. Goh, K.-I., B. Kahng, and D. Kim, Spectra and eigenvectors of scale-free
networks. Phys. Rev. E, 2001. 64(051903).
143. Furedi, Z. and J. Komlos, The eigenvalues of random symmetric matrices.
Combinatorica, 1981. 1(3): p. 233--241.
144. Farkas, I.J., et al., Spectra of "Real-World" graphs: Beyond the semi-circle law.
Phys. Rev. E, 2001. 64(026704).
145. Erdős, P. and A. Rényi, On random graphs. Publ. Math. Debrecen, 1959. 6: p.
290-297.
146. Chung, F., L. Lu, and V. Vu, Eigenvalues of random power law graphs. Annals
of Combinatorics, 2003.