Principal Investigator:
School of Electrical Engineering & Computer Science (SEECS),
National University of Science and Technology (NUST), Islamabad.
www.seecs.nust..edu.pk

Project Directors:
Dr. Syed Ali Khayam, ali.khayam@seecs.edu.pk
Dr. Fauzan Mirza, fauzan@ssecs.edu.pk

Project Details:
Start Date: August, 2008
Duration: 36 months
Project Cost: PKR 7.88 million
Project Funding: PKR 7.88 million
Project Status: In progress.
Technical Progress Reports Submitted:
Project Commencement Report, Q1, Q2, Q3, Q4, Q5.
Pending Reports:
None.
Deliverables Submitted:
1: Enrollment of graduate and undergraduate students and
completion of the hiring process.
2: Literature review document.
3: Research paper comparing results of different packet
sampling techniques and evaluation of new technique.
Implementation of offline packet samplers.
4: Research paper describing traffic features and
distributions. Traffic datasets collected at different
points in the network. Implementation of packet capturing
tools. Implementation of offline traffic analysis tools.
Pending Deliverables:
None.

Financial Audit Reports Submitted:
External Audit report as at September 30, 2009.

Project URL:
http://wisnet.seecs.nust.edu.pk/projects/nes/index.html

Executive Summary
Over the last
few years, the phrase “The Internet is Broken” has been
repeatedly used to highlight the current Internet’s inability to
combat network attacks, such as self-propagating malware and
distributed denial-of-service attacks. There is widespread
consensus that in the next-generation Internet, the entire
burden of security cannot be assigned to the endpoints and edge
networks, and that some notion of security needs to be embedded
into the network core.
The project
will investigate a network-embedded security framework, in which
the endpoints, the edge networks and the network core act in a
coordinated and practical manner to defeat high-rate traffic
attacks. More specifically, under the proposed framework,
packets suspected of being malicious are progressively marked by
network nodes (including the senders, the core and edge routers,
and the receivers) along the packet’s path. Packets with high
maliciousness level are then dropped en-route. To determine a
packet’s maliciousness level, it is proposed that network nodes
correlate the packets passing through them to identify packets
with similar underlying features. Increase in the number and
frequency of similar packets can then be used as an indication
of an ongoing attack. An automated attack signature generator
using packet features will be developed. The project will
investigate security-aware routing and congestion control
techniques that can operate on a network with embedded security
and will also study the impact of this framework on other
protocols, such as existing congestion control and routing
protocols.
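The marking-and-dropping idea described above can be illustrated with a small simulation. This is an added example, not code from the project: the feature set (destination, port, size), the window length, the similarity threshold and the drop level are all assumptions chosen for illustration, and the traffic is constructed.

```python
from collections import Counter, deque

class Node:
    """One hop on the path (sender, router or receiver) that marks similar packets."""
    def __init__(self, name, window=100, similar_limit=20, drop_level=3):
        self.name = name
        self.recent = deque(maxlen=window)  # feature keys of the last `window` packets
        self.counts = Counter()             # how often each key occurs in that window
        self.similar_limit = similar_limit  # assumed: more look-alikes than this is suspicious
        self.drop_level = drop_level        # assumed: mark value at which a packet is discarded

    def process(self, pkt):
        """Raise the packet's mark if it resembles recent traffic; return None if dropped."""
        key = (pkt["dst"], pkt["dport"], pkt["size"])  # assumed feature set
        if len(self.recent) == self.recent.maxlen:     # oldest key is about to be evicted
            old = self.recent[0]
            self.counts[old] -= 1
            if not self.counts[old]:
                del self.counts[old]
        self.recent.append(key)
        self.counts[key] += 1
        if self.counts[key] > self.similar_limit:
            pkt["mark"] += 1
        return None if pkt["mark"] >= self.drop_level else pkt

def send(path, pkt):
    """Forward pkt hop by hop; return the name of the dropping node, or None if delivered."""
    for node in path:
        if node.process(pkt) is None:
            return node.name
    return None

def simulate():
    """Constructed traffic: 200 identical flood packets interleaved with 50 distinct benign ones."""
    path = [Node(n) for n in ("edge-in", "core-1", "core-2", "edge-out")]
    stats = {"flood_delivered": 0, "benign_delivered": 0, "flood_dropped_at": Counter()}
    for i in range(200):
        where = send(path, {"dst": "10.0.9.9", "dport": 80, "size": 60, "mark": 0})
        if where is None:
            stats["flood_delivered"] += 1
        else:
            stats["flood_dropped_at"][where] += 1
        if i % 4 == 0:
            benign = {"dst": "10.0.0.%d" % (i % 10), "dport": 1024 + i, "size": 100 + i, "mark": 0}
            if send(path, benign) is None:
                stats["benign_delivered"] += 1
    return stats

if __name__ == "__main__":
    print(simulate())
```

With these assumed settings, each hop adds one mark once it has seen more than 20 look-alike packets, so flood packets reach the drop level at the third hop while the distinct benign packets pass unmarked.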
The project
will contribute significantly to the development of software
tools and protocols that can facilitate development and
deployment of security-aware packet processing and protocols
along a network path. Novel extensions and adaptations of these
tools will also be explored.
The project
proposes to develop theoretically-sound, practical and scalable
security-based packet marking methods, including
security-induced packet marking at wire-speeds within the core
network. It also aims to develop robust strategies for
discarding (or more generally “handling”) of security-marked
malicious packets while ensuring stability, fairness and
convergence objectives for benign and legitimate flows.
The key benefits of this project are:
- The proposed security framework deployed at
  major Pakistan gateways will allow network monitoring and
  malicious packet dropping in Pakistan’s network core,
  thereby protecting Pakistan from high-rate network attacks
  and the consequent bandwidth wastage.
- The proposed security framework
  will allow the designers of the next-generation Internet and
  Internet Service Providers (ISPs) to perform remote monitoring
  and detection at the ISP gateways.
- Pakistan Education Research
  Network (PERN) can significantly benefit from the proposed
  network-embedded security framework, as it will allow
  detection and localization of the infected university hosts.
  Moreover, the proposed framework can be used to develop a
  collaborative and distributed firewall that can be deployed
  on PERN’s university edge networks to block traffic from
  infected hosts.
- Patents are planned to be filed based on the proposed
  framework.