Award Abstract # 1717313
SaTC: CORE: Small: Hybrid Capability-Enforcement for Endpoint-Driven Traffic Control

NSF Org: CNS
Division Of Computer and Network Systems
Recipient: UNIVERSITY OF ILLINOIS
Initial Amendment Date: August 29, 2017
Latest Amendment Date: August 29, 2017
Award Number: 1717313
Award Instrument: Standard Grant
Program Manager: Phillip Regalia
  pregalia@nsf.gov
  (703)292-2981
  CNS, Division Of Computer and Network Systems
  CSE, Directorate for Computer and Information Science and Engineering
Start Date: September 1, 2017
End Date: August 31, 2021 (Estimated)
Total Intended Award Amount: $500,000.00
Total Awarded Amount to Date: $500,000.00
Funds Obligated to Date: FY 2017 = $500,000.00
History of Investigator:
  • Yih-Chun Hu (Principal Investigator)
    yihchun@uiuc.edu
Recipient Sponsored Research Office: University of Illinois at Urbana-Champaign
506 S WRIGHT ST
URBANA
IL  US  61801-3620
(217)333-2187
Sponsor Congressional District: 13
Primary Place of Performance: University of Illinois at Urbana-Champaign
IL  US  61820-7473
Primary Place of Performance Congressional District: 13
Unique Entity Identifier (UEI): Y8CWNJRCNN91
Parent UEI: V2PHZ2CSCH63
NSF Program(s): Secure & Trustworthy Cyberspace
Primary Program Source: 01001718DB NSF RESEARCH & RELATED ACTIVIT
Program Reference Code(s): 025Z, 065Z, 7434, 7923
Program Element Code(s): 806000
Award Agency Code: 4900
Fund Agency Code: 4900
Assistance Listing Number(s): 47.070

ABSTRACT

The Internet has become a societally transformative technology. Because the design of the Internet allows any Internet-connected device to send any amount of traffic to any other Internet-connected device, attackers can send large volumes of traffic to a victim, overwhelming the ability of the network to carry legitimate traffic to the victim. When many different devices send such attack traffic in a coordinated manner, the attack is called a Distributed Denial-of-Service (DDoS) attack, and is difficult to filter in the current Internet architecture. This research investigates a new architecture for filtering DDoS attacks that is efficient, economical, and readily deployable. The proposed architecture aims to alleviate the burden of maintaining an Internet service in the presence of DDoS attacks, and to improve the availability of Internet services.

The proposed architecture combines a filtering functionality deployed in the cloud with a network state estimation algorithm performed with the cooperation of the cloud and the victim server. Traffic is redirected to the cloud server using DNS; the cloud server then polices each sender's traffic according to a receiver-selected fair sharing policy. The fair sharing algorithm uses the bandwidth estimate derived from the network state estimator. The network state estimator uses capability feedback from the receiver to estimate the available bandwidth for fair sharing. This research expands the proposed architecture to make it more secure, more effective at catching obvious Denial-of-Service attacks, and more robust against powerful adversaries. The research will also provide a more thorough evaluation of the proposed architecture. The work will advance the understanding of how incrementally-deployable approaches, deployed based on economic incentives rather than relying on altruistic deployments, can also provide strong properties. Specifically, it aims to develop and evaluate a collection of methods that, when fully deployed, would provide the same strengths as an approach like SIBRA, yet be incrementally deployable, providing benefits as each Internet entity deploys each individual mechanism.

PUBLICATIONS PRODUCED AS A RESULT OF THIS RESEARCH

Jagadeesh, Harshan; Vithalkar, Amogh; Kabra, Manthan; Jhunjhunwala, Naman; Manav, Prafull; Hu, Yih-Chun. "Double-Edge Embedding Based Provenance Recovery for Low-Latency Applications in Wireless Networks." IEEE Transactions on Dependable and Secure Computing, 2020. https://doi.org/10.1109/TDSC.2020.3001185
Lin, Hui; Zhuang, Jianing; Hu, Yih-Chun; Zhou, Huayu. "DefRec: Establishing Physical Function Virtualization to Disrupt Reconnaissance of Power Grids' Cyber-Physical Infrastructures." Network and Distributed Systems Security (NDSS) Symposium 2020, 2020. https://doi.org/10.14722/ndss.2020.24365
Liu, Zhuotao; Chen, Kai; Wu, Haitao; Hu, Shuihai; Hu, Yih-Chun; Wang, Yi; Zhang, Gong. "Enabling Work-conserving Bandwidth Guarantees for Multi-tenant Datacenters via Dynamic Tenant-Queue Binding." Proceedings of the 37th IEEE International Conference on Computer Communications, 2018.
Liu, Zhuotao; Xiang, Yangxi; Shi, Jian; Gao, Peng; Wang, Haoyu; Xiao, Xusheng; Wen, Bihan; Hu, Yih-Chun. "HyperService: Interoperability and Programmability Across Heterogeneous Blockchains." CCS '19: 2019 ACM SIGSAC Conference on Computer and Communications Security, 2019. https://doi.org/10.1145/3319535.3355503
Wu, Bo; Xu, Ke; Li, Qi; Liu, Zhuotao; Hu, Yih-Chun; Reed, Martin J.; Shen, Meng; Yang, Fan. "Enabling Efficient Source and Path Verification via Probabilistic Packet Marking." Proceedings of the 26th International Symposium on Quality of Service, 2018.
Wu, Bo; Xu, Ke; Li, Qi; Liu, Zhuotao; Hu, Yih-Chun; Zhang, Zhichao; Du, Xinle; Liu, Bingyang; Ren, Shoushou. "SmartCrowd: Decentralized and Automated Incentives for Distributed IoT System Detection." IEEE International Conference on Distributed Computing Systems (ICDCS), 2019. https://doi.org/10.1109/ICDCS.2019.00112

PROJECT OUTCOMES REPORT

Disclaimer

This Project Outcomes Report for the General Public is displayed verbatim as submitted by the Principal Investigator (PI) for this award. Any opinions, findings, and conclusions or recommendations expressed in this Report are those of the PI and do not necessarily reflect the views of the National Science Foundation; NSF has not approved or endorsed its content.

We evaluated destination-driven sharing techniques based on a variety of metrics, such as quality-of-experience, and showed that we can achieve TCP friendliness while providing a wide range of performance ratios between flows under our control. This work is currently undergoing review. We believe this work could potentially impact the field by opening a new area of research, and could potentially impact society broadly via adoption by content providers.

We have evaluated, and continue to evaluate, same-bottleneck detection, which has proven challenging as the rise of higher-bitrate networks makes signals for same-bottleneck detection much more subtle; for example, increasing the bottleneck bandwidth from 10Gbps to 100Gbps decreases the impact of queue length on latency by a factor of 10. We have proposed a combination of same-bottleneck signals, including latency, and demonstrated such combinations at speeds up to 1Gbps. Future work may consider the expansion of such signals, including potentially active approaches, to expand beyond 1Gbps. We expect our work to add to the growing literature in same-bottleneck detection, which is useful in scenarios such as bottleneck-sharing and multipath TCP.

We have explored mechanisms for in-network feedback through SCION beacons. This work is ongoing, and the impact will include future collaborations with Prof. Adrian Perrig at ETH Zurich.

Several graduate students were trained during the course of this project; these students will further impact the field either as industry researchers or faculty.

Last Modified: 09/28/2021
Modified by: Yih-Chun Hu
