Improving Network Security through Obfuscation

Date

2022

Publication Type

Doctoral Thesis

ETH Bibliography

yes

Abstract

While it is impressive that many of the prevalent protocols and algorithms in today's networks and the Internet have remained essentially unchanged since the very first computer networks in the Sixties, they were not designed for today's security environment. Only thanks to protocol extensions and new technologies are today's network users protected against many threats. For example, most hosts are behind firewalls that prevent some malicious traffic from reaching them, and most traffic is encrypted to prevent eavesdropping. However, today's protections are not enough. For example, denial-of-service attacks can cut a host's connection even if the attack traffic never reaches the host, and encrypted traffic still leaks information about its contents. In this dissertation, we explore how obfuscation can help to address such weak points. To this end, we present two solutions. First, we present NetHide, a system that mitigates denial-of-service attacks against the network infrastructure by obfuscating the network topology. The key idea behind NetHide is to formulate topology obfuscation as a multi-objective optimization problem that allows for a flexible trade-off between the security of the topology and the usability of network debugging tools. NetHide then intercepts and modifies path-tracing probes in the data plane to ensure that attackers can only learn the obfuscated topology. Second, we present ditto, a system that prevents traffic-analysis attacks by obfuscating the timing and size of packets. The key idea behind ditto is to add padding to packets and to introduce chaff packets such that the resulting traffic is independent of the production traffic with respect to packet sizes and timing. ditto provides high throughput without requiring changes at hosts, which makes it ideal for protecting wide area networks. Both systems leverage recent advances in network programmability. They show that programmable switches can increase the security of high-throughput networks without degrading their performance. However, programmable switches not only provide high performance for obfuscation; they also allow analyzing traffic at scale. We complete this dissertation with a discussion of four use cases in which programmable switches analyze traffic, for both benign and malicious purposes.

Publication status

published

Contributors

Examiner : Vanbever, Laurent
Examiner : Lenders, Vincent
Examiner : Chen, Ang
Examiner : Perrig, Adrian

Publisher

ETH Zurich

Subject

Computer networks; Computer network security; Obfuscation; programmable data plane

Organisational unit

09477 - Vanbever, Laurent / Vanbever, Laurent
