Anat Bremler-Barr | IDC - Academia.edu
Papers by Anat Bremler-Barr
International Conference on Computer Communications, 2009
Proceedings of the ACM SIGCOMM 2019 Conference Posters and Demos
ACM Reference Format: Anat Bremler-Barr, Bar Meyuhas, and Ran Shister. 2021. Poster: IoT Location Impact on Network Behavior and MUD. In Internet Measurement Conference (IMC ’21), November 2–4, 2021, Virtual Event. ACM, New York, NY, USA, 2 pages. https://doi.org/TBA
Abstract—Performance analysis and the design of computer and networking systems have traditionally accounted for the stochastic nature of the problem addressed and been based on stochastic-type analysis, mainly expected value ("the good"). In some related disciplines, mainly computer science and algorithmic design, worst-case analysis ("the bad") has been popular. In recent years we have experienced a wave of DDoS and cyber attacks threatening the welfare of the Internet. These are launched by malicious users whose only incentive is to degrade the performance of other, innocent, users. This has triggered a new direction of research aiming at evaluating system performance while accounting for the malicious behavior of the attackers ("the ugly"). The performance metrics in this case differ from both the average-case and the worst-case and can affect system design considerably. The purpose of this work is to expose and discuss this new analysis approach as well as to distinguish it f...
ArXiv, 2016
Motivated by a recent new type of randomized Distributed Denial of Service (DDoS) attacks on the Domain Name Service (DNS), we develop novel and efficient distinct heavy hitters algorithms and build an attack identification system that uses our algorithms. Heavy hitter detection in streams is a fundamental problem with many applications, including detecting certain DDoS attacks and anomalies. A (classic) heavy hitter (HH) in a stream of elements is a key (e.g., the domain of a query) which appears in many elements (e.g., requests). When stream elements consist of <key, subkey> pairs (<domain, subdomain>), a distinct heavy hitter (dHH) is a key that is paired with a large number of different subkeys. Our dHH algorithms are considerably more practical than previous algorithms. Specifically, the new fixed-size algorithms are simple to code and have asymptotically optimal space-accuracy tradeoffs. In addition, we introduce a new measure, a combined heavy hitter (cHH), which is a key with a large combination of distinc...
ArXiv, 2021
In recent years, we have witnessed a new kind of DDoS attack, the burst attack (Chai, 2013; Dahan, 2018), where the attacker launches periodic bursts of traffic overload on online targets. Recent work presents a new kind of burst attack, the YoYo attack (Bremler-Barr et al., 2017), that operates against the auto-scaling mechanism of VMs in the cloud. The periodic bursts of traffic load cause the auto-scaling mechanism to oscillate between scale-up and scale-down phases. The auto-scaling mechanism translates flat DDoS attacks into Economic Denial of Sustainability (EDoS) attacks, where the victim suffers economic damage accrued by paying for the extra resources required to process the traffic generated by the attacker. However, it was shown that the YoYo attack also causes significant performance degradation, since it takes time to scale up VMs. In this research, we analyze the resilience of Kubernetes auto-scaling against YoYo attacks, as containerized cloud applications using Kubernetes have gained popularity and replaced VM-based architectures in recent years. We present experimental results on Google Cloud Platform, showing that even though the scale-up time of containers is much lower than that of VMs, Kubernetes is still vulnerable to the YoYo attack since VMs are still involved. Finally, we evaluate ML models that can accurately detect the YoYo attack on a Kubernetes cluster.
ArXiv, 2021
Monitoring medical data, e.g., Electrocardiogram (ECG) signals, is a common application of Internet of Things (IoT) devices. Compression methods are often applied on the massive amounts of sensor data generated before sending it to the Cloud to reduce storage and delivery costs. A lossy compression provides high compression gain (CG) but may reduce the performance of an ECG application (downstream task) due to information loss. Previous works on ECG monitoring focus either on optimizing the signal reconstruction or the task’s performance. Instead, we advocate a lossy compression solution that allows configuring a desired performance level on the downstream tasks while maintaining an optimized CG. We propose Dynamic-Deep, a task-aware compression that uses convolutional autoencoders. The compression level is dynamically selected to yield an optimized compression without violating tasks’ performance requirements. We conduct an extensive evaluation of our approach on common ECG dataset...
Proceedings of the fifth ACM/IEEE Workshop on Hot Topics in Web Systems and Technologies, 2017
Random Subdomain DDoS attacks on the Domain Name System (DNS) infrastructure are becoming a popular vector in recent attacks (e.g., the recent Mirai attack on Dyn). In these attacks, many queries are sent for a single or a few victim domains, yet they include highly varying non-existent subdomains generated randomly. Motivated by these attacks, we designed and implemented novel and efficient algorithms for distinct heavy hitters (dHH). A (classic) heavy hitter (HH) in a stream of elements is a key (e.g., the domain of a query) which appears in many elements (e.g., requests). When stream elements consist of <key, subkey> pairs (<domain, subdomain>), a distinct heavy hitter (dHH) is a key that is paired with a large number of different subkeys. Our algorithms dominate previous designs in both the asymptotic (theoretical) sense and practicality. Specifically, the new fixed-size algorithms are simple to code and have asymptotically optimal space-accuracy tradeoffs. Based on these algorithms, we build and implement a system for detection and mitigation of Random Subdomain DDoS attacks. We perform an experimental evaluation, demonstrating the effectiveness of our algorithms.
2016 IFIP Networking Conference (IFIP Networking) and Workshops, 2016
URL matching lies at the core of many networking applications and Information Centric Networking architectures. For example, URL matching is extensively used by Layer 7 switches, ICN/NDN routers, load balancers, and security devices. Modern URL matching is done by maintaining a rich database that consists of tens of millions of URLs which are classified into dozens of categories (or egress ports). In real time, any input URL has to be searched in this database to find the corresponding category. In this paper, we introduce a generic framework for accurate URL matching (namely, no false positives or miscategorization) that aims to reduce the overall memory footprint while still having low matching latency. We introduce a dictionary-based compression method that compresses the database by 60%, while having only a slight overhead in time. Our framework is very flexible: it allows hot-updates and cloud-based deployments, and it can deal with strings that are not URLs.
ACM SIGMETRICS Performance Evaluation Review, 2001
A new general theory about restoration of network paths is first introduced. The theory pertains to restoration of shortest paths in a network following failure, e.g., we prove that a shortest path in a network after removing k edges is the concatenation of at most k + 1 shortest paths in the original network. The theory is then combined with efficient path concatenation techniques in MPLS (multi-protocol label switching), to achieve powerful schemes for restoration in MPLS-based networks. We thus transform MPLS into a flexible and robust method for forwarding packets in a network.
NOMS 2022-2022 IEEE/IFIP Network Operations and Management Symposium
Monitoring medical data, e.g., Electrocardiogram (ECG) signals, is a common application of Internet of Things (IoT) devices. Compression methods are often applied on the massive amounts of sensor data generated prior to sending it to the Cloud to reduce the storage and delivery costs. A lossy compression provides high compression gain (CG), but may reduce the performance of an ECG application (downstream task) due to information loss. Previous works on ECG monitoring focus either on optimizing the signal reconstruction or the task's performance. Instead, we advocate a self-adapting lossy compression solution that allows configuring a desired performance level on the downstream tasks while maintaining an optimized CG that reduces Cloud costs. We propose Dynamic-Deep, a task-aware compression geared for IoT-Cloud architectures. Our compressor is trained to optimize the CG while maintaining the performance requirement of the downstream tasks chosen out of a wide range. In deployment, the IoT edge device adapts the compression and sends an optimized representation for each data segment, accounting for the downstream task's desired performance without relying on feedback from the Cloud. We conduct an extensive evaluation of our approach on common ECG datasets using two popular ECG applications, which include heart rate (HR) arrhythmia classification. We demonstrate that Dynamic-Deep can be configured to improve HR classification F1-score in a wide range of requirements. One configuration is tuned to improve the F1-score by 3 and increases CG by up to 83% compared to the previous state-of-the-art (autoencoder-based) compressor. Analyzing Dynamic-Deep on the Google Cloud Platform, we observe a 97% reduction in cloud costs compared to a no-compression solution.
To the best of our knowledge, Dynamic-Deep is the first end-to-end system architecture proposal to focus on balancing the need for high performance of cloud-based downstream tasks and the desire to achieve optimized compression in IoT ECG monitoring settings.
The Domain Name System (DNS) infrastructure, a most critical system the Internet depends on, has recently been the target of different DDoS and other cyber-attacks, e.g., the notorious Mirai botnet. While these attacks can be destructive to both recursive and authoritative DNS servers, little is known about how recursive resolvers operate under such attacks (e.g., NXDomain, water-torture). In this paper, we point out a new vulnerability and show an attack, the NXNSAttack, that exploits the way DNS recursive resolvers operate when receiving an NS referral response that contains name-servers but without their corresponding IP addresses (i.e., missing glue records). We show that the number of DNS messages exchanged in a typical resolution process might be much higher in practice than what is expected in theory, mainly due to a proactive resolution of name-servers' IP addresses. We show how this inefficiency becomes a bottleneck and might be used to mount a devastating attack against ...
2021 IEEE International Conferences on Internet of Things (iThings) and IEEE Green Computing & Communications (GreenCom) and IEEE Cyber, Physical & Social Computing (CPSCom) and IEEE Smart Data (SmartData) and IEEE Congress on Cybermatics (Cybermatics), 2021
Manufacturer Usage Description (MUD) is a new, whitelist-based cybersecurity standard that was recently proposed by the IETF to cope with the huge attack surface and a constantly increasing number of IoT devices connected to the Internet. MUD allows the IoT manufacturers themselves to publish the legitimate communication patterns of their devices, making it easier for security devices to enforce this policy, filter out non-complying traffic, and block a device in case it has been compromised. Typically, MUD includes a set of legitimate endpoints, specified either by domain names or by IP addresses, along with the legitimate port numbers and protocols. While these descriptions are adequate when IoT devices connect (as clients) to servers (e.g., services in the cloud), they cannot adequately describe the cases where IoT devices act as servers to which endpoints connect. These endpoints (e.g., users' mobile devices) typically do not have fixed IP addresses, nor do they associate with a domain name. In this case, accounting for 78% of the IoT devices we have surveyed, MUD degrades nowadays to allowing all possible endpoints and cannot mitigate any attack. In this work, we evaluate this phenomenon and show it has a high prevalence today, thus dramatically harming the security efficiency of the MUD framework. We then present a solution, MUDirect, which enhances the MUD framework to deal with these cases while preserving the current MUD specification. Finally, we have implemented our solution (extending the existing osMUD implementation) and showed that it enables protection of P2P IoT devices while requiring minimal changes to the osMUD code.
NOMS 2020 - 2020 IEEE/IFIP Network Operations and Management Symposium, 2020
In recent years the number of IoT devices in home networks has increased dramatically. Whenever a new device connects to the network, it must be quickly managed and secured using the relevant security mechanism or QoS policy. Thus, a key challenge is to distinguish between IoT and NoT (non-IoT) devices in a matter of minutes. Unfortunately, there is no clear indication of whether a device in a network is an IoT device. In this paper, we propose different classifiers that identify a device as IoT or non-IoT, on a short time scale, and with high accuracy. Our classifiers were constructed using machine learning techniques on a seen (training) dataset and were tested on an unseen (test) dataset. They successfully classified devices that were not in the seen dataset with accuracy above 95%. The first classifier is a logistic regression classifier based on traffic features. The second classifier is based on features we retrieve from DHCP packets. Finally, we present a unified classifier that leverages the advantages of the other two classifiers. We focus on the home-network environment, but our classifiers are also applicable to enterprise networks.
Packet classification is an indispensable building block of numerous Internet applications in the areas of routing, monitoring, security, and multimedia. The routers use a classification database that consists of a set of rules (a.k.a. filters). Each such rule speci-
NOMS 2020 - 2020 IEEE/IFIP Network Operations and Management Symposium, 2020
A new scalable ISP-level system architecture to secure and protect all IoT devices in a large number of homes is presented. The system is based on whitelisting, as in the Manufacturer Usage Description (MUD) framework, implemented as a VNF. Unlike common MUD suggestions that place the whitelist application at the home/enterprise network, our approach is to place the enforcement upstream at the provider network, combining an NFV (Network Function Virtualization) with router/switch filtering capabilities, e.g., ACLs. The VNF monitors many home networks simultaneously, and therefore is a highly scalable managed-service solution that provides both the end customers and the ISP with excellent visibility and security of the IoT devices at the customer premises. The system includes a mechanism to distinguish between flows of different devices at the ISP level despite the fact that most home networks (and their IoT devices) are behind a NAT and all the flows from the same home come out with the same source IP address. Moreover, the NFV system needs to receive only the first packet of each connection at the VNF, and the rule space is proportional to the number of unique types of IoT devices rather than the number of IoT devices. The monitoring part of the solution is off the critical path and can also uniquely protect from incoming DDoS attacks. To cope with internal traffic, which is not visible outside the customer premises and often consists of P2P communication, we suggest a hybrid approach, where we deploy a lightweight component at the CPE whose sole purpose is to monitor P2P communication. As the current MUD solution does not provide a secure solution for P2P communication, we also extend the MUD protocol to deal with peer-to-peer communicating devices.
A PoC with a large national-level ISP proves that our technology works as expected, identifying the various IoT devices that are connected to the network and detecting any unauthorized communications.
NOMS 2020 - 2020 IEEE/IFIP Network Operations and Management Symposium, 2020
This demo focuses on demonstrating features of a new system to protect IoT devices in customer premises at the ISP level. The core of the system is deployed as a Virtual Network Function (VNF) within the ISP network, and is based on the Manufacturer Usage Description (MUD) framework, a white-list IoT protection scheme that has been proposed in recent years. As MUD is designed for on-premise deployment, the system makes the necessary adaptations to enable its deployment outside the customer premises. Moreover, the system includes a mechanism to distinguish between flows of different devices at the ISP level despite the fact that most home networks (and their IoT devices) are behind a NAT and all the flows from the same home come out with the same source IP address. Our demo closely follows a proof-of-concept that we have done with a large national-level ISP, showing how our system can identify the various IoT devices that are connected to the network and detect any unauthorized communications.
IEEE INFOCOM 2017 - IEEE Conference on Computer Communications, 2017
Traditional DDoS anti-spoofing scrubbers require dedicated middleboxes, thus adding CAPEX, latency and complexity to the network. This paper starts by showing that the current SDN match-and-action model is rich enough to implement a collection of anti-spoofing methods. Secondly, we develop and utilize advanced methods for dynamic resource sharing to distribute the required mitigation resources over a network of switches. None of the earlier attempts to implement anti-spoofing in SDN actually directly exploited the match-and-action power of the switch data plane. They required additional functionalities on top of the match-and-action model, and are not implementable on an SDN switch as is. Our method builds on the premise that an SDN data path is a very fast and efficient engine for performing low-level primitive operations at wire speed. The solution requires a number of flow-table rules and switch-controller messages proportional to the legitimate traffic. To scale when protecting multiple large servers, the flow tables of multiple switches are harnessed in a distributed and dynamic network-based solution. We have fully implemented all our methods in either OpenFlow 1.5 in Open vSwitch or in P4. The system mitigates spoofed attacks on either the SDN infrastructure itself or on downstream servers.
IEEE INFOCOM 2017 - IEEE Conference on Computer Communications, 2017
Auto-scaling mechanisms are an important line of defense against Distributed Denial of Service (DDoS) in the cloud. Using auto-scaling, machines can be added and removed in an on-line manner to respond to fluctuating load. It is commonly believed that the auto-scaling mechanism casts DDoS attacks into Economic Denial of Sustainability (EDoS) attacks. Rather than suffering from performance degradation up to a total denial of service, the victim suffers only the economic damage incurred by paying for the extra resources required to process the bogus traffic of the attack. Contrary to this belief, we present and analyze the Yo-Yo attack, a new attack against the auto-scaling mechanism, that can cause significant performance degradation in addition to economic damage. In the Yo-Yo attack, the attacker sends periodic bursts of overload, thus causing the auto-scaling mechanism to oscillate between scale-up and scale-down phases. The Yo-Yo attack is harder to detect and requires fewer resources from the attacker compared to traditional DDoS. We demonstrate the attack on Amazon EC2 [4], and analyze protection measures the victim can take by reconfiguring the auto-scaling mechanism.
International Conference on Computer Communications, 2009
Proceedings of the ACM SIGCOMM 2019 Conference Posters and Demos
ACM Reference Format: Anat Bremler-Barr, Bar Meyuhas, and Ran Shister. 2021. Poster: IoT Location... more ACM Reference Format: Anat Bremler-Barr, Bar Meyuhas, and Ran Shister. 2021. Poster: IoT Location Impact on Network Behavior and MUD. In Internet Measurement Conference (IMC ’21), November 2–4, 2021, Virtual Event. ACM, New York, NY, USA, 2 pages. https://doi.org/TBA
Abstract—Performance analysis and the design of computer and networking systems have traditionall... more Abstract—Performance analysis and the design of computer and networking systems have traditionally accounted for the stochastic nature of the problem addressed and been based on stochastic type analysis, mainly expected value (”the good”). In some related disciplines, mainly computer science and algorith-mic design, worst-case analysis (”the bad”) has been popular. In recent years we have experienced a wave of DDoS and Cyber attacks threatening the welfare of the internet. These are launched by malicious users whose only incentive is to degrade the performance of other, innocent, users. This has triggered a new direction of research aiming at evaluating system performance while accounting for the malicious behavior of the attackers (”the ugly”). The performance metrics in this case differs from both the average-case and the worst-case and can affect system design considerably. The purpose of this work is to expose and discuss this new analysis approach as well as to distinguish it f...
ArXiv, 2016
Motivated by a recent new type of randomized Distributed Denial of Service (DDoS) attacks on the ... more Motivated by a recent new type of randomized Distributed Denial of Service (DDoS) attacks on the Domain Name Service (DNS), we develop novel and efficient distinct heavy hitters algorithms and build an attack identification system that uses our algorithms. Heavy hitter detection in streams is a fundamental problem with many applications, including detecting certain DDoS attacks and anomalies. A (classic) heavy hitter (HH) in a stream of elements is a key (e.g., the domain of a query) which appears in many elements (e.g., requests). When stream elements consist of a pairs, ( ) a distinct heavy hitter (dhh) is a key that is paired with a large number of different subkeys. Our dHH algorithms are considerably more practical than previous algorithms. Specifically the new fixed-size algorithms are simple to code and with asymptotically optimal space accuracy tradeoffs. In addition we introduce a new measure, a combined heavy hitter (cHH), which is a key with a large combination of distinc...
ArXiv, 2021
In recent years, we have witnessed a new kind of DDoS attack, the burst attack(Chai, 2013; Dahan,... more In recent years, we have witnessed a new kind of DDoS attack, the burst attack(Chai, 2013; Dahan, 2018), where the attacker launches periodic bursts of traffic overload on online targets. Recent work presents a new kind of Burst attack, the YoYo attack (Bremler-Barr et al., 2017) that operates against the auto-scaling mechanism of VMs in the cloud. The periodic bursts of traffic loads cause the auto-scaling mechanism to oscillate between scale-up and scale-down phases. The auto-scaling mechanism translates the flat DDoS attacks into Economic Denial of Sustainability attacks (EDoS), where the victim suffers from economic damage accrued by paying for extra resources required to process the traffic generated by the attacker. However, it was shown that YoYo attack also causes significant performance degradation since it takes time to scale-up VMs. In this research, we analyze the resilience of Kubernetes auto-scaling against YoYo attacks. As containerized cloud applications using Kubernetes gain popularity and replace VM-based architecture in recent years. We present experimental results on Google Cloud Platform, showing that even though the scale-up time of containers is much lower than VM, Kubernetes is still vulnerable to the YoYo attack since VMs are still involved. Finally, we evaluate ML models that can accurately detect YoYo attack on a Kubernetes cluster.
ArXiv, 2021
Monitoring medical data, e.g., Electrocardiogram (ECG) signals, is a common application of Intern... more Monitoring medical data, e.g., Electrocardiogram (ECG) signals, is a common application of Internet of Things (IoT) devices. Compression methods are often applied on the massive amounts of sensor data generated before sending it to the Cloud to reduce storage and delivery costs. A lossy compression provides high compression gain (CG) but may reduce the performance of an ECG application (downstream task) due to information loss. Previous works on ECG monitoring focus either on optimizing the signal reconstruction or the task’s performance. Instead, we advocate a lossy compression solution that allows configuring a desired performance level on the downstream tasks while maintaining an optimized CG. We propose Dynamic-Deep, a task-aware compression that uses convolutional autoencoders. The compression level is dynamically selected to yield an optimized compression without violating tasks’ performance requirements. We conduct an extensive evaluation of our approach on common ECG dataset...
Proceedings of the fifth ACM/IEEE Workshop on Hot Topics in Web Systems and Technologies, 2017
Random Subdomain DDoS a acks on the Domain Name System (DNS) infrastructure are becoming a popula... more Random Subdomain DDoS a acks on the Domain Name System (DNS) infrastructure are becoming a popular vector in recent a acks (e.g., recent Mirai a ack on Dyn). In these a acks, many queries are sent for a single or a few victim domains, yet they include highly varying non-existent subdomains generated randomly. Motivated by these a acks we designed and implemented novel and e cient algorithms for distinct heavy hi ers (dHH). A (classic) heavy hi er (HH) in a stream of elements is a key (e.g., the domain of a query) which appears in many elements (e.g., requests). When stream elements consist of ¡key, subkey¿ pairs, (¡domain, subdomain¿) a distinct heavy hi er (dhh) is a key that is paired with a large number of di erent subkeys. Our algorithms dominate previous designs in both the asymptotic (theoretical) sense and practicality. Speci cally the new xed-size algorithms are simple to code and with asymptotically optimal space accuracy tradeo s. Based on these algorithms, we build and implement a system for detection and mitigation of Random Subdomain DDoS a acks. We perform experimental evaluation, demonstrating the e ectiveness of our algorithms.
2016 IFIP Networking Conference (IFIP Networking) and Workshops, 2016
URL matching lies at the core of many networking applications and Information Centric Networking ... more URL matching lies at the core of many networking applications and Information Centric Networking architectures. For example, URL matching is extensively used by Layer 7 switches, ICN/NDN routers, load balancers, and security devices. Modern URL matching is done by maintaining a rich database that consists of tens of millions of URL which are classified to dozens of categories (or egress ports). In real-time, any input URL has to be searched in this database to find the corresponding category. In this paper, we introduce a generic framework for accurate URL matching (namely, no false positives or miscategorization) that aims to reduce the overall memory footprint, while still having low matching latency. We introduce a dictionary-based compression method that compresses the database by 60%, while having only a slight overhead in time. Our framework is very flexible and it allows hot-updates, cloud-based deployments, and can deal with strings that are not URLs.
ACM SIGMETRICS Performance Evaluation Review, 2001
A new general theory about restoration of network paths is first introduced. The theory pertains ... more A new general theory about restoration of network paths is first introduced. The theory pertains to restoration of shortest paths in a network following failure, e.g., we prove that a shortest path in a network after removing k edges is the concatenation of at most k + 1 shortest paths in the original network.The theory is then combined with efficient path concatenation techniques in MPLS (multi-protocol label switching), to achieve powerful schemes for restoration in MPLS based networks. We thus transform MPLS into a flexible and robust method for forwarding packets in a network.
NOMS 2022-2022 IEEE/IFIP Network Operations and Management Symposium
Monitoring medical data, e.g., Electrocardiogram (ECG) signals, is a common application of Internet of Things (IoT) devices. Compression methods are often applied on the massive amounts of sensor data generated prior to sending it to the Cloud to reduce the storage and delivery costs. A lossy compression provides high compression gain (CG), but may reduce the performance of an ECG application (downstream task) due to information loss. Previous works on ECG monitoring focus either on optimizing the signal reconstruction or the task's performance. Instead, we advocate a self-adapting lossy compression solution that allows configuring a desired performance level on the downstream tasks while maintaining an optimized CG that reduces Cloud costs. We propose Dynamic-Deep, a task-aware compression geared for IoT-Cloud architectures. Our compressor is trained to optimize the CG while maintaining the performance requirement of the downstream tasks chosen out of a wide range. In deployment, the IoT edge device adapts the compression and sends an optimized representation for each data segment, accounting for the downstream task's desired performance without relying on feedback from the Cloud. We conduct an extensive evaluation of our approach on common ECG datasets using two popular ECG applications, which includes heart rate (HR) arrhythmia classification. We demonstrate that Dynamic-Deep can be configured to improve HR classification F1-score in a wide range of requirements. One of which is tuned to improve the F1-score by 3 and increases CG by up to 83% compared to the previous state-of-the-art (autoencoder-based) compressor. Analyzing Dynamic-Deep on the Google Cloud Platform, we observe a 97% reduction in cloud costs compared to a no compression solution.
To the best of our knowledge, Dynamic-Deep is the first end-to-end system architecture proposal to focus on balancing the need for high performance of cloud-based downstream tasks and the desire to achieve optimized compression in IoT ECG monitoring settings.
The Domain Name System (DNS) infrastructure, a most critical system the Internet depends on, has recently been the target for different DDoS and other cyber-attacks, e.g., the notorious Mirai botnet. While these attacks can be destructive to both recursive and authoritative DNS servers, little is known about how recursive resolvers operate under such attacks (e.g., NXDomain, water-torture). In this paper, we point out a new vulnerability and show an attack, the NXNSAttack, that exploits the way DNS recursive resolvers operate when receiving an NS referral response that contains name-servers but without their corresponding IP addresses (i.e., missing glue-records). We show that the number of DNS messages exchanged in a typical resolution process might be much higher in practice than what is expected in theory, mainly due to a proactive resolution of name-servers' IP addresses. We show how this inefficiency becomes a bottleneck and might be used to mount a devastating attack against ...
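As an added model of the mechanism in this abstract (example code written for this page, not the paper's attack tooling or any resolver's implementation), the block below counts the address lookups a recursive resolver performs to act on one NS referral, distinguishing glued from glueless name-servers, and shows how a referral listing many glueless name-servers under a third party's zone turns one client query into many queries at that zone. The zone names, the one-query-per-address-type accounting, the cap on proactive NS resolution and the `looks_like_nxns` heuristic are all assumptions of the example, not mechanisms stated in the abstract.

```python
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Referral:
    """An NS referral as seen by a recursive resolver (constructed, not captured traffic)."""
    delegated_zone: str                                  # zone being delegated
    nameservers: List[str]                               # NS names the referral lists
    glue: Dict[str, str] = field(default_factory=dict)   # NS name -> address; absent = glueless


def zone_of(name: str) -> str:
    """Zone that must be asked for `name`'s address; modelled here as its parent domain."""
    return name.split(".", 1)[1]


def in_bailiwick(ns: str, zone: str) -> bool:
    """True if the NS name lies inside the delegated zone. Glue is needed there; out of
    bailiwick, missing glue is normal because the parent is not authoritative for the name."""
    return ns == zone or ns.endswith("." + zone)


def queries_for_referral(ref: Referral, max_glueless: Optional[int] = None,
                         rrtypes=("A", "AAAA")) -> Counter:
    """Address lookups a resolver performs to act on one referral, keyed by the zone that
    receives them. Glued names cost nothing; each glueless name costs one query per address
    record type. `max_glueless` models a defensive cap on proactive NS resolution (an assumption
    of this example)."""
    glueless = [ns for ns in ref.nameservers if ns not in ref.glue]
    if max_glueless is not None:
        glueless = glueless[:max_glueless]
    sent = Counter()
    for ns in glueless:
        sent[zone_of(ns)] += len(rrtypes)
    return sent


def attacker_referral(n_ns: int, victim_zone: str = "victim.example",
                      attacker_zone: str = "attacker.example") -> Referral:
    """Referral an attacker-controlled authoritative server could return: many NS names under
    the victim's zone, none with glue, so each forces address queries to the victim."""
    names = ["fake%d.%s" % (i, victim_zone) for i in range(n_ns)]
    return Referral("sub.%s" % attacker_zone, names)


def amplification_factor(n_ns: int, max_glueless: Optional[int] = None,
                         victim_zone: str = "victim.example") -> int:
    """Queries the victim zone receives per single client query that elicits the referral."""
    return queries_for_referral(attacker_referral(n_ns, victim_zone), max_glueless)[victim_zone]


def looks_like_nxns(ref: Referral, max_foreign_glueless: int = 4) -> bool:
    """Operator-side heuristic (an assumption of this example): a referral whose glueless NS
    names are all out of bailiwick, all in one foreign zone, and more numerous than a normal
    delegation needs is treated as suspicious."""
    foreign = [ns for ns in ref.nameservers
               if ns not in ref.glue and not in_bailiwick(ns, ref.delegated_zone)]
    zones = {zone_of(ns) for ns in foreign}
    return len(foreign) > max_foreign_glueless and len(zones) == 1


if __name__ == "__main__":
    print("victim queries per client query, 100 glueless NS:", amplification_factor(100))
    print("same referral under a cap of 2 proactive lookups:", amplification_factor(100, 2))
```

A benign delegation with two out-of-bailiwick name-servers costs a handful of lookups in this model; the attacker's referral costs two per listed name, and because the attacker chooses the referral it also chooses the factor. The cap illustrates why bounding proactive resolution, rather than blocking glueless referrals outright (which are legitimate out of bailiwick), is the lever a resolver has.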
2021 IEEE International Conferences on Internet of Things (iThings) and IEEE Green Computing & Communications (GreenCom) and IEEE Cyber, Physical & Social Computing (CPSCom) and IEEE Smart Data (SmartData) and IEEE Congress on Cybermatics (Cybermatics), 2021
Manufacturer Usage Description (MUD) is a new, whitelist-based cybersecurity standard that was recently proposed by the IETF to cope with the huge attack surface and a constantly increasing number of IoT devices connected to the Internet. MUD allows the IoT manufacturers themselves to publish the legitimate communication patterns of their devices, making it easier for security devices to enforce this policy, filter out non-complying traffic, and block a device in case it has been compromised. Typically, MUD includes a set of legitimate endpoints, specified either by domain names or by IP addresses, along with the legitimate port numbers and protocols. While these descriptions are adequate when IoT devices connect (as clients) to servers (e.g., services in the cloud), they cannot adequately describe the cases where IoT devices act as servers to which endpoints connect. These endpoints (e.g., users' mobile devices) typically do not have fixed IP addresses, nor do they associate with a domain name. In this case, accounting for 78% of IoT devices we have surveyed, MUD degrades nowadays to allow all possible endpoints and cannot mitigate any attack. In this work, we evaluate this phenomenon and show it has a high prevalence today, thus harming dramatically the MUD framework security efficiency. We then present a solution, MUDirect, which enhances the MUD framework to deal with these cases while preserving the current MUD specification. Finally, we have implemented our solution (extending the existing osMUD implementation) and showed that it enables P2P IoT devices protection while having minimal changes to the osMUD code.
NOMS 2020 - 2020 IEEE/IFIP Network Operations and Management Symposium, 2020
In recent years the number of IoT devices in home networks has increased dramatically. Whenever a new device connects to the network, it must be quickly managed and secured using the relevant security mechanism or QoS policy. Thus a key challenge is to distinguish between IoT and NoT devices in a matter of minutes. Unfortunately, there is no clear indication of whether a device in a network is an IoT. In this paper, we propose different classifiers that identify a device as IoT or non-IoT, in a short time scale, and with high accuracy. Our classifiers were constructed using machine learning techniques on a seen (training) dataset and were tested on an unseen (test) dataset. They successfully classified devices that were not in the seen dataset with accuracy above 95%. The first classifier is a logistic regression classifier based on traffic features. The second classifier is based on features we retrieve from DHCP packets. Finally, we present a unified classifier that leverages the advantages of the other two classifiers. We focus on the home-network environment, but our classifiers are also applicable to enterprise networks.
Packet classification is an indispensable building block of numerous Internet applications in the areas of routing, monitoring, security, and multimedia. The routers use a classification database that consists of a set of rules (a.k.a. filters). Each such rule speci-
NOMS 2020 - 2020 IEEE/IFIP Network Operations and Management Symposium, 2020
A new scalable ISP level system architecture to secure and protect all IoT devices in a large number of homes is presented. The system is based on whitelisting, as in the Manufacturer Usage Description (MUD) framework, implemented as a VNF. Unlike common MUD suggestions that place the whitelist application at the home/enterprise network, our approach is to place the enforcement upstream at the provider network, combining an NFV (Network Function Virtualization) with router/switching filtering capabilities, e.g., ACLs. The VNF monitors many home networks simultaneously, and therefore, is a highly-scalable managed service solution that provides both the end customers and the ISP with excellent visibility and security of the IoT devices at the customer premises. The system includes a mechanism to distinguish between flows of different devices at the ISP level despite the fact that most home networks (and their IoT devices) are behind a NAT and all the flows from the same home come out with the same source IP address. Moreover, the NFV system needs to receive only the first packet of each connection at the VNF, and rules space is proportional to the number of unique types of IoT devices rather than the number of IoT devices. The monitoring part of the solution is off the critical path and can also uniquely protect from incoming DDoS attacks. To cope with internal traffic, that is not visible outside the customer premise and often consists of P2P communication, we suggest a hybrid approach, where we deploy a lightweight component at the CPE, whose sole purpose is to monitor P2P communication. As the current MUD solution does not provide a secure solution to P2P communication, we also extend the MUD protocol to deal also with peer-to-peer communicating devices.
A PoC with a large national level ISP proves that our technology works as expected, identifying the various IoT devices that are connected to the network and detecting any unauthorized communications.
NOMS 2020 - 2020 IEEE/IFIP Network Operations and Management Symposium, 2020
This demo focuses on demonstrating features of a new system to protect IoT devices in customer premises at the ISP level. The core of the system is deployed as a Virtual Network Function (VNF) within the ISP network, and is based on the Manufacturer Usage Description (MUD) framework, a white-list IoT protection scheme that has been proposed in recent years. As MUD is designed for on-premise deployment, the system makes the necessary adaptations to enable its deployment outside the customer premise. Moreover, the system includes a mechanism to distinguish between flows of different devices at the ISP level despite the fact that most home networks (and their IoT devices) are behind a NAT and all the flows from the same home come out with the same source IP address. Our demo follows closely a proof-of-concept that we have done with a large national level ISP, showing how our system can identify the various IoT devices that are connected to the network and detecting any unauthorized communications.
IEEE INFOCOM 2017 - IEEE Conference on Computer Communications, 2017
Traditional DDoS anti-spoofing scrubbers require dedicated middleboxes thus adding CAPEX, latency and complexity in the network. This paper starts by showing that the current SDN match-and-action model is rich enough to implement a collection of anti-spoofing methods. Secondly we develop and utilize advanced methods for dynamic resource sharing to distribute the required mitigation resources over a network of switches. None of the earlier attempts to implement anti-spoofing in SDN actually directly exploited the match and action power of the switch data plane. They required additional functionalities on top of the match-and-action model, and are not implementable on an SDN switch as is. Our method builds on the premise that an SDN data path is a very fast and efficient engine to perform low level primitive operations at wire speed. The solution requires a number of flow-table rules and switch-controller messages proportional to the legitimate traffic. To scale when protecting multiple large servers the flow tables of multiple switches are harnessed in a distributed and dynamic network based solution. We have fully implemented all our methods in either OpenFlow 1.5 in Open vSwitch or in P4. The system mitigates spoofed attacks on either the SDN infrastructure itself or on downstream servers.
IEEE INFOCOM 2017 - IEEE Conference on Computer Communications, 2017
Auto-scaling mechanisms are an important line of defense against Distributed Denial of Service (DDoS) in the cloud. Using auto-scaling, machines can be added and removed in an on-line manner to respond to fluctuating load. It is commonly believed that the auto-scaling mechanism casts DDoS attacks into Economic Denial of Sustainability (EDoS) attacks. Rather than suffering from performance degradation up to a total denial of service, the victim suffers only from the economic damage incurred by paying for the extra resources required to process the bogus traffic of the attack. Contrary to this belief, we present and analyze the Yo-Yo attack, a new attack against the auto-scaling mechanism, that can cause significant performance degradation in addition to economic damage. In the Yo-Yo attack, the attacker sends periodic bursts of overload, thus causing the auto-scaling mechanism to oscillate between scale-up and scale-down phases. The Yo-Yo attack is harder to detect and requires less resources from the attacker compared to traditional DDoS. We demonstrate the attack on Amazon EC2 [4], and analyze protection measures the victim can take by reconfiguring the auto-scaling mechanism.
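As an added illustration of the oscillation this abstract describes (example code written for this page, not the paper's experiment and not Amazon EC2's scaling logic), the toy simulator below models a threshold auto-scaler with a boot delay and a scale-in cooldown, then drives it with periodic bursts timed to land just after each scale-in and, for comparison, with a constant flood of the same peak rate. The capacity, thresholds, delays, traffic rates and burst timing are constructed assumptions; the qualitative outcome is the one the abstract states: repeated overload at a fraction of the attacker's traffic, and a mitigation that comes from reconfiguring the scaler.

```python
import math
from dataclasses import dataclass


@dataclass
class ScalerConfig:
    """Threshold auto-scaler parameters (constructed values, not any provider's defaults)."""
    capacity_per_instance: float = 100.0   # requests/s one instance serves
    scale_out_util: float = 0.8            # launch instances when utilisation exceeds this
    scale_in_util: float = 0.4             # scale in after sustained utilisation below this
    boot_delay: int = 60                   # seconds before a launched instance serves traffic
    scale_in_cooldown: int = 120           # seconds of low utilisation required before scaling in
    min_instances: int = 2


@dataclass
class Outcome:
    overload_seconds: int = 0        # seconds in which demand exceeded serving capacity
    dropped_requests: float = 0.0    # requests above capacity, summed over the run
    instance_seconds: int = 0        # billable instance-seconds (running plus booting)
    attack_requests: float = 0.0     # total traffic the attacker had to send


def simulate(cfg: ScalerConfig, legit_rate: float, attack_rate_at, duration: int) -> Outcome:
    """One-second-step model of an auto-scaled service; attack_rate_at(t) is the attacker's
    request rate at second t. Scale-out launches enough instances to bring utilisation under
    scale_out_util; scale-in waits out the cooldown, then shrinks to what the current load needs."""
    ready = cfg.min_instances
    pending = []                     # completion times of instances still booting
    low_util_since = None
    out = Outcome()
    for t in range(duration):
        ready += sum(1 for done in pending if done <= t)
        pending = [done for done in pending if done > t]
        attack = attack_rate_at(t)
        load = legit_rate + attack
        capacity = ready * cfg.capacity_per_instance
        util = load / capacity
        if load > capacity:
            out.overload_seconds += 1
            out.dropped_requests += load - capacity
        out.instance_seconds += ready + len(pending)
        out.attack_requests += attack
        needed = math.ceil(load / (cfg.capacity_per_instance * cfg.scale_out_util))
        if util > cfg.scale_out_util:
            pending.extend([t + cfg.boot_delay] * max(0, needed - ready - len(pending)))
            low_util_since = None
        elif util < cfg.scale_in_util and not pending:
            if low_util_since is None:
                low_util_since = t
            elif t - low_util_since >= cfg.scale_in_cooldown:
                ready = max(cfg.min_instances, min(ready, needed))
                low_util_since = None
        else:
            low_util_since = None
    return out


def yoyo_attack(peak_rate: float, on_seconds: int, off_seconds: int):
    """Periodic bursts: `on_seconds` at peak_rate, then silence for `off_seconds`."""
    period = on_seconds + off_seconds
    return lambda t: peak_rate if t % period < on_seconds else 0.0


def constant_attack(rate: float):
    """Traditional flood at a constant rate."""
    return lambda t: rate


def yoyo_vs_constant(duration: int = 955, scale_in_cooldown: int = 120):
    """Run the Yo-Yo pattern and a constant flood of the same peak against the same scaler.
    The burst outlasts boot_delay and the pause just exceeds the cooldown, so every burst hits
    a freshly scaled-in service. Returns (yoyo_outcome, constant_outcome)."""
    cfg = ScalerConfig(scale_in_cooldown=scale_in_cooldown)
    legit = 150.0                                   # steady legitimate load: 2 instances at 75%
    yoyo = simulate(cfg, legit, yoyo_attack(600.0, 70, 121), duration)
    const = simulate(cfg, legit, constant_attack(600.0), duration)
    return yoyo, const


if __name__ == "__main__":
    yoyo, const = yoyo_vs_constant()
    print("yo-yo   :", yoyo)
    print("constant:", const)
    print("yo-yo with a 400 s scale-in cooldown:", yoyo_vs_constant(scale_in_cooldown=400)[0])
```

With these parameters the constant flood overloads the service only during the first boot delay and then merely inflates the bill, while the Yo-Yo pattern re-creates that overload window on every burst while sending roughly a third of the traffic. Lengthening the scale-in cooldown past the attacker's pause keeps the extra instances running through the next burst, which removes the repeated overload at the price of paying for them continuously; that trade-off is what the reconfiguration discussed in the abstract has to balance.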