Person:
Natarajan, Sriram

Job Title
Faculty Member
Last Name
Natarajan
First Name
Sriram
Discipline
Digital Communications and Networking
Systems and Communications

  • Publication
    Security Issues in Network Virtualization for the Future Internet
    (2012-09-01) Natarajan, Sriram
    Network virtualization promises to play a dominant role in shaping the future Internet by overcoming the Internet ossification problem. Since a single protocol stack cannot accommodate the requirements of diverse application scenarios and network paradigms, it is evident that multiple networks should co-exist on the same network infrastructure. Network virtualization supports this feature by hosting multiple, diverse protocol suites on a shared network infrastructure. Each hosted virtual network instance can dynamically instantiate a custom set of protocols and functionalities on the resources (e.g., link bandwidth, CPU, memory) allocated from the network substrate. As this technology matures, it is important to consider the security issues and develop efficient defense mechanisms against potential vulnerabilities in the network architecture. The architectural separation of network entities (i.e., network infrastructures, hosted virtual networks, and end-users) introduces a set of attacks that are to some extent different from what can be observed in the current Internet. Each entity is driven by different objectives, and hence it cannot be assumed that they always cooperate to ensure all aspects of the network operate correctly and securely. Instead, the network entities may behave in a non-cooperative or malicious way to gain benefits. This work proposes a set of defense mechanisms that address the following challenges: 1) How can the network virtualization architecture ensure anonymity and user privacy (i.e., confidential packet forwarding functionality) when virtual networks are hosted on third-party network infrastructures? 2) With the introduction of flexibility in customizing the virtual network and the need for intrinsic security guarantees, can there be a virtual network instance that effectively prevents unauthorized network access by curbing attack traffic close to its source and ensuring that only authorized traffic is transmitted?
    To address the above challenges, this dissertation proposes multiple defense mechanisms. In a typical virtualized network, the network infrastructure and the virtual network are managed by different administrative entities that may not trust each other, raising the concern that an honest-but-curious network infrastructure provider may snoop on traffic sent by the hosted virtual networks. In such a scenario, the virtual network might hesitate to disclose operational information (e.g., source and destination addresses of network traffic, routing information, etc.) to the infrastructure provider. However, the network infrastructure does need sufficient information to perform packet forwarding. We present Encrypted IP (EncrIP), a protocol for encrypting IP addresses that hides information about the virtual network while still allowing packet forwarding with the longest-prefix matching techniques implemented in commodity routers. Using probabilistic encryption, EncrIP prevents an observer from identifying which traffic belongs to the same source-destination pair. Our evaluation results show that EncrIP requires only a few MB of memory on the gateways where traffic enters and leaves the network infrastructure. In our prototype implementation of EncrIP on GENI, which uses the standard IP header, the success probability of a statistical inference attack that identifies packets belonging to the same session is less than 0.001%. Therefore, we believe EncrIP presents a practical solution for protecting privacy in virtualized networks. While virtualizing the infrastructure components introduces flexibility by allowing the protocol stack to be reprogrammed, it doesn't directly solve the security issues that are encountered in the current Internet. On the contrary, the architecture increases the chances of additive vulnerabilities, thereby enlarging the attack surface available for launching attacks.
    Therefore, it is important to consider a virtual network instance that ensures only authorized traffic is transmitted and that attack traffic is squelched as close to its source as possible. Network virtualization provides an opportunity to host a network that can guarantee such high levels of security, thereby protecting both the end systems and the network infrastructure components (i.e., routers, switches, etc.). In this work, we introduce a virtual network instance built on a capabilities-based network, which presents a fundamental shift in the security design of network architectures. Instead of permitting the transmission of packets from any source to any destination, routers deny forwarding by default. For a successful transmission, packets need to positively identify themselves and their permissions to each router in the forwarding path. The proposed capabilities-based system uses packet credentials based on Bloom filters. This high-performance design of capabilities makes it feasible to verify traffic on every router in the network, so that most attack traffic can be contained within a single hop. Our experimental evaluation confirms that less than one percent of attack traffic passes the first hop and that the performance overhead can be as low as 6% for large file transfers. Next, to identify packet forwarding misbehaviors in network virtualization, a controller-based misbehavior detection system is discussed as part of the future work. Overall, this dissertation introduces novel security mechanisms that can be instantiated as inherent security features in the network architecture for the future Internet. The technical challenges in this dissertation involve solving problems from computer networking, network security, principles of protocol design, probability and random processes, and algorithms.
  • Publication
    Surgnet: An Integrated Surgical Data Transmission System over Collaborative Networks
    (2009-01-01) Natarajan, Sriram
    Telesurgery relies on fast and reliable data transmission between the surgeon and the tele-operator side over lossy and delay-constrained networks. Medical data involves audio, video, ECG and force feedback data. When these media streams are transmitted through best-effort networks, the temporal information is affected by network constraints. The major source of network degradation is the force feedback device, whose rendering rate of 1 KHz means that data is generated every millisecond. In our proposal we concentrate on improving the synchronization of the force feedback device under varying network conditions. Force feedback data is generated by operating a source (surgical) device which controls the movement of a remote device. It has great potential for improving telemedicine facilities when combined with support for different multimedia services. The channel imposes delay and packet loss constraints on such devices which, unlike audio or video media, require unique solutions due to the high rendering rate. Current research supports force feedback over fiber-optic communication and packet-switched networks. However, such schemes are not feasible for supporting a surgical telepresence system. While efforts have been made to support force feedback media in the wireless medium, few works have addressed delay synchronization and loss of data. No previous work has attempted to provide an efficient integrated solution in which video and force feedback information are supported by the same network. This thesis focuses on providing an integrated architecture that supports force feedback data over a collaborative network and improves data synchronization and packet loss prediction on the remote side over a varying network link. The goal is to evaluate the support for such data types. We have implemented a Linear Packet Predictor Algorithm which predicts the value of a missing packet. Data generated from the source device is sent as UDP packets.
    UDP transmission is unreliable, and hence we use RTP over UDP to make it reliable. Each packet carries the current position of the device and the force applied. We use a Microsoft Sidewinder Force Feedback joystick. The handle of the joystick is located at the center of the base, so we record the position of the device on both the positive and negative axes as it moves in a two-dimensional space. This device provides rotational movement, and hence drastic changes in position occur within milliseconds. Once a packet arrives at the receiver side, the control unit checks the sequence number of the packet. If continuity is missing, the control unit passes the packet to the predictor algorithm, which predicts the missing packet; otherwise it directly passes the packet to the Virtual Time Rendering Algorithm. Another major issue is delay jitter. On the source (server) side the inter-packet time difference is 1 msec. But due to varying delay in the network, the data packets arrive at the receiver with a fluctuating inter-packet time difference. To counter the delay jitter effect, we implement the Virtual Time Rendering algorithm, which reads the timestamp at which the packet was generated at the source and modifies the update time on the receiver side. In our work we do not control another device on the remote side, but rather an applet developed using a Virtual Reality Markup Language in Matlab. Another challenge that arises when other multimedia is introduced alongside force feedback is intra-media synchronization. Real-time video is captured on the applet side and given as feedback to the server side to improve the interactivity of the application. At every instant in time, the different multimedia sources produce data to be updated at the remote end. Since all of this information is interdependent in time with the other media, efficient intra-media synchronization is required.
    This thesis also focuses on providing an architecture which not only supports force feedback data but also has a multiplexed model that allows efficient transmission of all surgical information in real time. Each data type occupies a significant part of the network bandwidth, and the effect of multiplexing might affect the synchronization scheme of the force feedback device. Our architecture supports the efficient transmission of all types of multimedia information while also maintaining the synchronization of the scheme. This method is unique in its methodical approach to supporting different multimedia information.