SGuard: Security Architectures and Algorithms for Overlay Network Services 1

Description

Overlay network computing systems and applications have continued to evolve over the past five years, ranging from SETI@Home and music sharing systems to more sophisticated applications, including file storage systems, publish-subscribe systems, and Skype-like voice over IP (VoIP) systems. The overlay network computing model provides many opportunities for information dissemination across different organizational boundaries, heterogeneous platforms, and a large, dynamic population of users and has shown the potential to become a prominent network computing paradigm for massively distributed applications. However, decentralized overlay network computing models also confront with various vulnerabilities and risks that impede such a new computing paradigm from being widely deployed in mission critical business systems and applications. There are three important security challenges for the overlay network service model: (i) confidentiality and integrity, (ii) authenticity, and (iii) availability. A curious node on the overlay network may threaten the confidentiality of application data. Using untrusted overlay nodes to deliver services threatens the authenticity of the service. Spamming, flooding and message dropping based denial of service (DoS) attacks may compromise the availability of the service.

The SGuard project focuses on architectures and algorithms for building secure and scaleable information dissemination services on wide area overlay networks. Our research is conducted in three stages. First, we study application independent vulnerabilities and risks in overlay network computing models, focusing on targeted attacks on topology and peer to peer communication protocols. Second, we investigate on application specific vulnerabilities and security requirements for two important types of distributed information dissemination applications: event-driven publish-subscribe systems (push model) and file storage systems (pull model). In the third stage, we focus on developing security architecture and mechanisms for securing overlay network services against targeted attacks at the overlay network system layer, including failure and attack resilient overlay network topology and secure overlay routing protocols.

The ultimate goal of this project is to develop a secure architecture and a set of efficient algorithms to secure wide-area overlay network services. We refer to our architecture development as SGuard. SGuard comprises of a suite of security guards that can be seamlessly plugged into an overlay network service. Two categories of security guards are provided: the application independent security guards are used to guarantee availability and authenticity. In addition, SGuard includes an application independent key dissemination mechanism for secure and scaleable distribution of keys to a large and dynamic population of users. Given that the application independent guards for maintaining data confidentiality essentially reduce to secure multi-party computation (SMPC) protocols, which unfortunately are known to be inefficient and hard to scale. In SGuard, we resort to application specific techniques to guarantee data confidentiality and integrity. SGuard uses application specific guards to guarantee confidentiality and integrity for publish-subscribe overlay service and file storage service. We are building prototype implementations of several security guards to show that SGuard is easily stackable on an overlay network service. Our experimental results so far indicate that one can secure an overlay network service while preserving its performance and scalability metrics.

Detailed description available as [PDF]

Conference Publications

  • Mudhakar Srivatsa and Ling Liu, "Secure Event Dissemination in Content-Based Publish-Subscribe Networks" , To appear in the Proceedings of 27th IEEE International Conference on Distributed Computing Systems (ICDCS 2007)
  • Aameek Singh, Mudhakar Srivatsa and Ling Liu, "Efficient and Secure Search of Enterprise Data Repositories", To appear in the Proceedings of IEEE International Conference on Web Services (ICWS 2007)
  • Mudhakar Srivatsa, Arun Iyengar, Thomas Mikalsen, Isabelle Rouvellou and Jian Yin, "An Access Control Model for Web Service Compositions", To appear in the Proceedings of IEEE International Conference on Web Services (ICWS 2007)
  • Mudhakar Srivatsa, Arun Iyengar, Jian Yin and Ling Liu, "A Middleware System for Protecting Against Application Level Denial of Service Attacks" , In the Proceedings of 7th ACM/IFIP/USENIX International Middleware Conference (Middleware 2006)
  • Mudhakar Srivatsa, Arun Iyengar, Jian Yin and Ling Liu, "A Client-Transparent Approach to Defend Against Denial of Service Attacks", In the Proceedings of 25th IEEE Symposium on Reliable Distributed Systems (SRDS 2006)
  • Mudhakar Srivatsa and Ling Liu, "Key Derivation Algorithms for Monotone Access Structures in Cryptographic File Systems" , In the Proceeding of 11th European Symposium on Research in Computer Security (ESORICS 2006)
  • Mudhakar Srivatsa and Ling Liu, "Securing Publish-Subscribe Overlay Services With EventGuard" , In the Proceedings 12th ACM Conference on Computer and Communication Security (ACM CCS 2005)
  • Mudhakar Srivatsa and Ling Liu, "Countering Targeted File Attacks using Location Keys" , In the Proceedings of 14th USENIX Security Symposium (USENIX Security 2005)
  • Sungkeun Park, Ling Liu, Calton Pu, Mudhakar Srivatsa, Jianjun Zhang, "Resilient Trust Management for Web Service Integration" , In the Proceedings of 3rd International Conference on Web Services (ICWS 2005).
  • Mudhakar Srivatsa, Li Xiong and Ling Liu, "TrustGuard: Countering Vulnerabilities in Reputation Management for Decentralized Overlay Networks" , In the Proceedings of 14th World Wide Web Conference (WWW 2005).
  • Mudhakar Srivatsa, Li Xiong and Ling Liu, "XChange: A Distributed Protocol for Electronic Fair-Exchange" , In the Proceedings of 19th IEEE International Parallel and Distributed Processing Symposium (IPDPS 2005).
  • Mudhakar Srivatsa and Ling Liu, "Vulnerabilities and Security Threats in Structured Overlay Networks: A Quantitative Analysis" , In the Proceedings of the 20th IEEE Annual Computer Security Applications Conference (ACSAC 2004)
  • Mudhakar Srivatsa, Ling Liu and Arun Iyengar, "Caller Identification Attacks on VoIP Networks", under submission.
  • Mudhakar Srivatsa and Ling Liu, "Privacy in VoIP Networks: A k-Anonymity Approach", under preparation.
  • Mudhakar Srivatsa, Arun Iyengar, Jian Yin and Ling Liu, "Scalable Key Management Algorithms for Spatio-Temporal Access Control", under preparation.

    • Workshop Publications

  • Mudhakar Srivatsa, James Caverlee and Ling Liu, "Security Architectures and Algorithms for Publish-Subscribe Network Services" , In the Proceedings 2nd Cyber Security and Information Infrastructure Research Workshop (CSIIRW 2006)
  • James Caverlee, Mudhakar Srivatsa and Ling Liu, "Countering Web Spam Using Link-Based Analysis" , In the Proceedings 2nd Cyber Security and Information Infrastructure Research Workshop (CSIIRW 2006)

    • Journal Publications

  • Mudhakar Srivatsa and Ling Liu "EventGuard: A Dependable System Architecture for securing Publish-Subscribe Networks", Submitted to IEEE TDSC.
  • Mudhakar Srivatsa and Ling Liu, "Securing Decentralized Reputation Management using TrustGuard", To Appear in the Proceedings of Journal of Parallel and Distributed Computing (JPDC) Special Issue on Security in Grid and Distributed Systems.
  • Mudhakar Srivatsa and Ling Liu, "DHTGuard: Security Threats in Structured Overlay Networks", To Appear in the Proceedings of Springer International Journal of Information Security.

    • Patents Filed

  • Mudhakar Srivatsa, "System and Method for Temporal Access Control", with Arun Iyengar and Jian Yin.
  • Mudhakar Srivatsa, "System and Method for Access Control in Web Service Compositions", with Arun Iyengar, Thomas Mikalsen, Isabelle Rouvellou and Jian Yin, Rated File.
  • Mudhakar Srivatsa, "A Client-Transparent Approach to Defend against Denial of Service Attacks", with Arun Iyengar and Jian Yin, Rated File.
  • Mudhakar Srivatsa, "Protecting against Application Level Denial of Service Attacks", with Arun Iyengar and Jian Yin, Rated File.

    • Technical Reports

  • Mudhakar Srivatsa and Ling Liu, "Key Derivation Algorithms for *nix-like Access Structures in Cryptographic File Systems", GIT-CERCS-04-11, Georgia Tech, 2004.
  • Mudhakar Srivatsa and Ling Liu, "Efficient Group Key Management for Large Scale Overlay Networks", GIT-CERCS-05-08, Georgia Tech, 2005.
  • Mudhakar Srivatsa and Ling Liu, "Scalable Access Control in Content-Based Publish-Subscribe Systems", GIT-CERCS-06-05, Georgia Tech 2006.

    • 1This research is partially supported by NSF CNS CCR, NSF ITR, DoE SciDAC, DARPA, CERCS Research Grant, IBM Faculty Award, IBM SUR grant, HP Equipment Grant, and LLNL LDRD. Any opinions, findings, and conclusions or recommendations expressed in the project material are those of the authors and do not necessarily reflect the views of the sponsors.