
Author Search Result

[Author] Youki KADOBAYASHI (14 hits)
  • Performance Study and Deployment Strategies on the Sender-Initiated Multicast

    Vasaka VISOOTTIVISETH, Hiroyuki KIDO, Katsuyoshi IIDA, Youki KADOBAYASHI, Suguru YAMAGUCHI

    PAPER
    Vol: E88-B No:4
    Page(s): 1383-1394

    Although IP Multicast offers efficient data delivery for large group communications, the most critical issue delaying widespread deployment of IP Multicast is the scalability of multicast forwarding state as the number of multicast groups increases. Sender-Initiated Multicast (SIM) was proposed as an alternative multicast forwarding scheme for small group communications with incremental deployment capability. The key feature of SIM is its Preset mode with the automatic SIM tunneling function, which maintains forwarding information state only on the branching routers. To demonstrate how SIM increases scalability with respect to the number of groups, in this paper we evaluate the proposed protocol both through simulations and real experiments. From the network operator's point of view, the bandwidth consumption, the memory requirements for state and signaling per session in routers, and the processing overhead are considered as evaluation parameters. Finally, we investigated the strategies for incremental deployment.

  • Handover Management for VoWLAN Based on Estimation of AP Queue Length and Frame Retries

    Muhammad NISWAR, Shigeru KASHIHARA, Kazuya TSUKAMOTO, Youki KADOBAYASHI, Suguru YAMAGUCHI

    PAPER-Wireless Network
    Vol: E92-D No:10
    Page(s): 1847-1856

    Switching a communication path from one Access Point (AP) to another in inter-domain WLANs is a critical challenge for delay-sensitive applications such as Voice over IP (VoIP), because communication quality during handover (HO) is likely to deteriorate. To maintain VoIP quality during HO, we need to solve many problems. In particular, in bi-directional communication such as VoIP, an AP becomes a bottleneck as the number of VoIP calls increases. As a result, packets queued in the AP buffer may experience a large queuing delay or packet losses due to an increase in queue length or buffer overflow, thereby degrading VoIP quality on the Mobile Node (MN) side. To avoid this degradation, MNs need to appropriately and autonomously execute HO in response to changes in the wireless network condition, i.e., the deterioration of wireless link quality and the congestion state at the AP. In this paper, we propose an HO decision strategy that considers frame retries, AP queue length, and transmission rate at an MN for maintaining VoIP quality during HO. Through simulation experiments, we then show that our proposed method can maintain VoIP quality during HO by properly detecting the wireless network condition.

  • A Layer-2 Extension to Hash-Based IP Traceback

    Hiroaki HAZEYAMA, Masafumi OE, Youki KADOBAYASHI

    PAPER
    Vol: E86-D No:11
    Page(s): 2325-2333

    Hash-based IP traceback is a technique to generate audit trails for traffic within a network. Using the audit trails, it reconstructs not only the true attack paths of a Distributed Denial of Service attack (DDoS attack), but also the true path of a single packet attack. However, hash-based IP traceback cannot identify attacker nodes themselves because it has no audit trail on the subnet's layer-2 network under the detected leaf router, which is the nearest node to an attacker node on a layer-3 network. We propose a layer-2 extension to hash-based IP traceback, which stores two identifiers with packets' audit trails while reducing the memory requirement for storing identifiers. One of these identifiers shows the leaf router's interface through which an attacking packet came, and the other represents the ingress port on a layer-2 switch through which the attacking packet came. We implement a prototype on FreeBSD and evaluate it in a preliminary experiment.

  • Adaptive Bloom Filter: A Space-Efficient Counting Algorithm for Unpredictable Network Traffic

    Yoshihide MATSUMOTO, Hiroaki HAZEYAMA, Youki KADOBAYASHI

    PAPER-Network Security
    Vol: E91-D No:5
    Page(s): 1292-1299

    The Bloom Filter (BF), a space- and time-efficient hash-coding method, is used as one of the fundamental modules in several network processing algorithms and applications such as route lookups, cache hits, packet classification, per-flow state management and network monitoring. BF is a simple space-efficient randomized data structure used to represent a data set in order to support membership queries. However, BF generates false positives, and cannot count the number of distinct elements. A counting Bloom Filter (CBF) can count the number of distinct elements, but CBF needs more space than BF. We propose an alternative data structure to CBF, which we call an Adaptive Bloom Filter (ABF). Although ABF uses the same-sized bit-vector as BF, the number of hash functions employed by ABF is changed dynamically to record the number of appearances of each key element. Taking hash collisions into account, the multiplicity of each key element in ABF can be estimated from the number of hash functions used to decode the membership of that key element. Although ABF realizes the same functionality as CBF, ABF requires only the same memory size as BF. We describe the construction of ABF and IABF (Improved ABF), and provide a mathematical analysis and simulation using Zipf's distribution. Finally, we show that ABF can be used for an unpredictable data set such as real network traffic.

  • A Step towards Static Script Malware Abstraction: Rewriting Obfuscated Script with Maude

    Gregory BLANC, Youki KADOBAYASHI

    PAPER
    Vol: E94-D No:11
    Page(s): 2159-2166

    Modern web applications incorporate many programmatic frameworks and APIs that are often pushed to the client side along with most of the application logic, while contents are the result of mashing up several resources from different origins. Such applications are threatened by attackers who often attempt to inject, directly or by leveraging a stepping-stone website, script code that performs malicious operations. Web-script-based malware proliferation is becoming more and more industrialized, with the drawbacks and advantages that characterize such an approach: on one hand, we are witnessing a lot of samples that exhibit the same characteristics, which makes them easy to detect, while on the other hand, professional developers are continuously developing new attack techniques. While obfuscation is still a debated issue within the community, it is becoming clear that, with new schemes being designed, this issue cannot be ignored anymore. Because many proposed countermeasures admit that they perform better on unobfuscated contents, we propose a 2-stage technique that first relieves the burden of obfuscation by emulating the deobfuscation stage, and then performs a static abstraction of the analyzed sample's functionalities in order to reveal its intent. We support our proposal with evidence from applying our technique to real-life examples and discuss performance in terms of time, as well as other possible applications of the proposed techniques in the areas of web crawling and script classification. Additionally, we claim that such an approach can be generalized to other scripting languages similar to JavaScript.

  • Expediting Experiments across Testbeds with AnyBed: A Testbed-Independent Topology Configuration System and Its Tool Set

    Mio SUZUKI, Hiroaki HAZEYAMA, Daisuke MIYAMOTO, Shinsuke MIWA, Youki KADOBAYASHI

    PAPER-Network Architecture and Testbed
    Vol: E92-D No:10
    Page(s): 1877-1887

    Building an experimental network within a testbed has been a tiresome process for experimenters, due to the complexity of physical resource assignment and the configuration overhead. Also, the process could not be expedited across testbeds, because the syntax of a configuration file varies depending on the specific hardware and software. Re-configuration of an experimental topology for each testbed wastes time; at worst, an experimenter cannot carry out his/her experiments during the limited lease time of a testbed. In this paper, we propose AnyBed, an experimental network-building system. The conceptual idea of AnyBed is: "If experimental network topologies can be portable across any kind of testbed, then it would expedite building an experimental network on a testbed while manipulating experiments with each testbed's support tool". To achieve this concept, AnyBed divides an experimental network configuration into the logical and physical network topologies. By mapping these two topologies, AnyBed can build the intended logical network topology on any PC cluster. We have evaluated the AnyBed implementation using two distinct clusters. The evaluation result shows that a BGP topology with 150 nodes can be constructed on a large-scale testbed in less than 113 seconds.

  • Reducing Processor Usage on Heavily-Loaded Network Servers with POSIX Real-Time Scheduling Control

    Eiji KAWAI, Youki KADOBAYASHI, Suguru YAMAGUCHI

    PAPER-System Programs
    Vol: E88-D No:6
    Page(s): 1168-1177

    Polling I/O mechanisms on the Unix platform such as select() and poll() cause high processing overhead when they are used in a heavily-loaded network server with many concurrent open sockets. Such a large waste of processing power causes not only service degradation but also various troubles such as high electric power consumption and worsened MTBF of server hosts. It is thus a serious issue, especially for large-scale service providers such as an Internet data center (iDC) where a great number of heavily-loaded network servers are operated. As a solution to this problem, we propose a technique of fine-grained control over the invocation intervals of the polling I/O function. The uniqueness of this study is the use of POSIX real-time scheduling to enable the fine-grained execution control. Although earlier solutions such as an explicit event delivery mechanism also addressed the problem, they require major modification of the OS kernel and a transition from the traditional polling I/O model to the new explicit event-notification model. In contrast, our technique can be implemented at low cost because it only inserts a few small blocks of code into the server program and does not require any modification of the OS kernel.

  • Issues in Augmenting Diffserv to Meet Application's CoS Requirements

    Youki KADOBAYASHI, Shinji SHIMOJO

    INVITED PAPER
    Vol: E83-D No:5
    Page(s): 965-971

    The increasing diversity of Internet applications necessitates an extended Internet architecture that can differentiate the forwarding treatment of different types of flows. Diffserv can be a solution to this problem when it is augmented by several additional components. In this paper we describe various issues and possible directions in augmenting Diffserv. We present our analysis of the Diffserv architecture, anticipated developments to augment the Diffserv architecture, and potential applications of Diffserv.

  • Multi-Path Transmission Algorithm for End-to-End Seamless Handover across Heterogeneous Wireless Access Networks

    Shigeru KASHIHARA, Katsuyoshi IIDA, Hiroyuki KOGA, Youki KADOBAYASHI, Suguru YAMAGUCHI

    PAPER-Mobile Networking
    Vol: E87-B No:3
    Page(s): 490-496

    In future mobile networks, new technologies will be needed to enable a mobile host to move across heterogeneous wireless access networks without disruption of the connection. In the past, many researchers have studied handover in such IP networks. In almost all cases, special network devices are needed to maintain the host's mobility. Moreover, a host cannot move across heterogeneous wireless access networks without degradation of the goodput for real-time communication, even though a mobile host with multiple network interfaces can connect to multiple wireless access networks. For these reasons, we consider that a mobile host needs to manage seamless handover on an end-to-end basis. In this paper, we propose a multi-path transmission algorithm for end-to-end seamless handover. The main purpose of this algorithm is to improve the goodput during handover by sending the same packets along multiple paths while minimizing unnecessary consumption of network resources. We evaluate our algorithm through simulations and show that a mobile host gains a better goodput.

  • FOREWORD

    Hiroshi ESAKI, Naoaki YAMANAKA, Youki KADOBAYASHI, Kaori MAEDA, Kenichi NAGAMI, Motonori NAKAMURA, Koji OKAMURA, Atsushi SHIONOZAKI, Suguru YAMAGUCHI

    FOREWORD
    Vol: E86-B No:2
    Page(s): 461-463

  • Detecting Anomalies in Massive Traffic Streams Based on S-Transform Analysis of Summarized Traffic Entropies

    Sirikarn PUKKAWANNA, Hiroaki HAZEYAMA, Youki KADOBAYASHI, Suguru YAMAGUCHI

    PAPER-Internet Operation and Management
    Publicized: 2014/12/11
    Vol: E98-D No:3
    Page(s): 588-595

    Detecting traffic anomalies is an indispensable component of an overall security architecture. As the Internet and traffic data carrying more sophisticated attacks grow exponentially, preserving security with signature-based traffic analyzers, or with analyzers that do not support massive traffic, is no longer sufficient. In this paper, we propose a novel method that combines the sketch technique with S-transform analysis for detecting anomalies in massive traffic streams. The method does not require any prior knowledge such as attack patterns or models representing normal traffic behavior. To detect anomalies, we summarize the entropy of traffic data over time and maintain the summarized data in sketches. The entropy fluctuation of the traffic data aggregated into the same bucket is observed with the S-transform to detect spectral changes, which are referred to as anomalies in this work. We evaluated the performance of the method on real-world backbone traffic collected at a transit link between the United States and Japan, in terms of both accuracy and false positive rate. We also explored the influence of the method's parameters on detection performance. Furthermore, we compared the performance of our method to S-transform-based and Wavelet-based methods. The results demonstrated that our method was capable of detecting anomalies and outperformed both methods. We also found that our method was not sensitive to its parameter settings.

  • Client Honeypot Multiplication with High Performance and Precise Detection

    Mitsuaki AKIYAMA, Takeshi YAGI, Youki KADOBAYASHI, Takeo HARIU, Suguru YAMAGUCHI

    PAPER-Attack Monitoring & Detection
    Vol: E98-D No:4
    Page(s): 775-787

    We investigated client honeypots for detecting and circumstantially analyzing drive-by download attacks. A client honeypot requires both improved inspection performance and in-depth analysis for inspecting and discovering malicious websites. However, OS overhead in recent client honeypot operation cannot be ignored when improving honeypot multiplication performance. We propose a client honeypot system that combines multi-OS and multi-process honeypot approaches, and we implemented this system to evaluate its performance. The process sandbox mechanism, a security measure for our multi-process approach, provides a virtually isolated environment for each web browser. It prevents system alteration by a compromised browser process through I/O redirection of file/registry access. To solve the inconsistency problem of the file/registry view caused by I/O redirection, our process sandbox mechanism enables the web browser and its corresponding plug-ins to share a virtual system view. Therefore, it enables multiple processes to run simultaneously on a single OS without interference between processes. In a field trial, we confirmed that our multi-process approach was three or more times faster than a single process, and that our multi-OS approach improved system performance linearly with the number of honeypot instances. In addition, our long-term investigation indicated that 72.3% of exploitations target browser-helper processes. If a honeypot restricts all process creation events, it cannot identify an exploitation targeting a browser-helper process. In contrast, our process sandbox mechanism permits the creation of browser-helper processes, so it can identify these types of exploitations without false negatives. Thus, our proposed system with these multiplication approaches improves performance efficiency and enables in-depth analysis on high-interaction systems.

  • An Early Experience in Content Internetworking with Content Routing Network

    Youki KADOBAYASHI, Satoshi ABE, Yasuhiro OHARA, Masaki MINAMI

    PAPER-CDN
    Vol: E86-B No:2
    Page(s): 553-561

    This paper presents an architecture for content internetworking, which we call the CRN (Content Routing Network) architecture. The CRN architecture differs from other content internetworking architectures in many respects: the peering of authentication, authorization and accounting systems, hierarchical and policy-driven request routing, and a web-based system to interconnect distinct CDNs. Both the requirements and the functional architecture of CRN are presented, followed by a description of its prototype implementation. CRN is designed to satisfy both content providers' service requirements and service providers' economic/operational requirements. A prototype implementation has been deployed successfully in one of the biggest live-streaming experiments.

  • Comprehensive Survey of IPv6 Transition Technologies: A Subjective Classification for Security Analysis

    Gábor LENCSE, Youki KADOBAYASHI

    SURVEY PAPER-Internet
    Publicized: 2019/04/08
    Vol: E102-B No:10
    Page(s): 2021-2035

    Due to the depletion of the public IPv4 address pool, the transition to IPv6 became inevitable. However, this ongoing transition is taking a long time, and the two incompatible versions of the Internet Protocol must coexist. Different IPv6 transition technologies were developed to enable communication in various scenarios, but they also introduce additional security issues. In this paper, we first introduce our methodology for analyzing the security of IPv6 transition technologies in a nutshell. Then, we develop a priority classification method for ranking the different IPv6 transition technologies and their most important implementations, so that the vulnerabilities of the most crucial ones may be examined first. Next, we conduct a comprehensive survey of the existing IPv6 transition technologies by describing their application scenarios and the basics of their operation, and we also determine the priorities of their security analysis according to our ranking system. Finally, we show that the IPv6 transition technologies to which we gave high priority cover the most relevant scenarios.