-- Sharad Agarwal, sagarwal@cs.berkeley.edu
``Why We Don't Know How To Simulate The Internet'', Paxson, V. and Floyd, S., Under review, October 1999.
Simulations
- Explore a constructed, abstracted model of the world
- "Reality Check", challenge implicit assumptions, challenge analysis, simulate intractable analysis
- Avoid success disasters
- Escape & spread of protocols / programs at an alarming rate
- HTTP
- Risk of oversimplification
- Need verification
Internet is hard to simulate
- Heterogeneous (different policies, networking stack behaviours, etc.), thanks to IP's tolerant nature
- Topology
- Changing
- Nobody willing to allow anal probes
- Links
- Slow modems --> fiber links
- Point-to-point vs broadcast
- wired vs wireless vs satellite
- Dynamic routing, asymmetric routing
- Protocol
- Traffic
  - Can't model typical traffic
  - Can't use a trace because it is not TCP-adaptive
  - Can't use a trace/source because it is not human-adaptive
- BIG - 55 million (06/99)
How do we determine this? Used IP addrs? What about NAT? Firewalls?
- Range of heterogeneity is large
- Scaling
- Rapidly changing
- 65%/yr growth
- USENET 80%/yr
- LBNL connections 54%/yr
- Variation in FTP size, MBone usage
- Will evolve over time
- Pricing
- Fair scheduling
- QoS
- Wireless
- Native multicast
- More WWW caching
- New app (telephony, games - Sims online)
Coping Strategies
- Invariants: some facet that has been empirically shown to hold in a wide range of environments
- Diurnal patterns of activity
- Self-similarity, fractalness
- Poisson arrivals
- log(duration or size) is Gaussian
- Heavy tailed distributions
- Invariant distribution of Telnet packets
- Invariants of topology
- Continents
- Speed of Light
- Explore behaviour while varying parameters, measure sensitivity
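An added example (not from the Paxson/Floyd paper or these notes) that exercises two of the coping strategies above on constructed data: it checks the heavy-tail invariant by comparing how much of the total "bytes" the largest 1% of samples carry under a Pareto size model versus an exponential model with the same mean, and it runs the vary-a-parameter-and-measure-sensitivity strategy over the Pareto shape alpha. The analytic top-share formula fraction**(1 - 1/alpha) is the Lorenz-curve result for the Pareto distribution and is included so the simulation can be verified against it; the sample sizes, seeds and alpha values are assumptions.

```python
"""Heavy-tail invariant check and parameter sensitivity sweep (constructed example)."""
import math
import random


def pareto_sizes(n, alpha, xm=1.0, seed=1):
    """n samples from Pareto(alpha, xm): a heavy-tailed model for transfer sizes."""
    rng = random.Random(seed)
    return [xm * rng.paretovariate(alpha) for _ in range(n)]


def exponential_sizes(n, mean, seed=1):
    """n samples with the same mean but a light (exponential) tail, for contrast."""
    rng = random.Random(seed)
    return [rng.expovariate(1.0 / mean) for _ in range(n)]


def pareto_mean(alpha, xm=1.0):
    """Analytic mean of Pareto(alpha, xm); infinite when alpha <= 1."""
    return math.inf if alpha <= 1 else alpha * xm / (alpha - 1)


def top_share(sizes, fraction=0.01):
    """Fraction of the total carried by the largest `fraction` of the samples.

    Under a heavy tail a handful of samples carry much of the mass, which is
    why a single "typical" flow or file size is not a meaningful parameter.
    """
    ordered = sorted(sizes, reverse=True)
    k = max(1, int(len(ordered) * fraction))
    return sum(ordered[:k]) / sum(ordered)


def pareto_top_share_analytic(alpha, fraction=0.01):
    """Exact top-`fraction` share for Pareto(alpha): fraction ** (1 - 1/alpha)."""
    return fraction ** (1.0 - 1.0 / alpha)


def sensitivity_sweep(alphas, n=20000):
    """Top-1% share as alpha varies with every other parameter held fixed.

    Returns {alpha: share}; a result that swings widely across plausible
    alphas is one the simulation cannot be trusted to settle.
    """
    return {alpha: top_share(pareto_sizes(n, alpha)) for alpha in alphas}


if __name__ == "__main__":
    alpha = 1.1  # assumed shape; heavier tail than most measured size distributions
    heavy = pareto_sizes(20000, alpha)
    light = exponential_sizes(20000, pareto_mean(alpha))
    print(f"Pareto(alpha={alpha})  top-1% share: {top_share(heavy):.2f} "
          f"(analytic {pareto_top_share_analytic(alpha):.2f})")
    print(f"exponential, same mean top-1% share: {top_share(light):.2f}")
    for a, share in sensitivity_sweep([1.1, 1.5, 2.0, 3.0]).items():
        print(f"alpha={a}: simulated {share:.3f}, analytic {pareto_top_share_analytic(a):.3f}")
```

The sweep is the point of the exercise: with a fixed seed the simulated shares can be read against the analytic ones, and the gap between alpha near 1 and alpha near 3 shows how much a conclusion drawn from one assumed size distribution depends on that assumption.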
NS
- Simulator needs to evolve via other researchers
- Simulations need to be verified by other researchers
- Does it have these coping strategies???
- Does it allow different levels of abstraction???
``Intrusion Detection for Wireless Ad-Hoc Networks'', Y. Zhang (HRL) and W. Lee (NCSU), MOBICOM 2000.
I didn't pick this paper for its contributions to the field, but for the issues that it raises.
Ad-hoc wireless networks are especially vulnerable
- Wireless link - passive eavesdropping & active jamming
- Roaming / mobility allows physical compromise
- Decentralized networking relies on cooperating nodes
- Cooperative MAC protocols: misuse results in breakdowns
- Ad-hoc routing: can break down routing, grab all packets
Intrusion prevention
- encryption
- authentication
- No such thing as intrusion-proof
Most of the MILCOM papers on this subject tend to rely on lower level security (i.e. intrusion prevention) such as secure spreading and hopping codes, with an emphasis on not being detected in a hostile network
Intrusion detection
- Assumptions
- User/program activities are observable
- ``Normal'' usage has distinct behaviour
- Misuse detection: detect instances of known attacks
- Anomaly detection: detect breaks in usage patterns
- Detection is hard in ad-hoc wireless networks
- No central traffic monitor
- Normal usage is different
- Anomalous usage need not be
Intrusion response
Proposed system
- IDS agents at every node
- Local data collection
- Local detection: compare normal profiles to deviations
- Cooperative detection: for suspicious, but not confirmed, activity
- Local response, global response
- Anomaly detection
Problems
- Boy who cried wolf!
I can try to masquerade as several different nodes, each providing the same global data that indicates that goody-two-shoes is a bad node. We take it out. Then I do the same with other nodes.
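An added example, not from the Zhang/Lee paper or these notes, that models the proposed system's local detection and cooperative detection steps and the framing problem raised just above. Local detection is a deviation score against a per-node "normal" rate profile; cooperative detection is a vote count over reports from neighbours. The naive global decision counts every report it receives, so one physical node claiming several identities reaches the quorum by itself; the hardened decision counts at most one report per authenticated signing key and ignores keys it does not trust. The profile numbers, thresholds, node names, keys and votes are all constructed, and the "signing key" field stands in for whatever authentication the prevention layer provides.

```python
"""Toy cooperative anomaly detection for an ad-hoc network (constructed example)."""
from dataclasses import dataclass

# Constructed "normal" profile for a neighbour: packets per observation interval.
NORMAL_PROFILE = {"pkts_per_interval": 20.0, "stddev": 5.0}


def local_anomaly_score(observed_rate, profile=NORMAL_PROFILE):
    """Deviation of an observed rate from the profile, in standard deviations."""
    return abs(observed_rate - profile["pkts_per_interval"]) / profile["stddev"]


def classify_local(observed_rate, suspect_at=2.0, confirm_at=4.0):
    """Local detection: 'confirmed' triggers a local response on its own,
    'suspicious' is what gets escalated to cooperative detection."""
    score = local_anomaly_score(observed_rate)
    if score >= confirm_at:
        return "confirmed"
    if score >= suspect_at:
        return "suspicious"
    return "normal"


@dataclass(frozen=True)
class Vote:
    claimed_id: str    # identity the sender asserts in the message
    signing_key: str   # key that authenticated the message (hypothetical field)
    target: str        # node the report is about
    verdict: str       # "intrusion" or "normal"


def naive_global_decision(votes, target, quorum):
    """Counts every intrusion report about `target`: one physical node that
    masquerades as several claimed ids can reach the quorum alone."""
    hits = [v for v in votes if v.target == target and v.verdict == "intrusion"]
    return len(hits) >= quorum


def hardened_global_decision(votes, target, quorum, trusted_keys):
    """Counts at most one intrusion report per trusted signing key, so a
    framer contributes only as many votes as keys it actually holds."""
    keys = {v.signing_key for v in votes
            if v.target == target and v.verdict == "intrusion"
            and v.signing_key in trusted_keys}
    return len(keys) >= quorum


# Constructed data: four legitimate keys; key-D is assumed to be held by a
# compromised node that reports under three different claimed ids.
TRUSTED_KEYS = {"key-A", "key-B", "key-C", "key-D"}
FRAMING_VOTES = [
    Vote("n1", "key-D", "goody", "intrusion"),
    Vote("n2", "key-D", "goody", "intrusion"),
    Vote("n3", "key-D", "goody", "intrusion"),
]
HONEST_VOTES = [
    Vote("A", "key-A", "mallory", "intrusion"),
    Vote("B", "key-B", "mallory", "intrusion"),
    Vote("C", "key-C", "mallory", "intrusion"),
]

if __name__ == "__main__":
    for rate in (22, 33, 50):
        print(f"observed {rate} pkts/interval -> {classify_local(rate)}")
    print("naive, framing votes:   ", naive_global_decision(FRAMING_VOTES, "goody", 3))
    print("hardened, framing votes:", hardened_global_decision(FRAMING_VOTES, "goody", 3, TRUSTED_KEYS))
    print("hardened, honest votes: ", hardened_global_decision(HONEST_VOTES, "mallory", 3, TRUSTED_KEYS))
```

The hardened rule only helps if identities are bound to keys the attacker cannot mint freely, which is why the prevention layer (authentication) is a prerequisite for cooperative detection rather than an alternative to it; a compromised node still gets its one vote, so the quorum has to be set with the expected number of compromised neighbours in mind.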