Active Virtual Network Management Prediction
In Parallel and Discrete Event Simulation Conference (PADS) '99, 1999
Cited by 21 (10 self)
Active Networking provides a framework in which executable code within data packets can execute upon intermediate network nodes. Active Virtual Network Management Prediction (AVNMP) provides a network prediction service that utilizes the capability of Active Networks to easily inject fine-grained models into the communication network to enhance network performance. The models injected into the network allow state to be predicted and propagated throughout an active network enabling the network to operate simultaneously in real time and in the future. State information such as load, security intrusion, mobile location, faults, and other state information found in typical Management Information Bases (MIB) is available for use by the management system both with current values and with values expected to exist in the future. Implementing a load prediction and CPU prediction application has experimentally validated AVNMP. AVNMP implements a distributed, active, and truly proactive network management system. Active Networking enables the implementation of new concepts utilized in AVNMP such as the ability to quickly and easily inject models into a network. In addition, Active Networking enables the ability of messages to refine their prediction as they travel through the network as well as several enhancements to the basic AVNMP algorithm, including migration of AVNMP components and reduction in overhead by means of message fusion.
Detecting Distributed Denial-of-Service Attacks Using Kolmogorov Complexity Metrics
2001
Cited by 9 (2 self)
This paper describes an approach to detecting distributed denial of service (DDoS) attacks that is based on fundamentals of information theory, specifically Kolmogorov complexity. The algorithm is based on a concept of Kolmogorov complexity that states that the joint complexity measure of random strings is lower than the sum of the complexities of the individual strings if the strings exhibit some correlation. Furthermore, the joint complexity measure varies inversely with the amount of correlation. The proposed algorithm exploits this feature to correlate traffic flows in the network and detect possible denial-of-service attacks. One of the strengths of this algorithm is that it does not require special filtering rules and hence it can be used to detect any type of DDoS attack. This algorithm is shown to perform better than simple packet-counting or load-measuring approaches.
Symbol Compression Ratio for String Compression and Estimation of Kolmogorov Complexity
2001
Cited by 4 (2 self)
Author(s): S.C. Evans, S.F. Bush. Component: Information and Decision Technologies. Report Number: 2001CRD159. Date: November 2001. Number of Pages: 11. Class: 1. Key Words: Kolmogorov Complexity, Compression, Minimum Message Length, Bio-informatics, Biotechnology, DNA sequence analysis.
A new compression algorithm is derived that computes and encodes the Minimum Message Length (MML) near optimal partition of symbols in a string for compression. Using Symbol Compression Ratio (SCR) as a driving function this algorithm produces a binary tree model of the data that introduces a fundamental parameter of information related to Kolmogorov Complexity -- the size of the alphabet in the near optimal partition. Manuscript received October 25, 2001. Published at: http://www.crd.ge.com/~bushsf/ftn
Dynamic Modeling of Internet Traffic for Intrusion Detection
American Control Conference (ACC2002), 2001
Cited by 3 (0 self)
Computer network traffic is analyzed via mutual information techniques, implemented using linear and nonlinear canonical correlation analyses, with the specific objective of detecting UDP flooding attacks. NS simulation of HTTP, FTP and CBR traffic shows that flooding attacks are accompanied by a change of mutual information, either at the link being flooded or at another upstream or downstream link. This observation appears topology independent, as the technique is demonstrated on the so-called parking-lot topology, random 50-node topology, and 100-node transit-stub topology. This technique is also employed to detect UDP flooding with low false alarm rate on a backbone link. These results indicate that a change in mutual information provides a useful detection criterion when no other signature of the attack is available.
Genetically Induced Communication Network Fault Tolerance
2002
Cited by 2 (2 self)
This paper presents the architecture and initial feasibility results of a prototype communication network that utilizes genetic programming to evolve services and protocols as part of network operation. The network evolves responses to environmental conditions in a manner that could not be pre-programmed within legacy network nodes a priori. A priori in this case means before network operation has begun. Genetic material is exchanged, loaded, and run dynamically within an active network. The transfer and execution of code in support of the evolution of network protocols and services would not be possible without the active network environment. Rapid generation of network service code occurs via a genetic programming paradigm. Complexity and Algorithmic Information Theory play a key role in understanding and guiding code evolution within the network.
Complexity-Based Information Assurance
Tech. Rep. 2001CRD084, General Electric Corporate Research and Development, 2001
Cited by 1 (1 self)
Author(s): S.F. Bush, S.C. Evans. Component: Electronic Systems Laboratory. Report Number: 2001CRD084. Date: October 2001. Number of Pages: 18. Class: 1. Key Words: Kolmogorov Complexity, Information Assurance, Network Security, Network Management, Information Theory, Evolution of Complexity.
Unless vulnerabilities can be identified and measured, the information assurance of a system can never be properly designed or guaranteed. Results from a study on complexity evolving within an information system using Mathematica, Swarm, and a new Java complexity probe toolkit are presented in this paper. An underlying definition of information security is hypothesized based upon the attacker and defender as reasoning entities, capable of learning to outwit one another. This leads to a study of the evolution of complexity in an information system and the effects of the environment upon the evolution of information complexity. Understanding the evolution of complexity in a system enables a better understanding of how to measure and quantify the vulnerability of a system. Finally, the design of the Java complexity probe toolkit under construction for automated measurement of information assurance is presented. Manuscript received May 11, 2001. Stephen F. Bush (http://www.crd.ge.com/~bushsf), Scott Evans (evans@crd.ge.com).
An Application of Information Theory to Intrusion Detection
Proceedings of the Fourth IEEE International Workshop on Information Assurance (IWIA’06), 2006
Cited by 1 (0 self)
Zero-day attacks, new (anomalous) attacks exploiting previously unknown system vulnerabilities, are a serious threat. Defending against them is no easy task, however. Having identified “degree of system knowledge” as one difference between legitimate and illegitimate users, theorists have drawn on information theory as a basis for intrusion detection. In particular, Kolmogorov complexity (K) has been used successfully. In this work, we consider information distance (Observed K − Expected K) as a method of detecting system scans. Observed K is computed directly, Expected K is taken from compression tests shared herein. Results are encouraging. Observed scan traffic has an information distance at least an order of magnitude greater than the threshold value we determined for normal Internet traffic. With 320 KB packet blocks, separation between distributions appears to exceed 4σ.
Component Information and Decision Technologies
2001
A new compression algorithm is derived that computes and encodes the Minimum Message Length (MML) near optimal partition of symbols in a string for compression. Using Symbol Compression Ratio (SCR) as a driving function this algorithm produces a binary tree model of the data that introduces a fundamental parameter of information related to Kolmogorov Complexity – the size of the alphabet in the near optimal partition.
A Kolmogorov Complexity Approach for Measuring Attack Path Complexity
The difficulty associated with breaching an enterprise network is commensurate with the security of that network. A security breach, or a security policy violation, occurs as a result of an attacker successfully executing some attack path. The difficulty associated with this attack path, then, is critical to understanding how secure a given network is. Currently, however, there are no consistent methods for measuring attack path complexity that make the assumptions of a modeler explicit while providing flexibility in how the modeler models the attack path. To provide these desirable attributes, we propose a regular-expressions-inspired language whose rationale for attack path complexity measurement is based on Kolmogorov Complexity. After detailing our Kolmogorov Complexity-based method, we demonstrate how it can be applied to a novel security metric: the K-step Capability Accumulation metric, a metric that defines the security of a network in terms of the network assets attainable for attack effort exerted.

