angelos,misra,danr¥ Denial of service (DoS) attacks continue to threaten the reliability of networking systems. Previous approaches for protecting networks from DoS attacks are reactive in that they wait for an attack to be launched before taking appropriate measures to protect the network. This leaves the door open for other attacks that use more sophisticated methods to mask their traffic. We propose an architecture called Secure Overlay Services (SOS) that proactively prevents DoS attacks, geared toward supporting Emergency Services or similar types of communication. The architecture is constructed using a combination of secure overlay tunneling, routing via consistent hashing, and filtering. We reduce the probability of successful attacks by (i) performing intensive filtering near protected network edges, pushing the attack point perimeter into the core of the network, where high-speed routers can handle the volume of attack traffic, and (ii) introducing randomness and anonymity into the architecture, making it difficult for an attacker to target nodes along the path to a specific SOS-protected destination. Using simple analytical models, we evaluate the likelihood that an attacker can successfully launch a DoS attack against an SOSprotected network. Our analysis demonstrates that such an architecture reduces the likelihood of a successful attack to minuscule levels.

Automated trust negotiation is a new approach to establishing trust between strangers through the exchange of property-based digital credentials, and the use of mobile access control policies that specify what combinations of credentials a stranger must supply in order to gain access to each local service or credential. In this paper, we show that access control policies can also contain sensitive information that should be protected from inappropriate access by strangers during negotiation. We present and analyze two automated trust negotiation strategies that support protection for access control policies. The first is the relevant credentials set strategy, which does not directly disclose access control policies and has a fast running time, but may disclose more credentials than strictly necessary. The second strategy is the all relevant policies strategy, which freely discloses all relevant access control policies that the other negotiating party has earned access to during negotia...

In this paper we develop the concept of Usage Control (UCON) that encompasses traditional access control, trust management, and digital rights management and goes beyond them in its definition and scope. While usage control concepts have been mentioned off and on in the security literature for some time, there has been no systematic treatment so far. By unifying these three areas UCON offers a promising approach for the next generation of access control. Traditional access control has focused on a closed system where all users are known and primarily utilizes a server-side reference monitor within the system. Trust management has been introduced to cover authorization for strangers in an open environment such as the Internet. Digital rights management has dealt with client-side control of digital information usage. Each of these areas is

We address the goal of making Delegation Logic (DL) into a practically implementable and tractable trustmanagement system. DL [22] is a logic-based knowledge representation (i.e., language) for authorization in largescale, open, distributed systems. As introduced in [22], DL inferencing is computationally intractable and highly impractical to implement. We introduce a new version of Delegation Logic that remedies these difficulties. To achieve this, we impose a syntactic restriction and redefine the semantics somewhat. We show that, for this revised version of DL, inferencing is computationally tractable under the same commonly met restrictions for which Ordinary Logic Programs (OLP) inferencing is tractable (e.g., Datalog and bounded number of logical variables per rule). We give an implementation architecture for this version of DL; it uses a delegation compiler from DL to OLP and can modularly exploit a variety of existing OLP inference engines. As proof of concept, we have impleme...

IPsec is the standard suite of protocols for networklayer confidentiality and authentication of Internet traffic. The IPsec protocols, however, do not address the policies for how protected traffic should be handled at security endpoints. This paper introduces an efficient policy management scheme for IPsec, based on the principles of trust management. A compliance check is added to the IPsec architecture that tests packet filters proposed when new security associations are created for conformance with the local security policy, based on credentials presented by the peer host. Security policies and credentials can be quite sophisticated (and specified in the trustmanagement language), while still allowing very efficient packet-filtering for the actual IPsec traffic. We present a practical, portable implementation of this design, based on the KeyNote trust-management language, that works with a variety of Unix-based IPsec implementations. 1. Introduction The IPsec protocol suite, whic...

We introduce a new micropayment scheme, suitable for certain kinds of transactions, that requires neither online transactions nor trusted hardware for either the payer or payee. Each payer is periodically issued certified credentials that encode the type of transactions and circumstances under which payment can be guaranteed. A risk management strategy, taking into account the payers' history, and other factors, can be used to generate these credentials in a way that limits the aggregated risk of uncollectable or fraudulent transactions to an acceptable level. These credentials can also permit or restrict types of purchases. We show a practical architecture for such a system that uses a Trust Management System to encode the credentials and policies. We describe a prototype implementation of the system in which vending machine purchases are made using consumer PDAs.

FILETELLER is a credential-based network file storage system with provisions for paying for file storage and getting paid when others access files. Users get access to arbitrary amounts of storage anywhere in the network, and use a micropayments system to pay for both the initial creation of the file and any subsequent accesses. Widescale information sharing requires that a number of issues be addressed; these include distributed access, access control, payment, accounting, and delegation (so that information owners may allow others to access their stored content). In this paper we demonstrate how all these issues are addressed using a micropayment architecture based on a trust-management system. Utilizing the same mechanism for both access control and payment results in an elegant and scalable architecture.

The design principle of restricting local autonomy only where necessary for global robustness has led to a scalable Internet. Unfortunately, this scalability and capacity for distributed control has not been achieved in the mechanisms for specifying and enforcing security policies. This shortcoming must be overcome if end-to-end security mechanisms (such as IPsec or TLS) are to ever replace solutions of short-term convenience such as firewalls. The

Policy enforcement is an integral part of many applications. Policies are often used to control access to sensitive information. Current policy specification languages give users fine-grained control over when and how information can be accessed, and are flexible enough to be used in a variety of applications. Evaluation of these policies, however, is not optimized for performance. Emerging applications, such as real-time enforcement of privacy policies in a sensor network or location-aware computing environment, require high throughput. Our experiments indicate that current policy enforcement solutions are unable to deliver the level of performance needed for such systems, and limit their overall scalability. To deal with the need for high-throughput evaluation, we propose CPOL, a flexible C++ framework for policy evaluation. CPOL is designed to evaluate policies as efficiently as possible, and still maintain a level of expressiveness comparable to current policy languages. CPOL achieves its performance goals by efficiently evaluating policies and caching query results (while still preserving correctness). To evaluate CPOL, we ran a simulated workload of users making privacy queries in a location-sensing infrastructure. CPOL was able to handle policy evaluation requests two to six orders of magnitude faster than a MySql implementation and an existing policy evaluation system. We present the design and implementation of CPOL, a high-performance policy evaluation engine, along with our testing methodology and experimental results. Categories and Subject Descriptors

We present WebSOS, a novel overlay-based architecture that provides guaranteed access to a web server that is targeted by a denial of service (DoS) attack. Our approach exploits two key characteristics of the web environment: its design around a human-centric interface, and the extensibility inherent in many browsers through downloadable “applets. ” We guarantee access to a web server for a large number of previously unknown users, without requiring pre-existing trust relationships between users and the system, by using Reverse Graphic Turing Tests. Furthermore, our system makes it easy for service providers to charge users, providing incentives to a commercial offering of the service. Users can dynamically decide whether to use the WebSOS overlay, based on the prevailing network conditions. Our prototype requires no modifications to either servers or browsers, and makes use of graphical Turing tests, web proxies, and client authentication using the SSL/TLS protocol, all readily supported by modern browsers. We then extend this system with a credentialbased micropayment scheme that combines access control and payment authorization in one operation. Turing Tests ensure that malicious code, such as a worm, cannot abuse a user’s micropayment wallet. We use the WebSOS prototype to conduct a performance evaluation over the Internet using PlanetLab, a testbed for experimentation with network overlays. We determine the end-to-end latency using both a Chord-based approach and our shortcut extension. Our evaluation shows the latency increase by a factor of 7 and 2 respectively, confirming our simulation results.