Privacy-preserving quantification of cross-domain network reachability

Published: 01 June 2015

Abstract

Network reachability is an important characteristic for understanding end-to-end network behavior and helps in detecting violations of security policies across the network. While quantifying network reachability within one administrative domain is a difficult problem in itself, performing the same computation across a network spanning multiple administrative domains presents a novel challenge. The cross-domain problem is harder because the security policies of the individual domains are private, and that privacy must be protected throughout the computation. In this paper, we propose the first cross-domain privacy-preserving protocol for quantifying network reachability. Our protocol constructs equivalent representations of the Access Control List (ACL) rules and determines network reachability while preserving the privacy of the individual ACLs. The protocol can accurately determine the network reachability along a network path that traverses different administrative domains. We have implemented and evaluated our protocol on both real and synthetic ACLs. The experimental results show that the online processing time for an ACL containing thousands of rules is less than 25 s. Given two ACLs, each containing thousands of rules, the comparison time is less than 6 s, and the total communication cost is less than 2100 kB.


Cited By

  • (2021) NREngine: A Graph-Based Query Engine for Network Reachability. In Database Systems for Advanced Applications, DASFAA 2021 International Workshops, pp. 90-106. doi:10.1007/978-3-030-73216-5_7. Online publication date: 11 Apr 2021.


Published In

IEEE/ACM Transactions on Networking, Volume 23, Issue 3, June 2015, 337 pages. ISSN: 1063-6692.
  • Editor: R. Srikant

Publisher

IEEE Press

Publication History

Published: 01 June 2015, in TON Volume 23, Issue 3

Author Tags

  1. cross domain
  2. network reachability quantification
  3. privacy preserving

Qualifiers

  • Research-article
