Network Transparency for Better Internet Security

Authors: Pappas, Christos; Lee, Taeho; Reischuk, Raphael M.; Szalachowski, Pawel; Perrig, Adrian

Affiliations: UBS AG, CH-8048 Zurich, Switzerland; Google Inc, CH-8004 Zurich, Switzerland; Zuhlke Engn, CH-8952 Zurich, Switzerland; SUTD, Informat Syst Technol & Design Pillar ISTD, Singapore 487372, Singapore; Swiss Fed Inst Technol, Informat Secur Inst, CH-8092 Zurich, Switzerland

Publication: IEEE-ACM TRANSACTIONS ON NETWORKING

Year, volume, issue: 2019, Vol. 27, No. 5

Pages: 2028-2042

Indexed in:

Subject classification: 0810 [Engineering - Information and Communication Engineering]; 0808 [Engineering - Electrical Engineering]; 08 [Engineering]; 0812 [Engineering - Computer Science and Technology (degrees may be conferred in Engineering or Science)]

Funding: European Research Council under the European Union European Research Council (ERC) Funding Source: European Research Council (ERC)

Keywords: Network transparency; accountability; verifiable misbehavior; host policies

Abstract: The lack of transparency for Internet communication prevents effective mitigation of today's security threats: i) Source addresses cannot be trusted and enable untraceable reflection attacks. ii) Malicious communication is opaque to all network entities, except for the receiver; and although ISPs are control points that can stop such attacks, effective detection and mitigation requires information that is available only at the end hosts. We propose TRIS, an architecture that bootstraps transparency for Internet communication. TRIS enables the definition of misbehavior according to the unique requirements of hosts, and then it constructs verifiable evidence of misbehavior. First, hosts express desired traffic properties for incoming traffic; a deviation from these properties signifies misbehavior. Second, ISPs construct verifiable evidence of misbehavior for the traffic they forward. If misbehavior is detected, it can then be proven to the ISPs of the communicating hosts. We implement our architecture on commodity hardware and demonstrate that verifiable proof of misbehavior introduces little overhead with respect to bandwidth and packet processing in the network: our prototype achieves line-rate performance for common packet sizes, saturating a 10 Gbps link with a single CPU core. In addition, we tackle incremental deployment issues and describe interoperability with today's Internet architecture.
