Baltimore, Maryland - Johns Hopkins University computer scientists have led an effort to create a proven way to prevent sabotage from disrupting electronic networks supporting major infrastructure such as power grids and the electronic cloud.
The system – meant to protect against the sort of attack that in 2010 disrupted thousands of internet networks in the United States and around the world – is now available to the public as open source and was scheduled to be presented by the researchers today at an engineering conference in Japan.
“As the internet becomes an important part of the infrastructure our society depends on, it is crucial to construct networks that are able to work even when part of the network is compromised,” the authors wrote in their summary of the research led by Yair Amir, professor and chair of the Department of Computer Science at Johns Hopkins’ Whiting School of Engineering. Amir and three of the paper's co-authors also affiliated with Johns Hopkins were scheduled to present their solution today for this long-standing network security challenge to the International Conference on Distributed Computing Systems, sponsored by the Institute of Electrical and Electronics Engineers in Nara, Japan. The other three Johns Hopkins scientists making the presentation are Thomas Tantillo and Amy Babay, both doctoral students, and Daniel Obenshain, who just finished his doctorate in computer science.
The four Johns Hopkins scientists worked on the project as part of a team of eight researchers from three universities and two private technology companies. The universities are Northeastern and Purdue and the tech companies are Spread Concepts, LLC and LTN Global Communications.
Developed over the course of five years, this approach to protecting a network has been proven to keep a network going if part of it is compromised by an attack. The authors call this the “first practical intrusion-tolerant network service” because this is the first network service that can overcome sophisticated attacks and compromises and be deployed on a global scale over the existing internet. The system was evaluated and validated in a test that ran for nearly a year using the LTN Global Communications cloud spanning East Asia, North America and Europe. The test showed success, albeit with a higher cost that makes sense for vital infrastructure, such as power grids and the cloud.
The authors say this system would have protected the internet from the sort of disruption that occurred in April 2010, when some 8,000 U.S. networks were affected by bad routing information sent by a Chinese Internet Service Provider (ISP) through a state-owned company in China. The disruption appeared to be an accident, and may have stopped some traffic and redirected other traffic to malicious computers in China.
Amir said that as a rule, networks are based on trust that members showing the right credentials really are who they appear to be. That trust is easily exploited by saboteurs who manage to obtain valid member credentials. In effect, Amir said, the researchers on this project have created “a system where no one is trusted.”
Instead, an “overlay” system looks beyond credentials, verifying that claims made by members of the network make sense. However, even members of the network who make valid claims are not completely trusted. The most sophisticated attack, Amir said, “you may not be able to detect. You can only detect the guys who are not sophisticated. They made a mistake.”
Rather than relying on detecting sabotage that would divert traffic, the system sends redundant messages over multiple paths to avoid relying on any single node, or data center, to faithfully transmit messages to their intended destinations. The user can select different degrees of redundancy, with greater redundancy carrying a higher cost.
A rough analogy would be to a cargo delivery fleet. If a driver – even one carrying the right credentials – claims he can move the goods a great deal faster or cheaper than expected, something is clearly amiss. However, even if the driver proposes a reasonable cost and timeframe, he may not actually deliver the goods. To protect against this, the fleet can run more than one truck to make the same delivery to ensure at least one of the packages arrives at the right destination.
To ensure that there is at least one path through the network that can faithfully transmit messages, the network service is built with enough redundancy “to prevent anything short of a complete simultaneous meltdown of multiple ISP backbones from interrupting the ability to deliver messages,” the authors wrote, allowing critical services to continue to work without any downtime.
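The redundancy idea described above can be sketched in a few lines. This is an added example, not the researchers' code: it greedily picks paths that share no relay node and then checks, for every possible set of compromised relays, whether at least one copy still arrives. The topology and site names are constructed, compromised nodes are assumed simply to drop traffic, and the greedy selection may find fewer disjoint paths than the maximum that exists.

```python
from collections import deque
from itertools import combinations

# Constructed overlay topology; site names are hypothetical, not from the page.
OVERLAY = {
    "SRC": ["A", "B", "C"], "DST": ["D", "E", "F"],
    "A": ["SRC", "D", "B"], "B": ["SRC", "A", "E"],
    "C": ["SRC", "F"], "D": ["A", "DST"],
    "E": ["B", "DST"], "F": ["C", "DST"],
}

def shortest_path(graph, src, dst, banned):
    """BFS shortest path from src to dst that avoids every node in `banned`."""
    parent, queue = {src: None}, deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            path = []
            while node is not None:
                path.append(node)
                node = parent[node]
            return path[::-1]
        for nxt in graph[node]:
            if nxt not in parent and nxt not in banned:
                parent[nxt] = node
                queue.append(nxt)
    return None

def disjoint_paths(graph, src, dst, k):
    """Greedily pick up to k paths sharing no relay (assumes src, dst not adjacent)."""
    paths, used = [], set()
    while len(paths) < k:
        path = shortest_path(graph, src, dst, used)
        if path is None:
            break
        paths.append(path)
        used.update(path[1:-1])  # relays on this path are off-limits to later paths
    return paths

def delivered(paths, compromised):
    """A copy arrives only if no relay on its path is compromised (drops it)."""
    return any(not (set(p[1:-1]) & compromised) for p in paths)

def tolerates(graph, src, dst, k, f):
    """True if delivery survives every possible choice of f compromised relays."""
    paths = disjoint_paths(graph, src, dst, k)
    relays = [n for n in graph if n not in (src, dst)]
    return all(delivered(paths, set(bad)) for bad in combinations(relays, f))
```

With k node-disjoint paths, up to k-1 compromised relays cannot block delivery, which is the cost-versus-redundancy choice the article describes.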
The authors write that the system “provides a complete and practical solution for high-value applications that previous work, including our own past efforts, has failed to offer.”
This research was supported in part by grant N660001-1-2-4014 from the Defense Advanced Research Projects Agency (DARPA), an agency of the U.S. Department of Defense.