Prof. Laurent Vanbever
Group Leader
My research interests lie at the crossroads of theory and practice, with a focus on network programmability. Overall, I aim at making networks both more performant and easier to manage.
I completed my PhD in computer science in 2012 at the University of Louvain under the guidance of Olivier Bonaventure. My thesis is entitled "Methods and Techniques for Disruption-Free Network Reconfiguration". After my PhD, I spent two years at Princeton University working with Jennifer Rexford as a postdoctoral researcher.
Prior to my PhD, I earned my master degree in computer science from the University of Louvain in 2008. I also earned a master degree in management from the Solvay Brussels School of Economics and Management in 2010.
Check my resume for further information.
Recent Selected Publications
NetHide: Secure and Practical Network Topology Obfuscation
USENIX Security 2018. Baltimore, MD, USA (August 2018).
Full paper coming soon
Bayonet: Probabilistic Inference for Networks
PLDI 2018. Philadelphia, Pennsylvania, USA (June 2018).
Network operators often need to ensure that important probabilistic properties are met, such as that the probability of network congestion is below a certain threshold. Ensuring such properties is challenging and requires both a suitable language for probabilistic networks and an automated procedure for answering probabilistic inference queries. We present Bayonet, a novel approach that consists of: (i) a probabilistic network programming language and (ii) a system that performs probabilistic inference on Bayonet programs. The key insight behind Bayonet is to phrase the problem of probabilistic network reasoning as inference in existing probabilistic languages. As a result, Bayonet directly leverages existing probabilistic inference systems and offers a flexible and expressive interface to operators. We present a detailed evaluation of Bayonet on common network scenarios, such as network congestion, reliability of packet delivery, and others. Our results indicate that Bayonet can express such practical scenarios and answer queries for realistic topology sizes (with up to 30 nodes).
Stroboscope: Declarative Network Monitoring on a Budget
USENIX NSDI 2018. Renton, Washington, USA (April 2018).
@inproceedings {211289,
author = {Olivier Tilmans and Tobias B{\"u}hler and Ingmar Poese and Stefano Vissicchio and Laurent Vanbever},
title = {Stroboscope: Declarative Network Monitoring on a Budget},
booktitle = {15th {USENIX} Symposium on Networked Systems Design and Implementation ({NSDI} 18)},
year = {2018},
address = {Renton, WA},
url = {https://www.usenix.org/conference/nsdi18/presentation/tilmans},
publisher = {{USENIX} Association},
}
For an Internet Service Provider (ISP), getting an accurate picture of how its network behaves is challenging. Indeed, given the carried traffic volume and the impossibility to control end-hosts, ISPs often have no other choice but to rely on heavily sampled traffic statistics, which provide them with coarse-grained visibility at a less than ideal time resolution (seconds or minutes). We present Stroboscope, a system that enables fine-grained monitoring of any traffic flow by instructing routers to mirror millisecond-long traffic slices in a programmatic way. Stroboscope takes as input high-level monitoring queries together with a budget and automatically determines: (i) which flows to mirror; (ii) where to place mirroring rules, using fast and provably correct algorithms; and (iii) when to schedule these rules to maximize coverage while meeting the input budget. We implemented Stroboscope, and show that it scales well: it computes schedules for large networks and query sizes in few seconds, and produces a number of mirroring rules well within the limits of current routers. We also show that Stroboscope works on existing routers and is therefore immediately deployable.
NetComplete: Practical Network-Wide Configuration Synthesis with Autocompletion
USENIX NSDI 2018. Renton, Washington, USA (April 2018).
@inproceedings {211247,
author = {Ahmed El-Hassany and Petar Tsankov and Laurent Vanbever and Martin Vechev},
title = {NetComplete: Practical Network-Wide Configuration Synthesis with Autocompletion},
booktitle = {15th {USENIX} Symposium on Networked Systems Design and Implementation ({NSDI} 18)},
year = {2018},
address = {Renton, WA},
url = {https://www.usenix.org/conference/nsdi18/presentation/el-hassany},
publisher = {{USENIX} Association},
}
Network operators often need to adapt the configuration of a network in order to comply with changing routing policies. Evolving existing configurations, however, is a complex task as local changes can have unforeseen global effects. Not surprisingly, this often leads to mistakes that result in network downtimes. We present NetComplete, a system that assists operators in modifying existing network-wide configurations to comply with new routing policies. NetComplete takes as input configurations with “holes” that identify the parameters to be completed and “autocompletes” these with concrete values. The use of a partial configuration addresses two important challenges inherent to existing synthesis solutions: (i) it allows the operators to precisely control how configurations should be changed; and (ii) it allows the synthesizer to leverage the existing configurations to gain performance. To scale, NetComplete relies on powerful techniques such as counter-example guided inductive synthesis (for link-state protocols) and partial evaluation (for path-vector protocols). We implemented NetComplete and showed that it can autocomplete configurations using static routes, OSPF, and BGP. Our implementation also scales to realistic networks and complex routing policies. Among others, it is able to synthesize configurations for networks with up to 200 routers within few minutes.
Net2Text: Query-Guided Summarization of Network Forwarding Behaviors
USENIX NSDI 2018. Renton, Washington, USA (April 2018).
@inproceedings {211231,
author = {Rudiger Birkner and Dana Drachsler-Cohen and Laurent Vanbever and Martin Vechev},
title = {Net2Text: Query-Guided Summarization of Network Forwarding Behaviors},
booktitle = {15th {USENIX} Symposium on Networked Systems Design and Implementation ({NSDI} 18)},
year = {2018},
address = {Renton, WA},
url = {https://www.usenix.org/conference/nsdi18/presentation/birkner},
publisher = {{USENIX} Association},
}
Today network operators spend a significant amount of time struggling to understand how their network forwards traffic. Even simple questions such as "How is my network handling Google traffic?" often require operators to manually bridge large semantic gaps between low-level forwarding rules distributed across many routers and the corresponding high-level insights. We introduce Net2Text, a system which assists network operators in reasoning about network-wide forwarding behaviors. Out of the raw forwarding state and a query expressed in natural language, Net2Text automatically produces succinct summaries, also in natural language, which efficiently capture network-wide semantics. Our key insight is to pose the problem of summarizing ("captioning") the network forwarding state as an optimization problem that aims to balance coverage, by describing as many paths as possible, and explainability, by maximizing the information provided. As this problem is NP-hard, we also propose an approximation algorithm which generates summaries based on a sample of the forwarding state, with marginal loss of quality. We implemented Net2Text and demonstrated its practicality and scalability. We show that Net2Text generates high-quality interpretable summaries of the entire forwarding state of hundreds of routers with full routing tables, in few seconds only.
Integrating Verification and Repair into the Control Plane
ACM HotNets 2017. Palo Alto, California, USA (November 2017).
@inproceedings {AGJRV2017,
title = {{Integrating Verification and Repair into the Control Plane}},
author = {Aaron Gember-Jacobson and Costin Raiciu and Laurent Vanbever},
year = {2017},
booktitle = {Proceedings of HotNets-XVI},
}
Network verification has made great progress recently, yet existing solutions are limited in their ability to handle specific protocols or implementation quirks or to diagnose and repair the cause of policy violations. In this positioning paper, we examine whether we can achieve the best of both worlds: full coverage of control plane protocols and decision processes combined with the ability to diagnose and repair the cause of violations. To this end, we leverage the happens-before relationships that exist between control plane I/Os (e.g., route advertisements and forwarding updates). These relationships allow us to identify when it is safe to employ a data plane verifier and track the root-cause of problematic forwarding updates. We show how we can capture errors before they are installed, automatically trace down the source of the error and roll-back the updates whenever possible.
SWIFT: Predictive Fast Reroute.
ACM SIGCOMM 2017. Los Angeles, California, USA (August 2017).
@inproceedings{holterbach2017swift,
title={SWIFT: Predictive Fast Reroute},
author={Holterbach, Thomas and Vissicchio, Stefano and Dainotti, Alberto and Vanbever, Laurent},
booktitle={Proceedings of the Conference of the ACM Special Interest Group on Data Communication},
pages={460--473},
year={2017},
organization={ACM}
}
Network operators often face the problem of remote outages in transit networks leading to significant (sometimes on the order of minutes) downtimes. The issue is that BGP, the Internet routing protocol, often converges slowly upon such outages, as large bursts of messages have to be processed and propagated router by router. In this paper, we present SWIFT, a fast-reroute framework which enables routers to restore connectivity in few seconds upon remote outages. SWIFT is based on two novel techniques. First, SWIFT deals with slow outage notification by predicting the overall extent of a remote failure out of few control-plane (BGP) messages. The key insight is that significant inference speed can be gained at the price of some accuracy. Second, SWIFT introduces a new dataplane encoding scheme, which enables quick and flexible update of the affected forwarding entries. SWIFT is deployable on existing devices, without modifying BGP.
We present a complete implementation of SWIFT and demonstrate that it is both fast and accurate. In our experiments with real BGP traces, SWIFT predicts the extent of a remote outage in few seconds with an accuracy of ?90% and can restore connectivity for 99% of the affected destinations.
Network-wide Configuration Synthesis.
CAV 2017. Heidelberg, Germany (July 2017).
@inproceedings{el2017network,
title={Network-wide configuration synthesis},
author={El-Hassany, Ahmed and Tsankov, Petar and Vanbever, Laurent and Vechev, Martin},
booktitle={International Conference on Computer Aided Verification},
pages={261--281},
year={2017},
organization={Springer}
}
Computer networks are hard to manage. Given a set of highlevel requirements (e.g., reachability, security), operators have to manually figure out the individual configuration of potentially hundreds of devices running complex distributed protocols so that they, collectively, compute a compatible forwarding state. Not surprisingly, operators often make mistakes which lead to downtimes.
To address this problem, we present a novel synthesis approach that automatically computes correct network configurations that comply with the operator’s requirements. We capture the behavior of existing routers along with the distributed protocols they run in stratified Datalog. Our key insight is to reduce the problem of finding correct input configurations to the task of synthesizing inputs for a stratified Datalog program. To solve this synthesis task, we introduce a new algorithm that synthesizes inputs for stratified Datalog programs. This algorithm is applicable beyond the domain of networks.
We leverage our synthesis algorithm to construct the first network-wide configuration synthesis system, called SyNET, that support multiple interacting routing protocols (OSPF and BGP) and static routes. We show that our system is practical and can infer correct input configurations, in a reasonable amount time, for networks of realistic size (>50 routers) that forward packets for multiple traffic classes.
Hijacking Bitcoin: Routing Attacks on Cryptocurrencies.
IEEE Symposium on Security and Privacy 2017. San Jose, CA, USA (May 2017).
@inproceedings{apostolaki2017hijacking,
title={Hijacking Bitcoin: Routing Attacks on Cryptocurrencies},
author={Apostolaki, Maria and Zohar, Aviv and Vanbever, Laurent},
booktitle={Security and Privacy (SP), 2017 IEEE Symposium on},
pages={375--392},
year={2017},
organization={IEEE}
}
As the most successful cryptocurrency to date, Bitcoin constitutes a target of choice for attackers. While many attack vectors have already been uncovered, one important vector has been left out though: attacking the currency via the Internet routing infrastructure itself. Indeed, by manipulating routing advertisements (BGP hijacks) or by naturally intercepting traffic, Autonomous Systems (ASes) can intercept and manipulate a large fraction of Bitcoin traffic.
This paper presents the first taxonomy of routing attacks and their impact on Bitcoin, considering both small-scale attacks, targeting individual nodes, and large-scale attacks, targeting the network as a whole. While challenging, we show that two key properties make routing attacks practical: (i) the efficiency of routing manipulation; and (ii) the significant centralization of Bitcoin in terms of mining and routing. Specifically, we find that any network attacker can hijack few (<100) BGP prefixes to isolate 50% of the mining power—even when considering that mining pools are heavily multi-homed. We also show that on-path network attackers can considerably slow down block propagation by interfering with few key Bitcoin messages.
We demonstrate the feasibility of each attack against the deployed Bitcoin software. We also quantify their effectiveness on the current Bitcoin topology using data collected from a Bitcoin supernode combined with BGP routing data.
The potential damage to Bitcoin is worrying. By isolating parts of the network or delaying block propagation, attackers can cause a significant amount of mining power to be wasted, leading to revenue losses and enabling a wide range of exploits such as double spending. To prevent such effects in practice, we provide both short and long-term countermeasures, some of which can be deployed immediately.
Mille-Feuille: Putting ISP traffic under the scalpel.
ACM HotNets 2016. Atlanta, Georgia, USA (November 2016).
@inproceedings {TBVV16,
title = {{Mille-Feuille: Putting ISP traffic under the scalpel}},
author = {Olivier Tilmans and Tobias Bühler and Stefano Vissicchio and Laurent Vanbever},
year = {2016},
booktitle = {Proceedings of HotNets-XV},
}
For Internet Service Provider (ISP) operators, getting an accurate picture of how their network behaves is challenging. Given the traffic volumes that their networks carry and the impossibility to control end-hosts, ISP operators are typically forced to randomly sample traffic, and rely on aggregated statistics. This provides coarse-grained visibility, at a time resolution that is far from ideal (seconds or minutes).
In this paper, we present Mille-Feuille, a novel monitoring architecture that provides fine-grained visibility over ISP traffic. Mille-Feuille schedules activation and deactivation of traffic-mirroring rules, that are then provisioned networkwide from a central location, within milliseconds. By doing so, Mille-Feuille combines the scalability of sampling with the visibility and controllability of traffic mirroring. As a result, it supports a set of monitoring primitives, ranging from checking key performance indicators (e.g., one-way delay) for single destinations to estimating traffic matrices in subseconds. Our preliminary measurements on existing routers confirm that Mille-Feuille is viable in practice.
Lectures
Communication Networks
Spring 2018
Discrete Event Systems
Autumn 2017
Communication Networks
Spring 2017
Discrete Event Systems
Autumn 2016
Communication Networks
Spring 2016
Discrete Event Systems
Autumn 2015
