Improving Network Security through Obfuscation

Author: Roland Meier
Doctoral Thesis

Abstract

While it is impressive that many of the prevalent protocols and algorithms in today's networks and the Internet have remained essentially unchanged since the very first computer networks in the Sixties, they were not designed for today's security environment. Only thanks to protocol extensions and new technologies are today's network users protected against many threats. For example, most hosts are behind firewalls that prevent some malicious traffic from reaching them, and most traffic is encrypted to prevent eavesdropping. However, today's protections are not enough. For example, denial-of-service attacks can cut a host's connection even if their traffic does not reach it, and encrypted traffic still leaks information about its contents.

In this dissertation, we explore how obfuscation can help to prevent such weak points. To this end, we present two solutions:

First, we present NetHide, a system that mitigates denial-of-service attacks against the network infrastructure by obfuscating the network topology. The key idea behind NetHide is to formulate topology obfuscation as a multi-objective optimization problem that allows for a flexible trade-off between the security of the topology and the usability of network debugging tools. NetHide then intercepts and modifies path-tracing probes in the data plane to ensure that attackers can only learn the obfuscated topology.

Second, we present ditto, a system that prevents traffic-analysis attacks by obfuscating the timing and size of packets. The key idea behind ditto is to add padding to packets and to introduce chaff packets such that the resulting traffic is independent of production traffic with respect to packet sizes and timing. ditto provides high throughput without requiring changes at hosts, which makes it ideal for protecting wide area networks.
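The padding-and-chaff idea described above can be seen in a small simulation. The following is an added example, not code from the thesis or from the ditto project: it shapes a constructed packet trace into a stream of fixed-size packets emitted at a fixed interval, padding production packets and inserting chaff whenever nothing is queued. The slot length, padded size, `Packet` type and the `shape`/`observer_view` helpers are all assumptions made for this illustration; the point it makes is that an on-path observer sees the same (timestamp, size) sequence regardless of the production traffic, while the cost shows up as queueing delay for real packets.

```python
"""Constant-rate traffic shaping with padding and chaff (added example, not ditto's code)."""
from collections import deque
from dataclasses import dataclass
from typing import List, Tuple

PAD_SIZE = 1500  # every shaped packet is padded to this many bytes (assumed value)
SLOT_US = 100    # one shaped packet leaves every SLOT_US microseconds (assumed value)


@dataclass
class Packet:
    ts_us: int          # arrival time (production) or departure time (shaped)
    size: int           # bytes on the wire
    chaff: bool = False  # True for dummy packets that carry no production data
    delay_us: int = 0    # queueing delay experienced by a real packet


def shape(production: List[Packet], duration_us: int) -> List[Packet]:
    """Shape a production trace into one PAD_SIZE packet per slot for duration_us.

    A slot carries the oldest queued production packet if one has arrived by
    the slot's start, otherwise a chaff packet. Either way the packet has the
    same size and leaves at the same time, so the output pattern depends only
    on duration_us, never on the input.
    """
    queue = deque(sorted(production, key=lambda p: p.ts_us))
    shaped: List[Packet] = []
    for slot_start in range(0, duration_us, SLOT_US):
        if queue and queue[0].ts_us <= slot_start:
            real = queue.popleft()
            if real.size > PAD_SIZE:
                # Fragmentation is out of scope for this illustration.
                raise ValueError(f"packet of {real.size} bytes exceeds PAD_SIZE")
            shaped.append(Packet(ts_us=slot_start, size=PAD_SIZE,
                                 chaff=False, delay_us=slot_start - real.ts_us))
        else:
            shaped.append(Packet(ts_us=slot_start, size=PAD_SIZE, chaff=True))
    return shaped


def observer_view(stream: List[Packet]) -> List[Tuple[int, int]]:
    """What an on-path observer sees: only timing and size, never the chaff flag."""
    return [(p.ts_us, p.size) for p in stream]


def max_delay_us(stream: List[Packet]) -> int:
    """Largest queueing delay paid by a real packet: the price of shaping."""
    return max((p.delay_us for p in stream if not p.chaff), default=0)


if __name__ == "__main__":
    # Two constructed production traces with clearly different sizes and timing.
    trace_a = [Packet(0, 60), Packet(250, 1400), Packet(260, 700)]
    trace_b = [Packet(120, 1000)]
    print("unshaped views differ:", observer_view(trace_a) != observer_view(trace_b))
    shaped_a, shaped_b = shape(trace_a, 1000), shape(trace_b, 1000)
    print("shaped views identical:", observer_view(shaped_a) == observer_view(shaped_b))
    print("chaff packets in A/B:", sum(p.chaff for p in shaped_a), sum(p.chaff for p in shaped_b))
    print("max queueing delay in A (us):", max_delay_us(shaped_a))
```

In this model the shaped output is a function of the duration alone, which is the independence property the paragraph describes; the trade-off is visible in `max_delay_us` (a burst of production packets arriving faster than one per slot has to wait) and in the chaff count, which is bandwidth spent on nothing. A production design also has to decide what to do with packets larger than the padding target, which this example simply rejects.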

Both systems leverage recent advances in network programmability. They show that programmable switches can increase the security of high-throughput networks without degrading their performance.

However, programmable switches not only provide high performance for obfuscation, but also allow analyzing traffic at scale. We complete this dissertation with a discussion of four use cases where programmable switches analyze traffic – for both benign and malicious purposes.

People

Dr. Roland Meier
PhD student
2017—2022

BibTeX

@PHDTHESIS{meier2022improving,
	copyright = {In Copyright - Non-Commercial Use Permitted},
	year = {2022},
	type = {Doctoral Thesis},
	author = {Meier, Roland},
	size = {165 p.},
	abstract = {While it is impressive that many of the prevalent protocols and algorithms in today's networks and the Internet have remained essentially unchanged since the very first computer networks in the Sixties, they were not designed for today's security environment. Only thanks to protocol extensions and new technologies, today's network users are protected against many threats. For example, most hosts are behind firewalls that prevent some malicious traffic from reaching them, and most traffic is encrypted to prevent eavesdropping. However, today's protections are not enough. For example, denial-of-service attacks can cut a host's connection even if their traffic does not reach it, and encrypted traffic still leaks information about its contents. In this dissertation, we explore how obfuscation can help to prevent such weak points. To this end, we present two solutions: First, we present NetHide, a system that mitigates denial-of-service attacks against the network infrastructure by obfuscating the network topology. The key idea behind NetHide is to formulate topology obfuscation as a multi-objective optimization problem that allows for a flexible trade-off between the security of the topology and the usability of network debugging tools. NetHide then intercepts and modifies path-tracing probes in the data plane to ensure that attackers can only learn the obfuscated topology. Second, we present ditto, a system that prevents traffic-analysis attacks by obfuscating the timing and size of packets. The key idea behind ditto is to add padding to packets and to introduce chaff packets such that the resulting traffic is independent of production traffic with respect to packet sizes and timing. ditto provides high throughput without requiring changes at hosts, which makes it ideal for protecting wide area networks. Both systems leverage recent advances in network programmability. They show that programmable switches can increase the security of high-throughput networks without degrading their performance. However, programmable switches do not only provide high performance for obfuscation, but they also allow analyzing traffic at scale. We complete this dissertation with a discussion of four use cases where programmable switches analyze traffic – for both benign and malicious purposes.},
	keywords = {Computer networks; Computer network security; Obfuscation; programmable data plane},
	language = {en},
	address = {Zurich},
	publisher = {ETH Zurich},
	DOI = {10.3929/ethz-b-000584627},
	title = {Improving Network Security through Obfuscation},
	school = {ETH Zurich}
}

Research Collection: 20.500.11850/584627