Header - Networks



Application transparent HTTP over a disruption tolerant Smart-Net 

Geoffrey Xie, Assist USMC Systems Command in its evaluation and deployment of DTN.

This research explores methods to increase the performance of HTTP traffic when operating on a network that is prone to disrup-tions. The SmartNet architecture is presented as an open and extensible software framework for experimenting with and deploying application-transparent network optimization solutions, including the incorporation of the disruption tolerant networking (DTN) and split TCP (SplitTCP) technologies into an IP network. The architecture fashions a plugin-based system architecture where each plu-gin implements a small set of application or transport protocol specific network adaptations that can be chained with other plugins to form a packet processing pipeline. The SmartNet framework is implemented along with plugins to route packets through native-IP, the Bundle Protocol, or SplitTCP. Performance of the SmartNet is measured under five network disruption patterns and five link speeds. The results conclude that HTTP performance can be increased by using the SmartNet to transparently route packets over the DTN bundle protocol or SplitTCP when the network is prone to disruptions.

IPV6 alias resolution via induced router fragmentation 

Robert Beverly

IPv4 addresses are a scarce resource with available allocations nearing exhaustion. DoD and government agencies were mandated to transition to IPv6 for greater security and flexibility. The transition to IPv6 faces a series of challenges associated with protecting the network. Among many defensive challenges associated with IPv6 is the inability to accurately identify and understand the network's router-level topology. Providing an accurate IPv6 topology map is needed for security, situational awareness, and understanding the operational deployment and evolution of IPv6. To better understand IPv6 networks, this thesis focuses on the alias resolution problem whereby we seek to identify multiple interfaces belonging to a single IPv6 router. Alias resolution is critical to developing an accurate router-level topology map. This thesis presents a fingerprint-based IPv6 alias resolution technique that induces fragmented responses from IPv6 router interfaces. We demonstrate perfect alias resolution accuracy in a controlled environment, and on a small subset of the production IPv6 Internet for which ground-truth is known. Internet-wide testing finds that over 70% of IPv6 interfaces probed respond to the method.

Techniques for the detection of faulty packet header modifications 

Ryan Craven, Robert Beverly, and Mark Allman.

Understanding, measuring, and debugging IP networks, particularly across administrative domains, is challenging.Compounding the problem are transparent in-path appliances and middleboxes that can be difficult to manage and sometimes left out-of-date or misconfigured.As a result, packet headers can be modified in unexpected ways, negatively impacting end-to-end performance.We discuss the impact of such packet header modifications, present an array of techniques for their detection, and define strategies to add tamper-evident protection to our detection techniques.We select a solution for implementation into the Linux TCP stack and use it to examine real-world Internet paths.We discover various instances of in-path modifications and extract lessons learned from them to help drive future design efforts.


A Secure Mobile Distributed File System 

Geoffrey Xie Won IEEE Fred W. Ellersick Award for the best unclassified paper in MILCOM'11. Transferred to a Navy SBIR program.

The goal of this research is to provide a way for frontline troops to securely store and exchange sensitive information on a network of mobile devices with resiliency. The first portion of the thesis is the design of a file system to meet military mission specific security and resiliency requirements. The design integrates advanced concepts including erasure coding, Shamir's threshold based secret sharing algorithm, and symmetric AES cryptography. The resulting system supports two important properties: (1) data can be recovered only if some minimum number of devices are accessible, and (2) sensitive data remains protected even after a small number of devices are compromised. The second part of the thesis is to implement the design on Android mobile devices and demonstrate the system under real world conditions. We implement and demonstrate a functional version of MDFS on Android hardware. Due to the device's limited resources, there are some issues that must be explored before MDFS could be deployed as a viable distributed file system.

Malicious Activity Simulation Tool (MAST) 

Gurminder Singh and John Gibson, Support realistic cyber security training without an increase in risk of network degradations.

For computer network infiltration and defense training within the Defense, the use of Red Teams results in the most effective, realistic, and comprehensive training for network administrators. Our thesis is meant to mimic that highly trained adversary. We developed a framework that would exist in that operational network, that mimics the actions of that adversary or malware, that creates observable behaviors, and that is fully controllable and configurable. The framework is based upon a client-server relationship. The server is a Java multi-threaded server that issues commands to the Java client software on all of the hosts of the operational network. Our thesis proved that commands could be sent to those clients to generate scanning behavior that was observable on the network, that the clients would generate or cease their behavior within five seconds of the issuance of the command, and that the clients would return to a failsafe state if communication with the command and control server was lost. The framework that was created can be expanded to control more than twenty hosts. Furthermore, the software is extensible so that additional modules can be created for the client software to generate additional and more complex malware mimic behaviors.


HELP: Handheld Emergency Logistics Program for generating structured requests for resources in stressful conditions 

Ryan Barnes, and Buck Bradley, Advisor Gurminder Singh, evaluates the feasibility of DARPA developed sensors for small-unit defense Ops.

The speed and efficacy with which front-line warfighters in stressful conditions can submit resource requests, such as a casualty evacuation, could mean the difference between life and death. Traditional methods to call for resources require training, are error-prone and can be sluggish. The Handheld Emergency Logistics Program (HELP) was developed by the authors of this thesis to assist both trained and untrained persons in requesting resources from supporting agencies. HELP was developed to prove the concept that off-the-shelf mobile technology can significantly improve the speed and efficacy of resource requests. This thesis aims to allow HELP to exploit built-in sensors in modern commercial off-the-shelf handheld smart devices and their computation and communication capability to reduce the chance of error, reduce the need to pull information from memory, reduce manual data entry, and provide multiple redundant modalities for performing the same action. Our findings indicate that with the assistance of HELP, users submitting resource requests committed half as many errors and completed the request in half the amount of time as compared to a control group using traditional methods. We recommend that the concept of using smart devices to call for resources be further developed into a program of record.

Employing deceptive dynamic network topology through software-defined networking 

Jason Hughes, Advisor, Robert Beverly, uses principles of military deception to present a false picture of the network structure to adversaries.

Computer networks are constantly being actively probed in attempts to build topological maps of intermediate nodes and discover endpoints, either for academic research or nefarious schemes. While some networks employ recommended conventional countermea-sures to simply block such probing at the boundary or shunt such traffic to honey pot systems, other networks remain completely open either by design or neglect. Our research builds on previous work on the concept of presenting a deceptive network topology, which goes beyond conventional network security countermeasures of detecting and blocking network probe traffic. By employing the technologies from the emerging field of Software-Defined Networking and the OpenFlow protocol, we constructed a custom-built SDN controller to listen for network probes and craft customized deceptive replies to those probes. Through employment of various network probing utilities against our custom-built SDN controller in a test network environment, we are able to present a believable deceptive representation of the network topology to an adversary. Therefore, this work demonstrates that the primitives of the expand-ing OpenFlow protocol show strong potential for constructing an enterprise-grade dynamic deceptive network topology solution to protect computer networks.

Tactical Networked Communication Architecture Design

Justin Rohrer

Spanning areas of disruption-tolerant networking, network measurement, and system modeling, with the common thread between those being network resilience and survivability research, and leveraging a tri-pronged approach of graph theory, system simulation and modeling, and validation via testbed implementation.


Computer Science Department

Address:  Computer Science Dept., Glasgow Hall East, Building 305, Room 311, 1411 Cunningham Rd, Monterey, CA, 93943

Phone: Admin: 831.656.3389, DSN 756-, Program Office: 831.656.7980/7981, DSN 756-. 

Fax:  Admin: 831. 656.2814, DSN 756-, Program Office:831.656.3681, DSN 756-

Email:  The following email addresses can be reached using the '@nps.edu' suffix:  Chairman - CS_Chair, Program Officer - ProgramOfficer_CS, Computer Science Academic Associate - AcademicAssociate_CS, Software Engineering Academic Associate - AcademicAssociate_SE, Computer Science Search Committee - cssrch, Additional contact information is available for CS Department faculty members.