A New Solution of Peer-To-Peer Anonymous Communication


Material Information

Title:
A New Solution of Peer-To-Peer Anonymous Communication
Physical Description:
1 online resource (44 p.)
Language:
English
Creator:
Park, Yangbae
Publisher:
University of Florida
Place of Publication:
Gainesville, Fla.
Publication Date:

Thesis/Dissertation Information

Degree:
Master's ( M.S.)
Degree Grantor:
University of Florida
Degree Disciplines:
Computer Engineering, Computer and Information Science and Engineering
Committee Chair:
Chen, Shigang
Committee Members:
Sahni, Sartaj
Liu, Chien-Lian

Subjects

Subjects / Keywords:
anonymity -- anonymous -- communication -- computer -- networks -- onionrouting -- p2p
Computer and Information Science and Engineering -- Dissertations, Academic -- UF
Genre:
Computer Engineering thesis, M.S.
bibliography   ( marcgt )
theses   ( marcgt )
government publication (state, provincial, territorial, dependent)   ( marcgt )
born-digital   ( sobekcm )
Electronic Thesis or Dissertation

Notes

Abstract:
Anonymous communication prevents network sniffers or any third parties from identifying communication parties. Whenever we use the Internet, our IP addresses are exposed to anyone along the routes; however, these addresses often allow an adversary to trace identities of senders and recipients. Since privacy protection has become more important, the demands for anonymous communication have also increased a lot. In particular, the Tor network is the most popular and widely used anonymous communication system, but it is not very scalable. Many researchers have suggested peer-to-peer (P2P) based solution to cope with this limitation of Tor. However, none of them have yet offered the anonymity that Tor provides. Our goal is to improve anonymity of a Tor-like system based on P2P architecture. It should not depend on any central authority or trusted third party that limits scalability. In addition, it should be resistant to large-scale coordinated eavesdropping. In this thesis, we propose a new anonymous communication solution that satisfies these requirements.
General Note:
In the series University of Florida Digital Collections.
General Note:
Includes vita.
Bibliography:
Includes bibliographical references.
Source of Description:
Description based on online resource; title from PDF title page.
Source of Description:
This bibliographic record is available under the Creative Commons CC0 public domain dedication. The University of Florida Libraries, as creator of this bibliographic record, has waived all rights to it worldwide under copyright law, including all related and neighboring rights, to the extent allowed by law.
Statement of Responsibility:
by Yangbae Park.
Thesis:
Thesis (M.S.)--University of Florida, 2012.
Local:
Adviser: Chen, Shigang.
Electronic Access:
RESTRICTED TO UF STUDENTS, STAFF, FACULTY, AND ON-CAMPUS USE UNTIL 2013-05-31

Record Information

Source Institution:
UFRGP
Rights Management:
Applicable rights reserved.
Classification:
lcc - LD1780 2012
System ID:
UFE0044200:00001



Full Text

PAGE 1

A NEW SOLUTION OF PEER-TO-PEER ANONYMOUS COMMUNICATION

By
YANGBAE PARK

A THESIS PRESENTED TO THE GRADUATE SCHOOL OF THE UNIVERSITY OF FLORIDA IN PARTIAL FULFILLMENT OF THE REQUIREMENTS FOR THE DEGREE OF MASTER OF SCIENCE

UNIVERSITY OF FLORIDA
2012

PAGE 2

© 2012 Yangbae Park

PAGE 3

I dedicate this thesis to my parents.

PAGE 4

ACKNOWLEDGMENTS

First and foremost, I would like to express my sincere gratitude to my advisor, Dr. Shigang Chen. This thesis would not have been possible without his advice, guidance, and persistent help.

I would also like to thank Dr. Sartaj Sahni and Dr. Jonathan Liu for serving on the supervisory committee. Their constructive assistance and comments have always inspired me to think creatively. It was my great pleasure and honor to have them on the committee.

In addition, I thank Min Chen, Tao Li, Wen Luo, Zhen Mo, Yan Qiao, and Yian Zhen who have studied and discussed a number of interesting topics with me. I am grateful to Dr. Lingguo Cui for giving me valuable comments. I am also indebted to my other colleagues, including, but not limited to, Inchul Choi, Hokyu Kang, Dunam Kim, and Coralie Richard, who helped me stay sane and happy. I wish them all well in their future endeavors.

PAGE 5

TABLE OF CONTENTS

(entry ... page)

ACKNOWLEDGMENTS ... 4
LIST OF TABLES ... 6
LIST OF FIGURES ... 7
ABSTRACT ... 8

CHAPTER

1 INTRODUCTION ... 9
2 PREVIOUS RESEARCH AND APPLICATIONS ... 11
  2.1 Low Latency vs. High Latency Anonymous Communication ... 11
  2.2 Attack Models for Anonymous Communication ... 11
  2.3 Anonymous Proxy Servers ... 12
  2.4 Onion Routing and Tor ... 13
  2.5 Distributed Hash Tables ... 15
  2.6 DHTs and Tor ... 16
3 MOTIVATION ... 19
  3.1 DHT Lookup ... 19
  3.2 Routing Table Prediction ... 21
4 PROPOSED SOLUTION ... 24
  4.1 Predictive Lookup: Locating a Relay in a Special Condition ... 24
  4.2 Predictive Lookup: Generalized Version ... 26
  4.3 Yet Another Issue of Predictive Lookup and Solution ... 28
  4.4 Building a Virtual Circuit ... 31
5 SIMULATION RESULTS ... 33
  5.1 Simulation for Predictive Lookup ... 33
  5.2 Simulation with $f_{cutoff}$ ... 35
6 CONCLUSIONS AND FUTURE RESEARCH ... 38
  6.1 Conclusions ... 38
  6.2 Future Research ... 38

REFERENCES ... 40
BIOGRAPHICAL SKETCH ... 44

PAGE 6

LIST OF TABLES

(table ... page)

2-1 Comparison of P2P ... 16
4-1 Classification of results of range estimation for predictive lookup ... 28
5-1 Average hop count of traditional and predictive lookup ... 34
5-2 Comparison between traditional and predictive lookup ... 35
5-3 Range estimation success ratio $f_{RES}$ with $f_{cutoff}$ ... 36

PAGE 7

LIST OF FIGURES

(figure ... page)

2-1 Anonymous HTTP proxy ... 12
2-2 An example of a virtual circuit ... 14
2-3 Message encapsulation and decapsulation ... 15
2-4 Range estimation during lookup in NISAN ... 18
3-1 DHT nodes ... 19
3-2 A DHT routing table example ... 20
3-3 A scenario of multi-hop queries ... 21
3-4 Pseudo-code of lookup function ... 22
3-5 Fully-filled 3-bit id space ... 23
4-1 Predictive lookup version 1 ... 25
4-2 Pseudo-code of predictive lookup version 1 ... 25
4-3 Failure of predictive lookup version 1 ... 26
4-4 $o_{altpred}$ and $o_{xpred}$ in the 8-bit DHT id space ... 27
4-5 $o_{xsucc}$ vs. $o_{xpred}$ in a large DHT id space ... 28
4-6 Locating $x$ using predictive lookup version 2 ... 29
4-7 Pseudo-code of the predictive lookup version 2 ... 29
4-8 Successful range estimation when $x_{alt}$ is nearby $x$ ... 30
4-9 Pseudo-code with predictive table cutoff ... 31
5-1 Average hop count of traditional and predictive lookup ... 34
5-2 Comparison between traditional and predictive lookup ... 36
5-3 Range estimation success ratio $f_{RES}$ when $f_{cutoff}$ is secret ... 37
5-4 Range estimation success ratio $f_{RES}$ when $f_{cutoff}$ is revealed ... 37

PAGE 8

Abstract of Thesis Presented to the Graduate School of the University of Florida in Partial Fulfillment of the Requirements for the Degree of Master of Science

A NEW SOLUTION OF PEER-TO-PEER ANONYMOUS COMMUNICATION

By Yangbae Park
May 2012
Chair: Shigang Chen
Major: Computer Engineering

Anonymous communication prevents network sniffers or any third parties from identifying communication parties. Whenever we use the Internet, our IP addresses are exposed to anyone along the routes; however, these addresses often allow an adversary to trace identities of senders and recipients. Since privacy protection has become more important, the demands for anonymous communication have also increased a lot. In particular, the Tor network is the most popular and widely used anonymous communication system, but it is not very scalable. Many researchers have suggested peer-to-peer (P2P) based solution to cope with this limitation of Tor. However, none of them have yet offered the anonymity that Tor provides. Our goal is to improve anonymity of a Tor-like system based on P2P architecture. It should not depend on any central authority or trusted third party that limits scalability. In addition, it should be resistant to large-scale coordinated eavesdropping. In this thesis, we propose a new anonymous communication solution that satisfies these requirements.

PAGE 9

CHAPTER 1
INTRODUCTION

Anonymous communication prevents network sniffers or any third parties from identifying communication parties. Cryptography has solved many issues for confidentiality and integrity. However, network addresses in packets are still exposed, and anyone along the routes can monitor the addresses. Such addresses often become critical hints, enabling an adversary to trace identities of senders and recipients. Since privacy protection has become more important, the demands for anonymous communication have also increased.

The Tor network [1] is the most popular and widely used anonymous communication system. Tor allows hundreds of thousands of users [2] to surf the Internet without sacrificing privacy. There are a variety of users and countries accessing Tor, from journalists in Egypt to Iranian, Indian, Japanese, and Russian embassies [3].

In the Tor network, the number of trusted directory servers is limited, and all users have to store a global view of the system. Although this design prevents attackers from poisoning the directory or circuits, it causes a scalability problem. McLachlan et al. [4] show that traffic to manage a global view will soon become larger than actual anonymous traffic. With regard to this issue, some researchers consider adapting peer-to-peer (P2P) approaches on Tor or its variants [5][6][7][4][8][9].

P2P architecture is not easily applicable to Tor because it causes a new problem for anonymous communication. For example, AP3 [7] and Salsa [6] utilize Distributed Hash Table (DHT) to distribute centralized overhead, and users are required to maintain only a partial view of a system. However, Mittal and Borisov [10] showed that attackers can reveal identities of communication parties during the lookup procedure.

More recently, NISAN [8] has proposed an anonymous lookup mechanism. NISAN provides better redundancy and bound checking against active attackers while it hides

PAGE 10

the relationship between users and relays from passive attackers. However, Wang et al. [11] show that a group of compromised nodes may still break anonymity during lookup.

In this thesis, we propose a new P2P anonymous communication solution based on Chord [12], which is widely used by many P2P researchers and applications. Our solution is completely decentralized, and it is robust against a large scale adversary. It does not rely on any trusted third party on the system, nor redundant activities that can cause another type of vulnerability.

The key idea of our solution is called predictive lookup. We find a mechanism to predict another node's routing table. Based on this mechanism, we design a new lookup protocol to initiate anonymous communication. We further develop our idea into a general condition, regardless of the size of nodes, or the density of the network.

The rest of this thesis is organized as follows. In Chapter 2, we describe previous research and applications. In Chapter 3, we show details of routing table prediction which will be later a key mechanism for our new solution. In Chapter 4, we propose a new solution, and we expand our idea to generalize the solution. In Chapter 5, we conducted a simulation, and the experimental results are shown. Finally we conclude in Chapter 6.

PAGE 11

CHAPTER 2
PREVIOUS RESEARCH AND APPLICATIONS

2.1 Low Latency vs. High Latency Anonymous Communication

Anonymous communication can be categorized based on latency. Low latency communication is typically for interactive applications which require short delay of transmission. For instance, web browsers will show HTTP Error 408 (Request timeout) unless they retrieve a web page within a few seconds. Likewise, most people will close voice chatting if their partners become mute.

Although low latency communication can benefit most applications, it is weak against a powerful global adversary who can monitor the entire network [13][14][15][16]. The global adversary can measure end-to-end data transmission and reception time, and they can then discover senders and corresponding recipients.

High latency communication usually takes hours or even days to transmit a message, and it is robust against a global adversary. Mixminion [17] and Mixmaster [18] are well-known examples of high latency communication systems. However, due to high latency, only limited applications are able to use high latency communication systems, such as emails.

In this thesis, we focus on low latency anonymous communication. We assume that there is no global attacker on the Internet, but we still consider the existence of semi-global attackers.

2.2 Attack Models for Anonymous Communication

Typically attack models for anonymous communication are classified into active and passive attacks. Active attackers join in and manipulate anonymous communication channels actively so that they can break anonymity, or they damage the system itself. Although active attacks could cause critical damage, they are usually visible due to abnormal activities.

PAGE 12

On the other hand, passive attackers only observe some portion of anonymous traffic. Unlike active attackers, passive attackers do not expose themselves, so they are rarely detected. Furthermore, Mittal and Borisov [10] show that several defense techniques against active attacks create new vulnerabilities of anonymity from passive attacks. We focus on passive attacks particularly in this thesis.

2.3 Anonymous Proxy Servers

A proxy server is a network node that forwards incoming packets to others. An anonymous proxy server has an anonymizer that conceals the original sender's identity. Figure 2-1 shows how an HTTP anonymous proxy system works.

Figure 2-1. Anonymous HTTP proxy

First client A encrypts a HTTP request message with a shared secret key $K_{AB}$ or B's public key $K_B^+$. Next A sends the encrypted request to the anonymous proxy

PAGE 13

server B. Authentication is optionally required at this moment. Once B accepts A and its message, the anonymizer removes any A's identity from the message. Proxy B then forwards the anonymous message toward the actual destination C. When B receives a response from C, it encrypts the response again with $K_{AB}$ or A's public key $K_A^+$, and then forwards to A.

A key role in this model is the proxy B. If B is compromised, attackers can trace A's address. Moreover even without controls over B, attackers can still use traffic or timing analysis attacks to find a connection from A to B, and a corresponding connection from B to C.

2.4 Onion Routing and Tor

Reed et al. [19] proposed a freely available anonymous communication system called onion routing. Onion routing utilizes multiple network nodes to prevent eavesdropping and traffic analysis. Tor is a predominant implementation of onion routing, serving hundreds of thousands of users [2]. Tor typically calls the network nodes relays, and anyone can run a Tor relay voluntarily.

Onion routing is based on Public Key Encryption. Each relay or user has a public and private key pair. Public keys are available for all, while private keys should be kept in secret. The list of relays is called the directory. In the Tor network, all clients, as well as several trusted directory servers maintain the directory.

Before transmitting actual messages, an onion routing client has to choose several relays. Typically Tor selects three random relays. The more relays the client uses, the higher anonymity and performance are obtained [20], but latency will also increase more.

Next, the client creates a virtual circuit composed of the chosen relays, as Figure 2-2 shows. A virtual circuit is a network tunnel on top of the Internet. If the client selects three relays, messages will be transmitted through the three relays.

PAGE 14

As a powerful adversary may attempt to trace the sequence of relays to discover communication parties, Tor expires each virtual circuit every 10 minutes.

Figure 2-2. An example of a virtual circuit

In order to hide identities of senders and recipients, an actual message is wrapped in several layers of encryption. Figure 2-3 shows how a client transmits a message through a virtual circuit that consists of three relays R1, R2, and R3. It first encrypts the message with R3's public key $K_{R3}^+$. Next, the client encrypts R3's address and the previously encrypted message with R2's public key $K_{R2}^+$. This procedure continues until the client encrypts with the first relay's public key, which is $K_{R1}^+$ in Figure 2-3.

When the first relay R1 receives the wrapped message from the client, R1 decrypts the message with R1's private key $K_{R2}^-$ to extract the payload and the next destination. This is like peeling an onion, but R1 can only peel the first layer because the other layers are encrypted with other keys, $K_{R2}^+$ and $K_{R3}^+$. From the perspective of R1, the destination is R2, and no other relays or destination are visible because their addresses are encrypted with different keys. Once R1 forwards the message to R2, R2 has no way to recognize the client's existence, though R2 can see R3. R3 knows the final destination, but it is unable to trace who sent this message. Thus, no one can deanonymize the communication.

Although Tor is a very successful onion routing application, it depends on a single directory authority. In addition, each client manages a global picture of the network, and

PAGE 15

Figure 2-3. Message encapsulation and decapsulation ($K_R^+$: R's public key)

these cause scalability issues. McLachlan et al. [4] show that traffic to manage the global view will become larger than actual anonymous traffic in the near future.

2.5 Distributed Hash Tables

Peer-to-peer (P2P) systems have been very successful in addressing resource sharing and content access over the Internet [12 21 23]. Some researchers have considered P2P approaches to resolve scalability issues in a Tor network [7][6][4][8][9]. A variety of P2P systems are available now, but they are briefly categorized into centralized and decentralized systems. Decentralized systems are again classified into unstructured and structured systems.

In centralized P2P systems, a single directory authority maintains a centralized directory. This structure has several advantages. It prevents malicious nodes from

PAGE 16

Table 2-1. Comparison of P2P

P2P types                      Lookup time   Storage requirement   Application(s)
Centralized                    O(1)          O(N)                  Napster, eDonkey, BitTorrent
Decentralized & Unstructured   O(N)          O(1)                  Gnutella
Decentralized & Structured     O(lg(N))      O(lg(N))              DHTs, BitTorrent

poisoning the directory, and it also responds to queries very quickly because the directory is stored in a local area. However, the directory becomes bottlenecked when the number of nodes and queries soars, so this architecture is not very scalable.

Decentralized P2P systems are based on overlay networks. Each node stores and shares only a small portion of the directory. In particular, unstructured P2P systems do not impose any topology or structure on the network, so the network expands arbitrarily. In an N-node system, this causes querying time to expand to O(N) in the worst case.

On the other hand, a structured P2P system has a consistent protocol that restricts nodes from forming an inefficient overlay network. Distributed Hash Tables (DHTs) are of this class. Because of the strict structure, important operations, such as joining, lookup, and quitting, can be done within $O(\lg(N))$ or $O(\lg^2(N))$ [12]. Thus, DHTs are generally faster than unstructured P2P systems, and more reliable than centralized P2P. Chord [12], Pastry [24], CAN [25], and Tapestry [26] are famous examples of DHTs.

2.6 DHTs and Tor

DHTs have been adapted by many researchers to resolve Tor's scalability issues, and Salsa [6] is one of the pioneering works. Salsa relies on a DHT system to store directory information. It calculates a cryptographic hash value of the node's IP address to create an identity in the DHT. Unlike file sharing applications, anonymous communication does not need external data to share, such as files, so nodes only share directory information. When a Salsa client needs to locate a relay, it generates a random value, and finds the corresponding node which is unique in the DHT id space. However, later Mittal and Borisov [10] show that this is not adequately secure. Moreover they also

PAGE 17

prove that Salsa's defense mechanism against active attacks ironically increases threats of passive attacks.

Torsk [4] proposes secret buddy scheme. Instead of anonymizing lookup itself, a Torsk client executes random walks to select secret buddy nodes, and these nodes will serve as proxies during lookup. The client then generates a random value in the DHT id space, and finds the corresponding node to select a relay. However, Wang et al. [11] present buddy exhaustion attacks, and this blocks honest nodes from choosing a secret buddy. They also show that Torsk is weak against passive attacks, as the random value is leaked to others. This enables intermediate nodes to query the random value, which eventually exposes the relay.

Panchenko et al. [8] introduce an alternative approach, named NISAN. In NISAN, a client also needs a random value $x$. However, instead of announcing $x$ to other nodes, the client asks other nodes to send their routing tables¹. This prevents other nodes from knowing the value $x$, which should be kept secret.

Although NISAN protects $x$ from being directly revealed, it is still far from perfect. Wang et al. [11] prove that attackers can still shrink range of $x$ significantly. This is called range estimation, and it is based on the fact that a client will query only nodes preceding $x$. When querier Q in Figure 2-4 queries to a compromised node C, C can estimate x's boundary x as follows:

$m$: the number of bits in a given id space
$id_n$: the identifier of node $n$
x = ($id_{MAX}$, $id_{MIN}$)

¹ NISAN is based on Chord-like DHT, and Chord calls routing tables finger tables. In this thesis, we always use routing tables to prevent confusion.

PAGE 18

$id_{MIN} = id_C$
$id_{MAX} = (id_Q + 2^i) \bmod 2^m$ where $id_Q + 2^{i-1}$
PAGE 19

CHAPTER 3
MOTIVATION

In this chapter, we describe motivating ideas related to our new solution. It consists of several steps. We first explain a lookup procedure of Chord-like DHT, and then discover how to predict other nodes' routing tables.

3.1 DHT Lookup

Every DHT node has a single m-bit identifier (id) positioned in a shared id space. Typically an id is generated by running a cryptographic hash function such as SHA-1. For simplicity, we use small id spaces to describe examples. Figure 3-1 shows 5 nodes in 8 bit DHT id space.

Figure 3-1. DHT nodes

Chapter 2 shows that a DHT system does not rely on a central directory service. Instead, every DHT node $n$ has a routing table $T_n$ that consists of $m$ routing entries. Each entry $E_{n,i}$ has a key $k_{n,i}$ and its corresponding node $o_{k_{n,i}}$.

PAGE 20

Tn=fEn,ij0i
PAGE 21

example of multi-hop queries, and Figure 3-4 shows the pseudo-code of the DHT query function.

Figure 3-3. A scenario of multi-hop queries

3.2 Routing Table Prediction

Let's first assume that a DHT id space is fully filled, like Figure 3-5. In Figure 3-5, node A shall have node B, C, and E in its routing table because the distance from A

PAGE 22

Figure 3-4. Pseudo-code of lookup function

to B, C, or E is exactly the power of 2. Likewise, node C shall have node D, E, and G. Node D shall have node E, F, and H. We note that nodes A, C, and D must contain node E in their routing tables. In other words, E is reachable from A, C, or D within a single hop.

The following formula shows how to derive a collection $C_{id_T}$ of keys $id_n$ of nodes that must have a specific node T in their routing tables. $C_k$ is the generalized version of $C_{id_T}$ for any id $k$.

$C_{id_T} = \{\, id_n \mid id_n = (id_T - 2^i) \bmod 2^m,\ 0\ i$
PAGE 23

Figure 3-5. Fully-filled 3-bit id space

PAGE 24

CHAPTER 4
PROPOSED SOLUTION

In this chapter, we explore a new lookup mechanism called predictive lookup to obfuscate range estimation. We first assume that the DHT id space is full, and then we generalize our method by removing the assumption. We also deal with how to build a virtual circuit using the new lookup mechanism to make it even more difficult for attackers to estimate the range.

4.1 Predictive Lookup: Locating a Relay in a Special Condition

The previous chapter shows that when DHT id space is full, we can predict $C_k$, a set of $m$ nodes that have a specific key $k$ in their routing tables. We call $C_k$ prediction table. With this knowledge, we can design a new lookup process. First we generate a random id $x$ and corresponding prediction table $C_x$. Next we generate a random index $i$ (0 i
PAGE 25

Figure 4-1. Predictive lookup version 1

This mechanism suppresses range estimation because it forces the majority of queries to head to $x_{alt}$. Therefore passive attackers are highly unable to estimate the correct range of $x$. Figure 4-2 shows the pseudo-code of predictive lookup version 1.

Figure 4-2. Pseudo-code of predictive lookup version 1

PAGE 26

4.2 Predictive Lookup: Generalized Version

Although predictive lookup version 1 limits range estimation, this is not always applicable. Practical DHT id spaces are so big; for instance, Kademlia [27] is a famous DHT protocol used by many applications, such as BitTorrent, and it has a 160-bit id space. Such an id space is so spacious that it is unrealistic to be filled out.

When predictive lookup version 1 locates $o_{alt}$, it returns the first successor of $x_{alt}$ unless $o_{alt}$'s id is exactly $x_{alt}$. Because $o_{alt}$ succeeds $x_{alt}$, $o_{alt}$'s $(i+1)$-th routing entry also refers to $o_x$'s successor, denoted by $o_{xsucc}$. Thus, the querier will fail to locate the correct $o_x$. In Figure 4-3, the querier generates $x = 8$ in the 4-bit id space, and it chooses the last entry on $C_8$, so $x_{alt} = 0$. Since there is no such node whose id is 0, node A becomes $o_{alt}$. If the querier follows node A's last routing entry, it will eventually arrive at node F, which is an incorrect destination.

Figure 4-3. Failure of predictive lookup version 1

Such a failure causes additional lookup to relocate $x$. There are two ways to relocate $x$ from the incorrect destination $o_{xsucc}$. The first option is searching backward from $o_{xsucc}$. This requires sending a query to every node between $x$ and $o_{xsucc}$ because each node only holds the closest predecessor pointer in the backward direction. The other option is searching forward, but this is also a bad idea because $x$ is too far away

PAGE 27

from $o_{xsucc}$. Therefore, all these options are risky enough to enable range estimation again.

We focus on how to minimize the relocation process. Instead of looking for $o_{alt}$ which is the first successor of $x_{alt}$, the querier can search $o_{alt}$'s first predecessor $o_{altpred}$. In Figure 4-4, node A is $o_{alt}$, whereas node G is $o_{altpred}$. $o_{altpred}$ can be obtained within constant time because each Chord node maintains a predecessor pointer.

We note that $o_{altpred}$ is the closest predecessor from $x_{alt}$, and $o_{alt}$ is the closest successor from $x_{alt}$. Thus, unlike $o_{alt}$, $o_{altpred}$'s routing entry points to $x$'s predecessor, which is denoted by $o_{xpred}$. Since Chord id space is directional, the new distance from $o_{xpred}$ to $x$ is shorter than either the forward distance or backward distance from $o_{xsucc}$ to $x$. Figure 4-5 compares the new distance with the backward distance when nodes are near-uniformly distributed.

Figure 4-4. $o_{altpred}$ and $o_{xpred}$ in the 8-bit DHT id space

Although this method does not guarantee a one hop increment during lookup, it adds reasonably small hops in general because the distance from $o_{xpred}$ to $x$ is typically shorter than the distance from the querier to $x_{alt}$. We name this method predictive

PAGE 28

Figure 4-5. $o_{xsucc}$ vs. $o_{xpred}$ in a large DHT id space

Table 4-1. Classification of results of range estimation for predictive lookup

Class          Leakage while locating $x_{alt}$   Leakage while locating $x$   Safety
Safe           X                                  X                            Safe
Misestimated   O                                  X                            Safe
Leaked         X                                  O                            Unsafe
Confusing      O                                  O                            Almost safe

lookup version 2, and Figure 4-6 and Figure 4-7 show the revised way to locate $x$ using predictive lookup version 2. For simplicity, Figure 4-6 is drawn in a recursive way although it is actually done iteratively.

With regard to predictive lookup version 2, an attempt for range estimation results in one of following:

1. The relay is completely safe: when no query is leaked during the whole process, the relay is obviously safe.
2. The relay is misestimated: when one or more queries only during the first traditional lookup step are leaked, the attackers misestimate the range of the relay.
3. The relay is leaked: when one or more queries only during the predictive lookup step are leaked, the attackers can correctly estimate the range of the relay.
4. The relay is confusing: when both traditional lookup step and predictive lookup step are leaked, the attackers have to decide which range includes a correct relay. We use shuffling and concurrent querying to confuse attackers even more in this scenario. More details about the techniques are described in Section 4.4.

4.3 Yet Another Issue of Predictive Lookup and Solution

There is yet another minor issue: which entry does a lookup initiator have to choose in $C_x$? There are total $m$ entries available in $C_x$, but choosing a key nearby the target $x$

PAGE 29

Figure 4-6. Locating $x$ using predictive lookup version 2

Figure 4-7. Pseudo-code of the predictive lookup version 2

PAGE 30

is generally insecure. This is because when attackers estimate range of $x$, the result will accidentally intersect with both $x$ and $x_{alt}$ if $x$ and $x_{alt}$ are close, as Figure 4-8 shows.

Figure 4-8. Successful range estimation when $x_{alt}$ is nearby $x$

When nodes are near-uniformly distributed, the probability $Pr_{neighbor}$ that a client selects the target's neighbor is as follows:

$distance = \frac{2^m}{N}$
${}_{x_{alt},x} = 2^i$
$Pr_{neighbor} = Pr(distance > {}_{x_{alt},x}) = Pr(\frac{2^m}{N} > 2^i) = Pr(\lg(\frac{2^m}{N}) > i) = Pr(m - \lg(N) > i), (0\ i$
PAGE 31

nodes, and ${}_{x_{alt},x}$ is the distance from $x_{alt}$ to $x$. Since $m$ is fixed, and $\log(N)$ does not vary dramatically, $Pr_{neighbor}$ depends on $i$. When $i$ is too small, predictive lookup is no longer beneficial.

With regard to this issue, we propose prediction table cutoff technique, which restricts clients from selecting small $i$. A basic prediction table has $m$ elements, but clients cut the front part (the first $m f_{cutoff}$ entries) of the table optionally so that they do not select small $i$. We will explore the impact of cutoff ratio $f_{cutoff}$ more by observing the simulation results in Chapter 5.

Figure 4-9. Pseudo-code with predictive table cutoff

4.4 Building a Virtual Circuit

We have discussed how to locate a single relay with predictive lookup mechanism, but in order to build a virtual circuit, we have to select multiple relays. Tor typically requires three relays, but more relays are recommended in a P2P based environment because of security and scalability issues.

First, any P2P anonymous communication is inevitably weaker than Tor in terms of anonymity because the lookup process relies on queries to other nodes. Whenever a querier sends a request message using a DHT protocol, the receiver at least recognizes that the querier is attempting to initiate anonymous communication. Thus using the same constant number of relays that Tor uses is not a good idea.

Moreover, P2P architecture is more scalable; the system can support more volunteer nodes, and this provides more options to utilize more relays. Although

PAGE 32

adding a relay increases delay during circuit initialization and communication, it more importantly guarantees improved anonymity.

A naive approach to locate $r$ relays is running $r$ independent predictive lookups sequentially. A client initially locates the first relay, then second, and subsequent relays. However, a large set of passive attackers belonging to a single adversary can analyze querying time to discover the order of queries. In order to prevent timing attacks during $r$ relays selection, we adapt two strategies: shuffling and concurrent querying.

Shuffling randomizes order of relays. Each predictive lookup requires generating a random value, so we need $r$ random values, named $x_i$, where 0 i
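
The following Python model is an added example, not code from the thesis: it runs the Chapter 4 lookups on a Chord-like ring to show version 1 overshooting the relay in a sparse id space, version 2 recovering through $o_{altpred}$, and the prediction table cutoff. The class and function names and the node ids are constructed for illustration, and applying the cutoff inside `pr_neighbor` is an assumption that goes beyond the formula in the text.

```python
import bisect
import random


class Ring:
    """Chord-like ring over an m-bit id space (assumes at least two nodes)."""

    def __init__(self, m, node_ids):
        self.m, self.size = m, 1 << m
        self.ids = sorted(set(node_ids))

    def dist(self, a, b):
        """Clockwise distance from id a to id b."""
        return (b - a) % self.size

    def successor(self, key):
        """First node at or after key, wrapping around the ring."""
        j = bisect.bisect_left(self.ids, key % self.size)
        return self.ids[j % len(self.ids)]

    def predecessor(self, key):
        """Closest node strictly before key (Chord's predecessor pointer)."""
        return self.ids[bisect.bisect_left(self.ids, key % self.size) - 1]

    def finger(self, n, i):
        """Routing entry E_{n,i}: the node for key (id_n + 2^i) mod 2^m."""
        return self.successor(n + (1 << i))

    def owns(self, n, x):
        """True when key x falls in (predecessor(n), n], so n is x's relay."""
        p = self.predecessor(n)
        return 0 < self.dist(p, x) <= self.dist(p, n)

    def lookup(self, start, x):
        """Traditional iterative lookup; returns (relay for x, nodes queried)."""
        n, queried = start, [start]
        while not self.owns(n, x):
            nxt = self.finger(n, 0)
            if self.owns(nxt, x):
                return nxt, queried
            for i in reversed(range(self.m)):  # closest preceding routing entry
                f = self.finger(n, i)
                if 0 < self.dist(n, f) < self.dist(n, x):
                    n = f
                    break
            queried.append(n)
        return n, queried


def prediction_table(x, m):
    """C_x: the m ids (x - 2^i) mod 2^m whose i-th routing key is x."""
    return [(x - (1 << i)) % (1 << m) for i in range(m)]


def predictive_v1(ring, x, i):
    """Version 1: locate o_alt (successor of x_alt), follow its i-th entry."""
    o_alt = ring.successor(prediction_table(x, ring.m)[i])
    return ring.finger(o_alt, i)


def predictive_v2(ring, x, i):
    """Version 2: go through o_alt's predecessor, then finish traditionally.

    Returns (node the predicted entry points at, relay finally located).
    """
    o_alt = ring.successor(prediction_table(x, ring.m)[i])
    o_altpred = ring.predecessor(o_alt)
    landing = ring.finger(o_altpred, i)  # at or before x's relay
    relay, _ = ring.lookup(landing, x)
    return landing, relay


def pick_index(m, f_cutoff, rng):
    """Prediction table cutoff: never pick one of the first m*f_cutoff entries."""
    return rng.randrange(int(m * f_cutoff), m)


def pr_neighbor(m, n_nodes, f_cutoff=0.0):
    """Share of selectable i with 2^i < 2^m / N (x_alt lands next to x)."""
    lo = int(m * f_cutoff)
    risky = sum(1 for i in range(lo, m) if (1 << i) * n_nodes < (1 << m))
    return risky / (m - lo)


if __name__ == "__main__":
    sparse = Ring(4, [2, 5, 7, 9, 11, 14])  # constructed 4-bit ring
    print("relay for x=8:", sparse.successor(8))
    print("version 1 lands on:", predictive_v1(sparse, 8, 3))
    print("version 2 (landing, relay):", predictive_v2(sparse, 8, 3))
    print("Pr_neighbor, m=32, N=500000:", pr_neighbor(32, 500_000))
    print("picked i with cutoff 0.5:", pick_index(32, 0.5, random.Random(1)))
```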
PAGE 33

CHAPTER 5
SIMULATION RESULTS

We write a Java application to simulate a DHT based anonymous communication system which has 32-bit id space. ($m = 32$) Then we set up 500,000 nodes, ($N = 500{,}000$) and assign a different identifier for each node randomly. Once all nodes join into the DHT, we select 10,000 random sources $src_i$ and corresponding random target keys $x_i$. ($0 \le i < 10000$, $i \in \mathbb{Z}$)

5.1 Simulation for Predictive Lookup

We simulate a traditional lookup method and our new predictive lookup method to see how much our solution improves anonymity. For both methods, we consider the following criteria.

1. The average number of queries (hops) that source nodes send. (= hop count)
2. Range Estimation Success Ratio $f_{RES}$

$$f_{RES} = \begin{cases} 0, & \text{if } N_{range} = 0 \text{ or } x \notin [range] \\ \frac{1}{N_{range}}, & \text{if } x \in [range] \end{cases}$$

where $range$ is the estimated range by the attackers and $N_{range}$ is the number of nodes in the range. $f_{RES} = 1$ means that the attackers exactly find the relay. $f_{RES}$ is zero when they fail to estimate range. $f_{RES} = 0.5$ means that they find two nodes, and one of them shall be the relay. Likewise, $f_{RES} = \frac{1}{3}$ means that they find three nodes, and one of them is certainly the relay. The lower $f_{RES}$ is, the more anonymous it is.

We fix $f_{cutoff} = 0$, and set the ratio of compromised nodes $f$ as a variable. We then simulate traditional lookup and predictive lookup 10,000 times for different $f$.

We first measure how many hops are additionally required for predictive lookup. Figure 5-1 shows that the average hop count of predictive lookup is approximately 25% larger than a traditional lookup. Furthermore, we simulate 1 million nodes which greatly exceed

PAGE 34

Table 5-1. Average hop count of traditional and predictive lookup

N           Average hop count of traditional lookup   Average hop count of predictive lookup
10,000      6.464                                     7.996
20,000      7.048                                     8.769
30,000      7.366                                     8.952
40,000      7.539                                     9.422
50,000      7.734                                     9.501
60,000      7.742                                     9.500
70,000      7.948                                     9.883
80,000      7.992                                     10.045
90,000      8.112                                     10.278
100,000     8.130                                     10.291
...         ...                                       ...
500,000     9.244                                     11.960
...         ...                                       ...
1,000,000   9.908                                     12.952

current Tor users, and we find that predictive lookup requires only 3 more hops which is near-constant.

Figure 5-1. Average hop count of traditional and predictive lookup

When it comes to $f_{RES}$, Table 5-2 and Figure 5-2 show that predictive lookup is approximately 4 times more secure than the original DHT lookup when 20% of nodes are compromised. When it comes to large $f$, the difference becomes more

PAGE 35

Table 5-2. Comparison between traditional and predictive lookup

f      $f_{RES}$ of traditional lookup   $f_{RES}$ of predictive lookup
0      0                                 0
0.05   0.0029                            0.0007
0.10   0.0112                            0.0033
0.15   0.0278                            0.0078
0.20   0.0326                            0.0082
0.25   0.0661                            0.0136
0.30   0.0985                            0.0200
0.35   0.1277                            0.0232
0.40   0.1581                            0.0267
0.45   0.1733                            0.0254
0.50   0.2315                            0.0326
0.55   0.2088                            0.0328
0.60   0.2458                            0.0358
0.65   0.2817                            0.0386
0.70   0.3092                            0.0405
0.75   0.3509                            0.0419
0.80   0.3915                            0.0468
0.85   0.4364                            0.0564
0.90   0.4626                            0.0535
0.95   0.5043                            0.0548

significant up to 10 times. However, using any P2P based anonymous communication solution is not recommended when the portion of compromised nodes is too high.

5.2 Simulation with $f_{cutoff}$

While we analyze the previous simulation results, we note that many queriers attempt to select $x_{alt}$ which is very close to $x$. We set fixed $f = 0.3$ and variable $f_{cutoff}$ ratio at this time. We measure range estimation success ratio $f_{RES}$ for the different $f_{cutoff}$ values. Figure 5-3 shows that range estimation is more likely to fail when $f_{cutoff}$ is large.

However, the attackers may find the $f_{cutoff}$ value if they reverse-engineer onion routing applications. When attackers know the $f_{cutoff}$ value, they can design a new range estimation algorithm to exclude the cut-off range. Figure 5-4 shows that $f_{cutoff}$ should not exceed 0.8 when $f = 0.3$ and an adversary knows $f_{cutoff}$.


Figure 5-2. Comparison between traditional and predictive lookup

Table 5-3. Range estimation success ratio $f_{RES}$ with $f_{cutoff}$

$f_{cutoff}$    $f_{RES}$ when $f_{cutoff}$ is secret    $f_{RES}$ when $f_{cutoff}$ is revealed
0               0.0200                                   0.0200
0.05            0.0140                                   0.0147
0.10            0.0152                                   0.0169
0.15            0.0172                                   0.0202
0.20            0.0152                                   0.0190
0.25            0.0128                                   0.0171
0.30            0.0118                                   0.0169
0.35            0.0148                                   0.0228
0.40            0.0109                                   0.0182
0.45            0.0092                                   0.0167
0.50            0.0089                                   0.0178
0.55            0.0079                                   0.0176
0.60            0.0066                                   0.0165
0.65            0.0073                                   0.0209
0.70            0.0040                                   0.0133
0.75            0.0049                                   0.0196
0.80            0.0040                                   0.0200
0.85            0.0035                                   0.0233
0.90            0.0033                                   0.0330
0.95            0.0017                                   0.0340


Figure 5-3. Range estimation success ratio $f_{RES}$ when $f_{cutoff}$ is secret

Figure 5-4. Range estimation success ratio $f_{RES}$ when $f_{cutoff}$ is revealed
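The range estimation success ratio defined in Section 5.1 and reported in Tables 5-2 and 5-3 can be computed as follows. This is an added example, not the thesis's Java simulator: it scores an attacker's estimated range on the 32-bit identifier ring and averages the score over trials. The closed, wrap-around interval representation, the function names and the sample node ids are assumptions made for the illustration.

```python
import bisect

M = 32                 # id-space width used in the simulation (m = 32)
RING = 1 << M          # identifiers live in [0, 2^32)

def in_ring_range(x, lo, hi):
    """True if x lies in the closed ring interval [lo, hi]; lo > hi means it wraps past 0."""
    if lo <= hi:
        return lo <= x <= hi
    return x >= lo or x <= hi

def nodes_in_range(sorted_ids, lo, hi):
    """N_range: number of node identifiers inside [lo, hi], found by binary search."""
    if lo <= hi:
        return bisect.bisect_right(sorted_ids, hi) - bisect.bisect_left(sorted_ids, lo)
    upper = len(sorted_ids) - bisect.bisect_left(sorted_ids, lo)   # part in [lo, 2^m)
    lower = bisect.bisect_right(sorted_ids, hi)                    # part in [0, hi]
    return upper + lower

def f_res(sorted_ids, estimate, x):
    """Score one lookup. estimate is (lo, hi), or None when no range could be estimated."""
    if estimate is None:
        return 0.0
    lo, hi = estimate
    n_range = nodes_in_range(sorted_ids, lo, hi)
    if n_range == 0 or not in_ring_range(x, lo, hi):
        return 0.0
    return 1.0 / n_range

def mean_f_res(sorted_ids, trials):
    """Average f_RES over (estimate, x) pairs, as each table cell averages many lookups."""
    return sum(f_res(sorted_ids, est, x) for est, x in trials) / len(trials)

# Constructed sample: five node ids on the 32-bit ring, one of them just before the wrap point.
NODES = sorted([10, 20, 30, 40, RING - 6])
TRIALS = [
    ((15, 35), 25),          # range holds 2 nodes and contains x  -> 1/2
    ((15, 35), 50),          # x outside the estimated range       -> 0
    ((RING - 16, 12), 5),    # wrapping range, 2 nodes, contains x -> 1/2
    ((21, 29), 25),          # no node in range (N_range = 0)      -> 0
    (None, 25),              # attackers failed to estimate        -> 0
    ((18, 22), 20),          # exactly one node in range           -> 1
]

if __name__ == "__main__":
    print(mean_f_res(NODES, TRIALS))
```

A defender evaluating a lookup scheme wants this average to stay low as the compromised fraction grows; a single trial scoring 1 means the relay was pinpointed.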


CHAPTER 6
CONCLUSIONS AND FUTURE RESEARCH

6.1 Conclusions

In this paper, we proposed a new anonymous communication system based on P2P architecture. In particular, we focused on Chord-like DHTs, and we presented predictive lookup. The new lookup mechanism is designed to protect anonymity without relying on any trusted parties, which usually become easy targets of active attacks. Our solution suppresses the possibility of range estimation by passive attackers. We have also dealt with side effects of our solution, and suggested prediction table cutoff to reduce the risk of accidental deanonymization. Moreover, shuffling and concurrent querying obfuscate a large group of timing attackers while locating multiple relays. We run simulations to assess our solution in a practical environment, and the simulations show that when 30% of nodes are occupied by an adversary, the anonymity increases up to 5 times by sacrificing only tiny additional latency during circuit initialization. This shows that our solution is not only secure, but also very practical.

6.2 Future Research

Although this thesis discovers a new anonymous communication solution, more research is still necessary in this field. None of the P2P-based solutions guarantees perfect anonymity yet. Interesting research issues will arise when we jointly consider other aspects of networking such as QoS/resource management/distributed computing [28-36], DDoS attacks [37, 38], wireless clients [39], etc. We believe this area is still immature, so enthusiastic researchers may consider jumping into this field.

The compatibility with Tor is another important issue. Since Tor is a dominant anonymous communication application, many people are considering using Tor only. Without absorbing the Tor users, any other solution may not replace Tor even if it provides better anonymity or scalability.


We focused on passive attacks in this thesis, but we also need precise analysis against active attacks. As different solutions may introduce different types of attacks, a new vulnerability can always be discovered, and our solution needs to be analyzed and tested more.

Finally, the types of identity leakage shown in Section 4.2 could be more precisely classified. Each class may have hidden sub-classes which may have different vulnerabilities, and this is another interesting issue specific to our solution.


REFERENCES

[1] R. Dingledine, N. Mathewson, and P. Syverson, "Tor: the second-generation onion router," in Proceedings of the 13th conference on USENIX Security Symposium - Volume 13, ser. SSYM'04. Berkeley, CA, USA: USENIX Association, 2004, pp. 21.
[2] S. Hahn and K. Loesing, "Privacy-preserving ways to estimate the number of tor users," Tor Project, Tech. Rep., 2010, https://metrics.torproject.org/papers/countingusers-2010-11-30.pdf.
[3] D. Goodin, "Tor at heart of embassy passwords leak," The Register, September 2007.
[4] J. McLachlan, A. Tran, N. Hopper, and Y. Kim, "Scalable onion routing with torsk," in Proceedings of the 16th ACM conference on Computer and communications security, ser. CCS'09. New York, NY, USA: ACM, 2009, pp. 590.
[5] M. J. Freedman and R. Morris, "Tarzan: a peer-to-peer anonymizing network layer," in Proceedings of the 9th ACM conference on Computer and communications security, ser. CCS'02. New York, NY, USA: ACM, 2002, pp. 193.
[6] A. Nambiar and M. Wright, "Salsa: a structured approach to large-scale anonymity," in Proceedings of the 13th ACM conference on Computer and communications security, ser. CCS'06. New York, NY, USA: ACM, 2006, pp. 17.
[7] A. Mislove, G. Oberoi, A. Post, C. Reis, P. Druschel, and D. S. Wallach, "Ap3: cooperative, decentralized anonymous communication," in Proceedings of the 11th workshop on ACM SIGOPS European workshop, ser. EW11. New York, NY, USA: ACM, 2004.
[8] A. Panchenko, S. Richter, and A. Rache, "Nisan: network information service for anonymization networks," in Proceedings of the 16th ACM conference on Computer and communications security, ser. CCS'09. New York, NY, USA: ACM, 2009, pp. 141.
[9] P. Mittal and N. Borisov, "Shadowwalker: peer-to-peer anonymous communication using redundant structured topologies," in Proceedings of the 16th ACM conference on Computer and communications security, ser. CCS'09. New York, NY, USA: ACM, 2009, pp. 161.
[10] P. Mittal and N. Borisov, "Information leaks in structured peer-to-peer anonymous communication systems," in Proceedings of the 15th ACM conference on Computer and communications security, ser. CCS'08. New York, NY, USA: ACM, 2008, pp. 267.
[11] Q. Wang, P. Mittal, and N. Borisov, "In search of an anonymous and secure lookup: attacks on structured peer-to-peer anonymous communication systems," in Proceedings of the 17th ACM conference on Computer and communications security, ser. CCS'10. New York, NY, USA: ACM, 2010, pp. 308.
[12] I. Stoica, R. Morris, D. Karger, M. F. Kaashoek, and H. Balakrishnan, "Chord: A scalable peer-to-peer lookup service for internet applications," SIGCOMM Comput. Commun. Rev., vol. 31, pp. 149, August 2001.
[13] B. N. Levine, M. K. Reiter, C. Wang, and M. K. Wright, "Timing attacks in low-latency mix-based systems," in Proceedings of Financial Cryptography (FC'04), A. Juels, Ed., Springer-Verlag, LNCS 3110, February 2004, p. 251.
[14] V. Shmatikov and M.-H. Wang, "Timing analysis in low-latency mix networks: attacks and defenses," in Proceedings of ESORICS, 2006, pp. 18.
[15] P. Syverson, G. Tsudik, M. Reed, and C. Landwehr, "Towards an analysis of onion routing security," in International Workshop On Designing Privacy Enhancing Technologies: Design Issues In Anonymity and Unobservability. Springer-Verlag New York, Inc., 2001, pp. 96.
[16] Y. Zhu, X. Fu, B. Graham, R. Bettati, and W. Zhao, "On flow correlation attacks and countermeasures in mix networks," in Proceedings of Privacy Enhancing Technologies workshop, 2004, pp. 26.
[17] G. Danezis, R. Dingledine, and N. Mathewson, "Mixminion: design of a type iii anonymous remailer protocol," in Security and Privacy, 2003. Proceedings. 2003 Symposium on, May 2003, pp. 215.
[18] U. Moeller, L. Cottrell, P. Palfrader, and L. Sassaman, "Mixmaster protocol version 2," IETF Internet Draft, 2005.
[19] M. G. Reed, P. F. Syverson, and D. M. Goldschlag, "Anonymous connections and onion routing," Selected Areas in Communications, IEEE Journal on, vol. 16, no. 4, pp. 482, May 1998.
[20] R. Dingledine and N. Mathewson, "Anonymity loves company: Usability and the network effect," in Proceedings of the Fifth Workshop on the Economics of Information Security, ser. WEIS'06, 2006.
[21] Z. Zhang, S. Chen, and M. Yoon, "MARCH: A Distributed Incentive Scheme for Peer-to-peer Networks," in Proc. of IEEE INFOCOM. IEEE, 2007, pp. 1091.
[22] Z. Zhang, S. Chen, Y. Ling, and R. Chow, "Capacity-aware Multicast Algorithms on Heterogeneous Overlay Networks," IEEE Transactions on Parallel and Distributed Systems, vol. 17, no. 2, pp. 135, 2006.
[23] S. Chen, B. Shi, S. Chen, and Y. Xia, "Acom: Any-source Capacity-constrained Overlay Multicast in non-DHT P2P Networks," IEEE Transactions on Parallel and Distributed Systems, vol. 18, no. 9, pp. 1188, 2007.


[24] A. I. T. Rowstron and P. Druschel, "Pastry: Scalable, decentralized object location, and routing for large-scale peer-to-peer systems," in Proceedings of the IFIP/ACM International Conference on Distributed Systems Platforms Heidelberg, ser. Middleware'01. London, UK: Springer-Verlag, 2001, pp. 329.
[25] S. Ratnasamy, P. Francis, M. Handley, R. Karp, and S. Shenker, "A scalable content-addressable network," SIGCOMM Comput. Commun. Rev., vol. 31, pp. 161, August 2001.
[26] B. Y. Zhao, L. Huang, J. Stribling, S. C. Rhea, A. D. Joseph, and J. D. Kubiatowicz, "Tapestry: A resilient global-scale overlay for service deployment," IEEE Journal on Selected Areas in Communications, vol. 22, pp. 41, 2004.
[27] P. Maymounkov and D. Mazieres, "Kademlia: A peer-to-peer information system based on the xor metric," in Revised Papers from the First International Workshop on Peer-to-Peer Systems, ser. IPTPS'01. London, UK: Springer-Verlag, 2002, pp. 53.
[28] Y. Tang, S. Chen, and Y. Ling, "State Aggregation of Large Network Domains," Computer communications, vol. 30, no. 4, pp. 873, 2007.
[29] R. A. Guerin and A. Orda, "QoS routing in networks with inaccurate information: theory and algorithms," IEEE/ACM Transactions on Networking (TON), vol. 7, no. 3, pp. 350, 1999.
[30] S. Chen and K. Nahrstedt, "Maxmin Fair Routing in Connection-oriented Networks," Proc. Euro-Parallel and Distributed Systems Conf, pp. 163, 1998.
[31] K. Lui, K. Nahrstedt, and S. Chen, "Hierarchical QoS Routing in Delay-bandwidth Sensitive Networks," in Proc. of 25th Annual IEEE Conference on Local Computer Networks. IEEE, 2000, pp. 579.
[32] Z. Wang and J. Crowcroft, "Quality-of-service routing for supporting multimedia applications," IEEE Journal on Selected Areas in Communications, vol. 14, no. 7, pp. 1228, 1996.
[33] S. Chen, M. Song, and S. Sahni, "Two Techniques for Fast Computation of Constrained Shortest Paths," IEEE/ACM Transactions on Networking, vol. 16, no. 1, pp. 105, 2008.
[34] S. Bhatnagar and B. Nath, "Distributed Admission Control to Support Guaranteed Services in Core-stateless Networks," Proc. of IEEE INFOCOM, 2003.
[35] S. Chen and Y. Shavitt, "SoMR: A Scalable Distributed QoS Multicast Routing Protocol," Journal of Parallel and Distributed Computing, vol. 68, no. 2, pp. 137, 2008.
[36] S. Chen, Y. Deng, P. Attie, and W. Sun, "Optimal Deadlock Detection in Distributed Systems based on Locally Constructed Wait-for Graphs," in Proc. of the 16th International Conference on Distributed Computing Systems. IEEE, 1996, pp. 613.
[37] K. Park and H. Lee, "On the Effectiveness of Route-Based Packet Filtering for Distributed DoS Attack Prevention in Power-Law Internets," Proc. of ACM SIGCOMM'2001, August 2001.
[38] S. Chen, Y. Tang, and W. Du, "Stateful DDoS Attacks and Targeted Filtering," Journal of network and computer applications, vol. 30, no. 3, pp. 823, 2007.
[39] Y. Jian and S. Chen, "Can CSMA/CA Networks Be Made Fair?" in Proc. of the 14th ACM international conference on Mobile computing and networking. ACM, 2008, pp. 235.


BIOGRAPHICAL SKETCH

Yangbae Park was born in Busan, South Korea in 1982. He received his Bachelor of Engineering degree in computer engineering at Ajou University in 2004. Upon graduation, he worked at the Third Logistics Support Command in the Republic of Korea Army as a military officer, serving three years. In 2009, he participated in the development of hardware testing algorithm and platform at EAST Laboratory. Since 2010, he has been studying computer engineering at the University of Florida, and he has particularly worked on anonymous communication with his advisor, Dr. Shigang Chen.