Algorithmic Aspects in Information and Management
Volume 4041 of the series Lecture Notes in Computer Science pp 354-366
Secure Overlay Network Design
- Li (Erran) Li, Bell Laboratories
- Mohammad Mahdian, Microsoft Research
- Vahab S. Mirrokni, MIT Computer Science and Artificial Intelligence Lab
Abstract
Due to the increasing security threats in the Internet, new overlay network architectures have been proposed to secure privileged services. In these architectures, the application servers are protected by a defense perimeter through which only traffic from entities called servelets is allowed to pass. End users must be authorized and can only communicate with entities called access points (APs). APs relay authorized users' requests to servelets, which in turn pass them to the servers. The identities of the APs are publicly known, while the servelets are typically secret. All communication is done through the public Internet; thus all the entities involved form an overlay network. The main component of this distributed system consists of n APs and m servelets. A design for a network is a bipartite graph with the APs on one side and the servelets on the other. If an AP is compromised by an attacker, all the servelets connected to it are subject to attack. An AP is blocked if all servelets connected to it are subject to attack. We consider two models for the failures. In the average-case model, we assume that each AP i fails with a given probability p_i. In the worst-case model, we assume that there is an adversary that, knowing the topology of the network, chooses at most k APs to compromise. In both models, our objective is to design the connections between APs and servelets so as to minimize the (expected/worst-case) number of blocked APs. In this paper, we give a polynomial-time algorithm for this problem in the average-case model when the number of servelets is a constant. We also show that if the probability of failure of each AP is at least 1/2, then in the optimal design each AP is connected to only one servelet (we call such designs star-shaped), and give a polynomial-time algorithm to find the best star-shaped design. We observe that this statement is not true if the failure probabilities are small.
In the worst-case model, we show that the problem is related to a problem in combinatorial set theory, and use this connection to give bounds on the maximum number of APs that a perfectly failure-resistant design with a given number of servelets can support. Our results provide the first rigorous theoretical foundation for practical secure overlay network design.
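As an added illustration that is not part of the paper, the following Python code evaluates the average-case objective exactly for two constructed designs: a star-shaped design (each AP attached to one servelet) and a design in which every AP uses a distinct pair of servelets, so that no AP's servelet set contains another's. The function names, the choice of m = 4 servelets and n = 6 APs, and the uniform failure probabilities are assumptions made for the example; the result reproduces the abstract's observation that a star-shaped design wins at p = 0.6 but not at p = 0.1.

```python
from itertools import combinations, product

# A design is a list indexed by AP; entry i is the set of servelets AP i connects to.

def blocked_aps(design, failed):
    """Set of blocked APs given the set of compromised APs.
    A servelet is subject to attack once any AP connected to it is compromised;
    an AP is blocked when every servelet it connects to is subject to attack."""
    attacked = set()
    for ap in failed:
        attacked |= design[ap]
    return {ap for ap, servelets in enumerate(design) if servelets <= attacked}

def expected_blocked(design, probs):
    """Exact expected number of blocked APs in the average-case model, obtained by
    enumerating all 2^n independent failure patterns (fine for small n)."""
    n = len(design)
    total = 0.0
    for pattern in product((False, True), repeat=n):
        weight = 1.0
        for ap, has_failed in enumerate(pattern):
            weight *= probs[ap] if has_failed else 1.0 - probs[ap]
        failed = {ap for ap, has_failed in enumerate(pattern) if has_failed}
        total += weight * len(blocked_aps(design, failed))
    return total

def star_design(n, m):
    """Star-shaped design (assumed layout): AP i is attached to servelet i mod m,
    spreading the n APs as evenly as possible over the m servelets."""
    return [frozenset({i % m}) for i in range(n)]

def pair_design(m):
    """Each AP uses a distinct pair of servelets, giving n = C(m, 2) APs. No AP's
    servelet set contains another's, so a single compromise blocks only that AP."""
    return [frozenset(pair) for pair in combinations(range(m), 2)]

def compare(m, p):
    """(star, pairs) expected blocked-AP counts for uniform failure probability p."""
    pairs = pair_design(m)
    n = len(pairs)
    return expected_blocked(star_design(n, m), [p] * n), expected_blocked(pairs, [p] * n)

if __name__ == "__main__":
    for p in (0.1, 0.6):
        star, pairs = compare(4, p)
        print(f"p={p}: star {star:.4f}  pairs {pairs:.4f}")
```

With m = 4 and n = 6 the star design yields 10p - 4p^2 expected blocked APs and the pair design 6(p + (1 - p)(1 - (1 - p)^2)^2), which the enumeration confirms.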
Keywords
network design, network security, optimization, combinatorics
- Title
- Secure Overlay Network Design
- Book Title
- Algorithmic Aspects in Information and Management
- Book Subtitle
- Second International Conference, AAIM 2006, Hong Kong, China, June 20-22, 2006. Proceedings
- Pages
- pp 354-366
- Copyright
- 2006
- DOI
- 10.1007/11775096_33
- Print ISBN
- 978-3-540-35157-3
- Online ISBN
- 978-3-540-35158-0
- Series Title
- Lecture Notes in Computer Science
- Series Volume
- 4041
- Series ISSN
- 0302-9743
- Publisher
- Springer Berlin Heidelberg
- Copyright Holder
- Springer-Verlag Berlin Heidelberg
- Editors
- Siu-Wing Cheng, Department of Computer Science, Hong Kong University of Science and Technology, Clear Water Bay, Hong Kong
- Chung Keung Poon, Department of Computer Science