Secure Overlay Network Design
Published in | Algorithmic Aspects in Information and Management, pp. 354-366 |
---|---|
Main Authors | Li, Li (Erran); Mahdian, Mohammad; Mirrokni, Vahab S. |
Format | Book Chapter |
Language | English |
Published | Berlin, Heidelberg: Springer Berlin Heidelberg, 2006 |
Series | Lecture Notes in Computer Science |
Subjects | combinatorics; network design; network security; optimization |
Online Access | http://link.springer.com/10.1007/11775096_33 |
ISBN | 3540351574 9783540351573 |
ISSN | 0302-9743 1611-3349 |
DOI | 10.1007/11775096_33 |
Abstract | Due to the increasing security threats in the Internet, new overlay network architectures have been proposed to secure privileged services. In these architectures, the application servers are protected by a defense perimeter through which only traffic from entities called servelets is allowed to pass. End users must be authorized and can only communicate with entities called access points (APs). APs relay authorized users' requests to servelets, which in turn pass them to the servers. The identities of the APs are publicly known, while the servelets are typically secret. All communication is done through the public Internet; thus all the entities involved form an overlay network. The main component of this distributed system consists of n APs and m servelets. A design for a network is a bipartite graph with the APs on one side and the servelets on the other. If an AP is compromised by an attacker, all the servelets connected to it are subject to attack. An AP is blocked if all servelets connected to it are subject to attack. We consider two models for the failures. In the average-case model, we assume that each AP i fails with a given probability p_i. In the worst-case model, we assume that there is an adversary that, knowing the topology of the network, chooses at most k APs to compromise. In both models, our objective is to design the connections between APs and servelets so as to minimize the (expected or worst-case) number of blocked APs. In this paper, we give a polynomial-time algorithm for this problem in the average-case model when the number of servelets is a constant. We also show that if the probability of failure of each AP is at least 1/2, then in the optimal design each AP is connected to only one servelet (we call such designs star-shaped), and we give a polynomial-time algorithm to find the best star-shaped design. We observe that this statement is not true if the failure probabilities are small.
In the worst-case model, we show that the problem is related to a problem in combinatorial set theory, and we use this connection to give bounds on the maximum number of APs that a perfectly failure-resistant design with a given number of servelets can support. Our results provide the first rigorous theoretical foundation for practical secure overlay network design. |
---|---|
Author | Li, Li (Erran); Mahdian, Mohammad; Mirrokni, Vahab S. |
Author affiliations | Li: Bell Laboratories; Mahdian: Microsoft Research; Mirrokni: MIT Computer Science and Artificial Intelligence Lab |
Copyright | Springer-Verlag Berlin Heidelberg 2006 |
Discipline | Computer Science |
EISBN | 9783540351580 3540351582 |
Editor | Cheng, Siu-Wing; Poon, Chung Keung |
PageCount | 13 |
PublicationSubtitle | Second International Conference, AAIM 2006, Hong Kong, China, June 20-22, 2006. Proceedings |
SubjectTerms | combinatorics; network design; network security; optimization |
URI | http://link.springer.com/10.1007/11775096_33 |