Current Projects:

Network Abstraction

Network management is still a daunting task today, partly because no
general and usable abstraction of the network has been proposed.
Currently, people either look at the static configuration data alone
or probe the network in real time without considering the underlying
configuration. We take the approach of abstracting the network by
considering both the configuration of the network devices and the
real-time running status measured from the network. We use a DFA
model to build a holistic view of each network component, namely an
interface that connects either to a customer site or to another
internal router. Each state carries an abstracted configuration,
which describes how the interface is supposed to work, together with
the real-time measured status, which shows how the interface is
actually running. A transition between states is either a
configuration modification that changes the configuration abstraction
or a change in running status revealed by real-time measurement. We
plan to build a reasoning platform on top of this model so that we can
reason about the states across the whole network and assist network
operators in making configuration management decisions.
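A small model of the per-interface DFA described above, written as an added example for this page (not the group's own code): a state pairs the abstracted configuration with the measured status, events of either kind drive transitions, and a check flags states where intent and reality disagree. The state fields, event kinds and the mismatch rules are assumptions.

```python
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple

# Hypothetical model: one DFA per interface. A state is the abstracted
# configuration (what the interface should do) plus the measured status
# (what it is actually doing). Field names and values are assumptions.
@dataclass(frozen=True)
class InterfaceState:
    role: str      # configured role: "customer" or "internal"
    admin: str     # configured administrative state: "up" or "down"
    measured: str  # measured status: "forwarding", "silent" or "flapping"

# An event is (kind, value); the kind selects which part of the state changes.
Event = Tuple[str, str]
FIELD_OF = {"config_role": "role", "config_admin": "admin", "measure": "measured"}

def transition(state: InterfaceState, event: Event) -> InterfaceState:
    """Apply a configuration change or a measurement to get the next state."""
    kind, value = event
    if kind not in FIELD_OF:
        raise ValueError(f"unknown event kind {kind!r}")
    return replace(state, **{FIELD_OF[kind]: value})

def inconsistency(state: InterfaceState) -> Optional[str]:
    """Reason about one state: does measured reality contradict configured intent?"""
    if state.admin == "down" and state.measured == "forwarding":
        return "traffic on an administratively down interface"
    if state.admin == "up" and state.measured == "silent":
        return "configured up but carrying no traffic"
    if state.measured == "flapping":
        return "link is flapping"
    return None

def replay(initial: InterfaceState, events: List[Event]):
    """Walk the DFA over an event sequence; return the final state and flagged steps."""
    state, flagged = initial, []
    for i, event in enumerate(events):
        state = transition(state, event)
        reason = inconsistency(state)
        if reason:
            flagged.append((i, reason))
    return state, flagged

def network_report(interfaces: Dict[str, InterfaceState]) -> Dict[str, str]:
    """Network-wide view: interface id (e.g. "r1:ge-0/0/1") -> inconsistency found."""
    report = {}
    for name, state in interfaces.items():
        reason = inconsistency(state)
        if reason:
            report[name] = reason
    return report
```

Replaying a constructed sequence such as shutting a port, seeing it go silent, then re-enabling it flags the steps where the interface's running status contradicts its configuration.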

Interaction between Routing Plane and Forwarding Plane

Routing dynamics heavily influence Internet data plane performance. Existing studies focused narrowly on a few destinations and did not consider whether the impact of routing changes on performance metrics such as reachability is predictable. To characterize many diverse routing changes comprehensively, we developed an efficient and novel measurement framework deployed at each vantage point with access to real-time BGP routing updates. Lightweight probing is triggered by locally observed routing updates; the probing target is an identified live IP address within the prefix associated with the routing change. We found that the data plane experienced serious performance degradation, in the form of reachability loss and forwarding loops, following a significant fraction of updates affecting many destination prefixes and networks across all vantage points studied.
In a related study, we characterized how the delay and jitter of the stable network path after a routing event has converged differ from the delay performance prior to the routing change. We also analyzed the predictability of the delay and jitter changes caused by routing events and identified network and route properties that lead to predictable delay and jitter fluctuations.
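An added illustration of the update-triggered probing loop described above (example code, not the group's framework): each locally observed BGP update selects a known-live address inside the affected prefix, a probe is issued, and the hop sequence is classified as reachable, a forwarding loop (a router answers more than once), or reachability loss. The update format, the probe callback and the sample probe answers are constructed assumptions.

```python
import ipaddress
from collections import Counter
from typing import Callable, Dict, List, Optional, Tuple

# A probe result is the ordered list of hop addresses; None marks a hop
# that did not answer. The probe callback stands in for a real traceroute.
Hops = List[Optional[str]]

def choose_target(prefix: str, live_hosts: List[str]) -> Optional[str]:
    """Pick a known-live address inside the prefix named by a routing update."""
    net = ipaddress.ip_network(prefix, strict=False)
    for host in live_hosts:
        if ipaddress.ip_address(host) in net:
            return host
    return None

def classify(target: str, hops: Hops) -> str:
    """Label one probe: 'reachable', 'loop' (a hop repeats) or 'unreachable'."""
    if target in hops:
        return "reachable"
    answered = [h for h in hops if h is not None]
    if len(answered) != len(set(answered)):
        return "loop"          # the same router answered twice: packets are cycling
    return "unreachable"       # never reached the target and no cycle seen

def process_updates(updates: List[Tuple[str, str]], live_hosts: List[str],
                    probe: Callable[[str], Hops]) -> Tuple[Counter, Dict[str, str]]:
    """Trigger one probe per update and summarise data-plane outcomes per prefix."""
    summary, per_prefix = Counter(), {}
    for kind, prefix in updates:          # kind is "announce" or "withdraw"
        target = choose_target(prefix, live_hosts)
        if target is None:
            summary["no_live_target"] += 1  # nothing to probe for this prefix
            continue
        label = classify(target, probe(target))
        summary[label] += 1
        per_prefix[prefix] = label
    return summary, per_prefix

# Constructed sample: three updates and canned probe answers (not real data).
SAMPLE_UPDATES = [("announce", "192.0.2.0/24"), ("withdraw", "198.51.100.0/24"),
                  ("announce", "203.0.113.0/24")]
SAMPLE_LIVE = ["192.0.2.10", "198.51.100.7"]
SAMPLE_PROBES = {
    "192.0.2.10": ["10.0.0.1", "10.0.1.1", "10.0.2.1", "192.0.2.10"],   # reachable
    "198.51.100.7": ["10.0.0.1", "10.0.3.1", "10.0.4.1", "10.0.3.1", "10.0.4.1"],  # loop
}

def run_sample():
    return process_updates(SAMPLE_UPDATES, SAMPLE_LIVE, lambda t: SAMPLE_PROBES[t])
```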

Routing Security

The Internet originated from a research network in which network entities were assumed to be well-behaved. The original Internet design addresses physical failures well, but fails to address problems resulting from misbehavior and misconfiguration. Routers can misbehave due to misconfiguration, impacting network reachability. Today, the Internet has no robust defense mechanisms against misbehaving routers, leaving the routing infrastructure largely unprotected. As a first step towards defending against malicious or unintended routing misbehavior, we developed an easily deployable protection mechanism that prevents a router's local routing information from being polluted and its forwarding decisions from being adversely impacted.

The Border Gateway Protocol (BGP), the de facto standard Internet interdomain routing protocol, uses TCP as its transport protocol. A fundamental flaw of the routing protocols deployed today is that there is usually no protection, in the form of priorities in the use of router resources, for control plane packets. Thus, any attack that exploits this lack of isolation and affects TCP can negatively affect the functioning of BGP. We study how the recently identified low-rate TCP-targeted DoS attacks disrupt interdomain routing on today's Internet. We are the first to systematically examine the impact of this type of attack on interdomain routing, and we found that the impact can be quite severe.

Malware Analysis

Many threats that plague today's networks (e.g., phishing, botnets, denial of service attacks) are enabled by a complex ecosystem of attack programs commonly called malware. To combat these threats, defenders of these networks have turned to the collection, analysis, and reverse engineering of malware as mechanisms to understand these programs, generate signatures, and facilitate cleanup of infected hosts. Recently, however, new malware instances have emerged with the capability to check for and often thwart these defensive activities, essentially leaving defenders blind to their activities. To combat this emerging threat, we have undertaken a robust analysis of current malware and developed a detailed taxonomy of malware defender fingerprinting methods, covering which layer of the OS each technique targets, how difficult each technique is to implement, and how difficult it is to thwart, whether by hiding or by imitating the fingerprint. To demonstrate the utility of this taxonomy, we made three major contributions. First, we executed 6900 real malware executable samples, characterizing the prevalence of these avoidance methods. We found that over 40% of distinct malware samples exhibit less malicious behavior under monitoring environments. Further correlation shows that such malware can be as prevalent as 90% across the Internet. Second, we developed a novel fingerprinting method, which could potentially assist malware propagation, that exploits only the clock skew information revealed in network packets. This is the first technique that can detect monitoring systems without having access to them. We also developed methods to erase such fingerprints. Finally, we created an effective new technique to protect production systems: installing lightweight imitated fingerprints on production systems makes them look like monitoring systems to malware and thus deters it from exhibiting malicious behavior.


© 2007-2008 RobustNet Research Group, University of Michigan, Ann Arbor, MI