Establishing a new internet security protocol

Researchers experiment with enforceable Internet routing policies.

On March 12, 2013, for the first time in history, representatives of the US intelligence community testifying to the Senate Intelligence Committee ranked the risk of cyber-attacks and cyber-espionage higher than worries about terrorism, transnational organized crime and proliferation of weapons of mass destruction. Online espionage, national security breaches, and sabotage are becoming more prominent and dangerous to countries around the world. Organizations and businesses are also increasingly contending with denial-of-service attacks that leave users unable to reach their sites. Viruses and malware continue to hinder user experiences on the Web. Leaders in industry, government and academia are calling for new solutions to alleviate these escalating concerns. The National Science Foundation’s (NSF) Future Internet Architecture (FIA) program funded select few multi-institutional teams to explore new Internet designs without the constraints imposed by its current outdated architecture.

Dr. Nicolosi with Graduate Student John Scire

Dr. Nicolosi and Grad. Student John Scire

Dr. Antonio Nicolosi, expert cryptographer and Assistant Professor of Computer Science at Stevens Institute of Technology, has spent two years re-engineering the Internet Protocol (IP) with David Mazières of Stanford University, Michael Miller and Michael Walfish of the University of Texas Austin, and Jad Naous of the Massachussets Institute of Technology. They have been coordinating their efforts with researchers at the University of Pennsylvania, Cornell University, Princeton University, Purdue University, Stanford University, the University of California, Berkeley, the University of Delaware, the University of Illinois at Urbana-Champaign, and the University of Washington as part of a larger initiative to envisage unrestricted innovations to the Internet.

"Corporations spend billions of dollars annually to prevent cyber-attacks, and estimates for the direct and indirect costs of cybercrime range in the hundreds of billions of dollars,” says Dr. Michael Bruno, Dean of the Charles V. Schaefer, Jr. School of Engineering and Science at Stevens. "This pioneering, multi-institutional collaboration establishes a new security paradigm that has the potential to alleviate the financial costs of cyber-crime.”

As its name suggests, the Internet is an interconnection of hundreds of thousands of autonomous networks.  For users to be able to reach every site, these networks must exchange information about their interconnections---what is known as their “routing policies.” Dr. Nicolosi and colleagues have examined the way that information about interconnections propagates online and believe they can fundamentally alter data transmission to create promising advances in security while retaining a reasonable level of privacy.  The team recognized that there has been considerable research into methods of expressing a routing policy, but not on the ability to enforce that policy. The team has therefore developed a system with the potential to build accountability into the infrastructure of the Internet by allowing users to make certain that a data packet followed an approved path. The prototype system that realizes this advancement is an alternative to the IP Protocol called ICING. He says, “Currently when a machine sends data, there is no guarantee that it will take an agreed path. ICING allows for considerations that go beyond taking the shortest path, like provisioning of a certain network service or avoidance of a certain network region.” This potentially creates a new level of authentication and a higher standard of security for individuals and enterprises on the Internet.

Dr. Nicolosi has also been working with Stevens graduate students Zakir Akram, Walter Krawec, and John Scire. According to John, “As you can see from the news reports every day, more and more companies are being hacked, so we have to start rethinking some of the things we take for granted on the Web. It’s exciting to be a part of this project because it creates so many advantages for users, like providing more peace of mind by routing through an antivirus, or building in accountability to help thwart cyber-attacks. It’s great to work with Dr. Nicolosi because he gives us the chance to make meaningful contributions to this research, and it is work that has immense implications.” John plans to continue working on improving cybersecurity after earning his PhD, expressing a desire to work at a government agency or private sector security firm. John adds, “The idea of working in cybersecurity at the CIA or NSA helping to prevent cyber-attacks on our countryis a great motivating factor---that would be so interesting and fulfilling.”

The Internet currently uses a simple delivery method in which a sender puts a destination address on a data packet and launches it into the network. The sender, receiver, and even the network operators have little control over the path it takes. On the other hand, ICING makes it possible, for instance, for the receiver to mandate that data sent to her pass through a machine that cleans suspect data or routes data around providers and countries from which malicious data has originated in the past.  Corporate enterprises gain the ability to ensure that all traffic is routed through a gateway machine dedicated to blocking viruses and other malicious data packets thus simplifying the process for maintenance and updates to one machine instead of hundreds.

Dr. Nicolosi and colleagues are also investigating whether the technology can serve as a line of defense against denial-of-service attacks (DDoS). These attacks generally work by saturating the target machine with requests until it fails to respond to legitimate traffic. Nodes on the Internet are currently “default-on,” meaning that users generally accept any request. ICING, on the other hand, is “default-off” except for a bootstrapping level that accepts data to grant permission for external requests. The team is exploring whether this structure can provide robust protection against DDoS.

A further added benefit of the technology is the ability to specify multiple data paths, thus creating a new layer of redundancy and reliability in addition to security. This has implications for seamlessly streaming music or video seamlessly across different network services. Currently, users of mobile phones with both Wi-Fi and GSM capabilities have two separate addresses in the same device that correspond to the type of network service. Thus, if a user streaming over Wi-Fi wanders out of range, and their device switches to a GSM data plan, it disconnects from Wi-Fi and establishes a new GSM connection. Using multiple paths with ICING allows for a seamless transition. As long as one of the services is still working, the device would be able to switch without any service interruptions.

"Dr. Nicolosi’s role in this critical research is indicative of the level of his expertise in cryptography and information assurance," says Dr. Dan Duchamp, Department Director for Computer Science at Stevens. “This project represents a tremendous advance toward a safer Internet for individuals, businesses, network operators and governments.”

An early presentation of the research at ACM CoNEXT raised a question about the implications of the project on privacy and anonymity. Knowledge of the path a packet took to reach a destination also points to the identity of the sender. According to Dr. Nicolosi, “We are trying to strike a very fine balance with regards to privacy concerns. While we are shifting the default from relative anonymity to accountability, users still have the option to employ software that maintains anonymity.”

Stevens Institute of Technology is designated a National Center of Academic Excellence in Information Assurance Research and a National Center of Academic Excellence in Information Assurance Education. These federal designations recognize the institute’s outstanding efforts in reducing the vulnerability of our national information infrastructure through research and student instruction. The Center for the Advancement of Secure Systems and Information Assurance (CASSIA) coordinates these efforts at Stevens and manages government scholarship and grant programs made possible by the designations.

Interested in learning more and finding out how you can participate in transformative research? Visit our Computer Science Department and check out the offices of Undergraduate and Graduate Admissions to enroll.