Computer Science Speaking Skills Talk

— 5:00pm

Location:
In Person and Virtual - ET - Gates Hillman 8102 and Zoom

Speaker:
NIRAV ATRE, Ph.D. Student
Computer Science Department
Carnegie Mellon University

https://www.cs.cmu.edu/~natre/

SurgeProtector: Mitigating Temporal Algorithmic Complexity Attacks using Adversarial Scheduling

Algorithmic complexity attacks (ACAs) are a class of denial-of-service (DoS) attacks where an attacker uses a small amount of adversarial traffic to induce a large amount of work in the target system, pushing the system into overload and causing it to drop packets from innocent users. ACAs are particularly dangerous because, unlike volumetric DoS attacks, ACAs don't require a significant network bandwidth investment from the attacker. Today, network functions (NFs) on the Internet must be painstakingly designed and engineered on a case-by-case basis to mitigate the debilitating impact of ACAs. Further, the resulting designs tend to be overly conservative in their attack mitigation strategy, limiting the innocent traffic that the NF can serve under common-case operation. In this talk, I will describe SurgeProtector, a general framework we designed to make any NF more resilient to ACAs without the limitations of prior approaches. SurgeProtector uses the NF's scheduler to mitigate the impact of ACAs using a very traditional scheduling algorithm: weighted-shortest-job-first (WSJF). To evaluate SurgeProtector, we propose a new metric of ACA vulnerability called the Displacement Factor (DF), which quantifies the "harm per unit effort" which an adversary can inflict on the system. We provide novel, adversarial analysis of WSJF and show that any system using this policy has a worst-case DF of only a small constant, where traditional schedulers place no upper bound on the DF. Illustrating that SurgeProtector is not only theoretically, but practically robust, we integrated SurgeProtector into an open-source intrusion detection system (IDS). Under simulated attack, the SurgeProtector-augmented IDS suffers 90-99% lower innocent traffic loss than the original system.

Presented in Partial Fulfillment of the CSD Speaking Skills Requirement.

In Person and Zoom Participation. See announcement.

For More Information:
deb@cs.cmu.edu

