Columbia Technology Ventures

Permission-Based Sending (PBS) protocol for communication network security and traffic control

The PBS signaling architecture for network traffic authorization improves network security by protecting against unwarranted attacks (e.g. denial-of-service (DoS) attacks). The PBS design prevents unauthorized attacks -- traffic initiated without explicit consent from the intended receiver -- by introducing a "permission" paradigm: a receiver grants a sender a permission that authorizes the sender to send a specific quantity of data. This limited permission can stop an attack because packets that exceed the permission are dropped at a router that is aware of PBS. Beyond security, PBS has applications in network traffic management, where cost reduction and failure prevention can be achieved by throttling peak traffic. The PBS architecture operates via on-path signaling to set up permission state, monitor attacks, and trigger the authentication mechanism. Other components of this technology include DoS detection for identifying the type of attack, a decision point for selecting the response to an attack, and traffic management for handling all incoming packets.

PBS is a distributed, scalable architecture that can be easily deployed on existing networks

PBS does not require a central server to control permissions; the signaling protocols can be introduced into established networks using a bottom-up approach. Also contributing to its scalability, PBS operates alongside existing network protocols, and it does not require all of the network’s routers to be aware of PBS. Most packets are screened against the permission state using the industry-standard 5-tuple of the data packets. The widely used IPsec Authentication Header is employed for packet authentication and spoofing-attack prevention when the network is compromised. Performance experiments were conducted to determine the signaling message overhead, the memory required to maintain permission state, and the maximum number of sessions that can be handled.
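The two paragraphs above describe the core of the permission paradigm: permission state keyed by the packet 5-tuple, a byte quota granted by the receiver, and a PBS-aware router that forwards packets only while the quota lasts and drops the rest. The following is an added illustration of that enforcement logic, not code from the listing or from the inventor's implementation. The 5-tuple representation, the grant() call that stands in for the on-path signaling message (whose format is not given on this page), the suspect_threshold used to flag a sender, and all addresses and sizes are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Assumed 5-tuple layout: (src_ip, src_port, dst_ip, dst_port, protocol).
FiveTuple = Tuple[str, int, str, int, str]


@dataclass
class Permission:
    # Bytes the receiver has authorized; decremented as packets are forwarded.
    remaining_bytes: int


@dataclass
class Packet:
    flow: FiveTuple
    size: int  # payload size in bytes (constructed values below)


@dataclass
class PBSRouter:
    """A PBS-aware router: forwards a packet only while a receiver-granted
    permission for its 5-tuple still has quota; everything else is dropped."""
    permissions: Dict[FiveTuple, Permission] = field(default_factory=dict)
    drops_by_sender: Dict[str, int] = field(default_factory=dict)
    # Assumed detection knob: drops from one source before it is flagged.
    suspect_threshold: int = 5

    def grant(self, flow: FiveTuple, quota_bytes: int) -> None:
        """Install permission state. In PBS this would be triggered by the
        receiver's on-path signaling message; here it is a direct call."""
        self.permissions[flow] = Permission(quota_bytes)

    def revoke(self, flow: FiveTuple) -> None:
        """Remove permission state, e.g. when the receiver withdraws consent."""
        self.permissions.pop(flow, None)

    def handle(self, pkt: Packet) -> str:
        """Return 'forward' or 'drop' for one packet and update state."""
        perm = self.permissions.get(pkt.flow)
        if perm is None or perm.remaining_bytes < pkt.size:
            # No permission, or the packet would exceed what was granted.
            src = pkt.flow[0]
            self.drops_by_sender[src] = self.drops_by_sender.get(src, 0) + 1
            return "drop"
        perm.remaining_bytes -= pkt.size
        return "forward"

    def suspected_attackers(self) -> List[str]:
        """Sources whose unpermitted traffic crossed the threshold; this is
        the input a DoS-detection / decision-point component would consume."""
        return sorted(s for s, n in self.drops_by_sender.items()
                      if n >= self.suspect_threshold)


def simulate() -> dict:
    """Constructed scenario: one authorized flow and one flood with no permission."""
    router = PBSRouter()
    legit = ("192.0.2.10", 40000, "203.0.113.5", 443, "tcp")
    flood = ("198.51.100.9", 51000, "203.0.113.5", 443, "tcp")
    router.grant(legit, 3000)  # receiver authorizes 3000 bytes from the legit sender
    stream = [Packet(legit, 1000)] * 4 + [Packet(flood, 1200)] * 10
    results = [router.handle(p) for p in stream]
    return {
        "forwarded": results.count("forward"),   # 3: the quota covers 3 x 1000 bytes
        "dropped": results.count("drop"),        # 11: 4th legit packet + 10 flood packets
        "suspected": router.suspected_attackers(),
    }


if __name__ == "__main__":
    print(simulate())
```

The point the scenario makes is that the flood never reaches the receiver, and that the legitimate sender is not mistaken for an attacker even though one of its packets overran the quota: the drop counter distinguishes a sender with a single overrun from one with no permission at all.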

Lead Inventor:

Henning G. Schulzrinne, Ph.D.

Applications:

  • Prevention of a variety of network cyber-attacks including DoS attacks, ICMP floods, teardrop attacks, peer-to-peer attacks, permanent DoS attacks, application level floods, nukes, distributed attacks, reflected attacks, and unintentional attacks.
  • Improving network security as it relates to online credit card payments, e-commerce, secure internet data exchange, internet routers/gateways, DNS root servers, local business or government LANs/WANs, and wireless networks.
  • Managing network traffic to reduce costs and prevent failures by throttling traffic during peak times.

Advantages:

  • Easily deployable on existing networks.
  • System is distributable and scalable.
  • Does not rely on a central server to control permissions.
  • Uses common network protocols, such as IPsec, to prevent packet spoofing.
  • Detects and prevents both on and off-path attacks on both trusted and Byzantine networks.
  • Dynamic adaptation re-routes packets to avoid compromised routers.

Patent information:

Patent Issued

Tech Ventures Reference: IR M09-001

Related Publications: