DOCSLIB.ORG

A Multi-Resolution Approach for Worm Detection and Containment∗

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
A Multi-Resolution Approach for Worm Detection and Containment∗ A Multi-Resolution Approach for Worm Detection and Containment∗ Vyas Sekar Yinglian Xie Michael K. Reiter Hui Zhang [email protected] [email protected] [email protected] [email protected] Carnegie Mellon University Abstract used for detection and containment. Future attacks can evade detection mechanisms which depend on scanning Despite the proliferation of detection and contain- rates, signatures, and other attack-specific features. ment techniques in the worm defense literature, sim- Interestingly, one of the earliest known scan- ple threshold-based methods remain the most widely de- detection heuristics, threshold-based detection based on ployed and most popular approach among practitioners. the number of unique destinations contacted, is applica- This popularity arises out of the simplistic appeal, ease ble across a wide spectrum of worm attacks. Threshold- of use, and independence from attack-specific properties based mechanisms are very popular and are one of the such as scanning strategies and signatures. However, most widely-deployed worm defenses [12] due to their such approaches have known limitations: they either simplicity and ease of deployment. The strength and ro- fail to detect low-rate attacks or incur very high false bustness of the mechanism lies in its minimal set of as- positive rates. We propose a multi-resolution approach sumptions about the nature of attacks – scanners contact to enhance the power of threshold-based detection and many unique destinations. By adopting a metric which rate-limiting techniques. Using such an approach we is invariant across scanning attacks, independent of the can not only detect fast attacks with low latency, but scanning strategy and content signatures, this approach also discover low-rate attacks – several orders of mag- has the ability to be attack-agnostic. nitude less aggressive than today’s fast propagating at- However, threshold-based detection mechanisms cur- tacks – with low false positive rates. We also outline a rently lack the accuracy and effectiveness of attack- multi-resolution rate limiting mechanism for throttling specific approaches. Having only a single fixed thresh- the number of new connections a host can make, to con- old for a metric (such as the number of unique desti- tain the spread of worms. Our trace analysis and sim- nation addresses contacted), typically measured over a ulation experiments demonstrate the benefits of a multi- single time window a few seconds long, network admin- resolution approach for worm defense. istrators must make a choice in the selection of the detec- tion threshold. The choice is between a high threshold that can detect only very high-rate attacks but has low 1. Introduction false positive rates, and a low threshold that can detect low-rate stealthy attacks but that may have a very high Worms pose a significant threat to the depend- false positive rate. This fundamental inflexibility limits ability of existing and future networking infrastruc- the practical applicability of threshold-based approaches ture. Defending against such self-propagating attacks to high-rate attacks. A natural question is: can we re- in an automated fashion is a challenging task, and has tain the attack-agnostic properties of threshold-based de- sparked much interest in the research community. Ex- tection, but provide detection capabilities comparable to isting approaches for worm defense (e.g., [3, 7, 13, 18]) attack-specific approaches? have been shown to be effective for very fast, non- Our solution is a multi-resolution approach for de- polymorphic, random scanning worms. However, they tecting and containing worms, without depending on leave open to attackers opportunities to circumvent the attack-specific scanning properties and signatures. The defense mechanisms by exploiting the very assumptions key insight behind the multi-resolution approach is the ∗This work was partially supported by NSF grant number CNS- following simple yet powerful observation. While the 0433540, and by KISA and MIC of Korea. short term connection patterns of normal end-hosts may be bursty, involving a large volume of traffic and con- sumption and avoid overloading network and router re- nections to many unique destination addresses, hosts ex- sources. Second, such approaches can curb the internal hibit lower average connection rates when observed over spread of worms that exploit topological locality. longer timescales. As a result, we find that connection Chen and Tang [2] propose worm detection and con- metrics, such as the traffic volume and the number of tainment based on connection failure rates. Jung et al. distinct destinations contacted, grow as a concave func- use sequential hypothesis testing [6, 13] to detect scan- tion of the size of the time window (i.e., the second ners by tracking failed connection attempts. Our ap- derivative with respect to the time window size is nega- proach is agnostic to the scanning strategy since it does tive). This suggests that using multiple resolutions with not rely on failed connections. different detection thresholds at different time granular- Several worm containment methods have been sug- ities will be an effective solution to detect a wide range gested in the literature, including rate-limiting, quaran- of attack rates with low false positive rates. tine, and signature-based filtering. Moore et al. [11] Our traffic analysis (Section 3) confirms this intu- study the limits on the responsiveness of content- ition, and indicates the potential benefits of a multi- filtering and address-blacklisting as containment mea- resolution approach. We provide a systematic frame- sures, while Wong et al. [18] discuss the effectiveness of work (Section 4) for realizing these benefits, by bal- rate-limiting mechanisms. Zou et al. [20] present an an- ancing the inherent tradeoff between the false positive alytical framework for reasoning about worm propaga- rate and the detection latency (and hence the potential tion in the presence of defense mechanisms. Williamson damage caused by infected hosts). We define the se- proposed the virus throttle [17] based on the observa- curity cost of a system, in terms of the false positive tion that the number of connections to previously un- rates and detection latencies, and outline an optimiza- contacted hosts is fairly low. While the class of contain- tion framework for selecting parameters optimally for a ment measures we evaluate have been proposed earlier multi-resolution detection system. in these contexts, our contribution is the design and eval- Our multi-resolution approach for containment (Sec- uation of a multi-resolution approach for rate limiting. tion 5) draws upon a similar insight in the nature of end- Multi-resolution analysis in spatial and temporal di- host behavior. Locality in destination address selection mensions, using Fourier and wavelet analysis, has been suggests that throttling connections to new destinations suggested for anomaly detection (e.g., [1, 4]). Calculat- that have not been contacted previously, will achieve the ing the number of unique destinations contacted over desired containment capability without disrupting the multiple time resolutions necessarily involves taking activity of normal hosts. Our evaluations demonstrate unions of the set of destinations contacted over multiple that a multi-resolution approach achieves enhanced con- time bins. Signal analysis techniques are not suitable in tainment capabilities over traditional approaches. this context as they cannot capture the semantics of such a union operation for multi-resolution analysis. 2. Related Work 3. Motivation Prior work has focused on understanding differ- ent worm propagation models (e.g., [10, 16]). Many In threshold based anomaly detection, the traffic techniques have been proposed for detecting worm monitor identifies abnormal activity by measuring spe- outbreaks using either large-scale monitoring infras- cific traffic metrics and flagging suspicious observa- tructures (e.g., [19]) or locally deployed honeypots tions which exceed a pre-set threshold within a spe- (e.g., [5]). There are also several systems for efficient cific time window. Commonly used metrics for de- and fast worm signature generation (e.g., [3, 7, 14]). tecting abnormal host behavior include the total traffic There has been surprisingly little work on detec- volume (number of packets or flows) and the number tion of stealthy, low-rate, scanning attacks. Staniford of unique destination addresses contacted (regardless of et al. describe a mechanism for detecting stealthy port whether the connection was successful or not). Despite scans [15] arising outside the network, by using a his- their widespread deployment, threshold-based mecha- torical probability model for different types of traffic. nisms suffer from an inherent inflexibility arising from Our work focuses on detecting and throttling infected the conflicting goals in threshold selection. A large (i.e, hosts inside a local network similar to [9, 13]. There are conservative) threshold that accounts for normal traffic two compelling reasons for deploying such capabilities. bursts will not be able to detect low-rate attacks, while a First, rate limiting can reduce wasteful bandwidth con- small (i.e., aggressive) threshold will result in high false 40 40 positive rates where even small bursts of legitimate ac- Day 2 99th percentile 35 Day 4 35 99.1 percentile tivity will be flagged as potentially anomalous. Day 6 99.3 percentile 30 30 99.5 percentile With respect to worm detection, the metric of inter- 25 25 est is the number of unique destination addresses con- 20 20 tacted. If the number of unique destination addresses 15 15 contacted by a benign host grows as a linear function 10 10 Outdegree (# hosts contacted) 5 Outdegree (# hosts contacted) 5 of the time window, then a single-resolution approach 0 0 0 50 100 150 200 250 300 350 400 450 500 0 50 100 150 200 250 300 350 400 450 500 operating with a fixed threshold is sufficient, as it will Window size in seconds Window size in seconds uniquely identify the (malicious) scanning rates we can (a) Growth of 99.5th per- (b) Growth of different statis- detect.
Load more

Recommended publications
  • View Document
    Application Report Date: 2016/05/05 For Region: All Time: 10:19:28 For Application Type: All Page: 1 For Application Status: ACCEPTED For Date Range: 2016/04/01 to 2016/04/30 Region Application Type Ref. No. Registered Name Status Date EC Retail New B/2016/04/20/0002 BLACK OIL HOLDINGS (PTY) LTD ACCEPTED - PENDING DOCUMENTATION 2016/04/20 EC Site New B/2016/04/20/0001 TRAKPROPS 146 (PTY) LTD ACCEPTED - PENDING DOCUMENTATION 2016/04/20 EC Retail New (Change-of-Hands) B/2016/04/25/0002 CALANDRA TRADING 669 CC ACCEPTED - PENDING DOCUMENTATION 2016/04/25 EC Retail New (Change-of-Hands) B/2016/04/25/0001 CALANDRA TRADING 669 CC ACCEPTED - PENDING DOCUMENTATION 2016/04/25 FS Retail New (Change-of-Hands) C/2016/04/29/0001 HECTOR AUSTIN ENGINEERING (PTY) LTD ACCEPTED - PENDING DOCUMENTATION 2016/04/29 FS Retail New (Change-of-Hands) C/2016/04/21/0001 DAIZEBEL (PTY) LTD ACCEPTED - PENDING DOCUMENTATION 2016/04/21 FS Retail New (Change-of-Hands) C/2016/04/26/0001 MAJA FUELS (PTY) LTD ACCEPTED - PENDING DOCUMENTATION 2016/04/26 FS Retail New (Change-of-Hands) C/2016/04/08/0001 MINOZEST (PTY) LTD ACCEPTED - PENDING DOCUMENTATION 2016/04/08 GP Retail New D/2016/04/22/0003 LAMANI BUSINESS ENTERPRISES (PTY) LTD ACCEPTED - PENDING DOCUMENTATION 2016/04/22 GP Retail Temporary D/2006/08/17/0015/T16/1 CJ & CK (PTY) LTD ACCEPTED 2016/04/14 GP Site New D/2016/04/22/0002 TOWER PROPERTY FUND LIMITED ACCEPTED - PENDING DOCUMENTATION 2016/04/22 GP Wholesale New D/2016/04/29/0001 JUNE PETROLEUM PTY LTD ACCEPTED - PENDING DOCUMENTATION 2016/04/29 GP Wholesale New
    [Show full text]
  • AMD Geode™ LX Processors Data Book
    AMD Geode™ LX Processors Data Book February 2007 Publication ID: 33234E AMD Geode™ LX Processors Data Book © 2007 Advanced Micro Devices, Inc. All rights reserved. The contents of this document are provided in connection with Advanced Micro Devices, Inc. (“AMD”) products. AMD makes no representations or warranties with respect to the accuracy or completeness of the contents of this publication and reserves the right to make changes to specifications and product descriptions at any time without notice. No license, whether express, implied, arising by estoppel or otherwise, to any intellectual property rights is granted by this publication. Except as set forth in AMD’s Standard Terms and Conditions of Sale, AMD assumes no liability whatsoever, and disclaims any express or implied warranty, relating to its products including, but not limited to, the implied warranty of mer- chantability, fitness for a particular purpose, or infringement of any intellectual property right. AMD’s products are not designed, intended, authorized or warranted for use as components in systems intended for surgical implant into the body, or in other applications intended to support or sustain life, or in any other application in which the failure of AMD’s product could create a situation where personal injury, death, or severe property or environmental damage may occur. AMD reserves the right to discontinue or make changes to its products at any time without notice. Contacts www.amd.com Trademarks AMD, the AMD Arrow logo, AMD Athlon, AMD Geode, and combinations thereof, and 3DNow! and GeodeLink, are trademarks of Advanced Micro Devices, Inc. AMD-K6 is a registered trademark of Advanced Micro Devices, Inc.
    [Show full text]
  • System/370 Model 145 Reference Summary
    System/370 Model 145 Reference Summary S229-2239-1 IBM Corporation, Field Support Documentation, Dept 927, Rochester, Minnesota 55901 PREFACE This publication is primarily intended for customer engineers servicing System/370 Model 145. Second Edition (September 1972) This is a major revision of, and makes 8229-2239-0 obsolete. Address any comments concerning the contents of this publication to: IBM, Field Support Documentation, Dept 927, Rochester, Minnesota 55901 © International Business Machines Corporation 1972 CONTENTS Section 1 - Control Words Branch and Module Switch Word "O" . 1. 1 Branch Word . 1.2 GA Function Charts . 1.3 GA Function Charts . 1.4 GA Function Charts . 1.5 Branch and Link or Return Word . 1.6 Word Move Word Version"O" . 1. 7 Word Move Word Version "1" . 1.8 Storage Word, Non K-Addressable . 1.9 Storage Word, K-Addressable . 1.10 Arithmetic Word 10 Byte Version 1.11 Arithmetic Word, Fullword Version 1.12 Arithmetic Word, 11 Direct ByteVersion . 1.13 Arithmetic Word, 10/11 Indirect Byte Version . 1.14 ALU Entry Gating 1.15 Stat Set Symbols . 1.15 BranchSymbols . 1.15 Arithmetic Word Chart Selection 1.16 Address Formation Chart 1.16 Control Word Chart Selection 1.16 Section 2 - CPU 3145 CPU Data Flow . 2.1 I-Cycles Data Flow . 2.2 I-Cycles . 2.3 PSW Locations . 2.3 Expanded Local Storage . 2.3 I-Cycles . 2.3 I-Cycles Control Line Generation . 2.4 Control Word . 2.4 Control Register Decode . 2.4 iii ECCL Board Layout ............ 2.5 Data Bit Location Chart .......... 2.5 Common Test Points ...........
    [Show full text]
  • Prioritization 4.0
    Prioritization 4.0 NCDOT Strategic Prioritization Office of Transportation July 2015 Agenda • Background • General Overview of Changes From P3.0 To P4.0 • Scoring and Scaling • Peak ADT • In-Depth Review of P4.0 Highway Criteria, Measures and Weights • In-Depth Review of P4.0 Non-Highway Criteria, Measures and Weights • Timeline/Schedule • SPOT On!ine • Local Input Methodologies and Best Practices 2 Background NCDOT is responsible for 6 modes of transportation: • Aviation (74 publicly‐owned airports) • Bicycle and Pedestrian • Ferries –2nd largest system in US (behind Washington) • Highways – Maintains 80,000 miles of highways (2nd only to Texas) • Public Transportation • Rail Annual Budget of approx. $4.1 B (federal dollars account for 25% of total budget) 3 Background Key Partners, as shown on colorful map below, include: • 19 Metropolitan Planning Organizations (MPOs) • 18 Rural Planning Organizations (RPOs) • 14 Field Offices (Divisions) *Unifour RPO has dissolved into adjacent MPOs 4 Strategic Transportation Investment (STI) New funding formula for NCDOT’s Capital Expenditures • Focus on Mobility/Expansion and Modernization projects for all modes House Bill 817 signed into Law June 26, 2013 Most significant transportation legislation in NC since 1989 Prioritization Workgroup charged with providing recommendations to NCDOT on weights and criteria. Reps include: • MPOs • RPOs • Division Engineers • Local Government Advocacy Groups 5 STI Legislation New funding formula for all capital expenditures, regardless of mode. All modes must
    [Show full text]
  • ILK]: Driver Should Make Sure the First 3D Command After the Engine Switch from BLT Not to Be 1
    Intel® OpenSource HD Graphics PRM Volume 1 Part 5: Graphics Core - Blitter Engine For the all new 2010 Intel Core Processor Family Programmer’s Reference Manual (PRM) March 2010 Revision 1.0 Doc Ref #: IHD_OS_V1Pt5_3_10 Creative Commons License You are free: to Share — to copy, distribute, display, and perform the work Under the following conditions: Attribution. You must attribute the work in the manner specified by the author or licensor (but not in any way that suggests that they endorse you or your use of the work). No Derivative Works. You may not alter, transform, or build upon this work. INFORMATION IN THIS DOCUMENT IS PROVIDED IN CONNECTION WITH INTEL® PRODUCTS. NO LICENSE, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, TO ANY INTELLECTUAL PROPERTY RIGHTS IS GRANTED BY THIS DOCUMENT. EXCEPT AS PROVIDED IN INTEL’S TERMS AND CONDITIONS OF SALE FOR SUCH PRODUCTS, INTEL ASSUMES NO LIABILITY WHATSOEVER, AND INTEL DISCLAIMS ANY EXPRESS OR IMPLIED WARRANTY, RELATING TO SALE AND/OR USE OF INTEL PRODUCTS INCLUDING LIABILITY OR WARRANTIES RELATING TO FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABILITY, OR INFRINGEMENT OF ANY PATENT, COPYRIGHT OR OTHER INTELLECTUAL PROPERTY RIGHT. Intel products are not intended for use in medical, life saving, or life sustaining applications. Intel may make changes to specifications and product descriptions at any time, without notice. Designers must not rely on the absence or characteristics of any features or instructions marked "reserved" or "undefined." Intel reserves these for future definition and shall have no responsibility whatsoever for conflicts or incompatibilities arising from future changes to them. The Sandy Bridge chipset family, Havendale/Auburndale chipset family, Intel® 965 Express Chipset Family, Intel® G35 Express Chipset, and Intel® 965GMx Chipset Mobile Family Graphics Controller may contain design defects or errors known as errata which may cause the product to deviate from published specifications.
    [Show full text]
  • The New Tourism Lexicon: Rewriting Our Industry's Narrative
    POLICY BRIEF THE NEW TOURISM LEXICON: REWRITING OUR INDUSTRY'S NARRATIVE Last year, Destinations International released a policy "Washington is the problem. Remind voters again and brief entitled, “Advocacy in the Face of Ideology,” which again about Washington spending, Washington waste, made the case that relying on ROI numbers to defend Washington taxation, Washington bureaucracy, the value and relevancy of a destination organization Washington rules and Washington regulations." was no longer a viable advocacy strategy. Instead, we Luntz also suggested replacing "drilling for oil" with argued, destination organizations need to support the "exploring for energy," "undocumented workers" with message of ROI in terms of dollars and cents with an "illegal aliens," and "estate tax" with "death tax." The ideological and value-based appeal to convince political substitutions often work — an Ipsos/NPR poll found that leaders that without a destination organization, these support for abolishing the estate tax jumps to 76% from returns will inevitably vanish. 65% when you call it the death tax. Our industry has unfortunately fallen for what George Lakoff, a professor of Cognitive Science and Linguistics at the University of California at Berkeley, dubs the “Enlightenment Fallacy.” According to this viewpoint, you simply need to tell people the facts in clear language and they’ll reason to the right, true conclusions. The problem, as Lakoff puts it is, “The cognitive and brain sciences have shown this is false… it’s false in every single detail.” The reality is that people tend to frame political arguments, and the facts behind them, in terms of their own values.
    [Show full text]
  • Advanced Ipv6 Security in the LAN Gilles Roy, Technical Leader BRKSEC-3003 in 2015, 55% of Attacks Are from the Inside! *
    Advanced IPv6 Security in the LAN Gilles Roy, Technical Leader BRKSEC-3003 In 2015, 55% of attacks are from the inside! * Source: 2015 IBM Cyber Security Report 3 There is a lot happening on the LAN, it can be difficult to follow everything, lets break it down. 1. Operations 2. Attacks 3. Mitigations 4. Use cases 4 Use cases Enterprise SP Access Datacenter Address Allocation ✔ ✖ ✖ Duplicate Address Detection ✔ ✔ ✔ Address Resolution ✔ ✖ ✔ Operation Neighbor Unreachability Detection ✔ ✖ ✔ Prefix Allocation ✖ ✔ ✖ Making Default Router Discovery ✔ ✖ ✔ sense of Denial of Link Operations ✔ ✖ ✔ Denial of Address Resolution ✔ ✖ ✔ YOUR Router Theft ✔ ✔ ✔ Attacks Address Theft ✔ ✖ ✔ setup. Denial of Address Configuration ✔ ✔ ✖ Denial of Address Assignment ✔ ✖ ✖ RA Guard ✔ ✔ ✔ DHCP Guard ✔ ✔ ✖ Mitigation Source Guard ✔ ✖ ✔ Destination Guard ✔ ✖ ✖ Binding Guard ✔ ✖ ✔ 5 Abstract summary and pre-requisite • This session focuses on IPv6 security within the layer-2 domain • With a multi-dimensional approach: operations, vulnerabilities, mitigations and use-cases • It introduces security features at the First Hop, such RA Guard, Source Guard, Destination guard, etc • Requirements: Knowledge of IPv6 and IPv6 Neighbor Discovery 6 Agenda • IPv6 in the layer-2 domain: operations and protocols • IPv6 in the layer-2 domain: vulnerabilities • Attack Demonstration • Mitigating Vulnerabilities • Use cases overview 7 Some background on layer-2 & IPv6 • Layer-2: what is it? • Layer-2 domain: also “broadcast domain”, link, lan, vlan, segment • Nodes: hosts, routers,
    [Show full text]
  • Report on the Most Appropriate Indicators Related to the Basic Concepts
    D 4.1 – Report on the most appropriate indicators related to the basic concepts Report on the most appropriate indicators related to the basic concepts Deliverable D4.1 This project has received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement No. 870708 D 4.1 – Report on the most appropriate indicators related to the basic concepts Disclaimer: The contents of this deliverable are the sole responsibility of one or more Parties of the SmartCulTour consortium and can under no circumstances be regarded as reflecting the position of the Research Executive Agency and European Commission under the European Union’s Horizon 2020 programme. Copyright and Reprint Permissions “You may freely reproduce all or part of this paper for non-commercial purposes, provided that the following conditions are fulfilled: (i) to cite the authors, as the copyright owners (ii) to cite the SmartCulTour Project and mention that the EC co-finances it, by means of including this statement “Smart Cultural Tourism as a Driver of Sustainable Development of European Regions - SmartCulTour Project no. H2020-870708 co financed by EC H2020 program” and (iii) not to alter the information.” _______________________________________________________________________________________ How to quote this document: Petrić, L., Mandić, A., Pivčević, S., Škrabić Perić, B., Hell, M., Šimundić, B., Muštra, V., Mikulić, D., & Grgić, J. (2020). Report on the most appropriate indicators related to the basic concepts. Deliverable 4.1 of the Horizon 2020 project SmartCulTour (GA number 870708), published on the project web site on September 2020: http://www.smartcultour.eu/deliverables/ D 4.1 – Report on the most appropriate indicators related to the basic concepts This project has received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement No.
    [Show full text]
  • Decnet-Plusftam and Virtual Terminal Use and Management
    VSI OpenVMS DECnet-Plus FTAM and Virtual Terminal Use and Management Document Number: DO-FTAMMG-01A Publication Date: June 2020 Revision Update Information: This is a new manual. Operating System and Version: VSI OpenVMS Integrity Version 8.4-2 VSI OpenVMS Alpha Version 8.4-2L1 VMS Software, Inc., (VSI) Bolton, Massachusetts, USA DECnet-PlusFTAM and Virtual Terminal Use and Management Copyright © 2020 VMS Software, Inc. (VSI), Bolton, Massachusetts, USA Legal Notice Confidential computer software. Valid license from VSI required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license. The information contained herein is subject to change without notice. The only warranties for VSI products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. VSI shall not be liable for technical or editorial errors or omissions contained herein. HPE, HPE Integrity, HPE Alpha, and HPE Proliant are trademarks or registered trademarks of Hewlett Packard Enterprise. Intel, Itanium and IA-64 are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries. UNIX is a registered trademark of The Open Group. The VSI OpenVMS documentation set is available on DVD. ii DECnet-PlusFTAM and Virtual
    [Show full text]
  • The (Many) Paths to “Destination X”
    Blog The (many) paths to “Destination X” Michelle Batten Head of Global Marketing, Mobile Division, Amadeus According to Amadeus’ new whitepaper, Better travel in the Live Travel Space “Get ready for Destination X,” today’s travel sellers have a golden opportunity to Destination X also offers enormous tap into destination services, a growing untapped potential to market and sell marketplace set to reach $183 billion by ancillary destination services to travelers. 2020. Drawing on survey results from It’s a place where travel agents, corporate more than a thousand CheckMyTrip by travel programs, and other providers of Amadeus mobile app users, the research flights, hotels and cars can continue identifies emerging trends about business servicing travelers at their final destination. and leisure travelers destined for Whether traveling on business, leisure or Destination X, one of the most important bleisure, mobile provides the perfect revenue-generating stops on a traveler’s platform to offer these destination services journey. on the move. Take me to travel nirvana Amadeus is helping travel providers better understand and address these challenges The Amadeus research poses questions and opportunities. Using the Amadeus such as, “Are travelers prepared as they Travel Platform, the Live Travel Space arrive to Destination X?” Are their needs aggregates all content into one platform, for add-on destination services like airport making it easier for travel sellers to find transfers, local activities and restaurant what they need, and provide the level of reservations being met? The paper personalization their travelers demand. explores eight trends regarding the challenges and opportunities travel sellers Are you ready to service customers more face in the post-booking ancillary game fully when they reach Destination X? and how you can win travelers trust in Download the whitepaper today at that arena.
    [Show full text]
  • Towards Coordinated, Network-Wide Traffic
    Towards Coordinated, Network-Wide Traffic Monitoring for Early Detection of DDoS Flooding Attacks by Saman Taghavi Zargar B.Sc., Computer Engineering (Software Engineering), Azad University of Mashhad, 2004 M.Sc., Computer Engineering (Software Engineering), Ferdowsi University of Mashhad, 2007 Submitted to the Graduate Faculty of the School of Information Sciences in partial fulfillment of the requirements for the degree of Doctor of Philosophy University of Pittsburgh 2014 UNIVERSITY OF PITTSBURGH SCHOOL OF INFORMATION SCIENCES This dissertation was presented by Saman Taghavi Zargar It was defended on June 3, 2014 and approved by James Joshi, Ph.D., Associate Professor, School of Information Sciences David Tipper, Ph.D., Associate Professor, School of Information Sciences Prashant Krishnamurthy, Ph.D., Associate Professor, School of Information Sciences Konstantinos Pelechrinis, Ph.D., Assistant Professor, School of Information Sciences Yi Qian, Ph.D., Associate Professor, College of Engineering, Dissertation Advisors: James Joshi, Ph.D., Associate Professor, School of Information Sciences, David Tipper, Ph.D., Associate Professor, School of Information Sciences ii Copyright c by Saman Taghavi Zargar 2014 iii Towards Coordinated, Network-Wide Traffic Monitoring for Early Detection of DDoS Flooding Attacks Saman Taghavi Zargar, PhD University of Pittsburgh, 2014 DDoS flooding attacks are one of the biggest concerns for security professionals and they are typically explicit attempts to disrupt legitimate users' access to services. Developing a com- prehensive defense mechanism against such attacks requires a comprehensive understanding of the problem and the techniques that have been used thus far in preventing, detecting, and responding to various such attacks. In this thesis, we dig into the problem of DDoS flooding attacks from four directions: (1) We study the origin of these attacks, their variations, and various existing defense mecha- nisms against them.
    [Show full text]
  • A Logical Approach to Representing and Reasoning About Interdomain Routing Policies
    A Logical Approach to Representing and Reasoning About Interdomain Routing Policies Anduo Wang and Zhijia Chen Temple University Abstract. The Internet paths connecting independently operated networks, also called domains or autonomous systems (ASes), are driven by semantically rich policies: the interdomain routing protocol that computes the Internet paths allows the ASes to influence path selection with their local policies, such as economic concerns or operational constraints. An AS can promote a policy compliant but globally longer path by carefully tweaking lower level path attributes that are used in the routing protocol. Such operational policies are notoriously complex and hard to understand. This paper takes a step back and asks whether a more principled logical approach can lead to AS policies that are easier to under- stand, reuse, evolve, and coexist. To this end, we propose to represent policies by database integrity constraints, in the form of headless datalog rules about what are the acceptable Internet paths. The simple datalog expression unifies a wide spectrum of AS policies, ranging from classic examples seen in today’s routing practice to futuristic ones proposed in various extensions to Internet routing. More importantly, by leveraging datalog’s connection to the theorem proving technique called the residue method, we developed a new technique for understanding the interactions among the policies — whether a policy can inadvertly affect another, and how to resolve the conflict. We also evaluated our logical policies, show- ing promising result with small overhead for conflict resolution on realistic large networks. 1 Introduction The Internet today is more than connecting remote hosts with valid paths.
    [Show full text]