Farnam Jahanian's research while affiliated with University of Michigan and other places

Publications (101)

Patent
A system is provided for detecting, analyzing and quarantining unwanted files in a network environment. A host agent residing on a computing device in the network environment detects a new file introduced to the computing device and sends the new file to a network service for analysis. The network service is accessible to computing devices in the n...
Conference Paper
Public clouds have become a popular platform for building Internet-scale applications. Using virtualization, public cloud services grant customers full control of guest operating systems and applications, while service providers still retain the management of their host infrastructure. Because applications built with public clouds are often highly...
Conference Paper
Full-text available
The rapid evolution of threat ecosystems and the shifting focus of adversarial actions complicate efforts to assure security of an organization's computer networks. Efforts to build a rigorous science of security, one consisting of sound and reproducible empirical evaluations, start with measures of these threats, their impacts, and the factors tha...
Conference Paper
Full-text available
Whether it happens through malware or through phishing, loss of one's online identity is a real and present danger. While many attackers seek credentials to realize financial gain, an analysis of the compromised accounts at our own institutions reveals that perpetrators often steal university credentials to gain free and unfettered access to inform...
Article
Vulnerabilities within antivirus engines deployed at a mail server represent a serious risk to the security of organizations. If a sophisticated attacker is able to re-motely probe a mail server and identify the particular antivirus engine used, he may craft a malformed mes-sage to exploit the engine with a low risk of detection. This paper explore...
Conference Paper
Full-text available
Recent exploration into the unique security challenges of cloud computing have shown that when virtual machines belonging to different customers share the same physical machine, new forms of cross-VM covert channel communication arise. In this paper, we explore one of these threats, L2 cache covert channels, and demonstrate the limits of these this...
Conference Paper
Full-text available
Modern networks are complex and hence, network operators often rely on automation to assist in assuring the security, availability, and performance of these networks. At the core of many of these systems are general-purpose anomaly-detection algorithms that seek to identify normal behavior and detect deviations. While the number and variations of t...
Conference Paper
Full-text available
Enterprise networks face a variety of threats including worms, viruses, and DDoS attacks. Development of effective defenses against these threats re- quires accurate inventories of network devices and the services they are running. Traditional vulnerability scanning systems meet these requirements by periodi- cally probing target networks to discov...
Conference Paper
Full-text available
The monitoring of packets destined for routeable, yet unused, Internet addresses has proved to be a useful technique for measuring a variety of specific Internet phenomenon (e.g., worms, DDoS). In 2004, Pang et al. stepped beyond these targeted uses and provided one of the first generic characterizations of this non-productive traffic, demonstratin...
Conference Paper
In this paper, we examine changes in Internet inter-domain traffic demands and interconnection policies. We analyze more than 200 Exabytes of commercial Internet traffic over a two year period through the instrumentation of 110 large and geographically diverse cable operators, international transit backbones, regional networks and content providers...
Conference Paper
Full-text available
Unsolicited bulk e-mail (UBE) or spam constitutes a significant fraction of all e-mail connection attempts and routinely frustrates users, consumes resources, and serves as an infection vector for malicious software. In an effort to scalably and effectively reduce the impact of these e-mails, e-mail system designers have increasingly turned to blac...
Article
Sophisticated consumer mobile devices continue to approach the capabilities and extensibility of traditional computing environments. Unfortunately, these new capabilities and applications make mobile devices an enticing target for at-tackers and malicious software. Due to such threats, the domain of mobile security has been getting a considerable a...
Conference Paper
Cloud based infrastructures are rapidly becoming a destination of choice to host a variety of applications ranging from high availability enterprise services and online TV stations, to batch oriented scientific computations. With investments of billions of dollars, the fortunes of dozens of companies, and major research initiatives staked on its su...
Conference Paper
Full-text available
Defenders of today's critical cyber-infrastructure (e.g., the Internet) are equipped with a wide array of security techniques including network-based intrusion detection systems (IDS), host-based anti-virus systems (AV), and decoy or reconnaissance systems such as host-based honeypots or network-based telescopes. While effective at detecting and mi...
Article
Full-text available
Global Internet threats have undergone a profound transformation from attacks designed solely to disable infrastructure to those that also target people and organizations. At the center of many of these attacks are collections of compromised computers, or Botnets, remotely controlled by the attackers, and whose members are located in homes, schools...
Conference Paper
Software patches are designed to have a positive ef- fect on the operation of software systems. However, these patches may cause incompatibilities, regressions, and other unintended negative impact on the reliability, performance, and security of software. In this paper, we propose PatchAdvisor, a technique to improve the manageability of the patch...
Article
Packers have long been a valuable tool in the toolbox of offensive users for evading the detection capabilities of signature-based antivirus engines. However, selecting the packer that results in the most effective evasion of antivirus engines may not be a trivial task due to diversity in the capabilities of both antivirus and packers. In this pape...
Conference Paper
Full-text available
Malicious code, or malware, executed on compromised hosts provides a platform for a wide variety of attacks against the availability of the network and the privacy and confidentiality of its users. Unfortunately, the most popular techniques for detecting and preventing malware have been shown to be significantly flawed, and it is widely believed th...
Article
This paper proposes a novel overlay architecture to improve availability and performance of end-to-end communication over the Internet. Connectivity and network availability are becoming business-critical resources as the Internet is increasingly utilized as a business necessity. For example, traditional voice and military systems are turning into...
Conference Paper
Full-text available
Modern mobile devices continue to approach the capabilities and extensibility of standard desktop PCs. Unfortunately, these devices are also beginning to face many of the same security threats as desktops. Currently, mobile security solutions mirror the traditional desktop model in which they run detection services on the device. This approach is c...
Article
As virtualization continues to become increasingly popular in enterprise and organizational networks, oper-ators and administrators are turning to live migration of virtual machines for the purpose of workload balancing and management. However, the security of live virtual machine migration has yet to be analyzed. This paper looks at this poorly ex...
Conference Paper
Antivirus software is one of the most widely used tools for detecting and stopping malicious and unwanted files. However, the long term effectiveness of traditional host- based antivirus is questionable. Antivirus software fails to detect many modern threats and its increasing com- plexity has resulted in vulnerabilities that are being ex- ploited...
Conference Paper
Numerous attacks, such as worms, phishing, and botnets, threaten the availability of the Internet, the integrity of its hosts, and the privacy of its users. A core element of defense against these attacks is anti-virus (AV) software--a service that detects, removes, and characterizes these threats. The ability of these products to successfully char...
Conference Paper
The Student Forum at DSN provides an opportunity for students currently working in the area of dependable computing to present and discuss their research objectives, approach and preliminary results. The Forum is centered on a conference track during which the selected student research papers are presented. Student Forum research papers are brief t...
Conference Paper
Full-text available
A popular approach to detecting and characterizing threats such as worms and botnets involves the use of sac- rificial host collections called honeynets. These collections are explicitly deployed to be scanned, compromised, and used in attacks. Unfortunately, existing approaches to de- ploying honeynets largely ignore the problem of configur- ing o...
Article
Antivirus software installed on each end host in an or- ganization has become the de-facto security mechanism used to defend against unwanted executables. We argue that the executable analysis currently provided by host- based antivirus software can be more efficiently and ef- fectively provided as an in-cloud network service. In- stead of running...
Article
Several research studies have been devoted to improving the reliability and performance of the Internet by utilizing redundant communication paths between end points. Multihoming, coupled with intelligent route control, and overlay networks are two main streams in this area of research which attempt to leverage redundant connections of the Internet...
Conference Paper
Full-text available
Intrusion detection and prevention systems have become es- sential to the protection of critical networks across the Internet. Widely deployed IDS and IPS systems are based around a database of known malicious signatures. This database is growing quickly while at the same time the signatures are getting more complex. These trends place ad- ditional...
Article
Internet security systems like intrusion detection and intru-sion prevention systems are based on a simple input-output principle: they receive a high-bandwidth stream of input data and produce summaries of suspicious events. This sim-ple model has serious drawbacks, including the inability to attach context to security alerts, a lack of detailed h...
Conference Paper
Full-text available
The Internet today is beset with constant attacks targeting users and infrastructure. One popular method of detecting these attacks and the infected hosts behind them is to monitor unused network addresses. Because many Internet threats propagate randomly, infection attempts can be captured by monitoring the unused spaces between live addresses. Se...
Conference Paper
Full-text available
Internet traffic destined for unused or unreachable ad- dresses provides critically important information on ma- licious and misconfigured activity. Since Internet ad- dress allocation and policy information is distributed across many devices, applications, and administrative domains, constructing a comprehensive map of unused and unreachable ("dar...
Article
An insight to functioning of Blaster worm of 2003 that infected at least 100000 Microsoft Windows systems, is presented. The Blaster worm can be launched with a sucessful new infection or in case of a user rebooting an already infected system. Once launched the worm immediately starts the setup for further propagation by choosing an address from th...
Article
Global Internet threats are undergoing a profound transformation from attacks designed solely to disable infrastructure to those that also target people and or- ganizations. Behind these new attacks is a large pool of compromised hosts sitting in homes, schools, busi- nesses, and governments around the world. These sys- tems are infected with a bot...
Conference Paper
Recently, overlay networks have emerged as a means to enhance end-to-end application performance and availability. Overlay networks attempt to leverage the inherent redundancy of the Internet's underlying routing infrastructure to detour packets along an alternate path when the given primary path becomes unavailable or suffers from congestion. Howe...
Article
This report summarizes our work on detecting and surviving large-scale network infrastructure attacks. This work investigated several different areas of infrastructure attacks including routing protocol analysis and denial of service attacks. This work produced many significant results including several patent applications as well as the commercial...
Conference Paper
Full-text available
Threats to the privacy of users and to the availability of Internet infrastructure are evolving at a tremendous rate. To characterize these emerging threats, researchers must effectively balance monitoring the large number of hosts needed to quickly build confidence in new attacks, while still preserving the detail required to differentiate these a...
Conference Paper
As national infrastructure becomes intertwined with emerging global data networks, the stability and integrity of the two have become synonymous. This connection, while necessary, leaves network assets vulnerable to the rapidly moving threats of today's Internet, including fast moving worms, distributed denial of service attacks, and routing exploi...
Article
Long after the Blaster, Slammer/Sapphire, and CodeRedII worms caused significant worldwide disruptions, a huge number of infected hosts from these worms continue to probe the Internet today. This paper investigates hotspots (non-uniformities) in the targeting behavior of these important Internet worms. Recent data collected over the period of a mon...
Article
To provide scalable, early warning and analysis of new Internet threats like worms or automated attacks, we propose a globally distributed, hybrid monitoring architecture that can capture and analyze new vulnerabilities and exploits as they occur. To achieve this, our architectures increases the exposure of high-interaction honeypots to these threa...
Conference Paper
The monitoring of unused Internet address space has been shown to be an effective method for characterizing Internet threats including Internet worms and DDOS attacks. Because there are no legitimate hosts in an unused address block, traffic must be the result of misconfiguration, backscatter from spoofed source addresses, or scanning from worms an...
Article
This paper describes the design and implementation of protocol scrubbers. Protocol scrubbers are transparent, interposed mechanisms for explicitly removing network scans and attacks at various protocol layers. The transport scrubber supports downstream passive network-based intrusion detection systems by converting ambiguous network flows into well...
Article
this article, we describe the software architecture and application environment of the UARC system as it emerged from a six-year development effort to support this scientific community in its work. (For a complete list of contributors to the current system, see the sidebar, "The UARCTeam.") UARC APPLICATION REQUIREMENTS The base unit for space scie...
Article
This paper presents the results from a detailed, experimental study of OSPF, an intra-domain routing protocol, running on a mid-size regional Internet service provider. Using multiple, distributed probes running custom monitoring tools, we collected continuous protocol information for a full year. We use this data to analyze the health of the netwo...
Article
BA0,8DC6 A8@,E;FG2@IH@'A8;:@,8;A?4J6KA0GL%62CM,:8#N L%62COKP*8;:Q6 @JRS:84762:TRUM78TAOVA078QEO#@P*8 :W#8@,E8Q4,:O#498 :A28;3XOLU2@'A8;:Y RUO#><6 2@:OM,A2@7WUZ[S@,C2]#8^3+_`2AE.0783X2@A0,8a4,M7b7C2ETA8C8470,O#@'F@,8;AY _O:]c_`0,2E 0?8;=U0,2b,2AaL%62CO P#8;:VO#@BA0,8`O:.R,8 :O LX>?2CC238;EO#@7R,3NO#MU: 8 =,498 :2>?8;@A.6 CJ>?86 3M,:8>?8@'A3^307O_IA0...
Article
Full-text available
Simulation and verification are two conventional techniques for the analysis of specifications of real-time systems. While simulation is relatively inexpensive in terms of execution time, it only validates the behavior of a system for one particular computation path. On the other hand, verification provides guarantees over the entire set of computa...
Article
This paper examines the latency in Internet path failure, failover, and repair due to the convergence properties of interdomain routing. Unlike circuit-switched paths which exhibit failover on the order of milliseconds, our experimental measurements show that interdomain routers in the packet-switched Internet may take tens of minutes to reach a co...
Conference Paper
Group communication is a widely studied paradigm which is often used in building real-time and fault-tolerant distributed systems. RTCAST is a real-time group communication protocol which has been designed to work with commercial, non-real-time, off-the-shelf hardware and operating systems, such as Solaris, Linux and Windows NT. RTCAST makes probab...
Article
This paper describes the design and implementation of a TCP/IP stack fingerprint scrubber. The fingerprint scrubber is a new tool to restrict a remote user's ability to determine the operating system of another host on the network. Allowing entire subnetworks to be remotely scanned and characterized opens up security vulnerabilities. Specifically,...
Article
We propose a lightweight fault-tolerant multicast and membership service for real-time process groups which may exchange periodic and aperiodic messages. The service supports bounded-time message transport, atomicity, and order for multicasts within a group of communicating processes in the presence of processor crashes and communication failures....
Article
This paper presents a real-time primary-backup replication scheme to support fault-tolerant data access in a real-time environment. The main features of the system are fast response to client requests, bounded inconsistency between primary and backup, temporal consistency guarantee for replicated data, and quick recovery from failures. The paper de...
Article
Full-text available
Real-time embedded systems have evolved during the past several decades from small custom-designed digital hardware to large distributed processing systems. As these systems become more complex, their interoperability, evolvability and cost-effectiveness requirements motivate the use of commercial-off-the-shelf components. This raises the challenge...
Conference Paper
This paper examines the network routing messages exchanged between core Internet backbone routers. Internet routing instability, or the rapid fluctuation of network reachability information, is an important problem currently facing the Internet engineering community. High levels of network instability can lead to packet loss, increased network late...
Article
Full-text available
The Upper Atmospheric Research Collaboratory was actively used over a period of six years to study space weather phenomena such as magnetic storms and solar winds. The UARC software was designed as a modular system of independent services that work over a wide area network and support a complex array of data suppliers, transformation modules that p...
Conference Paper
This paper examines the problem of building scalable, fault-tolerant distributed systems from collections of communicating process groups, while maintaining well-defined end-to-end delivery semantics. We propose a new architecture which supports modular group composition by providing a distinction between intra-group and inter-group communication....
Conference Paper
In this paper, we describe an experimental study of Internet topological stability and the origins of failure in Internet protocol backbones. The stability of end-to-end Internet paths is dependent both on the underlying telecommunication switching system, as well as the higher level software and hardware components specific to the Internet's packe...
Article
In this paper, we describe an experimental study of Internet stability and the origins of failure in Internet protocol backbones. The stability of end-to-end Internet paths is dependent both on the underlying telecommunication switching system, as well as the higher level software and hardware components speci#c to the Internet's packet-switched fo...
Article
This paper examines the network interdomain routing information exchanged between backbone service providers at the major US public Internet exchange points. Internet routing instability, or the rapid fluctuation of network reachability information, is an important problem currently facing the Internet engineering community. High levels of network...
Article
This paper describes the architecture, implementation, and application of Windmill, a passive network protocol performance measurement tool. Windmill enables experimenters to measure a broad range of protocol performance metrics both by reconstructing application-level network protocols and by exposing the underlying protocol layers' events. Windmi...
Conference Paper
This paper describes the architecture and implementation of Windmill, a passive network protocol performance measurement tool. Windmill enables experimenters to measure a broad range of protocol performance metrics by both reconstructing application-level network protocols and exposing the underlying protocol layers' events. Windmill is split into...
Article
Full-text available
Upper atmospheric physics focuses on the study of the earth’s ionosphere, looking particularly at the interactions of the solar wind, the earth’s magnetic field, and the characteristics of the upper atmosphere. Observations of these phenomena are made with ground-based instruments, satellites, and rockets. In recent years, a series of computational...
Article
The Salamander distribution system is a wide-area network data dissemination substrate that has been used daily for over a year by several groupware and webcasting Internet applications. Specifically, Salamander is designed to support push-based applications using attribute-based routing. This support provides a variety of delivery semantics rangin...
Article
To effectively collaborate in Internet environments, it is critical to efficiently manage the shared state of collaboration. However, the management of shared state is highly situational; different collaboration semantics require different measures tailored to their specific needs. Hence, providing a general set of services that meet the management...
Article
This paper examines the problem of building scalable, fault-tolerant distributed systems from collections of communicating process groups while maintaining well-defined end-to-end delivery semantics. Our approach to inter-group communication takes advantage of modular group composition. We introduce a generic model which provides a distinction betw...
Article
This paper describes a set of experiments performed on six different vendor TCP implementations using ORCHESTRA,a tool for testing and fault injection of communication protocols. These experimentsuncoveredviolations of the TCP protocol specification, and illustrated differences in the philosophies of various vendors in their implementations of TCP....
Article
The transportation of prerecorded, compressed video data without loss of picture quality requires the network and video servers to support large fluctuations in bandwidth requirements. Fully utilizing a client-side buffer for smoothing bandwidth requirements can limit the fluctuations in bandwidth required from the underlying network and the video-...
Conference Paper
Full-text available
The paper provides an experimental comparison of two middleware data dissemination services: a distributed object based service, and a message based service. The paper compares these two services in the context of a common application: a wide area network collaboratory, namely the Upper Atmospheric Research Collaboratory (UARC). UARC is an example...
Article
Introduction In designing real-time systems, we often make assumptions about the behavior of the system and its environment. These assumptions take many forms, such as upper bounds on interprocess communication delay, deadlines on the execution of tasks, or minimum separations between occurrences of two events. They are often made to deal with the...
Conference Paper
The Salamander distribution system is a wide-area network data dissemination substrate that has been used daily for over a year by several groupware and webcasting Internet applications. Specifically, Salamander is designed to support push-based applications and provides a variety of delivery semantics. These semantics range from basic data deliver...
Article
Real-time systems are now being used for such applications as avionics, space projects, process control, financial market, telecommunication, and air traffic control systems. For these applications, data about the target environment must be continuously collected from the real world and processed in a timely manner to generate real-time responses....
Article
this paper focuses on application-level quality of service policies and the collaboratory's transport services. Flexible Application-Level QoS Policies Group Membership Service Group Synchronization Service Shared State Service Transport Service
Article
As software control of time-critical functions in embedded systems becomes more common, a means for the precise specification of their behavior and formal methods for analyzing system requirements become increasingly important. Modechart is a graphical specification language introduced to meet this need. The main focus of this paper is on methods a...
Article
We consider the problem of providing communication protocol support for large-scale group collaboration systems for use in environments such as the Internet which are subject to packet loss, wide variations in end-to-end delays, and transient partitions. We identify a set of requirements that are critical for the design of such group collaboration...
Article
Full-text available
This chapter illustrates the use of the Modechart specification language and the MT toolset by using them in the specification and analysis of the control rod system of a nuclear reactor. The specification language and an associated logic, RTL, are introduced, as is a tool for building specifications. Two approaches are then used to analyze the spe...
Article
Full-text available
We consider the problem of disseminating data generated in real-time to large groups of distributed users in group collaboration systems. We present an architecture based on the publish/subscribe paradigm to design communication services appropriate for large-scale group collaboration systems. In this model, one or more data sources or publishers s...
Conference Paper
Real-time applications typically operate under strict timing and dependability constraints. Although traditional data replication protocols provide fault tolerance, real-time guarantees require bounded overhead for managing this redundancy. This paper presents the design and evaluation of a window-consistent primary-backup replication service that...
Article
As software control of time-critical functions in embedded systems becomes more common, a means for the precise specification of their behavior becomes increasingly important. Modechart is a graphical specification language introduced to meet this need. This paper presents a method for verifying properties of systems specified in Modechart. The pro...
Article
As software control of time-critical functions in embedded systems becomes more common, a means for the precise specification of their behavior becomes increasingly important. Modechart is a graphical specification language introduced to meet this need. This paper presents a method for verifying properties of systems specified in Modechart. The pro...
Article
Full-text available
Present a specification language for real-time systems called Modechart. The semantics of Modechart is given in terms of real-time logic (RTL), which is especially amenable to reasoning about the absolute (real-time clock) timing of events. The semantics of Modechart has an important property that the translation of a Modechart specification into R...
Article
Embedded real-time systems often operate under strict timing and dependability constraints. To ensure responsiveness, these systems must be able to provide the expected services in a timely manner even in the presence of faults. In this paper, we describe a run-time environment for monitoring of timing constraints in distributed real-time systems....
Conference Paper
Fault-tolerance in real-time systems is defined informally as the ability of the system to deliver correct results in a timely manner even in the presence of faults. Large-scale embedded real-time systems are being built in diverse application ranging from avionics to plant automation and process control. These systems often operate under strict de...
Article
In this paper, we describe a run-time environment for monitoring distributed real-time systems. In particular, we focus on the problem of detecting violations of timing assertions in an environment in which the real-time tasks run on multiple processors, and timing constraints can be either inter-processor or intra-processor constraints. Constraint...
Article
With ever-increasing reliance on digital computers in embedded systems such as in space, avionics, manufacturing, and life-support monitoring/control applications, the need for dependable systems that deliver services in a timely manner has become crucial. Embedded systems often interact with the external environment and operate under strict timeli...
Conference Paper
The authors present a specification language called Modechart, which is especially amenable to the specification of real-time systems by graphical means. In addition to the behavioral description, Modechart permits the specification of timing constraints, an important element in real-time systems. A formal semantics for Modechart is provided in ter...
Article
This paper presents a graph-theoretic algorithm for safety analysis of a class of timing properties in real-time systems which are expressible in a subset of real time logic (RTL) formulas. Our procedure is in three parts: the first part constructs a graph representing the system specification and the negation of the safety assertion. The second pa...
Article
The authors formalize the safety analysis of timing properties in real-time systems. The analysis is based on a formal logic, RTL (real-time logic), which is especially suitable for reasoning about the timing behavior of systems. Given the formal specification of a system and a safety assertion to be analyzed, the goal is to relate the safety asser...
Article
. Ensuring that a system meets its prescribed specification is a growing challenge that confronts software developers and system engineers. Meeting this challenge is particularly important for distributed systems with strict dependability and timeliness constraints. This paper presents a technique, called script-driven probing and fault injection,...
Article
Ensuring that a distributed system with strict dependability constraints meets its prescribed specification is a growing challenge that confronts software developers and system engineers. This paper presents a technique for probing and fault injection of fault-tolerant distributed protocols. The proposed technique, called script-driven probing and...
Article
TCP, the de facto standard transport protocol in today's operating systems, is a very robust protocol that adapts to various network characteristics, packet loss, link congestion, and even significant differences in vendor implementations. This paper describes a set of experiments performed on six different vendor TCP implementations using ORCHESTR...
Article
Full-text available
Two widely-studied approaches for structuring faulttolerant services are the state-machine and the primarybackup replication schemes. For a large class of soft and hard real-time applications, the degree of consistency among servers can be exploited to design replication protocols with predictable timing behavior. This is particularly useful in app...
Article
A growing challenge confronting designers and implementors of safety-critical distributed systems is the evaluation and validation of dependability requirements. This paper address the problem of testing fault-tolerance capabilities of distributed protocols. It introduces a general framework for fault injection and testing of distributed systems an...
Article
This paper reports on orchestra, a portable fault injection environment for testing implementations of distributed protocols. The paper focuses on architectural features of orchestra that provide portability, minimize intrusiveness on target protocols, and support testing of real-time systems. orchestra is based on a simple yet powerful framework,...