Network Security

GINSU: Guaranteed Internet Stack Utilization

The goal of the GINSU project is to guarantee network accessibility by an end-host, even in the event of an attempted denial-of-service attack. To provide this guarantee of accessibility, we plan a paradigmatic shift in end-host behavior. Formerly, the network stack acted in eager complaisance with the requests of the application program and the network; applications and network traffic were assumed to be safe and well behaved, and the stack's responsibility was merely to "be liberal in receiving and conservative in sending." With the advent of Distributed Denial of Service (DDoS) attacks, Code Red-type worms, and other malicious network agents, it is no longer the case that both the network and the application are well behaved. Indeed, the recent Code Red outbreak shows that a compromised application and the passive network can both be seen as malicious agents.

GINSU shifts from the paradigm of trusting the network and the application to one of protecting the application and the network from each other. To this end we will re-architect an existing operating system's network stack based on a stack-slice paradigm, with flow-based, fine-grained resource monitoring and management features. We will incorporate advanced traffic categorization mechanisms early into the processing stream. We will provide tools and guidelines for administration and deployment of this system to defeat contemporary attacks, both by protecting the application from hostile network activity and by protecting the network from compromised applications. Finally, we expect to demonstrate the GINSU system as part of a collaborative experiment in DDoS defense and tolerance.

See the DARPA Quad Chart for additional information.