Research Projects

2023

Current Project 3: Device to Device Least Privilege Access Control in 5G User Plane

As enterprises move from wired networks to 5G cellular, access control enforcement must migrate from the wired network into the 5G network. To achieve this, we define policies between enterprise end-hosts using the NGAC policy language and develop a custom policy network function in the 5G core that takes the NGAC policy, transforms the access control rules into a 5G-specified format, and feeds those rules into the Network Repository Function (NRF). This work is funded by the Office of Naval Research.

Current Project 2: Security Analysis of Next Generation Access Control

To analyze NIST Next Generation Access Control, we follow the application-independent approach; later, we will extend it to particular application scenarios (such as MSNetViews and NetViews). We want to verify that the interplay among policy classes is more restrictive than any individual policy class. We want to ensure that dynamic policy updates performed through obligations do not violate the access control policy's security properties. Furthermore, we envision formalizing the multi-tenant, multi-administration policy definition of NGAC. This work is also funded by the Office of Naval Research.

2022

In-submission Project: Geographically Distributed Management of Enterprise Network Security Policy

This work (funded by the Office of Naval Research) extends a single, globally-defined and managed, enterprise network security policy to many geographically distributed sites. Each site operates independently and enforces a least-information policy slice that is dynamically parameterized with user location as employees roam between sites. We build a prototype of MSNetViews and analyze performance. As such, we demonstrate the utility of SDN towards achieving zero trust for on-premises network resources, even for organizations with many geographically distributed sites.

2021

Removing the Reliance on Perimeters for Security using Network Views

Traditional enterprise security relies on network perimeters to define and enforce network security policies. Emerging application-focused Zero Trust architectures attempt to address this long-standing challenge by moving business applications to the cloud and performing enhanced identity and access control checks within a web gateway. However, these solutions ignore the security needs of workstations, development servers, and device management interfaces. In this work, we propose Network Views (abbrev. NetViews) for least-privilege network access control, where each host has a different, limited view of the other hosts and services within a network. We present an SDN-based design and demonstrate that our implementation has network latency and throughput comparable to baseline reactive forwarding. We further provide an optimization for multi-connection flows that significantly reduces both redundant access control checks and forwarding state storage in switches. As such, NetViews provides a practical primitive for removing the reliance on security perimeters within enterprise networks. This research project is funded by the Office of Naval Research. This paper won the Best Student Paper award at SACMAT 2022. While completing this project I mentored three MSc students and one undergraduate student.
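The three projects above share one mechanism: a host-to-host policy expressed as an NGAC graph, evaluated so that a request is allowed only when every policy class containing the target grants it, and each host's resulting "network view" is the set of services it can reach. The following is an added illustration written for this page, not code from the NGAC, NetViews or MSNetViews projects. It builds a small policy graph (the host names, attributes and policy classes are constructed for the example), evaluates NGAC-style decisions, and shows the property the Security Analysis project aims to verify: the decision under two policy classes together is never more permissive than under either one alone.

```python
"""NGAC-style decisions over a constructed device-to-device policy graph."""
from collections import deque


class PolicyGraph:
    """Minimal NGAC-style policy graph (constructed for this example).

    Nodes are users, objects, user/object attributes and policy classes.
    Assignment edges express containment; associations grant operations.
    """

    def __init__(self):
        self.parents = {}        # node -> set of nodes it is assigned to
        self.associations = []   # (user_attr, frozenset(ops), object_attr)
        self.policy_classes = set()

    def add_policy_class(self, pc):
        self.policy_classes.add(pc)
        self.parents.setdefault(pc, set())

    def assign(self, child, parent):
        # child is contained in parent (user->UA, object->OA, attr->attr, attr->PC)
        self.parents.setdefault(child, set()).add(parent)
        self.parents.setdefault(parent, set())

    def associate(self, user_attr, ops, object_attr):
        self.associations.append((user_attr, frozenset(ops), object_attr))

    def containers(self, node):
        """Every node reachable from node via assignment edges, node included."""
        seen, queue = {node}, deque([node])
        while queue:
            for parent in self.parents.get(queue.popleft(), ()):
                if parent not in seen:
                    seen.add(parent)
                    queue.append(parent)
        return seen

    def decide(self, user, op, obj, only_classes=None):
        """NGAC rule: allow iff every policy class containing obj has an
        association that grants op to user on obj.  only_classes restricts
        the check to a subset of policy classes (to compare them in isolation)."""
        required = self.containers(obj) & self.policy_classes
        if only_classes is not None:
            required &= set(only_classes)
        if not required:
            return False  # unknown object, or outside every considered class: deny
        user_side = self.containers(user)
        obj_side = self.containers(obj)
        granted = set()
        for ua, ops, oa in self.associations:
            if ua in user_side and op in ops and oa in obj_side:
                # the association covers every policy class above its object attribute
                granted |= self.containers(oa) & self.policy_classes
        return required <= granted

    def view(self, user, objects, ops):
        """The host's network view: the (op, object) pairs it may reach."""
        return sorted((op, o) for o in objects for op in ops if self.decide(user, op, o))


def build_demo():
    """Constructed two-class policy: a role class and a location class."""
    g = PolicyGraph()
    g.add_policy_class("RoleAccess")
    g.add_policy_class("Location")
    # user side: two engineering workstations, one on site and one remote
    for ws in ("ws1", "ws2"):
        g.assign(ws, "Engineers")
    g.assign("ws1", "OnSite")
    g.assign("ws2", "Remote")
    g.assign("Engineers", "RoleAccess")
    g.assign("OnSite", "Location")
    g.assign("Remote", "Location")
    # object side: git lives in both classes, the printer only in the role class
    g.assign("git", "EngServers")
    g.assign("git", "Internal")
    g.assign("printer", "EngServers")
    g.assign("EngServers", "RoleAccess")
    g.assign("Internal", "Location")
    # associations: role grants ssh+https; location grants ssh only when on site
    g.associate("Engineers", {"ssh", "https"}, "EngServers")
    g.associate("OnSite", {"ssh", "https"}, "Internal")
    g.associate("Remote", {"https"}, "Internal")
    return g


if __name__ == "__main__":
    g = build_demo()
    print("ws2 ssh git, RoleAccess alone:", g.decide("ws2", "ssh", "git", {"RoleAccess"}))
    print("ws2 ssh git, both classes:   ", g.decide("ws2", "ssh", "git"))
    for host in ("ws1", "ws2", "ws3"):
        print(host, "view:", g.view(host, ["git", "printer"], ["ssh", "https"]))
```

Under the role class alone, ws2 may ssh to git; once the location class is added the same request is denied, while ws2 keeps https to git and full access to the printer, which is governed by the role class only. An unassigned host (ws3) sees nothing, which is the least-privilege default NetViews relies on.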

2020

Role-Based Deception in Enterprise Networks

Historically, enterprise network reconnaissance has been an active process, often involving port scanning. However, as routers and switches become more complex, they also become more susceptible to compromise. From this vantage point, an attacker can passively identify high-value hosts such as the workstations of IT administrators, C-suite executives, and finance personnel. The goal of this paper is to develop a technique to deceive and dissuade such adversaries. We propose HoneyRoles, which uses honey connections to build metaphorical haystacks around the network traffic of client hosts belonging to high-value organizational roles. The honey connections also act as network canaries that signal network compromise, thereby dissuading the adversary from acting on information observed in network flows. We design a prototype implementation of HoneyRoles as an OpenFlow SDN controller and evaluate its security using the PRISM probabilistic model checker. Our performance evaluation shows that HoneyRoles has a small effect on network request completion time, and our security analysis demonstrates that once an alert is raised, HoneyRoles can quickly identify the compromised switch with high probability. In doing so, we show that role-based network deception is a promising approach for defending against adversaries in compromised network devices. This project was also funded by the Army Research Office.

2019

Optimizing Vulnerability-Driven Honey Traffic Using Game Theory

Enterprises are increasingly concerned about adversaries that slowly and deliberately exploit resources over the course of months or even years. A key step in this kill chain is network reconnaissance, which has historically been active (e.g., network scans) and therefore detectable. However, new networking technology increases the possibility of passive network reconnaissance, which is largely undetectable by defenders. In this paper, we propose Snaz, a technique that uses deceptively crafted honey traffic to confound the knowledge gained through passive network reconnaissance. We present a two-player non-zero-sum Stackelberg game model that characterizes how a defender should deploy honey traffic in the presence of an adversary who is aware of Snaz. In doing so, we demonstrate the existence of optimal defender strategies that either dissuade an adversary from acting on real vulnerabilities observed within network traffic, or reveal the adversary's presence when it unknowingly attacks an intrusion detection node. This was a collaborative effort between North Carolina State University and The University of Texas at El Paso, funded by the Army Research Office.

2017

Traffic-load aware spectrum allocation in cloud assisted cognitive radio networks

With diverse technological advancements, the need for opportunistic spectrum usage is increasing rapidly to address the growing scarcity of available spectrum. A Cloud-assisted Cognitive Radio Network (CCRN) offers large computation and storage resources for handling heterogeneous spectrum usage decisions. In this paper, we develop a traffic-load-aware channel allocation mechanism for secondary users with respect to their application Quality-of-Service (QoS) requirements. A channel ranking based on historical analysis is also formulated, accounting for both availability prediction and transmission quality. The simulation results demonstrate the effectiveness of our allocation scheme compared to state-of-the-art works. I advised two undergraduate students at the Green Networking Research (GNR) Group, University of Dhaka, who fulfilled their undergraduate thesis requirement through this research effort.

Tradeoff between user quality-of-experience and service provider profit in 5G cloud radio access network

In recent years, the Cloud Radio Access Network (CRAN) has become a promising solution for increasing network capacity, in terms of high data rates and low latencies, for fifth-generation (5G) cellular networks. In CRAN, the traditional base stations (BSs) are decoupled into remote radio heads (RRHs) and baseband units (BBUs), which are respectively responsible for radio and baseband functionalities. The RRHs are geographically distributed, whereas the BBUs are pooled in a centralized cloud named the BBU pool. This virtualized architecture enables the system to handle the high computation and communication loads arising from the rapid growth of mobile devices and applications. Heterogeneous service requests from the devices to different RRHs are now sent to the BBUs for central processing. Meeting the baseband processing demands of heterogeneous requests while satisfying their Quality-of-Service (QoS) requirements with limited computational resources, and at the same time enhancing service provider profit, is a challenging multi-constraint problem. In this work, a multi-objective non-linear programming solution to the Quality-of-Experience (QoE) and Profit-aware Resource Allocation problem is developed that trades off between the two. Two computationally viable scheduling algorithms, named First Fit Satisfaction and First Fit Profit, are developed to maximize user QoE and profit, respectively, while keeping the other at its minimum required level. The simulation environment is built on a relevant simulation toolkit. The experimental results demonstrate that the proposed system outperforms state-of-the-art works in request QoS, average waiting time, user QoE, and service provider profit. I mentored Mahbuba Afrin in her MSc thesis requirement. I continued to work with Dr. Abdur Razzaque in the Green Networking Research (GNR) Group, University of Dhaka.

2016

Medium Access Control Protocol for Coexisting Cognitive Radio Networks

Opportunistic selection of a licensed channel by a secondary user (SU), and its contention for data transmission, is a challenging problem in coexisting cognitive radio networks (CCRNs). This is caused by the presence of many SUs from different CRNs in a shared environment, and the problem is further intensified when user applications with heterogeneous quality-of-service (QoS) requirements require prioritized access to the opportunistic spectrum. State-of-the-art protocols did not address the problem of efficient coexistence under both dynamic spectrum availability and prioritized medium access. In this paper, a weighted fair medium access control protocol, namely WF-MAC, is developed for overlay CR networks that gives users proportionate access to the opportunistic spectrum according to their application QoS requirements. Channel availability prediction using an autoregression (AR) model and channel utility perception using an exponentially weighted moving average (EWMA) enable WF-MAC to achieve more stable and fair access to the opportunistic spectrum. Our simulation results show the efficiency of the proposed WF-MAC protocol in achieving better spectrum utilization, weighted fairness, throughput, and medium access delay compared to state-of-the-art protocols. This project was done as my graduate (MSc) thesis requirement. I worked as a graduate research assistant in the Green Networking Research (GNR) Group, under the supervision of Dr. Abdur Razzaque, at the University of Dhaka. This work was funded by the Ministry of Information and Computer Technology, Bangladesh.

2013

Traffic priority and load adaptive MAC protocol for QoS provisioning in body sensor networks

Body sensor networks (BSNs) carry heterogeneous traffic types with diverse QoS requirements, such as delay, reliability and throughput. In this paper, we design a priority-based, traffic-load-adaptive medium access control (MAC) protocol for BSNs, namely PLA-MAC, which addresses the aforementioned requirements while maintaining efficiency in power consumption. In PLA-MAC, we classify sensed data packets according to their QoS requirements and calculate their priorities accordingly. The transmission schedules of the packets are determined based on their priorities. Also, the superframe structure of the proposed protocol varies with the amount of traffic load and thereby ensures minimal power consumption. Our performance evaluation shows that PLA-MAC achieves significant improvements over state-of-the-art protocols. This project was done as my undergraduate thesis requirement, under the supervision of Dr. Abdur Razzaque. I worked as an undergraduate research assistant in the Green Networking Research (GNR) Group, University of Dhaka.