WPI – Computer Science Department
Monday, December 6, 2021
Time: 10:00 a.m. – 12:00 p.m.
Location: Beckett Conference Room / Fuller Labs
Prof. Craig A. Shue, Dissertation Advisor – WPI – Computer Science
Prof. Mark L. Claypool, WPI – Computer Science
Prof. Tian Guo, WPI – Computer Science
Dr. Kerry A. McKay
(External committee member from National Institute of Standards and Technology, NIST)
With more households subscribing to Internet services, and with the growth of the Smart Home paradigm and the Internet of Things (IoT), there are more assets that need protection in home networks. However, many manufacturers produce devices with weak security. From hardware to software, these devices expose attack surfaces that attackers can easily exploit. Attacks may cause sensitive information exposure and even physical device damage. Further, compromised devices can join a botnet to launch attacks on other targets, such as distributed denial-of-service (DDoS) attacks. Under today's Internet infrastructure, such attacks are hard to track and block effectively from the victim's side, and they also degrade residents' service at the origin. Finally, home network owners usually lack expert computer security knowledge. With the limited security features provided by home network gateways, home network security tools are unable to provide adequate protection.
This dissertation focuses on utilizing software-defined networking (SDN) and network function virtualization (NFV) techniques to achieve an enterprise-network level of security in home networks. We use those techniques to enable traffic inspection and labeling. Within the home network, we propose a series of methods to enhance security for IoT and roaming mobile devices and their communications. We also utilize existing devices to deploy a powerful computational platform for traffic inspection, comparable to an enterprise-grade firewall, in residential networks.
Outside the individual home network, we use SDN and NFV to provide flow-level identifiers that allow remote application servers to accurately authenticate users from a residential network, despite the shared and dynamic IP addresses introduced by carrier-grade NAT. We study and utilize these identifiers to mitigate distributed denial-of-service (DDoS) attacks at the source, to prevent residential network users from suffering account lockout attacks, and to remove the need for a virtual private network (VPN), which can be cumbersome, while retaining a similar level of security.