Paradigm-Based Routing & Switching System for Data Interception Attacks

Ke Xu, Yu Dong Zhao*, Wen Long Chen, Meng Shen, Lei Xu

*Corresponding author for this work

Research output: Contribution to journal › Article › peer-review

5 Citations (Scopus)

Abstract

In recent years, network attacks in which adversaries exploit router/switch vulnerabilities to perform data interception have continued to be exposed, which highlights the importance of secure communication within core networks. As the most affected victims, users and Internet Service Providers have little control over router vulnerabilities, so such attacks are always performed through low-cost, unidirectional, concealed mechanisms and are difficult to recognize, let alone restrain. Researchers have proposed many solutions, and most of them are able to prevent or mitigate data interception attacks (DIAs); however, it is our humble opinion that these solutions either fit only specific core networks and specific types of DIAs or are difficult to implement. To the best of our knowledge, there is still no security-complete, universal and easily implementable mechanism for defending against data interception attacks. Based on an analysis of all possible abnormal behaviors that vulnerable routers and switches perform, this paper designs and implements a static routing and switching paradigm, a paradigm-based detection algorithm, and a detector model to recognize paradigm-violating output packets. It proves that the routing and switching paradigm is security complete with respect to data interception attacks. In addition, all rules of the paradigm are universally applicable to TCP/IP networks, the detector is designable, and paradigm violations are detectable. The detection algorithm is optimized for high performance. Based on simulations, we show that not only can 100% of normal packets pass through the optimized paradigm-based detector, but about 99.92% of intercepting ones would also be caught. In addition, the throughput of the detected routers/switches can reach the Gbps level.

Original language: English
Pages (from-to): 1649-1663
Number of pages: 15
Journal: Jisuanji Xuebao/Chinese Journal of Computers
Volume: 40
Issue number: 7
Publication status: Published - 1 Jul 2017

Keywords

  • Core network
  • Data interception attacks
  • Paradigm-based routing and switching system
  • Paradigm-violations detector
  • Vulnerabilities
