The "Spread Identity (SI)" Paradigm
The SI paradigm evolved from the "Dynamic Transport Selection (DTS)"
project, which was sponsored by Aether Systems Inc; to investigate the
following problem: Given "n" multiple data transport services(channels),
how to dynamically select any "k" out of the n available channels
in order to optimize a set of goals, such as maximize the bandwidth;
minimize the overall cost (ex using using Wi-Fi whenever
possible, vs. using cell-phone service);
in data streaming scenarios (audio, video or stream of
stock quotes, weather conditions, etc.) minimize the jitter, etc...
This turns out to be an
interesting Pareto-optimization problem.
DTS naturally led to the question: How can the multiple network interfaces
and transport channels (that are widely available today) be
to enhance the security of communications?
Inspired by the spectacular success of the "Spread Spectrum" techniques at
the physical layer, I developed
the "Spread Identity" paradigm for the network layer (which is the
3rd layer of the networking stack; in the context of the Internet,
it is the "IP" layer). Since the identity of a communicating entity at the
IP layer is its IP address, SI deliberately "spreads" the identity of
a host across multiple IP addresses and vice-versa, i.e., multiple
hosts are assigned the same IP address to support multiple concurrent
data flows, as long as the peer-ends are distinguishable.
Perimeter gateways (which we call SI gateways) that perform
Double-NAT(Network Address Translation) are leveraged, together with
the DNS (Domain Name Service
which translates a string such as "linuxserver2.cs.umbc.edu" into the
corresponding IP address "188.8.131.52") for the purpose of achieving the
The mapping between host identities and IP addresses is deliberately
made to appear as many-to-may when viewed from either side of
the SI gateway (only the SI gateway knows the underlying one-to-one
The end result is an extremely robust, fully backward compatible and
therefore incrementally deployable framework which leads to the following
The dynamically created (source-address,destination-address) NAT entry
can be leveraged as a dynamic access control token or as
a flow marker. Note that a destination address cannot be
spoofed (otherwise the payload will not reach the intended target host).
Therefore leveraging the destination address as a flow marker
enormously simplifies tracking, processing and filtering of flows.
- As a result, abnormal behavior (and therefore potentially malicious
activity) can be identified extremely fast, simply by a "token-matching"
at the SI gateways. This in-turn leads to ultra-fast intrusion
detection as well as prevention in a large number of scenarios.
- SI enables multi-level, multi-pronged robust defenses and
even offenses against Denial of Service (DoS) attacks.
- SI completely resolves the problem of IPv4 address scarcity.
- SI substantially enhances network-traceback capability
- The response to a DNS query is sent to the source address
in the query. If this source address is spoofed, the DNS response will not
reach the real source of the query. As a result,
the adversary cannot learn the (dynamically
generated) destination address (i.e., cannot get an access token)
and cannot reach the
in order to learn the destination address the adversary must expose
the last hop bot (the host which sends the DNS query).
- Several other proactive traceback mechanisms are enabled by SI
for example, Identity-baiting (forcing the attackers to follow a
dynamic sequence of destination addresses), Identity-traps
herding the attackers into a corner of the name-space and
redirecting them to specially provided honey-pots, etc.
for further details, see the publication links below
- It can yield TOR (The Onion Routing) like anonymity in
hardware-box (if the SI gateway is implemented entirely in hardware
and the internal NAT entries are deleted after their use and
not exposed anywhere outside the hardware box) with all
the anonymity advantages of TOR but none of the disadvantages
(such as long connection as well as data transfer delays....)
- SI is extremely important and relevant in the huge address
space of IPv6 protocol (it helps minimize the routing-table sizes
in core routers).
- All the above unique advantages are enabled simultaneously
with other well-known benefits of "dynamic indirection", such as
load-balancing, enhanced support for host mobility, etc.
The theoretical contributions of this work are the following:
- The two well-known and fundamental principles, viz.
(a) The principle of Indirection
(b) The End-to-End principle
are conflicting attributes in many scenarios (ex: the Internet).
This happens because the End-to-End principle implies a flat organization
with all peer entities deemed to be at the same (logical) level,
the principle of indirection necessarily implies a "hierarchical"
organization of the entities.
- Our work demonstrates that the best way to reconcile these
conflicting attributes is to confine indirections to the
perimeter/edge entities, so that the End-to-End attribute
is slightly compromised and becomes an Edge-to-Edge attribute.
- The principle of Dynamic Spreading
(includes Shrinking) of Identity
(which says that whenever translating Name-Spaces, the
mappings should be deliberately made to appear many-to-many
to all entities except one or two trusted (edge) entities that do the actual
is an equally
fundamental and independent principle in its own right.
Together with the Edge-to-Edge principle and the principle of
Indirection, it forms a 3-legged foundation for
For more details see the publications below
- D. S. Phatak,
"Spread-Identity mechanisms for DOS resilience and Security",
Proceedings of the IEEE SecureComm 2005, Athens, Greece.
D. S. Phatak,
"Spread Identity Communications Architecture",
U.S. Patent No. 7,853,680 B2,   Date of
issue: 14th December 2010.
D.S. Phatak, A.T. Sherman, N. Joshi, B. Sonawane, V. Relan and A. Dhawalbhakta,
"Spread Identity : A New Dynamic Address Remapping
Mechanism for Anonymity and DDoS Defense, In the
Journal of Computer Security ,   Volume 21, Issue 2,
March 2013, pp 233-281.
D. S. Phatak,
"Spread Identity Communications Architecture",
U.S. Patent No. US 8,606,898 B1,   Date of
issue: 10th December 2013.
Last update: June, 2014