105-107 Forsyth Street
132F Nightingale Hall
Boston, MA 02115
ATTN: Alden Jackson, 202 WVH
360 Huntington Avenue
Boston, MA 02115-5000
- Software-defined network architecture
- Network security
- PhD, University of Delaware
Alden Jackson is an associate clinical professor at Khoury College of Computer Sciences. He is interested in software-defined network architecture, network security, reliability and robustness of massively distributed systems, network protocol design and implementation, and network traffic analysis and monitoring.
Before joining Northeastern, Jackson was a senior architect at Akamai Technologies. He was responsible for improving the scalability and reliability of the systems that safely distributed customer and system configuration metadata in Akamai’s production network to over 200,000 servers worldwide. Before he worked with Akamai, Jackson was a senior network scientist at BBN Technologies. He also worked at Sandia National Laboratories, where he was a principal investigator on US Government (DARPA, DHS HSARPA, AFOSR, DOE) and commercially funded R&D projects in the areas of attack traceback, network traffic analysis and monitoring, network security, active networking, software-defined network architecture, high-speed network architecture, satellite packet switching, and optical network control plane.
D. Ellard, C. Jones, V. Manfredi, W. T. Strayer, B. Thapa, M. Van Welie and A. Jackson, "Rebound: Decoy routing on asymmetric routes via error messages," 2015 IEEE 40th Conference on Local Computer Networks (LCN), Clearwater Beach, FL, 2015, pp. 91-99.
Decoy routing is a powerful circumvention mechanism intended to provide secure communications that cannot be monitored, detected, or disrupted by a third party who controls the user’s network infrastructure. Current decoy routing protocols have weaknesses, however: they either make the unrealistic assumption that routes through the network are symmetric (i.e., the router implementing the decoy routing protocol must see all of the traffic, in both directions, from each connection it modifies), or their protocol requires modifying the route taken by packets in connections that use the protocol, and these route changes are detectable by a third party. We present Rebound, a decoy routing protocol that tolerates asymmetric routes without modifying the route taken by any packet that passes through the decoy router, making it more difficult to detect or disrupt than previous decoy routing protocols.
I. Baldine, A. W. Jackson, J. Jacob, W. Leland, J. Lowry, W. Milliken, P. Pal, S. Ramanathan, K. Rauschenbach, C. Santivanez, and D. Wood, “PHAROS: An Architecture for Next-generation Core Optical Networks,” in Next Generation Internet Architectures and Protocols, B. Ramamurthy, G. Rouskas, and K. Sivalingam (Eds.), Cambridge University Press, pp. 154-178, 2011.
The last decade has seen some dramatic changes in the demands placed on core networks. Data has permanently replaced voice as the dominant traffic unit. The growth of applications like file sharing and storage area networking took many by surprise. Video distribution, a relatively old application, is now being delivered via packet technology, changing traffic profiles even for traditional services.
The shift in dominance from voice to data traffic has many consequences. In the data world, applications, hardware, and software change rapidly. We are seeing an unprecedented unpredictability and variability in traffic patterns. This means network operators must maintain an infrastructure that quickly adapts to changing subscriber demands, and contain infrastructure costs by efficiently applying network resources to meet those demands.
Current core network transport equipment supports high-capacity global-scale core networks by relying on higher speed interfaces such as 40 and 100 Gb/s. This is necessary but in and of itself not sufficient. Today, it takes considerable time and human involvement to provision a core network to accommodate new service demands or exploit new resources. Agile, autonomous resource management is imperative for the next-generation network.
Today’s core network architectures are based on static point-to-point transport infrastructure. Higher-layer services are isolated within their place in the traditional Open Systems Interconnection (OSI) network stack. While the stack has clear benefits in collecting conceptually similar functions into layers and invoking a service model between them, stovepiped management has resulted in multiple parallel networks within a single network operator’s infrastructure.
J. Karlin, D. Ellard, A. W. Jackson, C. E. Jones, G. Lauer, D. P. Mankins, and W. T. Strayer. Decoy Routing: Toward Unblockable Internet Communication. In USENIX Workshop on Free and Open Communications on the Internet, Aug. 2011.
We present decoy routing, a mechanism capable of circumventing common network filtering strategies. Unlike other circumvention techniques, decoy routing does not require a client to connect to a specific IP address (which is easily blocked) in order to provide circumvention. We show that if it is possible for a client to connect to any unblocked host/service, then decoy routing could be used to connect them to a blocked destination without cooperation from the host. This is accomplished by placing the circumvention service in the network itself (where a single device could proxy traffic between a significant fraction of hosts) instead of at the edge.
A. Jackson, D. Lapsley, C. Jones, M. Zatko, C. Golubitsky, and W. T. Strayer, “SLINGbot: A System for Live Investigation of Next Generation Botnets”, Proceedings of 3rd IEEE Symposium on Cybersecurity Applications and Technology for Homeland Security (CATCH 2009), Washington, DC, March 3-4, 2009.
There is an urgent need for a pro-active approach to botnet detection and mitigation that will enable computer network defenders to characterize emerging and future botnet threats and design effective defense techniques before these threats materialize. To this end, we have developed a system for live investigation of next generation bots (SLINGbot). SLINGbot is an extensible, composable bot framework that enables researchers to construct benign bots for the purposes of generating and characterizing botnet command and control (C2) traffic. This enables researchers to simulate current and potential future botnet traffic, characterize it, and design effective defense techniques. In this paper, we describe the SLINGbot system and how it can be used for the pro-active development of botnet defenses.
A. W. Jackson, W. Milliken, C. A. Santivanez, M. Condell and W. T. Strayer, “A Topological Analysis of Monitor Placement,” Proceedings of the 6th IEEE International Symposium on Network Computing and Applications (IEEE NCA07), Cambridge, MA, July 12-14, 2007.
The Internet is an extremely complex system, and it is essential that we be able to make accurate measurements in order to understand its underlying behavior or to detect improper behavior (e.g., attacks). The reality, however, is that it is impractical to fully instrument anything but relatively small networks and impossible to even partially instrument many parts of the Internet. This paper analyzes a subset of the general monitor placement problem where the goal is to maximize the coverage of the entire universe of potential communication pairs (i.e., source and destination are randomly distributed in the routable Internet address space). This issue arises, for example, when trying to detect/track a distributed attack. We present results from a simulation, seeded with data from skitter and RouteViews, that indicate we can monitor a packet with a high probability by monitoring relatively few points in the Internet. Our analysis suggests that the preferred strategy to place monitors should be to instrument one or two specific inter-AS links per AS for many ASes rather than deeply instrumenting a subset of the largest ASes.
W. Timothy Strayer, Christine Jones, Beverly Schwartz, Sarah Edwards, Walter Milliken, and Alden Jackson, “Efficient Multi-Dimensional Flow Correlation,” Proceedings of the 32nd IEEE Conference on Local Computer Networks (LCN 2007), Dublin, Ireland, October 15-18, 2007.
Flow correlation algorithms compare flows to determine similarity, and are especially useful and well studied for detecting flow chains through “stepping stone” hosts. Most correlation algorithms use only one characteristic and require all values in the correlation matrix (the correlation value of all flows to all other flows) to be updated on every event. We have developed an algorithm that tracks multiple (n) characteristics per flow, and requires updating only the flow’s n values upon an event, not all the values for all the flows. The n correlation values are used as coordinates for a point in n-space; two flows are considered correlated if there is a very small Euclidean distance between them. Our results show that this algorithm is efficient in space and compute time, is resilient against anomalies in the flow, and has uses outside of stepping stone detection.
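An added illustration in Python (not code from the paper) of the scheme the abstract describes: each flow keeps only its own n running characteristics, which are updated on that flow's events alone, and two flows are flagged as correlated when the Euclidean distance between their points in n-space is small. The three characteristics, their scales, the threshold and the packet events are assumptions constructed for this example; the paper's actual characteristics are not given on this page.

```python
import math
from itertools import combinations

# Assumed characteristics (not the paper's): mean packet size (bytes),
# mean inter-arrival gap (s), mean packet rate (pkt/s). Each coordinate is
# divided by a scale so the n-space axes are comparable.
SCALES = (100.0, 0.1, 10.0)

class FlowState:
    """Incrementally maintained n-dimensional point for one flow."""
    def __init__(self):
        self.count = 0
        self.total_bytes = 0
        self.first_ts = None
        self.last_ts = None

    def update(self, ts, size):
        # An event touches only this flow's n values, not an all-flows matrix.
        self.count += 1
        self.total_bytes += size
        if self.first_ts is None:
            self.first_ts = ts
        self.last_ts = ts

    def point(self):
        mean_size = self.total_bytes / self.count
        span = self.last_ts - self.first_ts
        mean_gap = span / (self.count - 1) if self.count > 1 else 0.0
        rate = self.count / span if span > 0 else 0.0
        return tuple(v / s for v, s in zip((mean_size, mean_gap, rate), SCALES))

def euclid(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

def process(events):
    """events: iterable of (timestamp, flow_id, packet_size); returns flow states."""
    flows = {}
    for ts, fid, size in events:
        flows.setdefault(fid, FlowState()).update(ts, size)
    return flows

def correlated_pairs(flows, threshold):
    """Flow-id pairs whose points lie within `threshold` of each other."""
    pts = {fid: f.point() for fid, f in flows.items()}
    return sorted((a, b) for a, b in combinations(sorted(pts), 2)
                  if euclid(pts[a], pts[b]) < threshold)

# Constructed sample: the inbound hop "in" and relayed hop "out" through a
# stepping stone mirror each other with a 10 ms delay; "bulk" is unrelated.
EVENTS = [(0.00, "in", 64), (0.01, "out", 64), (0.50, "in", 80), (0.51, "out", 80),
          (1.00, "in", 72), (1.01, "out", 72), (1.50, "in", 64), (1.51, "out", 64),
          (0.00, "bulk", 1400), (0.02, "bulk", 1400), (0.04, "bulk", 1400), (0.06, "bulk", 1400)]
```

Running `correlated_pairs(process(EVENTS), 0.5)` pairs the two stepping-stone hops and leaves the bulk transfer alone.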
Partridge, C., D. B. Cousins, A. W. Jackson, R. Krishnan, T. Saxena, and W. Timothy Strayer, "Using Signal Processing to Analyze Wireless Data Traffic," Proceedings of the 1st ACM Workshop on Wireless Security (WiSe), Atlanta, GA, USA, September 28, 2002.
Experts have long recognized that theoretically it was possible to perform traffic analysis on encrypted packet streams by analyzing the timing of packet arrivals (or transmissions). We report on experiments to realize this possibility using basic signal processing techniques taken from acoustics to perform traffic analysis on encrypted transmissions over wireless networks. While the work discussed here is preliminary, we are able to demonstrate two very interesting results. First, we can extract timing information, such as round-trip times of TCP connections, from traces of aggregated data traffic. Second, we can determine how data is routed through a network using coherence analysis. These results show that signal processing techniques may prove to be valuable network analysis tools in the future.
B. Schwartz, A.W. Jackson, W.T. Strayer, W. Zhou, D. Rockwell, and C. Partridge. Smart Packets: Applying Active Networks to Network Management. ACM Transactions on Computing Systems, 18(1), February 2000.
Smart Packets is a DARPA-funded Active Networks project focusing on applying active networks technology to network management and monitoring without placing undue burden on the nodes in the network. Messages in active networks are programs that are executed at nodes on the path to one or more target hosts. Smart Packets programs are written in a tightly-encoded, safe language specifically designed to support network management and avoid dangerous constructs and accesses. Smart Packets improves the management of large complex networks by (1) moving management decision points closer to the node being managed, (2) targeting specific aspects of the node for information rather than exhaustive collection via polling, and (3) abstracting the management concepts to language constructs, allowing nimble network control. This paper introduces Smart Packets and describes the Smart Packet architecture, the packet formats, the language and its design goals, and security considerations.
C. Partridge, A.W. Jackson, W.T. Strayer, and B. Schwartz. Active Networking and End-to-End Arguments. IEEE Network, 12(3), July/August 1998.
This article is a collection of short commentaries by recognized networking experts offering their perspectives on the relation between active networks and “end-to-end arguments”. The first commentary, by Bhattacharjee, Calvert, and Zegura, frames the question and makes a case arguing that active networking does not conflict with end-to-end argument principles. These authors are leading a research group at Georgia Institute of Technology working on the CANEs (composable active network elements) project, which focuses on service composition and applications for active networking. They also participate in the DARPA active network community’s efforts to define network/node and service composition architectures. The second commentary, by Partridge, Strayer, Schwartz, and Jackson, claims that end-to-end arguments discourage active networking in the Internet layer, but encourage active networking at all other layers except perhaps the transport layer. The BBN Technologies (part of GTE Corp.) team has completed a DARPA project called Smart Packets, where concisely encoded active packets are used for network management and diagnostics in IP. Reed, Saltzer, and Clark reexamine their original end-to-end arguments specifically within the context of active networks.
T. Chen and A.W. Jackson, ed. Special Issue on Active and Programmable Networks. IEEE Network, 12(3), July/August 1998.