Research Interests
My research interests are broadly in computer networks
and security. My Ph.D. dissertation focused on new Internet
architecture design. In my graduate career, I performed large-scale
measurements on the Web, routing, and DNS infrastructure. I am now
examining network security and efforts to combat the insider attack
threat. In my work, I use an experimental approach to solve practical
problems.
In graduate school, I worked in the Networking Research Group
with my research advisor, Professor Minaxi Gupta. I now work
as a Cyber Security Research Scientist at the Oak Ridge National Laboratory.
Publications
Book Chapters
- Minaxi Gupta, Craig A. Shue, "Spoofing and Countermeasures," Book chapter in Phishing and Countermeasures: Understanding the Increasing Problem of Electronic Identity Theft, edited by Jakobsson and Myers, published by Wiley, ISBN: 0-471-78245-9, 2006.
Journal Articles
- Craig A. Shue, Minaxi Gupta, Matthew P. Davy, "Packet Forwarding with Source Verification," Computer Networks, vol. 52, issue 8, pages 1567-1582, Jun. 2008.
Routers in the Internet do not perform any verification of the source IP address contained in the packets, leading to the possibility of IP spoofing. The lack of such verification opens the door for a variety of vulnerabilities, including denial-of-service (DoS) and man-in-the-middle attacks. Currently proposed spoofing prevention approaches either focus on protecting only the target of such attacks and not the routing fabric used to forward spoofed packets, or fail under commonly occurring situations like path asymmetry. With incremental deployability in mind, this paper presents two complementary hop-wise packet tagging approaches that equip the routers to drop spoofed packets close to their point of origin. Our simulations show that these approaches dramatically reduce the amount of spoofing possible even under partial deployment.
Conferences and Workshops
- Craig A. Shue, Andrew J. Kalafut, Minaxi Gupta, "A Unified Approach to Intra-Domain Security," IEEE International Symposium on Secure Computing (SecureCom), Aug. 2009.
While a variety of mechanisms have been developed for securing individual intra-domain protocols, none address the issue in a holistic manner. In this work, we develop a unified framework to secure prominent networking protocols within a single domain. We begin with a secure version of the DHCP protocol, which has the additional feature of providing each host with a certificate. We then leverage these certificates to secure ARP, prevent spoofing within the domain, and secure SSH and VPN connections between the domain and hosts which have previously interacted with it locally. In doing so, we also develop an incrementally deployable public key infrastructure which can later be leveraged to support inter-domain authentication.
- Craig A. Shue, Minaxi Gupta, John J. Lubia, Chin Hua Kong, and Asim Yuksel, "Spamology: A Study of Spam Origins," Conference on Email and Anti Spam (CEAS), 2009.
The rise of spam in the last decade has been staggering, with the rate of spam exceeding that of legitimate email. While conjectures exist on how spammers gain access to email addresses to spam, most work in the area of spam containment has either focused on better spam filtering methodologies or on understanding the botnets commonly used to send spam. In this paper, we aim to understand the origins of spam. We post dedicated email addresses to record how and where spammers go to obtain email addresses. We find that posting an email address on public Web pages yields immediate and high-volume spam. Surprisingly, even simple email obfuscation approaches are still sufficient today to prevent spammers from harvesting emails. We also find that attempts to find open relays continue to be popular among spammers. The insights we gain on the use of Web crawlers used to harvest email addresses and the commonalities of techniques used by spammers open the door for radically different follow-up work on spam containment and even systematic enforcement of spam legislation at a large scale.
- Craig A. Shue, Minaxi Gupta, "Sensitive Data Requests: Do Sites Ask Correctly?," IEEE International Conference on Communications (ICC), June 2009.
To ensure the security of sensitive Web content, an organization must use TLS and do so correctly. However, little is known about how TLS is actually used on the Web. In this work, we perform large-scale Internet-wide measurements to determine if Web sites use TLS when needed and when they do, if they use it correctly. We find hundreds of thousands of pages where TLS is either not used when it should be or is used improperly, putting sensitive data at risk.
- Andrew J. Kalafut, Craig A. Shue, Minaxi Gupta, "Understanding the Implications of DNS Server Provisioning," ACM/USENIX Internet Measurement Conference (IMC), 2008.
The DNS is a critical component of the Internet. This paper takes a comprehensive look at the provisioning of Internet domains and its impact on the availability of various services. To gather data, we sweep 60% of the Internet’s domains for zone transfers. 6.6% of them allow us to transfer their complete information. We find that carelessness in handling DNS records can lead to reduced availability of name servers, email, and Web servers. It also undermines anti-spam efforts and the efforts to shut down phishing sites or to contain malware infections.
- Craig A. Shue, Andrew J. Kalafut, Minaxi Gupta, "Exploitable Redirects on the Web: Identification, Prevalence, and Defense," USENIX Workshop on Offensive Technologies (WOOT), Jul. 2008.
Web sites on the Internet often use redirection. Unfortunately, without additional security, many of the redirection links can be manipulated and abused to mask phishing attacks. In this paper, we prescribe a set of heuristics to identify redirects that can be exploited. Using these heuristics, we examine the prevalence of exploitable redirects present in today's Web. Finally, we propose techniques for Web servers to secure their redirects and for clients to protect themselves from being misled by manipulated redirects.
- Craig A. Shue, Andrew J. Kalafut, Minaxi Gupta, "The Web is Smaller than it Seems," ACM/USENIX Internet Measurement Conference (IMC), San Diego, CA, Oct. 2007.
The Web has grown beyond anybody's imagination. While significant research has been devoted to understanding aspects of the Web from the perspective of the documents that comprise it, we have little data on the relationship among servers that comprise the Web. In this paper, we explore the extent to which Web servers are co-located with other Web servers in the Internet. In terms of the location of servers, we find that the Web is surprisingly smaller than it seems. Our work has important implications for the availability of Web servers in case of DoS attacks and blocklisting.
- Craig A. Shue, Minaxi Gupta, "Projecting IPv6 Forwarding Characteristics Under Internet-wide Deployment," ACM SIGCOMM 2007 IPv6 Workshop, Kyoto, Japan, Aug. 2007.
While routing table growth, its impact, and causes have been examined extensively for IPv4, little work in this direction exists for IPv6. This paper is the first step at examining performance aspects of IPv6 packet forwarding. We do so by using a software implementation of various packet forwarding algorithms used by routers and running them against IPv6 tables. In the lack of a wide deployment of IPv6, we generate IPv6 routing entries based on IAB allocation recommendations. We simulate growth of routing tables due to new prefix allocations and under partial deployment scenarios. Additionally, we consider factors that inflate routing table sizes artificially. These include load balancing, multi-homing, and failure to aggregate aggregatable prefixes. We conclude that if modern routers were to simply replace their IPv4 prefixes with an equivalent number of IPv6 prefixes, without changing anything else, an average lookup in the routing table will be 67% more expensive. Further, the IPv6 routing table will require at least 4.5 times more memory to store the same number of prefixes.
- Craig A. Shue, Minaxi Gupta, Steven A. Myers, "IPSec: Performance Analysis and Enhancements," IEEE International Conference on Communications (ICC), Glasgow, Scotland, June 2007.
Internet Protocol Security (IPSec) is a widely deployed mechanism for implementing Virtual Private Networks (VPNs). In previous work, we examined the overheads incurred by an IPSec server in a single client setting. In this paper, we extend that work by examining the scaling of a VPN server in a multiple client environment and by evaluating the effectiveness of connection credential caching. Motivated by the potential benefits of caching, we also propose a cryptographically secure cache resumption protocol for IPSec connections to reduce the connection establishment overheads.
- Craig A. Shue, Minaxi Gupta, "Packet Forwarding: Name-based Vs. Prefix-Based," IEEE INFOCOM Global Internet (GI) Symposium, Anchorage, AK, May 2007.
Using domain names for routing, instead of IP prefixes, has the potential to address many of the core outstanding issues in today's Internet. To initiate research in that direction, this paper compares the performance of name-based routing in the core of the Internet with that of IPv4 routing. Our analysis concludes that name-based routing is well within the scope of feasibility.
- Jonathan Mills, Matt Parker, Bryce Himebaugh, Craig A. Shue, Brian Kopecky, Chris Weilemann, "'Empty Space' Computes: The Evolution of an Unconventional Supercomputer," ACM International Conference on Computing Frontiers, May 2006.
Lee A. Rubel defined the extended analog computer to avoid the limitations of Shannon's general purpose analog computer. Partial differential equation solvers were a "quintessential" part of Rubel's theoretical machine. These components have been implemented with "empty space," or VLSI circuits without transistors, as well as conductive plastic. For the past decade research at Indiana University has explored the design and applications of extended analog computers. The machines have become increasingly sophisticated and flexible. The "empty" computational area is devoted to solving partial differential equations. The rest of the space includes fuzzy logic elements, configuration memory and input/output channels. This paper describes the theoretical definition, architecture and implementation of these unconventional computers. Two parallel applications are described in detail. Rubel's model can be viewed as an abstract specification for a distributed supercomputer. We close with a description of an inexpensive 64-node processor that was designed using our current single processor. The next step is to return to VLSI with an improved understanding of the architecture -- and seek computation speeds approaching trillions of partial differential equations per second.
- Craig A. Shue, Youngsang Shin, Minaxi Gupta, Jong Youl Choi, "Analysis of IPSec Overheads for VPN Servers," IEEE International Conference on Network Protocols (ICNP) Network Protocol Security (NPSec) Workshop, Boston, MA, Nov. 2005.
Internet Protocol Security (IPSec) is a widely deployed mechanism for implementing Virtual Private Networks (VPNs). This paper evaluates the performance overheads associated with IPSec. We use Openswan, an open source implementation of IPSec, and measure the running times of individual security operations and also the speedup gained by replacing various IPSec components with no-ops. The main findings of this study include: VPN connection establishment and maintenance overheads for short sessions could be significantly higher than those incurred while transferring data, and cryptographic operations contribute 32-60% of the total IPSec overheads.
Posters
- Craig A. Shue, Minaxi Gupta, "Freeing the Internet from the DNS," Indiana University Computer Science and Informatics Poster Session, Bloomington, IN, Mar. 2007.
- Craig A. Shue, Minaxi Gupta, "Spoofing Resistant Packet Routing," Poster at IEEE International Conference on Networking Protocols (ICNP), Nov. 2005.
Technical Reports
- Craig A. Shue, Joshua Hursey, Arun Chauhan, "MPI over Scripting Languages: Usability and Performance Tradeoffs," IUCS Technical Report TR631, Feb. 2006.
We present a comparative study of two popular implementations that make the MPI available on MATLAB -- MatlabMPI and MPI-TB. We evaluate their performance through micro-benchmarks on a high-performance Linux cluster and compare those to their corresponding implementations on Octave as well as to the LAM/MPI library accessed through a C API. We have discovered that there are significant performance advantages to using an implementation of the MPI that utilizes highly tuned libraries built for high-speed interconnects, such as the Myrinet. However, a price must be paid in terms of higher installation and setup times and a more complicated API.
We conclude that even though there are advantages to using the MPI within a high-level scripting language, such as MATLAB or Octave, there are important philosophical differences between the programming models of scripting languages and a relatively low-level communication library interface, such as the MPI. This points to the need for a more sophisticated long-term support for parallel programming from the language compiler and runtime system.
- Craig A. Shue, Brian Kopecky, Chris Weilemann, "Denial of Service Attack Detection Using Extended Analog Computers," IUCS Technical Report TR624, Jan. 2006.
Denial of Service (DoS) attacks, a damaging assault on computer networking infrastructure, have been extensively examined by the digital computing community. However, no work has been done to examine the ability of Extended Analog Computers (EAC) to detect DoS attacks. In this paper, we discuss how EACs could be used in DoS detection.