List of published academic papers:
- Title: Uma Plataforma para Gestão de Configurações em Redes de Banda Larga (A Platform for Configuration Management in Broadband Networks)
- Abstract: This paper presents a profile and configuration management platform designed from the operator's perspective, for remote management of the inventory and configurations of operator-supplied broadband home-network devices (home routers, VoIP phones, set-top boxes, etc.). The proposed platform includes highly flexible administration mechanisms, so as to support the great diversity of equipment and services typical of these environments. The platform also allows user profiles (subscribed services, typical usage profile, etc.) to be incorporated into the process, in order to ensure a more efficient configuration management process.
- Title: How to Cooperatively Improve Broadband Security
- Abstract: The growth in the number of domestic and Small Office/Home Office (SOHO) environments served by broadband connections (cable, xDSL), together with the emergence of a digital convergence paradigm, with the integration of services over a single medium, has created a new set of security concerns. These concerns arise from the specific characteristics of the broadband medium itself, in the form of potential security threats for ISPs, customers and third parties, due to three factors: high bandwidth, availability to a very large customer base and the permanent nature of the connections. The traditional segmentation between the ISP and customer networks, which relies on customers' technical skills to manage their own networks effectively, is no longer adequate, since nowadays each ISP serves a large number of customers who lack the required expertise. On the other hand, these customers own powerful network and computational resources which can be used, with or without their knowledge, to launch massive attacks against third parties. The security model currently adopted by ISPs is based on a relatively small number of traffic barriers deployed at strategic points in their own backbone networks. However, the amount of network traffic these barriers need to process is increasing substantially over time, as a consequence of the ever-growing customer base served by broadband, raising severe cost and scalability constraints that might render this approach entirely unsuitable in the future. In response to this problem, we propose a new security architecture for broadband services, which takes advantage of the specific role and location of “home gateways” – as devices standing between the ISP and the customer network – to build a distributed IDS/IPS (“Intrusion Detection System/Intrusion Protection System”).
This solution changes the current paradigm, presenting a novel approach to security in broadband service environments by redefining the frontier between Internet Service Providers and their customers. Close cooperation between ISP and customer resources provides a shared security framework with improved scalability, granularity, flexibility and efficiency, while shifting the frontier between ISP and customer networks and thus raising a number of ethical and technical issues. The proposed distributed IDS/IPS is based on a hierarchical architecture, with a central orchestrator at the ISP level managing each gateway’s behaviour in a coordinated way. Besides performing monitoring and attack prevention/detection functions autonomously, each gateway can also notify the central IDS of relevant events. Selected events generated by each gateway are sent to the central IDS in order to provide a macroscopic perspective of the whole network, thus identifying threat patterns whose detection would be impossible for a standalone device. This approach allows the ISP to deploy sophisticated, granular and scalable security mechanisms directly at the gateway level, which becomes the first defence layer of its own network. The ethical issues raised by the approach were also carefully discussed while developing the solution, concluding that the controlled transfer of some security functions from the ISP to the client’s own equipment brings considerable advantages to both, without significant ethical risks.
- Title: Scalable Approach to Data Collection in Broadband Access Networks
- Abstract: In this paper we present a scalable, massively distributed monitoring architecture that integrates the broadband routers of domestic subscribers into the operators' monitoring platform. Extending a number of technologies already available, these routers cooperate with the provider in the collection and processing of valuable monitoring data. Each router – remotely managed by the operator – works in an automated way, possessing inference and filtering abilities of its own and being capable of selecting specific data to be sent to the central coordination point. This coordinated operation model allows the monitoring system to access and infer information at two distinct infrastructure levels: the microscopic (subscriber) level and the macroscopic (operator) level, making it capable of detecting trends that would otherwise be impossible to detect for a device operating autonomously (such as standalone probes in the classic model). This paper also addresses issues such as the correlation of data gathered from each probe in order to produce the macroscopic view of the network, ethical issues (such as subscriber privacy), system performance – compared with classic approaches – and manageability.
- Title: Um IDS Cooperativo para Redes de Acesso de Banda Larga (A Cooperative IDS for Broadband Access Networks)
- Abstract: The growth in the number of customers served by broadband access networks (cable, xDSL) brings a new set of security concerns, with potential consequences for telecommunications operators, their customers and third parties. The large number of domestic, technically unprepared customers currently served by high-bandwidth, permanently connected links constitutes a risk scenario to which the operators' traditional security model, centred on their internal infrastructure, is unable to respond. As an alternative, a model based on the concept of shared security is proposed, involving close cooperation between the network resources of the operator and of the customers themselves, and seeking to take advantage of the position that home gateways occupy in broadband infrastructures – as border mediators between the operator's and the customer's networks – to implement a distributed, scalable IDS/IPS (Intrusion Detection System/Intrusion Protection System).
- Title: Segurança em Redes de Acesso Triple-Play (Security in Triple-Play Access Networks)
- Abstract: S3P is a research project carried out by the Communications and Telematics group of the Centro de Informática e Sistemas da Universidade de Coimbra and by PT Inovação. The project aims to identify new security risks introduced by the growing spread of home networks connected to the Internet over broadband (ADSL, cable, fibre, 3G), and to investigate solutions to neutralise those risks. Presented here is the distributed management architecture for “triple-play” environments developed within this project. This architecture, specifically oriented towards security issues in these environments, is characterised by its strongly distributed nature (thereby improving system scalability) and by the way it integrates into the operator's security solutions devices located in the customers' networks and at the border between the customers' networks and the operator's access network.