The "Spread Identity (SI)" Paradigm
The SI paradigm evolved from the "Dynamic Transport Selection (DTS)"
project, which was sponsored by Aether Systems Inc., to investigate the
following problem: given "n" multiple data transport services (channels),
how to dynamically select any "k" out of the n available channels
in order to optimize a set of goals, such as maximizing the bandwidth;
minimizing the overall cost (e.g., using Wi-Fi whenever
possible vs. using cell-phone service); or,
in data streaming scenarios (audio, video, or a stream of
stock quotes, weather conditions, etc.), minimizing the jitter.
This turns out to be an
interesting Pareto-optimization problem.
DTS naturally led to the question: How can the multiple network interfaces
and transport channels (that are widely available today) be leveraged
to enhance the security of communications?
Inspired by the spectacular success of the "Spread Spectrum" techniques at
the physical layer, I developed
the "Spread Identity" paradigm for the network layer (which is the
3rd layer of the networking stack; in the context of the Internet,
it is the "IP" layer). Since the identity of a communicating entity at the
IP layer is its IP address, SI deliberately "spreads" the identity of
a host across multiple IP addresses and vice-versa, i.e., multiple
hosts are assigned the same IP address to support multiple concurrent
data flows, as long as the peer-ends are distinguishable.
Perimeter gateways (which we call SI gateways) that perform
Double-NAT (Network Address Translation) are leveraged, together with
the DNS (Domain Name Service,
which translates a string such as "linuxserver2.cs.umbc.edu" into the
corresponding IP address "130.85.36.73"), for the purpose of achieving the
"spreading".
The mapping between host identities and IP addresses is deliberately
made to appear as many-to-many when viewed from either side of
the SI gateway (only the SI gateway knows the underlying one-to-one
mapping).
The end result is an extremely robust, fully backward compatible and
therefore incrementally deployable framework which leads to the following
unique capabilities:
- The dynamically created (source-address, destination-address) NAT entry
can be leveraged as a dynamic access control token or as
a flow marker. Note that a destination address cannot be
spoofed (otherwise the payload will not reach the intended target host).
Therefore leveraging the destination address as a flow marker
enormously simplifies tracking, processing and filtering of flows.
- As a result, abnormal behavior (and therefore potentially malicious
activity) can be identified extremely fast, simply by a "token-matching"
at the SI gateways. This in turn leads to ultra-fast intrusion
detection as well as prevention in a large number of scenarios.
- SI enables multi-level, multi-pronged robust defenses and
even offenses against Denial of Service (DoS) attacks.
- SI completely resolves the problem of IPv4 address scarcity.
- SI substantially enhances network-traceback capability.
- The response to a DNS query is sent to the source address
in the query. If this source address is spoofed, the DNS response will not
reach the real source of the query. As a result,
the adversary cannot learn the (dynamically
generated) destination address (i.e., cannot get an access token)
and cannot reach the
destination. Therefore,
in order to learn the destination address the adversary must expose
the last hop bot (the host which sends the DNS query).
- Several other proactive traceback mechanisms are enabled by SI,
for example, Identity-baiting (forcing the attackers to follow a
dynamic sequence of destination addresses) and Identity-traps
(herding the attackers into a corner of the name-space and
redirecting them to specially provided honey-pots), etc.
For further details, see the publication links below.
- It can yield Tor (The Onion Router) like anonymity in
a hardware box (if the SI gateway is implemented entirely in hardware
and the internal NAT entries are deleted after their use and
not exposed anywhere outside the hardware box), with all
the anonymity advantages of Tor but none of the disadvantages
(such as long connection as well as data transfer delays).
- SI is extremely important and relevant in the huge address
space of IPv6 protocol (it helps minimize the routing-table sizes
in core routers).
- All the above unique advantages are enabled simultaneously
with other well-known benefits of "dynamic indirection", such as
load-balancing, enhanced support for host mobility, etc.
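The following is an added, simplified model (not code from the page or from the Spread Identity project) of the two gateway behaviours described above: a DNS answer that allocates a per-client external address and records the one-to-one NAT mapping only the gateway knows, and data-plane "token-matching" that drops and logs any (source, destination) pair with no live entry. All host names, address pools and client addresses are constructed for the example.

```python
import ipaddress
import itertools

# Constructed sample data (not from the page): one internal server behind the
# gateway and a small pool of public addresses handed out per requesting client.
INTERNAL_HOSTS = {"svc.example.test": "10.0.0.5"}
PUBLIC_POOL = [str(a) for a in ipaddress.ip_network("203.0.113.0/29").hosts()]


class SIGateway:
    """Toy model of an SI gateway: each DNS answer allocates an external address
    for the asking client, and (client, external) becomes the NAT entry/token."""

    def __init__(self):
        self._pool = itertools.cycle(PUBLIC_POOL)
        self.nat = {}     # (client_src, external_dst) -> internal host address
        self.alerts = []  # (src, dst) pairs that matched no token

    def dns_query(self, name, query_src):
        """Allocate an external address for this client and record the one-to-one
        mapping only the gateway knows. The answer is sent to query_src, so a
        query with a spoofed source never delivers the token to the real sender."""
        external = next(self._pool)
        self.nat[(query_src, external)] = INTERNAL_HOSTS[name]
        return {"to": query_src, "answer": external}

    def forward(self, src, dst):
        """Data-plane token matching: forward only if (src, dst) is a live NAT
        entry; anything else is abnormal, so it is logged and dropped."""
        internal = self.nat.get((src, dst))
        if internal is None:
            self.alerts.append((src, dst))
            return None
        return internal  # the double-NAT would rewrite dst to this address


def demo():
    gw = SIGateway()
    # Legitimate client resolves the name, then uses the address it was given.
    resp = gw.dns_query("svc.example.test", "198.51.100.10")
    ok = gw.forward("198.51.100.10", resp["answer"])
    # A second client resolving the same name receives a different address.
    resp2 = gw.dns_query("svc.example.test", "198.51.100.20")
    # Traffic from a third address that reuses the first client's token fails.
    bad = gw.forward("192.0.2.7", resp["answer"])
    # A query whose source is spoofed as the first client: the answer (and the
    # token) goes to that client, not to whoever sent the query.
    spoofed = gw.dns_query("svc.example.test", "198.51.100.10")
    return ok, resp["answer"] != resp2["answer"], bad, spoofed["to"], len(gw.alerts)
```

In a real deployment the gateway would also expire entries and rewrite addresses in both directions; the model only shows the control-plane allocation and the data-plane check.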
The theoretical contributions of this work are the following:
- The two well-known and fundamental principles, viz.
(a) the principle of Indirection
and
(b) the End-to-End principle,
are conflicting attributes in many scenarios (e.g., the Internet).
This happens because the End-to-End principle implies a flat organization
with all peer entities deemed to be at the same (logical) level,
whereas
the principle of indirection necessarily implies a "hierarchical"
organization of the entities.
- Our work demonstrates that the best way to reconcile these
conflicting attributes is to confine indirections to the
perimeter/edge entities, so that the End-to-End attribute
is slightly compromised and becomes an Edge-to-Edge attribute.
- The principle of Dynamic Spreading
(which includes Shrinking) of Identity
(which says that whenever translating Name-Spaces, the
mappings should be deliberately made to appear many-to-many
to all entities except one or two trusted (edge) entities that do the actual
name-translations)
is an equally
fundamental and independent principle in its own right.
Together with the Edge-to-Edge principle and the principle of
Indirection, it forms a 3-legged foundation for
robust communications.
For more details see the publications below.
- D. S. Phatak,
"Spread-Identity Mechanisms for DOS Resilience and Security",
Proceedings of the IEEE SecureComm 2005, Athens, Greece.
- D. S. Phatak,
"Spread Identity Communications Architecture",
U.S. Patent No. 7,853,680 B2, Date of
issue: 14th December 2010.
- D. S. Phatak, A. T. Sherman, N. Joshi, B. Sonawane, V. Relan and A. Dhawalbhakta,
"Spread Identity: A New Dynamic Address Remapping
Mechanism for Anonymity and DDoS Defense", in the
Journal of Computer Security, Volume 21, Issue 2,
March 2013, pp. 233-281.
- D. S. Phatak,
"Spread Identity Communications Architecture",
U.S. Patent No. US 8,606,898 B1, Date of
issue: 10th December 2013.
Last update: June, 2014