by Ashraf Matrawy, P. C. Van Oorschot, Anil Somayaji
In: Proceedings of the 3rd International Conference on Applied Cryptography and Network Security (ACNS
http://www.scs.carleton.ca/~paulv/papers/acns05.pdf
Abstract. In this paper we explore the feasibility of mitigating network denial-of-service (NDoS) attacks (attacks that consume network bandwidth) by dynamically regulating learned classes of network traffic. Our classification technique clusters packets based on the similarity of their contents—both headers and payloads—using a variation of n-grams which we call (p,n)-grams. We then allocate shares of bandwidth to each of these clusters using an adaptive traffic management technique. Our design intent is that excessive bandwidth consumers (e.g. UDP worms, flash crowds) are segregated so that they cannot consume bandwidth to the exclusion of other network traffic. Because this strategy, under congestion conditions, increases the packet drop rate experienced by sets of similar flows and thus reduces the relative drop rate of other, dissimilar flows, we characterize this strategy as diversity-based traffic management. We explain the approach at a high level and report on preliminary results that indicate that network traffic can be quickly and concisely learned, and that this classification can be used to regulate the bandwidth allocated to both constant packet and polymorphic flash UDP worms.