A learning-based approach for IP geolocation
In Proceedings of the Passive and Active Measurement Conference (PAM), 2010
Cited by 22 (4 self)
The ability to pinpoint the geographic location of IP hosts is compelling for applications such as on-line advertising and network attack diagnosis. While prior methods can accurately identify the location of hosts in some regions of the Internet, they produce erroneous results when the delay or topology measurement on which they are based is limited. The hypothesis of our work is that the accuracy of IP geolocation can be improved through the creation of a flexible analytic framework that accommodates different types of geolocation information. In this paper, we describe a new framework for IP geolocation that reduces to a machine-learning classification problem. Our methodology considers a set of lightweight measurements from a set of known monitors to a target, and then classifies the location of that target based on the most probable geographic region given probability densities learned from a training set. For this study, we employ a Naive Bayes framework that has low computational complexity and enables additional environmental information to be easily added to enhance the classification process. To demonstrate the feasibility and accuracy of our approach, we test IP geolocation on over 16,000 routers given ping measurements from 78 monitors with known geographic placement. Our results show that the simple application of our method improves geolocation accuracy for over 96% of the nodes identified in our data set, with on average accuracy 70 miles closer to the true geographic location versus prior constraint-based geolocation. These results highlight the promise of our method and indicate how future expansion of the classifier can lead to further improvements in geolocation accuracy.
Flexible Deterministic Packet Marking: An IP Traceback System to Find the Real Source of Attacks
2009
Cited by 14 (0 self)
Internet Protocol (IP) traceback is the enabling technology to control Internet crime. In this paper, we present a novel and practical IP traceback system called Flexible Deterministic Packet Marking (FDPM) which provides a defense system with the ability to find out the real sources of attacking packets that traverse through the network. While a number of other traceback schemes exist, FDPM provides innovative features to trace the source of IP packets and can obtain better tracing capability than others. In particular, FDPM adopts a flexible mark length strategy to make it compatible with different network environments; it also adaptively changes its marking rate according to the load of the participating router by a flexible flow-based marking scheme. Evaluations on both simulation and real system implementation demonstrate that FDPM requires a moderately small number of packets to complete the traceback process, adds little additional load to routers, and can trace a large number of sources in one traceback process with low false positive rates. The built-in overload prevention mechanism makes this system capable of achieving a satisfactory traceback result even when the router is heavily loaded. The motivation of this traceback system is from DDoS defense. It has been used not only to trace DDoS attacking packets but also to enhance filtering of attacking traffic. It has a wide array of applications for other security systems.
On the State of IP Spoofing Defense
ACM Transactions on Internet Technology
Cited by 13 (1 self)
IP source address spoofing has plagued the Internet for many years. Attackers spoof source addresses to mount attacks and redirect blame. Researchers have proposed many mechanisms to defend against spoofing, with varying levels of success. With the defense mechanisms available today, where do we stand? How do the various defense mechanisms compare? This article first looks into the current state of IP spoofing, then thoroughly surveys the current state of IP spoofing defense. It evaluates data from the Spoofer Project, and describes and analyzes host-based defense methods, router-based defense methods, and their combinations. It further analyzes what obstacles stand in the way of deploying those modern solutions and what areas require further research.
CBF: A packet filtering method for DDoS attack defense in cloud environment
In Dependable, Autonomic and Secure Computing (DASC)
Cited by 7 (0 self)
Distributed Denial-of-Service (DDoS) attacks are a major threat to cloud environments. Traditional defending approaches cannot be easily applied in cloud security due to their relatively low efficiency and large storage requirements, to name a few. In view of this challenge, a Confidence-Based Filtering method, named CBF, is investigated for the cloud computing environment in this paper. Concretely speaking, the method is deployed in two periods, i.e., the non-attack period and the attack period. More specifically, legitimate packets are collected in the non-attack period to extract attribute pairs and generate a nominal profile. With the nominal profile, the CBF method is promoted by calculating the score of a particular packet in the attack period, to determine whether to discard it or not. At last, extensive simulations are conducted to evaluate the feasibility of the CBF method. The result shows that CBF has a high scoring speed, a small storage requirement and an acceptable filtering accuracy, making it suitable for real-time filtering in the cloud environment.
Discriminating DDoS Flows from Flash Crowds Using Information Distance
In Proceedings of the 3rd IEEE International Conference on Network and System Security (NSS), 2009
Cited by 6 (1 self)
Remote Peering: More Peering without Internet Flattening
Cited by 2 (0 self)
The trend toward more peering between networks is commonly conflated with the trend of Internet flattening, i.e., reduction in the number of intermediary organizations on Internet paths. Indeed, direct peering interconnections bypass layer-3 transit providers and make the Internet flatter. This paper studies an emerging phenomenon that separates the two trends: we present the first systematic study of remote peering, an interconnection where remote networks peer via a layer-2 provider. Our measurements reveal significant presence of remote peering at IXPs (Internet eXchange Points) worldwide. Based on ground truth traffic, we also show that remote peering has a substantial potential to offload transit traffic. Generalizing the empirical results, we analytically derive conditions for economic viability of remote peering versus transit and direct peering. Because remote-peering services are provided on layer 2, our results challenge the traditional reliance on layer-3 topologies in modeling the Internet economic structure. We also discuss broader implications of remote peering for reliability, security, accountability, and other aspects of Internet research.
Packet resonance strategy: a spoof attack detection and prevention mechanism in cloud computing environment
International Journal of Communication Networks and Information Security, 2012
Cited by 2 (0 self)
Distributed Denial of Service (DDoS) is a major threat to server availability. The attackers hide from view by impersonating their IP addresses as those of legitimate users. This spoofed IP helps the attacker to pass through the authentication phase and to launch the attack. Surviving spoof detection techniques could not resolve different styles of attacks. Packet Resonance Strategy (PRS) is armed to detect various types of spoof attacks that destruct the server resources or perform data theft at the Datacenter. PRS ensembles to any Cloud Service Provider (CSP), as they are exclusively responsible for any data leakage and sensitive information hack. PRS uses a two-level detection scheme, allowing the clients to access the Datacenter only when they surpass initial authentication at both levels. PRS provides faster data transmission and time sensitiveness of cloud computing tasks to the authenticated clients. Experimental results proved that the proposed methodology is a better light-weight solution and deployable at the server end.
Novel Scheme for Detecting and Preventing Spoofed IP Access on Network using IP2HP Filter
ARPN Journal of Engineering and Applied Sciences, 2011
Cited by 1 (0 self)
Denial of Service (DoS) attacks present a serious problem for internet communications. They simply flood the link of the victim server with a large amount of packets, leading to a high rate of packet drops for legitimate users. In general, DoS attacks are not exposed, but the threat is common. The problem is aggravated when the attackers spoof their IP addresses. Defense against IP spoofing is a dominant topic, and many approaches could diminish the spoofing problem. Because of the destination-based forwarding paradigm of the Internet Protocol, IP address spoofing is both simple and very effective in evading both prevention and detection. The straightforward method of installing simple filters without proper validation at border routers is rendered inefficient by IP spoofing. The attacker can randomly choose an IP address as the source for different packets and thus make the detection method infeasible. Therefore, detecting and preventing packets with spoofed source addresses has been actively pursued in the research community. Many existing solutions to this problem are IP traceback, packet marking, authentication methods, etc. Among these, this paper proposes a solution based on a request verification cum filtering technique near the victim server. Experimental results show that the proposed method eliminates most of the spoofed packets with moderate memory and time consumption.
Can We Beat Legitimate Cyber Behavior Mimicking Attacks from Botnets?
Cited by 1 (1 self)
Botnets are the engine for malicious activities in cyber space. In order to sustain their botnets and disguise their illegal actions, botnet owners are exhausting their strength to mimic legitimate cyber behavior to fly under the radar, e.g. flash crowd mimicking attacks on popular websites. It is an open and challenging problem: can we beat mimicking attacks or not? We use web browsing on popular websites as an example to explore the issue. In our previous work, we discovered that it is almost impossible to detect mimicking attacks from statistics if the number of active bots of a botnet is sufficient (no less than the number of active legitimate users). In this paper, we point out that it is usually hard for botnet owners to have a sufficient number of active bots in practice. Therefore, we can discriminate mimicking attacks when the sufficient number condition is not met. We prove our claim theoretically and confirm it with simulations. Our findings can also be applied to a large number of other detection related cases. Index Terms—mimicking attack; flash crowd attack; botnet; detection.
Energy Attack on Server Systems
Cited by 1 (1 self)
Power management has become increasingly important for server systems. Numerous techniques have been proposed and developed to optimize server power consumption and achieve energy proportional computing. However, the security perspective of server power management has not yet been studied. In this paper, we investigate energy attacks, a new type of malicious exploit on server systems. Targeted solely at abusing server power consumption, energy attacks exhibit very different attacking behaviors and cause very different victim symptoms from conventional cyberspace attacks. First, we unveil that today's server systems with improved power saving technologies are more vulnerable to energy attacks. Then, we demonstrate a realistic energy attack on a standalone server system in three steps: (1) by profiling the energy cost of an open Web service under different operation conditions, we identify the vulnerabilities that subject a server to energy attacks; (2) exploiting the discovered attack vectors, we design an energy attack that can be launched anonymously from a remote location; and (3) we execute the attack and measure the extent of its damage in a systematic manner. Finally, we highlight the challenges in defending against energy attacks.