Towards trapping wily intruders in the large

Mansfield, Glenn; Ohta, Kiminori; Takei, Yohsuke; Kato, Nei; Nemoto, Y.

doi:10.1016/s1389-1286(00)00135-3

Cited by 31 publications

(16 citation statements)

References 5 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…2. The characteristics may be of use in differentiating traffic that is 'not natural', which may be due to the intruders 22 in networks or an 'abnormal' traffic situation in a busy city. The change of nature of traffic will probably result in a change of its characteristics.…”

mentioning

confidence: 99%

Self‐similar and fractal nature of Internet traffic

Chakraborty

Ahmed²,

Suganuma

et al. 2004

Int J Network Mgmt

View full text Add to dashboard Cite

The self-similar bursty Internet traffic is usually characterized by the Hurst parameter (H). Such a process is also seen to possess fractal characteristics in time described by a parameter (b), with multifractals in most cases. We observe that these highly stochastic traffics have fractals in flow density too, described by a fractal dimension (D), also with the possibiliy of multifractals as in the former. This requires another parameter for the description of Internet traffic, besides the usual selfsimilarity parameter b or H and the different simulations or models worked out to understand the Internet traffic to reproduce the characteristics as found in the present work. We also find a notable selfsimilarity feature of the autocorrelations in the data and its aggregates, in all the cases studied.

show abstract

mentioning

confidence: 99%

Self‐similar and fractal nature of Internet traffic

Chakraborty

Ahmed²,

Suganuma

et al. 2004

Int J Network Mgmt

View full text Add to dashboard Cite

show abstract

“…To determine the similarity of the traffic on the communication links, we make use of traffic-flow pattern matching (Kim and Helmy, 2005;Mansfield et al, 2000). There are two separate procedures in pattern matching: trend-pattern matching and volume-pattern matching.…”

Section: Tracebackmentioning

confidence: 99%

DDoS Detection and Traceback with Decision Tree and Grey Relational Analysis

Tseng

Yang

et al. 2009

2009 Third International Conference on Multimedia and Ubiquitous Engineering

View full text Add to dashboard Cite

Abstract:In Distributed Denial-of-Service (DDoS) Attack, an attacker breaks into many innocent computers (called zombies). Then, the attacker sends a large number of packets from zombies to a server, to prevent the server from conducting normal business operations. We design a DDoS-detection system based on a decision-tree technique and, after detecting an attack, to trace back to the attacker's locations with a traffic-flow pattern-matching technique. Our system could detect DDoS attacks with the false positive ratio about 1.2-2.4%, false negative ratio about 2-10%, and find the attack paths in traceback with the false negative rate 8-12% and false positive rate 12-14%.

show abstract

“…To characterize attack traffic, we use traffic pattern [11] and traffic volume. Traffic pattern and traffic volume represent abnormal characteristics of attack traffic.…”

Section: Swat Architecture Overviewmentioning

confidence: 99%

“…There are several IP traceback schemes proposed for the Internet such as packet marking [14], logging [11], ICMP traceback [6,13], and others [5]. Such traceback schemes developed for the fixed networks are not directly applicable to MANETs due to the following reasons.…”

Section: Introductionmentioning

confidence: 99%

“…By finding neighbor nodes of victim that observe similar attack traffic signature within a given timeframe and performing the process recursively to attack origin, we can track down attacker(s). To define the similarity of traffic signature, we use Traffic Pattern Matching, TPM [11], and traffic volume matching, TVM. TPM is the process to check the similarity of traffic pattern and TVM is the process to check the similarity of traffic volume.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

SWAT: small world-based attacker traceback in ad-hoc networks

Kim

2005

The Second Annual International Conference on Mobile and Ubiquitous Systems: Networking and Services

View full text Add to dashboard Cite

Mobile Ad hoc NETworks (MANETs) provide a lot of promise for many practical applications. However, MANETs are vulnerable to a number of attacks due to its autonomous nature. DoS/DDoS attacker traceback is especially challenging in MANETs for the lack of infrastructure. In this paper, we propose an efficient on-the-fly search technique, SWAT, to trace back DoS and DDoS attackers in MANETs. Our scheme borrows from small worlds, utilizes the concept of Contacts, and use Traffic Pattern Matching (TPM) and Traffic Volume Matching (TVM) techniques. We also propose multi-directional search, in-network processing and query suppression to reduce communication overhead in energyconstrained MANETs and increase traceback robustness against spoofing and collusion. Simulation results show that SWAT successfully traces back DoS and DDoS attacker under reasonable background traffic. In addition, SWAT incurs low communication overhead (22% compared to flooding-based search). IntroductionFlooding-type/direct DoS [1][2][3][4] and DDoS [8] attacks consume the resources of a remote host or network, thereby denying or degrading service to legitimate users. There are several characteristics of such attacks: (I) Traffic volume abnormally increases during the attack period. (II) Attackers routinely disguise their location using incorrect/spoofed addresses. (III) It is reported that such attacks may persist for tens of minutes and in some case for several days [1].IP traceback in the Internet, which tracks down attacker(s), is a useful technique for forensics and to discourage attackers. There are several IP traceback schemes proposed for the Internet such as packet marking [14], logging [11], ICMP traceback [6,13], and others [5]. Such traceback schemes developed for the fixed networks are not directly applicable to MANETs due to the following reasons.In MANETs, there is no fixed infrastructure. Each node acts as an autonomous terminal, acting as both host and router. Node mobility frequently changes network topology.In general, network bandwidth and battery power are limited.To perform efficient DoS/DDoS attacker traceback under such a harsh environment in MANETs, we propose an efficient on-the-fly taceback technique. For that, we leverage the small world model. The concept of small worlds was studied in the 60's in the context of social networks [12], during which experiments of mail delivery using acquaintances resulted in an average of 'six degrees of separation', i.e., on average a letter needed six acquaintances to be delivered. Recent research by Watts [16] has shown that in relational graphs adding a few number of random links to regular graphs results in graphs with low average path length and high clustering. Such graphs are called small world graphs. Helmy [9][10] established the applicability of small world graphs to MANETs. Helmy found that path length of wireless networks is drastically reduced by adding a few random links (resembling a small world). Establishing a small world reduces the degrees of separation be...

show abstract

Towards trapping wily intruders in the large

Cited by 31 publications

References 5 publications

Self‐similar and fractal nature of Internet traffic

Self‐similar and fractal nature of Internet traffic

DDoS Detection and Traceback with Decision Tree and Grey Relational Analysis

SWAT: small world-based attacker traceback in ad-hoc networks

Contact Info

Product

Resources

About