SlideShare a Scribd company logo

Mitigating Active Attacks Using Bitmap Filter

Academia Sinica
Academia Sinica

With the emergence of active worms, the targets of attacks have been moved from well-known Internet servers to generic Internet hosts, and since the rate at which patches can be applied is always much slower than the spread of a worm, an Internet worm can usually attack or infect millions of hosts in a short time. It is difficult to eliminate Internet attacks globally; thus, protecting client networks from being attacked or infected is a relatively critical issue. In this paper, we propose a method that protects client networks from being attacked by people who try to scan, attack, or infect hosts in local networks via unpatched vulnerabilities. Based on the symmetry of network traffic in both temporal and spatial domains, a bitmap filter is installed at the entry point of a client network to filter out possible attack traffic. Our evaluation shows that with a small amount of memory (less than 1 megabyte), more than 95% of attack traffic can be filtered out in a small- or medium-scale client network.

TechnologyNews & Politics
1 of 56
Download to read offline
Outline Introduction The Bitmap Filter Evaluations Discussions Conclusion Mitigating Active Attacks Towards Client Networks Using the Bitmap Filter Chun-Ying Huang Kuan-Ta Chen Chin-Laung Lei Distributed Computing and Network Security Lab Department of Electrical Engineering National Taiwan University June 26, 2006 C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 1/31
Outline Introduction The Bitmap Filter Evaluations Discussions Conclusion Outline 1 Introduction 2 The Bitmap Filter 3 Evaluations 4 Discussions 5 Conclusion C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 2/31
Outline Introduction The Bitmap Filter Definitions and Motivations Evaluations Stateful Packet Inspection Discussions Conclusion Outline 1 Introduction 2 The Bitmap Filter 3 Evaluations 4 Discussions 5 Conclusion C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 3/31
Outline Introduction The Bitmap Filter Definitions and Motivations Evaluations Stateful Packet Inspection Discussions Conclusion Active Attacks Definition An active attack is behavior that deliberately scans, probes, or intrudes on certain hosts or networks with malicious intent. C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 4/31
Outline Introduction The Bitmap Filter Definitions and Motivations Evaluations Stateful Packet Inspection Discussions Conclusion Active Attacks Definition An active attack is behavior that deliberately scans, probes, or intrudes on certain hosts or networks with malicious intent. Motivations The popularity of Internet worms moves the victims. Most defense mechanisms are required to deploy globally. How does an ISP prevent customers/clients from attacks? C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 4/31
Outline Introduction The Bitmap Filter Definitions and Motivations Evaluations Stateful Packet Inspection Discussions Conclusion Active Attacks Definition An active attack is behavior that deliberately scans, probes, or intrudes on certain hosts or networks with malicious intent. Motivations The popularity of Internet worms moves the victims. Most defense mechanisms are required to deploy globally. How does an ISP prevent customers/clients from attacks? Construct an efficient stateful packet inspection (SPI) filter. C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 4/31
Outline Introduction The Bitmap Filter Definitions and Motivations Evaluations Stateful Packet Inspection Discussions Conclusion Stateful Packet Inspection Attacker A Client C SPI Filter Server S C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 5/31
Outline Introduction The Bitmap Filter Definitions and Motivations Evaluations Stateful Packet Inspection Discussions Conclusion Stateful Packet Inspection State Table Src Src-Port Dst Dst-Port .. .. .. .. C 1234 S 80 .... .... .... .... Attacker A Request: C:1234 S:80 Client C SPI Filter Server S C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 5/31
Outline Introduction The Bitmap Filter Definitions and Motivations Evaluations Stateful Packet Inspection Discussions Conclusion Stateful Packet Inspection State Table Src Src-Port Dst Dst-Port .. .. .. .. C 1234 S 80 .... .... .... .... Attacker A Request: C:1234 S:80 Client C SPI Filter R e s S:80 p on s e : C :1 23 4 Server S C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 5/31
Outline Introduction The Bitmap Filter Definitions and Motivations Evaluations Stateful Packet Inspection Discussions Conclusion Stateful Packet Inspection State Table Src Src-Port Dst Dst-Port .. .. .. .. C 1234 S 80 C : 1: 67 .... .... .... .... # 45 k Attacker A 8 0 ta c A : A t 2 : 7 8 k# :5 6 ta c C Request: A t 4 3 C:1234 S:80 X :1 2 Client C SPI Filter R e s S:80 p on s e : C :1 23 4 Server S C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 5/31
Outline Introduction The Bitmap Filter Definitions and Motivations Evaluations Stateful Packet Inspection Discussions Conclusion Stateful Packet Inspection (cont’d) The Problem The linearly increased costs on both storage spaces and computations. C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 6/31
Outline Introduction Client Network Traffic Characteristics The Bitmap Filter Construct the Bitmap Filter Evaluations Parameter Decisions Discussions Conclusion Outline 1 Introduction 2 The Bitmap Filter 3 Evaluations 4 Discussions 5 Conclusion C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 7/31
Outline Introduction Client Network Traffic Characteristics The Bitmap Filter Construct the Bitmap Filter Evaluations Parameter Decisions Discussions Conclusion Client Network Traffic Characteristics Observations 1 Connection/Session lifetime 2 Out-In packet delay C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 8/31
Outline Introduction Client Network Traffic Characteristics The Bitmap Filter Construct the Bitmap Filter Evaluations Parameter Decisions Discussions Conclusion Client Network Traffic Characteristics Observations 1 Connection/Session lifetime 2 Out-In packet delay Data source: aggregated six class-C campus client networks A 6-hour TCP and UDP packet trace. Collected between 10AM and 4PM in a weekday. 96.25% are TCP packets; and 3.75% are UDP packets. Average packet rate: 24.63K packets per second. Average bandwidth utilization: 138.55 Mbps. Average packet size: 720 bytes. C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 8/31
Outline Introduction Client Network Traffic Characteristics The Bitmap Filter Construct the Bitmap Filter Evaluations Parameter Decisions Discussions Conclusion Connection/Session Lifetime Definition Given a TCP connection, measure the time between the last TCP-SYN and the first TCP-FIN packet. C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 9/31
Outline Introduction Client Network Traffic Characteristics The Bitmap Filter Construct the Bitmap Filter Evaluations Parameter Decisions Discussions Conclusion Connection/Session Lifetime Definition a. Connection Lifetime Given a TCP connection, measure the time between the last TCP-SYN 1e+06 319 99% connections are shorter than and the first TCP-FIN packet. 515 seconds Number of connections 1e+04 Result summary 1e+02 90%: < 76 seconds. 95%: < 6 minutes. 1e+00 99%: < 515 seconds. 76 515 0 2000 4000 6000 8000 10000 Lifetime is short. Lifetime (in seconds) C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 9/31
Outline Introduction Client Network Traffic Characteristics The Bitmap Filter Construct the Bitmap Filter Evaluations Parameter Decisions Discussions Conclusion Out-In Packet Delay Definition of the Out-In Packet Delay A connection contains several outgoing and incoming packets. We measure the elapsed time between the outgoing packet and the successive incoming packets in each connection. Outgoing Packets A B C D Incoming Packets 1 2 3 4 5 6 LAN A-1 A-2 B-4 B-5 D-6 WAN A-3 C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 10/31
Outline Introduction Client Network Traffic Characteristics The Bitmap Filter Construct the Bitmap Filter Evaluations Parameter Decisions Discussions Conclusion Out-In Packet Delay (cont’d) Result summary Observed port-reuse effect. 99% < 2.8 seconds, implies that Internet traffic is bi-directional and has high locality in the temporal domain. b. Out−In Packet Delay c. Out−In Packet Delay (CDF) 1.00 1e+08 99% out−in packet delays are shorter than 2.8 seconds 1e+06 0.95 Packet Count 60 95% out−in packet delays Peaks are interleaved with are shorter than 30 CDF 1e+04 120 intervals of roughly 30 or 60 seconds 0.8 seconds 100 160 220 290 350 420 480 540 0.90 150 190 1e+02 1e+00 0.85 0 100 200 300 400 500 600 0 5 10 15 20 Delay (in seconds) Delay (in seconds) C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 11/31
Outline Introduction Client Network Traffic Characteristics The Bitmap Filter Construct the Bitmap Filter Evaluations Parameter Decisions Discussions Conclusion Construct the Bitmap Filter With the previous observations: 1 Connection/Session lifetime is short. 2 Out-in packet delays are short. 3 Internet traffic is bi-directional. A stateful packet inspection (SPI) filter can be modified. C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 12/31
Outline Introduction Client Network Traffic Characteristics The Bitmap Filter Construct the Bitmap Filter Evaluations Parameter Decisions Discussions Conclusion A Na¨ Method to Modify an SPI Filter ıve Expire connection state information with timers. State Table Connection Info. Timer .. .. C:1234 S:80 10 C : 1: 67 .... .... # 45 k Attacker A 8 0 ta c A : A t 2 : 7 8 k# :5 6 ta c C Request: A t 4 3 C:1234 S:80 X :1 2 Client C SPI Filter R e s S:80 p o n s e : C :1 234 Server S C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 13/31
Outline Introduction Client Network Traffic Characteristics The Bitmap Filter Construct the Bitmap Filter Evaluations Parameter Decisions Discussions Conclusion A Na¨ Method to Modify an SPI Filter ıve Expire connection state information with timers. State Table Connection Info. Timer .. .. C:1234 S:80 10 C : 1: 67 .... .... # 45 k Attacker A 8 0 ta c A : A t 2 : 7 8 k# :5 6 ta c C Request: A t 4 3 C:1234 S:80 X :1 2 Client C SPI Filter R e s S:80 p o n s e : C :1 234 Server S However: Still linear complexities on storages and computations. C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 13/31
Outline Introduction Client Network Traffic Characteristics The Bitmap Filter Construct the Bitmap Filter Evaluations Parameter Decisions Discussions Conclusion Improved Performance: Using the Bitmap Filter Reduce storages/computations complexities to constant. C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 14/31
Outline Introduction Client Network Traffic Characteristics The Bitmap Filter Construct the Bitmap Filter Evaluations Parameter Decisions Discussions Conclusion Improved Performance: Using the Bitmap Filter Reduce storages/computations complexities to constant. Definition A bitmap filter is a composition of k bloom filters of equal size N (=2n -bit), denoted as a {k × N}-bitmap filter. The i th bloom filter is denoted as bit-vector [i] in the algorithms. C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 14/31
Outline Introduction Client Network Traffic Characteristics The Bitmap Filter Construct the Bitmap Filter Evaluations Parameter Decisions Discussions Conclusion Improved Performance: Using the Bitmap Filter Reduce storages/computations complexities to constant. 1 2 3 ... k Definition H1(t) 1 1 1 ... 1 A bitmap filter is a composition of k H2(t) bloom filters of equal size N ... (=2n -bit), denoted as a Hm(t) 2n bits {k × N}-bitmap filter. n-bit 1 1 1 ... 1 The i th bloom filter is denoted as 1 1 1 ... 1 bit-vector [i] in the algorithms. C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 14/31
Outline Introduction Client Network Traffic Characteristics The Bitmap Filter Construct the Bitmap Filter Evaluations Parameter Decisions Discussions Conclusion The Algorithms Initialization A {k × N}-bitmap filter is initialized to all bits zero. All the k bloom filters are configured to share the same m hash functions. C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 15/31
Outline Introduction Client Network Traffic Characteristics The Bitmap Filter Construct the Bitmap Filter Evaluations Parameter Decisions Discussions Conclusion The Algorithms Initialization A {k × N}-bitmap filter is initialized to all bits zero. All the k bloom filters are configured to share the same m hash functions. The concept: Time-rotated bloom filters C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 15/31
Outline Introduction Client Network Traffic Characteristics The Bitmap Filter Construct the Bitmap Filter Evaluations Parameter Decisions Discussions Conclusion The Algorithms The concept: Time-rotated bloom filters At time = t0 1 2 3 ... K ... ... ... current eldest C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 15/31
Outline Introduction Client Network Traffic Characteristics The Bitmap Filter Construct the Bitmap Filter Evaluations Parameter Decisions Discussions Conclusion The Algorithms The concept: Time-rotated bloom filters At time = t0 At time = t0 + ∆t 1 2 3 ... K 1 2 3 ... K ... ... ... ... ... ... current current eldest eldest C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 15/31
Outline Introduction Client Network Traffic Characteristics The Bitmap Filter Construct the Bitmap Filter Evaluations Parameter Decisions Discussions Conclusion The Algorithms The concept: Time-rotated bloom filters At time = t0 At time = t0 + ∆t At time = t0 + 2∆t 1 2 3 ... K 1 2 3 ... K 1 2 3 ... K ... ... ... ... ... ... ... ... ... current current current eldest eldest eldest C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 15/31
Outline Introduction Client Network Traffic Characteristics The Bitmap Filter Construct the Bitmap Filter Evaluations Parameter Decisions Discussions Conclusion The Algorithms (cont’d) Algorithm I: Periodically reset the eldest bloom filter Rotate one time unit, then reset the eldest bloom filter. C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 16/31
Outline Introduction Client Network Traffic Characteristics The Bitmap Filter Construct the Bitmap Filter Evaluations Parameter Decisions Discussions Conclusion The Algorithms (cont’d) Algorithm I: Periodically reset the eldest bloom filter Rotate one time unit, then reset the eldest bloom filter. Algorithm II: Test and set the bloom filters Outgoing packets: Mark all corresponding bits on all bloom filters. Incoming packets: Reject if not all corresponding bits are marked on the current bloom filter. C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 16/31
Outline Introduction Client Network Traffic Characteristics The Bitmap Filter Construct the Bitmap Filter Evaluations Parameter Decisions Discussions Conclusion The Algorithms: Illustrated The two algorithms implement the same concept as the modified SPI filter presented before. At time = tk, a snapshot of the current bitmap status. 8 7 6 5 4 ... 3 2 1 2n bits C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 17/31
Outline Introduction Client Network Traffic Characteristics The Bitmap Filter Construct the Bitmap Filter Evaluations Parameter Decisions Discussions Conclusion The Algorithms: Illustrated The two algorithms implement the same concept as the modified SPI filter presented before. At time = tk+∆t, all columns are reduced by 1. 8 7 6 5 4 ... 3 2 1 2n bits C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 17/31
Outline Introduction Client Network Traffic Characteristics The Bitmap Filter Construct the Bitmap Filter Evaluations Parameter Decisions Discussions Conclusion The Algorithms: Illustrated The two algorithms implement the same concept as the modified SPI filter presented before. At time = tk+2∆t, all columns are reduced by 1, again. 8 7 6 5 4 ... 3 2 1 2n bits C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 17/31
Outline Introduction Client Network Traffic Characteristics The Bitmap Filter Construct the Bitmap Filter Evaluations Parameter Decisions Discussions Conclusion The Algorithms: Illustrated The two algorithms implement the same concept as the modified SPI filter presented before. At time = tk+2∆t, with an occurrence of a new connection. 8 7 6 5 4 ... 3 2 1 2n bits C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 17/31
Outline Introduction Client Network Traffic Characteristics The Bitmap Filter Construct the Bitmap Filter Evaluations Parameter Decisions Discussions Conclusion Parameter Decisions Parameter List Name Meaning Te The expired time of a state. ∆t The time unit to rotate the bitmap. k The number of used bloom filters. N The size of each bloom filter. The real size is 2n -bit. m The number of used hash functions for the bloom filters. Guidelines 1 Recall the observed port-reuse effect. Te should not be too large. 2 ∆t should be set properly. Small ∆t increases system loads; large ∆t reduces system granularity (and precision). 3 Te k is roughly ∆t . 4 N and m depends on the scale of the network and the required precision. C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 18/31
Outline Introduction False Positives and False Negatives The Bitmap Filter Performance Evaluations Simulation Discussions Conclusion Outline 1 Introduction 2 The Bitmap Filter 3 Evaluations 4 Discussions 5 Conclusion C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 19/31
Outline Introduction False Positives and False Negatives The Bitmap Filter Performance Evaluations Simulation Discussions Conclusion False Positives and False Negatives Definition False positive: Normal behavior is rejected. False negative: Attacks are accepted. C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 20/31
Outline Introduction False Positives and False Negatives The Bitmap Filter Performance Evaluations Simulation Discussions Conclusion False Positives and False Negatives Definition False positive: Normal behavior is rejected. False negative: Attacks are accepted. False positives Since the lifetime of a state is Te seconds, a false positive occurs only when the out-in packet delay is longer than Te seconds. As the statistics show, when Te is greater than 2.8 seconds, the false positive rates should be lower than 1%. C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 20/31
Outline Introduction False Positives and False Negatives The Bitmap Filter Performance Evaluations Simulation Discussions Conclusion False Negatives Estimating on False Negative Rates 1 Given the expected max number of active connections c in Te and the bitmap size N, the false negative rate can be estimated by N p ≤ exp(− ). (1) e·c 2 In contrast, given N and a tolerable maximum value of p, the expected max number of active connections c should satisfy N c≤− . (2) e ln p C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 21/31
Outline Introduction False Positives and False Negatives The Bitmap Filter Performance Evaluations Simulation Discussions Conclusion Examples For a small- or medium-scale network A bitmap filter is constructed using the following configuration Parameters: k = 4, ∆t = 5, (Te = 20), m = 3 k×2n Required memory space: 8 = 512 K bytes. Given the tolerable penetration probability of 10%, 5%, and 1%, the bitmap filter provides capacity of 167K, 125K, and 83K active connections in Te , respectively. C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 22/31
Outline Introduction False Positives and False Negatives The Bitmap Filter Performance Evaluations Simulation Discussions Conclusion Examples For a small- or medium-scale network A bitmap filter is constructed using the following configuration Parameters: k = 4, ∆t = 5, (Te = 20), m = 3 k×2n Required memory space: 8 = 512 K bytes. Given the tolerable penetration probability of 10%, 5%, and 1%, the bitmap filter provides capacity of 167K, 125K, and 83K active connections in Te , respectively. Compare with the campus network traffic Only 15K active connections within a Te of 20 seconds. C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 22/31
Outline Introduction False Positives and False Negatives The Bitmap Filter Performance Evaluations Simulation Discussions Conclusion Performance Summary Packet Processing: For an outgoing packet: O(m) hashes +O(m × k) marks. For an incoming packet: O(m) hashes +O(m) checks. Bitmap Rotation: Reset a bit vector: constant according to the given bitmap size. C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 23/31
Outline Introduction False Positives and False Negatives The Bitmap Filter Performance Evaluations Simulation Discussions Conclusion Performance Summary Packet Processing: For an outgoing packet: O(m) hashes +O(m × k) marks. For an incoming packet: O(m) hashes +O(m) checks. Bitmap Rotation: Reset a bit vector: constant according to the given bitmap size. Since the bitmap is designed to have fixed size and continuous memory space and the components used in the algorithms are easy to implement as hardware, these algorithms can be completely implemented as a hardware easily. C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 23/31
Outline Introduction False Positives and False Negatives The Bitmap Filter Performance Evaluations Simulation Discussions Conclusion Compare with Similar Implementations Hash + link-list AVL-tree Bitmap filter (Linux) Storage space - Complexity O(n) O(n) O(c) Storage space - Handle 2.55M active 77M bytes 77M bytes 8M bytes connections Computation Complexity - Insert a new state O(1) O(log n) O(1) Computation Complexity - Search for a state O(n) O(log n) O(1) Computation Complexity - Garbage collection O(n) O(n) O(c) Hardware acceleration Possible Expensive Cheap C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 24/31
Outline Introduction False Positives and False Negatives The Bitmap Filter Performance Evaluations Simulation Discussions Conclusion Simulation I: Drop Rate Comparison Compare the drop rate of BF and SPI-filter Environments Implement an SPI filter (expire idle state after 240 seconds). The bitmap filter: n = 20, k = 4, ∆t = 5, Te = 20 (512K bytes). Drop rates measure in a 5-second time unit. C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 25/31
Outline Introduction False Positives and False Negatives The Bitmap Filter Performance Evaluations Simulation Discussions Conclusion Simulation I: Drop Rate Comparison Compare the drop rate of BF and SPI-filter Environments 3.5 Implement an SPI filter (expire idle Drop rate of the bitmap filter (%) 3.0 state after 240 seconds). 2.5 The bitmap filter: n = 20, k = 4, 2.0 ∆t = 5, Te = 20 (512K bytes). 1.5 Drop rates measure in a 5-second time unit. 1.0 1.0 1.5 2.0 2.5 3.0 Drop rate of the SPI filter (%) C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 25/31
Outline Introduction False Positives and False Negatives The Bitmap Filter Performance Evaluations Simulation Discussions Conclusion Simulation II: Filter Rate Environments The same bitmap filter used in simulation I. Attack rate: spoofed addresses, 500K packets per second. C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 26/31
Outline Introduction False Positives and False Negatives The Bitmap Filter Performance Evaluations Simulation Discussions Conclusion Simulation II: Filter Rate Environments The same bitmap filter used in simulation I. Attack rate: spoofed addresses, 500K packets per second. a. Filter Performance b. Attack Filtering Rate 100.01 4e+05 Filtering rate (%) Packet Count 99.99 2e+05 99.97 0e+00 99.95 0 5000 10000 15000 20000 12000 14000 16000 18000 20000 22000 Time (in seconds) Time (in seconds) C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 26/31
Outline Introduction The Bitmap Filter Summary Evaluations Discussions Conclusion Outline 1 Introduction 2 The Bitmap Filter 3 Evaluations 4 Discussions 5 Conclusion C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 27/31
Outline Introduction The Bitmap Filter Summary Evaluations Discussions Conclusion Summary of Discussions 1 The Compatibility The bitmap filter is compatible with all single connection applications. For multiple connection applications, the bitmap filter is also compatible with hole-punching like NAT-traversal solutions. C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 28/31
Outline Introduction The Bitmap Filter Summary Evaluations Discussions Conclusion Summary of Discussions 1 The Compatibility The bitmap filter is compatible with all single connection applications. For multiple connection applications, the bitmap filter is also compatible with hole-punching like NAT-traversal solutions. 2 Attack from Insiders An inside attacker may quickly increase the bitmap utilization when attacking outsiders. It hence increase the false negative rate. An administrator may increase n or Te to tolerate such attacks. However, it would be better to identify and eliminate inside attackers. C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 28/31
Outline Introduction The Bitmap Filter Summary Evaluations Discussions Conclusion Summary of Discussions 1 The Compatibility The bitmap filter is compatible with all single connection applications. For multiple connection applications, the bitmap filter is also compatible with hole-punching like NAT-traversal solutions. 2 Attack from Insiders An inside attacker may quickly increase the bitmap utilization when attacking outsiders. It hence increase the false negative rate. An administrator may increase n or Te to tolerate such attacks. However, it would be better to identify and eliminate inside attackers. 3 Adaptive Packet Dropping For bandwidth attacks only, the bitmap filter may consider to adopt adaptive packet dropping to increase the compatibility. C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 28/31
Outline Introduction The Bitmap Filter Evaluations Discussions Conclusion Outline 1 Introduction 2 The Bitmap Filter 3 Evaluations 4 Discussions 5 Conclusion C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 29/31
Outline Introduction The Bitmap Filter Evaluations Discussions Conclusion Conclusion We propose the bitmap filter, an alternative implementation to replace the stateful packet inspection (SPI) filter, to stop malicious traffic for client networks. The bitmap filter successful reduces the complexities of both storage and computation to constants. Analyses and simulations show that with limited resources, the bitmap filter can filter 90% even 99% attack traffic. C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 30/31
Outline Introduction The Bitmap Filter Evaluations Discussions Conclusion Thanks for your attention. Comments or questions? C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 31/31

Recommended

Analysis Of Films Horror Slasher and research
Analysis Of Films Horror Slasher and researchAnalysis Of Films Horror Slasher and research
Analysis Of Films Horror Slasher and researchJordan
 
Think New Think Change
Think New Think ChangeThink New Think Change
Think New Think ChangeKannan Rajarathnam
 
Analysis Of Films - Horror Pp and research
Analysis Of Films - Horror Pp and researchAnalysis Of Films - Horror Pp and research
Analysis Of Films - Horror Pp and researchJordan
 
Digipak Evaluation sheet
Digipak Evaluation sheetDigipak Evaluation sheet
Digipak Evaluation sheetJordan
 
Dubstep presentation1
Dubstep presentation1Dubstep presentation1
Dubstep presentation1Jordan
 
India - Growth Options
India - Growth OptionsIndia - Growth Options
India - Growth OptionsKannan Rajarathnam
 
Indian Economy 21May2010
Indian Economy 21May2010Indian Economy 21May2010
Indian Economy 21May2010Kannan Rajarathnam
 
Identifying MMORPG Bots: A Traffic Analysis Approach
Identifying MMORPG Bots: A Traffic Analysis ApproachIdentifying MMORPG Bots: A Traffic Analysis Approach
Identifying MMORPG Bots: A Traffic Analysis ApproachAcademia Sinica
 

Recommended

Analysis Of Films Horror Slasher and research
Analysis Of Films Horror Slasher and researchAnalysis Of Films Horror Slasher and research
Analysis Of Films Horror Slasher and researchJordan
 
Think New Think Change
Think New Think ChangeThink New Think Change
Think New Think ChangeKannan Rajarathnam
 
Analysis Of Films - Horror Pp and research
Analysis Of Films - Horror Pp and researchAnalysis Of Films - Horror Pp and research
Analysis Of Films - Horror Pp and researchJordan
 
Digipak Evaluation sheet
Digipak Evaluation sheetDigipak Evaluation sheet
Digipak Evaluation sheetJordan
 
Dubstep presentation1
Dubstep presentation1Dubstep presentation1
Dubstep presentation1Jordan
 
India - Growth Options
India - Growth OptionsIndia - Growth Options
India - Growth OptionsKannan Rajarathnam
 
Indian Economy 21May2010
Indian Economy 21May2010Indian Economy 21May2010
Indian Economy 21May2010Kannan Rajarathnam
 
Identifying MMORPG Bots: A Traffic Analysis Approach
Identifying MMORPG Bots: A Traffic Analysis ApproachIdentifying MMORPG Bots: A Traffic Analysis Approach
Identifying MMORPG Bots: A Traffic Analysis ApproachAcademia Sinica
 
Computational Social Science:The Collaborative Futures of Big Data, Computer ...
Computational Social Science:The Collaborative Futures of Big Data, Computer ...Computational Social Science:The Collaborative Futures of Big Data, Computer ...
Computational Social Science:The Collaborative Futures of Big Data, Computer ...Academia Sinica
 
Games on Demand: Are We There Yet?
Games on Demand: Are We There Yet?Games on Demand: Are We There Yet?
Games on Demand: Are We There Yet?Academia Sinica
 
Detecting In-Situ Identity Fraud on Social Network Services: A Case Study on ...
Detecting In-Situ Identity Fraud on Social Network Services: A Case Study on ...Detecting In-Situ Identity Fraud on Social Network Services: A Case Study on ...
Detecting In-Situ Identity Fraud on Social Network Services: A Case Study on ...Academia Sinica
 
Cloud Gaming Onward: Research Opportunities and Outlook
Cloud Gaming Onward: Research Opportunities and OutlookCloud Gaming Onward: Research Opportunities and Outlook
Cloud Gaming Onward: Research Opportunities and OutlookAcademia Sinica
 
Quantifying User Satisfaction in Mobile Cloud Games
Quantifying User Satisfaction in Mobile Cloud GamesQuantifying User Satisfaction in Mobile Cloud Games
Quantifying User Satisfaction in Mobile Cloud GamesAcademia Sinica
 
量化「樂趣」-以心理生理量測探究數位娛樂商品之市場價值
量化「樂趣」-以心理生理量測探究數位娛樂商品之市場價值量化「樂趣」-以心理生理量測探究數位娛樂商品之市場價值
量化「樂趣」-以心理生理量測探究數位娛樂商品之市場價值Academia Sinica
 
On The Battle between Online Gamers and Lags
On The Battle between Online Gamers and LagsOn The Battle between Online Gamers and Lags
On The Battle between Online Gamers and LagsAcademia Sinica
 
Understanding The Performance of Thin-Client Gaming
Understanding The Performance of Thin-Client GamingUnderstanding The Performance of Thin-Client Gaming
Understanding The Performance of Thin-Client GamingAcademia Sinica
 
Quantifying QoS Requirements of Network Services: A Cheat-Proof Framework
Quantifying QoS Requirements of Network Services: A Cheat-Proof FrameworkQuantifying QoS Requirements of Network Services: A Cheat-Proof Framework
Quantifying QoS Requirements of Network Services: A Cheat-Proof FrameworkAcademia Sinica
 
Online Game QoE Evaluation using Paired Comparisons
Online Game QoE Evaluation using Paired ComparisonsOnline Game QoE Evaluation using Paired Comparisons
Online Game QoE Evaluation using Paired ComparisonsAcademia Sinica
 
GamingAnywhere: An Open Cloud Gaming System
GamingAnywhere: An Open Cloud Gaming SystemGamingAnywhere: An Open Cloud Gaming System
GamingAnywhere: An Open Cloud Gaming SystemAcademia Sinica
 
Are All Games Equally Cloud-Gaming-Friendly? An Electromyographic Approach
Are All Games Equally Cloud-Gaming-Friendly? An Electromyographic ApproachAre All Games Equally Cloud-Gaming-Friendly? An Electromyographic Approach
Are All Games Equally Cloud-Gaming-Friendly? An Electromyographic ApproachAcademia Sinica
 
Forecasting Online Game Addictiveness
Forecasting Online Game AddictivenessForecasting Online Game Addictiveness
Forecasting Online Game AddictivenessAcademia Sinica
 
Toward an Understanding of the Processing Delay of Peer-to-Peer Relay Nodes
Toward an Understanding of the Processing Delay of Peer-to-Peer Relay NodesToward an Understanding of the Processing Delay of Peer-to-Peer Relay Nodes
Toward an Understanding of the Processing Delay of Peer-to-Peer Relay NodesAcademia Sinica
 
Inferring Speech Activity from Encrypted Skype Traffic
Inferring Speech Activity from Encrypted Skype TrafficInferring Speech Activity from Encrypted Skype Traffic
Inferring Speech Activity from Encrypted Skype TrafficAcademia Sinica
 
Game Bot Detection Based on Avatar Trajectory
Game Bot Detection Based on Avatar TrajectoryGame Bot Detection Based on Avatar Trajectory
Game Bot Detection Based on Avatar TrajectoryAcademia Sinica
 
Improving Reliability of Web 2.0-based Rating Systems Using Per-user Trustiness
Improving Reliability of Web 2.0-based Rating Systems Using Per-user TrustinessImproving Reliability of Web 2.0-based Rating Systems Using Per-user Trustiness
Improving Reliability of Web 2.0-based Rating Systems Using Per-user TrustinessAcademia Sinica
 
A Collusion-Resistant Automation Scheme for Social Moderation Systems
A Collusion-Resistant Automation Scheme for Social Moderation SystemsA Collusion-Resistant Automation Scheme for Social Moderation Systems
A Collusion-Resistant Automation Scheme for Social Moderation SystemsAcademia Sinica
 
Tuning Skype’s Redundancy Control Algorithm for User Satisfaction
Tuning Skype’s Redundancy Control Algorithm for User SatisfactionTuning Skype’s Redundancy Control Algorithm for User Satisfaction
Tuning Skype’s Redundancy Control Algorithm for User SatisfactionAcademia Sinica
 
Network Game Design: Hints and Implications of Player Interaction
Network Game Design: Hints and Implications of Player InteractionNetwork Game Design: Hints and Implications of Player Interaction
Network Game Design: Hints and Implications of Player InteractionAcademia Sinica
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...gurkirankumar98700
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 

More Related Content

More from Academia Sinica

Computational Social Science:The Collaborative Futures of Big Data, Computer ...
Computational Social Science:The Collaborative Futures of Big Data, Computer ...Computational Social Science:The Collaborative Futures of Big Data, Computer ...
Computational Social Science:The Collaborative Futures of Big Data, Computer ...Academia Sinica
 
Games on Demand: Are We There Yet?
Games on Demand: Are We There Yet?Games on Demand: Are We There Yet?
Games on Demand: Are We There Yet?Academia Sinica
 
Detecting In-Situ Identity Fraud on Social Network Services: A Case Study on ...
Detecting In-Situ Identity Fraud on Social Network Services: A Case Study on ...Detecting In-Situ Identity Fraud on Social Network Services: A Case Study on ...
Detecting In-Situ Identity Fraud on Social Network Services: A Case Study on ...Academia Sinica
 
Cloud Gaming Onward: Research Opportunities and Outlook
Cloud Gaming Onward: Research Opportunities and OutlookCloud Gaming Onward: Research Opportunities and Outlook
Cloud Gaming Onward: Research Opportunities and OutlookAcademia Sinica
 
Quantifying User Satisfaction in Mobile Cloud Games
Quantifying User Satisfaction in Mobile Cloud GamesQuantifying User Satisfaction in Mobile Cloud Games
Quantifying User Satisfaction in Mobile Cloud GamesAcademia Sinica
 
量化「樂趣」-以心理生理量測探究數位娛樂商品之市場價值
量化「樂趣」-以心理生理量測探究數位娛樂商品之市場價值量化「樂趣」-以心理生理量測探究數位娛樂商品之市場價值
量化「樂趣」-以心理生理量測探究數位娛樂商品之市場價值Academia Sinica
 
On The Battle between Online Gamers and Lags
On The Battle between Online Gamers and LagsOn The Battle between Online Gamers and Lags
On The Battle between Online Gamers and LagsAcademia Sinica
 
Understanding The Performance of Thin-Client Gaming
Understanding The Performance of Thin-Client GamingUnderstanding The Performance of Thin-Client Gaming
Understanding The Performance of Thin-Client GamingAcademia Sinica
 
Quantifying QoS Requirements of Network Services: A Cheat-Proof Framework
Quantifying QoS Requirements of Network Services: A Cheat-Proof FrameworkQuantifying QoS Requirements of Network Services: A Cheat-Proof Framework
Quantifying QoS Requirements of Network Services: A Cheat-Proof FrameworkAcademia Sinica
 
Online Game QoE Evaluation using Paired Comparisons
Online Game QoE Evaluation using Paired ComparisonsOnline Game QoE Evaluation using Paired Comparisons
Online Game QoE Evaluation using Paired ComparisonsAcademia Sinica
 
GamingAnywhere: An Open Cloud Gaming System
GamingAnywhere: An Open Cloud Gaming SystemGamingAnywhere: An Open Cloud Gaming System
GamingAnywhere: An Open Cloud Gaming SystemAcademia Sinica
 
Are All Games Equally Cloud-Gaming-Friendly? An Electromyographic Approach
Are All Games Equally Cloud-Gaming-Friendly? An Electromyographic ApproachAre All Games Equally Cloud-Gaming-Friendly? An Electromyographic Approach
Are All Games Equally Cloud-Gaming-Friendly? An Electromyographic ApproachAcademia Sinica
 
Forecasting Online Game Addictiveness
Forecasting Online Game AddictivenessForecasting Online Game Addictiveness
Forecasting Online Game AddictivenessAcademia Sinica
 
Toward an Understanding of the Processing Delay of Peer-to-Peer Relay Nodes
Toward an Understanding of the Processing Delay of Peer-to-Peer Relay NodesToward an Understanding of the Processing Delay of Peer-to-Peer Relay Nodes
Toward an Understanding of the Processing Delay of Peer-to-Peer Relay NodesAcademia Sinica
 
Inferring Speech Activity from Encrypted Skype Traffic
Inferring Speech Activity from Encrypted Skype TrafficInferring Speech Activity from Encrypted Skype Traffic
Inferring Speech Activity from Encrypted Skype TrafficAcademia Sinica
 
Game Bot Detection Based on Avatar Trajectory
Game Bot Detection Based on Avatar TrajectoryGame Bot Detection Based on Avatar Trajectory
Game Bot Detection Based on Avatar TrajectoryAcademia Sinica
 
Improving Reliability of Web 2.0-based Rating Systems Using Per-user Trustiness
Improving Reliability of Web 2.0-based Rating Systems Using Per-user TrustinessImproving Reliability of Web 2.0-based Rating Systems Using Per-user Trustiness
Improving Reliability of Web 2.0-based Rating Systems Using Per-user TrustinessAcademia Sinica
 
A Collusion-Resistant Automation Scheme for Social Moderation Systems
A Collusion-Resistant Automation Scheme for Social Moderation SystemsA Collusion-Resistant Automation Scheme for Social Moderation Systems
A Collusion-Resistant Automation Scheme for Social Moderation SystemsAcademia Sinica
 
Tuning Skype’s Redundancy Control Algorithm for User Satisfaction
Tuning Skype’s Redundancy Control Algorithm for User SatisfactionTuning Skype’s Redundancy Control Algorithm for User Satisfaction
Tuning Skype’s Redundancy Control Algorithm for User SatisfactionAcademia Sinica
 
Network Game Design: Hints and Implications of Player Interaction
Network Game Design: Hints and Implications of Player InteractionNetwork Game Design: Hints and Implications of Player Interaction
Network Game Design: Hints and Implications of Player InteractionAcademia Sinica
 

More from Academia Sinica (20)

Computational Social Science:The Collaborative Futures of Big Data, Computer ...
Computational Social Science:The Collaborative Futures of Big Data, Computer ...Computational Social Science:The Collaborative Futures of Big Data, Computer ...
Computational Social Science:The Collaborative Futures of Big Data, Computer ...
 
Games on Demand: Are We There Yet?
Games on Demand: Are We There Yet?Games on Demand: Are We There Yet?
Games on Demand: Are We There Yet?
 
Detecting In-Situ Identity Fraud on Social Network Services: A Case Study on ...
Detecting In-Situ Identity Fraud on Social Network Services: A Case Study on ...Detecting In-Situ Identity Fraud on Social Network Services: A Case Study on ...
Detecting In-Situ Identity Fraud on Social Network Services: A Case Study on ...
 
Cloud Gaming Onward: Research Opportunities and Outlook
Cloud Gaming Onward: Research Opportunities and OutlookCloud Gaming Onward: Research Opportunities and Outlook
Cloud Gaming Onward: Research Opportunities and Outlook
 
Quantifying User Satisfaction in Mobile Cloud Games
Quantifying User Satisfaction in Mobile Cloud GamesQuantifying User Satisfaction in Mobile Cloud Games
Quantifying User Satisfaction in Mobile Cloud Games
 
量化「樂趣」-以心理生理量測探究數位娛樂商品之市場價值
量化「樂趣」-以心理生理量測探究數位娛樂商品之市場價值量化「樂趣」-以心理生理量測探究數位娛樂商品之市場價值
量化「樂趣」-以心理生理量測探究數位娛樂商品之市場價值
 
On The Battle between Online Gamers and Lags
On The Battle between Online Gamers and LagsOn The Battle between Online Gamers and Lags
On The Battle between Online Gamers and Lags
 
Understanding The Performance of Thin-Client Gaming
Understanding The Performance of Thin-Client GamingUnderstanding The Performance of Thin-Client Gaming
Understanding The Performance of Thin-Client Gaming
 
Quantifying QoS Requirements of Network Services: A Cheat-Proof Framework
Quantifying QoS Requirements of Network Services: A Cheat-Proof FrameworkQuantifying QoS Requirements of Network Services: A Cheat-Proof Framework
Quantifying QoS Requirements of Network Services: A Cheat-Proof Framework
 
Online Game QoE Evaluation using Paired Comparisons
Online Game QoE Evaluation using Paired ComparisonsOnline Game QoE Evaluation using Paired Comparisons
Online Game QoE Evaluation using Paired Comparisons
 
GamingAnywhere: An Open Cloud Gaming System
GamingAnywhere: An Open Cloud Gaming SystemGamingAnywhere: An Open Cloud Gaming System
GamingAnywhere: An Open Cloud Gaming System
 
Are All Games Equally Cloud-Gaming-Friendly? An Electromyographic Approach
Are All Games Equally Cloud-Gaming-Friendly? An Electromyographic ApproachAre All Games Equally Cloud-Gaming-Friendly? An Electromyographic Approach
Are All Games Equally Cloud-Gaming-Friendly? An Electromyographic Approach
 
Forecasting Online Game Addictiveness
Forecasting Online Game AddictivenessForecasting Online Game Addictiveness
Forecasting Online Game Addictiveness
 
Toward an Understanding of the Processing Delay of Peer-to-Peer Relay Nodes
Toward an Understanding of the Processing Delay of Peer-to-Peer Relay NodesToward an Understanding of the Processing Delay of Peer-to-Peer Relay Nodes
Toward an Understanding of the Processing Delay of Peer-to-Peer Relay Nodes
 
Inferring Speech Activity from Encrypted Skype Traffic
Inferring Speech Activity from Encrypted Skype TrafficInferring Speech Activity from Encrypted Skype Traffic
Inferring Speech Activity from Encrypted Skype Traffic
 
Game Bot Detection Based on Avatar Trajectory
Game Bot Detection Based on Avatar TrajectoryGame Bot Detection Based on Avatar Trajectory
Game Bot Detection Based on Avatar Trajectory
 
Improving Reliability of Web 2.0-based Rating Systems Using Per-user Trustiness
Improving Reliability of Web 2.0-based Rating Systems Using Per-user TrustinessImproving Reliability of Web 2.0-based Rating Systems Using Per-user Trustiness
Improving Reliability of Web 2.0-based Rating Systems Using Per-user Trustiness
 
A Collusion-Resistant Automation Scheme for Social Moderation Systems
A Collusion-Resistant Automation Scheme for Social Moderation SystemsA Collusion-Resistant Automation Scheme for Social Moderation Systems
A Collusion-Resistant Automation Scheme for Social Moderation Systems
 
Tuning Skype’s Redundancy Control Algorithm for User Satisfaction
Tuning Skype’s Redundancy Control Algorithm for User SatisfactionTuning Skype’s Redundancy Control Algorithm for User Satisfaction
Tuning Skype’s Redundancy Control Algorithm for User Satisfaction
 
Network Game Design: Hints and Implications of Player Interaction
Network Game Design: Hints and Implications of Player InteractionNetwork Game Design: Hints and Implications of Player Interaction
Network Game Design: Hints and Implications of Player Interaction
 

Recently uploaded

Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...gurkirankumar98700
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsRoshan Dwivedi
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilV3cube
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 

Recently uploaded (20)

Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 

Mitigating Active Attacks Using Bitmap Filter

  • 1. Outline Introduction The Bitmap Filter Evaluations Discussions Conclusion Mitigating Active Attacks Towards Client Networks Using the Bitmap Filter Chun-Ying Huang Kuan-Ta Chen Chin-Laung Lei Distributed Computing and Network Security Lab Department of Electrical Engineering National Taiwan University June 26, 2006 C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 1/31
  • 2. Outline Introduction The Bitmap Filter Evaluations Discussions Conclusion Outline 1 Introduction 2 The Bitmap Filter 3 Evaluations 4 Discussions 5 Conclusion C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 2/31
  • 3. Outline Introduction The Bitmap Filter Definitions and Motivations Evaluations Stateful Packet Inspection Discussions Conclusion Outline 1 Introduction 2 The Bitmap Filter 3 Evaluations 4 Discussions 5 Conclusion C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 3/31
  • 4. Outline Introduction The Bitmap Filter Definitions and Motivations Evaluations Stateful Packet Inspection Discussions Conclusion Active Attacks Definition An active attack is behavior that deliberately scans, probes, or intrudes on certain hosts or networks with malicious intent. C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 4/31
  • 5. Outline Introduction The Bitmap Filter Definitions and Motivations Evaluations Stateful Packet Inspection Discussions Conclusion Active Attacks Definition An active attack is behavior that deliberately scans, probes, or intrudes on certain hosts or networks with malicious intent. Motivations The popularity of Internet worms moves the victims. Most defense mechanisms are required to deploy globally. How does an ISP prevent customers/clients from attacks? C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 4/31
  • 6. Outline Introduction The Bitmap Filter Definitions and Motivations Evaluations Stateful Packet Inspection Discussions Conclusion Active Attacks Definition An active attack is behavior that deliberately scans, probes, or intrudes on certain hosts or networks with malicious intent. Motivations The popularity of Internet worms moves the victims. Most defense mechanisms are required to deploy globally. How does an ISP prevent customers/clients from attacks? Construct an efficient stateful packet inspection (SPI) filter. C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 4/31
  • 7. Outline Introduction The Bitmap Filter Definitions and Motivations Evaluations Stateful Packet Inspection Discussions Conclusion Stateful Packet Inspection Attacker A Client C SPI Filter Server S C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 5/31
  • 8. Outline Introduction The Bitmap Filter Definitions and Motivations Evaluations Stateful Packet Inspection Discussions Conclusion Stateful Packet Inspection State Table Src Src-Port Dst Dst-Port .. .. .. .. C 1234 S 80 .... .... .... .... Attacker A Request: C:1234 S:80 Client C SPI Filter Server S C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 5/31
  • 9. Outline Introduction The Bitmap Filter Definitions and Motivations Evaluations Stateful Packet Inspection Discussions Conclusion Stateful Packet Inspection State Table Src Src-Port Dst Dst-Port .. .. .. .. C 1234 S 80 .... .... .... .... Attacker A Request: C:1234 S:80 Client C SPI Filter R e s S:80 p on s e : C :1 23 4 Server S C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 5/31
  • 10. Outline Introduction The Bitmap Filter Definitions and Motivations Evaluations Stateful Packet Inspection Discussions Conclusion Stateful Packet Inspection State Table Src Src-Port Dst Dst-Port .. .. .. .. C 1234 S 80 C : 1: 67 .... .... .... .... # 45 k Attacker A 8 0 ta c A : A t 2 : 7 8 k# :5 6 ta c C Request: A t 4 3 C:1234 S:80 X :1 2 Client C SPI Filter R e s S:80 p on s e : C :1 23 4 Server S C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 5/31
  • 11. Outline Introduction The Bitmap Filter Definitions and Motivations Evaluations Stateful Packet Inspection Discussions Conclusion Stateful Packet Inspection (cont’d) The Problem The linearly increased costs on both storage spaces and computations. C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 6/31
  • 12. Outline Introduction Client Network Traffic Characteristics The Bitmap Filter Construct the Bitmap Filter Evaluations Parameter Decisions Discussions Conclusion Outline 1 Introduction 2 The Bitmap Filter 3 Evaluations 4 Discussions 5 Conclusion C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 7/31
  • 13. Outline Introduction Client Network Traffic Characteristics The Bitmap Filter Construct the Bitmap Filter Evaluations Parameter Decisions Discussions Conclusion Client Network Traffic Characteristics Observations 1 Connection/Session lifetime 2 Out-In packet delay C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 8/31
  • 14. Outline Introduction Client Network Traffic Characteristics The Bitmap Filter Construct the Bitmap Filter Evaluations Parameter Decisions Discussions Conclusion Client Network Traffic Characteristics Observations 1 Connection/Session lifetime 2 Out-In packet delay Data source: aggregated six class-C campus client networks A 6-hour TCP and UDP packet trace. Collected between 10AM and 4PM in a weekday. 96.25% are TCP packets; and 3.75% are UDP packets. Average packet rate: 24.63K packets per second. Average bandwidth utilization: 138.55 Mbps. Average packet size: 720 bytes. C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 8/31
  • 15. Outline Introduction Client Network Traffic Characteristics The Bitmap Filter Construct the Bitmap Filter Evaluations Parameter Decisions Discussions Conclusion Connection/Session Lifetime Definition Given a TCP connection, measure the time between the last TCP-SYN and the first TCP-FIN packet. C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 9/31
  • 16. Outline Introduction Client Network Traffic Characteristics The Bitmap Filter Construct the Bitmap Filter Evaluations Parameter Decisions Discussions Conclusion Connection/Session Lifetime Definition a. Connection Lifetime Given a TCP connection, measure the time between the last TCP-SYN 1e+06 319 99% connections are shorter than and the first TCP-FIN packet. 515 seconds Number of connections 1e+04 Result summary 1e+02 90%: < 76 seconds. 95%: < 6 minutes. 1e+00 99%: < 515 seconds. 76 515 0 2000 4000 6000 8000 10000 Lifetime is short. Lifetime (in seconds) C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 9/31
  • 17. Outline Introduction Client Network Traffic Characteristics The Bitmap Filter Construct the Bitmap Filter Evaluations Parameter Decisions Discussions Conclusion Out-In Packet Delay Definition of the Out-In Packet Delay A connection contains several outgoing and incoming packets. We measure the elapsed time between the outgoing packet and the successive incoming packets in each connection. Outgoing Packets A B C D Incoming Packets 1 2 3 4 5 6 LAN A-1 A-2 B-4 B-5 D-6 WAN A-3 C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 10/31
  • 18. Outline Introduction Client Network Traffic Characteristics The Bitmap Filter Construct the Bitmap Filter Evaluations Parameter Decisions Discussions Conclusion Out-In Packet Delay (cont’d) Result summary Observed port-reuse effect. 99% < 2.8 seconds, implies that Internet traffic is bi-directional and has high locality in the temporal domain. b. Out−In Packet Delay c. Out−In Packet Delay (CDF) 1.00 1e+08 99% out−in packet delays are shorter than 2.8 seconds 1e+06 0.95 Packet Count 60 95% out−in packet delays Peaks are interleaved with are shorter than 30 CDF 1e+04 120 intervals of roughly 30 or 60 seconds 0.8 seconds 100 160 220 290 350 420 480 540 0.90 150 190 1e+02 1e+00 0.85 0 100 200 300 400 500 600 0 5 10 15 20 Delay (in seconds) Delay (in seconds) C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 11/31
  • 19. Outline Introduction Client Network Traffic Characteristics The Bitmap Filter Construct the Bitmap Filter Evaluations Parameter Decisions Discussions Conclusion Construct the Bitmap Filter With the previous observations: 1 Connection/Session lifetime is short. 2 Out-in packet delays are short. 3 Internet traffic is bi-directional. A stateful packet inspection (SPI) filter can be modified. C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 12/31
  • 20. Outline Introduction Client Network Traffic Characteristics The Bitmap Filter Construct the Bitmap Filter Evaluations Parameter Decisions Discussions Conclusion A Na¨ Method to Modify an SPI Filter ıve Expire connection state information with timers. State Table Connection Info. Timer .. .. C:1234 S:80 10 C : 1: 67 .... .... # 45 k Attacker A 8 0 ta c A : A t 2 : 7 8 k# :5 6 ta c C Request: A t 4 3 C:1234 S:80 X :1 2 Client C SPI Filter R e s S:80 p o n s e : C :1 234 Server S C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 13/31
  • 21. Outline Introduction Client Network Traffic Characteristics The Bitmap Filter Construct the Bitmap Filter Evaluations Parameter Decisions Discussions Conclusion A Na¨ Method to Modify an SPI Filter ıve Expire connection state information with timers. State Table Connection Info. Timer .. .. C:1234 S:80 10 C : 1: 67 .... .... # 45 k Attacker A 8 0 ta c A : A t 2 : 7 8 k# :5 6 ta c C Request: A t 4 3 C:1234 S:80 X :1 2 Client C SPI Filter R e s S:80 p o n s e : C :1 234 Server S However: Still linear complexities on storages and computations. C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 13/31
  • 22. Outline Introduction Client Network Traffic Characteristics The Bitmap Filter Construct the Bitmap Filter Evaluations Parameter Decisions Discussions Conclusion Improved Performance: Using the Bitmap Filter Reduce storages/computations complexities to constant. C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 14/31
  • 23. Outline Introduction Client Network Traffic Characteristics The Bitmap Filter Construct the Bitmap Filter Evaluations Parameter Decisions Discussions Conclusion Improved Performance: Using the Bitmap Filter Reduce storages/computations complexities to constant. Definition A bitmap filter is a composition of k bloom filters of equal size N (=2n -bit), denoted as a {k × N}-bitmap filter. The i th bloom filter is denoted as bit-vector [i] in the algorithms. C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 14/31
  • 24. Outline Introduction Client Network Traffic Characteristics The Bitmap Filter Construct the Bitmap Filter Evaluations Parameter Decisions Discussions Conclusion Improved Performance: Using the Bitmap Filter Reduce storages/computations complexities to constant. 1 2 3 ... k Definition H1(t) 1 1 1 ... 1 A bitmap filter is a composition of k H2(t) bloom filters of equal size N ... (=2n -bit), denoted as a Hm(t) 2n bits {k × N}-bitmap filter. n-bit 1 1 1 ... 1 The i th bloom filter is denoted as 1 1 1 ... 1 bit-vector [i] in the algorithms. C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 14/31
  • 25. Outline Introduction Client Network Traffic Characteristics The Bitmap Filter Construct the Bitmap Filter Evaluations Parameter Decisions Discussions Conclusion The Algorithms Initialization A {k × N}-bitmap filter is initialized to all bits zero. All the k bloom filters are configured to share the same m hash functions. C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 15/31
  • 26. Outline Introduction Client Network Traffic Characteristics The Bitmap Filter Construct the Bitmap Filter Evaluations Parameter Decisions Discussions Conclusion The Algorithms Initialization A {k × N}-bitmap filter is initialized to all bits zero. All the k bloom filters are configured to share the same m hash functions. The concept: Time-rotated bloom filters C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 15/31
  • 27. Outline Introduction Client Network Traffic Characteristics The Bitmap Filter Construct the Bitmap Filter Evaluations Parameter Decisions Discussions Conclusion The Algorithms The concept: Time-rotated bloom filters At time = t0 1 2 3 ... K ... ... ... current eldest C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 15/31
  • 28. Outline Introduction Client Network Traffic Characteristics The Bitmap Filter Construct the Bitmap Filter Evaluations Parameter Decisions Discussions Conclusion The Algorithms The concept: Time-rotated bloom filters At time = t0 At time = t0 + ∆t 1 2 3 ... K 1 2 3 ... K ... ... ... ... ... ... current current eldest eldest C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 15/31
  • 29. Outline Introduction Client Network Traffic Characteristics The Bitmap Filter Construct the Bitmap Filter Evaluations Parameter Decisions Discussions Conclusion The Algorithms The concept: Time-rotated bloom filters At time = t0 At time = t0 + ∆t At time = t0 + 2∆t 1 2 3 ... K 1 2 3 ... K 1 2 3 ... K ... ... ... ... ... ... ... ... ... current current current eldest eldest eldest C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 15/31
  • 30. Outline Introduction Client Network Traffic Characteristics The Bitmap Filter Construct the Bitmap Filter Evaluations Parameter Decisions Discussions Conclusion The Algorithms (cont’d) Algorithm I: Periodically reset the eldest bloom filter Rotate one time unit, then reset the eldest bloom filter. C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 16/31
  • 31. Outline Introduction Client Network Traffic Characteristics The Bitmap Filter Construct the Bitmap Filter Evaluations Parameter Decisions Discussions Conclusion The Algorithms (cont’d) Algorithm I: Periodically reset the eldest bloom filter Rotate one time unit, then reset the eldest bloom filter. Algorithm II: Test and set the bloom filters Outgoing packets: Mark all corresponding bits on all bloom filters. Incoming packets: Reject if not all corresponding bits are marked on the current bloom filter. C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 16/31
  • 32. Outline Introduction Client Network Traffic Characteristics The Bitmap Filter Construct the Bitmap Filter Evaluations Parameter Decisions Discussions Conclusion The Algorithms: Illustrated The two algorithms implement the same concept as the modified SPI filter presented before. At time = tk, a snapshot of the current bitmap status. 8 7 6 5 4 ... 3 2 1 2n bits C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 17/31
  • 33. Outline Introduction Client Network Traffic Characteristics The Bitmap Filter Construct the Bitmap Filter Evaluations Parameter Decisions Discussions Conclusion The Algorithms: Illustrated The two algorithms implement the same concept as the modified SPI filter presented before. At time = tk+∆t, all columns are reduced by 1. 8 7 6 5 4 ... 3 2 1 2n bits C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 17/31
  • 34. Outline Introduction Client Network Traffic Characteristics The Bitmap Filter Construct the Bitmap Filter Evaluations Parameter Decisions Discussions Conclusion The Algorithms: Illustrated The two algorithms implement the same concept as the modified SPI filter presented before. At time = tk+2∆t, all columns are reduced by 1, again. 8 7 6 5 4 ... 3 2 1 2n bits C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 17/31
  • 35. Outline Introduction Client Network Traffic Characteristics The Bitmap Filter Construct the Bitmap Filter Evaluations Parameter Decisions Discussions Conclusion The Algorithms: Illustrated The two algorithms implement the same concept as the modified SPI filter presented before. At time = tk+2∆t, with an occurrence of a new connection. 8 7 6 5 4 ... 3 2 1 2n bits C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 17/31
  • 36. Outline Introduction Client Network Traffic Characteristics The Bitmap Filter Construct the Bitmap Filter Evaluations Parameter Decisions Discussions Conclusion Parameter Decisions Parameter List Name Meaning Te The expired time of a state. ∆t The time unit to rotate the bitmap. k The number of used bloom filters. N The size of each bloom filter. The real size is 2n -bit. m The number of used hash functions for the bloom filters. Guidelines 1 Recall the observed port-reuse effect. Te should not be too large. 2 ∆t should be set properly. Small ∆t increases system loads; large ∆t reduces system granularity (and precision). 3 Te k is roughly ∆t . 4 N and m depends on the scale of the network and the required precision. C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 18/31
  • 37. Outline Introduction False Positives and False Negatives The Bitmap Filter Performance Evaluations Simulation Discussions Conclusion Outline 1 Introduction 2 The Bitmap Filter 3 Evaluations 4 Discussions 5 Conclusion C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 19/31
  • 38. Outline Introduction False Positives and False Negatives The Bitmap Filter Performance Evaluations Simulation Discussions Conclusion False Positives and False Negatives Definition False positive: Normal behavior is rejected. False negative: Attacks are accepted. C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 20/31
  • 39. Outline Introduction False Positives and False Negatives The Bitmap Filter Performance Evaluations Simulation Discussions Conclusion False Positives and False Negatives Definition False positive: Normal behavior is rejected. False negative: Attacks are accepted. False positives Since the lifetime of a state is Te seconds, a false positive occurs only when the out-in packet delay is longer than Te seconds. As the statistics show, when Te is greater than 2.8 seconds, the false positive rates should be lower than 1%. C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 20/31
  • 40. Outline Introduction False Positives and False Negatives The Bitmap Filter Performance Evaluations Simulation Discussions Conclusion False Negatives Estimating on False Negative Rates 1 Given the expected max number of active connections c in Te and the bitmap size N, the false negative rate can be estimated by N p ≤ exp(− ). (1) e·c 2 In contrast, given N and a tolerable maximum value of p, the expected max number of active connections c should satisfy N c≤− . (2) e ln p C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 21/31
  • 41. Outline Introduction False Positives and False Negatives The Bitmap Filter Performance Evaluations Simulation Discussions Conclusion Examples For a small- or medium-scale network A bitmap filter is constructed using the following configuration Parameters: k = 4, ∆t = 5, (Te = 20), m = 3 k×2n Required memory space: 8 = 512 K bytes. Given the tolerable penetration probability of 10%, 5%, and 1%, the bitmap filter provides capacity of 167K, 125K, and 83K active connections in Te , respectively. C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 22/31
  • 42. Outline Introduction False Positives and False Negatives The Bitmap Filter Performance Evaluations Simulation Discussions Conclusion Examples For a small- or medium-scale network A bitmap filter is constructed using the following configuration Parameters: k = 4, ∆t = 5, (Te = 20), m = 3 k×2n Required memory space: 8 = 512 K bytes. Given the tolerable penetration probability of 10%, 5%, and 1%, the bitmap filter provides capacity of 167K, 125K, and 83K active connections in Te , respectively. Compare with the campus network traffic Only 15K active connections within a Te of 20 seconds. C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 22/31
  • 43. Outline Introduction False Positives and False Negatives The Bitmap Filter Performance Evaluations Simulation Discussions Conclusion Performance Summary Packet Processing: For an outgoing packet: O(m) hashes +O(m × k) marks. For an incoming packet: O(m) hashes +O(m) checks. Bitmap Rotation: Reset a bit vector: constant according to the given bitmap size. C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 23/31
  • 44. Outline Introduction False Positives and False Negatives The Bitmap Filter Performance Evaluations Simulation Discussions Conclusion Performance Summary Packet Processing: For an outgoing packet: O(m) hashes +O(m × k) marks. For an incoming packet: O(m) hashes +O(m) checks. Bitmap Rotation: Reset a bit vector: constant according to the given bitmap size. Since the bitmap is designed to have fixed size and continuous memory space and the components used in the algorithms are easy to implement as hardware, these algorithms can be completely implemented as a hardware easily. C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 23/31
  • 45. Outline Introduction False Positives and False Negatives The Bitmap Filter Performance Evaluations Simulation Discussions Conclusion Compare with Similar Implementations Hash + link-list AVL-tree Bitmap filter (Linux) Storage space - Complexity O(n) O(n) O(c) Storage space - Handle 2.55M active 77M bytes 77M bytes 8M bytes connections Computation Complexity - Insert a new state O(1) O(log n) O(1) Computation Complexity - Search for a state O(n) O(log n) O(1) Computation Complexity - Garbage collection O(n) O(n) O(c) Hardware acceleration Possible Expensive Cheap C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 24/31
  • 46. Outline Introduction False Positives and False Negatives The Bitmap Filter Performance Evaluations Simulation Discussions Conclusion Simulation I: Drop Rate Comparison Compare the drop rate of BF and SPI-filter Environments Implement an SPI filter (expire idle state after 240 seconds). The bitmap filter: n = 20, k = 4, ∆t = 5, Te = 20 (512K bytes). Drop rates measure in a 5-second time unit. C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 25/31
  • 47. Outline Introduction False Positives and False Negatives The Bitmap Filter Performance Evaluations Simulation Discussions Conclusion Simulation I: Drop Rate Comparison Compare the drop rate of BF and SPI-filter Environments 3.5 Implement an SPI filter (expire idle Drop rate of the bitmap filter (%) 3.0 state after 240 seconds). 2.5 The bitmap filter: n = 20, k = 4, 2.0 ∆t = 5, Te = 20 (512K bytes). 1.5 Drop rates measure in a 5-second time unit. 1.0 1.0 1.5 2.0 2.5 3.0 Drop rate of the SPI filter (%) C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 25/31
  • 48. Outline Introduction False Positives and False Negatives The Bitmap Filter Performance Evaluations Simulation Discussions Conclusion Simulation II: Filter Rate Environments The same bitmap filter used in simulation I. Attack rate: spoofed addresses, 500K packets per second. C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 26/31
  • 49. Outline Introduction False Positives and False Negatives The Bitmap Filter Performance Evaluations Simulation Discussions Conclusion Simulation II: Filter Rate Environments The same bitmap filter used in simulation I. Attack rate: spoofed addresses, 500K packets per second. a. Filter Performance b. Attack Filtering Rate 100.01 4e+05 Filtering rate (%) Packet Count 99.99 2e+05 99.97 0e+00 99.95 0 5000 10000 15000 20000 12000 14000 16000 18000 20000 22000 Time (in seconds) Time (in seconds) C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 26/31
  • 50. Outline Introduction The Bitmap Filter Summary Evaluations Discussions Conclusion Outline 1 Introduction 2 The Bitmap Filter 3 Evaluations 4 Discussions 5 Conclusion C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 27/31
  • 51. Outline Introduction The Bitmap Filter Summary Evaluations Discussions Conclusion Summary of Discussions 1 The Compatibility The bitmap filter is compatible with all single connection applications. For multiple connection applications, the bitmap filter is also compatible with hole-punching like NAT-traversal solutions. C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 28/31
  • 52. Outline Introduction The Bitmap Filter Summary Evaluations Discussions Conclusion Summary of Discussions 1 The Compatibility The bitmap filter is compatible with all single connection applications. For multiple connection applications, the bitmap filter is also compatible with hole-punching like NAT-traversal solutions. 2 Attack from Insiders An inside attacker may quickly increase the bitmap utilization when attacking outsiders. It hence increase the false negative rate. An administrator may increase n or Te to tolerate such attacks. However, it would be better to identify and eliminate inside attackers. C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 28/31
  • 53. Outline Introduction The Bitmap Filter Summary Evaluations Discussions Conclusion Summary of Discussions 1 The Compatibility The bitmap filter is compatible with all single connection applications. For multiple connection applications, the bitmap filter is also compatible with hole-punching like NAT-traversal solutions. 2 Attack from Insiders An inside attacker may quickly increase the bitmap utilization when attacking outsiders. It hence increase the false negative rate. An administrator may increase n or Te to tolerate such attacks. However, it would be better to identify and eliminate inside attackers. 3 Adaptive Packet Dropping For bandwidth attacks only, the bitmap filter may consider to adopt adaptive packet dropping to increase the compatibility. C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 28/31
  • 54. Outline Introduction The Bitmap Filter Evaluations Discussions Conclusion Outline 1 Introduction 2 The Bitmap Filter 3 Evaluations 4 Discussions 5 Conclusion C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 29/31
  • 55. Outline Introduction The Bitmap Filter Evaluations Discussions Conclusion Conclusion We propose the bitmap filter, an alternative implementation to replace the stateful packet inspection (SPI) filter, to stop malicious traffic for client networks. The bitmap filter successful reduces the complexities of both storage and computation to constants. Analyses and simulations show that with limited resources, the bitmap filter can filter 90% even 99% attack traffic. C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 30/31
  • 56. Outline Introduction The Bitmap Filter Evaluations Discussions Conclusion Thanks for your attention. Comments or questions? C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 31/31