
Securing Computer Networks

Permanent Link: http://ufdc.ufl.edu/UFE0022764/00001

Material Information

Title: Securing Computer Networks Access Control Management and Attack Source Identification
Physical Description: 1 online resource (121 p.)
Language: english
Creator: Yoon, Myung
Publisher: University of Florida
Place of Publication: Gainesville, Fla.
Publication Date: 2008

Subjects

Subjects / Keywords: algorithm, anomaly, computer, datastructure, detection, firewall, intrusion, network, security, spread, streaming, traffic
Computer and Information Science and Engineering -- Dissertations, Academic -- UF
Genre: Computer Engineering thesis, Ph.D.
bibliography   ( marcgt )
theses   ( marcgt )
government publication (state, provincial, territorial, dependent)   ( marcgt )
born-digital   ( sobekcm )
Electronic Thesis or Dissertation

Notes

Abstract: We study the problem of securing computer networks. We mainly focus on two issues: managing access control lists of multiple firewalls and identifying attack sources. As the number of firewalls increases in computer networks, it is crucial to deploy the firewalls and to build an efficient access control list on each of them. Multiple firewalls cooperate to implement the access control by filtering out unwanted packets. The source address of a packet is a decisive parameter when the filtering is carried out. For example, edge firewalls between the intranet and the Internet may use dynamic filters, which can block packets of suspicious source addresses in order to defeat denial of service attacks. However, wily attackers may play tricks to give false information about their source addresses. Therefore, attack sources should be exactly identified before the filtering is applied. In this dissertation, we propose three novel techniques. First, we study the problem of placing multiple firewalls in an enterprise network. A firewall's complexity is known to increase with the size of its access control list (i.e., rule set). When designing a security-sensitive network, it is critical to construct the network topology and its routing structure carefully in order to reduce the firewall rule sets, which helps lower the chance of security loopholes and prevent performance bottleneck. We study the problems of how to place the firewalls in a topology during network design and how to construct the routing tables during operation, such that the maximum firewall rule set can be minimized. Second, we study the problem of identifying attack sources on the Internet. It is crucial to find out attacker's unique address before the corresponding filtering rule is activated at the edge firewalls. On the current Internet, not only is a host free to send packets to any destination address, but also it is free to forge any source address that it does not own. 
This freedom creates a huge security problem. The victims under attack do not know where the malicious packets are actually from and which sources should be blocked because, with forged source addresses, the malicious packets may appear to come from all over the Internet. We propose a path address scheme to identify attackers even when they use spoofed source addresses. Under this scheme, each path on the Internet is assigned a path address. IP addresses are owned by the end hosts; path addresses are owned by the network, which is beyond the reach of the hosts. Third, we study the problems of spread estimation and spreader detection. The spread of a source host is the number of distinct destinations that it has sent packets to during a measurement period. A spread estimator is a software/hardware module on a router that inspects the arrival packets and estimates the spread of each source. It has important applications in detecting port scans and DDoS attacks, measuring the infection rate of a worm, assisting resource allocation in a server farm, determining popular web contents for caching, to name a few. We design a new spread estimator that delivers good performance in tight memory space where all existing estimators no longer work. We also study the problem of detecting spreaders. We call an external source address a spreader if it connects to more than a threshold number of distinct internal destination addresses during a period of time (such as a day). We note that none of the current intrusion detection systems can identify spreaders in real-time if the attacker slows down in sending attack packets. We call such an attacker an invisible spreader. We observe that normal traffic has strong skewness especially in an enterprise (or university campus) network. We propose a new scheme to detect invisible spreaders by exploiting the traffic skewness.
General Note: In the series University of Florida Digital Collections.
General Note: Includes vita.
Bibliography: Includes bibliographical references.
Source of Description: Description based on online resource; title from PDF title page.
Source of Description: This bibliographic record is available under the Creative Commons CC0 public domain dedication. The University of Florida Libraries, as creator of this bibliographic record, has waived all rights to it worldwide under copyright law, including all related and neighboring rights, to the extent allowed by law.
Statement of Responsibility: by Myung Yoon.
Thesis: Thesis (Ph.D.)--University of Florida, 2008.
Local: Adviser: Chen, Shigang.

Record Information

Source Institution: UFRGP
Rights Management: Applicable rights reserved.
Classification: lcc - LD1780 2008
System ID: UFE0022764:00001

Full Text

ACKNOWLEDGMENTS

First of all, I would like to express my deepest gratitude to Prof. Shigang Chen, my advisor, for his tireless guidance and encouragement throughout my graduate studies. My special thanks also go to Prof. Sartaj Sahni, Prof. Jose Fortes, Prof. Ye Xia and Prof. Dapeng Wu for their instructive comments and support during my years at the University of Florida (UF). I would like to thank all my colleagues in Prof. Chen's research group, including Yong Tang, Zhan Zhang, Liang Zhang, Ying Jian, Ming Zhang, Tao Li and Parbati Kumar Manna, for providing a high level of research support. Last but not least, I want to thank my family for their support, love, understanding and many sacrifices they had to make throughout my graduate studies. I would like to say that I love Joon-Sup, Joon-Ho and especially Hye-Jung.

TABLE OF CONTENTS

ACKNOWLEDGMENTS 4
LIST OF TABLES 8
LIST OF FIGURES 9
ABSTRACT 12

CHAPTER

1 INTRODUCTION 14

2 MINIMIZING THE MAXIMUM FIREWALL RULE SET IN A NETWORK WITH MULTIPLE FIREWALLS 18
2.1 Motivation 18
2.2 Related Works 21
2.3 Problem Definition 22
2.3.1 Network Model 22
2.3.2 Notations 22
2.3.3 Problems 24
2.3.4 Rule Graph and Topology Graph 25
2.3.5 Robustness 27
2.4 NP-Completeness 27
2.4.1 k-Firewall Decision Problem ∈ NP 28
2.4.2 NP-Hardness 28
2.5 HAF: A Heuristic Algorithm for FPP, Partial FPP, FRP, Partial FRP, and Weighted FPP/FRP 30
2.5.1 Overview 30
2.5.2 Augmented Graph G_t<x,y> and MinMax Path 31
2.5.3 Find the MinMax Path in G_t<x,y> 32
2.5.4 Insert the MinMax Path to G_t 34
2.5.5 Ensuring Connectivity 34
2.5.6 Complexity Analysis 37
2.5.7 Modifying HAF for FRP, Partial FRP, and Weighted FPP/FRP 37
2.6 Simulation 37

3 A NOVEL INCREMENTALLY-DEPLOYABLE PATH ADDRESS SCHEME FOR THE INTERNET 49
3.1 Motivation 49
3.2 Related Work 52
3.3 Path Address Scheme 55
3.3.1 Objectives 55
3.3.2 Definition of Path Address 56
... 57
3.3.4 New Fields in Packet Header and Path Address Verification 59
3.3.5 Alternative Version of Path Address against Router Compromise 62
3.3.6 Self-Completeness of PAS for Incremental Deployment 64
3.4 Evaluation 66
3.4.1 Analysis 66
3.4.1.1 Analytical model 66
3.4.1.2 False-positive probability and false-negative probability of PAS 67
3.4.1.3 False-positive probability and false-negative probability of Pi 68
3.4.2 Simulations 69
3.4.2.1 Simulation setup 69
3.4.2.2 Performance evaluation with respect to attacker ratio 71
3.4.2.3 Performance evaluation with respect to network topology 71
3.4.2.4 Performance comparison with respect to r 72
3.4.2.5 Performance evaluation under incremental deployment 72

4 FIT A SPREAD ESTIMATOR IN A SMALL MEMORY 78
4.1 Motivation 78
4.2 Existing Spread Estimators 81
4.3 Design of Compact Spread Estimator (CSE) 83
4.3.1 Motivation for Virtual Vectors 83
4.3.2 CSE: Storing Contacts in Virtual Vectors 84
4.3.3 CSE: Spread Estimation 85
4.3.4 System Architecture 88
4.4 Analysis 89
4.4.1 Mean and Variance of k̂1 and k̂2 89
4.4.2 Estimation Bias and Standard Deviation 92
4.5 Experiments 93
4.5.1 Experiment Setup 94
4.5.2 Accuracy of Spread Estimation 95
4.5.3 Impact of Different s Values on Performance of CSE 96
4.5.4 Impact of Different Column Sizes on Performance of OSM 97
4.5.5 An Application: Detecting Address Scan 97

5 REAL-TIME DETECTION OF INVISIBLE SPREADERS 103
5.1 Motivation 103
5.2 Invisible-Spreader Detection 105
5.2.1 Invisible-Spreader Detection Filter (ISD) 106
5.2.2 Parameter Configuration 107
5.3 Experiment 109
5.3.1 Traffic Trace and Implementation Details 110
5.3.2 Experimental Results 111

... 115

REFERENCES 116

BIOGRAPHICAL SKETCH 121

LIST OF TABLES

Table page
2-1 Frequently-used notations 41
2-2 Default simulation parameters 41
4-1 Bias with respect to s and k 99
4-2 False positive ratio and false negative ratio with respect to memory size. 102
4-3 With ε = 10%, false positive ratio and false negative ratio with respect to memory size. 102
4-4 With ε = 20%, false positive ratio and false negative ratio with respect to memory size. 102
5-1 Parameter configuration examples (c = 10) 113

LIST OF FIGURES

Figure page
2-1 Two topologies that connect domains, x, u, v and y, via firewalls, f1, f2 and f3, whose numbers of interfaces are 2, 3 and 2, respectively. 41
2-2 Rule matrix, rule graph, and topology graph 42
2-3 High-availability solutions 42
2-4 Pseudocode of HAF 43
2-5 Pseudocode of HAF_Dijkstra 44
2-6 (a) Augmented graph G_t<x,y>, where f2 has one free interface and two virtual links; (b) Shortest path returned by Shortest_Path(G_t<x,y>, x, y), where the relaxation is performed from y along the path to x; (c) Shortest path returned by Shortest_Path(G_t<x,y>, y, x), where the relaxation is performed from x along the path to y. The best path is (x, f1, v1, f2, y). 45
2-7 Shortest path when f2 has two free interfaces. 45
2-8 Shortest path when f2 and f3 each have one free interface. 45
2-9 Pseudocode of Insert_Optimal_Path 46
2-10 Size of maximum rule set with respect to number n of domains. 10 ≤ n ≤ 120, m = 40, ... 47
2-11 Size of maximum rule set with respect to number m of firewalls. n = 100, 35 ≤ m ≤ 59, ... 47
2-12 Size of max rule set with respect to avg number ... 47
2-13 Size of maximum rule set with respect to avg number ... 47
2-14 Size of maximum rule set with respect to probability p. n = 100, m = 40, ... 48
2-15 Size of maximum rule set in sparse network. 10 ≤ n ≤ 120, m = (n-1)/( ... 48
3-1 Pi cannot be used for path address. 73
3-2 Local numbers of the interdomain routers. 74
3-3 ... 74
3-4 Received values of the paddr and verification fields are shown beside each router. The two fields are set to zeros by the sender. The first interdomain router sets these fields with appropriate values. The path address field stays unchanged at the subsequent hops, but the verification field is XORed by the local number at each hop. The verification field should be zero when the packet reaches its receiver. 74
3-5 Malicious host in AS4 sets the paddr/verification fields arbitrarily with the P flag being one. As long as it does not know R6.paddr(AS1), the attack packets to AS1 will be classified as abnormal, which is indicated by a cross below V in the figure. 75
3-6 Path address between AS3 and AS1 should be artificially made different from the address between AS6 and AS1. 75
3-7 Left: false positive ratios with respect to attacker ratio. Right: false negative ratios with respect to attacker ratio. 76
3-8 Left: false positive ratios with respect to fraction of degree-one nodes. Right: false negative ratios with respect to fraction of degree-one nodes. 76
3-9 Left: false positive ratios with respect to r. Right: false negative ratios with respect to r. 76
3-10 Left: false positive ratios with respect to deployment ratio. Right: false negative ratios with respect to deployment ratio. 77
4-1 The approximation error is very small when s is reasonably large. 99
4-2 Traffic distribution: each point shows the number of sources having a certain spread value. 99
4-3 m = 0.5MB. Each point in the first plot (CSE) or the second plot (OSM) represents a source, whose x coordinate is the true spread k and y coordinate is the estimated spread k̂. The third plot shows the bias of CSE and OSM, which is the measured E(k̂ − k) with respect to k. The fourth plot shows the standard deviation, which is the measured √... of (4-26) and (4-24). 100
4-4 m = 1M. See the caption of Fig. 4-3 for explanation. 100
4-5 m = 2MB. See the caption of Fig. 4-3 for explanation. 100
4-6 m = 4M. See the caption of Fig. 4-3 for explanation. 100
4-7 ... 101
4-8 Left plot shows the bias of OSM, which is the measured E(k̂ − k) with respect to k. Right plot shows the standard deviation of OSM, which is the measured √... 101
4-9 Left plot shows the distribution of (k, k̂) for all sources under OSM when r = 64, where k and k̂ are the true spread and the estimated spread, respectively. Right plot shows the distribution of (k, k̂) under OSM when r = 256. 101
5-1 Cumulative ratios of the numbers of distinct sources and distinct source/destination tuples with respect to source spread 113
5-2 Cumulative ratios of the numbers of distinct destinations and distinct source/destination tuples with respect to destination spread 113
5-3 Number of false negatives when M = 256KB 114
5-4 Number of false positives when M = 256KB 114
5-5 Number of false negatives when M = 1MB 114
5-6 Number of false positives when M = 1MB 114


1 INTRODUCTION

As computer networks play vital roles in companies or institutions, securing them is crucial. Once an enterprise network is compromised, it causes a severe financial loss and a decline of public trust. On the other hand, enterprise networks are good targets of wily attackers who willingly spare no pains in breaking into the networks. Therefore, enterprise networks require a high level of security. This means that people are willing to trade off efficiency for enhanced security unless the efficiency degradation is significant.

An enterprise network consists of domains (subnets) that are connected with each other through firewalls. Each firewall has an interdomain access control list, i.e. rule set, which prevents unwanted packets from traversing different domains. At least one of the firewalls connects to the Internet for providing Internet services. As enterprise networks evolve, the number of domains and firewalls increases. A firewall's complexity is known to increase with the size of its rule set. Empirical studies show that, as the rule set grows larger, the number of configuration errors on a firewall increases sharply, while the performance of the firewall degrades. When designing a security-sensitive network, it is critical to construct the network topology and its routing structure carefully in order to reduce the firewall rule sets, which helps lower the chance of security loopholes and prevent performance bottlenecks. In Chapter 2, we study the problems of how to place the firewalls in a topology during network design and how to construct the routing tables during operation, such that the maximum firewall rule set can be minimized. These problems have not been studied adequately despite their importance. We have two major contributions. First, we prove that the problems are NP-complete. Second, we propose a heuristic solution and demonstrate the effectiveness of the algorithm by simulations. The results show that the proposed algorithm reduces the maximum firewall rule set by 2 to 5 times compared with other algorithms.

On the current Internet, not only is a host free to send packets to any destination address, but also it is free to forge any source address that it does not own. This freedom creates a huge security problem. The victims under attack do not know where the malicious packets are actually from and which sources should be blocked because, with forged source addresses, the malicious packets may appear to come from all over the Internet. One important question is, if the source addresses from the attack packets are not reliable, what other kind of information is necessary. In Chapter 3, we propose a path address scheme to identify attackers even when they use spoofed source addresses. Under this scheme, each path on the Internet is assigned a path address. IP addresses are owned by the end hosts; path addresses are owned by the network, which is beyond the reach of the hosts. The path address carried in a packet is set by the network and reliably points out where the packet is from. Blocking a path address filters out the packets from an attack source. The victims may even require path-address based filters to be pushed into the network and all the way to the attack source. The path address scheme has desirable features that the previous works do not have. First, it can simultaneously keep false-positive (normal hosts misclassified as attackers) and false-negative (attackers misclassified as normal hosts) ratios to almost zero. Second, malicious packets can be blocked near the attackers. Third, attackers cannot gain any advantage by residing near the victims. By analysis and simulations, we show that the path address scheme is very effective in filtering out malicious packets.

The spread of a source host is the number of distinct destinations that it has sent packets to during a measurement period. A spread estimator is a software/hardware module on a router that inspects the arrival packets and estimates the spread of each source. It has important applications in detecting port scans and DDoS attacks, measuring the infection rate of a worm, assisting resource allocation in a server farm, determining popular web contents for caching, to name a few. The main technical challenge is to fit a spread estimator in a fast but small memory (such as SRAM) in order to operate it at the line speed in a high-speed network. In Chapter 4, we design a new spread estimator that delivers good performance in tight memory space where all existing estimators no longer work. The new estimator not only achieves space compactness but operates more efficiently than the existing ones. Its accuracy and efficiency come from a new method for data storage, called virtual vectors, which allows us to measure and remove the errors in spread estimation. We perform experiments on real Internet traces to verify the effectiveness of the new estimator.

We call an external source address a spreader if it connects to more than a threshold number of distinct internal destination addresses during a period of time (such as a day). Detecting spreaders helps intrusion detection systems identify potential attackers. The existing work can only detect aggressive spreaders that scan a large number of distinct addresses in a short period of time. However, stealthy spreaders may perform ...

... In Chapter 5, we propose a new streaming scheme to detect stealthy spreaders that are invisible to the current systems. The new scheme stores information about normal traffic within a limited portion of the allocated memory, so that it will not interfere with spreaders' information stored elsewhere in the memory. The proposed scheme is lightweight; it can detect invisible spreaders in high-speed networks while residing in SRAM. Through experiments using real Internet traffic traces, we demonstrate that our new scheme detects invisible spreaders efficiently while keeping both false-positives (normal sources misclassified as spreaders) and false-negatives (spreaders misclassified as normal sources) to a low level.

2 MINIMIZING THE MAXIMUM FIREWALL RULE SET IN A NETWORK WITH MULTIPLE FIREWALLS

A firewall's complexity is known to increase with the size of its rule set. Empirical studies show that, as the rule set grows larger, the number of configuration errors on a firewall increases sharply, while the performance of the firewall degrades. When designing a security-sensitive network, it is critical to construct the network topology and its routing structure carefully in order to reduce the firewall rule sets, which helps lower the chance of security loopholes and prevent performance bottlenecks. This chapter studies the problems of how to place the firewalls in a topology during network design and how to construct the routing tables during operation, such that the maximum firewall rule set can be minimized. These problems have not been studied adequately despite their importance. We have two major contributions. First, we prove that the problems are NP-complete. Second, we propose a heuristic solution and demonstrate the effectiveness of the algorithm by simulations. The results show that the proposed algorithm reduces the maximum firewall rule set by 2 to 5 times compared with other algorithms.

2.1 Motivation

... [1]. A firewall's configuration contains a large set of access control rules, each specifying source addresses, destination addresses, source ports, destination ports, one or multiple protocol ids, and an appropriate action. The action is typically "accept" or "deny." Some firewalls can support other types of actions such as sending a log message, applying a proxy, and passing the matched packets into a VPN tunnel [2]. For most firewalls, the rule set is order-sensitive [3]. An incoming packet will be checked against the ordered list of rules. The rule that matches first decides how to process the packet. Other firewalls (such as early versions of Cisco's PIX) use the best-matching rule instead.

... [4]. A complex rule set can easily lead to mistakes and misconfiguration. After analyzing the firewall rule sets from many organizations including telecommunication companies and financial institutes, Wool [4] quantified the complexity of a rule set as R + O + I(I − 1)/2, where R is the number of rules in the set, O is the number of network objects referenced by the rules, and I is the number of network interfaces on the firewall. The number of network objects and the number of interfaces are normally much smaller than the number of rules. Therefore, it is very important to keep a firewall's rule set as small as possible in order to lower the chance of security loopholes [4]. In a network with multiple firewalls, reducing the number of rules requires not only local optimization at individual firewalls but also global optimization across all firewalls. This chapter studies how to minimize the maximum rule set among all firewalls in the network, which has not been adequately studied despite its importance in practice.

We investigate a family of related problems. The first one is about how to place the firewalls in a topology during network design. The so-called firewall placement problem (FPP) is to find the optimal placement of firewalls that connects a set of domains in such a way that minimizes the maximum number of rules on any firewall. The second problem, called partial FPP, is to expand an existing topology with new firewalls and domains such that the maximum rule set remains minimized. This problem arises during incremental deployment or in case a partial network topology has been determined based on more important performance criteria before firewall rule sets are considered. FPP is a special case of partial FPP (with an empty existing topology).

PAGE 20

OurfourthandfthproblemsarecalledweightedFPP/FRP.Weassigneachruleaweight(possiblyrepresentingthevolumeoftraccoveredbythisrule),andassigneachrewallaweight(possiblyrepresentingthecapacityoftherewall).Thegoalistondtheoptimalnetworktopologyand/orroutingpathsthatminimizethemaximumweightednumberofrulesatanyrewall.Thesolutionstotheweightedproblemstakenotonlythenumberofrulesbutalsotracdistribution,rewallperformanceandpossiblyotherfactorsintoconsideration. Wehavetwomajorcontributions.First,byreducingthewell-knownset-partitionproblemtotheaboveproblems,weprovethattheyareNP-complete.Second,weproposeaheuristicalgorithmtosolvetheFPPproblemapproximately.Notonlydoesitconstructanetworktopologyamongdomainsandrewalls,butalsoidentifyroutingpathsthatminimizethemaximumrewallruleset.ThealgorithmcanbeeasilymodiedtosolvepartialFPP,FRP,partialFRP,weightedFPP,andweightedFRP.Hence,thealgorithmcanbeusedtoconstructanewtopology,completeatopologythathasbeenpartiallyconstructed(basedonotherperformancecriteria),expandanexistingtopology,orworkonanestablishedtopologytobuildanewroutingstructureorcompleteanexisting 20


The rest of the chapter is organized as follows. Section 3.2 defines the network model and the problems to be solved. Section 2.4 proves that the problems are NP-complete. Section 5.2 proposes a heuristic algorithm. Section 3.4.2 presents the simulation results. Section 2.2 surveys the related work.

[5]. They also proposed a method for diverse firewall design and presented algorithms to detect discrepancies between two rule sets [6]. Recently Liu et al. proposed a novel algorithm for minimizing security policies of a firewall [7].

Wool investigated the direction-based filtering in firewalls [8]. Fulp studied the problem of reducing the average number of rules that must be examined for each packet [9]. Al-Shaer and Hamed identified anomalies that exist in a single- or multi-firewall environment, and presented a set of techniques to discover configuration anomalies in centralized and distributed legacy firewalls [10]. Smith et al. studied the problem of how to place a set of firewalls in a complex network to minimize cost and delay [11] and the problem of how to increase comprehensiveness and level of confidence in protection [12]. El-Atawy et al. proposed to optimize packet filtering performance by traffic statistical matching [13]. Hamed et al. designed algorithms that maximize early rejection of unwanted packets and utilize traffic characteristics to minimize the average packet matching time [14].

Packet filtering can be viewed as a special case of packet classification [15], which is to determine the first matching rule for each incoming packet at a router. Much work has


[16–19]. Other work proposed algorithms for removing redundancy in packet classifiers [20, 21].

2.3.1 Network Model


Each domain has one address prefix. Static routes are defined to route interdomain traffic, which ensures that each traffic flow has a specific path going through certain firewall(s) where the security policy governing this flow will be enforced. In order to support stateful inspection, routing symmetry is assumed. It means that the routing path from domain x to domain y is the same as the path from y to x, ∀x, y ∈ N. This assumption is made to comply with Cisco's CBAC (context-based access control) and other firewalls' stateful inspection mechanisms, which allow the system administrator to only specify the rules for traffic from clients to servers, while the firewall automatically inserts the rules for the return traffic on the fly. CBAC requires that a connection uses the same (interdomain) path for two-way communication. We want to stress that this assumption is made only for practical reasons. Our analysis and algorithm design can be easily modified to work for asymmetric routing.

For each pair of domains x, y ∈ N, there is a set R(x, y) of access control rules, defining the traffic flows that are permitted from domain x to domain y. The optimization of the rule set is beyond the scope of this dissertation. Let r(x, y) = |R(x, y)|. Similarly, the number of rules from y to x is denoted as r(y, x). The total number of rules between the two domains is r(x, y) + r(y, x). Once the routing path between x and y is determined, these rules will be enforced on the firewalls along the path. Each firewall may sit in the routing paths between many pairs of domains, and its rule set will be the aggregate of all rules between those domains. We want to construct the network topology and/or lay out the routing paths to avoid creating large firewall rule sets in the network. We assume that wild-card rules are processed separately. For example, if a domain requires to deny all


For any firewall f ∈ M, let W(f) be the set of access control rules to be enforced by f. Let w(f) = |W(f)|. If f sits in the routing path from domain x to domain y, then it enforces all rules between them and thus R(x, y) ⊆ W(f); otherwise, it does not enforce those rules and thus R(x, y) ∩ W(f) = ∅. Let (f) be the set of domain pairs, ⟨x, y⟩, with the routing path from x to y passing through f. We have

Some frequently-used notations are listed in Table 2-1 for quick reference.

As Fig. 2-1 shows, there are many ways to connect a set of domains via a set of firewalls. For any network topology, there are different ways to lay out the routing paths. In general, the rule sets to be enforced on the firewalls will be different when we change the network topology or the routing paths.


We will prove that all the above problems are NP-complete, and we will design a heuristic algorithm for them. Instead of enumerating over all problems, our presentation will focus on FPP for analysis and algorithm design. We will show that the results can be trivially extended to other problems. Focusing on FPP is only a presentation choice because it is easier to extend the solution for FPP to other problems. This presentation choice does not mean that our solution is only designed for topology construction in the network design phase. The solution can also be used for topology expansion and routing optimization in the operation phase, which is probably the more common scenario of application.

2-2 to illustrate a few concepts. There are eight domains with ids from 1 to 8. The rule matrix, (r(x, y), x, y ∈ N), is shown in Fig. 2-2(a). We construct a


2-2(b), where each node is a domain and there is an undirected edge ⟨x, y⟩ if r(x, y) + r(y, x) > 0. The number of access control rules to be enforced between the two domains, i.e., r(x, y) + r(y, x), is shown beside the link. Gr is a graphical representation of the rule matrix, specifying the security requirement. It will be the input to the algorithm that solves FPP and other problems (approximately, because they are NP-complete).

For the output of the algorithm, we define a topology graph (denoted as Gt), which consists of a network topology and a routing structure. A node in Gt is either a domain or a firewall. An undirected link (x, f) represents a physical connection between a domain x and a firewall f. Note that we use the term "link (x, f)" in Gt, in contrast to the term "edge ⟨x, y⟩" in Gr. Each node has a routing table consisting of routing entries, each specifying the next hop for a destination domain.

Suppose there are five firewalls, each having three network interfaces. Fig. 2-2(c) shows the topology graph returned by the algorithm to be proposed in this dissertation. The number of access control rules enforced on a firewall is shown inside the box that represents the firewall. The routing tables are interpreted as follows. "rt(1, 2) = f3" means the routing table at domain 1 has an entry for destination domain 2 with the next hop being firewall f3. In reality, the gateway in domain 1 which connects to firewall f3 must advertise within the domain that it can reach domain 2. Consequently, the routing tables at the internal routers will each have an entry for domain 2, pointing towards that gateway. "rt(f1, 1) = 1" means that the routing table at firewall f1 has an entry for domain 1 with the next hop being domain 1. It implies that f1 is directly connected to a gateway in domain 1. Of course, the actual routing entry uses that gateway as the next hop. "rt(f1, 2) = 3" means that the routing table at firewall f1 has an entry for domain 2 with the next hop being domain 3. It implies that f1 is directly connected to a gateway in domain 3. The actual routing entry uses that gateway as the next hop and the address


Given a rule graph Gr and a set M of firewalls, for each feasible topology graph Gt, we can calculate w(f), ∀f ∈ M. The topology graph that minimizes max_{f∈M} {w(f)} is the solution. FPP has the largest set of feasible topology graphs; partial FPP has a smaller set due to the restriction of a given partial topology. FRP has only one feasible topology with many possible routing structures, while partial FRP gives less freedom in constructing a routing structure.

[22–24] are prevalent in practice. Fig. 2-3 shows one example for each approach. In both cases, firewalls in parallel disposition have the same rule set so that one of them can continue the service when the other fails. Identical co-located firewalls can be logically treated as one in our solution. Therefore, we will not explicitly discuss the use of dual firewalls in the sequel.

FPP is an optimization problem. We define the corresponding decision problem as follows: Given a rule graph and a set of firewalls, the k-firewall decision problem is to decide whether there exists a topology graph such that w(f) ≤ k, ∀f ∈ M, where k is an arbitrary positive integer. To prove the NP-completeness of FPP, it is sufficient to prove that its decision problem is NP-complete.


[25]) to the k-firewall decision problem in polynomial time.

[25], the k-firewall decision problem is also NP-hard.

Given a finite set A of positive integers, the set-partition problem is to determine whether there exists a subset A′ ⊆ A such that Σ_{a∈A′} a = Σ_{a∈A−A′} a. We reduce it to the k-firewall decision problem as follows.

First, for each member a ∈ A, we associate it with a pair of two domains ⟨x_a, y_a⟩, and let the number of access control rules from x_a to y_a be a. In total, there are 2|A| domains: N = {x_a, y_a | a ∈ A}. For domain pairs ⟨x_a, y_a⟩, ∀a ∈ A, r(x_a, y_a) = a, and for all other domain pairs ⟨x, y⟩, r(x, y) = 0.

Second, we use two firewalls, denoted as f1 and f2. The number of network interfaces of each firewall is 2|A|. k is set to be Σ_{a∈A} a


Next, we prove that the set-partition problem is satisfiable if and only if the corresponding k-firewall decision problem is satisfiable.

First, suppose the set-partition problem is satisfiable, i.e., there exists a subset A′ ⊆ A such that Σ_{a∈A′} a = Σ_{a∈A−A′} a = Σ_{a∈A} a

Therefore, the k-firewall decision problem is also satisfiable.

Second, suppose the k-firewall decision problem is satisfiable, i.e., there exists a topology graph such that w(f1) ≤ k and w(f2) ≤ k. Recall that k = Σ_{a∈A} a

Each rule has to be enforced by f1, f2, or both. Therefore,

By (4–11) and (2–4), we have


(2–5), we have w(f1) = w(f2) = Σ_{a∈A} a

Let A′ = {a | ⟨x_a, y_a⟩ ∈ (f1)}. The above equation can be rewritten as follows.

Therefore, the set-partition problem is also satisfiable.

2.3.3. Our description of the algorithm centers around FPP. In Section 2.5.7, we show that the algorithm can be used to solve other problems.

We have shown that the global optimization problem of FPP, which is to find the optimal topology and routing paths that minimize the maximum firewall rule set in the network, is NP-complete. However, constructing an optimal routing path between one pair of domains is a polynomial problem. The basic idea behind HAF is to process the domain pairs one at a time and iteratively insert the optimal routing path for each domain pair into a topology graph Gt. After the paths for all domain pairs are inserted,


The pseudocode of the HAF algorithm is given in Fig. 2-4. For FPP, Gt is initially a topology graph of n domain nodes and m firewall nodes with no link. For each edge ⟨x, y⟩ in Gr, the subroutine Insert_Optimal_Path(Gt, x, y) is called to perform the following three tasks.

1. Define the set of feasible routing paths between domain x and domain y.
2. Find the optimal routing path between x and y that minimizes the maximum rule set among all feasible routing paths.
3. Insert the optimal routing path into Gt.

The loop of Lines 2-3 processes the set of edges ⟨x, y⟩ in Gr in the descending order of (r(x, y) + r(y, x)), which is the total number of rules between domain x and domain y. The topology graph Gt keeps growing as the loop inserts one routing path into Gt in each iteration. In the following, we show how to implement the above three tasks of Insert_Optimal_Path.


In other words, a path is feasible if we can turn it into a physical path without violating the current routing structure in Gt, exceeding the interface limitation of any firewall, or rendering Gt not connectable.

(2–1). The cost of a domain is zero. The cost of a path is the maximum cost (instead of the sum of the costs) of all nodes on the path. One path is


We design an algorithm, called HAF_Dijkstra, to find the shortest path between x and y in G_t^{⟨x,y⟩}. It is an all-source single-destination variant of Dijkstra's algorithm, designed for a graph with 1) virtual links (subject to the interface condition stated in the previous subsection), 2) routing restrictions, 3) node costs instead of link costs, and 4) path length defined as the maximum node cost instead of the sum of the node costs on the path. Satisfying the connectivity condition is a rather complex task, which will be ignored for now and addressed in the next subsection, where we will modify the construction of G_t^{⟨x,y⟩} to include only those virtual links that do not make Gt unconnectable.

Before giving the pseudocode of the algorithm, we define the following variables. rt[v, d] is the routing table entry at node v for destination d. Its value is inherited from Gt. If Gt does not have such a routing entry, the value of rt[v, d] is NIL. c[v] is the cost of node v. cost[v, d] is the estimated cost of the shortest path from v to d. hops[v, d] is the estimated number of hops on the shortest path from v to d. These two variables are initialized to ∞ and then improved by the algorithm until reaching the optimal values. next[v, d] stores the next hop after v on the shortest path to d. Q is the set of nodes whose shortest paths to d have been found. Extract_Min(Q) and Relax(v, u) are two standard subroutines in Dijkstra's algorithm. Extract_Min(Q) finds the node u in Q that has the smallest cost[u, d] value and, when there is a tie, has the smallest hops[u, d] value. After the shortest path from u to d is found, Relax(v, u) propagates this information to all adjacent nodes v. The pseudocode of the HAF_Dijkstra algorithm is given in Fig. 2-5. ":=" is the assignment sign. s is the source node, and d is the destination node.

Routing_Condition(v, u, d) and Interface_Condition(v, u, s, d) make sure that the Relax subroutine is performed on link (v, u) only when both the routing condition and the interface condition are satisfied. By the construction of Shortest_Path(G_t^{⟨x,y⟩}, s, d), the


Condition and Interface_Condition subroutines are executed iteratively for all links of the shortest path, and therefore, the returned shortest path must be feasible.

HAF_Dijkstra first uses x as the source node and y as the destination node to find the shortest path by calling Shortest_Path(G_t^{⟨x,y⟩}, x, y). Then it uses y as the source node and x as the destination node to find the shortest path by calling Shortest_Path(G_t^{⟨x,y⟩}, y, x). Finally it returns the shorter one between these two paths. The reason for calling the Shortest_Path subroutine twice is the asymmetry caused by virtual links, which is illustrated in Fig. 2-6, assuming each node only has routing entries for directly connected nodes. The clouds, blocks, solid lines, dashed lines, and bold lines represent domains, firewalls, physical links, virtual links, and the shortest paths, respectively. If f2 has two free interfaces, the shortest path is shown in Fig. 2-7. Another more complicated example is shown in Fig. 2-8, where f2 and f3 each have one free interface.
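As an added example (not the dissertation's code), the following Python implements the min-max Dijkstra variant described above together with the HAF insertion loop, simplified to a fixed topology (the FRP setting) so that virtual links and the interface and connectivity conditions do not arise; the domains, firewalls, links and rule counts are a constructed toy input, and the symmetric check of the routing condition in both directions is an assumption made here.

```python
"""Simplified HAF-style heuristic for the firewall routing problem (FRP):
the topology is fixed and only the routing paths are chosen. Added example,
not the dissertation's code; all input data below is constructed."""
import heapq
from collections import defaultdict
from itertools import combinations


def minmax_path(adj, w, rt, src, dst):
    """Dijkstra variant from the chapter: node costs (w(f) for a firewall, 0 for
    a domain), path length = maximum node cost on the path, ties broken by hop
    count. The routing condition allows link (v, u) toward dst only if v has no
    routing entry for dst or its entry already points at u; because routing is
    symmetric, the same is required of u's entry for src (assumption added here)."""
    best = {src: (0, 0)}          # node -> (max node cost, hops) of best path so far
    prev = {src: None}
    heap = [((0, 0), src)]
    while heap:
        key, v = heapq.heappop(heap)
        if key != best[v]:
            continue                # stale heap entry
        if v == dst:
            break
        for u in adj[v]:
            if rt.get((v, dst)) not in (None, u) or rt.get((u, src)) not in (None, v):
                continue            # would violate the existing routing structure
            cand = (max(key[0], w.get(u, 0)), key[1] + 1)
            if cand < best.get(u, (float("inf"), float("inf"))):
                best[u] = cand
                prev[u] = v
                heapq.heappush(heap, (cand, u))
    if dst not in prev:
        return None
    path, v = [], dst
    while v is not None:
        path.append(v)
        v = prev[v]
    return path[::-1]


def haf_frp(domains, firewalls, links, rules):
    """Process domain pairs in descending order of r(x,y)+r(y,x); for each pair,
    insert the min-max path and charge its rules to every firewall on the path.
    Returns (w, rt, paths): rule-set sizes, routing entries and chosen paths."""
    adj = defaultdict(set)
    for a, b in links:
        adj[a].add(b)
        adj[b].add(a)
    w = {f: 0 for f in firewalls}
    rt = {}                          # (node, destination domain) -> next hop
    paths = {}
    total = lambda x, y: rules.get((x, y), 0) + rules.get((y, x), 0)
    pairs = [(x, y) for x, y in combinations(sorted(domains), 2) if total(x, y) > 0]
    pairs.sort(key=lambda p: -total(*p))
    for x, y in pairs:
        path = minmax_path(adj, w, rt, x, y)
        if path is None:
            raise ValueError(f"no feasible path between {x} and {y}")
        for i, node in enumerate(path):
            if node in w:            # a firewall on the path enforces both directions
                w[node] += total(x, y)
            if i + 1 < len(path):
                rt[(node, y)] = path[i + 1]
            if i > 0:
                rt[(node, x)] = path[i - 1]
        paths[(x, y)] = path
    return w, rt, paths


def mfrs(w):
    """Size of the maximum firewall rule set, max_f w(f)."""
    return max(w.values())


# Constructed input: four domains, three firewalls, a fixed topology in which
# d2 and d3 are connected through both f2 and f3.
DOMAINS = ["d1", "d2", "d3", "d4"]
FIREWALLS = ["f1", "f2", "f3"]
LINKS = [("d1", "f1"), ("f1", "d2"), ("d2", "f2"), ("f2", "d3"),
         ("d2", "f3"), ("f3", "d3"), ("f3", "d4")]
RULES = {("d2", "d3"): 8, ("d3", "d2"): 2, ("d1", "d3"): 6,
         ("d1", "d2"): 5, ("d4", "d3"): 4, ("d2", "d4"): 3}

if __name__ == "__main__":
    w, rt, paths = haf_frp(DOMAINS, FIREWALLS, LINKS, RULES)
    for pair, path in paths.items():
        print(pair, "->", " - ".join(path))
    print("w(f):", w, "MFRS:", mfrs(w))
```

Note how the pair (d1, d3), processed after (d2, d3), is forced through the already-loaded f2 because d2's routing entry for d3 has been fixed; this is the routing restriction the chapter describes.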


Next we prove c1 is a sufficient condition. First, we consider a simple case where all domains belong to one component. The remaining components must be single firewalls, each having at least two free interfaces. To form a connected graph, we can simply connect these firewalls to any domains.

Second, consider the case where the domains belong to at least two components. c11. There must be a firewall with a free interface. The firewall belongs to a component. There must be another component that has a domain. Connect the firewall and the domain, which uses one free interface and reduces the number of components by one. Therefore, the condition c1 remains true. Repeat the above process until all domains belong to one component. For this case, we have already proved that the graph can be made connected.

Therefore, c1 is a necessary and sufficient condition for Gt to be turned into a connected graph. □


In order to enforce the above restrictions, we have to carefully redesign the subroutine Insert_Optimal_Path, which is Line 3 of the HAF algorithm. Let Com(x) be the component in Gt that contains x. The pseudocode of Insert_Optimal_Path is given in Fig. 2-9. We give a brief explanation below.

Dijkstra algorithm on the augmented graph to find the shortest path.

Because = c in Gt, we are allowed to consume one free interface without reducing the number of components. In other words, the MinMax path is allowed to use a virtual link within the component that contains x, or a virtual link within the component that contains y, but not both. Lines 13-16 find the shortest path that may use a virtual link within the component of x. Lines 17-20 find the shortest path that may use a virtual link within the component of y. Line 21 returns the better of the two paths.


Path subroutine is the same as the complexity of Dijkstra's algorithm, which is O(e + (n + m) log(n + m)). The complexities of the HAF_Dijkstra and Insert_Optimal_Path subroutines are the same as that of Shortest_Path. HAF executes the Insert_Optimal_Path subroutine at most O(n²) times. Therefore, the total time complexity is O(n²e + n²(n + m) log(n + m)).

2.3.2, r(x, y) should now be the sum of the weights of all rules in R(x, y). Instead of w(f) = Σ_{⟨x,y⟩∈(f)} r(x, y) as in (2–1), w(f) should now be interpreted as the weight of the rule set at f and defined as w(f) = (Σ_{⟨x,y⟩∈(f)} r(x, y)) / (the weight of firewall f)


The FULL algorithm first constructs a tree topology in the same way as the TREE algorithm does. It then fully utilizes all remaining free interfaces on the firewalls by making a link from each free interface to an arbitrary domain. After that, we run a shortest-path algorithm to find the least-hops routing path between each pair of domains. Tree topologies with cross-links are often seen in organizations with hierarchical administrative structures.

The default simulation parameters are shown in Table 2-2. The simulations will change the default values of the parameters one at a time. n is the number of domains. m is the number of firewalls. Let e(f) be the number of network interfaces on firewall f.

Fig. 2-10 to 2-15 show the simulation results. In all figures, the y axis is the size of the maximum rule set (max_{f∈M} {w(f)}) at any firewall. We abbreviate "the size of the maximum firewall rule set" as "the MFRS size". The x axis is one of the parameters.


In Fig. 2-10, we vary the number n of domains in the simulation. When n is very small, the numbers of firewalls and interfaces are relatively plentiful, such that most domain pairs are one firewall away from each other and the rules are well spread over the firewalls. The MFRS size is small for all three algorithms. As n increases, HAF performs far better than the others. When n = 120, the MFRS size achieved by HAF is just 35.06% of that achieved by FULL, and 24.78% of that achieved by TREE.

In Fig. 2-11, we vary the number m of firewalls in the simulation. TREE is insensitive to the value of m because the tree topology cannot take full advantage of the increased number of firewalls. HAF performs much better than TREE and FULL. When m = 35, the MFRS size achieved by HAF is 35.31% of that achieved by FULL, and 24.90% of that achieved by TREE.

In Fig. 2-12, we vary the average number

In Fig. 2-13, we vary the average number

In Fig. 2-14, we vary the probability p for a domain pair ⟨x, y⟩ to have one or more rules. The value of p determines the density of the rule graph Gr. As p increases, the MFRS size increases for all three algorithms. HAF performs better than the other two algorithms for all p values used in the simulation. When p = 1, the MFRS size achieved by HAF is 37.37% of that achieved by FULL, and 18.19% of that achieved by TREE.

In Fig. 2-15, we study sparse network topologies with m = (n − 1)/(


Table 2-1. Frequently-used notations
r(x, y)   the number of access control rules for flows from domain x to domain y
w(f)      the number of access control rules to be enforced on a firewall f

Figure 2-1. Two topologies that connect domains x, u, v and y via firewalls f1, f2 and f3, whose numbers of interfaces are 2, 3 and 2, respectively.

Table 2-2. Default simulation parameters
m    e(f)
40   4    10    0.7


Figure 2-2. Rule matrix, rule graph, and topology graph

Figure 2-3. High-availability solutions


Insert_Optimal_Path(Gt, x, y)
3. return Gt

Figure 2-4. Pseudocode of HAF


Routing_Condition(v, u, d)
1. if rt[v, d] = NIL or rt[v, d] = u then
2.   return true
3. else
4.   return false

Interface_Condition(v, u, s, d)
1. if v = s ∧ next[u, d] = d and both (s, u) and (u, d) are virtual links but u has only one free interface then
2.   return false
3. else
4.   return true

Relax(v, u, d)
1. if max{c[v], cost[u, d]}

Figure 2-6. (a) Augmented graph G_t^{⟨x,y⟩}, where f2 has one free interface and two virtual links; (b) Shortest path returned by Shortest_Path(G_t^{⟨x,y⟩}, x, y), where the relaxation is performed from y along the path to x; (c) Shortest path returned by Shortest_Path(G_t^{⟨x,y⟩}, y, x), where the relaxation is performed from x along the path to y. The best path is (x, f1, v1, f2, y).

Figure 2-7. Shortest path when f2 has two free interfaces.

Figure 2-8. Shortest path when f2 and f3 each have one free interface.


Insert_Optimal_Path(Gt, x, y)
1. if  c + 1 in Gt then
2.   initialize G_t^{⟨x,y⟩} to be Gt
3.   for each firewall f with a free interface do
4.     add a virtual link in G_t^{⟨x,y⟩} between f and x (or y) if they are not already connected
5.   p := HAF_Dijkstra(G_t^{⟨x,y⟩}, x, y)
6. else if  = c in Gt then
7.   initialize G′_t to be Gt
8.   if Com(x) ≠ Com(y) then
9.     for each firewall f with a free interface, Com(f) ≠ Com(x) do
10.      add a virtual link in G′_t between f and x
11.    for each firewall f with a free interface, Com(f) ≠ Com(y) do
12.      add a virtual link in G′_t between f and y
13.  initialize G_t^{⟨x,y⟩} to be G′_t
14.  for each firewall f with a free interface, Com(f) = Com(x) do
15.    add a virtual link in G_t^{⟨x,y⟩} between f and x
16.  p1 := HAF_Dijkstra(G_t^{⟨x,y⟩}, x, y)
17.  initialize G_t^{⟨x,y⟩} to be G′_t
18.  for each firewall f with a free interface, Com(f) = Com(y) do
19.    add a virtual link in G_t^{⟨x,y⟩} between f and y
20.  p2 := HAF_Dijkstra(G_t^{⟨x,y⟩}, x, y)
21.  p := the better one between p1 and p2
22. else if  = c − 1 in Gt then
23.  initialize G_t^{⟨x,y⟩} to be Gt
24.  if Com(x) ≠ Com(y) then
25.    for each firewall f with a free interface, Com(f) ≠ Com(x) do
26.      add a virtual link in G_t^{⟨x,y⟩} between f and x
27.    for each firewall f with a free interface, Com(f) ≠ Com(y) do
28.      add a virtual link in G_t^{⟨x,y⟩} between f and y
29.  p := HAF_Dijkstra(G_t^{⟨x,y⟩}, x, y)
30. Insert p into Gt

Figure 2-9. Pseudocode of Insert_Optimal_Path


Figure 2-10. Size of maximum rule set with respect to number n of domains. 10 ≤ n ≤ 120, m = 40,

Figure 2-11. Size of maximum rule set with respect to number m of firewalls. n = 100, 35 ≤ m ≤ 59,

Figure 2-12. Size of max rule set with respect to avg number

Figure 2-13. Size of maximum rule set with respect to avg number


Figure 2-14. Size of maximum rule set with respect to probability p. n = 100, m = 40,

Figure 2-15. Size of maximum rule set in sparse network. 10 ≤ n ≤ 120, m = (n − 1)/(


[26–34], each dealing with a specific problem in its own unique way. The vast solution space, if viewed as a whole, seems able to handle many security problems, but deploying all these solutions can be practically infeasible. A major obstacle is that individual solutions often share little common ground in their design. Many solutions heuristically work around the limitations imposed by the legacy Internet protocols and demand orthogonal changes on routers. Their combined complexity added to the Internet will be exceedingly high. In this dissertation, we take a different angle to


What is the critical information that the network can provide to assist the development of security applications? There can be many. The one we propose here is called path addresses. A host on the Internet is identified by an IP address; a routing path on the Internet will be identified by a path address. The big question is, can path addresses help us in ways that IP addresses cannot? Below we use a few examples to illustrate their differences.

In the first example, suppose a server under denial-of-service (DoS) attack attempts to identify the IP addresses of flooding sources and block the packets carrying those addresses. However, this approach will fail if malicious packets carry forged source addresses or a reflection attack is used to cover the true sources. In the second example, imagine a server under denial-of-quality (DoQ) attack tries to distribute its processing capacity fairly among the clients. It cannot perform such distribution based on IP addresses because there are too many of them. A certain kind of aggregation will be necessary. In the last example, suppose a victim has managed to capture an attack packet (say, containing a virus). Based on this single packet, how can the victim trace across the Internet back to the attacker, given that the source address in the packet may be a forged one? None of the above problems can be reliably solved based on IP addresses in the packet header, which are set by the sender and may not be genuine. We need address information that is beyond the reach of end hosts. This new address should be set and verified by the routers in the network. If each routing path is assigned a path address, which is carried in the header of packets routed on the path, then a server under DoS attack can block


We propose an incrementally-deployable path address scheme (PAS) that meets the following requirements: (1) Each routing path to a certain destination has a unique path address (with very high probability), which is called the uniqueness requirement. It ensures that path addresses accurately point out where packets are coming from. Blocking a path address filters out the packets from an attack source without causing significant collateral damage. (2) Each packet carries the address of the path it traverses; the packet has to carry that address from the first router all the way to the destination, which is called the completeness requirement. It gives the flexibility of classifying or blocking packets of a given path address anywhere along the path. (3) The path address in a packet's header can only be correctly set by the routers in the network; a host will not be able to forge the path address carried in its packets without being caught, which is called the safety requirement. (4) Any viable path address scheme must support incremental deployment on the existing Internet. It should bring benefit when only a portion of routers are upgraded for path addresses, which is called the incrementally-deployable requirement. This chapter describes in detail how the Internet protocols may be enhanced to include path addresses based on the above requirements. We demonstrate that the proposed PAS scheme satisfies the self-completeness property for incremental deployment. We evaluate the performance of PAS both analytically and by simulations.

The addition of path addresses requires relatively small changes in Internet protocols. On the other hand, it may potentially have a large impact on how security systems will be designed. When a victim's intrusion detection system identifies malicious packets, it may extract the path addresses from the packets and pay special attention to future packets carrying the same path addresses, or even block such packets. If the victim has a mapping


[35] more powerful. After the victim identifies a set of path addresses from malicious packets, it may push these addresses into the network for blocking. When the first-hop router receives a packet from a neighbor router and finds that the packet carries a blocked path address, it drops the packet and then pushes the address to the neighbor. Eventually the addresses will be pushed all the way back to the edge of the domains where the attack hosts reside.

While the focus of this dissertation is on network security, the path address scheme can be used in other network functions, such as packet classification, resource reservation, and service differentiation. For example, instead of per-flow queueing, packets can be queued based on path addresses, allowing trunk resource reservation to be made for all flows sharing the same path between two ASes.

The rest of the chapter is organized as follows. Section 3.2 discusses the related work. Section 3.3 presents the design of our path address scheme. Section 4.4 and Section 3.4.2 evaluate PAS by analysis and simulations, respectively.


[36] allow a server to stay stateless until the address of a client is verified. Examples are SYN cookies [27] and HTTP redirection cookies [37]. One problem is that it is more expensive for the server to generate/verify cookies than for the attacker to forge request packets. The client-puzzle solutions [28, 38–40] require clients to solve cryptographic puzzles before their connections are established. However, significant computation overhead is placed not only on malicious hosts but also on legitimate clients. The route-based packet filtering scheme [29] requires each router to drop packets that are not supposed to pass a link. As the paper points out, it is very difficult to reliably determine the set of source-destination pairs whose packets will pass a link. The spoofing prevention method (SPM) [30] requires pairwise secure communication channels among ASes to synchronize their keys. Ingress filtering [31] requires the edge routers of stub networks to inspect outbound packets and discard those packets whose source addresses do not belong to the local networks. This approach requires the participation of all edge routers on the Internet; it does not work well for incremental deployment, which will be elaborated in Section 3.3.6.

Many systems have been proposed to mitigate DoS attacks. SOS [32] is a secure overlay service designed to protect emergency services from DoS attacks. Mayday [41] is a generalization of SOS. They both assume a closed group of trusted clients. WebSOS [42] applies the SOS architecture to the web service using graphic Turing tests [43]. CenterTrack [44] is an IP overlay formed among a mesh of special tracking routers to trace the flooding sources.

In recent years, the IP traceback problem has been intensively studied [26, 33, 45–47]. The goal is to find the origins of the packets with spoofed source addresses. Many traceback schemes incur considerable computation overhead [26], storage overhead [47], or communication overhead [46] in order to keep track of the routers that the packets


The most related work is Pi [34, 45], which requires each router to insert an n-bit mark in the IP identification field, where n is typically 2. The marks inserted by Pi in the packet header are not suitable to serve as path addresses. In particular, Pi does not satisfy the uniqueness, completeness and safety requirements (defined in Section 3.1). First, in Figure 3-1(a), for packets coming from a long path, marks inserted by remote routers will be overwritten due to the limited size of the path identifier. Consequently, all packets arriving at R8, even though they may come from different paths further upstream,

3-1(b), if a router (such as R8) has more than 2^n links, then there will not be enough mark values to uniquely distinguish where packets are from. On the other hand, if a router has fewer than 2^n links, it will leave some mark values unused. Fourth, in Figure 3-1(c), if a zombie host is close to the receiver, only a few bits in the path identifier will be marked by routers, and the remaining bits will carry arbitrary values set by the attacker, which violates the safety requirement. To block the attacker, the receiver has to block all path identifiers that carry the same value in those few bits, which means one sixteenth of all normal traffic will be mistakenly blocked in this example. If the zombie is one hop away from the receiver, then one fourth of all normal traffic will have to be


We propose a path address scheme (PAS), which assigns each path an address. There is an inherent difference between IP addresses and path addresses. The IP addresses are owned by the hosts, which are given the full responsibility of setting the source addresses in their packets. The path addresses are owned by interdomain routers and kept secret from the hosts. Therefore, only routers are able to set path addresses appropriately in the packet header.

We will answer the following questions: How to define the address of a routing path? How to extend the routing protocols to keep track of the path addresses? What new fields should be introduced in the packet header for path addresses? How can the receiver verify the authenticity of the path address carried in a packet?

A packet carrying the authentic address of its routing path is called a normal packet; a packet carrying a false path address is called an abnormal packet. Our goal is to enable


The second objective needs more explanation. An attack host may inject malicious packets into a routing path. It has two choices, falsifying or not falsifying path addresses in the packet header. If the attack host sets false path addresses in its packets, the false addresses will be detected and the packets will be classified as abnormal ones. If the attack host lets the router set the authentic path address, all its packets will share a common characteristic: the same path address can be used for traceback or packet filtering.

3-2 and 3-3, where only the first 8 bits of the local numbers are shown. Figure 3-2 shows the AS-level topology and the local numbers of nine interdomain routers. We denote the local number of a router Rx, x ∈ [1..9], as Rx.loc. Figure 3-3 shows the addresses of the routing paths to AS1. We denote the address of the routing path from Rx to a domain y as Rx.paddr(y), which is called the path address from Rx to y.

In Figure 3-3, the path from R1 to AS1 contains only one router, R1. Hence, R1.paddr(AS1) = R1.loc = 10101101. The path from R2 to AS1 contains two routers, R2 and R1. Hence, R2.paddr(AS1) = R1.loc ⊕ R2.loc = 10101101 ⊕ 00010111 = 10111010. The path addresses of all other routing paths to AS1 are similarly determined.


3-3, where R1.paddr(AS1) through R9.paddr(AS1) are all different.

Because the path address will be carried in the packet header, its length represents a performance/overhead tradeoff. Let p be the number of bits in a path address. The probability for two paths to have the same address is 1/2^p, which diminishes rapidly as p increases. The current number of domains on the Internet is less than 2^16 because the AS identifier is 16 bits long. Therefore, there are no more than 2^16 interdomain routing paths to a given destination domain. Suppose a victim server decides to temporarily block a path address carried by identified malicious packets in a SYN-flood attack. The expected number of other domains whose routing paths to the victim happen to have the same address is bounded by 2^(16−p), and the expected fraction of legitimate packets that are mistakenly blocked is 2^(16−p)


[48, 49]. We also want to point out that the above distributed computation of path addresses does not assume symmetric routing.

The additional overhead (one integer for each routing entry) is very small compared with what today's BGP already stores: the whole interdomain path to a destination domain for each routing entry.

Incremental deployment can be achieved as follows: Define a new optional transitive path attribute in BGP for the path address. For a BGP router that is upgraded to support PAS, when it advertises its routes to neighbors via UPDATE messages, it inserts the new transitive attribute in UPDATE to carry the path address of each route. When a BGP router that does not support PAS receives such UPDATE messages, according to the BGP protocol [50], it will pass the received transitive attribute (i.e., path addresses) to its neighbors when the received routes are advertised. When a BGP router that supports PAS receives UPDATE messages with the new transitive attribute, it will extract the path addresses and update the routing table for new routes and new path addresses (by XORing the received path addresses with the local number). When it advertises the new routes, it inserts their path addresses as the transitive attribute. Under incremental deployment, the


A multi-homing domain has more than one path to each destination. Each of its BGP routers stores a different set of routes. The traffic from this domain may be split among those BGP routers, carrying different path addresses and following different routes to a destination. If an attack (such as DoS) is launched from this domain, the victim will identify more than one (most frequently appearing) path address associated with the attack.

BGP stability is of primary importance to the overall stability of the Internet [51]. Route flap damping techniques have been proposed and implemented to stabilize inter-domain routes [52]. Although route change is infrequent among BGP routers overall, it does happen occasionally due to link failure or other reasons. Before new routes are stabilized, some path addresses may be temporarily out of sync, causing a burst of packets to be classified as abnormal. Therefore, not all abnormal packets should be dropped automatically. Only when a victim is under attack and the need to immediately block out malicious packets outweighs the collateral damage due to the small possibility of an ongoing inter-domain route change may the victim decide to block out all abnormal packets. Even when such misblocking happens, it is temporary. We want to point out that route change also poses a similar challenge to Pi [45], IP traceback [26, 45–47], and other related work [29].

3-3, the packets from AS5 to AS1 will carry 01001010 in the paddr field if they are routed via R8. To routers, the P flag indicates whether the paddr field has been appropriately set or not. The purpose of the verification


3-3, a malicious host in AS4 may forge packets with 01001010 in the paddr field and pretend that the packets are coming from AS5. When the forged packets arrive at R6, they are mixed with the legitimate packets from AS5; R6 must be able to classify the forged ones as abnormal packets. This is accomplished with the help of the verification field. We will explain the actual operations shortly. The problems of where to place these fields and how to operate under incremental deployment will be addressed at the end of this subsection.

The source host does not know the path address of its routing path. It sets the P flag to zero and sends the packet, which arrives at the first interdomain router. When the router receives a packet, if the P flag is zero, the router knows that it is the first hop on the path and is responsible for assigning the appropriate values for the paddr/verification fields. After that is done, the router will change the P flag to one so that the subsequent routers will not change the path address carried in the packet, which satisfies the completeness property.

An example is given in Figure 3-4, where the received packet is shown beside the router. When the first interdomain router, R8, receives the packet, it finds that the P flag is zero. R8 sets the paddr field to be R8.paddr(AS1), which is the path address from itself to the destination. It sets the verification field to be R8.paddr(AS1) ⊕ R8.loc, which gives the path address from the next-hop router to the destination. Finally it sets the P flag to one before forwarding the packet. When the next-hop router, R7, receives the packet, it keeps the path address field intact but updates the verification field by XORing it with its local number. The new value of the verification field is the path address from the hop after R7 (R6) to the destination. Consequently, each intermediate router Rx is able to verify the authenticity of the path address in the paddr field by matching the received value in the verification field against Rx.paddr(AS1), which can be found in the routing table. If the two match, then the packet is a normal one. Otherwise, it is classified as


When a packet reaches the receiver, the verification field is zero if it is a normal packet and non-zero if it is an abnormal packet. Because the path address should be kept secret from the end host, the last-hop router disguises the path address by performing a keyed hash on the paddr field. All normal packets that traversed the same routing path will carry the same hash value in the paddr field when they reach the receiver.

So far we have described the normal behavior. Next, we study what a malicious host can do. In Figure 3-5, a malicious host resides in AS4. When producing attack packets, it has two choices: setting the P flag to zero or to one. (1) If it sets the P flag to zero, R6 will insert the path address into the packet header. Because the packets carry the correct path address, they will be classified as normal (by definition) all the way to the receiver. When the receiver finds itself under attack, it tries to mitigate the attack by filtering out the malicious packets. Recall that the last-hop router hashes the paddr field. Without knowing the actual path address, the receiver performs filtering based on the hashed path address carried in those packets. (2) To hide itself, a malicious host may set the P flag to one and the paddr field to an arbitrary value. However, it does not know the correct value for the verification field, which must be the path address from R6 to the destination. If it sets this value wrong, all intermediate routers will classify the packets as abnormal. An example is given in Figure 3-5, where both the paddr and verification fields of an attack packet are initially set to 01001010, representing a false source of AS5. The packet is classified as abnormal by all routers on the path.

The new fields can be easily incorporated into IPv6 by adding an extension header. The new fields may also be embedded in the IPv4 header for backward compatibility, by creating a new IP option or by reusing the 16 bits of the IP identification field, 1 bit of the flags field, and the 13 bits of the fragment offset field, as many other works [26, 45-47] do (reusing those bits assumes, as those schemes do, that fragmented packets are rare or handled separately). The verification field can be made shorter than the paddr field, which provides flexibility of
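The marking and verification procedure above, as an added simulation that is not part of the dissertation's own material. The eight 8-bit router local numbers are constructed for this example (only the resulting value $R_8.paddr(AS_1) = 01001010$ is taken from Figure 3-3), the keyed hash applied by the last hop is instantiated with HMAC-SHA256 under an assumed key, and the malicious host in AS4 is assumed to enter the path at R6 as in Figure 3-5. It runs the legitimate AS5 packet, the "honest" attack packet (P flag zero) and the forged packet (P flag one, both fields set to 01001010) through the path and reports what each router and the receiver see.

```python
"""PAS path-address marking and hop-by-hop verification (added example)."""
import hashlib
import hmac
from functools import reduce
from operator import xor

# Constructed 8-bit local numbers for the routers on R8 -> R7 -> ... -> R1 -> AS1.
# They are chosen so that the XOR of all eight is 0b01001010 = R8.paddr(AS1).
LOC = {
    "R1": 0b10101101, "R2": 0b00010111, "R3": 0b11010011, "R4": 0b01100001,
    "R5": 0b00111100, "R6": 0b10010110, "R7": 0b11100010, "R8": 0b00001010,
}
PATH_AS5 = ["R8", "R7", "R6", "R5", "R4", "R3", "R2", "R1"]  # AS5 -> AS1 via R8
PATH_AS4 = PATH_AS5[2:]                                     # AS4 enters at R6
LAST_HOP_KEY = b"assumed-last-hop-key"                      # assumption, not from the page


def paddr(path, router):
    """Rx.paddr(AS1): XOR of the local numbers of Rx and every router after it."""
    return reduce(xor, (LOC[r] for r in path[path.index(router):]), 0)


def disguise(addr):
    """Keyed hash applied by the last hop so the end host never sees the raw address."""
    return hmac.new(LAST_HOP_KEY, bytes([addr]), hashlib.sha256).hexdigest()[:8]


def forward(path, pflag, paddr_field=0, verif_field=0):
    """Push one packet through every router on `path`.

    Returns the receiver's view of the packet and how many routers on the
    path classified it as abnormal (0 for a normal packet).
    """
    flagged = 0
    for r in path:
        if pflag == 0:
            # First interdomain router: fill in both fields, then set P (Figure 3-4).
            paddr_field = paddr(path, r)
            verif_field = paddr_field ^ LOC[r]   # path address of the next hop
            pflag = 1
        else:
            # Later routers: the verification field must equal this router's own
            # path address; then strip this router's local number for the next hop.
            if verif_field != paddr(path, r):
                flagged += 1
            verif_field ^= LOC[r]
    return {
        "status": "normal" if flagged == 0 else "abnormal",
        "flagged_routers": flagged,
        "verif_at_receiver": verif_field,          # 0 for every normal packet
        "paddr_at_receiver": disguise(paddr_field),  # what the victim can filter on
    }


def scenarios():
    """The three cases discussed in the text, in order."""
    legit = forward(PATH_AS5, pflag=0)          # legitimate packet from AS5
    honest_attack = forward(PATH_AS4, pflag=0)  # attacker lets R6 mark the packet
    forged = forward(PATH_AS4, pflag=1,         # attacker claims to be AS5 (Figure 3-5)
                     paddr_field=0b01001010, verif_field=0b01001010)
    return legit, honest_attack, forged


if __name__ == "__main__":
    for name, pkt in zip(("AS5 legit", "AS4 honest", "AS4 forged"), scenarios()):
        print(f"{name:11s} {pkt}")
```

In case (1) both the AS5 and the AS4 packets reach the receiver as normal, but their hashed path addresses differ, so the victim can block the AS4 address without touching AS5 traffic. In case (2) the forged verification field is off by a constant XOR difference from $R_6.paddr(AS_1)$, and because every hop only XORs in its own local number that difference never cancels, which is why every router on the path flags the packet.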


During incremental deployment, some routers are upgraded to support PAS, while others are not. The former process packets as described above. The latter simply forward packets without PAS-related operations. Because the path address is the XOR of the local numbers of the upgraded routers only, the verification process still succeeds.

In Figure 3-5, if the malicious host compromises R6, it knows the key and learns the path addresses from R6 to all destinations. The malicious host can instruct R6 to forge packets with arbitrary values in the paddr field but correct values in the verification field, which allows the packets to pass verification along the routing paths. Router compromise poses a similar challenge to Pi [45], IP traceback [26, 45-47], and other related work [29], even though most did not consider this issue. There is no way to save the legitimate packets arriving at the compromised R6, because R6 can corrupt or even drop them. But it is possible to enhance the design of path addresses so that packets from R6 can be separated from packets forwarded on other paths. The basic intuition is that, if the routers after R6 are not compromised, they should construct a portion of the path address that is beyond the control of R6. If necessary, this portion of the address can be used by the receiver to class­ify the packets from R6.

The new way of constructing a path address performs shifted XOR, instead of XOR, on the local numbers of the routers. Let the routing path from $R_x$ to a destination domain


(3-1)

where $\gg$ is the right shift operator. It is easy for a routing protocol to keep track of the new path address if $R_x$ knows its distance to a destination $y$ and knows the path address from its next hop (denoted as $R_{x-1}$) to $y$. Below we give a few examples based on the local numbers in Figure 3-2. Let $d = 2$.

$R_1.paddr(y) = R_1.loc = 10101101\ldots$

$R_2.paddr(y) = R_1.paddr(y) \oplus (R_2.loc \gg 2) = 10101101\ldots \oplus 0000010111\ldots = 10101000\ldots$

$R_3.paddr(y) = R_2.paddr(y) \oplus (R_3.loc \gg 4) = 10101000\ldots \oplus 000011010011\ldots = 10100101\ldots$

$\ldots$

The procedure for setting the values in the paddr/verification fields is similar to what has been described in Section 3.3.4, except that shifted XOR is used. The verification is


If a malicious host compromises $R_i$, it cannot set the leftmost $(i-1)d$ bits in the paddr field to arbitrary values, because they have to match those in $R_{i-1}.paddr(y)$ in order to pass the verification at the next hop. Consequently, all attack packets from $R_i$ will carry the same $(i-1)d$ bits in the paddr field. A defense system may be designed based on this property. What if the attacker compromises $R_1$, the last-hop router to the destination? Because packets from all over the Internet are fully mixed there, it is no longer possible to separate the legitimate packets from the malicious ones if that router is compromised, unless the legitimate packets are protected by end-to-end cryptographic schemes.

Shifted XOR shares a superficial similarity with the operation of Pi [45]. In Pi, each router can only set 2 bits in the IP identification field. A malicious host that is one hop away from the victim can arbitrarily set the other bits in that field. In shifted XOR, each router has much more impact. For example, the last-hop router influences all bits in the path address. A malicious host one hop away cannot set any bit in the path address without being detected.

Many existing defense systems are not self-complete. Take ingress filtering [31] as an example. Suppose all networks in $C$ perform ingress filtering and those in $C'$ do not.
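The shifted-XOR construction and the compromised-router property above, as an added example (not the dissertation's code). Equation (3-1) did not survive extraction, so the rule $R_i.paddr(y) = R_{i-1}.paddr(y) \oplus (R_i.loc \gg (i-1)d)$ is inferred from the three worked values on the page; the 8-bit local numbers 10101101, 00010111 and 11010011 extend the page's prefixes to whole bytes (an assumption), and the three addresses the code reproduces are the page's own. The last function enumerates which paddr values a compromised $R_i$ could still present without failing verification at $R_{i-1}$; with $d = 0$ the construction degenerates to plain XOR and the constraint disappears.

```python
"""Shifted-XOR path addresses and the fixed-prefix property (added example)."""
WIDTH = 8                                   # width of local numbers in this example
R1_LOC, R2_LOC, R3_LOC = 0b10101101, 0b00010111, 0b11010011   # page's prefixes, extended


def shifted_xor_paddrs(locs, d, width=WIDTH):
    """locs[0] is R1 (last hop before the destination), locs[1] is R2, and so on.

    Returns [R1.paddr, R2.paddr, ...] where R_i.paddr = R_{i-1}.paddr XOR
    (R_i.loc >> (i-1)*d), the rule inferred from the page's worked examples.
    """
    mask = (1 << width) - 1
    addrs, acc = [], 0
    for i, loc in enumerate(locs, start=1):
        acc ^= (loc & mask) >> ((i - 1) * d)
        addrs.append(acc)
    return addrs


def fixed_prefix_len(i, d):
    """Number of leading paddr bits a compromised R_i cannot choose: (i-1)d."""
    return (i - 1) * d


def forgeable_from(addrs, i, d, width=WIDTH):
    """All paddr values a compromised R_i could present that still agree with
    R_{i-1}.paddr on the leading (i-1)d bits, i.e. that R_{i-1} would accept.
    For i == 1 (or d == 0) nothing constrains the value."""
    n = fixed_prefix_len(i, d)
    if n == 0:
        return list(range(1 << width))
    shift = width - n
    prefix = addrs[i - 2] >> shift          # leading bits of R_{i-1}.paddr
    return [v for v in range(1 << width) if v >> shift == prefix]


if __name__ == "__main__":
    addrs = shifted_xor_paddrs([R1_LOC, R2_LOC, R3_LOC], d=2)
    for i, a in enumerate(addrs, start=1):
        print(f"R{i}.paddr = {a:08b}")
    print("values a compromised R3 can present:", len(forgeable_from(addrs, 3, 2)),
          "of", 1 << WIDTH)
```

For $d = 2$ a compromised $R_3$ is pinned to the leading four bits 1010 of $R_2.paddr$, so all of its attack packets share that prefix and the receiver can classify them by it, whereas with plain XOR ($d = 0$) it could emit any of the 256 values.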


[53] is not self-complete by a similar analysis. It can be shown that the IP traceback systems [26, 45-47] are also not self-complete.

When an AS deploys a system that is not self-complete, it essentially takes a good-citizen strategy to help in a global effort to defeat a certain network threat. But the benefits for itself arrive only after other organizations on the Internet are also good citizens and, moreover, implement the same defense. On the contrary, if an AS joins a self-complete system such as PAS, it immediately receives the full defense function for traffic between itself and the other ASes that have also deployed the system. This has a significant practical impact: immediate benefit during incremental deployment gives ASes an incentive to deploy such a system.

An AS is PAS-aware if it deploys PAS on all its BGP border routers; otherwise, it is PAS-unaware. We are not concerned with the uniqueness of the address of a path whose source or destination is PAS-unaware. However, for our scheme to be self-complete, we must ensure that the path address from a PAS-aware source AS to a PAS-aware destination AS (denoted as $x$) has a negligibly small probability of being the same as the address from another source AS to $x$, regardless of whether that source AS is PAS-aware or not. This is generally true, as illustrated in Fig. 3-6, where black circles are routers supporting PAS and white circles are routers not supporting PAS. The path address from AS3 to AS1 is $R_3.paddr(AS_1) = R_3.loc \oplus R_1.loc$. It is different from the path addresses from other domains to AS1, with one exception: the address from the PAS-unaware AS6 to AS1 is also $R_3.loc \oplus R_1.loc$. To solve this problem, when R3 receives a packet from an external interface (connecting AS6) with the P flag being zero, it sets the paddr field to $R_3.paddr(AS_1) \oplus R_3.loc \oplus r = R_1.loc \oplus r$, where $r$ is a random number associated with that external interface. It sets the verification field to the paddr


There is one additional operation. Before a router forwards a packet destined to another AS, if the router's path address to the destination AS is equal to its own local number, the router knows that it is the last PAS-aware router on the path. In this case, it should disguise the paddr field by hashing it before forwarding the packet.

[45].

When a normal host sends a legitimate packet to the victim and the packet is mistakenly filtered, we call the event a false positive. The probability for that to happen is called the false-positive probability. Clearly, it is equal to the fraction of all legitimate packets that are filtered, traditionally called the false-positive ratio.


Let $h$ be the number of routers that have been upgraded to support PAS (or Pi) on the path from the malicious host to the victim. In the analysis, we ignore routers that do not support PAS (or Pi). Let $m$ be the number of bits used to store the path identifier in Pi, or the paddr/verification fields and the P flag in PAS. For Pi, let $n$ be the number of bits in any mark inserted into the path identifier by a router. For PAS, let $p$ be the number of bits in the paddr field and $v$ the number of bits in the verification field; $p + v = m - 1$. If $v$ is chosen smaller than $p$, then only $v$ bits of the paddr field are verified.

Consider a legitimate packet from a normal host. The design of PAS is completely different from that of Pi. Each router contributes a full $p$-bit local number to the path address. As long as the routing path from the normal host to the victim has one router that is not on the path from the malicious host to the victim, the addresses of the two paths may differ in any of the $p$ bits. Hence, the chance for these two path addresses to be the same, i.e., the false-positive probability, is

$2^{-p}$ (3-2)

Next, consider an attack packet from the malicious host. If the malicious host does not falsify the path address carried in the packet and lets the routers on the path set the address, then the address will be the authentic one, matching the blocked path


$2^{-v}$ (3-3)

Because $p + v = m - 1$, if $m$ is fixed, we can tune the values of $p$ and $v$ to trade off the false-positive probability against the false-negative probability. However, we are able to lower both probabilities if $m$ can be increased. If $m$ is large enough (e.g., 30), we can lower both to almost zero. Finally, by (3-2)-(3-3), neither the false-positive nor the false-negative probability depends on the distance $h$ from the malicious host to the victim.

Consider a legitimate packet from a normal host. Suppose the routing path from the normal host to the victim shares the last $c$ hops with the routing path from the malicious host. The path identifier carried in the legitimate packet must share $cn$ common bits with the blocked identifier. The packet will be mistakenly filtered if the other $(m - cn)$ bits happen to also have the same value as the blocked identifier. Hence, the false-positive probability is

$2^{-(m - nc)}$ if $nc$

$2^{-(m - nh)}$ if $nh$

[54].

The attack model used in our simulations is similar to that in [45]. There are two phases. The first is called the learning phase, and the second is called the attack phase. In the learning phase, we assume that an intrusion detection system identifies the attack packets and extracts the path identifiers or path addresses (e.g., the most frequently received ones under a DoS attack) for blocking. How to design an intrusion detection system in general is beyond the scope of this chapter. Suppose that, after this phase, the victim learns the path address from each malicious node to the victim, or, if Pi is used, it learns up to $r$ path identifiers for each malicious node. In Figure 3-1(c), we showed that there can be multiple path identifiers from an attacker if it resides near the victim. The default value for $r$ is one, but we will vary it in the simulation.

In the attack phase, the victim filters all packets carrying the path identifiers or path addresses learned in the previous phase. For Pi, the malicious nodes generate attack packets with random initial values in the path-identifier field. For PAS, the malicious nodes generate attack packets with random initial values in the paddr/verification fields and one for the P flag. We measure the false-positive ratio, which is the fraction of legitimate packets from all sources that are mistakenly filtered, and the false-negative ratio, which is the fraction of attack packets that are not filtered in this phase.

Pi uses no more than 30 bits in the packet header for its path identifier: 16 bits from the IP identification field, 1 bit from the flags field, and 13 bits from the fragment offset field. We allow the same number of bits for PAS in our simulations for a fair comparison. PAS uses 16 bits for the paddr field, 1 bit for the P flag, and 13 bits for the verification field. Pi uses all 30 bits for the path identifier. We have learned from


Section 4.4 that, in Pi, the number $n$ of bits in a mark represents a tradeoff between the false-positive ratio and the false-negative ratio. We let $n$ be 2, 3, 5, or 6 in the simulations. Pi with these $n$ values is denoted as Pi(2), Pi(3), Pi(5) and Pi(6), respectively.

Figure 3-7 shows the false-positive ratios and the false-negative ratios, respectively. Both the false-positive ratio and the false-negative ratio of PAS are near zero, varying between 0 and 0.0002. The attacker ratio has hardly any impact on PAS. None of Pi(2)-Pi(6) has a low false-positive ratio and a low false-negative ratio at the same time. The false-positive ratios of Pi(2) and Pi(3) are close to zero, but their false-negative ratios are almost one. Note that the simulation in [45] did not include malicious nodes close to the victim, but the simulation in this dissertation does, which reveals the above serious performance problem. Figure 3-7 also confirms our analytical result in Section 4.4 that increasing $n$ reduces the false-negative ratio of Pi but increases the false-positive ratio. For the same value of $n$, as the attacker ratio increases, the false-positive ratio increases while the false-negative ratio decreases. The reason is that the more attackers there are, the larger the number of blocked path identifiers (identified in the learning phase), the higher the chance of misblocking normal packets, and the lower the chance of not blocking attack packets.

Figure 3-8 shows the false-positive ratios and the false-negative ratios, respectively. PAS has very small false-positive and false-negative ratios, ranging between 0.0001 and 0.0002. Topology variation has little impact on its performance. For Pi, however, as the fraction of degree-one nodes increases, the false-positive ratios increase while the false-negative ratios decrease. The reason is that


(3-4) in Section 4.4. Second, it increases the path length (denoted as $h$) and thus increases the false-negative ratio due to (3-5).

Figure 3-9 shows the false-positive ratios and the false-negative ratios, respectively. $r$ is a parameter of Pi, and thus has no impact on PAS. The larger the value of $r$, the larger the number of blocked path identifiers in the second phase, the higher the chance of misblocking normal packets, and the lower the chance of not blocking attack packets. Therefore, as $r$ increases, the false-positive ratio of Pi increases and the false-negative ratio decreases.

We also ran the above simulations on shifted XOR. Its performance is very close to, but slightly worse than, that of PAS. We do not plot it in the figures because it almost completely overlaps with the curve of PAS, except for the left plot of Figure 3-9, where the false-positive ratio of shifted XOR would be half a percentage point higher than that of PAS.

Figure 3-10 shows the false-positive ratios and the false-negative ratios for packets from all PAS/Pi-aware ASes to a PAS/Pi-aware victim. The false-negative and false-positive ratios of PAS are near zero due to PAS's self-completeness (Section 3.3.6). On the contrary, the false-negative ratio of Pi is very high when the deployment ratio is small.


Pi cannot be used for path address.


Local numbers of the interdomain routers.

Figure 3-3. Addresses for the routing paths from the routers to AS1. For example, $R_8.paddr(AS_1) = 01001010$. It is the XOR of all local numbers on the routing path R8 → R7 → R6 → R5 → R4 → R3 → R2 → R1. Alternatively, it can be viewed as the XOR of R8's local number and $R_7.paddr(AS_1)$.

Figure 3-4. Received values of the paddr and verification fields are shown beside each router. The two fields are set to zeros by the sender. The first interdomain router sets these fields with appropriate values. The path address field stays unchanged at the subsequent hops, but the verification field is XORed with the local number at each hop. The verification field should be zero when the packet reaches its receiver.


Malicious host in AS4 sets the paddr/verification fields arbitrarily with the P flag being one. As long as it does not know $R_6.paddr(AS_1)$, the attack packets to AS1 will be classified as abnormal, which is indicated by a cross below V in the figure.

Figure 3-6. Path address between AS3 and AS1 should be artificially made different from the address between AS6 and AS1.


Figure 3-8.

Figure 3-9.




The spread of a source host is the number of distinct destinations that it has sent packets to during a measurement period. A spread estimator is a software/hardware module on a router that inspects the arriving packets and estimates the spread of each source. It has important applications in detecting port scans and DDoS attacks, measuring the infection rate of a worm, assisting resource allocation in a server farm, and determining popular web contents for caching, to name a few. The main technical challenge is to fit a spread estimator in a fast but small memory (such as SRAM) in order to operate it at the line speed in a high-speed network. In this chapter, we design a new spread estimator that delivers good performance in a tight memory space where all existing estimators no longer work. The new estimator not only achieves space compactness but also operates more efficiently than the existing ones. Its accuracy and efficiency come from a new method for data storage, called virtual vectors, which allows us to measure and remove the errors in spread estimation. We perform experiments on real Internet traces to verify the effectiveness of the new estimator.

[55-59]. In this chapter, we study the problem of spread estimation, which is to estimate the number of distinct destinations to which each source has sent packets that are of all or certain specific types.

We define a contact as a pair of source and destination for which the source has sent a packet to the destination. In the most general terms, the source or destination can be an IP address, a port number, or a combination of them together with other fields in the packet header. The spread of a source is the number of distinct destinations contacted by the source during a measurement period. A spread estimator is a software/hardware module on a router (or firewall) that inspects the arriving packets and estimates the spread


A spread estimator has many important applications in practice. Intrusion detection systems can use it to detect port scans [60], in which an external host attempts to establish too many connections to different internal hosts or different ports of the same host. It can be used to detect DDoS attacks when too many hosts send traffic to a receiver [61], i.e., the spread of a destination is abnormally high. It can be used to estimate the infection rate of a worm by monitoring how many addresses the infected hosts each contact over a period of time. A large server farm may use it to estimate the spread of each server (as a destination) in order to assess how popular the server's content is, which provides guidance for resource allocation. An institutional gateway may use it to monitor outbound traffic and determine the spread of each external web server that has been accessed recently. This information can also be used as an indication of the server's popularity, which helps the local proxy determine the cache priority of the web content.

The major technical challenge is how to fit a spread estimator in a small high-speed memory. Today's core routers forward most packets on the fast forwarding path between network interfaces, which bypasses the CPU and main memory. To keep up with the line speed, it is desirable to operate the spread estimator in fast but expensive, size-limited SRAM [62]. Because many other essential routing/security/performance functions may also run from SRAM, it is expected that the amount of high-speed memory allocated for spread estimation will be small. Moreover, depending on the application, the measurement period can be long, which requires the estimator to store an enormous number of contacts. For example, to measure the popularity of web servers, the


Past research meets the above challenge with several spread estimators [62-64] that process a large number of contacts in an ever smaller space. This dissertation adds a new member that not only requires far less memory than the best known one but also operates much more efficiently. It is able to provide good estimation accuracy in a tight space where all existing estimators fail. Our major contribution is a new methodology for contact storage and spread estimation based on virtual vectors, which use the available memory more efficiently for tracking the contacts of different sources.

Do we need a new spread estimator when there are already several? Consider the following scenario. Collected from the main gateway at the University of Florida on a day in 2005, the Internet traffic trace that we used in our experiments has around 10 million distinct contacts from 3.5 million distinct external sources to internal destinations. We expect that today's traffic on Internet core routers exceeds these figures by far. Now assume the router can only allocate 1 MB of SRAM for the spread estimator. On average there are only 2.3 bits allocated for tracking the contacts from each source. We classify the existing estimators into several categories based on how they store the contact information: 1) storing per-flow information, such as Snort [65] and FlowScan [61]; 2) storing per-source information, such as Bitmap Algorithms [64] and One-level/Two-level Algorithms [63]; and 3) mapping sources to the columns of a bit matrix, where each column stores contacts from all sources that are mapped to it, such as the On-line Streaming Module (OSM) [62]. Obviously the first two categories will not work here because 2.3 bits

[63] used a probabilistic sampling technique to reduce the number of contacts that are input to the estimator (at the expense of estimation accuracy). Naturally, it also reduces the number of sources appearing in the input contacts. This technique can be equally applied to other estimators, such as those in [64] and the one proposed in this dissertation. When we say per-source state, we refer to the sources that appear in the contacts after sampling (if the sampling technique is used).


[65] maintains a record for each active connection and a connection counter for each source IP. Keeping per-flow state is too memory-intensive for a high-speed router, particularly when the fast memory allocated to the function of spread estimation is small.

The One-Level/Two-Level Algorithms [63] maintain two hash tables. One stores all distinct contacts that occurred during the measurement period, including the source and destination addresses of each contact. The other hash table stores the source addresses and a contact counter for each source address. A probabilistic sampling technique is used to reduce the number of contacts to be stored. However, instead of storing the actual source/destination addresses of each sampled contact, one can use bitmaps [64] to save space. Each source is assigned a bitmap in which a bit is set for each destination that the source contacts. One can estimate the number of contacts stored in a bitmap based on the number of bits set [64]. An index structure is needed to map a source to its bitmap. It is typically a hash table where each entry stores a source address and a pointer to the corresponding bitmap. However, such a spread estimator cannot fit in a tight space where only a few bits are available for each source, which is not enough for a bitmap to work appropriately.


The information stored for one source in a column is noise for the other sources assigned to the same column. One must remove the noise in order to estimate the spread correctly. To solve this problem, OSM (Online Streaming Module) [62] assigns each source randomly to $l$ (typically three) columns through $l$ hash functions, and it sets one bit in each column when storing a contact. A source will share each of its columns with a different set of other sources. Consequently, the noise (i.e., the bits set by other sources) in each column will be different. Based on such differences, a method was developed to remove the noise and estimate the spread of the source [62].

OSM also has problems. Not only does it increase the overhead by performing $l + 1$ hash operations, making $l$ memory accesses and using $l$ bits for storing each contact, but the noise can be too much to be removed in a compact memory space where a significant fraction of all bits (e.g., above 50%) are set. The columns that high-spread sources are assigned to have mostly ones; they are called dense columns, and they present a high level of noise for other sources.


4.5

Also related is the detection of stealthy spreaders using online outdegree histograms in [66], which detects the event of a collaborative address scan by a large number of sources, each scanning at a low rate. It is able to estimate the number of participating sources and the average scanning rate, but it cannot perform the task of estimating the spread of each individual source in the arriving packets.

Our solution is to create a virtual bit vector for each source by taking bits uniformly at random from a common pool of available bits. In the previous estimators, two bitmaps do not share any bit. Two sources either do not cause noise to each other, or cause severe noise when they share a common bitmap, since they then share all bits in the bitmap. Each source experiences a different level of noise that cannot be predicted. In our estimator, two virtual vectors may share one or more (which is very unlikely) common bits. While each source has its own virtual vector to store its contacts, noise still occurs through the common bits between two vectors. However, there is a very nice property: because the bits


CSE uses a bit array $B$ of size $m$, which is initialized to zeros at the beginning of each measurement period. The $i$th bit in the array is denoted as $B[i]$. We define a virtual vector $X(src)$ of size $s$ for each source address $src$, where $s \ll m$. It consists of $s$ bits pseudo-randomly selected from $B$.

(4-1)

where $H_i$, $0 \le i \le s-1$, are different hash functions whose range is $[0..m-1]$. They can be generated from a single master hash function $H_M$.

(4-2)

where $R$ is an array of $s$ different random numbers and $\oplus$ is the XOR operator.

When a contact $(src, dst)$ is received, CSE sets one bit in $B$, and the location of the bit is determined by both $src$ and $dst$. More specifically, the source address $src$ is used to identify a virtual vector $X(src)$, and the destination address $dst$ is used to determine a bit location $i$ in the virtual vector.


By equations 4-2 and 4-3, we know that the $i$th bit in vector $X(src)$ is at the following physical location in $B$:

$H_i(src) = H_M(src \oplus R[i]) = H_M(src \oplus R[H_M(dst) \bmod s])$

Hence, to store the contact $(src, dst)$, CSE performs the following assignment:

We stress that setting one bit by equation 4-4 is the only thing that CSE does when storing a contact. It takes two hash operations and one memory access. The source's virtual vector, as defined in equation 4-1, is never explicitly computed until the spread estimation is performed on an offline machine (to be described shortly). The bit, which is physically at location $H_M(src \oplus R[H_M(dst) \bmod s])$ in $B$, is logically considered as the bit at location $(H_M(dst) \bmod s)$ in the virtual vector $X(src)$. Note that duplicate contacts are automatically filtered because they set the same bit and hence have no impact on the information stored in $B$. Multiple different contacts may set the same physical bit. This is accounted for in the probabilistic analysis when we derive the spread estimation formula.

$\hat{k} = s \ln(V_m) - s \ln(V_s)$ (4-5)

where $V_m$ is the fraction of bits in $B$ whose values are zero and $V_s$ is the fraction of bits in $X(src)$ whose values are zero. The values of $V_m$ and $V_s$ can be easily found by counting zeros in $B$ and $X(src)$, respectively. The first term, $s \ln(V_m)$, accounts for the noise, which is uniformly distributed in $B$ and thus does not change across sources. The second
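The storage rule and the estimator (4-5) above, as an added, self-contained reimplementation that is not the dissertation's code. The master hash $H_M$ is instantiated with BLAKE2b reduced modulo $m$ (an assumption; any hash with range $[0..m-1]$ serves), $R$ is drawn from a seeded generator, and the workload is constructed: one source with $k = 300$ distinct destinations stored twice (to show that duplicates change nothing) plus 50,000 contacts from random other sources that share the same array $B$ and therefore inject noise. The estimator recovers $k$ from the zero fractions $V_m$ and $V_s$ alone, and returns `None` when a virtual vector is completely filled, the case in which (4-5) is undefined.

```python
"""Compact spread estimator with virtual vectors (added example)."""
import hashlib
import math
import random


class CSE:
    def __init__(self, m, s, seed=1):
        self.m, self.s = m, s
        self.B = bytearray(m)                     # one byte per bit here; a router uses m bits
        rng = random.Random(seed)
        self.R = rng.sample(range(1 << 32), s)    # s different random numbers (eq. 4-2)

    def hm(self, x):
        """Master hash H_M: 32-bit integer -> [0, m-1] (BLAKE2b is an assumption)."""
        digest = hashlib.blake2b(x.to_bytes(4, "big"), digest_size=8).digest()
        return int.from_bytes(digest, "big") % self.m

    def store(self, src, dst):
        """Store contact (src, dst): two hash operations, one memory write."""
        i = self.hm(dst) % self.s                 # logical position in X(src)  (eq. 4-3)
        self.B[self.hm(src ^ self.R[i])] = 1      # physical position H_i(src)  (eq. 4-2)

    def bits_set(self):
        return sum(self.B)

    def estimate(self, src):
        """k_hat = s ln(V_m) - s ln(V_s) (eq. 4-5); None if X(src) or B has no zero bit."""
        zeros_m = self.m - self.bits_set()
        zeros_s = sum(1 for i in range(self.s)
                      if self.B[self.hm(src ^ self.R[i])] == 0)
        if zeros_m == 0 or zeros_s == 0:
            return None                           # vector saturated: estimator undefined
        v_m, v_s = zeros_m / self.m, zeros_s / self.s
        return self.s * math.log(v_m) - self.s * math.log(v_s)


def demo(m=1 << 18, s=400, k=300, noise_contacts=50_000, seed=7):
    """Constructed workload: one target source with k distinct destinations,
    stored twice, plus noise contacts from random other sources."""
    rng = random.Random(seed)
    cse = CSE(m, s)
    target, idle = 0x0A000001, 0x0A000002        # constructed source addresses
    for dst in range(k):
        cse.store(target, 0xC0A80000 + dst)
    set_once = cse.bits_set()
    for dst in range(k):                          # duplicates set the same bits
        cse.store(target, 0xC0A80000 + dst)
    assert cse.bits_set() == set_once
    for _ in range(noise_contacts):               # other sources sharing B
        cse.store(rng.getrandbits(32), rng.getrandbits(32))
    return {
        "true_k": k,
        "k_hat": cse.estimate(target),            # should be close to k
        "idle_k_hat": cse.estimate(idle),         # source that sent nothing: close to 0
        "fill": cse.bits_set() / m,               # fraction of B that is set
    }


if __name__ == "__main__":
    print(demo())
```

With these parameters the noise term $-s \ln(V_m)$ is about $sn/m \approx 77$ contacts and is subtracted out; the residual error comes almost entirely from $\hat{k}_2$, whose standard deviation here is roughly 18, consistent with the variance analysis that follows.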


We expect that queries are performed after $B$ is copied from the router's high-speed memory to an offline computer, in order to avoid interfering with the online operations. Below we derive equation 4-5 mathematically. Its accuracy and variance will be analyzed in the next section.

Some additional notation is given as follows. Let $n$ be the number of distinct contacts from all sources during the measurement period, $U_m$ the random variable for the number of `0' bits in $B$, and $U_s$ the random variable for the number of `0' bits in the virtual vector $X(src)$. Clearly, $V_m = U_m/m$ and $V_s = U_s/s$.

Let $A_j$ be the event that the $j$th bit in $X(src)$ remains `0' at the end of the measurement period and $1_{A_j}$ the corresponding indicator random variable. We first derive the probability for $A_j$ to occur and the expected value of $U_s$. For an arbitrary bit in $X(src)$, each of the $k$ contacts made by $src$ has a probability of $1/s$ of setting it, and each of the other $n - k$ contacts has a probability of $1/m$:

$P(A_j) = \left(1 - \frac{1}{s}\right)^k \left(1 - \frac{1}{m}\right)^{n-k}$ (4-6)

Since $U_s$ is the number of `0' bits in the virtual vector, $U_s = \sum_{j=0}^{s-1} 1_{A_j}$. Hence,

$E(V_s) = \left(1 - \frac{1}{s}\right)^k \left(1 - \frac{1}{m}\right)^{n-k} \approx e^{-\frac{n-k}{m}} e^{-\frac{k}{s}}$ as $(n-k), m, k, s \to \infty$, $\approx e^{-\frac{n}{m} - \frac{k}{s}}$ as $k \ll m$ (4-7)


$k \approx -\frac{sn}{m} - s \ln(E(V_s))$ (4-8)

Since the bits in any virtual vector are selected from $B$ uniformly at random, the process of storing $n$ contacts in the virtual vectors is to set $n$ bits randomly selected (with replacement) from a pool of $m$ bits. The mathematical relation between $n$ and $m$ has been given in [67] (in a database context) as follows:

$n \approx -m \ln(E(V_m))$ (4-9)

where $E(V_m) = \left(1 - \frac{1}{m}\right)^n \approx e^{-n/m}$. Hence, equation 4-8 can be written as

$k \approx s \ln(E(V_m)) - s \ln(E(V_s))$ (4-11)

We have made a few approximation steps above. In practice, $n$ and $m$ are likely to be very large numbers, the spread values $k$ that are of interest are likely to be large, and $s$ will be chosen large. The approximation error accumulated in equation 4-11 can be measured as $|s \ln(E(V_m)) - s \ln(E(V_s)) - k|$ 4-1, the error is only 0.25% when $s$ is 200.

Let $k_1 = -s \ln(E(V_m))$ and $k_2 = -s \ln(E(V_s))$. Eq. (4-11) is rewritten as $k = k_2 - k_1$.

$\hat{k}_1 = -s \ln(V_m)$ (4-12)


$\hat{k} = \hat{k}_2 - \hat{k}_1$ (4-14)

According to Theorem A4 in [67], $\hat{k}_1$ is the maximum likelihood estimator (MLE) of $k_1$. Following a similar analysis, it is straightforward to see that $\hat{k}_2$ and $\hat{k}$ are the maximum likelihood estimators of $k_2$ and $k$, respectively. $\hat{k}_1$ is the noise, i.e., the estimated number of contacts made by other sources but inserted into $X(src)$ due to bit sharing between virtual vectors, and $\hat{k}_2$ estimates the total number of contacts stored in $X(src)$, including the noise.

The sampling module is used to handle the mismatch between the line speed and the processing speed of CSE-SC. In case CSE-SC cannot keep up with the line speed, the source/destination addresses of each arriving packet are hashed into a number in the range $[0, N)$. Only if the number is greater than a threshold $T$ (

For CSE-SC to work, $m$ and $s$ should be chosen large enough that the noise introduced by other sources does not set all (or most) bits in a virtual vector. Hence, it is unlikely that the address of a high-spread source will not be stored in SSA. For example, even when only 10% of the bits in a virtual vector are not set by noise, for a source making 100 distinct contacts, the probability that none of its contacts is mapped to those 10% of the bits is merely $(1 - 10\%)^{100} = 2.65 \times 10^{-5}$.

[67] uses $\hat{n} = -m \ln V_m$ to estimate the value of $n$ and gives the following results:

$E(\hat{n}) = E(-m \ln V_m) \approx n + \frac{e^{n/m} - n/m - 1}{2}$

$Var(\hat{n}) = Var(-m \ln V_m) \approx m\left(e^{n/m} - \frac{n}{m} - 1\right)$

Since $\hat{k}_1 = -s \ln(V_m)$, we have

$E(\hat{k}_1) \approx \frac{s}{m}\left(n + \frac{e^{n/m} - n/m - 1}{2}\right)$ (4-15)

$Var(\hat{k}_1) \approx \frac{s^2}{m}\left(e^{n/m} - \frac{n}{m} - 1\right)$ (4-16)


If $e^{n/m} - n/m - 1$ is negligible when compared with $n$, then $E(\hat{k}_1) \approx \frac{sn}{m}$, which is indeed the average noise that a virtual vector of size $s$ receives when all $n$ contacts are evenly distributed across the space of $m$ bits. When $m$ is large, the standard deviation, which is the square root of $Var(\hat{k}_1)$, is insignificant when compared with the mean.

Next we study $\hat{k}_2$. Let $\omega = \frac{n}{m} + \frac{k}{s}$. Equation 4-7 can be rewritten as $E(V_s) \approx e^{-\omega}$.

We derive $Var(V_s)$, and it is


$Var(V_s) \approx \frac{1}{s}\left(e^{-\omega} - \left(1 + \frac{k}{s}\right) e^{-2\omega}\right)$ (4-18)

By equation 4-13, $\hat{k}_2$ is a function of $V_s$. We expand the right-hand side of equation 4-13 by its Taylor series about $q = E(V_s) \approx e^{-\omega}$:

$\hat{k}_2(V_s) = s\left(\omega - \frac{V_s - q}{q} + \frac{(V_s - q)^2}{2q^2} - \cdots\right)$ (4-19)

Since $q = E(V_s)$, the mean of the second term in equation 4-19 is 0. Therefore, we keep the first three terms when computing the approximate value of $E(\hat{k}_2)$: $E(\hat{k}_2) \approx s\left(\omega + \frac{1}{2q^2} E((V_s - q)^2)\right)$, where $E((V_s - q)^2) = Var(V_s)$ by definition. Applying equation 4-18, we have

$E(\hat{k}_2) \approx s\left(\omega + \frac{e^{\omega} - 1 - k/s}{2s}\right)$ (4-20)

If $s$ is large enough that $\frac{e^{\omega} - 1 - k/s}{2s}$ is negligible, $E(\hat{k}_2) \approx s\omega = \frac{sn}{m} + k$. Recall that $E(\hat{k}_1) \approx \frac{sn}{m}$. Hence, $E(\hat{k}) = E(\hat{k}_2) - E(\hat{k}_1) \approx k$. In the next subsection, we characterize more precisely the mean of $\hat{k}$ and how much it deviates from the true value of $k$.


(4-19).

$Var(\hat{k}_2) \approx s^2 \, Var\left(\frac{V_s - q}{q}\right) = s\left(e^{\omega} - \frac{k}{s} - 1\right)$ (4-21)

The combined impact of $Var(\hat{k}_1)$ and $Var(\hat{k}_2)$ on the variance of $\hat{k}$ will be studied next.

$E(\hat{k}) = E(\hat{k}_2) - E(\hat{k}_1) \approx s\omega + \frac{e^{\omega} - 1 - k/s}{2} - \frac{s}{m}\left(n + \frac{e^{n/m} - n/m - 1}{2}\right)$ (4-22)

The estimation bias is

$E(\hat{k}) - k \approx \frac{e^{\omega} - 1 - k/s}{2} - \frac{s\left(e^{n/m} - n/m - 1\right)}{2m}$ (4-23)

As an example, for $n = 10{,}000{,}000$, $m = 2$ MB, and $s = 400$, 600 or 800, the bias with respect to $k$ is shown in Table 4-1. It is very small when compared with the true spread $k$.

The variance of $\hat{k}$ is

$Var(\hat{k}) = Var(\hat{k}_1) + Var(\hat{k}_2) - 2\,Cov(\hat{k}_1, \hat{k}_2) = Var(\hat{k}_1) + Var(\hat{k}_2) + 2\left[E(\hat{k}_1)E(\hat{k}_2) - E(\hat{k}_1 \hat{k}_2)\right]$


$p \approx e^{-n/m}$ and $q \approx e^{-\omega}$, respectively. Expanding both logarithms by their Taylor series about $p$ and $q$ as in (4-19),

$E(\hat{k}_1 \hat{k}_2) = s^2 E\left((-\ln V_m)(-\ln V_s)\right) = s^2 E\left[\left(\frac{n}{m} - \frac{V_m - p}{p} + \frac{(V_m - p)^2}{2p^2} - \cdots\right)\left(\omega - \frac{V_s - q}{q} + \frac{(V_s - q)^2}{2q^2} - \cdots\right)\right]$

$\approx s^2\left[\frac{n}{m}\,\omega + \frac{n}{m} \cdot \frac{e^{\omega} - 1 - k/s}{2s} + \omega \cdot \frac{e^{n/m} - n/m - 1}{2m}\right]$ (4-24)

(4-25)

By 4-15, 4-16, 4-20, 4-21, 4-24 and 4-25, we can obtain the closed-form approximation of $Var(\hat{k})$, which we omit. The standard deviation, divided by $k$ to show the relative value, is

$\frac{\sqrt{Var(\hat{k})}}{k}$ (4-26)

We have made a number of approximations, in particular the truncation of less significant terms in the Taylor series when deriving $Var(\hat{k}_1)$, $Var(\hat{k}_2)$, $E(\hat{k}_1)$, $E(\hat{k}_2)$ and $E(\hat{k}_1 \hat{k}_2)$. The standard deviation embodies all those approximations. In Section 4.5, Figs. 4-3 to 4-6, we show the numerical values of the standard deviation calculated from equation 4-26 and compare them with the values measured from the experiments. The result demonstrates that the analytical approximations introduce only minor error when the source spread is not too small.


[63, 64] will not work here, as we have explained in Section 4.2. The only related work that can still be implemented in such a small memory is OSM (Online Streaming Module) [62]; however, as the experimental results will demonstrate, it does not work well. Hence, CSE is valuable in the sense that it substantially extends the low end of the memory requirement for the function of spread estimation in practice.

It should be noted that CSE makes two hash operations and one memory access for storing each contact, whereas OSM makes $l + 1$ hash operations and $l$ memory accesses, where $l$ is typically three. While CSE's efficient online operations are clearly advantageous for high-speed routers, our evaluation will focus on the area that is less quantified so far: the accuracy of spread estimation.

In our experiments, the source of a contact is the IP address of the packet sender, and the destination is the IP address of the receiver. The traffic trace on April 1 has 3,558,510 distinct source IP addresses, 56,234 distinct destination addresses, and 10,048,129 distinct contacts. The average spread per source is 2.84; namely, each source makes 2.84 distinct contacts on average. Fig. 4-2 shows the number of sources at each spread value in log scale. The number of sources decreases exponentially as the spread value increases from 1 to around 500. After that, there are zero, one or a few sources for each spread value.

We always allocate the same amount of memory to CSE and OSM for a fair comparison. In each experiment, we feed the contacts extracted from the traffic trace to CSE or OSM, which stores the contact information in its data structure (located in SRAM or high-speed


Section 4.3.4). After all contacts are processed, we use CSE or OSM to estimate the spread of each recorded source (which in practice should be performed on an offline computer, such as the network management center).

(4-26) at $k = 250$, which is the middle point of the range (0..500) in which the spreads of most sources fall (Fig. 4-2).

OSM also has two configurable parameters: the memory size $m$ and the column size (the number of rows in the bit matrix). The original paper does not provide a means to determine the best column size, but it suggests that 64 bits is typical. We tried many other sizes, and the performance of OSM under different column sizes will be presented shortly. After comparison, we chose the column size to be 128, which we believe is better than or comparable with other sizes for our experiments.

Figs. 4-3 to 4-6 present the experimental results when the memory allocated is 0.5 MB, 1 MB, 2 MB and 4 MB, respectively. Each figure has four plots from left to right. Each point in the first plot (CSE) or the second plot (OSM) represents a source, whose x coordinate is the true spread $k$ and whose y coordinate is the estimated spread $\hat{k}$. The line $\hat{k} = k$ is also shown. The closer a point is to the line, the more accurate the spread estimation is. To make the figure legible, when there are too many sources having a certain spread $k$, we randomly pick five to show in the first two plots. The third and fourth plots present the bias, $E(\hat{k} - k)$, and the standard deviation, $\sqrt{Var(\hat{k})}$


Section 4.4, we also show the standard deviation numerically calculated from (4-26) and (4-24) as the curve titled "CSE std cal" in the fourth plot. We have the following experimental results.

"CSE std cal", matches well with the experimentally measured value, which is the curve titled "CSE std dev". It shows that the approximations made in the analysis do not introduce significant error.

Figure 4-7 presents the bias and the standard deviation of CSE. The experimental results

Fig. 4-5, the $s$ value which minimizes the standard deviation at $k = 250$, as calculated from (4-26), is 286.

Fig. 4-8 presents the bias and the standard deviation of OSM. None of the r values makes OSM a non-biased estimator. When r is too large (such as 512), both bias and standard deviation are large. When r is too small (such as 64), its estimated spread does not go beyond 267, as shown in the left plot of Fig. 4-9. Comparing r = 256 and r = 128, the former leads to a much larger standard deviation, as shown in the right plot of Fig. 4-8. The impact of the larger deviation can also be seen by comparing the right plot of Fig. 4-9 where r = 256 and the second plot in Fig. 4-4 where r = 128.

Table 4-2. Clearly, CSE outperforms OSM by a wide margin when we take both FPR and FNR into consideration. The FNR is zero for OSM when m = 0.5MB. That is because OSM is a biased estimator in such a small memory. Its FPR is 66.2%

Table 4-3, and those for ε = 20% are shown in Table 4-4, where the FPR and FNR for CSE are merely 0.1% and 0.6% respectively when m = 1MB.

The approximation error is very small when s is reasonably large.

Table 4-1. Bias with respect to s and k

           k=100  200   300   400   500   600   700   800
  s=400    0.54   0.77  1.05  1.47  2.04  2.82  3.85  5.21
  s=600    0.49   0.60  0.75  0.93  1.17  1.47  1.83  2.28
  s=800    0.47   0.54  0.63  0.75  0.88  1.05  1.24  1.47

Figure 4-2. Traffic distribution: each point shows the number of sources having a certain spread value.

(4-26) and (4-24).

Figure 4-4. See Figure 4-3 for explanation.

Figure 4-5. See Figure 4-3 for explanation.

Figure 4-6. See Figure 4-3 for explanation.

Figure 4-7. Left plot shows the bias of CSE, which is the measured $E(\hat{k} - k)$ with respect to k. Right plot shows the standard deviation of CSE, which is the measured $\sqrt{Var(\hat{k})}$.

Figure 4-8. Left plot shows the bias of OSM, which is the measured $E(\hat{k} - k)$ with respect to k. Right plot shows the standard deviation of OSM, which is the measured $\sqrt{Var(\hat{k})}$.

Figure 4-9. Left plot shows the distribution of $(k, \hat{k})$ for all sources under OSM when r = 64, where k and $\hat{k}$ are the true spread and the estimated spread, respectively. Right plot shows the distribution of $(k, \hat{k})$ under OSM when r = 256.

Table 4-2. False positive ratio and false negative ratio with respect to memory size.

             OSM              CSE
  m (MB)     FPR     FNR      FPR     FNR
  0.5        0.662   0.000    0.164   0.123
  1          0.424   0.008    0.097   0.094
  2          0.116   0.236    0.073   0.056
  4          0.108   0.115    0.053   0.062

Table 4-3. With ε = 10%, false positive ratio and false negative ratio with respect to memory size.

             OSM              CSE
  m (MB)     FPR     FNR      FPR     FNR
  0.5        0.532   0.000    0.077   0.057
  1          0.251   0.006    0.031   0.027
  2          0.041   0.193    0.005   0.014
  4          0.023   0.064    0.001   0.002

Table 4-4. With ε = 20%, false positive ratio and false negative ratio with respect to memory size.

             OSM              CSE
  m (MB)     FPR     FNR      FPR     FNR
  0.5        0.401   0.000    0.023   0.022
  1          0.135   0.002    0.001   0.006
  2          0.013   0.146    0.000   0.002
  4          0.006   0.030    0.000   0.000

Detecting spreaders can help an intrusion detection system identify potential attackers. The existing work can only detect aggressive spreaders that scan a large number of distinct addresses in a short period of time. However, stealthy spreaders may perform scanning deliberately at a low rate. We observe that these spreaders can easily evade detection because their small traffic footprint will be covered by the large amount of background normal traffic that frequently flushes any spreader information out of the intrusion detection system's memory. We propose a new streaming scheme to detect stealthy spreaders that are invisible to the current systems. The new scheme stores information about normal traffic within a limited portion of the allocated memory, so that it will not interfere with spreaders' information stored elsewhere in the memory. The proposed scheme is lightweight; it can detect invisible spreaders in high-speed networks while residing in SRAM. Through experiments using real Internet traffic traces, we demonstrate that our new scheme detects invisible spreaders efficiently while keeping both false positives (normal sources misclassified as spreaders) and false negatives (spreaders misclassified as normal sources) at a low level.

[68]. These logs can be low-level packet traces generated from routers or high-level audit records from network/host intrusion detection systems. In high-speed networks, such logs can come in large volume. To process them in real time, a fast and lightweight streaming algorithm is required, which should be able to work with limited memory and continuously process incoming logs.

This chapter studies the problem of detecting spreaders based on incoming logs that are tuples of source/destination addresses. We call an external source address a spreader if it connects to more than a threshold number of distinct internal destination addresses

The reason for detecting spreaders is that attackers often begin with a reconnaissance phase of finding vulnerable systems before launching the actual attack. Suppose an attacker knows how to compromise a specific type of web server. Its first step is to locate such web servers on the Internet. The attacker may probe TCP port 80 on all addresses in a target network by using Nmap. To obtain more specific information, they may run an application-level vulnerability scanner such as Nessus or Paros. An intrusion detection system can inspect the incoming traffic and catch the reconnaissance packets, from which the spreaders are identified as potential attackers that demand extra attention.

It is not possible for a network security administrator to manually analyze the huge volume of logs produced by routers and intrusion detection systems in order to find spreaders. An automatic log-analyzing system is required. In fact, some intrusion detection systems have already implemented functions for identifying spreaders. For example, Snort [65] keeps track of the distinct destinations each source contacts in a recent period, and the length of the period is constrained by the amount of memory allocated to this function. The problem is that the existing systems are designed to catch "elephants", aggressive spreaders whose cardinalities are so large that they easily stand out from the background of normal traffic. In response, a wily attacker will slow down the rate of its reconnaissance packets and let the normal traffic dilute the footprint of its activity. In the Snort case, the past records must be deleted to free memory once the allocated space is filled up by logs. If the attacker contacts a less-than-threshold number of destinations in each period during which logs of normal traffic fill up the allocated space, it will stay undetected.

We note that even state-of-the-art intrusion detection systems cannot detect stealthy spreaders if they send their packets at a low rate. These spreaders are called invisible

To design our new real-time detector for invisible spreaders, we observe (based on real Internet traffic traces) that normal traffic has strong skewness, especially in an enterprise (or university campus) network. In particular, most inbound traffic is headed to a small number of servers for web, DNS, email, and business application services. Utilizing such skewness, we propose a new spreader detection scheme that is able to largely segregate the space used to store normal-traffic logs from the space used to store logs of potential spreaders. Due to such segregation, a large volume of normal-traffic logs will not cause the logs of spreaders to be flushed out of the memory. Furthermore, with a compact two-dimensional bit array based on Bloom filters, the new scheme can store a much larger amount of information about the spreaders, allowing previously invisible spreaders to be detected. We perform experiments based on real Internet traffic traces, and the results show that the proposed scheme is able to detect spreaders that are invisible to the existing detection systems and, in the meantime, keep both false positives (normal sources misclassified as spreader sources) and false negatives (spreader sources misclassified as normal sources) at a low level.

[62]).

Our invisible-spreader detection filter (ISD) uses an $n \times m$ bit array as its main data structure, which is initialized to be all zeros. Each bit $B(x, y)$ in the array is referenced by a row index x and a column index y. Bits will be set to one to record the incoming connections made from external sources to internal destinations. A row is empty (or non-empty) if it has zero bits (or at least one bit) set to one. There is a row counter $c(x)$ for each row x, storing the number of bits in the row that are set to one. The fullness ratio R of the filter is defined as $\sum_x c(x)$ over the total number of bits, i.e., the ratio of one-bits in the array.

Next we describe the operations of ISD. When receiving an input source/destination tuple (a, b), the filter computes k row indexes, $x_1 = h_1(a), \ldots, x_k = h_k(a)$, and one column index, $y = h_{k+1}(b)$, where $h_1, \ldots, h_k$ are hash functions whose ranges are $[0..n-1]$ and $h_{k+1}$ is a hash function whose range is $[0..m-1]$. The filter sets k bits, $B(x_1, y), \ldots, B(x_k, y)$, to one. Note that each column is actually a Bloom filter [69][70]. The column index y selects a Bloom filter and the row indices specify the bits that together represent the tuple (a, b).

For each $i \in [1..k]$, if $B(x_i, y)$ was set from zero to one, the filter increases the row counter $c(x_i)$ by one. Rows indexed by $x_1$ through $x_k$ are called the representative rows of source a in the filter. Bits $B(x_1, y)$ through $B(x_k, y)$ are called the representative bits

1. For the jth column, let $I_j$ be one if $B(x_i, j) = 1$ for all the representative rows of a. Otherwise, $I_j = 0$. We define $a_r = \sum_{j=0}^{m-1} I_j$.

2. The spread of a, denoted as $\hat{a}_c$, can be estimated based on the following formula given in [71].

$\hat{a}_c = m \ln\left(\frac{m}{m - a_r}\right)$ (5-1)

3. If $\hat{a}_c$ is above the threshold, we consider source a to be a spreader.

Our column index, $y = h_{k+1}(b)$, is different from [62], which uses $y = h_{k+1}(a|b)$. This subtle yet critical difference helps ISD minimize the diluting effect of normal traffic over the small traffic footprint of invisible spreaders. Suppose a destination address b represents a busy web server in an enterprise network, and millions of client users connect to b. If $y = h_{k+1}(a|b)$ is used, these clients will fill up the whole bit array with ones since the source address a randomizes the column index y. To the contrary, only one column of the bit array will be set to ones if $y = h_{k+1}(b)$ is used. Our Internet trace shows that the vast majority of normal traffic is directed to a small number of servers. Our scheme concentrates such normal traffic into a small number of columns in the bit array, leaving the rest of the array for detecting spreaders. Hash collisions may cause false positives. By tuning the system parameters, we can control the level of false positives, as well as the level of false negatives.
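As an added illustration (not code from the dissertation), the following Python sketch implements the ISD operations and the estimator (5-1) above, with the $a|b$ column hashing that the text attributes to [62] available as a switch. The salted hash, the sizes n = 256, m = 512, k = 3, and the constructed trace of 20,000 clients behind one busy server plus one slow 200-destination scanner are assumptions; OSM's decoding and reset logic is not modelled.

```python
import hashlib
import math


def h(salt: int, value: str, modulus: int) -> int:
    """Salted hash standing in for h_1..h_{k+1} (an assumption; any good hash works)."""
    digest = hashlib.blake2b(f"{salt}:{value}".encode(), digest_size=8).digest()
    return int.from_bytes(digest, "big") % modulus


class ISD:
    """n x m bit array B(x, y) with per-row counters c(x), as described in the text."""

    def __init__(self, n: int, m: int, k: int, column_by_dest: bool = True):
        self.n, self.m, self.k = n, m, k
        self.B = [bytearray(m) for _ in range(n)]  # all zeros initially
        self.c = [0] * n                            # c(x): number of one-bits in row x
        # True: y = h_{k+1}(b) (ISD). False: y = h_{k+1}(a|b), the choice attributed to [62].
        self.column_by_dest = column_by_dest

    def rows(self, a: str) -> list:
        # representative rows x_1 = h_1(a), ..., x_k = h_k(a), each in [0..n-1]
        return [h(i, a, self.n) for i in range(1, self.k + 1)]

    def column(self, a: str, b: str) -> int:
        key = b if self.column_by_dest else f"{a}|{b}"
        return h(self.k + 1, key, self.m)           # column index in [0..m-1]

    def insert(self, a: str, b: str) -> None:
        """Record the source/destination tuple (a, b): set the k representative bits."""
        y = self.column(a, b)
        for x in self.rows(a):
            if not self.B[x][y]:
                self.B[x][y] = 1
                self.c[x] += 1                      # counter grows only on a 0 -> 1 transition

    def fullness(self) -> float:
        """Fullness ratio R: fraction of one-bits in the array."""
        return sum(self.c) / (self.n * self.m)

    def estimate(self, a: str) -> float:
        """Estimated spread of source a via formula (5-1)."""
        xs = self.rows(a)
        # a_r = number of columns j with B(x_i, j) = 1 for every representative row x_i
        a_r = sum(1 for j in range(self.m) if all(self.B[x][j] for x in xs))
        if a_r >= self.m:
            return float("inf")                     # all columns saturated: spread unresolvable
        return self.m * math.log(self.m / (self.m - a_r))


def build_filter(column_by_dest: bool) -> ISD:
    """Constructed trace: 20,000 clients hitting one busy server plus one slow scanner."""
    f = ISD(n=256, m=512, k=3, column_by_dest=column_by_dest)
    for i in range(20_000):
        f.insert(f"client-{i}", "10.0.0.80")       # normal traffic to a single server (constructed)
    for j in range(200):
        f.insert("scanner", f"10.1.0.{j}")          # 200 distinct destinations (constructed)
    return f


def compare() -> dict:
    """Same trace under both column-index choices; returns fullness and estimates."""
    isd = build_filter(column_by_dest=True)
    alt = build_filter(column_by_dest=False)
    return {
        "isd_fullness": isd.fullness(),             # normal traffic confined to one column
        "alt_fullness": alt.fullness(),             # normal traffic spread over the whole array
        "isd_spreader": isd.estimate("scanner"),
        "alt_spreader": alt.estimate("scanner"),
        "isd_client": isd.estimate("client-7"),     # a normal client, a_r is just the server column
        "alt_client": alt.estimate("client-7"),     # inflated by collisions with other clients' ones
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key:>13}: {value:.3f}")
```

Under ISD the client traffic occupies a single column, so a normal client's estimate stays near one while the scanner's estimate tracks its 200 destinations; under $a|b$ hashing roughly a third of the array fills and the same client's estimate inflates by an order of magnitude.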

1) We first set the values of the parameter and m. According to the previous subsection, a spreader will be detected when the following condition is satisfied.

$1 - a_r$

Based on their definitions, we can approximate it as $a_r$. From (5-2), we have the following formula for setting the value of the parameter and m.

m:

Recall that the parameter is used to trigger the procedure for determining a possible spreader. When its value is set by the above formula, once triggered the procedure is likely to find a spreader.

The problem is that there are two undecided parameters in the formula. We observe that small m is desirable for ISD. This is because small m allows large n, which reduces hash collisions among row indices. Consequently, a large value of the parameter is preferable. However, if it is very close to one, ISD may suffer from hash collisions among column indices. In this dissertation, we choose it to be below 0.95, but it can be adjusted according to any specific application or deployment environment. Once it is chosen, m can be set based on (5-2). Alternatively, we may also set m first and then calculate the parameter from (5-2). For example, it is natural to choose m as a multiple of words, which makes it easy to fit the bit array in memory. For each m (= 32, 64, ...), we compute the parameter and choose the largest value below 0.95. Table 5-1 shows some examples of parameter configuration. It shows how the parameter and m are determined for thresholds from 100 to 900. After m is determined, n is calculated as M/m.

2) We now determine the value of the second parameter. First we examine how it affects the detection of spreaders. When it is too large, the bit array of ISD will be overly populated with ones, causing frequent hash collisions and resulting in false positives: a non-spreader is

Suppose ISD only receives normal traffic for a period of time and its bit array is mostly set by the normal traffic. Let Y be a random variable that represents $c(x)$ for row x in the bit array. The expectation and the variance of Y are given below. We omit the derivation process due to the page limit.

(5-5)

From $E(Y)$ and $V(Y)$, we can define a statistical upper bound for Y as follows:

(5-6)

where the statistical error will be small if the constant c is large. Eq. (5-6) means that there is a high probability that $c(x)$ is below $U(Y)$ if x is a representative row for only normal traffic. On the contrary, if x is a representative row for any spreader, $c(x)$ should be larger than $U(Y)$. Hence, based on the above equations, we can set the value of the second parameter as follows.

Table 5-1 shows the result of the proposed heuristic method to configure the two parameters and m when c = 10.

[62], which we call the online streaming module (OSM) as in the previous chapter. We compare their false positives and false negatives.

[62].

We use packet header traces gathered at the gateway routers of the University of Florida. The trace was collected for 24 hours and we take only the inbound sessions from the Internet. It contains 751,286 distinct source IP addresses, 120,916 distinct destination IP addresses and 2,427,327 distinct source/destination tuples. Note that we denote the source IP address of a packet as a and the destination IP address as b in our notation of packet (a, b). In this sense, the goal of the experiment is to find heavy spreaders of horizontal network scans [60].

Figure 5-1 (5-2) illustrates the traffic pattern with respect to source (destination) spread. The x-axis is the number of sources (destinations) whose spread lies between x and 2x−1. Each figure has two graphs of cumulative ratios for the number of distinct sources (destinations) and the number of distinct source/destination tuples. In Figure 5-1, we see that 86% of the total sources contact fewer than 4 distinct destinations and 99% of them contact fewer than 32 distinct destinations. Figure 5-1 shows that the number of source/destination tuples increases just as the number of sources does. Therefore, we cannot see a strong skewness in the figure. However, we can see a different pattern in Figure 5-2. The figure shows that only some of the destinations account for most of the source/destination tuples. For example, at x = 8, the accumulated number of destinations is above 97%, but their aggregated source/destination tuples are below 27%. It means that less than the top 3% of servers account for more than 73% of the total source/destination tuples. Exploiting this skewness, ISD has the edge over other intrusion detection systems.

(5-3) and (5-7)

For comparison, we also implemented OSM [62]. For a fair comparison, both bit tables of OSM and ISD have the same memory size M. To optimize OSM, the maximum ratio of one-bits for OSM is set to a separate parameter, which is different from that of ISD. Through the experiments, we observe that OSM degrades if it is set too large or too small. Its default value is 0.4. Once the ratio of one-bits is above it, the decoding process runs and OSM restarts in a clean state.

For each experiment, we compare the false negative (positive) sets of OSM and ISD. We use $FN_O$ ($FN_R$) to denote the false negative set of OSM (ISD). Similarly, we use $FP_O$ ($FP_R$) to denote the false positive sets. Let RS be the set of real spreaders, which has 95 sources (75 spreaders from the original traffic trace and 20 artificial scan sources). Let $D_O$ ($D_R$) be the set of sources detected by OSM (ISD). We define $FN_O$, $FN_R$, $FP_O$ and $FP_R$ as follows: $FN_O = RS - D_O$, $FN_R = RS - D_R$, $FP_O = D_O - RS$, $FP_R = D_R - RS$.

Figures 5-3 to 5-6 compare the numbers of false negatives (positives) between ISD and OSM. The x-axis of each figure is the number of normal source/destination tuples between two slow scan packets. A large value implies that the attacker further slows

In Figure 5-3, we have four curves. OSM (total) is the number of false negatives of OSM, so it equals $|FN_O|$ with the scan interval from 128 to 16,384. OSM (slow scans) is the number of false negatives, but we only count the artificial slow scan sources that are not detected. Therefore, its maximum value is 20 as we have 20 artificial slow scan sources. The same notations are used for ISD, such as ISD (total) and ISD (slow scans). Note that ISD (total) plots $|FN_R|$.

Figure 5-3 shows that ISD catches most spreaders until the scan interval becomes 4,096. Even at 16,384, ISD catches 17 artificial spreaders out of 20. To the contrary, OSM misses many more spreaders than ISD. Even at 128, it misses 7 non-artificial spreaders. It starts missing artificial scan sources at 256. At m = 8,192, OSM cannot detect any slow scan sources while ISD detects 16 out of 20. Note that we trade false positives for false negatives when designing ISD, but false positives should be controlled by setting the parameter tight. Figure 5-4 shows it. Even at 16,384, ISD only triggers 9 false positives. Considering that the number of source/destination tuples is above two million, these false positives may be accepted in most applications.

We repeat the same experiment with different n. Figures 5-5 and 5-6 show the result with n = 32,768, which means M = 1MB. In this experiment, ISD does not miss any spreaders including slow scan sources, except one at 16,384. Note that both ISD (total) and ISD (slow scans) remain zero until 8,192. To the contrary, OSM still misses some spreaders as shown in the figure. It cannot detect 8 out of 20 slow scan sources at 16,384 even though the memory size has quadrupled. It is encouraging that ISD accomplishes better detection accuracy even when M is as small as 256KB. Figure 5-6 shows that ISD triggers only a small number of false positives.

Table 5-1. Parameter configuration examples (c = 10)

  threshold   200    300    400    500    600    700    800    900
              0.790  0.904  0.790  0.858  0.904  0.935  0.790  0.828
  m           128    128    256    256    256    256    512    512
              0.365  0.463  0.478  0.547  0.598  0.634  0.571  0.612

Figure 5-1. Cumulative ratios of the numbers of distinct sources and distinct source/destination tuples with respect to source spread

Figure 5-2. Cumulative ratios of the numbers of distinct destinations and distinct source/destination tuples with respect to destination spread

Figure 5-3. Number of false negatives when M = 256KB

Figure 5-4. Number of false positives when M = 256KB

Figure 5-5. Number of false negatives when M = 1MB

Figure 5-6. Number of false positives when M = 1MB

This dissertation discusses several novel techniques that secure computer networks.

First, we study the firewall placement problem and its variations. The problem is to place the firewalls in a network topology and find the routing structure such that the maximum size of the firewall rule sets in the network is minimized. We prove the problem is NP-complete and propose a heuristic algorithm, called HAF, to solve the problem approximately. The algorithm can also be used to solve the firewall routing problem as well as weighted firewall placement/routing problems.

Second, we propose a novel path address scheme (PAS) to address the source-address spoofing problem on the Internet. With a completely new design, PAS avoids the performance problems of the best-known scheme, Pi. We discuss how to construct addresses for paths, how to verify if path addresses are authentic, how to store path addresses in the IPv4 header, how to protect PAS against eavesdropping, and how to deal with router compromise. Our analysis and simulations demonstrate that PAS can simultaneously keep the false-positive ratio and the false-negative ratio at almost zero. The path address scheme may potentially be used for other network applications. Examples include packet classification and service differentiation based on path addresses.

Third, we study the problems of spreader detection and spread estimation. The proposed spreader detection scheme detects invisible spreaders and mitigates the negative effects of normal traffic. Our spread estimator not only achieves space compactness but also operates more efficiently than the existing work. Our main technical contributions include a novel data structure based on virtual vectors, its operation protocol, and the corresponding formula for spread estimation, which is statistically analyzed and experimentally verified.

[1] A. Rubin, D. Geer, and M. Ranum, "Web Security Sourcebook," Wiley Computer Publishing, 1997.
[2] J. Wack, K. Cutler, and J. Pole, "Guidelines on Firewalls and Firewall Policy," National Institute of Standards and Technology, January 2002.
[3] K. N. Y. Bartal, A. Mayer, and A. Wool, "Firmato: a novel firewall management toolkit," ACM Transactions on Computer Systems, vol. 22, no. 4, pp. 381-420, November 2004.
[4] A. Wool, "A Quantitative Study of Firewall Configuration Errors," IEEE Computer, vol. 37, no. 6, pp. 62-67, June 2004.
[5] M. G. Gouda and A. X. Liu, "Firewall Design: Consistency, Completeness and Compactness," Proc. of ICDCS'04, pp. 320-327, March 2004.
[6] A. X. Liu and M. G. Gouda, "Diverse Firewall Design," Proc. of IEEE International Conference on Dependable Systems and Networks (DSN'04), pp. 595-604, June 2004.
[7] A. X. Liu, E. Torng, and C. Meiners, "Firewall Compressor: An Algorithm for Minimizing Firewall Policies," Proc. of IEEE INFOCOM'08, pp. 595-604, April 2008.
[8] A. X. Liu, E. Torng, and C. Meiners, "The use and usability of direction-based filtering in firewalls," Computers & Security, vol. 6, no. 23, pp. 459-468, April 2004.
[9] A. X. Liu, E. Torng, and C. Meiners, "Optimization of Network Firewall Policies Using Ordered Sets and Directed Acyclical Graphs," Proc. of IEEE Internet Management Conference, 2005.
[10] E. S. Al-Shaer and H. H. Hamed, "Discovery of Policy Anomalies in Distributed Firewalls," Proc. of IEEE INFOCOM'04, March 2004.
[11] R. N. Smith, Y. Chen, and S. Bhattacharya, "Cascade of Distributed and Cooperating Firewalls in a Secure Data Network," IEEE Trans. on Knowledge and Data Engineering, vol. 15, no. 5, 2003.
[12] R. N. Smith and S. Bhattacharya, "Firewall Placement in a Large Network Topology," Proc. of IEEE FTDCS'97, 1997.
[13] A. El-Atawy, T. Samak, E. Al-Shaer, and H. Li, "On Using Online Traffic Statistical Matching for Optimizing Packet Filtering Performance," Proc. of IEEE INFOCOM'2007, May 2007.
[14] H. Hamed, A. El-Atawy, and E. Al-Shaer, "On Dynamic Optimization of Packet Matching in High Speed Firewalls," IEEE Journal on Selected Areas in Communications, vol. 24, no. 10, October 2006.

[15] P. Gupta and N. McKeown, "Algorithms for Packet Classification," IEEE Network, vol. 15, no. 2, pp. 24-32, March 2001.
[16] P. Gupta and N. McKeown, "Packet Classification on Multiple Fields," Proc. of ACM SIGCOMM'99, 1999.
[17] T. Lakshman and D. Stiliadis, "High-Speed Policy-based Packet Forwarding Using Efficient Multi-dimensional Range Matching," Proc. of ACM SIGCOMM'98, 1998.
[18] A. Hari, S. Suri, and G. Parulkar, "Detecting and Resolving Packet Filter Conflicts," Proc. of IEEE INFOCOM'00, March 2000.
[19] V. Srinivasan, G. Varghese, S. Suri, and M. Waldvogel, "Fast and Scalable Layer Four Switching," Proc. of ACM SIGCOMM'98, 1998.
[20] P. Gupta, "Algorithms for Routing Lookups and Packet Classification," PhD Thesis, Stanford University, 2000.
[21] A. X. Liu and M. G. Gouda, "Removing Redundancy from Packet Classifiers," Poster Session, ACM SIGCOMM'04, 2004.
[22] H. Court, Knutsford, and Cheshire, "High-Availability: technology brief firewall load balancing," http://www.High-Availability.Com, 2008.
[23] N. Networks, "Firewall load balancing," www.nortel.com, 2008.
[24] C. Point, "Check Point Firewall-1 Guide," www.checkpoint.com, 2008.
[25] T. H. Cormen, C. E. Leiserson, R. L. Rivest, and C. Stein, "Introduction to Algorithms," The MIT Press, 2003.
[26] S. Savage, D. Wetherall, A. Karlin, and T. Anderson, "Practical Network Support for IP Traceback," Proc. of ACM SIGCOMM'00, August 2000.
[27] D. J. Bernstein, "SYN cookies," http://cr.yp.to/syncookies.html, 1997.
[28] A. Juels and J. Brainard, "Client Puzzles: A Cryptographic Countermeasure Against Connection Depletion Attacks," Proc. of Network and Distributed System Security Symposium (NDSS'99), February 1999.
[29] K. Park and H. Lee, "On the Effectiveness of Route-Based Packet Filtering for Distributed DoS Attack Prevention in Power-Law Internets," Proc. of ACM SIGCOMM'01, August 2001.
[30] A. Bremler-Barr and H. Levy, "Spoofing Prevention Method," Proc. of INFOCOM'05, March 2005.
[31] P. Ferguson and D. Senie, "Network Ingress Filtering: Defeating Denial of Service Attacks Which Employ IP Source Address Spoofing," IETF, RFC 2267, January 1998.

[32] A. D. Keromytis, V. Misra, and D. Rubenstein, "SOS: Secure Overlay Services," Proc. of ACM SIGCOMM'02, August 2002.
[33] A. Yaar, A. Perrig, and D. Song, "FIT: Fast Internet Traceback," Proc. of IEEE INFOCOM, Miami, Florida, March 2005.
[34] A. Yaar, A. Perrig, and D. Song, "StackPi: New Packet Marking and Filtering Mechanisms for DDoS and IP Spoofing Defense," IEEE Journal on Selected Areas in Communications, vol. 24, no. 10, October 2006.
[35] P. Mahajan, S. M. Bellovin, S. Floyd, J. Ioannidis, V. Paxson, and S. Shenker, "Controlling High Bandwidth Aggregates in the Network," Computer Communications Review, vol. 32, no. 3, pp. 62-73, July 2002.
[36] C. Kaufman, R. Perlman, and M. Speciner, "Network Security - Private Communication in a Public World (2nd Edition)," Prentice Hall PTR, 2002.
[37] J. Xu and W. Lee, "Sustaining Availability of Web Services under Distributed Denial of Service Attacks," IEEE Transactions on Computers, vol. 52, no. 2, pp. 195-208, 2003.
[38] T. Aura, P. Nikander, and J. Leiwo, "DoS-Resistant Authentication with Client Puzzles," Cambridge Security Protocols Workshop 2000, LNCS, Springer-Verlag, 2000.
[39] D. Dean and A. Stubblefield, "Using Client Puzzles to Protect TLS," 10th Annual USENIX Security Symposium, 2001.
[40] X. Wang and M. K. Reiter, "Defending Against Denial-of-Service Attacks with Puzzle Auctions," 2003 IEEE Symposium on Security and Privacy, May 2003.
[41] D. G. Andersen, "Mayday: Distributed Filtering for Internet Services," Proc. of 4th USENIX Symposium on Internet Technologies and Systems, March 2003.
[42] W. G. Morein, A. Stavrou, D. L. Cook, A. D. Keromytis, V. Misra, and D. Rubenstein, "Using Graphic Turing Tests to Counter Automated DDoS Attacks Against Web Servers," Proc. of the 10th ACM International Conference on Computer and Communications Security (CCS), October 2003.
[43] L. von Ahn, M. Blum, N. J. Hopper, and J. Langford, "CAPTCHA: Using Hard AI Problems For Security," Proc. of EUROCRYPT'03, 2003.
[44] R. Stone, "CenterTrack: An IP Overlay Network for Tracking DoS Floods," Proc. of the 9th USENIX Security Symposium, August 2000.
[45] A. Yaar, A. Perrig, and D. Song, "Pi: A Path Identification Mechanism to Defend against DDoS Attacks," IEEE Symposium on Security and Privacy, May 2003.

[46] S. M. Bellovin, "ICMP Traceback Messages," Internet Draft: draft-bellovin-itrace-00.txt, March 2000.
[47] A. C. Snoeren, C. Partridge, L. A. Sanchez, C. E. Jones, F. Tchakountio, S. T. Kent, and W. T. Strayer, "Hash-Based IP Traceback," Proc. of ACM SIGCOMM'01, August 2001.
[48] B. R. Smith and J. J. Garcia-Luna-Aceves, "Securing the Border Gateway Routing Protocol," Proc. of Global Internet'96, November 1996.
[49] S. Kent, C. Lynn, and K. Seo, "Secure Border Gateway Protocol (Secure-BGP)," IEEE Journal on Selected Areas in Communications, vol. 18, no. 4, April 2000.
[50] Y. Rekhter and T. Li, "A Border Gateway Protocol 4 (BGP-4)," IETF Network Working Group, RFC 1771, March 1995.
[51] T. Li and G. Huston, "BGP Stability Improvements," IETF Internet-Domain Routing, Internet-Draft, draft-li-bgp-stability-01, June 2007.
[52] C. Villamizar, R. Chandra, and R. Govindan, "BGP Route Flap Damping," IETF Network Working Group, RFC 2439, November 1998.
[53] H. Wang, D. Zhang, and K. G. Shin, "SYN-dog: Sniffing SYN Flooding Sources," Proc. of 22nd International Conference on Distributed Computing Systems (ICDCS'02), July 2002.
[54] M. Faloutsos, P. Faloutsos, and C. Faloutsos, "On Power-Law Relationships of the Internet Topology," Proc. of ACM SIGCOMM'99, 1999.
[55] C. Estan and G. Varghese, "New Directions in Traffic Measurement and Accounting," Proc. of ACM SIGCOMM'02, October 2002.
[56] B. Krishnamurthy, S. Sen, Y. Zhang, and Y. Chen, "Sketch-Based Change Detection: Methods, Evaluation, and Applications," Proc. of IMC'03, pp. 234-247, 2003.
[57] A. Kumar, M. Sung, J. Xu, and J. Wang, "Data Streaming Algorithms for Efficient and Accurate Estimation of Flow Size Distribution," Proc. of ACM SIGMETRICS, 2004.
[58] A. Kumar, J. Xu, J. Wang, O. Spatschek, and L. Li, "Space-Code Bloom Filter for Efficient Per-Flow Traffic Measurement," Proc. of IEEE INFOCOM, March 2004.
[59] Y. Zhang, S. Singh, S. Sen, N. Duffield, and C. Lund, "Online Identification of Hierarchical Heavy Hitters: Algorithms, Evaluation, and Application," Proc. of ACM SIGCOMM IMC, October 2004.
[60] S. Staniford, J. Hoagland, and J. McAlerney, "Practical Automated Detection of Stealthy Portscans," Journal of Computer Security, vol. 10, pp. 105-136, 2002.

[61] D. Plonka, "FlowScan: A Network Traffic Flow Reporting and Visualization Tool," Proc. of USENIX LISA, 2000.
[62] Q. Zhao, J. Xu, and A. Kumar, "Detection of Super Sources and Destinations in High-Speed Networks: Algorithms, Analysis and Evaluation," IEEE JSAC, vol. 24, no. 10, October 2006.
[63] S. Venkataraman, D. Song, P. Gibbons, and A. Blum, "New Streaming Algorithms for Fast Detection of Superspreaders," Proc. of NDSS'05, February 2005.
[64] C. Estan, G. Varghese, and M. Fisk, "Bitmap Algorithms for Counting Active Flows on High-Speed Links," IEEE/ACM Trans. on Networking, vol. 14, no. 5, October 2006.
[65] M. Roesch, "Snort - Lightweight Intrusion Detection for Networks," Proc. of 13th Systems Administration Conference, USENIX, 1999.
[66] Y. Gao, Y. Zhao, R. Schweller, S. Venkataraman, Y. Chen, D. Song, and M. Kao, "Detecting Stealthy Spreaders Using Online Outdegree Histograms," Proc. of IEEE International Workshop on Quality of Service'07, pp. 145-153, June 2007.
[67] K. Whang, B. Vander-Zanden, and H. Taylor, "A Linear Time Probabilistic Counting Algorithm for Database Applications," ACM Transactions on Database Systems, June 1990.
[68] B. Schneier, "SIMS: Solution, or Part of the Problem?," IEEE Security and Privacy, vol. 2, no. 5, October 2004.
[69] B. H. Bloom, "Space/Time Trade-offs in Hash Coding with Allowable Errors," Communications of the ACM, vol. 13, no. 7, pp. 422-426, 1970.
[70] A. Broder and M. Mitzenmacher, "Network Applications of Bloom Filters: A Survey," Internet Mathematics, vol. 1, no. 4, June 2002.
[71] K. Whang, B. Vander-Zanden, and H. Taylor, "A linear-time probabilistic counting algorithm for database applications," ACM Transactions on Database Systems, vol. 15, no. 2, June 1990.

Myung Keun Yoon was born in Seoul, Republic of Korea, in 1973. He received his BS and MS degrees in computer science at Yonsei University in Korea in 1996 and 1998, respectively. After receiving his master's degree, he worked for the Korea Financial Telecommunications and Clearings Institute, where he took the lead in many security-related projects. Since 2004, he has been conducting research with Dr. Shigang Chen in the department of Computer and Information Science and Engineering at the University of Florida. His research interests are network security and mobile networks.