An IP Traceback Protocol using a Compressed Hash Table, a Sinkhole Router and Data Mining based on Network Forensics against Network Attacks

Published: 01 April 2014

Abstract

The Source Path Isolation Engine (SPIE) is based on a Bloom filter. SPIE improves memory efficiency by recording in a Bloom filter the packets that pass through each router, but because the filter's memory is limited it must be initialized periodically. As a result, SPIE cannot trace back attack packets that passed through the routers before the most recent initialization. To address this problem, this paper proposes an IP Traceback Protocol (ITP) that uses a Compressed Hash Table, a Sinkhole Router and Data Mining based on network forensics against network attacks. The ITP embeds in routers a Compressed Hash Table Module (CHTM), which compresses the contents of a hash table and stores the result in a database. The protocol can therefore trace an attack back not only in real time, using the hash table, but also periodically, using the Compressed Hash Table (CHT) archived in the database. Moreover, the ITP detects replay attacks by attaching time-stamps to its messages and verifies each message's integrity with a hash. The protocol also strengthens the attack-packet filtering function of routers by having the System Manager update the attack list in the routers periodically, and it improves the Attack Detection Rate by mining the association rules among attack packets with an Apriori algorithm.
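As an added illustration of the limitation the abstract describes (this is not code from the paper): a SPIE-style Bloom filter of packet digests loses every record at its periodic initialization, whereas a CHTM-style store that compresses the table into a database before each reset can still answer a later traceback query. The digest function, table sizes and the use of zlib as the compressor are assumptions made for the demo, not the paper's design.

```python
import hashlib
import zlib
from typing import List

def packet_digest(packet: bytes) -> bytes:
    """Assumed digest: 8 bytes of SHA-256 over the packet's invariant fields."""
    return hashlib.sha256(packet).digest()[:8]

class BloomDigestTable:
    """SPIE-style Bloom filter of packet digests; reset() discards all history."""
    def __init__(self, m_bits: int = 1024, k: int = 3):
        self.m, self.k = m_bits, k
        self.bits = bytearray(m_bits // 8)
    def _positions(self, digest: bytes):
        for i in range(self.k):  # k independent positions derived from the digest
            h = hashlib.sha256(digest + bytes([i])).digest()
            yield int.from_bytes(h[:4], "big") % self.m
    def insert(self, digest: bytes) -> None:
        for p in self._positions(digest):
            self.bits[p // 8] |= 1 << (p % 8)
    def may_contain(self, digest: bytes) -> bool:
        return all(self.bits[p // 8] & (1 << (p % 8)) for p in self._positions(digest))
    def reset(self) -> None:  # the periodic initialization the abstract refers to
        self.bits = bytearray(self.m // 8)

class CompressedHashTableArchive:
    """CHTM stand-in: at each interval the digest table is compressed and kept in a 'database'."""
    def __init__(self):
        self.current = set()
        self.database: List[bytes] = []  # one compressed snapshot per interval
    def insert(self, digest: bytes) -> None:
        self.current.add(digest)
    def rotate(self) -> None:  # archive the table instead of throwing it away
        self.database.append(zlib.compress(b"".join(sorted(self.current))))
        self.current = set()
    def seen(self, digest: bytes) -> bool:
        if digest in self.current:
            return True
        for blob in self.database:  # periodic traceback over archived snapshots
            raw = zlib.decompress(blob)
            if any(raw[i:i + 8] == digest for i in range(0, len(raw), 8)):
                return True
        return False

def demo():
    """Constructed packet from an earlier interval: (bloom result, CHT result) after the reset."""
    old = packet_digest(b"constructed attack packet from an earlier interval")
    bloom, cht = BloomDigestTable(), CompressedHashTableArchive()
    bloom.insert(old); cht.insert(old)
    bloom.reset(); cht.rotate()
    return bloom.may_contain(old), cht.seen(old)
```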



Published In

Future Generation Computer Systems, Volume 33, April 2014, 91 pages

Publisher

Elsevier Science Publishers B. V.

Netherlands


Author Tags

  1. Association rule
  2. Attack packet rule
  3. Attack pattern
  4. Compressed Hash Table
  5. Hash table
  6. IP Traceback Protocol
  7. Sinkhole router

Cited By

  • (2021) Analysis of Challenges in Modern Network Forensic Framework. Security and Communication Networks, 2021. doi:10.1155/2021/8871230. Online publication date: 1-Jan-2021
  • (2017) Unmasking of source identity, a step beyond in cyber forensic. Proceedings of the 10th International Conference on Security of Information and Networks, pp. 157-164. doi:10.1145/3136825.3136870. Online publication date: 13-Oct-2017
  • (2016) Network forensics. Journal of Network and Computer Applications, 66:C, pp. 214-235. doi:10.1016/j.jnca.2016.03.005. Online publication date: 1-May-2016
  • (2016) A comprehensive analysis for fair probability marking based traceback approach in WSNs. Security and Communication Networks, 9:14, pp. 2448-2475. doi:10.1002/sec.1515. Online publication date: 25-Sep-2016
  • (2014) Editorial. Future Generation Computer Systems, 33, pp. 19-20. doi:10.1016/j.future.2013.10.022. Online publication date: 1-Apr-2014
