TY - GEN
T1 - Reconstruction of malicious internet flows
AU - Demir, Omer
AU - Khan, Bilal
AU - Al-Fuqaha, Ala
PY - 2010
Y1 - 2010
N2 - We describe a general-purpose distributed system capable of traceback of malicious flow trajectories in the wide area despite possible source IP spoofing. Our system requires the placement of agents on a subset of the inter-autonomous system (AS) links of the Internet. Agents are instrumented with a uniform notion of attack criterion. Deployed, these agents implement a self-organizing, decentralized mechanism that is capable of reconstructing topological and temporal information about malicious flows. For example, when the attack criterion is taken to be based on excessive TCP connection establishment traffic to a destination, the system becomes a traceback service for distributed denial of service (DDoS) attacks. As another special case, when the attack criterion is taken to be based on malicious payload signature match as defined by an intrusion detection system (IDS), the agents provide a service for tracing malware propagation pathways. The main contribution of this paper is to demonstrate that the proposed system is effective at recovering malicious flow structure even at moderate levels of deployment in large networks, including within the present Internet topology.
KW - Distributed denial of service
KW - Flow reconstruction
UR - https://www.scopus.com/pages/publications/77955132747
U2 - 10.1145/1815396.1815667
DO - 10.1145/1815396.1815667
M3 - Conference contribution
AN - SCOPUS:77955132747
SN - 9781450300629
T3 - IWCMC 2010 - Proceedings of the 6th International Wireless Communications and Mobile Computing Conference
SP - 1182
EP - 1187
BT - IWCMC 2010 - Proceedings of the 6th International Wireless Communications and Mobile Computing Conference
T2 - 6th International Wireless Communications and Mobile Computing Conference, IWCMC 2010
Y2 - 28 June 2010 through 2 July 2010
ER -
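The abstract above describes agents on a subset of inter-AS links that share one attack criterion and recover the trajectory of a flow whose source address cannot be trusted. The following is an added toy model written for this record; it is not the paper's code and does not claim to reproduce its reconstruction algorithm. The simplification it uses is that each agent records the time its criterion first fired and the trajectory is recovered by ordering those observations, with a gap marked wherever two consecutive agents are not on adjacent links. Both criteria named in the abstract are modelled: a SYN-rate threshold (DDoS traceback) and an IDS-style payload signature (malware pathway tracing). The ASNs (64496 to 64511) and addresses (203.0.113.0/24, 198.51.100.0/24, 192.0.2.0/24) are documentation ranges, the thresholds and hop delay are arbitrary, and all traffic is constructed inline.

```python
"""Toy model of link-placed traceback agents (added illustration, not the paper's code).
ASNs and addresses are from documentation ranges; traffic and thresholds are constructed."""
from collections import defaultdict, deque
from dataclasses import dataclass, replace
from typing import Callable, Dict, List, Optional, Sequence, Tuple

Link = Tuple[int, int]  # (upstream AS, downstream AS)


@dataclass(frozen=True)
class Packet:
    src: str            # header source address; the attacker may spoof it freely
    dst: str
    ts: float           # time at the current observation point
    syn: bool = False
    payload: bytes = b""


class SynRateCriterion:
    """DDoS criterion: more than `threshold` SYNs to one destination within `window` seconds."""

    def __init__(self, threshold: int = 20, window: float = 1.0):
        self.threshold, self.window = threshold, window
        self._syns: Dict[str, deque] = defaultdict(deque)

    def __call__(self, pkt: Packet) -> bool:
        if not pkt.syn:
            return False
        q = self._syns[pkt.dst]
        q.append(pkt.ts)
        while q and pkt.ts - q[0] > self.window:   # drop SYNs that fell out of the window
            q.popleft()
        return len(q) > self.threshold


class SignatureCriterion:
    """IDS-style criterion: payload carries a known malicious byte pattern."""

    def __init__(self, signature: bytes):
        self.signature = signature

    def __call__(self, pkt: Packet) -> bool:
        return self.signature in pkt.payload


class Agent:
    """Sits on one inter-AS link, applies the shared criterion, remembers when it first fired."""

    def __init__(self, link: Link, criterion: Callable[[Packet], bool]):
        self.link, self.criterion = link, criterion
        self.first_hit: Optional[float] = None
        self.hits = 0

    def observe(self, pkt: Packet) -> None:
        if self.criterion(pkt):
            self.hits += 1
            if self.first_hit is None:
                self.first_hit = pkt.ts


def forward(path: Sequence[int], pkt: Packet, agents: Dict[Link, Agent], hop_delay: float = 0.005) -> None:
    """Route pkt along an AS path; deployed agents see it, later hops with a constructed delay."""
    for hop, link in enumerate(zip(path, path[1:])):
        if link in agents:
            agents[link].observe(replace(pkt, ts=pkt.ts + hop * hop_delay))


def reconstruct(agents: Dict[Link, Agent]) -> Tuple[List[Link], Optional[int], List[Optional[int]]]:
    """Order fired links by first detection time (earliest is nearest the origin).
    Returns (ordered links, estimated origin AS, AS trajectory with None for uncovered gaps)."""
    fired = sorted((a.first_hit, a.link) for a in agents.values() if a.first_hit is not None)
    links = [link for _, link in fired]
    if not links:
        return [], None, []
    trajectory: List[Optional[int]] = [links[0][0], links[0][1]]
    for (_, prev_down), (up, down) in zip(links, links[1:]):
        if prev_down != up:          # an undeployed link lies between these two agents
            trajectory += [None, up]
        trajectory.append(down)
    return links, links[0][0], trajectory


def run_ddos_demo() -> dict:
    """SYN flood from AS64496 to a victim in AS64500; agents on only 2 of the 4 path links."""
    attack_path = [64496, 64497, 64498, 64499, 64500]
    deployed = [(64496, 64497), (64498, 64499), (64501, 64500)]  # partial deployment plus a bystander link
    agents = {link: Agent(link, SynRateCriterion(threshold=20, window=1.0)) for link in deployed}
    for i in range(50):  # constructed flood: 50 SYNs, a different spoofed source each, 10 ms apart
        forward(attack_path, Packet(f"203.0.113.{i}", "192.0.2.10", 0.01 * i, syn=True), agents)
    for i in range(3):   # constructed benign SYNs via another ingress, well under threshold
        forward([64501, 64500], Packet("198.51.100.5", "192.0.2.10", 0.1 * i, syn=True), agents)
    links, origin_as, trajectory = reconstruct(agents)
    return {"links": links, "origin_as": origin_as, "trajectory": trajectory,
            "bystander_hits": agents[(64501, 64500)].hits}


def run_malware_demo() -> dict:
    """One signature-matching payload with a spoofed source crossing AS64502 -> AS64503 -> AS64504."""
    path = [64502, 64503, 64504]
    agents = {link: Agent(link, SignatureCriterion(b"\x90\x90EVIL")) for link in zip(path, path[1:])}
    forward(path, Packet("203.0.113.200", "192.0.2.20", 5.0, payload=b"GET /\x90\x90EVIL"), agents)
    forward(path, Packet("198.51.100.7", "192.0.2.20", 5.5, payload=b"GET /index.html"), agents)
    links, origin_as, trajectory = reconstruct(agents)
    return {"links": links, "origin_as": origin_as, "trajectory": trajectory}


if __name__ == "__main__":
    print(run_ddos_demo())
    print(run_malware_demo())
```

The point the model makes is that the spoofed 203.0.113.x source addresses never enter the reconstruction: the origin estimate comes from the upstream AS of the earliest firing link, and the None in the DDoS trajectory shows exactly where partial deployment leaves the path unobserved. A real deployment would have to handle clock skew between agents and links shared by several flows, which this ordering-by-first-hit model ignores.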