Outline
                        Introduction
                   The Bitmap Filter
                         Evaluations
                         Discussions
                          Conclusion




Mitigating Active Attacks Towards Client Networks Using the Bitmap Filter

Chun-Ying Huang, Kuan-Ta Chen, Chin-Laung Lei

Distributed Computing and Network Security Lab
Department of Electrical Engineering
National Taiwan University

June 26, 2006

   C.-Y. Huang, K.-T. Chen, C.-L. Lei   Mitigating Active Attacks Towards Client Networks   1/31
Outline


  1   Introduction

  2   The Bitmap Filter

  3   Evaluations

  4   Discussions

  5   Conclusion



Active Attacks

  Definition
  An active attack is behavior that deliberately scans, probes, or intrudes on certain hosts or networks with malicious intent.

  Motivations
      The popularity of Internet worms has shifted who the victims are.
      Most defense mechanisms must be deployed globally to be effective.
      How can an ISP protect its customers/clients from attacks?
      Construct an efficient stateful packet inspection (SPI) filter.

Stateful Packet Inspection

[Figure: an SPI filter sits between Client C on the LAN and the Internet, where Server S and Attacker A reside. The filter keeps a state table with columns Src, Src-Port, Dst, Dst-Port. When C sends the request C:1234 -> S:80, the row (C, 1234, S, 80) is recorded; the response S:80 -> C:1234 matches that row and is passed on to C, while attack packets from A toward C match no row in the table.]

Stateful Packet Inspection (cont'd)

  The Problem
  Storage and computation costs grow linearly with the size of the state table.

Client Network Traffic Characteristics

  Observations
    1   Connection/Session lifetime
    2   Out-In packet delay

  Data source: six aggregated class-C campus client networks
      A 6-hour TCP and UDP packet trace.
      Collected between 10AM and 4PM on a weekday.
      96.25% TCP packets and 3.75% UDP packets.
      Average packet rate: 24.63K packets per second.
      Average bandwidth utilization: 138.55 Mbps.
      Average packet size: 720 bytes.

Connection/Session Lifetime

Definition
Given a TCP connection, measure the time between the last TCP-SYN and the first TCP-FIN packet.

Result summary
    90%: < 76 seconds.
    95%: < 6 minutes.
    99%: < 515 seconds.
    Lifetime is short.

[Figure a. Connection Lifetime: number of connections (log scale, 1e+00 to 1e+06) versus lifetime in seconds (0 to 10000); 76 and 515 seconds are marked, and 99% of connections are shorter than 515 seconds.]

Out-In Packet Delay

  Definition of the Out-In Packet Delay
      A connection contains several outgoing and incoming packets.
      We measure the elapsed time between an outgoing packet and the successive incoming packets in each connection.

[Figure: a timeline between LAN and WAN with outgoing packets A, B, C, D and incoming packets 1 to 6; the measured out-in pairs are A-1, A-2, A-3, B-4, B-5 and D-6.]

Out-In Packet Delay (cont'd)

  Result summary
      Observed port-reuse effect.
      99% are shorter than 2.8 seconds, which implies that Internet traffic is bi-directional and has high locality in the temporal domain.

[Figure b. Out-In Packet Delay: packet count (log scale, 1e+00 to 1e+08) versus delay in seconds (0 to 600); peaks at roughly 30, 60, 100, 120, 150, 160, 190, 220, 290, 350, 420, 480 and 540 seconds are interleaved with intervals of roughly 30 or 60 seconds.]

[Figure c. Out-In Packet Delay (CDF): CDF (0.85 to 1.00) versus delay in seconds (0 to 20); 95% of out-in packet delays are shorter than 0.8 seconds and 99% are shorter than 2.8 seconds.]

Construct the Bitmap Filter

  With the previous observations:
    1   Connection/Session lifetime is short.
    2   Out-in packet delays are short.
    3   Internet traffic is bi-directional.
  A stateful packet inspection (SPI) filter can be modified.

A Naïve Method to Modify an SPI Filter

  Expire connection state information with timers.

[Figure: the state table now holds Connection Info. and a Timer per row, e.g. C:1234 S:80 with timer 10; the request C:1234 -> S:80, the response S:80 -> C:1234 and the attack packets from A toward C are handled as in the SPI figure.]

  However: storage and computation complexity are still linear.

Improved Performance: Using the Bitmap Filter

  Reduce storage and computation complexity to constant.

Definition
    A bitmap filter is a composition of k bloom filters of equal size N (= 2^n bits), denoted as a {k × N}-bitmap filter.

    The i-th bloom filter is denoted as bit-vector[i] in the algorithms.

[Figure: the m hash functions H1(t), H2(t), ..., Hm(t) each map an item t to an n-bit index into the 2^n-bit bloom filters 1, 2, 3, ..., k; the bit at each hashed index is set to 1.]

Outline
                                   Introduction
                                                   Client Network Traffic Characteristics
                              The Bitmap Filter
                                                   Construct the Bitmap Filter
                                    Evaluations
                                                   Parameter Decisions
                                    Discussions
                                     Conclusion


The Algorithms

  Initialization
       A {k × N}-bitmap filter is initialized to all bits zero.

       All the k bloom filters are configured to share the same m hash functions.


                   The concept: Time-rotated bloom filters




  [Figure: the k bloom filters 1 ... K shown at t0, t0 + ∆t and t0 + 2∆t; the
  "current" marker advances by one filter per ∆t, and the filter it leaves
  becomes the "eldest", i.e. the one that is reset next.]




The Algorithms (cont’d)



  Algorithm I: Periodically reset the eldest bloom filter
      Rotate one time unit, then reset the eldest bloom filter.


  Algorithm II: Test and set the bloom filters
      Outgoing packets: Mark all corresponding bits on all bloom filters.

      Incoming packets: Reject if not all corresponding bits are marked on the current
      bloom filter.
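  The two algorithms above, written out as an added Python example (this is not code from
  the authors or the deck). It assumes a 5-tuple state key (protocol, local address, local
  port, remote address, remote port), m hash functions derived from SHA-256 with a
  per-function salt byte and truncated to n bits, and an injectable clock so that the
  rotation can be driven deterministically; the addresses in the demo are constructed.

```python
# Added example: a {k x 2^n}-bitmap filter as time-rotated bloom filters.
# Assumptions (not from the deck): the state key is the 5-tuple
# (proto, local addr, local port, remote addr, remote port), the m hash
# functions are SHA-256 with a per-function salt byte truncated to n bits,
# and the clock is injectable so rotation can be driven deterministically.
import hashlib
import time


class BitmapFilter:
    def __init__(self, n, k, m, delta_t, clock=time.monotonic):
        self.n, self.k, self.m, self.delta_t = n, k, m, delta_t
        self.vector_bytes = (1 << n) // 8          # each bit-vector is 2^n bits
        # Initialization: all k bit-vectors start at zero.
        self.vectors = [bytearray(self.vector_bytes) for _ in range(k)]
        self.current = 0                           # index of the vector that is checked
        self.clock = clock
        self.last_rotate = clock()

    # --- the m hash functions shared by all k bloom filters ---------------
    def _indexes(self, key):
        mask = (1 << self.n) - 1
        for i in range(self.m):                    # H_i(t) = SHA-256(i || t) mod 2^n
            digest = hashlib.sha256(bytes([i]) + key).digest()
            yield int.from_bytes(digest[:8], "big") & mask

    @staticmethod
    def _key(proto, local, lport, remote, rport):
        return f"{proto}|{local}|{lport}|{remote}|{rport}".encode()

    # --- Algorithm I: periodically reset the eldest bloom filter ----------
    def rotate(self):
        """Rotate one time unit: the vector that was current becomes the
        eldest and is reset; the next vector in the ring becomes current."""
        eldest = self.current
        self.current = (self.current + 1) % self.k
        self.vectors[eldest][:] = bytes(self.vector_bytes)

    def _rotate_if_due(self):
        due = int((self.clock() - self.last_rotate) // self.delta_t)
        if due <= 0:
            return
        for _ in range(min(due, self.k)):          # k rotations already clear every vector
            self.rotate()
        self.last_rotate += due * self.delta_t

    # --- Algorithm II: test and set the bloom filters ---------------------
    def outgoing(self, proto, src, sport, dst, dport):
        """Outgoing packet: mark the m corresponding bits in all k vectors."""
        self._rotate_if_due()
        for idx in self._indexes(self._key(proto, src, sport, dst, dport)):
            byte, bit = divmod(idx, 8)
            for vec in self.vectors:
                vec[byte] |= 1 << bit

    def incoming(self, proto, src, sport, dst, dport):
        """Incoming packet: accept only if all m bits are set in the current vector."""
        self._rotate_if_due()
        cur = self.vectors[self.current]
        key = self._key(proto, dst, dport, src, sport)   # same key as the outgoing direction
        return all((cur[idx // 8] >> (idx % 8)) & 1 for idx in self._indexes(key))


if __name__ == "__main__":
    clock = [0.0]                                   # constructed, manually advanced clock
    bf = BitmapFilter(n=20, k=4, m=3, delta_t=5, clock=lambda: clock[0])
    bf.outgoing("tcp", "10.0.0.5", 40000, "203.0.113.9", 443)          # constructed flow
    print(bf.incoming("tcp", "203.0.113.9", 443, "10.0.0.5", 40000))   # reply: accepted
    print(bf.incoming("tcp", "198.51.100.7", 443, "10.0.0.5", 40000))  # unsolicited: rejected
    clock[0] = 20.0                                 # Te = k * delta_t has elapsed
    print(bf.incoming("tcp", "203.0.113.9", 443, "10.0.0.5", 40000))   # state expired
```

  Because a mark is written into all k vectors and the vector being checked is the one
  that has accumulated for the longest, a state set at time s stays accepted for
  between (k − 1)∆t and k∆t seconds; that spread is the granularity cost of a coarse ∆t
  referred to in the parameter guidelines. An incoming check touches a single vector
  while an outgoing mark touches all k, which is the O(m) versus O(m × k) split on the
  performance slide.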




The Algorithms: Illustrated

  The two algorithms implement the same concept as the modified
  SPI filter presented before.

  [Figure: four snapshots of the bitmap, drawn as columns over the 2^n bit
  positions whose heights (1 to 8) count the rotations left before the marks
  at that position expire:
     At time = tk, a snapshot of the current bitmap status.
     At time = tk+∆t, all columns are reduced by 1.
     At time = tk+2∆t, all columns are reduced by 1, again.
     At time = tk+2∆t, with an occurrence of a new connection.]
Parameter Decisions

  Parameter List
      Name   Meaning
      Te     The expiry time of a state.
      ∆t     The time unit by which the bitmap is rotated.
      k      The number of bloom filters used.
      N      The size of each bloom filter; the real size is 2^n bits.
      m      The number of hash functions used by the bloom filters.

  Guidelines
    1   Recall the observed port-reuse effect: Te should not be too large.
    2   ∆t should be set properly. A small ∆t increases system load; a large ∆t reduces
        system granularity (and precision).
    3   k is roughly Te / ∆t.
    4   N and m depend on the scale of the network and the required precision.
False Positives and False Negatives


  Definition
       False positive: Normal behavior is rejected.
       False negative: Attacks are accepted.

  False positives
       Since the lifetime of a state is Te seconds, a false positive occurs
       only when the out-in packet delay is longer than Te seconds.
       As the statistics show, when Te is greater than 2.8 seconds, the
       false positive rates should be lower than 1%.



False Negatives

  Estimating False Negative Rates
    1   Given the expected maximum number of active connections c within Te and the
        bitmap size N, the false negative rate can be bounded by

            $p \le \exp\left(-\frac{N}{e \cdot c}\right).$                    (1)

    2   Conversely, given N and a tolerable maximum value of p, the expected maximum
        number of active connections c should satisfy

            $c \le -\frac{N}{e \ln p}.$                                       (2)




Examples

  For a small- or medium-scale network
  A bitmap filter is constructed using the following configuration
       Parameters: k = 4, ∆t = 5, (Te = 20), m = 3
       Required memory space: k × 2^n / 8 = 512 K bytes.
  Given the tolerable penetration probability of 10%, 5%, and 1%,
  the bitmap filter provides capacity of 167K, 125K, and 83K active
  connections in Te , respectively.

  Compare with the campus network traffic
  Only 15K active connections within a Te of 20 seconds.
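  The sizing arithmetic behind equations (1) and (2) and the example above, as an added
  Python example (not code from the authors or the deck). It only evaluates the deck's
  formulas with the deck's own parameters (n = 20, k = 4, ∆t = 5, the 15K campus
  figure); the helper that searches for the smallest n is an addition for the
  "N depends on the scale of the network" guideline.

```python
# Added example: sizing a {k x 2^n}-bitmap filter from equations (1) and (2).
# Not from the deck; it evaluates the deck's bound and reproduces the
# example slide's numbers (n = 20, k = 4, delta_t = 5).
import math


def bitmap_bytes(n, k):
    """Memory of k bit-vectors of 2^n bits each, in bytes."""
    return k * (1 << n) // 8


def false_negative_bound(N, c):
    """Eq. (1): p <= exp(-N / (e * c)) with c active connections within Te."""
    return math.exp(-N / (math.e * c))


def capacity(N, p):
    """Eq. (2): the largest c for which the bound stays at or below p."""
    return math.floor(-N / (math.e * math.log(p)))


def choose_n(c, p, n_max=32):
    """Smallest n such that one 2^n-bit vector holds c connections within
    the tolerable penetration probability p (added helper, not from the deck)."""
    for n in range(1, n_max + 1):
        if capacity(1 << n, p) >= c:
            return n
    raise ValueError("no n up to n_max satisfies the target")


def sizing_report(n, k, delta_t, probabilities, observed_c):
    """Memory, Te, capacity per tolerable p, and the bound at an observed load."""
    N = 1 << n
    return {
        "bytes": bitmap_bytes(n, k),
        "Te": k * delta_t,
        "capacity": {p: capacity(N, p) for p in probabilities},
        "bound_at_observed": false_negative_bound(N, observed_c),
    }


if __name__ == "__main__":
    report = sizing_report(n=20, k=4, delta_t=5,
                           probabilities=(0.10, 0.05, 0.01), observed_c=15_000)
    print(report)
    print("smallest n for 15K connections at p = 1%:", choose_n(15_000, 0.01))
```

  With N = 2^20, equation (2) gives about 167.5K and 83.8K connections for p = 10% and
  1%, matching the slide; for p = 5% it gives about 129K, slightly above the 125K quoted.
  At the observed 15K connections the bound is far below 10^-9, and a 2^18-bit vector
  would already hold that load at p = 1%. Note that m does not appear in the bound.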


Performance

  Summary
  Packet Processing:
       For an outgoing packet: O(m) hashes +O(m × k) marks.

       For an incoming packet: O(m) hashes +O(m) checks.

  Bitmap Rotation:
       Reset a bit vector: constant according to the given bitmap size.


  Since the bitmap has a fixed size and occupies a contiguous memory region, and
  the operations the algorithms use (hashing, bit set, bit test and vector reset)
  are simple to build in hardware, the algorithms can be implemented entirely in
  hardware.

Compare with Similar Implementations

                                         Hash + link-list (Linux)   AVL-tree     Bitmap filter
  Storage space - complexity             O(n)                       O(n)         O(c)
  Storage space - 2.55M active conn.     77M bytes                  77M bytes    8M bytes
  Computation - insert a new state       O(1)                       O(log n)     O(1)
  Computation - search for a state       O(n)                       O(log n)     O(1)
  Computation - garbage collection       O(n)                       O(n)         O(c)
  Hardware acceleration                  Possible                   Expensive    Cheap

  (n here is the number of tracked states; c is the bitmap size, a constant fixed at
  configuration time.)



Simulation I: Drop Rate Comparison

                      Compare the drop rate of BF and SPI-filter



Environments
    An SPI filter is implemented for comparison (idle states expire
    after 240 seconds).

    The bitmap filter: n = 20, k = 4,
    ∆t = 5, Te = 20 (512K bytes).

    Drop rates are measured per 5-second time unit.




  [Figure: scatter plot of the drop rate of the bitmap filter (%, 1.0 to 3.5)
  against the drop rate of the SPI filter (%, 1.0 to 3.0), one point per
  5-second time unit.]
Simulation II: Filter Rate

  Environments
      The same bitmap filter used in simulation I.

      Attack rate: spoofed addresses, 500K packets per second.




  [Figure (a) Filter Performance: packet count (0 to 4e+05) against time in
  seconds (0 to 20000).
   Figure (b) Attack Filtering Rate: filtering rate (%) between 99.95 and 100.01
  against time in seconds (12000 to 22000).]
Summary of Discussions

   1   Compatibility
           The bitmap filter is compatible with all single-connection applications.
           For multiple-connection applications, the bitmap filter is also compatible
           with hole-punching style NAT-traversal solutions.
   2   Attacks from Insiders
           An inside attacker who attacks outsiders can quickly increase the bitmap
           utilization, which in turn increases the false negative rate.
           An administrator may increase n (a larger bitmap), or shorten Te so that
           fewer states are alive at once, to tolerate such attacks; however, it is
           better to identify and eliminate inside attackers.
   3   Adaptive Packet Dropping
           For bandwidth attacks only, the bitmap filter may adopt adaptive packet
           dropping to improve compatibility.


Conclusion



     We propose the bitmap filter, an alternative implementation
     that replaces the stateful packet inspection (SPI) filter to stop
     malicious traffic aimed at client networks.
     The bitmap filter successfully reduces the complexities of both
     storage and computation to constants.
     Analyses and simulations show that, with limited resources,
     the bitmap filter can filter 90% or even 99% of attack traffic.




Thanks for your attention.
Comments or questions?




           C.-Y. Huang, K.-T. Chen, C.-L. Lei   Mitigating Active Attacks Towards Client Networks 31/31
