Slide 1MotivationProblem DefinitionLog-based TracebackChallengesProposed MethodSPIE InfrastructureDiscussionCarnegie Mellon UniversityU Kang1Hash-Based IP TracebackU KangComputer Science Department15-744 Computer NetworksCarnegie Mellon UniversityU Kang2MotivationOur network or hosts have been compromisedHow can we trace the attackers identity?Carnegie Mellon UniversityU Kang3Problem DefinitionIP traceback problemGiven packets of interest,1. Identify the source of the packets2. Construct an attack graph composed of the attack paths for attack packets that arrived at the victimAttack GraphCarnegie Mellon UniversityU KangLog-based TracebackRouters keep the log of packetsIf an attack occurs, routers are queried for attack packetsCarnegie Mellon UniversityU Kang5ChallengesC1: Minimizing CostStorage used to keep informationC2: AccuracyNo false negativeMinimize false positiveC3: Maintaining PrivacyA tracing system should not adversely impact the privacy of legitimate usersCarnegie Mellon UniversityU Kang6Proposed MethodSource Path Isolation Engine(SPIE)Audit traffic by storing 32-bit packet digests rather than the packets themselvesSolves “C1: Minimizing Cost”, “C3: Maintaining Privacy”Bloom Filters to Minimize False PositiveSolves “C2: Accuracy”Bloom Filter - add() - isMember()Carnegie Mellon UniversityU Kang7SPIE Infrastructure1. IDS detects an attack packet2. IDS issue a traceback request to STM3. STM asks all SCARS in its domain to poll their respective DGAs for the relevant traffic digests4. SCARs construct attack subgraphsSTM: Traceback ManagerSCAR: Collection and Reduction AgentsDGA: Data Generation AgentCarnegie Mellon UniversityU Kang8DiscussionDeployment: can the SPIE infrastructure be deployed over multiple ISPs?Memory Requirements?A core router with a max. capacity of 640M pkts/sec requires 23 GB for one minute’s
View Full Document
Unlocking...