In this paper, we present a novel approach to IP traceback, deterministic flow marking (DFM). We evaluate this approach against two well-known IP traceback schemes: probabilistic packet marking (PPM) and deterministic packet marking (DPM). To do so, we analyzed these techniques in detail in terms of their performance and feasibility on five Internet traces. These traces consist of the DARPA 1999 traffic traces, the CAIDA October 2012 traffic traces, the MAWI December 2012 traffic traces, and the Dal2010 traffic traces. We employed 16 performance metrics to evaluate them. The empirical results show that the novel DFM technique can reduce the number of marked packets by 91% compared to DPM, while achieving the same or better performance in terms of its ability to trace back the attack. Additionally, DFM provides optional authentication so that a compromised router cannot forge the markings of other, uncompromised routers. Unlike PPM and DPM, which trace the attack only up to the ingress interface of the edge router close to the attacker, DFM allows the victim to trace the origin of incorrect or spoofed source addresses up to the attacker node, even if the attack originated from a network behind a network address translation (NAT) server. Our results show that DFM can reach approximately a 99% traceback rate with no false positives.
This paper presents an evaluation of two promising schemes for tracing cyber-attacks: the well-known Deterministic Packet Marking (DPM) and a novel marking scheme for IP traceback, Deterministic Flow Marking (DFM). We first explore DPM in detail, then investigate DFM, and analyze the pros and cons of both approaches in depth in terms of practicality and feasibility, so that the shortcomings of each scheme are highlighted. This evaluation is based on the CAIDA October 2012 Internet traces dataset. The results show that DFM may reduce the number of marked packets required for tracing attacks by as much as 90% on average, with no false positives, while eliminating spoofed markings embedded by the attacker as well as by compromised routers in the attack path. Moreover, unlike DPM, which traces the attack only up to the ingress interface of the edge router close to the attacker, DFM allows the victim to trace the origin of incorrect or spoofed source addresses up to the attacker node, even if the attack originated from a network behind a network address translation (NAT) device, firewall, or proxy server.
Proxies are commonly used on today's Internet. On one hand, end users can choose to use proxies to hide their identities for privacy reasons. On the other hand, ubiquitous systems can use them to intercept traffic for purposes such as caching. In addition, attackers can use such technologies to anonymize their malicious behaviours and hide their identities. Identifying such behaviours is important for defense applications, since it can facilitate the assessment of security threats. The objective of this paper is to identify proxy traffic as seen in a traffic log file without any access to the proxy server or the clients behind it. To achieve this: (i) we employ a mixture of log files to represent real-life proxy behaviour, and (ii) we design and develop a data-driven, machine-learning-based approach to provide recommendations for the automatic identification of such behaviours. Our results show that we are able to achieve our objective with promising performance, even though the problem is very challenging.
In this paper, we outline the recent efforts of our research in defense against Distributed Denial of Service (DDoS) attacks. In particular, we present a novel approach to IP traceback, namely Unique Flow Marking (UFM), and we evaluate UFM against other marking schemes. Our results show that UFM can reduce the number of marked packets compared to the other marking schemes, while achieving better performance in terms of its ability to trace back the attack.