Reducing false rate packet recognition using Dual Counting Bloom Filter

Dodig, Ivica; Sruk, Vlado; Cafuta, Davor

doi:10.1007/s11235-017-0375-3

Cited by 6 publications

(5 citation statements)

References 21 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In summary, this paper presents the following contributions: (i) a technique, called SACK3, to detect and mitigate TCP SYN Flood attacks using anti-spoofing techniques while reducing the overhead of legit clients, (ii) a implementation of the improved version of SACK2 [Sun et al 2009] that uses dual counting Bloom Filters [Dodig et al 2017] for programmable data planes in P4, and (iii) a comprehensive evaluation of SACK3, which confirms its effectiveness against TCP SYN Flood attacks. Moreover, the experiments have shown a significant reduction of connection time against a pure Safe Reset proxy implemented in the data plane.…”

Section: Introductionmentioning

confidence: 66%

“…Experiments shown that the memory cost of SACK2 for a 10Gbps link is 364KB and can be easily accommodated in modern routers. An improved version of SACK2 was proposed in [Dodig et al 2017] that is able to use dual counting Bloom Filter (DCBF) to decrease false detection of matching packets.…”

Section: Sketch-based Solutionsmentioning

confidence: 99%

“…To solve the first limitation, we added a sketch-based algorithm to detect spoofed TCP SYN Flood on the data plane in order to choose suspicious clients to be authenticated. From the algorithms to detect ongoing spoofed TCP SYN Flood attacks listed in Section 2, we choose to implement an improved version [Dodig et al 2017] of the SACK2 algorithm due to its effectiveness, low resource usage, and simplicity. We implemented the DCBF (Dual Counting Bloom Filter), composed by CBF1 and CBF1 INV, to track the SYN-ACK/CliACK pair.…”

Section: Proposed Solutionmentioning

confidence: 99%

“…As such, streaming algorithms, or sketches, have been used into network elements (e.g., routers or middleboxes) in high-speed networks to handle a high volume of traffic while maintaining a low consumption overhead of CPU and memory. Several sketches have been proposed to detect TCP-SYN Flood attacks [Sun et al 2009, Dodig et al 2017. They rely on keeping tracking of the TCP Handshake to detect flooding attacks.…”

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

DDoS on Sketch: Spoofed DDoS attack defense with programmable data plans using sketches in SDN

Tavares

Ferreto

2019

Anais Do XXXVII Simpósio Brasileiro De Redes De Computadores E Sistemas Distribuídos (SBRC 2019)

View full text Add to dashboard Cite

Distributed Denial of Service (DDoS) attacks continues to be a major issue in todays Internet. Over the last few years, we have observed a dramatic escalation in the number, scale, and diversity of these attacks. Among the various types, spoofed TCP SYN Flood is one of the most common forms of volumetric DDoS attacks. Several works explored the flexible management control provided by the new network paradigm called Defined Networking Software (SDN) to produce a flexible and powerful defense system. Among them, data plane based solutions combined with recent flexibility of programmable switches aims to leverage hardware speed and defend against Spoofed Flooding attacks. Usually, they implement anti-spoofing mechanisms that rely on performing client authentication on the data plane using techniques such as TCP Proxy, TCP Reset, and Safe Reset. However, these mechanisms have several limitations. First, due to the required interaction to authenticate the client, they penalize all clients connection time even without an ongoing attack. Second, they use a limited version of TCP cookies to detect a valid client ACK or RST, and finally, they are vulnerable to a buffer saturation attack due to limited data plan resources that stores the whitelist of authenticated users. In this work, we propose the use of sketch-based solutions to improve the data plane Safe Reset anti-spoofing defense mechanism. We implemented our solution in P4, a high-level language for programmable data planes, and evaluate our solution against a data plan. Safe Reset technique on an emulated environment using Mininet.

show abstract

Section: Introductionmentioning

confidence: 66%

Section: Sketch-based Solutionsmentioning

confidence: 99%

Section: Proposed Solutionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

DDoS on Sketch: Spoofed DDoS attack defense with programmable data plans using sketches in SDN

Tavares

Ferreto

2019

Anais Do XXXVII Simpósio Brasileiro De Redes De Computadores E Sistemas Distribuídos (SBRC 2019)

View full text Add to dashboard Cite

show abstract

“…However, this method relies excessively on packet size and cannot adapt to multiple attack scenarios. Dodig et al [7] proposed a new data structure based on a novel Dual Counting Bloom Filter to reduce detection errors for matching packages and theoretically analyzed the detection probability of determining the error rate and the requirement of increasing memory.…”

Section: Related Researchmentioning

confidence: 99%

Flow Correlation Degree Optimization Driven Random Forest for Detecting DDoS Attacks in Cloud Computing

Cheng¹,

Tang

et al. 2018

Security and Communication Networks

View full text Add to dashboard Cite

Distributed denial-of-service (DDoS) has caused major damage to cloud computing, and the false- and missing-alarm rates of existing DDoS attack-detection methods are relatively high in cloud environment. In this paper, we propose a DDoS attack-detection method with enhanced random forest (RF) optimized by genetic algorithm based on flow correlation degree (FCD) feature. We define the FCD feature according to the asymmetric and semidirectivity interaction characteristics and use the two-tuples FCD feature consisting of packet-statistical degree (PSD) and semidirectivity interaction abnormality (SDIA) to describe the features of attack flow and normal flow. Then we use a genetic algorithm based on the FCD feature sequences to optimize two key parameters of the decision tree in the RF: the maximum number of decision trees and the maximum depth of every single decision tree. We apply the trained RF model with optimized parameters to generate the classifier to be used for DDoS attack-detection. The experiment shows that the proposed method can effectively detect DDoS attacks in cloud environment with a higher accuracy rate and lower false- and missing-alarm rates compared to existing DDoS attack-detection methods.

show abstract