Using Online Traffic Statistical Matching for Optimizing Packet Filtering Performance

El-Atawy, Adel; Samak, Taghrid; Al-Shaer, Ehab; Li, Hong

doi:10.1109/infcom.2007.106

Cited by 56 publications

(26 citation statements)

References 22 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…To overcome this optimization problem, research works (Gupta et al, 2000;Hamed et al, 2006aHamed et al, , 2006bEl-Atawy et al, 2007;Al-Shear et al, 2009) proposed approaches that used statistical structures in optimizing the average packet filtering time. In (Gupta et al, 2000), alphabetic tree was used to reduce the lookup time by only searching packet destination IP addresses against entries in the routing c o m p u t e r s & s e c u r i t y 5 3 ( 2 0 1 5 ) 1 0 9 e1 3 1 table.…”

Section: Related Workmentioning

confidence: 99%

“…However the statistical trees were not able to scale well with the number of fields in the IDSs. To solve this problem, the authors in (El-Atawy et al, 2007) proposed a technique that is based on statistics collected from policy segments in order to build Huffman trees that dynamically adapt to the traffic statistics.…”

Section: Related Workmentioning

confidence: 99%

“…This is because unwanted traffic may traverse a long path before being rejected by the default rule. It has been proven in (Hamed et al, 2006a(Hamed et al, , 2006bEl-Atawy et al, 2007;Trabelsi et al, 2013aTrabelsi et al, , 2013b that rejection of such unwanted traffic as early as possible would considerably increase the firewall performance. Thus, BSPL with splaying property can be adapted to ensure early packet rejection through splaying min-node to root / left.…”

Section: Level 1: Optimization At the Splay Filtersmentioning

confidence: 99%

See 2 more Smart Citations

Statistical dynamic splay tree filters towards multilevel firewall packet filtering enhancement

Trabelsi¹,

Zeidan²,

Masud³

et al. 2015

Computers & Security

View full text Add to dashboard Cite

Section: Related Workmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

Section: Level 1: Optimization At the Splay Filtersmentioning

confidence: 99%

See 1 more Smart Citation

Statistical dynamic splay tree filters towards multilevel firewall packet filtering enhancement

Trabelsi¹,

Zeidan²,

Masud³

et al. 2015

Computers & Security

View full text Add to dashboard Cite

“…For example, an NIDS evasion method [6] was proposed through algorithmic complexity attacking the rule matching algorithm, making inspection times 1.5 million times slower. In [7], the skewness in network traffic distribution was utilized to yield effective attacks. Recently, attacks based on algorithmic complexity were proposed for Snort [8], [9] and regular expression matching systems [10].…”

Section: B Related Workmentioning

confidence: 99%

Attacking Pattern Matching Algorithms Based on the Gap between Average-Case and Worst-Case Complexity

Liu¹,

Liu²,

Li³

et al. 2013

JACN

View full text Add to dashboard Cite

Abstract-We have developed an effective method to generate attack data for widely-used pattern matching algorithms. Perceived to be a fundamental problem in the field of computer science, pattern matching has received extensive attention in research and has been used in a variety of fields to include information retrieval, computational biology, information security, etc. The extensive applications of pattern matching are mainly rooted in the fact that pattern matching algorithms, such as SBOM and WuManber, typically have a low time-complexity. However, in the worst case time-complexities of algorithms are very high, making pattern matching algorithms vulnerable to algorithmic complexity attacks (in other words, one might significantly slow down pattern matching algorithms simply by feeding them with specifically-designed text). In this study, we investigated this potential vulnerability by proposing a dynamic programming method designed to attack text having knowledge of patterns. Experimental results suggest that SBOM and WuManber run the specifically-designed text slower than random text (real text). Interestingly, it has been observed that the attacking method is still effective even when parts of patterns are only known, meaning that even a leak of small proportions has the potential to lead to severe attacks. Finally, we propose some suggestions to reduce the risks of these attacks. To the best of our knowledge, this is the first time that an attacking pattern matching approach is proposed based on algorithm complexity.Index Terms-Computer security, algorithmic complexity attacks, pattern matching, SBOM algorithm, WuManber algorithm.

show abstract

“…The clear difference in skewness measure of various traffic and field values between spam and benign traffic is used as fingerprinting for spambots. The skewness distribution of Internet traffic was exploited to enhance filtering in [5], [4].…”

Section: A Measuring Skewness In Traffic Distributionmentioning

confidence: 99%

Information Theoretic Approach for Characterizing Spam Botnets Based on Traffic Properties

Smith

Al-Shaer

Elbadawi

2009

2009 IEEE International Conference on Communications

Self Cite

View full text Add to dashboard Cite

In this paper, we present several novel identifying characteristics of spam-sending bots (or spambots) based on traffic statistics. We use the entropy to measure the distribution skewness for a number of traffic features including packet interdeparture time, email per recipients, rate of change in recipient list and destination domains, and inconsistency in email header information of the outgoing email traffic. We also show how we can measure the deviation in these features from benign emails traffic to decisively detect spambots. Our tool is developed to sit anonymously behind the mail server in a network, capturing SMTP data packets and analyzing the traffic while keeping all of the personal email data private and unrecoverable. Unlike content filtering, our technique is hard to evade and used to detect spam email close to the source. In addition, our technique uses online light weight calculations and can be efficiently deployed in the end-user or ISP devices as well. We evaluated our technique using about 6 million email records of real spambot traffic collected during June 2007 -June 2008. Our evaluation results show that our tool can detect spambots accurately and efficiently even with high traffic volume.

show abstract

Using Online Traffic Statistical Matching for Optimizing Packet Filtering Performance

Cited by 56 publications

References 22 publications

Statistical dynamic splay tree filters towards multilevel firewall packet filtering enhancement

Statistical dynamic splay tree filters towards multilevel firewall packet filtering enhancement

Attacking Pattern Matching Algorithms Based on the Gap between Average-Case and Worst-Case Complexity

Information Theoretic Approach for Characterizing Spam Botnets Based on Traffic Properties

Contact Info

Product

Resources

About