Communities of Interest for Internet Traffic Prioritization

Communities of Interest (COIs) have been studied in the past to classify traffic within an enterprise network and to mitigate denial-of-service (DoS) attacks. We investigate the use of COIs to prioritize known good traffic on the Internet. Under our system, an ISP may construct a COI for each of its enterprise customers. The COI would contain entities that have previously had good communications with the customer. These COIs could then be used in combination with traffic-differentiating mechanisms during periods of heavy traffic to prioritize traffic from communicating entities known to be good. We show that it is possible to construct an effective COI from information that would be available to an ISP about its customers, specifically sampled NetFlow data. We investigate various heuristics to determine which flows actually represent good traffic whose endpoints should be inserted into the COI, and show that our heuristics are effective in differentiating wanted and unwanted traffic.
