Reconstructing the Parameter for Massive Abnormal TCP Connections with Bloom Filter

Large-scale abnormal TCP behavior, such as DDoS and scanning, can be detected by metrics, and their experimental values, derived from the uniqueness of TCP connections. An algorithm named Bloom Filter Reproduction (BFR) is proposed to reconstruct the original parameters of large-scale abnormal TCP behavior concisely by means of enhanced simple hash functions. Without maintaining the 96-bit 5-tuple of each TCP connection, BFR can reconstruct the abnormal parameters, such as IP addresses or their aggregations, in a timely manner during the detection process. Experiments show that BFR can disclose several abnormal behaviors mixed in network traffic at the same time with high precision and low overhead.
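An added illustration of the idea, not the paper's BFR algorithm or its hash functions (the abstract does not specify them): a Bloom filter deduplicates TCP connections so the 5-tuple itself is never stored, per-octet counters reconstruct the source address of a host opening an abnormal number of connections, and a count-min sketch verifies the reconstructed candidates so two heavy sources are not cross-combined. Filter sizes, the threshold and the traffic are constructed assumptions.

```python
import hashlib
from itertools import product

M_BITS, K = 1 << 16, 3          # Bloom filter bits and hash count (constructed sizes)
CM_ROWS, CM_WIDTH = 3, 1024     # count-min sketch that verifies reconstructed candidates

def _idx(key: bytes, n: int, mod: int):
    # n bucket indices from one SHA-256 digest; a stand-in for the paper's hash functions
    d = hashlib.sha256(key).digest()
    return [int.from_bytes(d[4 * i:4 * i + 4], "big") % mod for i in range(n)]
class ConnectionTracker:
    """A Bloom filter records which 5-tuples were already seen (the tuple itself is never
    stored); new connections are counted per source-octet and in a count-min sketch."""
    def __init__(self):
        self.bits, self.new_conns = bytearray(M_BITS // 8), 0
        self.octets = [[0] * 256 for _ in range(4)]
        self.cm = [[0] * CM_WIDTH for _ in range(CM_ROWS)]
    def observe(self, src, sport, dst, dport):
        key = f"tcp/{src}:{sport}>{dst}:{dport}".encode()   # protocol is fixed to TCP
        idx = _idx(key, K, M_BITS)
        if all(self.bits[i >> 3] & (1 << (i & 7)) for i in idx):
            return False            # repeat packet of a known connection: not a new one
        for i in idx:
            self.bits[i >> 3] |= 1 << (i & 7)
        self.new_conns += 1
        for pos, octet in enumerate(src.split(".")):
            self.octets[pos][int(octet)] += 1
        for row, i in enumerate(_idx(src.encode(), CM_ROWS, CM_WIDTH)):
            self.cm[row][i] += 1
        return True
    def estimate(self, src):        # count-min upper bound on new connections from src
        return min(self.cm[r][i] for r, i in enumerate(_idx(src.encode(), CM_ROWS, CM_WIDTH)))
    def heavy_sources(self, threshold):
        # rebuild addresses from the hot octets of each position, then verify every candidate
        # so that octets of two different heavy sources are not cross-combined into a ghost
        hot = [[o for o, c in enumerate(col) if c >= threshold] for col in self.octets]
        cands = (".".join(map(str, c)) for c in product(*hot))
        return sorted(c for c in cands if self.estimate(c) >= threshold)

def demo():
    # constructed traffic: two hosts each open 300 distinct connections to one target and
    # retransmit every SYN once; 20 other hosts open 5 connections each
    t = ConnectionTracker()
    for src in ("10.0.0.5", "192.168.1.7"):
        for dport in range(1, 301):
            for _ in (0, 1):        # the second copy is a retransmission and is not counted
                t.observe(src, 40000, "10.9.9.9", dport)
    for i, dport in product(range(20), range(80, 85)):
        t.observe(f"172.16.{i}.2", 50000 + dport, "10.9.9.9", dport)
    return t
```

The per-octet counters and the sketch together occupy a few kilobytes regardless of how many distinct addresses appear, which is the point of reconstructing rather than storing them.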
