Packet Filtering

Jun Xu - One of the best experts on this subject based on the ideXlab platform.

  • IP traceback-based intelligent Packet Filtering: A novel technique for defending against Internet DDoS attacks
    Proceedings - International Conference on Network Protocols ICNP, 2008
    Co-Authors: Minho Sung, Jun Xu
    Abstract:

    Distributed Denial of Service (DDoS) is one of the most difficult security problems to address. While many existing techniques (e.g., IP traceback) focus on tracking the location of the attackers after-the-fact, little is done to mitigate the effect of an attack while it is raging on. We present a novel technique that can effectively filter out the majority of DDoS traffic, thus improving the overall throughput of the legitimate traffic. The proposed scheme leverages on and generalizes the IP traceback schemes to obtain the information concerning whether a network edge is on the attacking path of an attacker ("infected") or not ("clean"). We observe that, while an attacker will have all the edges on its path marked as "infected," edges on the path of a legitimate client will mostly be "clean". By preferentially filtering out packets that are inscribed with the marks of "infected" edges, the proposed scheme removes most of the DDoS traffic while affecting legitimate traffic only slightly. Simulation results based on real-world network topologies all demonstrate that the proposed technique can improve the throughput of legitimate traffic by three to seven times during DDoS attacks.

  • IP traceback-based intelligent packet filtering: A novel technique for defending against Internet DDoS attacks
    International Conference on Network Protocols, 2002
    Co-Authors: Minho Sung, Jun Xu
    Abstract:

    Distributed denial of service (DDoS) is one of the most difficult security problems to address. While many existing techniques (e.g., IP traceback) focus on tracking the location of the attackers after-the-fact, little is done to mitigate the effect of an attack while it is raging on. We present a novel technique that can effectively filter out the majority of DDoS traffic, thus improving the overall throughput of the legitimate traffic. The proposed scheme leverages on and generalizes the IP traceback schemes to obtain the information concerning whether a network edge is on the attacking path of an attacker ("infected") or not ("clean"). We observe that while an attacker will have all the edges on its path marked as "infected", edges on the path of a legitimate client will mostly be "clean". By preferentially filtering out packets that are inscribed with the marks of "infected" edges, the proposed scheme removes most of the DDoS traffic while affecting legitimate traffic only slightly. Simulation results based on real-world network topologies (e.g., Skitter) all demonstrate that the proposed technique can improve the throughput of legitimate traffic by 3 to 7 times during DDoS attacks.

Minho Sung - One of the best experts on this subject based on the ideXlab platform.

Reza Askari Moghadam - One of the best experts on this subject based on the ideXlab platform.

  • Increasing overall network security by integrating signature-based NIDS with Packet Filtering firewall
    IJCAI International Joint Conference on Artificial Intelligence, 2009
    Co-Authors: Hamed Salehi, Hossein Shirazi, Reza Askari Moghadam
    Abstract:

    Today, network intrusion detection and intrusion prevention systems (NIDS/IPS) are considered one of the hottest topics in computer security. On the other side, firewalls have been optimized several times and different types have been introduced. Today, by integrating NIDS and firewall, a new product has come to the market, which is called IPS. IPSs protect information systems from unauthorized access, damage or disruption. They are installed at the network's primary point and perform deep packet inspection (6 layers), so the hardware should be fast enough to sit almost invisibly within the network. This policy requires expensive hardware based on multiple server processor technology. It also needs appropriate changes in network design and policies. The cost may not be so reasonable for medium and small size companies. In this paper we implement a kind of integration between signature-based NIDS and packet filtering firewalls which would increase the overall security at a reasonable cost in comparison with modern IPSs. We try to achieve this by optimizing Snort, a famous open source NIDS, with a sample firewall program in Linux which is implemented by means of IPTABLES commands. The data is transferred in standard XML format. We also test the model with the standard DARPA99 data sets, and the results are satisfactory.

Hamed Salehi - One of the best experts on this subject based on the ideXlab platform.

Ehab Al-shaer - One of the best experts on this subject based on the ideXlab platform.

  • Adaptive early Packet Filtering for defending firewalls against DoS attacks
    Proceedings - IEEE INFOCOM, 2009
    Co-Authors: Adel El-atawy, Ehab Al-shaer
    Abstract:

    A major threat to data networks is based on the fact that some traffic can be expensive to classify and filter, as it will undergo a longer than average list of filtering rules before being rejected by the default deny rule. An attacker with some information about the access-control list (ACL) deployed at a firewall or an intrusion detection and prevention system (IDS/IPS) can craft packets that will have maximum cost. In this paper, we present a technique that is lightweight, traffic-adaptive and can be deployed on top of any filtering mechanism to pre-filter unwanted expensive traffic. The technique utilizes Internet traffic characteristics coupled with a special, carefully tuned representation of the policy to generate early defense policies. We use Boolean expressions built as binary decision diagrams (BDD) to represent relaxed versions of the policy that are faster to evaluate. Moreover, it is guaranteed that the technique will not add an overhead that will not be compensated by the gain in filtering time in the underlying filtering method. Evaluation has shown considerable savings to the overall filtering process, thus saving the firewall processing power and increasing overall throughput. Also, the overhead changes according to the traffic behavior, and can be tuned to guarantee its worst case time cost.