Design of Bloom Filter Array for Network Anomaly Detection

Design of Bloom Filter Array for Network Anomaly Detection. Author: Jieyan Fan, Dapeng Wu, Kejie Lu, Antonio Nucci. Publisher: IEEE GLOBECOM 2006. Presenter: Hsin-Mao Chen. Date: 2009/10/21. Outline: Introduction, Background, Bloom Filter Array, Data Structures, Algorithm

Presentation Transcript


  1. Design of Bloom Filter Array for Network Anomaly Detection • Author: Jieyan Fan, Dapeng Wu, Kejie Lu, Antonio Nucci • Publisher: IEEE GLOBECOM 2006 • Presenter: Hsin-Mao Chen • Date: 2009/10/21

  2. Outline • Introduction • Background • Bloom Filter Array • Data Structures • Algorithm • Random-keyed Hash Function • Analysis • Performance

  3. Introduction • Distributed Denial of Service (DDoS) attacks are a major threat to the Internet. • TCP-based DDoS attacks that use spoofed source IP addresses are detected at the edge router through two-directional matching.

  4. Background • Two-directional (2D) matching: a normal TCP flow generated from one end host to another should have a corresponding flow in the other direction.

  5. Background

  6. Background • Bloom Filter [Figure: items Data1, Data2, Data3 are mapped by K hash functions h1(), h2(), h3() into an M-bit vector]

  7. Bloom Filter Array • The key idea is to use a Bloom filter array to trade off some accuracy for much lower space and time complexity.

  8. Data Structures • A smaller time slot τ, with Γ = w × τ, where w is an integer. • Two arrays of bit vectors, {IV_i} and {RV_i}, i ∈ Z_w. • An array of integers {C_i}, i ∈ Z_w. • K hash functions, h_i(·), i ∈ Z_K. [Figure: window Γ divided into w slots of length τ; slot i holds IV_i, RV_i and C_i; all slots share h1(), h2(), …, hk()]

  9. Algorithm • Add new unmatched inbound flow. • Inbound packet is stored in at least one RV_j. • Inbound packet is stored in IV_(i % w). [Figure: window Γ divided into w slots of length τ; slot i holds IV_i, RV_i and C_i; all slots share h1(), h2(), …, hk()]

  10. Algorithm • The first matched outbound packet comes. • Outbound packet is not contained in RV_(j % w). • Outbound packet is contained in IV_(j % w). [Figure: window Γ divided into w slots of length τ; slot i holds IV_i, RV_i and C_i; all slots share h1(), h2(), …, hk()]

  11. Random-keyed Hash Function • One kernel hash function with K randomly generated keys. • We can generate as many keys as we want. • The security issue is solved.
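
The data structures and per-packet cases from slides 8 to 11, put together as an added example (not code from the presentation or the paper). Assumptions: keyed BLAKE2b stands in for the kernel hash, the class and method names are hypothetical, the two inbound conditions on slide 9 are read as the cases in which nothing is added, and the end_slot() rotation that reports and clears the oldest slot is not described on the slides.

```python
import hashlib
import secrets


class BloomFilterArray:
    """Added example: w slots; slot j holds IV[j], RV[j] (bit vectors as ints), C[j]."""

    def __init__(self, w=4, m=1 << 16, K=4, keys=None):
        self.w, self.m, self.i = w, m, 0  # i counts elapsed slots of length tau
        self.keys = keys or [secrets.token_bytes(16) for _ in range(K)]  # K random keys
        self.IV, self.RV, self.C = [0] * w, [0] * w, [0] * w

    def _mask(self, sig):  # kernel hash = keyed BLAKE2b (assumed), one key per position
        mask = 0
        for key in self.keys:
            h = hashlib.blake2b(repr(sig).encode(), key=key, digest_size=8).digest()
            mask |= 1 << (int.from_bytes(h, "big") % self.m)
        return mask

    def inbound(self, sa, da, sp, dp):
        mask, cur = self._mask((sa, da, sp, dp)), self.i % self.w
        if any((rv & mask) == mask for rv in self.RV):
            return  # contained in at least one RV_j: flow already matched
        if (self.IV[cur] & mask) == mask:
            return  # contained in IV_(i % w): already recorded in this slot
        self.IV[cur] |= mask
        self.C[cur] += 1  # new unmatched inbound flow

    def outbound(self, sa, da, sp, dp):
        mask = self._mask((da, sa, dp, sp))  # signature of the inbound direction
        for j in range(self.w):
            if (self.IV[j] & mask) == mask and (self.RV[j] & mask) != mask:
                self.RV[j] |= mask  # first matched outbound packet for slot j
                self.C[j] -= 1

    def end_slot(self):  # assumed rotation: report and clear the slot being reused
        self.i += 1
        old = self.i % self.w
        unmatched, self.C[old] = self.C[old], 0
        self.IV[old] = self.RV[old] = 0
        return unmatched


def demo():  # constructed traffic: three inbound flows, only the first is answered
    bfa = BloomFilterArray(w=2)
    for sp in (40000, 40001, 40002):
        bfa.inbound("198.51.100.7", "10.0.0.5", sp, 80)
    bfa.outbound("10.0.0.5", "198.51.100.7", 80, 40000)
    return bfa.C[0]  # unmatched inbound flows recorded in slot 0
```

Because the keys are drawn at random per instance, an outside sender cannot precompute signatures that collide in the bit vectors, which is the security property slide 11 refers to.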

  12. Analysis

  13. Performance • Trace data provided by Auckland University. • <SA,DA,SP,DP> as the signature of the packets. • 2.4 GHz CPU and 1 GB of memory. • There are 78501441 packets in the trace. • The average processing rate is 265000 packets/second.

  14. Performance • [Figure: number of unmatched SYN packets]
