2nd International ICST Conference on Security and Privacy in Comunication Networks

Research Article

A Double Horizon Defense Design for Robust Regulation of Malicious Traffic

  • @INPROCEEDINGS{10.1109/SECCOMW.2006.359585,
        author={Ying  Xu and Roch  Guerin},
        title={A Double Horizon Defense Design for Robust Regulation of Malicious Traffic},
        proceedings={2nd International ICST Conference on Security and Privacy in Comunication Networks},
        publisher={IEEE},
        proceedings_a={SECURECOMM},
        year={2007},
        month={5},
        keywords={},
        doi={10.1109/SECCOMW.2006.359585}
    }
    
  • Ying Xu
    Roch Guerin
    Year: 2007
    A Double Horizon Defense Design for Robust Regulation of Malicious Traffic
    SECURECOMM
    IEEE
    DOI: 10.1109/SECCOMW.2006.359585
Ying Xu1,*, Roch Guerin1,*
  • 1: Department of Electrical and Systems Engineering, University of Pennsylvania, Philadelphia.
*Contact email: yingx@seas.upenn.edu, guerin@ee.upenn.edu

Abstract

Deploying defense mechanisms in routers holds promises for protecting infrastructure resources such as link bandwidth or router buffers against network denial-of-service (DoS) attacks. However, in spite of their efficacy against brute-force flooding attacks, existing router-based defenses often perform poorly when confronted to more sophisticated attack strategies. This paper presents the design and evaluation of a system aimed at identifying and containing a broad range of malicious traffic patterns. Its main feature is a double time horizon architecture, designed for effective regulation of attacking traffic at both short and long time scales. The short horizon component responds quickly to transient traffic surges that deviate significantly from regular (TCP) traffic, i.e., attackers that generate sporadic short bursts. Conversely, the long horizon mechanism enforces strict conformance with normal TCP behavior, but does so by considering traffic over longer time periods, and is therefore aimed at attackers that attempt to capture a significant amount of link bandwidth. The performance of the proposed system was tested extensively. Our findings suggest that the implementation cost of the system is reasonable, and that it is indeed efficient against various types of attacks while remaining transparent to normal TCP users