Abstract
Analysis of security attacks shows that an attack leaves its imprint, or signature, in the attack packets. Traffic from Distributed Denial of Service attacks and rapid worm spreads has the potential to yield such signatures. While not all signatures are indicative of attacks, it is useful to extract non-transient signatures that are carried by a sufficient number of flows/packets/bytes. The number of packets/bytes in the flows carrying a signature may then be used to rate-limit those flows, providing a timely and automated response to both known and unknown attacks. This paper proposes an efficient algorithm, PISA, which clusters flows based on similarity in packet information and extracts signatures from high-bandwidth clusters. Extensive experiments on two weeks of real attack data of 100 million packets yield about 1744 signatures. Additionally, PISA extracted the signature for the Blaster worm connection attempts in a mix of traffic from a trans-Pacific backbone link.
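As an added illustration of the idea in the abstract (not PISA's own algorithm and not code from the paper), the Python below clusters constructed flow records on shared header-field values, keeps only clusters above a flow-count and byte threshold, prefers the most specific description of each cluster, and turns a cluster's measured byte count into a drop fraction for rate limiting. The field names, thresholds and flow records are assumptions; persistence across time windows (the "non-transient" test) is not modelled.

```python
from collections import defaultdict
from itertools import combinations

# Header fields a signature may constrain; kept in a fixed order so every
# signature tuple is built the same way regardless of which flow produced it.
FIELDS = ("src", "dst", "proto", "dport")

# Constructed flow records (not from the paper's trace): six small connection
# attempts to one service port from distinct sources, two bulk web flows, one DNS flow.
FLOWS = [
    {"src": f"10.0.0.{i}", "dst": f"192.0.2.{10 + i}", "proto": "tcp",
     "dport": 135, "packets": 3, "bytes": 180} for i in range(1, 7)
] + [
    {"src": "10.0.0.7", "dst": "192.0.2.20", "proto": "tcp", "dport": 80, "packets": 40, "bytes": 52000},
    {"src": "10.0.0.8", "dst": "192.0.2.20", "proto": "tcp", "dport": 80, "packets": 35, "bytes": 47000},
    {"src": "10.0.0.9", "dst": "192.0.2.30", "proto": "udp", "dport": 53, "packets": 2, "bytes": 160},
]

def matches(flow, sig):
    """True if the flow carries every (field, value) pair of the signature."""
    return all(flow[k] == v for k, v in sig)

def extract_signatures(flows, min_flows, min_bytes):
    """Cluster flows on every combination of header-field values and keep the
    clusters large enough (flow count and bytes) to be worth acting on.
    Returns {signature: (flows, packets, bytes)}; a signature is a tuple of
    (field, value) pairs ordered as in FIELDS."""
    stats = defaultdict(lambda: [0, 0, 0])
    for f in flows:
        for r in range(1, len(FIELDS) + 1):
            for combo in combinations(FIELDS, r):
                sig = tuple((k, f[k]) for k in combo)
                s = stats[sig]
                s[0] += 1
                s[1] += f["packets"]
                s[2] += f["bytes"]
    cand = {sig: tuple(s) for sig, s in stats.items()
            if s[0] >= min_flows and s[2] >= min_bytes}
    # Prefer the most specific description: drop a signature when a strict
    # superset of its field/value pairs covers exactly the same traffic.
    return {sig: st for sig, st in cand.items()
            if not any(set(sig) < set(other) and cand[other] == st for other in cand)}

def drop_probability(sig_stats, budget_bytes):
    """Fraction of a cluster's traffic to drop so that it fits a byte budget
    for the window: a rate limit keyed on the signature's measured volume."""
    _, _, total = sig_stats
    return 0.0 if total <= budget_bytes else 1.0 - budget_bytes / total

if __name__ == "__main__":
    for sig, st in sorted(extract_signatures(FLOWS, 3, 1000).items(), key=lambda kv: -kv[1][2]):
        print(dict(sig), "flows=%d packets=%d bytes=%d" % st, "drop=%.2f" % drop_probability(st, 540))
```

With the thresholds above, the port-135 cluster survives as the signature `proto=tcp, dport=135` (its less specific form `dport=135` is discarded because it covers identical traffic), while the two bulk web flows never reach the flow-count threshold.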
Copyright information
© 2005 Springer-Verlag Berlin Heidelberg
Cite this paper
Chhabra, P., John, A., Saran, H. (2005). PISA: Automatic Extraction of Traffic Signatures. In: Boutaba, R., Almeroth, K., Puigjaner, R., Shen, S., Black, J.P. (eds) NETWORKING 2005. Networking Technologies, Services, and Protocols; Performance of Computer and Communication Networks; Mobile and Wireless Communications Systems. NETWORKING 2005. Lecture Notes in Computer Science, vol 3462. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11422778_59
DOI: https://doi.org/10.1007/11422778_59
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-25809-4
Online ISBN: 978-3-540-32017-3