Analysis of security attacks shows that an attack leaves its imprint or signature in the attack packets. Traffic from Distributed Denial of Service attacks and rapid worm spreads has the potential to yield signatures. While all signatures may not be indicative of attacks, it is useful to extract non-transient signatures that are carried by a sufficient number of flows/packets/bytes. The number of packets/bytes in the flows carrying the signature may be used for rate-limiting the flows, providing for timely and automated response to both known and unknown attacks. This paper proposes an efficient algorithm, PISA, which clusters flows based on similarity in packet information and extracts signatures from high-bandwidth clusters. Extensive experiments on two weeks of real attack data of 100 million packets yield about 1744 signatures. Additionally, PISA extracted the signature for the Blaster worm connection attempts in a mix of traffic from a trans-Pacific backbone link.


Signatures Traffic Clusters Security DDoS Worms 


  1. 1.
    CERT, Vulnerabilities, Incidents and Fixes,
  2. 2.
    Duda, R.O., Hard, P.E.: Pattern Classification and Scene Analysis. Wiley-Interscience, NY (1973)zbMATHGoogle Scholar
  3. 3.
    Estan, C., Savage, S., Varghese, G.: Automatically Inferring Patterns of Resource Consumption in Network Traffic. In: Proceedings of the ACM SIGCOMM Conference, Karlsruhe, Germany (August 2003)Google Scholar
  4. 4.
    Jagadish, H.V., Madar, J., Ng, R.T.: Semantic Compression and Pattern Extraction with Fascicles. In: Proceedings of 25th VLDB, pp. 186–198 (1999)Google Scholar
  5. 5.
    Jain, A.K., Dubes, R.C.: Algorithms for Clustering Data. Prentice Hall, New Jersey (1988)zbMATHGoogle Scholar
  6. 6.
    Jin, C., Wang, H., Shin, K.G.: Hop-Count Filtering: An Effective Defense Against Spoofed DDoS Traffic. In: ACM Conference on Computer and Communications Security (CCS 2003) (October 2003)Google Scholar
  7. 7.
    Dittrich, D.: Distributed Denial of Service Attacks/Tools,
  8. 8.
    Kim, H.-A., Karp, B.: Autograph: Toward Automated, Distributed Worm Signature Detection. In: Proceedings of the 13th Usenix Security Symposium (Security 2004), San Diego, CA (August 2004)Google Scholar
  9. 9.
    Mahajan, R., Bellovin, S.M., Floyd, S., Ioannidis, J., Paxson, V., Shenker, S.: Controlling High Bandwidth Aggregates in the Network. Computer Communications Review 32(3), 62–73 (2002)CrossRefGoogle Scholar
  10. 10.
    Mannila, H., Toivonen, H.: Level_Wise search and borders of theories in knowledge discovery. Data Mining and Knowledge Discovery 1(3), 241–258Google Scholar
  11. 11.
    Moore, D., Voelker, G., Savage, S.: Inferring Internet Denial of Service Activity. In: Proceedings of the 2001 USENIX Security Symposium, Washington, D.C. (August 2001)Google Scholar
  12. 12.
    Singh, S., Estan, C., Varghese, G., Savage, S.: Automated Worm Fingerprinting. In: Proceedings of the 6th ACM/USENIX OSDI Symposium, San Francisco, CA (December 2004)Google Scholar
  13. 13.
    MAWI Working Group, Packet traces from WIDE backbone,
  14. 14.
    UCSD Network Telescope Backscatter Datasets for February 2001, CAIDA,
  15. 15.
    Chhabra, P., et al.: XCHOKe: Malicious Source Control for Congestion Avoidance at Internet Gateways. In: Proceedings of 10th IEEE ICNP (2002)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2005

Authors and Affiliations

  • Parminder Chhabra
    • 1
  • Ajita John
    • 2
  • Huzur Saran
    • 3
  1. 1.Winlab, RutgersThe State University of New JerseyUSA
  2. 2.Avaya Labs ResearchLincroftUSA
  3. 3.Dept. of CS & EngIndian Institute of TechnologyNew DelhiIndia

Personalised recommendations