Enhancing List-Based Packet Filter Using IP Verification Mechanism against IP Spoofing Attack in Network Intrusion Detection

  • Yuxin Meng
  • Lam-for Kwok
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7645)


Signature-based network intrusion detection systems (NIDSs) have become an essential part of current network security infrastructure for identifying different kinds of network attacks. However, signature matching is a major problem for these systems, as the cost of signature matching is at least linear in the size of an input string. To mitigate this issue, we previously developed a context-aware packet filter that uses the blacklist technique to filter out network packets for a signature-based NIDS, and achieved good results. However, the effect of the whitelist technique was not explored in that work. In this paper, we therefore aim to develop a list-based packet filter by combining the whitelist technique with the blacklist-based packet filter under some specific conditions, and to investigate the effect of the whitelist on packet filtration. To protect both the blacklist and the whitelist, we employ an IP verification mechanism to defend against IP spoofing attacks. We implemented the list-based packet filter in a network environment and evaluated it with two distinct datasets. The experimental results show that, when deployed with the IP verification mechanism, the whitelist technique can improve packet filtration without lowering network security.


Intrusion Detection System; Network Packet Filter; List Technique; Network Security and Performance; IP Verification



Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  • Yuxin Meng (1)
  • Lam-for Kwok (1)
  1. Department of Computer Science, City University of Hong Kong, Hong Kong SAR, China
