Extensions to the source path isolation engine for precise and efficient log-based IP traceback

Egon Hilgenstieler, Elias P. Duarte, Glenn Mansfield-Keeni, Norio Shiratori

    Research output: Contribution to journal › Article

    19 Citations (Scopus)

    Abstract

    IP traceback is used to determine the source and path traversed by a packet received from the Internet. In this work we first show that the Source Path Isolation Engine (SPIE), a classical log-based IP traceback system, can return misleading attack graphs in some particular situations, which may even make it impossible to determine the real attacker. We show that by unmasking the TTL field, SPIE returns a correct attack graph that precisely identifies the route traversed by a given packet, allowing the correct identification of the attacker. Nevertheless, an unmasked TTL poses new challenges for preserving the confidentiality of the communication among the system's components. We solve this problem by presenting two distributed algorithms for searching across the network overlay formed by the packet log bases. Two other extensions to SPIE are proposed that improve the efficiency of source discovery: separate logs are kept for each router interface, improving the distributed search procedure; and an efficient dynamic log paging strategy is employed, which is based on the actual capacity factor instead of the fixed time interval originally employed by SPIE. The system was implemented and experimental results are presented.

    Original language: English
    Pages (from-to): 383-392
    Number of pages: 10
    Journal: Computers and Security
    Volume: 29
    Issue number: 4
    DOIs: 10.1016/j.cose.2009.12.011
    Publication status: Published - 2010 Jun

    Keywords

    • Attack Response
    • Denial of service
    • Packet tracing
    • Traceback
    • Traffic logging

    ASJC Scopus subject areas

    • Computer Science(all)
    • Law

    Cite this

    Extensions to the source path isolation engine for precise and efficient log-based IP traceback. / Hilgenstieler, Egon; Duarte, Elias P.; Mansfield-Keeni, Glenn; Shiratori, Norio.

    In: Computers and Security, Vol. 29, No. 4, 06.2010, p. 383-392.

    Hilgenstieler, Egon; Duarte, Elias P.; Mansfield-Keeni, Glenn; Shiratori, Norio. / Extensions to the source path isolation engine for precise and efficient log-based IP traceback. In: Computers and Security. 2010; Vol. 29, No. 4. pp. 383-392.

    BibTeX

    @article{a134196dd6d34e0f8ffb19b3b174d51b,
    title = "Extensions to the source path isolation engine for precise and efficient log-based IP traceback",
    keywords = "Attack Response, Denial of service, Packet tracing, Traceback, Traffic logging",
    author = "Egon Hilgenstieler and Duarte, {Elias P.} and Glenn Mansfield-Keeni and Norio Shiratori",
    year = "2010",
    month = "6",
    doi = "10.1016/j.cose.2009.12.011",
    language = "English",
    volume = "29",
    pages = "383--392",
    journal = "Computers and Security",
    issn = "0167-4048",
    publisher = "Elsevier Limited",
    number = "4",

    }

    RIS

    TY - JOUR

    T1 - Extensions to the source path isolation engine for precise and efficient log-based IP traceback

    AU - Hilgenstieler, Egon

    AU - Duarte, Elias P.

    AU - Mansfield-Keeni, Glenn

    AU - Shiratori, Norio

    PY - 2010/6

    Y1 - 2010/6

    KW - Attack Response

    KW - Denial of service

    KW - Packet tracing

    KW - Traceback

    KW - Traffic logging

    UR - http://www.scopus.com/inward/record.url?scp=77951256934&partnerID=8YFLogxK

    UR - http://www.scopus.com/inward/citedby.url?scp=77951256934&partnerID=8YFLogxK

    U2 - 10.1016/j.cose.2009.12.011

    DO - 10.1016/j.cose.2009.12.011

    M3 - Article

    VL - 29

    SP - 383

    EP - 392

    JO - Computers and Security

    JF - Computers and Security

    SN - 0167-4048

    IS - 4

    ER -