A TCAM-based solution for integrated traffic anomaly detection and policy filtering

Authors

  • Zhijun Wang
  • Hao Che
  • Jiannong Cao
  • Jingshan Wang
Abstract

The survivability of the future Internet is largely dependent on whether it will be able to successfully address both the security and the performance issues facing the Internet. On one hand, the Internet becomes more and more vulnerable due to fast-spreading malicious attacks. On the other hand, it is under great stress to meet ever-growing and changing application demands while having to sustain multi-gigabit forwarding performance. In this paper, we propose a Ternary Content Addressable Memory (TCAM) coprocessor-based solution for high-speed, integrated TCP flow anomaly detection and policy filtering. Attacking packets with spoofed source IP addresses are detected through two-dimensional (2D) matching. The key features of the solution are: (1) setting flag bits in the TCAM action code to support various packet treatments; (2) managing TCP flow state in pairs to do 2D matching. We evaluate the solution's ability to detect TCP-based flooding attacks based on real-world-trace simulations. The results show that the proposed solution can match the OC-192 line rate. Possible modifications of the solution for the detection of low-rate TCP-targeted attacks are also discussed.

ISSN 0140-3664. doi:10.1016/j.comcom.2009.07.016. © 2009 Elsevier B.V. All rights reserved.

Similar resources

Anomaly-based Web Attack Detection: The Application of Deep Neural Network Seq2Seq With Attention Mechanism

Today, the use of the Internet and Internet sites has been an integrated part of people's lives, and most activities and important data are on Internet websites. Thus, attempts to intrude into these websites have grown exponentially. Intrusion detection systems (IDS) for web attacks are one approach to protecting users. But these systems suffer from such drawbacks as low accuracy in ...

Geological noise removal in geophysical magnetic survey to detect unexploded ordnance based on image filtering

This paper describes the application of three straightforward image-based filtering methods to remove the geological noise effect which masks the magnetic signals of unexploded ordnance (UXO) in geophysical surveys. Three image filters, comprising mean, median and Wiener, are used to enhance the location of probable UXOs when they are embedded in a dominant background geological noise. The study ar...

Moving dispersion method for statistical anomaly detection in intrusion detection systems

A unified method for statistical anomaly detection in intrusion detection systems is theoretically introduced. It is based on estimating a dispersion measure of numerical or symbolic data on successive moving windows in time and finding the times when a relative change of the dispersion measure is significant. Appropriate dispersion measures, relative differences, moving windows, as well as tec...

Field classification, modeling and anomaly detection in unknown CAN bus networks

This paper describes a novel domain-aware anomaly detection system for in-car CAN bus network traffic. Through inspection of real CAN bus communication, we were able to split the messages into fields and identify the field types, without any prior knowledge of the message formats. We discovered the presence of Constant fields, Multi-Value fields and Counter or Sensor fields. Next we developed a...

Firewall Management for to Resolve the Policy Anomalies

A firewall is a security system for a network that controls the network traffic based on firewall rules. A firewall depends on its policy configuration, but managing that firewall policy is complex. Existing policy analysis tools, such as Firewall Policy Advisor and FIREMAN, can only detect policy anomalies and cannot resolve them, and detection time was also increased. Therefore, I re...

Journal title:
  • Computer Communications

Volume 32  Issue 

Pages  -

Publication date 2009