Publication


Featured research published by Cheng-Yuan Ho.


IEEE Communications Magazine | 2012

Statistical analysis of false positives and false negatives from real traffic with intrusion detection/prevention systems

Cheng-Yuan Ho; Yuan-Cheng Lai; I-Wei Chen; Fu-Yu Wang; Wei-Hsuan Tai

False positives and false negatives happen to every intrusion detection and intrusion prevention system. This work proposes a mechanism for false positive/negative assessment with multiple IDSs/IPSs to collect FP and FN cases from real-world traffic and statistically analyze these cases. Over a period of 16 months, more than 2000 FPs and FNs have been collected and analyzed. From the statistical analysis results, we obtain three interesting findings. First, more than 92.85 percent of false cases are FPs even if the numbers of attack types for FP and FN are similar. That is mainly because the behavior of applications or the format of the application content is self-defined; that is, there is not complete conformance to the specifications of RFCs. Accordingly, when this application meets an IDS/IPS with strict detection rules, its traffic will be regarded as malicious traffic, resulting in a lot of FPs. Second, about 91 percent of FP alerts, equal to about 85 percent of false cases, are not related to security issues, but to management policy. For example, some companies and campuses limit or forbid their employees and students from using peer-to-peer applications; therefore, in order to easily detect P2P traffic, an IDS/IPS is configured to be sensitive to it. Hence, this causes alerts to be triggered easily regardless of whether the P2P application has malicious traffic or not. The last finding shows that buffer overflow, SQL server attacks, and worm slammer attacks account for 93 percent of FNs, even though they are aged attacks. This indicates that these attacks always have new variations to evade IDS/IPS detection.


Computer Networks | 2008

Fast retransmit and fast recovery schemes of transport protocols: A survey and taxonomy

Cheng-Yuan Ho; Yaw-Chung Chen; Yi-Cheng Chan; Cheng-Yun Ho

Although there are two standard transport protocols, TCP and UDP, offering services in the Internet, the majority of the traffic over the Internet is TCP-based. TCP-based applications can react to packet losses; however, many performance problems have been recently observed in the Internet. To resolve these problems, several new TCP fast retransmit and fast recovery algorithms have been proposed. This article surveys state-of-the-art fast retransmit and fast recovery mechanisms of TCP to address the lost packet problem, and presents a description of some useful algorithms, design issues, advantages, and disadvantages. The objective of this article is fourfold: to provide an introduction to TCP protocol; to discuss problems degrading TCP retransmission performance in the present-day Internet; to describe some proposed transport protocols that solve a number of throughput issues; and finally, to gain new insight into these protocols and thereby suggest avenues for future research. Based on our taxonomy, existing fast retransmit and fast recovery schemes of transport protocols are described in this survey.


Ad Hoc Networks | 2013

A cross-layer approach for real-time multimedia streaming on wireless peer-to-peer ad hoc network

Jun-Li Kuo; Chen-Hua Shih; Cheng-Yuan Ho; Yaw-Chung Chen

Peer-to-peer (P2P) live streaming over mobile ad hoc network (MANET) is a state-of-the-art technique for wireless multimedia applications, such as entertainments and disaster recovery. The peers share the live streaming over MANET via multi-hop wireless link, so an efficient data delivery scheme must be required. However, the high churn rate and the frequent mobility baffle the P2P membership management and overlay maintenance. The unreliable wireless connection of MANET leads to the difficulties of large-scale and real-time streaming distribution, and a lack of overlay proximity leads to the inefficient streaming delivery. We present a cross-layer design for P2P over MANET to manage and maintain the overlay, and select efficient routing path to multicast media streams. Our proposed scheme (COME-P2P) integrates both P2P DHT-based lookup and IPv6 routing header to improve the delivery efficiency. Through the cross-layer design, the low layer detects mobility for informing high layer to refine the finger table, and high layer maintains the efficient multicast path for informing low layer to refine the routing table. How to keep stable routing paths for live streaming via IPv6 routing is the main contribution of this paper. The overlay proximity can shorten routing propagation delay, and the hop-by-hop routing can avoid the traffic bottleneck. Through the mathematical analysis and simulation results, COME-P2P can be demonstrated to achieve high smoothness and reduce signaling overhead for live streaming.


International Conference on Parallel and Distributed Systems | 2004

Performance improvement of congestion avoidance mechanism for TCP Vegas

Yi-Cheng Chan; Chia-Tai Chan; Yaw-Chung Chen; Cheng-Yuan Ho

In this paper, we propose a router-based congestion avoidance mechanism (RoVegas) for TCP Vegas. TCP Vegas detects network congestion in the early stage and successfully prevents periodic packet loss that usually occurs in TCP Reno. It has been demonstrated that TCP Vegas outperforms TCP Reno in many aspects. However, TCP Vegas suffers several problems that inhere in its congestion avoidance mechanism; these include issues of rerouting, persistent congestion, fairness, and network asymmetry. By performing the proposed scheme in routers along the round-trip path, RoVegas can solve the problems of rerouting and persistent congestion, enhance the fairness among the competitive connections, and improve the throughput when congestion occurs on the backward path. Through the results of both analysis and simulation, we demonstrate the effectiveness of RoVegas.


Computer Communications | 2010

CODE TCP: A competitive delay-based TCP

Yi-Cheng Chan; Chia-Liang Lin; Chia-Tai Chan; Cheng-Yuan Ho

TCP Vegas is a well-known delay-based congestion control mechanism. Studies have indicated that TCP Vegas outperforms TCP Reno in many aspects. However, Reno currently remains the most widely deployed TCP variant in the Internet. This is mainly because of the incompatibility of Vegas with Reno. The performance of Vegas is generally mediocre in environments where it coexists with Reno. Hence, there exists no incentive for operating systems to adopt Vegas as the default transport layer protocol. In this study, we propose a new variant of Vegas called COmpetitive DElay-based TCP (CODE TCP). This variant is compatible with Reno and it can obtain a fair share of network resources. CODE is a sender-sided modification and hence it can be implemented solely at the end host. Simulations and experiments confirm that CODE has better fairness characteristics in network environments in which it coexists with Reno while retaining the good features of Vegas.


Journal of Network and Computer Applications | 2013

CAN: A context-aware NAT traversal scheme

Chien-Chao Tseng; Chia-Liang Lin; Li-Hsing Yen; Jyun-Yan Liu; Cheng-Yuan Ho

Network Address Translation (NAT) is a technique commonly used to share one public IPv4 address among several hosts located behind a NAT device. NAT devices typically block session requests originating from outside, causing the NAT traversal problem that prevents the establishment of peer-to-peer (P2P) sessions. There have been many proposals for the NAT traversal problem. However, existing methods induce high connectivity check delay and resource demand when finding a communicating path, calling for a routine that determines the path best suited for a given pair of communicating peers. This study proposes CAN, a Context-Aware NAT traversal scheme which gathers and exchanges network-context information to find the most appropriate path for two communicating peers behind NAT devices. We have implemented CAN and conducted extensive experiments with off-the-shelf NAT devices to compare the performance of CAN with Interactivity Connectivity Establishment (ICE), the most acknowledged approach to creating a session across NATs. Experimental results show that CAN outperforms ICE in terms of direct communication ratio, connectivity check delay and message overload when checking connectivity.


Computers & Security | 2013

Creditability-based weighted voting for reducing false positives and negatives in intrusion detection

Ying-Dar Lin; Yuan-Cheng Lai; Cheng-Yuan Ho; Wei-Hsuan Tai

False positives (FPs) and false negatives (FNs) happen in every Intrusion Detection System (IDS). How often they occur is regarded as a measurement of the accuracy of the system. Frequent occurrences of FPs not only reduce the throughput of an IDS, as FPs block the normal traffic, but also degrade its trustworthiness. It is also difficult to eradicate all FNs from an IDS. One way to overcome the shortcomings of a single IDS is to employ multiple IDSs in its place and leverage the different capabilities and domain knowledge of these systems. Nonetheless, making a correct intrusion decision based on the outcomes of multiple IDSs has been a challenging task, as different IDSs may respond differently to the same packet trace. In this paper, we propose a method to reduce FPs and FNs by applying a creditability-based weighted voting (CWV) scheme to the outcomes of multiple IDSs. First, the CWV scheme evaluates the creditability of each individual IDS by monitoring its response to a large collection of pre-recorded packet traces containing various types of intrusions. For each IDS, our scheme then assigns different weights to each intrusion type according to its FP and FN ratios. Later, after their operations, the outcomes of individual IDSs are merged using a weighted voting scheme. In benchmarking tests, our CWV-based multiple IDSs demonstrated significant improvement in accuracy and efficiency when compared with multiple IDSs employing an ordinary majority voting (MV) scheme. The accuracy is the percentage of whole traces that are determined accurately, while the efficiency indicates that the voting algorithm performs better on reducing both FP and FN ratios. The CWV scheme achieved 95% accuracy and 94% efficiency while the MV scheme produced only 66% accuracy and 41% efficiency; the average percentages of FP/FN reduction were 21% and 58% respectively.


IEEE Communications Letters | 2011

To Call or To Be Called Behind NATs is Sensitive in Solving the Direct Connection Problem

Cheng-Yuan Ho; Chien-Chao Tseng; Fu-Yu Wang; Jui-Tang Wang; Ying-Dar Lin

In this article, we first depict the call-role sensitivity problem in Network Address Translation (NAT) traversal, and then propose an approach to resolving the problem. The problem is that whether a direct connection can be found between two peers across NATs mainly depends on the NAT type at the caller's side. We propose the extra-candidate connectivity check where both peers initiate a direct connectivity check to eliminate the effect of the call role. We have implemented the extra-candidate connectivity check and conducted experiments with 18 different NATs. Experimental results show that our approach can indeed resolve the call-role sensitivity problem, and maximize the direct connectivity rate (DCR) which is improved by 18.71% from the original scheme.


IET Communications | 2007

WARD: a transmission control protocol-friendly stateless active queue management scheme

Cheng-Yuan Ho; Yi-Cheng Chan; Yaw-Chung Chen

In this article, the problem of providing a fair bandwidth allocation to the flows sharing a congested link in a router is investigated. Queue management, bandwidth share and congestion control are very important to both the robustness and fairness of the Internet. The buffer at the outgoing link is a simple FIFO, shared by packets belonging to the flows. A new transmission control protocol (TCP)-friendly router-based active queue management scheme, termed WARD, is proposed to approximate the fair queueing policy. WARD is a simple packet-dropping algorithm with a random mechanism which discriminates against flows that submit more packets per second than is allowed as their fair share. By doing this, it not only protects TCP connections from user datagram protocol flows, but also solves the problem of competing bandwidth among different TCP versions, such as TCP Vegas and TCP Reno. In addition, WARD works quite well for TCP flow isolation even with different round trip times. In other words, WARD improves the unfair bandwidth allocation properties. Furthermore, as it is stateless and easy to implement, WARD controls unresponsive or misbehaving flows with only a minimum overhead.


International Conference on Parallel and Distributed Systems | 2005

An enhanced slow-start mechanism for TCP Vegas

Cheng-Yuan Ho; Yi-Cheng Chan; Yaw-Chung Chen

In this article, we present a new slow-start variant, which improves the throughput of transmission control protocol (TCP) Vegas. We call this new mechanism Gallop-Vegas because it quickly ramps up to the available bandwidth and reduces the burstiness during the slow-start phase. TCP is known to send bursts of packets during its slow-start phase due to the fast window increase and the ACK-clock based transmission. This phenomenon causes TCP Vegas to change from slow-start phase to congestion-avoidance phase too early in the large bandwidth-delay product (BDP) links. Therefore, in Gallop-Vegas, we increase the congestion window size with a rate between exponential growth and linear growth during slow-start phase. Our analysis, simulation results, and measurements on the Internet show that Gallop-Vegas significantly improves the performance of a connection, especially during the slow-start phase. Furthermore, it is implementation feasible because only sending part needs to be modified.

Top Co-Authors

Yaw-Chung Chen

National Chiao Tung University

Yi-Cheng Chan

National Changhua University of Education

Chien-Chao Tseng

National Chiao Tung University

Ying-Dar Lin

National Chiao Tung University

Cheng-Yun Ho

National Chiao Tung University

Yuan-Cheng Lai

National Taiwan University of Science and Technology

Chen-Hua Shih

National Chiao Tung University

Chia-Liang Lin

National Chiao Tung University

Fu-Yu Wang

National Chiao Tung University

Chia-Tai Chan

National Chiao Tung University
