Yabo Dong

Multi-Fractal Characteristics of Mobile Node's Traffic in Wireless Mesh Network with AODV and DSDV Routing Protocols

The analysis of traffic characteristics can be used for performance evaluation, design and implementation of routing protocols in WMNs (Wireless Mesh Networks). Higher bursty traffic will cause larger queue size, which means more dropping packets, and thus affects other metrics. Because burstiness can be modeled by multi-fractal characteristics effectively, multi-fractal characteristics of mobile node’s traffic in WMNs are analyzed with typical proactive and reactive routing protocols, which are DSDV (Destination Sequenced Distance Vector) and AODV (Ad hoc On-demand Distance Vector), respectively. Three types of traffic models are used to generate traffic at application level, which corresponding to open-loop and closed-loop scenarios. With different configurations, the probability distribution of inter-arrival time and multi-fractal characteristics of traffic at mobile node and gateway are analyzed with DSDV and AODV protocols. Results show that inter-arrival time with AODV and DSDV protocols possesses heavy-tailed property. And traffic with DSDV protocol exhibits more multi-fractal characteristics than that with AODV protocol, which can explain the higher routing performance of AODV.

Detecting randomly scanning worms based on heavy-tailed property

Worm detection system must detect worms efficiently and effectively. Current detection methods are mainly based on the property of low successful connections rate of worms. However, they may neglect worms if worms insert successful connections deliberately. Because the size in packets or bytes of normal TCP connections is heavy-tailed, we present a detection method by combining detection criteria of failed connections and heavy-tailed distribution of connection size for a given local host. It is more difficult for worms to evade. The method can decrease false negative and positive rates. The experiments show that our method can detect scanning worms with high efficiency and effectiveness.

Research of Characteristics of Worm Traffic

Worm is becoming a more and more serious issue because worm attacks can cause huge loss in short time due to the fast-spreading character. When breaking out, worms induce abnormal traffic unlike the normal traffic, which gives us a clue of worm detecting by analyzing the abnormal characteristics of traffic involving worms, i.e. lumped traffic. Worm detection based on analyzing abnormal traffic characteristics has the advantage that it can detect novel worms without understanding the nature of the worms. And worm detection at network level is one possible detecting path, especially for Network Intrusion Detection Systems(NIDS). In this poster, we present the diversity of traffic characteristics between the normal traffic and worm traffic from the self-similarity point of view, which can be a preparation for the further investigation of the diversity of traffic characteristics between the normal traffic and lumped traffic.

Mitigating Denial of Capability with An Notification Mechanism

Denial-of-service (DoS) attacks is a major threat to Internet security. Among numerous defense techniques, recently architecture-level capabilities scheme is a promising one. As a typical and comprehensive capabilities scheme, traffic validation architecture (TVA) tries to limit DoS attacks essentially and completely. Yet its effectiveness suffers from a new kind of DoS attacks, denial-of-capability (DoC), which takes place in the connection-setup step when clients send requests for capabilities. To overcome the DoC attacks, potential attack characteristics are analyzed in detail. And a notification-based mechanism is proposed to mitigate DoC attacks and enhance the robustness of TVA. A capability-enabled router should send a reverse notification with a special and unforgeable source identifier to the source when it has to drop a request packet under DoC attacks. Then an enhanced request packet including the source identifier is returned by the source and verified by the router. The enhanced request packet with higher secure level is processed in enhanced channels instead of unprivileged channels. Moreover enhanced requests are fair-queued based on per-source instead of per-Pi in TVA. Theoretical analysis and simulation results show that the notification mechanism can suppress DoC attacks effectively and make the capabilities architecture more robust and practical.

The multi-fractal nature of worm and normal traffic at individual source level

Worms have been becoming a serious threat in web age because worms can cause huge loss due to the fast-spread property. To detect worms effectively, it is important to investigate the characteristics of worm traffic at individual source level. We model worm traffic with the multi-fractal process, and compare the multi-fractal property of worm and normal traffics at individual source level. The results show that the worm traffic possesses less multi-fractal property.

A hybrid simulating framework of TCP traffic at aggregated level

To obtain a trade-off between veracity and complexity when simulating TCP traffic, a hybrid simulating framework is proposed based on the packet-level simulation and aggregated control. The aggregated TCP traffic of access network in the gateway is proposed as simulated object, instead of the traffic generated at individual host or session level. The framework is divided into four parts: traffic generator, transmission controller, traffic sink and network. The traffic with self-similarity or multi-fractal property at application level is generated by traffic generator. The transmission controller sends packets to traffic sink based on aggregated control. The transmission controller also sends control information to traffic generator according to the status of network, and the traffic generator decides how to change the generating mode of traffic. The simulation results of non-congestion case and congestion case show the validity of the framework. The time cost shows our simulating framework possesses better performance.

Resisting Network DDoS Attacks by Packet Asymmetry Path Marking

A novel packet marking scheme is proposed to defend against network or bandwidth DDoS attacks, especially where malicious packets do not target the victim directly. A recent study shows that packet-level symmetry exists in legitimate Internet traffic while malicious flooding traffic often exhibits packet asymmetry. Our scheme utilizes the packet asymmetry to differentiate malicious and legitimate traffic. When a packet to a destination host is transmitted from a router, a packet asymmetry score, the ratio of transmitted to received packets of the destination host over the last interval, is calculated and recorded into the packets header additively. Malicious packets should carry higher scores because of the absence of reverse packets. When packets with packet asymmetry scores arrive at a downstream router, where some packets are dropped because of congestion, the router should drop packets with higher scores preferentially. Simulation results show the scheme is effective to defend against DDoS attacks targeting network resources.

Cooperation system of worm detection and quarantine in real time

Worms not only infect vulnerable hosts, but also occupy a large amount of network bandwidth, which affects the normal operation of the network seriously. To achieve the worm detection and automatic quarantine in real time, a cooperation system of worm detection and quarantine is designed and implemented. The worm detection subsystem is implemented based on Bro and can detect worms in real time with our algorithm, which based on the failure probability of FCC and of heavy-tailed property. The worm quarantine subsystem can quarantine worm hosts automatically with ARP-spoofing. The cooperation between detection subsystem, quarantine subsystem and manager is achieved based on SNMP protocol. The system can be deployed easily with little effect on LAN. Experimental results show that the system can detect and quarantine worm hosts effectively.

Optimal control of DDoS defense with multi-resource max-min fairness

Distributed defense of DDoS (Distributed Denial of Service) attack has been extensively researched in recent years and control-based defense is a hopeful way. However, existed methods only deal with bandwidth protection. The paper takes defense of DDoS flood as a kind of Processing and Bandwidth Resources allocation and solves it using control theory. Our defense mechanism FFDRF (Feedback Filtering with Dual-Resource Fairness) sets up filters in edge routers of AS and adjusts the filtering thresholds through feedback between these routers and the victim. The simulation results show that FFDRF can make the legitimate traffic keep high survival rate while is stable and converges quickly even in case of heterogeneous flow sources and link conditions. Compared with level-k max-min fairness defense, FFDRF is more effective against CPU-consuming flood. And an implementation of FFDRF in a linux router indicates that FFDRF is feasible in real-life routers.

Space-Time Correlation Based Fault Correction of Wireless Sensor Networks

The nodes within wireless sensor network (WSN) have low reliability, and are easy to act abnormally and produce erroneous data. To address the problem, we propose a distributed fault correction algorithm, which makes use of correlation among data of adjacent nodes and the correlation between current data and historical data on a single node. The algorithm could correct measurement errors every time nodes take measures. Simulation results show that the algorithm could help correct lots of errors, and only introduce very few errors, while still keep effective for nodes near event region border where many existed algorithms failed.