No Arabic abstract
In this paper, we consider the problem of blocking malicious traffic on the Internet, via source-based filtering. In particular, we consider filtering via access control lists (ACLs): these are already available at the routers today but are a scarce resource because they are stored in the expensive ternary content addressable memory (TCAM). Aggregation (by filtering source prefixes instead of individual IP addresses) helps reduce the number of filters, but comes also at the cost of blocking legitimate traffic originating from the filtered prefixes. We show how to optimally choose which source prefixes to filter, for a variety of realistic attack scenarios and operators policies. In each scenario, we design optimal, yet computationally efficient, algorithms. Using logs from Dshield.org, we evaluate the algorithms and demonstrate that they bring significant benefit in practice.
How can we protect the network infrastructure from malicious traffic, such as scanning, malicious code propagation, and distributed denial-of-service (DDoS) attacks? One mechanism for blocking malicious traffic is filtering: access control lists (ACLs) can selectively block traffic based on fields of the IP header. Filters (ACLs) are already available in the routers today but are a scarce resource because they are stored in the expensive ternary content addressable memory (TCAM). In this paper, we develop, for the first time, a framework for studying filter selection as a resource allocation problem. Within this framework, we study five practical cases of source address/prefix filtering, which correspond to different attack scenarios and operators policies. We show that filter selection optimization leads to novel variations of the multidimensional knapsack problem and we design optimal, yet computationally efficient, algorithms to solve them. We also evaluate our approach using data from Dshield.org and demonstrate that it brings significant benefits in practice. Our set of algorithms is a building block that can be immediately used by operators and manufacturers to block malicious traffic in a cost-efficient way.
Distributed Denial-of-Service (DDoS) attacks are a major problem in the Internet today. In one form of a DDoS attack, a large number of compromised hosts send unwanted traffic to the victim, thus exhausting the resources of the victim and preventing it from serving its legitimate clients. One of the main mechanisms that have been proposed to deal with DDoS is filtering, which allows routers to selectively block unwanted traffic. Given the magnitude of DDoS attacks and the high cost of filters in the routers today, the successful mitigation of a DDoS attack using filtering crucially depends on the efficient allocation of filtering resources. In this paper, we consider a single router, typically the gateway of the victim, with a limited number of available filters. We study how to optimally allocate filters to attack sources, or entire domains of attack sources, so as to maximize the amount of good traffic preserved, under a constraint on the number of filters. We formulate the problem as an optimization problem and solve it optimally using dynamic programming, study the properties of the optimal allocation, experiment with a simple heuristic and evaluate our solutions for a range of realistic attack-scenarios. First, we look at a single-tier where the collateral damage is high due to the filtering at the granularity of domains. Second, we look at the two-tier problem where we have an additional constraint on the number of filters and the filtering is performed on the granularity of attackers and domains.
Deep packet inspection (DPI) has been extensively investigated in software-defined networking (SDN) as complicated attacks may intractably inject malicious payloads in the packets. Existing proprietary pattern-based or port-based third-party DPI tools can suffer from limitations in efficiently processing a large volume of data traffic. In this paper, a novel OpenFlow-enabled deep packet inspection (OFDPI) approach is proposed based on the SDN paradigm to provide adaptive and efficient packet inspection. First, OFDPI prescribes an early detection at the flow-level granularity by checking the IP addresses of each new flow via OpenFlow protocols. Then, OFDPI allows for deep packet inspection at the packet-level granularity: (i) for unencrypted packets, OFDPI extracts the features of accessible payloads, including tri-gram frequency based on Term Frequency and Inverted Document Frequency (TF-IDF) and linguistic features. These features are concatenated into a sparse matrix representation and are then applied to train a binary classifier with logistic regression rather than matching with specific pattern combinations. In order to balance the detection accuracy and performance bottleneck of the SDN controller, OFDPI introduces an adaptive packet sampling window based on the linear prediction; and (ii) for encrypted packets, OFDPI extracts notable features of packets and then trains a binary classifier with a decision tree, instead of decrypting the encrypted traffic to weaken user privacy. A prototype of OFDPI is implemented on the Ryu SDN controller and the Mininet platform. The performance and the overhead of the proposed sulotion are assessed using the real-world datasets through experiments. The numerical results indicate that OFDPI can provide a significant improvement in detection accuracy with acceptable overheads.
Traffic load balancing and radio resource management is key to harness the dense and increasingly heterogeneous deployment of next generation $5$G wireless infrastructure. Strategies for aggregating user traffic from across multiple radio access technologies (RATs) and/or access points (APs) would be crucial in such heterogeneous networks (HetNets), but are not well investigated. In this paper, we develop a low complexity solution for maximizing an $alpha$-optimal network utility leveraging the multi-link aggregation (simultaneous connectivity to multiple RATs/APs) capability of users in the network. The network utility maximization formulation has maximization of sum rate ($alpha=0$), maximization of minimum rate ($alpha to infty$), and proportional fair ($alpha=1$) as its special cases. A closed form is also developed for the special case where a user aggregates traffic from at most two APs/RATs, and hence can be applied to practical scenarios like LTE-WLAN aggregation (LWA) and LTE dual-connectivity solutions. It is shown that the required objective may also be realized through a decentralized implementation requiring a series of message exchanges between the users and network. Using comprehensive system level simulations, it is shown that optimal leveraging of multi-link aggregation leads to substantial throughput gains over single RAT/AP selection techniques.
Accurate network traffic prediction of base station cell is very vital for the expansion and reduction of wireless devices in base station cell. The burst and uncertainty of base station cell network traffic makes the network traffic nonlinear and non-stationary, which brings challenges to the long-term prediction of network traffic. In this paper, the traffic model LMA-DeepAR for base station network is established based on DeepAR. Acordding to the distribution characteristics of network traffic, this paper proposes an artificial feature sequence calculation method based on local moving average (LMA). The feature sequence is input into DeepAR as covariant, which makes the statistical characteristics of network traffic near a period of time in the past be considered when updating parameters, and the interference of non-stationary network traffic on model training will be reduced. Experimental results show that the proposed prediction approach (LMA-DeepAR) outperforms other methods in the overall long-term prediction performance and stability of multi cell network traffic.