Presentation is loading. Please wait.

Presentation is loading. Please wait.

Payload Attribution via Hierarchical Bloom Filters

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Payload Attribution via Hierarchical Bloom Filters"— Presentation transcript:

1 Payload Attribution via Hierarchical Bloom Filters
Kulesh Shanmugasundaram, Hervé Brönnimann Nasir Memon Joint work with Herve and Nasir

2 suppose we get an email like this, what can we do about it?
How can we answer these questions

3 Have Problem. Will Solve.
Hash-packets: Storage is better Need packets for attribution! We just have s! Packet-loggers: Need ~2TB/day IS is not going to like this Bloom-Filters: Storage is better than hashes SPIE uses it for single packet traceback We just have s! To tackle the problem we have some options We can use packet-loggers but they will consume lot of storage. In our network it will be about 2TB/day We can hash the packets instead but simply hashing the whole packet requires the entire packet later when we need to query. But, we only have s (or application view) Bloom filters are used successfully in SPIE to traeback single packets. Again, the scheme necessitates the whole packet.

4 Our Solution: Create digests of payload s.t we can:
So the problem is how to we identify the sources/destinations of a bit-string in a network? This talk is about our solution which creates digests of payload s.t it can attribute excerpts of payload and reduce storage requirements at the same time. The Problem: Identify the sources/ destinations of a bit-string in a network Our Solution: Create digests of payload s.t we can: Attribute excerpts of payload Reduce storage requirements

5 Bloom Filters FP = (1- (1 - 1/m)kn)k Bloom Filter:
Randomized data for representing a set in order to support membership queries. Insert(x): Flip bits H1(x)… Hk(x) to ‘1’ IsMember(y): If H1(Y) … Hk(Y) all ‘1’ “yes” otherwise “no” Can tradeoff memory (m), compute power (k), and accuracy (FP) m – length of bit vector (range of H(.)) k – number of hashes per element n – number of elements in the set H2(x) H1(x) Hk(x) H3(x) 1 m-bit vector The core of our digesting scheme is a bloom filter. Basically, a bloom filter is a randomized ds tha represents a set of elements and can answer membership queries with high-probability. -- few words about insertion and testing -- few words on trade-offs FP = (1- (1 - 1/m)kn)k

6 Packet Digests & Bloom Filters
Snoeren et. al. used it successfully in SPIE for single packet traceback (“Hash-Based IP Traceback”) Space Efficient: 16-bits per packet (m/n=16) and 8 hashes (k=8) false positive (FP) = 5.74 x 10-4 No false negatives! However, we don’t have packets. We only have some excerpt of payload Don’t know where the excerpt was aligned in the packet Extend Bloom Filters to support excerpt/substring matching But we cannot digest the whole packet if we were to support queries on excerpts.

7 Block-based Bloom Filter
P = s p0 p1 p2 p(n/s) P = create s-byte blocks of payload P = (p0|0) (p1|s) (p2|2s) (p(n/s)|n/s) append blocks’ Offset (in payload) Explain this quickly. Insert each block into a Bloom Filter

8 X Q = s q0 q1 q2 … q(l/s) Q = BBF = … (q0|0) (q0|s) (q1|2s) (q2|3s)
create s-byte blocks of query string Try all possible offsets (q0|0) (q0|s) q0=p1 (q1|2s) q1=p2 (q2|3s) q2=p3 H1(q0|0)=1 H2(q0|0)=1 H3(q0|0)=0 Run thru this quickly. X “q0q1q2” was seen in a payload at offset ‘s’ BBF = (p0|0) (p1|s) (p2|2s) (p2|3s) (p(n/s)|n/s)

9 A B R C D P1 = P2 = BBF = “Offset Collisions” (A|0) (B|s) (R|2s)
(A|3s) (C|4s) (A|5s) (C|0) (D|s) (A|2s) (B|3s) (R|4s) “Offset Collisions” (A|0) (B|s) (R|2s) (A|3s) (C|4s) (A|5s) (C|0) (D|s) (A|2s) (B|3s) (R|4s) “offset collisions” are bad. Makes the system easy to circumvent and false positives! For query strings: “AD”, “CB”, “DR”, “AA” etc. BBF falsely identifies them as seen in the payload! Because BBF cannot distinguish between P1 and P2

10 Hierarchical Bloom Filter
An HBF is basically a set of BBF for geometrically increasing sizes of blocks. (p0|0) (p1|s) (p2|2s) (p(n/s)|n/s) level-0 P = (p0p1|0) (p2p3|2s) (p(n/s-1)p(n/s)|(n/s-1)) level-1 (p0p1p2p3|0) level-2 Hierarchical Bloom Filter We can eliminate “offset collisions” by inserting the blocks in a hierarchy. This allows us to check if in fact two blocks occurred together. Querying is similar to BBF at each level. Querying is similar to BBF. Matches at each level can be confirmed a level above.

11 Hierarchical Bloom Filter
Now we have a data structure that: Allows us to do substring matching Avoids “offset collisions” Improves accuracy over standard Bloom Filter and BBF FPeHBF << FPeBBF << FP HBF Performance Summary: Using a Bloom Filter with m/n=5, k=2, FP=0.1090 Block size of 128-bytes Achieves about 100 fold savings in storage For a 512-byte query FPHBF = 2.75x10-4 In summary, we have a … (pretty much say what’s on the slide) Highlight the performance of HBF. (128-byte block is a sweet spot for tracing s and worms because usually there are at least 1KB) (I will put the equations for FPs as soon as I figure out how best to present them!)

12 A Payload Attribution System (PAS)
The HBF presented so far allow us to do substring matching but does not tie a source/destination with the matched excerpt. But we can easily tie in source/destination into HBF, just like we tied the offsets of blocks. Now we insert, (block||offset) and (block||offset||(source,dest)) (Point it in the figure) Source/destination lists are readily available in networks (firewalls, logs, netflow) provide this info. But our prototype maintains one anyway. System design of a payload attribution system Packet id or host identifier is (SourceIP||DestIP) Although host identifier can be obtained from firewalls and routers (Netflow), a list of host ids is maintained by the system

13 Tracking MyDoom Recorded all email traffic for a week
Using HBF and raw traffic Was not aware of MyDoom during this collection When signatures became available we used them to query the system To find hosts that are infected in our network How the hosts were infected

14 MyDoom’s Weekly Progress…

15 MyDoom’s Daily Progress

16 Attacks on PAS Resource Exhaustion: Malicious Transformation:
Flood the network with random bits of data Malicious Transformation: Create packets of length (blocksize – 1) Stuffing: Stuff every other block with application dependent escape characters For smaller blocks we can try to guess for larger blocks it is not possible! Exploiting Collisions: Hash collisions Very unlikely for strong hash functions We use a random seed for every HBF so it makes it more difficult Packet collisions A possibility in Block-based Bloom Filters but not in HBFs Streaming transformations: Encryption, compression

17 Conclusion & Future Work
Summary: A data structure for digesting payloads Supports queries on excerpts Reduces storage requirements Provides some privacy guarantees Payload Attribution System: Capable of attributing excerpts of payload to source/destination In alpha-tests in our campus network Future work: Value-based blocking using Rabin fingerprints Enhancing storage of host ids Hardware implementations

18

Download ppt "Payload Attribution via Hierarchical Bloom Filters"

Similar presentations

A CGA based Source Address Authentication Method in IPv6 Access Network(CSA) Guang Yao, Jun Bi and Pingping Lin Tsinghua University APAN26 Queenstown,

A CGA based Source Address Authentication Method in IPv6 Access Network(CSA) Guang Yao, Jun Bi and Pingping Lin Tsinghua University APAN26 Queenstown,
IP Router Architectures. Outline Basic IP Router Functionalities IP Router Architectures.

IP Router Architectures. Outline Basic IP Router Functionalities IP Router Architectures.
A Scalable and Reconfigurable Search Memory Substrate for High Throughput Packet Processing Sangyeun Cho and Rami Melhem Dept. of Computer Science University.

A Scalable and Reconfigurable Search Memory Substrate for High Throughput Packet Processing Sangyeun Cho and Rami Melhem Dept. of Computer Science University.
Data Streaming Algorithms for Accurate and Efficient Measurement of Traffic and Flow Matrices Qi Zhao*, Abhishek Kumar*, Jia Wang + and Jun (Jim) Xu* *College.

Data Streaming Algorithms for Accurate and Efficient Measurement of Traffic and Flow Matrices Qi Zhao*, Abhishek Kumar*, Jia Wang + and Jun (Jim) Xu* *College.
1 Fast Routing Table Lookup Based on Deterministic Multi- hashing Zhuo Huang, David Lin, Jih-Kwon Peir, Shigang Chen, S. M. Iftekharul Alam Department.

1 Fast Routing Table Lookup Based on Deterministic Multi- hashing Zhuo Huang, David Lin, Jih-Kwon Peir, Shigang Chen, S. M. Iftekharul Alam Department.
ForNet: A Distributed Forensic Network Kulesh Shanmugasundaram

ForNet: A Distributed Forensic Network Kulesh Shanmugasundaram
11 Packet Sampling for Worm and Botnet Detection in TCP Connections Reporter: 林佳宜 2010/10/25.

11 Packet Sampling for Worm and Botnet Detection in TCP Connections Reporter: 林佳宜 /10/25.
Hash-Based IP Traceback Best Student Paper ACM SIGCOMM’01.

Hash-Based IP Traceback Best Student Paper ACM SIGCOMM’01.
IP Spoofing CIS 610 Week 2: 13-JAN-2004. Definition and Background n Def’n: The forging of the IP Source Address field in an IP packet n First mentioned.

IP Spoofing CIS 610 Week 2: 13-JAN Definition and Background n Def’n: The forging of the IP Source Address field in an IP packet n First mentioned.
Hit or Miss ? !!!.  Cache RAM is high-speed memory (usually SRAM).  The Cache stores frequently requested data.  If the CPU needs data, it will check.

Hit or Miss ? !!!.  Cache RAM is high-speed memory (usually SRAM).  The Cache stores frequently requested data.  If the CPU needs data, it will check.
Bloom Filters Kira Radinsky Slides based on material from:

Bloom Filters Kira Radinsky Slides based on material from:
Deterministic Memory- Efficient String Matching Algorithms for Intrusion Detection Nathan Tuck, Timothy Sherwood, Brad Calder, George Varghese Department.

Deterministic Memory- Efficient String Matching Algorithms for Intrusion Detection Nathan Tuck, Timothy Sherwood, Brad Calder, George Varghese Department.
Reverse Hashing for High-speed Network Monitoring: Algorithms, Evaluation, and Applications Robert Schweller 1, Zhichun Li 1, Yan Chen 1, Yan Gao 1, Ashish.

Reverse Hashing for High-speed Network Monitoring: Algorithms, Evaluation, and Applications Robert Schweller 1, Zhichun Li 1, Yan Chen 1, Yan Gao 1, Ashish.
Secure communications Week 10 – Lecture 2. To summarise yesterday Security is a system issue Technology and security specialists are part of the system.

Secure communications Week 10 – Lecture 2. To summarise yesterday Security is a system issue Technology and security specialists are part of the system.
Security in Wireless LAN 802.11 Layla Pezeshkmehr CS 265 Fall 2003-SJSU Dr.Mark Stamp.

Security in Wireless LAN Layla Pezeshkmehr CS 265 Fall 2003-SJSU Dr.Mark Stamp.
Beyond Bloom Filters: From Approximate Membership Checks to Approximate State Machines By F. Bonomi et al. Presented by Kenny Cheng, Tonny Mak Yui Kuen.

Beyond Bloom Filters: From Approximate Membership Checks to Approximate State Machines By F. Bonomi et al. Presented by Kenny Cheng, Tonny Mak Yui Kuen.
Mitigating Bandwidth- Exhaustion Attacks using Congestion Puzzles XiaoFeng Wang Michael K. Reiter.

Mitigating Bandwidth- Exhaustion Attacks using Congestion Puzzles XiaoFeng Wang Michael K. Reiter.
بسم الله الرحمن الرحيم NETWORK SECURITY Done By: Saad Al-Shahrani Saeed Al-Smazarkah May 2006.

بسم الله الرحمن الرحيم NETWORK SECURITY Done By: Saad Al-Shahrani Saeed Al-Smazarkah May 2006.
Improved TCAM-based Pre-Filtering for Network Intrusion Detection Systems Department of Computer Science and Information Engineering National Cheng Kung.

Improved TCAM-based Pre-Filtering for Network Intrusion Detection Systems Department of Computer Science and Information Engineering National Cheng Kung.
Reverse Hashing for Sketch Based Change Detection in High Speed Networks Ashish Gupta Elliot Parsons with Robert Schweller, Theory Group Advisor: Yan Chen.

Reverse Hashing for Sketch Based Change Detection in High Speed Networks Ashish Gupta Elliot Parsons with Robert Schweller, Theory Group Advisor: Yan Chen.

Similar presentations

Ads by Google