8 results for Traceback


Relevance:

10.00% 10.00%

Publisher:

Abstract:

TCP attacks are the major problem faced by Mobile Ad hoc Networks (MANETs) due to their limited network and host resources. Attacker traceback is a promising solution which allows a victim to identify the exact location of the attacker and hence enables the victim to take proper countermeasures near attack origins, for forensics and to discourage attackers from launching the attacks. However, attacker traceback in MANETs is a challenging problem due to dynamic network topology and limited network and host resources such as memory, bandwidth and battery life. We introduce a novel method of TCP attacker Identification in MANET using the Traffic History - MAITH. Based on a comprehensive simulation-based evaluation, we showed that MAITH can successfully track down the attacker under diverse mobile multi-hop network environments with low communication, computation, and memory overhead.

Relevance:

10.00% 10.00%

Publisher:

Abstract:

The problem of designing good Space-Time Block Codes (STBCs) with low maximum-likelihood (ML) decoding complexity has gathered much attention in the literature. All the known low ML decoding complexity techniques utilize the same approach of exploiting either the multigroup decodable or the fast-decodable (conditionally multigroup decodable) structure of a code. We refer to this well-known technique of decoding STBCs as Conditional ML (CML) decoding. In [1], we introduced a framework to construct ML decoders for STBCs based on the Generalized Distributive Law (GDL) and the Factor-graph based Sum-Product Algorithm, and showed that for two specific families of STBCs, the Toeplitz codes and the Overlapped Alamouti Codes (OACs), the GDL based ML decoders have strictly less complexity than the CML decoders. In this paper, we introduce a 'traceback' step to the GDL decoding algorithm of STBCs, which enables roughly 4 times reduction in the complexity of the GDL decoders proposed in [1]. Utilizing this complexity reduction from 'traceback', we then show that for any STBC (not just the Toeplitz and Overlapped Alamouti Codes), the GDL decoding complexity is strictly less than the CML decoding complexity. For instance, for any STBC obtained from Cyclic Division Algebras that is not multigroup or conditionally multigroup decodable, the GDL decoder provides approximately 12 times reduction in complexity compared to the CML decoder. Similarly, for the Golden code, which is conditionally multigroup decodable, the GDL decoder is only about half as complex as the CML decoder.

Relevance:

10.00% 10.00%

Publisher:

Abstract:

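Denial-of-service attacks are among the hardest network security problems to deal with. Recently, a variety of countermeasures have been proposed. Among them, the class of probability-based packet marking schemes proposed by Savage et al. is of particular research value. This paper first briefly reviews countermeasures against denial-of-service attacks, then analyzes several packet marking schemes, points out some of their shortcomings, and proposes some improvements. Among these, a modification to the basic probabilistic packet marking scheme greatly reduces the amount of computation.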

Relevance:

10.00% 10.00%

Publisher:

Abstract:

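Denial-of-service (DoS) attacks are currently one of the most difficult network problems to handle. Recently, researchers have proposed a variety of schemes against DoS attacks, each with its own advantages and disadvantages. Among them, the probabilistic packet marking scheme proposed by Savage et al. has received wide attention, and quite a few variants have appeared. In this class of marking schemes, a router decides with a fixed probability whether to mark a packet, which means the victim needs a relatively large number of packets to reconstruct the attack path. This paper proposes an adaptive marking strategy. Experiments verify that the victim can reconstruct the attack path with fewer packets, which not only buys the victim more time to respond to the attack early but also limits the attacker's forgery capability.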

Relevance:

10.00% 10.00%

Publisher:

Abstract:

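Packet marking is a packet traceback scheme proposed against DoS attacks. Because of its fast response time and low resource consumption, it has received wide attention from researchers in recent years. However, because the marking process is random, the number of packets the victim must receive to reconstruct the path greatly exceeds the minimum number of packets necessary for reconstruction, which raises the reconstruction false-positive rate and lengthens the response time. This paper proposes an IP packet traceback scheme based on ordered marking. By storing the marking state for each destination IP address, the scheme sends the fragments of the packet marks in order, so that when a DoS attack occurs, the number of marked packets the victim must receive to reconstruct the path is greatly reduced, thereby improving the response time to DoS attacks and the traceback accuracy. The proposed algorithm further improves the feasibility of packet marking schemes in practical applications.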

Relevance:

10.00% 10.00%

Publisher:

Abstract:

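Because of their high incidence, great harm and difficulty of prevention, denial-of-service attacks have become a major problem on the Internet. Researchers have proposed all kinds of countermeasures, among which probabilistic packet marking has considerable potential. However, existing marking schemes all have various shortcomings. A new marking scheme is proposed; compared with other marking methods, it has the advantages of being responsive, having a low false-positive rate and requiring little computation. In addition, the method limits the attacker's ability to forge traceback information.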

Relevance:

10.00% 10.00%

Publisher:

Abstract:

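DDoS attacks, with their high incidence, high destructive power and difficulty of prevention, have in recent years become one of the main security threats to the Internet. Researchers have proposed a variety of methods to counter DDoS attacks. Among them, the probabilistic packet marking scheme proposed by Savage et al. has attracted attention for advantages such as ease of deployment and low resource consumption. However, the probabilistic packet marking scheme has two obvious defects: a high false-positive rate and high computational complexity when reconstructing multiple attack paths. Building on probabilistic packet marking, a block-based packet marking scheme is proposed; compared with the probabilistic packet marking scheme, it has a lower false-positive rate and lower computational complexity, and therefore greater practical significance.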

Relevance:

10.00% 10.00%

Publisher:

Abstract:

In the past few years, IRC bots, malicious programs which are remotely controlled by the attacker through IRC servers, have become a major threat to the Internet and users. These bots can be used in different malicious ways, such as issuing distributed denial-of-service attacks to shut down other networks and services, keystroke logging, spamming, and traffic sniffing, causing serious disruption to networks and users. New bots that use peer-to-peer (P2P) protocols are starting to appear as the upcoming threat to Internet security, due to the fact that P2P bots do not have a centralized point to shut down or trace back, thus making the detection of P2P bots a real challenge. In response to these threats, we present an algorithm to detect an individual P2P bot running on a system by correlating its activities. Our evaluation shows that correlating different activities generated by P2P bots within a specified time period can detect these kinds of bots.