Detecting Malicious Packet Losses
In this paper, we consider the problem of detecting whether a compromised router is maliciously manipulating its stream of packets. In particular, we are concerned with a simple yet effective attack in which a router selectively drops packets destined for some victim. Unfortunately, it is quite chal...
Published in: | IEEE transactions on parallel and distributed systems 2009-02, Vol.20 (2), p.191-206 |
---|---|
Main authors: | Mızrak, Alper T., Savage, Stefan, Marzullo, Keith |
Format: | Article |
Language: | eng |
Subjects: | |
Online access: | Order full text |
container_end_page | 206 |
---|---|
container_issue | 2 |
container_start_page | 191 |
container_title | IEEE transactions on parallel and distributed systems |
container_volume | 20 |
creator | Mızrak, Alper T. ; Savage, Stefan ; Marzullo, Keith |
description | In this paper, we consider the problem of detecting whether a compromised router is maliciously manipulating its stream of packets. In particular, we are concerned with a simple yet effective attack in which a router selectively drops packets destined for some victim. Unfortunately, it is quite challenging to attribute a missing packet to a malicious action because normal network congestion can produce the same effect. Modern networks routinely drop packets when the load temporarily exceeds their buffering capacities. Previous detection protocols have tried to address this problem with a user-defined threshold: too many dropped packets imply malicious intent. However, this heuristic is fundamentally unsound; setting this threshold is, at best, an art and will certainly create unnecessary false positives or mask highly focused attacks. We have designed, developed, and implemented a compromised router detection protocol that dynamically infers, based on measured traffic rates and buffer sizes, the number of congestive packet losses that will occur. Once the ambiguity from congestion is removed, subsequent packet losses can be attributed to malicious actions. We have tested our protocol in Emulab and have studied its effectiveness in differentiating attacks from legitimate network behavior. |
doi_str_mv | 10.1109/TPDS.2008.70 |
format | Article |
fulltext | fulltext_linktorsrc |
identifier | ISSN: 1045-9219 |
ispartof | IEEE transactions on parallel and distributed systems, 2009-02, Vol.20 (2), p.191-206 |
issn | 1045-9219 1558-2183 |
language | eng |
recordid | cdi_ieee_primary_4515859 |
source | IEEE Electronic Library (IEL) |
subjects | Ambiguity ; Buffers ; Communication system traffic control ; Congestion ; distributed systems ; Internet ; Internet dependability ; Intrusion detection ; intrusion detection and tolerance ; Loss measurement ; malicious routers ; Networks ; Protocol (computers) ; reliable networks ; Routers ; Routing protocols ; Size measurement ; Streams ; Studies ; Telecommunication traffic ; Testing ; Thresholds |
title | Detecting Malicious Packet Losses |
url | https://sfx.bib-bvb.de/sfx_tum?ctx_ver=Z39.88-2004&ctx_enc=info:ofi/enc:UTF-8&ctx_tim=2025-01-04T19%3A46%3A27IST&url_ver=Z39.88-2004&url_ctx_fmt=infofi/fmt:kev:mtx:ctx&rfr_id=info:sid/primo.exlibrisgroup.com:primo3-Article-proquest_RIE&rft_val_fmt=info:ofi/fmt:kev:mtx:journal&rft.genre=article&rft.atitle=Detecting%20Malicious%20Packet%20Losses&rft.jtitle=IEEE%20transactions%20on%20parallel%20and%20distributed%20systems&rft.au=Mzrak,%20Alper%20T.&rft.date=2009-02-01&rft.volume=20&rft.issue=2&rft.spage=191&rft.epage=206&rft.pages=191-206&rft.issn=1045-9219&rft.eissn=1558-2183&rft.coden=ITDSEO&rft_id=info:doi/10.1109/TPDS.2008.70&rft_dat=%3Cproquest_RIE%3E1671281140%3C/proquest_RIE%3E%3Curl%3E%3C/url%3E&disable_directlink=true&sfx.directlink=off&sfx.report_link=0&rft_id=info:oai/&rft_pqid=912029828&rft_id=info:pmid/&rft_ieee_id=4515859&rfr_iscdi=true |