The information technology has revolutionized almost every facet of our lives. Government, commercial, and educational organizations depend on computers and Internet to such an extent that day-to-day operations are significantly hindered when the networks are “down” (Gordon, Loeb, Lucyshyn & Richardson, 2005). The prosperity of the Internet also attracted abusers and attackers motivated for personal, financial, or even political reasons. What attackers aim at currently is beyond obtaining unauthorized network accesses or stealing private information, there have been attacks on Internet infrastructures (Chakrabarti & Manimaran, 2002; Moore, Voelker & Savage, 2001; Naoumov & Ross, 2006). Distributed Denial of Services (DDoS) attacks is one of such attacks that can lead to enormous destruction, as different infrastructure components of the Internet have implicit trust relationship with each other (Mirkovic & Reiher, 2004; Specht & Lee, 2004). The DDoS attacker often exploits the huge resource asymmetry between the Internet and the victim systems (Chen, Hwang & Ku, 2007; Douligeris & Mitrokosta, 2003). A comprehensive solution to DDoS attacks requires covering global effects over a wide area of autonomous system (AS) domains on the Internet (Mirkovic & Reiher, 2005). Timely detection of the ongoing attacks is the prerequisite of any effective defense scheme (Carl, Kesidis, Brooks & Rai, 2006). It is highly desirable to detect DDoS attacks at very early stage, instead of waiting for the flood to become widespread. It is mandatory for the detection systems to collect real time traffic data from widely deployed traffic monitors and construct the spatiotemporal pattern of anomaly propagation inside the network. This chapter will introduce a novel distributed real time data aggregation technique named Change Aggregation Tree (CAT). The CAT system adopts a hierarchical architecture to simplify the alert correlation and global detection procedures. At intra-domain level, each individual router, which plays the role of traffic monitor, periodically report the local traffic status to the CAT server in the AS. At the inter-domain layer, CAT servers share local detected anomaly patterns with peers located in other ASes, where the potential attack victim is located.
TopIntroduction
The information technology has revolutionized almost every facet of our lives. Government, commercial, and educational organizations depend on computers and Internet to such an extent that day-to-day operations are significantly hindered when the networks are “down” (Gordon, Loeb, Lucyshyn & Richardson, 2005). The prosperity of the Internet also attracted abusers and attackers motivated for personal, financial, or even political reasons. What attackers aim at currently is beyond obtaining unauthorized network accesses or stealing private information, there have been attacks on Internet infrastructures (Chakrabarti & Manimaran, 2002; Moore, Voelker & Savage, 2001; Naoumov & Ross, 2006).
Distributed Denial of Services (DDoS) attacks is one of such attacks that can lead to enormous destruction, as different infrastructure components of the Internet have implicit trust relationship with each other (Mirkovic & Reiher, 2004; Specht & Lee, 2004). The DDoS attacker often exploits the huge resource asymmetry between the Internet and the victim systems (Chen, Hwang & Ku, 2007; Douligeris & Mitrokosta, 2003).
A comprehensive solution to DDoS attacks requires covering global effects over a wide area of autonomous system (AS) domains on the Internet (Mirkovic & Reiher, 2005). Timely detection of the ongoing attacks is the prerequisite of any effective defense scheme (Carl, Kesidis, Brooks & Rai, 2006). It is highly desirable to detect DDoS attacks at very early stage, instead of waiting for the flood to become widespread. It is mandatory for the detection systems to collect real time traffic data from widely deployed traffic monitors and construct the spatiotemporal pattern of anomaly propagation inside the network.
This chapter will introduce a novel distributed real time data aggregation technique named Change Aggregation Tree (CAT). The CAT system adopts a hierarchical architecture to simplify the alert correlation and global detection procedures. At intra-domain level, each individual router, which plays the role of traffic monitor, periodically report the local traffic status to the CAT server in the AS. At the inter-domain layer, CAT servers share local detected anomaly patterns with peers located in other ASes, where the potential attack victim is located.
TopBackground
To monitor the traffic fluctuations in a real time manner, network devices often play the role of distributed sensor system that collects local data individually. However, as a large scale distributed system without a central administrator, it is challenging to create a spatiotemporal picture covering wide area cross multiple ISP networks. Unfortunately, such a big picture is essential to detect the anomalies embedded in the traffic flows (Chen, Hwang & Ku, 2007; Papadopoulos, Lindell, Mehringer, Hussain & Govindan, 2003). For this reason, efficient distributed data aggregation techniques have become a hot topic in research community. Due to the limited space, here we only provide a brief survey of reported works which are closely relevant to our work.
A couple of overlay based data aggregation techniques have been proposed to monitor local network traffic and detect anomalies and attacks collaboratively (Feinstein, Schnackenberg, Balupari & Kindred, 2003). In WormShield (Cai, Hwang, Pan & Papadopoulos, 2007), a balanced distributed data aggregation tree (DAT) was proposed, which is capable of collecting and aggregating the fingerprint of Internet worms generated locally. Comparing to the original overlay based data aggregation such as Chord (Stoica, Morris, Karger, Kaashoek & Balakrishnan, 2001), DAT can compute global fingerprint statistics in a scalable and load-balanced fashion. Several data aggregation systems use advanced statistical algorithms to predict lost values (Zhao, Govindan & Estrin, 2003; Madden, Franklin, Hellerstein & Hong, 2002) and try to reduce the sensitivity of large scale data aggregation networks to the loss of data (Huang, Zhao, Joseph & Kubiatowicz, 2006).