10-03-2011, 04:20 PM
Detecting Malicious Packet Losses
Abstract
In this paper, we consider the problem of detecting whether a compromised router is maliciously manipulating its stream of packets. In particular, we are concerned with a simple yet effective attack in which a router selectively drops packets destined for some victim. Unfortunately, it is quite challenging to attribute a missing packet to a malicious action because normal network congestion can produce the same effect. Modern networks routinely drop packets when the load temporarily exceeds their buffering capacities. Previous detection protocols have tried to address this problem with a user-defined threshold: too many dropped packets imply malicious intent. However, this heuristic is fundamentally unsound; setting this threshold is, at best, an art and will certainly create unnecessary false positives or mask highly focused attacks. We have designed, developed, and implemented a compromised router detection protocol that dynamically infers, based on measured traffic rates and buffer sizes, the number of congestive packet losses that will occur. Once the ambiguity from congestion is removed, subsequent packet losses can be attributed to malicious actions.
Existing System
1. Previous detection protocols have tried to address this problem with a user-defined threshold: too many dropped packets imply malicious intent.
2. However, this heuristic is fundamentally unsound; setting this threshold is, at best, an art and will certainly create unnecessary false positives or mask highly focused attacks.
Limitation of Existing System
1. Thus, existing traffic validation systems must inevitably produce false positives for benign events and/or produce false negatives by failing to report real malicious packet dropping.
2. Previous work has approached this issue using a static user-defined threshold, which is fundamentally limiting.
Proposed System
1. We have designed, developed, and implemented a compromised router detection protocol that dynamically infers, based on measured traffic rates and buffer sizes, the number of congestive packet losses that will occur.
2. Once the ambiguity from congestion is removed, subsequent packet losses can be attributed to malicious actions.
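The following is an added illustration, not code from the paper or from the project posted above, of the idea in the abstract and in the two points just listed: predict how many losses congestion alone would cause from the measured arrival rate, link rate and buffer size, and attribute only the excess to the router. It uses a deliberately simple discrete-time tail-drop queue as the congestion model (the paper's own inference is more elaborate), constructed arrival profiles, and assumed constants SERVICE_RATE and BUFFER_SIZE. The same router model, with a non-zero covert drop count, is also used to generate what a compromised router would forward, and a static-threshold detector is included only to show the false positive and false negative the abstract warns about.

```python
# Added example (not from the paper or the project): a toy tail-drop queue
# used to predict congestion losses and separate them from covert drops.

def run_router(arrivals, service_rate, buffer_size, covert_drops_per_slot=0):
    """Simulate one router over discrete time slots.

    arrivals              : packets arriving in each slot (measured at ingress)
    service_rate          : packets the outgoing link sends per slot
    buffer_size           : packets the queue can hold before tail drop
    covert_drops_per_slot : extra packets a compromised router silently
                            discards each slot (0 models an honest router)
    Returns (forwarded_per_slot, tail_drops, covert_drops, final_queue).
    """
    queue, forwarded, tail_drops, covert_drops = 0, [], 0, 0
    for a in arrivals:
        queue += a
        dropped = max(0, queue - buffer_size)      # congestion: buffer overflow
        tail_drops += dropped
        queue -= dropped
        covert = min(queue, covert_drops_per_slot)  # malicious selective drop
        covert_drops += covert
        queue -= covert
        sent = min(queue, service_rate)
        queue -= sent
        forwarded.append(sent)
    return forwarded, tail_drops, covert_drops, queue


def expected_congestive_drops(arrivals, service_rate, buffer_size):
    """Losses that congestion alone would cause for this traffic profile."""
    return run_router(arrivals, service_rate, buffer_size)[1]


def inferred_verdict(arrivals, forwarded, service_rate, buffer_size, tolerance=0):
    """Attribute losses beyond the congestion prediction to the router.

    Assumes the measurement interval ends with an empty queue, so every
    packet that entered either left or was dropped. 'tolerance' is slack
    for measurement error; the paper's protocol derives its own bound.
    """
    observed = sum(arrivals) - sum(forwarded)
    expected = expected_congestive_drops(arrivals, service_rate, buffer_size)
    excess = observed - expected
    return {"observed": observed, "expected_congestive": expected,
            "excess": excess, "malicious": excess > tolerance}


def threshold_verdict(arrivals, forwarded, threshold):
    """The static user-defined threshold that the abstract criticises."""
    observed = sum(arrivals) - sum(forwarded)
    return {"observed": observed, "malicious": observed > threshold}


SERVICE_RATE, BUFFER_SIZE = 4, 6   # assumed link and buffer parameters


def demo(threshold=12):
    """Four constructed scenarios; returns both detectors' verdicts."""
    scenarios = {
        # name: (constructed arrivals per slot, covert drops per slot)
        "honest_burst": ([4, 4, 8, 8, 8, 2, 0, 0, 0, 0], 0),
        "covert_burst": ([4, 4, 8, 8, 8, 2, 0, 0, 0, 0], 1),
        "honest_heavy": ([12, 12, 12, 0, 0, 0], 0),
        "covert_light": ([4, 4, 4, 4, 0, 0], 1),
    }
    results = {}
    for name, (arrivals, covert) in scenarios.items():
        forwarded, _, _, final_queue = run_router(
            arrivals, SERVICE_RATE, BUFFER_SIZE, covert)
        assert final_queue == 0, "interval must end drained for the count to close"
        results[name] = {
            "inferred": inferred_verdict(arrivals, forwarded, SERVICE_RATE, BUFFER_SIZE),
            "threshold": threshold_verdict(arrivals, forwarded, threshold),
        }
    return results


if __name__ == "__main__":
    for name, r in demo().items():
        print(name, r)
```

Two things the run shows. First, with a fixed threshold of 12 the heavy honest burst (22 congestive drops) is flagged and the light covert dropper (4 losses, no congestion at all) is missed, while the inference-based check gets both right because it compares against what the buffer and link rate would have dropped anyway. Second, in the covert burst case the router discards 6 packets but only 4 show up as excess: the packets it removed freed buffer space and so reduced tail drops by 2, which is why the paper's protocol has to reason about buffer state rather than subtract a single count.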
Advantage
Finally, our own work broke the problem into three pieces:
1. A traffic validation mechanism
2. A distributed detection protocol
3. A rerouting countermeasure.
Hardware Requirements:
PROCESSOR : PENTIUM IV 2.6 GHz
RAM : 512 MB
MONITOR : 15”
HARD DISK : 20 GB
CDDRIVE : 52X
KEYBOARD : STANDARD 102 KEYS
MOUSE : 3 BUTTONS
Software Requirements:
FRONT END : JAVA, SWING
TOOLS USED : JFRAME BUILDER
OPERATING SYSTEM: WINDOWS XP