
A Traffic Regulation Method Based on MRA Signatures to Reduce Unwanted Traffic from Compromised End-User Machines

  • Conference paper
Data Privacy Management and Autonomous Spontaneus Security (DPM 2011, SETOP 2011)

Abstract

Compromised end-user machines are an important source of the unwanted traffic that traverses the Internet. These machines typically have malicious software installed on them that misuses their network resources, so the packet stream that a compromised machine sends out consists of both legitimate and unwanted packets. In this work, we present a traffic regulation method that limits the number of unwanted packets that such machines send to the Internet. The method operates on the time-series representation of a packet stream and examines the “burstiness” of the packets rather than their rate. It filters packets out of this stream using signatures produced with wavelet-based multi-resolution analysis, together with a similarity measure. We evaluate the proposed method on real traffic traces (Domain Name System queries from legitimate end-users and from e-mail worms) and compare it with a rate limiting method. We show that the method limits the amount of unwanted traffic that a compromised end-user machine sends to the Internet while dropping fewer legitimate packets than the rate limiting method.
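As an added illustration of the pipeline the abstract describes (not code from the paper, whose exact signature format and similarity measure are not given on this page): a binned packet-count window is decomposed with a Haar multi-resolution analysis, the normalised detail energy per scale serves as the burstiness signature, cosine similarity compares it with a legitimate reference, and a threshold decides whether the window is regulated. The Haar wavelet, the energy signature, the cosine measure, the 0.9 threshold and the DNS sample windows are all assumptions constructed for this example.

```python
import math

# Constructed sample data (not the paper's traces): DNS queries per 100 ms bin.
LEGIT_REFERENCE = [2, 1, 3, 2, 1, 2, 4, 1, 2, 3, 1, 2, 2, 1, 3, 2]
LEGIT_WINDOW = [3, 1, 2, 3, 2, 1, 3, 2, 1, 3, 2, 1, 3, 1, 2, 3]
WORM_BURST = [0, 0, 0, 0, 0, 0, 0, 0, 40, 45, 38, 42, 0, 0, 0, 0]


def haar_mra_signature(counts):
    """Normalised Haar detail energy per MRA level, finest scale first.

    Assumption: the paper's exact signature is not on the page; per-scale
    energy is a standard burstiness descriptor. Dividing by total energy
    makes the signature rate-invariant (scaling all counts leaves it unchanged).
    """
    n = len(counts)
    if n < 2 or n & (n - 1):
        raise ValueError("window length must be a power of two")
    approx = [float(c) for c in counts]
    energies = []
    while len(approx) > 1:
        pairs = list(zip(approx[0::2], approx[1::2]))
        energies.append(sum(((a - b) / math.sqrt(2)) ** 2 for a, b in pairs))
        approx = [(a + b) / math.sqrt(2) for a, b in pairs]
    total = sum(energies)
    if total == 0.0:
        return [0.0] * len(energies)  # constant-rate stream: no detail energy
    return [e / total for e in energies]


def cosine_similarity(u, v):
    """Similarity measure used here (an assumption; the page names none)."""
    dot = sum(a * b for a, b in zip(u, v))
    norm = math.sqrt(sum(a * a for a in u)) * math.sqrt(sum(b * b for b in v))
    return dot / norm if norm else 0.0


def should_regulate(window, reference_sig, threshold=0.9):
    """True when the window's burst structure is unlike the legitimate reference.

    The threshold is a constructed value. A constant-rate window has no burst
    structure to compare and is left to a plain rate limiter (returns False).
    """
    sig = haar_mra_signature(window)
    if not any(sig):
        return False
    return cosine_similarity(sig, reference_sig) < threshold


if __name__ == "__main__":
    ref = haar_mra_signature(LEGIT_REFERENCE)
    for name, w in (("legit", LEGIT_WINDOW), ("worm", WORM_BURST)):
        print(name, [round(x, 3) for x in haar_mra_signature(w)],
              "regulate" if should_regulate(w, ref) else "pass")
```

The legitimate windows keep most of their energy at the finest scales, while the worm burst concentrates it at coarse scales; scaling a window by a constant factor does not change its signature, which is what separates this from a rate limit.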



Copyright information

© 2012 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Pujol-Gil, E., Chatzis, N. (2012). A Traffic Regulation Method Based on MRA Signatures to Reduce Unwanted Traffic from Compromised End-User Machines. In: Garcia-Alfaro, J., Navarro-Arribas, G., Cuppens-Boulahia, N., de Capitani di Vimercati, S. (eds) Data Privacy Management and Autonomous Spontaneus Security. DPM 2011, SETOP 2011. Lecture Notes in Computer Science, vol 7122. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-28879-1_18

  • DOI: https://doi.org/10.1007/978-3-642-28879-1_18

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-28878-4

  • Online ISBN: 978-3-642-28879-1

  • eBook Packages: Computer Science (R0)