Understanding and Filtering Malicious Traffic
People
Current members
- UCI: Anh Le, Athina Markopoulou
- EPFL: Katerina Argyraki
Past collaborators
- UCI: Fabio Soldo, Karim El Defrawy
- AT&T Research: Bala Krishnamurthy and Kobus van der Merwe
Funding
- This work is supported by an NSF CyberTrust grant: I-BLOCK: Understanding and Filtering of Malicious Traffic.
- Student research at UCI was partially supported by a VURI gift from AT&T Research for the academic year 07-08.
Disclaimer: Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation.
Problem Statement
How can we protect the network infrastructure from malicious traffic, such as scanning, malicious code propagation, and distributed denial-of-service (DDoS) attacks? We are interested in filtering-based defense systems against malicious traffic.
Filtering Algorithms. One mechanism for blocking malicious traffic is filtering: access control lists (ACLs) can selectively block traffic based on fields of the IP header. Filters (ACLs) are already available in today's routers, but they are a scarce resource because they are stored in expensive ternary content addressable memory (TCAM): a router has a fixed number of ACL entries, and an operator facing an attack must decide which sources or prefixes are worth one of them. In this work, we develop a framework for studying filter selection as a resource allocation problem. Within this framework, we study five practical cases of source address/prefix filtering, which correspond to different attack scenarios and operators' policies (e.g. whether some collateral damage to legitimate traffic is acceptable in exchange for blocking more malicious traffic). We show that filter selection optimization leads to novel variations of the multidimensional knapsack problem, and we design optimal, yet computationally efficient, algorithms to solve them. We also evaluate our approach using data from Dshield.org and demonstrate that it brings significant benefits in practice. Our set of algorithms is a building block that can be used immediately by operators and manufacturers to block malicious traffic in a cost-efficient way.
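The resource-allocation view above can be illustrated with a deliberately simplified model. The following is an added example, not the project's own algorithms: it treats filter selection as a budgeted choice of prefixes in the IPv4 prefix trie, where each ACL entry costs one TCAM slot and the payoff of blocking a prefix is the malicious traffic it stops minus a penalty for the legitimate traffic it also blocks. The packet counts, the collateral-damage weight, and the small per-address penalty for addresses that were never observed at all are constructed assumptions for the example.

```python
"""Added example (not the project's code): choose at most `budget` source-prefix
ACL entries for a victim, trading malicious traffic blocked against collateral
damage, by dynamic programming over the IPv4 prefix trie."""
import ipaddress
from functools import lru_cache


def ip2int(s):
    return int(ipaddress.IPv4Address(s))


# Constructed sample counts (packets per source seen at the victim).
MALICIOUS = {  # sources flagged by the IDS
    "10.0.0.1": 500, "10.0.0.2": 400, "10.0.0.3": 450, "10.0.0.7": 300,
    "10.0.1.9": 600, "192.168.5.20": 800, "172.16.9.4": 50,
}
LEGIT = {  # sources not flagged; blocking them is collateral damage
    "10.0.0.5": 100,      # sits inside 10.0.0.0/29 next to four attackers
    "10.0.1.10": 5000,    # heavy legitimate user adjacent to 10.0.1.9
    "172.16.9.5": 2000,
}


def select_filters(malicious, legit, budget, collateral_weight=1, unknown_cost=1):
    """Return (net benefit, list of prefixes to block).

    Net benefit of a prefix = malicious packets blocked
                            - collateral_weight * legitimate packets blocked
                            - unknown_cost * addresses covered but never observed.
    The last term (an assumption of this example) stops the optimizer from
    "blocking a /2 for free" just because no legitimate traffic happened to be
    logged from it.
    """
    mal = {ip2int(k): v for k, v in malicious.items()}
    leg = {ip2int(k): v for k, v in legit.items()}
    hosts = sorted(set(mal) | set(leg))

    @lru_cache(maxsize=None)
    def best(prefix, length, f):
        # Best (value, chosen prefixes) inside prefix/length using <= f filters.
        shift = 32 - length
        covered = [h for h in hosts if h >> shift == prefix >> shift]
        if f == 0 or not covered:
            return 0, ()
        unknown = (1 << shift) - len(covered)
        gain = (sum(mal.get(h, 0) for h in covered)
                - collateral_weight * sum(leg.get(h, 0) for h in covered)
                - unknown_cost * unknown)
        # Option 1: spend one filter on the whole prefix (only if it pays off).
        val, chosen = (gain, ((prefix, length),)) if gain > 0 else (0, ())
        if length == 32:
            return val, chosen
        # Option 2: split the remaining budget between the two child prefixes.
        half = 1 << (shift - 1)
        for fl in range(f + 1):
            vl, cl = best(prefix, length + 1, fl)
            vr, cr = best(prefix | half, length + 1, f - fl)
            if vl + vr > val:          # strict: ties keep the coarser, cheaper choice
                val, chosen = vl + vr, cl + cr
        return val, chosen

    val, chosen = best(0, 0, budget)
    return val, [str(ipaddress.ip_network((p, l))) for p, l in chosen]


if __name__ == "__main__":
    for budget in (1, 2, 4):
        print(budget, select_filters(MALICIOUS, LEGIT, budget))
```

With one filter the optimizer blocks 10.0.0.0/29 and accepts the collateral damage to 10.0.0.5; with four it can afford to split that prefix into 10.0.0.0/30 and 10.0.0.7/32 and spare the legitimate host. The legitimate host 10.0.1.10 is never covered because the 5000-packet penalty outweighs the 600 malicious packets from its neighbour. The exponential tree walk is fine for a toy input; the project's papers are about doing this optimally at the scale of real attack logs, and with more policies than the single weight used here.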
Characterizing Malicious IP Behavior. In parallel, we are studying the characteristics of several publicly available blacklists (such as Spamhaus) and IDS log repositories (Dshield.org) in order to understand the behavior of malicious IP sources and flows. One goal is to construct blacklists that accurately predict which sources will attack a given network in the near future; such blacklists serve as input to the filtering algorithms, which then decide which of the predicted sources to block. Another goal is to automatically identify patterns of malicious behavior using flow data.
Defense Mechanisms against Phishing Sites. We developed PhishDef, a lightweight yet accurate mechanism for classifying phishing sites based only on the URL string, i.e. without fetching page content or querying external reputation services. We are currently developing a browser plug-in that implements the algorithm on the client side.
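To make "based only on the URL name" concrete, here is an added example that is not PhishDef's code or feature set: it extracts a handful of lexical features that are computable from the URL string alone (IP-literal host, userinfo trick, subdomain depth, brand names outside the registered domain, action words such as "verify") and combines them with hand-picked weights. The weights, the brand and action-word lists, the threshold, and the sample URLs are all assumptions of the example; a real classifier would learn the weights from labelled URLs.

```python
"""Added example (not PhishDef's code): lexical URL features plus an
illustrative hand-weighted score. All lists, weights and URLs are constructed."""
import re
from urllib.parse import urlsplit

BRANDS = {"paypal", "bankofamerica", "chase", "apple", "microsoft", "google"}
ACTION_WORDS = {"login", "signin", "verify", "secure", "account",
                "update", "confirm", "webscr"}
IP_LITERAL = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def url_features(url):
    """Features derived from the URL string only (no DNS, no page fetch)."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    labels = host.split(".") if host else []
    ip_host = bool(IP_LITERAL.match(host))
    # Crude registered-domain guess: the last two labels. This is an
    # assumption; real code should use the Public Suffix List (co.uk etc.).
    registered = ".".join(labels[-2:])
    lower = url.lower()
    tokens = set(re.split(r"[^a-z0-9]+", lower)) - {""}
    return {
        "ip_host": ip_host,
        "has_at": "@" in parts.netloc,          # user@host hides the real host
        "subdomain_depth": 0 if ip_host else max(len(labels) - 2, 0),
        "host_hyphens": host.count("-"),
        "url_len": len(url),
        "action_words": len(tokens & ACTION_WORDS),
        # A brand name anywhere in the URL while the registered domain is not
        # that brand: "paypal.com.evil.net", "/chase/login" on an IP host, etc.
        "brand_outside_domain": any(
            b in lower and not registered.startswith(b + ".") for b in BRANDS),
        "nonstd_port": parts.port not in (None, 80, 443),
    }


# Illustrative weights (assumed, not learned).
WEIGHTS = {"ip_host": 3, "has_at": 3, "brand_outside_domain": 3, "nonstd_port": 1}


def lexical_score(url):
    f = url_features(url)
    score = sum(w for k, w in WEIGHTS.items() if f[k])
    score += min(f["subdomain_depth"], 3) + min(f["host_hyphens"], 2)
    score += f["action_words"] + (1 if f["url_len"] > 75 else 0)
    return score


def is_suspicious(url, threshold=4):
    return lexical_score(url) >= threshold


if __name__ == "__main__":
    for u in ("https://www.paypal.com/signin",
              "http://paypal.com.secure-login.example.net/webscr?cmd=_login",
              "http://203.0.113.7:8080/chase/account/verify.php"):
        print(lexical_score(u), is_suspicious(u), u)
```

Two caveats a practitioner would want: substring brand matching ("apple" in "pineapple.example") and the two-label registered-domain guess both produce false positives, and any fixed weighting is easy for an attacker to game, which is why a learned, regularly retrained classifier is the right tool for production use; the value of URL-only features is that they are cheap enough to evaluate in a browser plug-in before any connection to the site is made.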
Papers and Presentations
Click Fraud Detection
- F. Soldo, A. Metwally, "Traffic Anomaly Detection Based on the IP Size Distribution", in Proc. of IEEE INFOCOM 2012, March 2012.
Phishing
- A. Le, A. Markopoulou, M. Faloutsos, "PhishDef: URL Names Say It All", in Proc. of IEEE INFOCOM 2011 mini-conference, pp. 191-195, Shanghai, China, April 10-15, 2011 (arXiv version, poster, slides)
Spam
- M. Kokkodis, M. Faloutsos, A. Markopoulou, "Network-level characteristics of Spamming: An empirical analysis", in Proc. of ICNP Workshop on Trust and Security in the Future Internet (FIST) 2011, Vancouver, BC, Canada, Oct. 2011.
Prediction/Blacklisting
- F. Soldo, A. Le, A. Markopoulou, "Blacklisting Recommendation System: Using Spatio-Temporal Patterns to Predict Future Attacks", to appear in IEEE JSAC on Forensics for Communications and Networking, Vol. 29, No. 7, pp. 1423-1438, August 2011.
- F. Soldo, A. Le, A. Markopoulou, "Predictive Blacklisting as an Implicit Recommendation System", in Proc. of IEEE INFOCOM 2010. Media coverage of this work by the MIT Technology Review, Slashdot, Dark Reading and ACM TechNews.
- F. Soldo, "Predicting Future Attacks", Tech. Report, Winter 2009.
Filtering
- F. Soldo, K. Argyraki, A. Markopoulou, "Optimal Source-Based Filtering of Malicious Traffic", accepted to IEEE/ACM Transactions on Networking; also available as arXiv:1006.1165.
- F. Soldo, A. Markopoulou, K. Argyraki, "Optimal Filtering of Source Address Prefixes: Models and Algorithms", accepted to INFOCOM 2009 (slides).
- F. Soldo, A. Markopoulou, K. Argyraki, "Optimal Filtering of Malicious IP Sources", Technical Report arXiv:cs.NI/0811.3828, Nov. 2008.
- F. Soldo, A. Markopoulou, "Filtering Malicious Sources: Models and Algorithms", invited talk at the IPAM Workshop II: Applications of Internet MRA to Cyber-Security, UCLA, Oct. 2008 (slides).
- F. Soldo, K. El Defrawy, A. Markopoulou, B. Krishnamurthy, K. van der Merwe, "Filtering Sources of Unwanted Traffic Based on Blacklists", in ITA Workshop '08, San Diego, CA, Jan. 2008 (slides).
- K. El Defrawy, A. Markopoulou, K. Argyraki, "Optimal Allocation of Filters against DDoS Attacks", in Proc. of ITA Workshop '07, UCSD, Jan. 2007 (slides).
- K. El Defrawy, A. Markopoulou, K. Argyraki, "Optimal Filter Allocation against DDoS Attacks", Technical Report arXiv:cs.NI/0612066, arXiv.org, Dec. 2006.