CT-ISG: I-BLOCK: Understanding and Filtering of Malicious IP Traffic

CT-ISG：I-BLOCK：恶意 IP 流量的理解和过滤

• 批准号: 0831530
• 负责人: Athina Markopoulou
• 金额: $ 39.98万
• 依托单位: University of California-Irvine
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2008
• 资助国家: 美国
• 起止时间: 2008-09-01 至 2012-08-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=0831530&HistoricalAwards=false
• 关键词: CT; ISG; BLOCK; Understanding; Filtering

0831530- CT-ISG: I-BLOCK: Understanding and Filtering Malicious IP TrafficAthina Markopoulou and Michalis FaloutsosUC Irvine and UC RiversideHow can network infrastructure be protected from malicious traffic, such as scanning, malicious code propagation, spam, and distributed denial-of-service attacks? This project investigates mechanisms at the network layer for blocking malicious traffic. One such mechanism is IP filtering: access control lists (ACLs) can selectively block traffic based on fields of the IP header. This mechanism is already available in routers today but, in order to be effective, two issues must be addressed. First, one must identify which IP addresses to block, which requires understanding and detection of malicious activity. A key insight to exploit is that malicious traffic exhibits clustering in both time and address space. Second, filters (ACLs) are a scarce resource, because they are stored in the expensive ternary content addressable memory (TCAM). To decrease the number of filters and therefore the cost, aggregation is used: a single filter blocks an entire range of IP addresses; however, this also blocks legitimate traffic originating from that range. Filter selection becomes an optimization problem that tries to block as many malicious and as few legitimate sources as possible, given a limited number of filters.Outcomes of this project will include: (a) methods for modeling malicious traffic at the IP level (b) cost-efficient filtering algorithms and (c) a prototype to be tested in real networks. The problem is challenging and requires synergy between machine learning, data-mining, optimization and algorithmic techniques. The project can impact networking practice, by providing a comprehensive set of tools that can be deployed on today's Internet architecture.

0831530- CT-ISG：I-BLOCK：了解和过滤恶意IP攻击Athina Markopoulou和Michalis FaloutsosUC Irvine和UC RiversideHow can network infrastructure be protected from malicious traffic，such as scanning，malicious code propagation，spam，and distributed denial of service attacks？本项目研究在网络层阻止恶意流量的机制。其中一种机制是IP过滤：访问控制列表（Access Control List，简称ACL）可以根据IP报头的字段选择性地阻止流量。这种机制在今天的路由器中已经可用，但是为了有效，必须解决两个问题。首先，必须确定要阻止哪些IP地址，这需要了解和检测恶意活动。 要利用的一个关键洞察是，恶意流量在时间和地址空间上都表现出集群。第二，过滤器（Filter）是一种稀缺资源，因为它们存储在昂贵的三进制内容可寻址存储器（TCAM）中。为了减少过滤器的数量，从而降低成本，使用聚合：单个过滤器阻止整个范围的IP地址;但是，这也阻止了来自该范围的合法流量。过滤器的选择成为一个优化问题，试图阻止尽可能多的恶意和尽可能少的合法来源，给出了有限的过滤器。这个项目的成果将包括：（a）在IP级别的恶意流量建模方法（B）成本效益的过滤算法和（c）原型在真实的网络进行测试。这个问题具有挑战性，需要机器学习、数据挖掘、优化和算法技术之间的协同作用。该项目可以通过提供一套全面的工具来影响网络实践，这些工具可以部署在当今的互联网架构上。