Towards a theory of intrusion detection
ESORICS'05 Proceedings of the 10th European conference on Research in Computer Security
Hi-index | 0.00 |
Cyber-attackers often use incorrect source IP addresses in attack packets (spoofed IP packets) to achieve anonymity, reduce the risk of trace-back and avoid detection. We present the predictive ingress filtering (InFilter) approach for network-based detection of spoofed IP packets near cyber-attack targets. Our InFilter hypothesis states that traffic entering an IP network from a specific source frequently uses the same ingress point. We have empirically validated this hypothesis by analysis of trace-routes to 20 Internet targets from 24Looking-Glass sites, and 30-days of Border Gateway Protocol-derived path information for the same 20 targets. We have developed a system architecture and software implementation based on the InFilter approach that can be used at Border Routers of large IP networks to detect spoofed IP traffic. Our implementation had a detection rate of about 80% and a false positive rate of about 2% in testbed experiments using Internet traffic and real cyber-attacks.