Cyber Early Warning System (CEWAS)
Abstract
Telcordia has developed innovative technology for the detection of packets with fictitious source IP addresses in large IP networks (e.g. NIPRNet). We present the predictive Ingress Filtering (InFilter) approach for network-based detection of spoofed IP packets near the target of cyber-attacks. Our InFilter hypothesis states that traffic entering an IP network from a specific source frequently uses the same ingress point. We have empirically validated this hypothesis by analysis of 41,000 trace-routes to 20 Internet targets from 24 Looking-Glass sites, and 30 days of Border Gateway Protocol-derived path information for the same 20 targets. We have developed a system architecture and software implementation based on the InFilter approach that can be used at Border Routers of large IP networks to detect spoofed IP traffic. Extensive experimentation revealed that CEWAS exhibited a detection rate of between 80 and 100%, depending on the attack frequency. The false positive rate for CEWAS was typically around 1.6% of all observed traffic in the target network. Both of these metrics compare favorably with the state of the art in Intrusion Detection Systems that do not use signatures of attacks. The project has resulted in two research papers being published in high-quality peer-reviewed conferences, in addition to a patent application.
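The InFilter hypothesis above can be illustrated with a small detector that learns which ingress point each source prefix normally uses and flags packets that arrive elsewhere. This is an added example, not the CEWAS implementation: the /24 aggregation, the 20% share threshold, the router names BR1/BR2 and the flow records are all constructed assumptions.

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed training flows: (source IP, border router where it entered).
TRAINING = [
    ("198.51.100.7", "BR1"), ("198.51.100.9", "BR1"), ("198.51.100.200", "BR1"),
    ("198.51.100.31", "BR2"),  # occasional legitimate route change
    ("203.0.113.5", "BR2"), ("203.0.113.77", "BR2"), ("203.0.113.12", "BR2"),
]

def prefix_of(ip, plen=24):
    """Aggregate a source address to its covering prefix (assumed /24)."""
    return ipaddress.ip_network(f"{ip}/{plen}", strict=False)

def learn(flows, plen=24):
    """Count, per source prefix, how often each ingress point was used."""
    profile = defaultdict(Counter)
    for src, ingress in flows:
        profile[prefix_of(src, plen)][ingress] += 1
    return profile

def classify(profile, src, ingress, min_share=0.2, plen=24):
    """Return 'expected', 'suspect' or 'unknown' for one observed packet."""
    seen = profile.get(prefix_of(src, plen))
    if not seen:
        return "unknown"  # no history for this source: cannot judge
    # Share of past traffic from this prefix that used this ingress point.
    share = seen[ingress] / sum(seen.values())
    # A minority ingress above the threshold is tolerated, which trades
    # some detection for fewer false positives on normal route changes.
    return "expected" if share >= min_share else "suspect"

def suspects(profile, observed):
    """Return the observed (src, ingress) pairs that contradict the profile."""
    return [o for o in observed if classify(profile, *o) == "suspect"]

if __name__ == "__main__":
    profile = learn(TRAINING)
    observed = [("198.51.100.50", "BR1"), ("203.0.113.99", "BR1"),
                ("192.0.2.1", "BR1")]  # constructed test traffic
    for src, ingress in observed:
        print(src, ingress, classify(profile, src, ingress))
```

Sources with no history are reported as unknown rather than suspect, since the hypothesis says nothing about prefixes that have never been observed.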
Document Details
- Document Type: Technical Report
- Publication Date: Mar 01, 2006
- Accession Number: ADA449253
Entities
People
- Abhrajit Ghosh
- Rajesh Talpade