Bloom Filter for Network Security Alex X. Liu & Haipeng Dai

Similar documents
Bloom Filters. References:

Computer Based Image Algorithm For Wireless Sensor Networks To Prevent Hotspot Locating Attack

CACHING IN WIRELESS SENSOR NETWORKS BASED ON GRIDS

Strongly Anonymous Communications in Mobile Ad Hoc Networks

Error Detection and Correction by using Bloom Filters R. Prem Kumar, Smt. V. Annapurna

A Robust Bloom Filter

Wireless Network Security Spring 2015

A Multipath AODV Reliable Data Transmission Routing Algorithm Based on LQI

An Enhanced Bloom Filter for Longest Prefix Matching

One Memory Access Bloom Filters and Their Generalization

Big Data Analytics CSCI 4030

Payload Inspection Using Parallel Bloom Filter in Dual Core Processor

Overlay and P2P Networks. Unstructured networks. Prof. Sasu Tarkoma

Research on WSN Secure Communication Method Based on Digital Watermark for the Monitoring of Electric Transmission Lines

Wireless Network Security Spring 2016

A Survey on Traffic Pattern Discovery in Mobile Ad hoc Network

International Journal of Advance Engineering and Research Development

CS 5114 Network Programming Languages Data Plane. Nate Foster Cornell University Spring 2013

NDN-NIC: Name-based Filtering on Network Interface Card

Bloom Filters and its Variants

Background on Bloom Filter

Denial of Service, Traceback and Anonymity

DO NOT OPEN UNTIL INSTRUCTED

A Scheme of Multi-path Adaptive Load Balancing in MANETs

Mapping Internet Sensors with Probe Response Attacks

Wireless Network Security Spring 2015

Lecture 13: Routing in multihop wireless networks. Mythili Vutukuru CS 653 Spring 2014 March 3, Monday

Model the P2P Attack in Computer Networks

TOWARD PRIVACY PRESERVING AND COLLUSION RESISTANCE IN A LOCATION PROOF UPDATING SYSTEM

A Secure Routing Protocol for Wireless Adhoc Network Creation

Wireless Network Security Spring 2016

CSc 466/566. Computer Security. 18 : Network Security Introduction

Layer 4: UDP, TCP, and others. based on Chapter 9 of CompTIA Network+ Exam Guide, 4th ed., Mike Meyers

An Efficient and Practical Defense Method Against DDoS Attack at the Source-End

PartialSync: Efficient Synchronization of a Partial Namespace in NDN

DDOS Attack Prevention Technique in Cloud

Chapter 8 roadmap. Network Security

Overlay and P2P Networks. Unstructured networks. Prof. Sasu Tarkoma

SMITE: A Stochastic Compressive Data Collection. Sensor Networks

DoS Attacks. Network Traceback. The Ultimate Goal. The Ultimate Goal. Overview of Traceback Ideas. Easy to launch. Hard to trace.

Configuring Flood Protection

Challenges in Mobile Ad Hoc Network

PRIVACY AND TRUST-AWARE FRAMEWORK FOR SECURE ROUTING IN WIRELESS MESH NETWORKS

Distributed Indexing and Data Dissemination in Large Scale Wireless Sensor Networks

A Low-Overhead Hybrid Routing Algorithm for ZigBee Networks. Zhi Ren, Lihua Tian, Jianling Cao, Jibi Li, Zilong Zhang

ECE 697J Advanced Topics in Computer Networks

Chapter 10: Security. 2. What are the two types of general threats to computer security? Give examples of each.

ENSF: ENERGY-EFFICIENT NEXT-HOP SELECTION METHOD USING FUZZY LOGIC IN PROBABILISTIC VOTING-BASED FILTERING SCHEME

Codes, Bloom Filters, and Overlay Networks. Michael Mitzenmacher

Secure Enhanced Authenticated Routing Protocol for Mobile Ad Hoc Networks

Experience with SPM in IPv6

A Real-Time Directed Routing Protocol Based on Projection of Convex Holes on Underwater Acoustic Networks

Secure Routing in Wireless Sensor Networks: Attacks and Countermeasures

Research on Transmission Based on Collaboration Coding in WSNs

Impact of Black Hole and Sink Hole Attacks on Routing Protocols for WSN

Security Issues In Mobile IP

Eradication of Vulnerable host from N2N communication Networks using probabilistic models on historical data

Mapping Internet Sensors with Probe Response Attacks

Pseudonym Based Security Architecture for Wireless Mesh Network

A Hybrid Approach to CAM-Based Longest Prefix Matching for IP Route Lookup

Introduction to Network. Topics

FPX Architecture for a Dynamically Extensible Router

NETWORK INTRUSION DETECTION SYSTEM: AN IMPROVED ARCHITECTURE TO REDUCE FALSE POSITIVE RATE

Initial connection setup. Adding subflow setup. Three-way handshake with MP_CAPABLE Exchange 64 bit key(key-a, Key-B)

PROTECTING SOURCE LOCATION PRIVACY AGAINST WORMHOLE ATTACK USING DAWN IN WIRELESS SENSOR NETWORKS

T Computer Networks II. Mobility Issues Contents. Mobility. Mobility. Classifying Mobility Protocols. Routing vs.

Intrusion Detection System (IDS) IT443 Network Security Administration Slides courtesy of Bo Sheng

THE SECOND GENERATION ONION ROUTER. Roger Dingledine Nick Mathewson Paul Syverson. -Presented by Arindam Paul

SYN Flood Attack Protection Technology White Paper

Use of Symmetric And Asymmetric Cryptography in False Report Filtering in Sensor Networks

CS246: Mining Massive Datasets Jure Leskovec, Stanford University

Scalable overlay Networks

Stateless Network Functions:

The Research of Long-Chain Wireless Sensor Network Based on 6LoWPAN

Source Anonymous Message Authentication and Source Privacy using ECC in Wireless Sensor Network

Computer Networks (Introduction to TCP/IP Protocols)

Increasing the effectiveness of packet marking schemes using wrap-around counting Bloom filter

Secure Routing and Transmission Protocols for Ad Hoc Networks

Energy Optimized Routing Algorithm in Multi-sink Wireless Sensor Networks

20-CS Cyber Defense Overview Fall, Network Basics

CSE 565 Computer Security Fall 2018

Detection of Node Replication Attacks in Mobile Sensor Networks Using Localized Algorithms

Mobile ad hoc networks Various problems and some solutions

ID Bloom Filter: Achieving Faster Multi-Set Membership Query in Network Applications

EFFICIENT AND PRIVACY-AWARE DATA AGGREGATION IN MOBILE SENSING

Outline. What is TCP protocol? How the TCP Protocol Works SYN Flooding Attack TCP Reset Attack TCP Session Hijacking Attack

Project Proposal. ECE 526 Spring Modified Data Structure of Aho-Corasick. Benfano Soewito, Ed Flanigan and John Pangrazio

Dynamic Key Ring Update Mechanism for Mobile Wireless Sensor Networks

Introduction and Statement of the Problem

Difference Bloom Filter: a Probabilistic Structure for Multi-set Membership Query

A Secure Data Transmission Scheme in Wireless Sensor Networks

INTERNET TRAFFIC MEASUREMENT (PART II) Gaia Maselli

Analysis of Black-Hole Attack in MANET using AODV Routing Protocol

Lesson n.11 Data Structures for P2P Systems: Bloom Filters, Merkle Trees

A METHOD TO DETECT PACKET DROP ATTACK IN MANET

DYNAMIC SEARCH TECHNIQUE USED FOR IMPROVING PASSIVE SOURCE ROUTING PROTOCOL IN MANET

Chapter 55 Elimination of Black Hole and False Data Injection Attacks in Wireless Sensor Networks

International Journal of Advanced Engineering Research and Science (IJAERS) [Vol-1, Issue-2, July 2014] ISSN:

Securing MANETs using Cluster-based Certificate Revocation Method: An Overview

Chapter 7. Denial of Service Attacks

Transcription:

Bloom Filter for Network Security Alex X. Liu & Haipeng Dai haipengdai@nju.edu.cn 313 CS Building Department of Computer Science and Technology Nanjing University

Bloom Filters Given a set S = {x 1,x 2,x 3, x n } on a universe U, want to answer queries of the form: Is y S. Bloom filter provides an answer in Constant time (time to hash). Small amount of space. But with some probability of being wrong. Alternative to hashing with interesting tradeoffs. 2

B B B Bloom Filters Start with an m bit array, filled with 0s. 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 Hash each item x j in S k times. If H i (x j ) = a, set B[a] = 1. 0 1 0 0 1 0 1 0 0 1 1 1 0 1 1 0 To check if y is in S, check B at H i (y). All k values must be 1. 0 1 0 0 1 0 1 0 0 1 1 1 0 1 1 0 Possible to have a false positive; all k values are 1, but y is not in S. B 0 1 0 0 1 0 1 0 0 1 1 1 0 1 1 0 n items m = cn bits k hash functions 3

False Positive Probability Pr(specific bit of filter is 0) is kn kn/ m p' (1 1/ m) e p If ρ is fraction of 0 bits in the filter then false positive probability is k k k k / c k (1 ρ) (1 p ') (1 p) = (1 e ) Approximations valid as ρ is concentrated around E[ρ]. Martingale argument suffices. Find optimal at k = (ln 2)m/n by calculus. So optimal fpp is about (0.6185) m/n n items m = cn bits k hash functions 4

Example False positive rate 0.1 0.09 0.08 0.07 0.06 0.05 0.04 0.03 0.02 0.01 0 Opt k = 8 ln 2 = 5.45... 0 1 2 3 4 5 6 7 8 9 10 Hash functions m/n = 8 n items m = cn bits k hash functions 5

Handling Deletions Bloom filters can handle insertions, but not deletions. If deleting x i means resetting 1s to 0s, then deleting x i will delete x j. x i x j B 0 1 0 0 1 0 1 0 0 1 1 1 0 1 1 0 6

Counting Bloom Filters B B B B Start with an m bit array, filled with 0s. 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 Hash each item x j in S k times. If H i (x j ) = a, add 1 to B[a]. 0 3 0 0 1 0 2 0 0 3 2 1 0 2 1 0 To delete x j decrement the corresponding counters. 0 2 0 0 0 0 2 0 0 3 2 1 0 1 1 0 Can obtain a corresponding Bloom filter by reducing to 0/1. 0 1 0 0 0 0 1 0 0 1 1 1 0 1 1 0 7

Counting Bloom Filters: Overflow Must choose counters large enough to avoid overflow. Poisson approximation suggests 4 bits/counter. Average load using k = (ln 2)m/n counters is ln 2. Probability a counter has load at least 16: Failsafes possible. We assume 4 bits/counter for comparisons. e ln 2 (ln 2) 16 /16! 6.78E 17 8

d-left Hashing Split hash table into d equal subtables. To insert, choose a bucket uniformly for each subtable. Place item in a cell in the least loaded bucket, breaking ties to the left. 9

Properties of d-left Hashing Analyzable using both combinatorial methods and differential equations. Maximum load very small: O(log log n). Differential equations give very, very accurate performance estimates. Maximum load is extremely close to average load for small values of d. 10

Example of d-left hashing Consider 3-left performance. Average load 4 Load 0 2.3e-05 Load 1 6.0e-04 Load 2 1.1e-02 Load 3 1.5e-01 Load 4 6.6e-01 Load 5 1.8e-01 Load 6 2.3e-05 Load 7 5.6e-31 Average load 6.4 Load 0 1.7e-08 Load 1 5.6e-07 Load 2 1.2e-05 Load 3 2.1e-04 Load 4 3.5e-03 Load 5 5.6e-02 Load 6 4.8e-01 Load 7 4.5e-01 Load 8 6.2e-03 Load 9 4.8e-15 11

A taxonomy of Bloom filter Application in Network Security 12

Wireless Networks: Authentication A protocol to authenticate messages flooded in large-scale WSNs. Each sensor node is preloaded with l symmetric keys and k hash functions. The sink also maintains k hash functions and n keys. The sink constructs n message authentication codes (MACs) using the n keys. These resulting MACs are then inserted into the BF. Subsequently, the BF is flooded along with the message in the whole network. When the message arrives at each node, l MACs are constructed again in the same way by using l keys stored in the node. These l MACs are sought in the arrived BF. When a zero value is found, the message is assumed to be invalid; otherwise, it is sent to the neighbor nodes. Moreover, they proposed to use compressed Bloom filters for reducing false positive rate and the size of BF. J.H. Son, H. Luo, S.W. Seo, Authenticated flooding in large-scale sensor networks, in: IEEE International Conference on Mobile Adhoc and Sensor Systems (MASS), 2005, pp. 536 543. 13

Wireless Networks: Authentication BMAP Bloom filter construction and verification J.H. Son, H. Luo, S.W. Seo, Authenticated flooding in large-scale sensor networks, in: IEEE International Conference on Mobile Adhoc and Sensor Systems (MASS), 2005, pp. 536 543. 14

Wireless Networks: Node Authentication In data-centric sensor networks, key BFs have been used for generating query messages and enhancing the privacy of information against various attacks. In order to avoid performing membership test by the attacker, the IDs of all storage cells are encrypted using cell keys, and then hashed and inserted into the BF. In this scheme, when the query message arrives at a cell, it is sought in the key BF. If the neighbor is in the BF, the message is sent to that neighbor. M. Shao, S. Zhu, W. Zhang, G. Cao, Y. Yang, pdcs: security and privacy support for data-centric sensor networks, IEEE Transactions on Mobile Computing 8 (8) (2009) 1023 1138. 15

Wireless Networks: Anonymity A secure anonymous routing protocol for clustered ad hoc network. Because of using BFs, this protocol does not require any public key operation. In this scheme, BF has been used to both anonymous data transmission and anonymous route discovery. The identities of the nodes in the route from source to destination are mapped into the BF. Therefore, to hide the ID, the node only needs to hash its ID by k hash functions and set the corresponding bits in the BF. In the data transmission phase, the BF containing routing information is sent along with the message. S. Chen, L. Xu, Z. Chen, Secure anonymous routing in trust and clustered wireless ad hoc networks, in: Second International Conference on Communications and Networking in China, 2007, pp. 994 998. 16

Wireless Networks: Firewall In mesh networks, firewall schemes are essential to classify and filter traffic. Each node adopts a Bloom filter to represent all packets accepted by the node, and then distributes the Bloom filter to all nodes in the network. When a node wants to forward a packet, it queries the packet from all Bloom filters it has received from other nodes. If it is found, the packet is forwarded; otherwise, it is discarded. In this scheme, a firewall rule is presented by the set R = {sourceip, destinationip, sourceport, destinationport}. L. Maccari, R. Fantacci, P. Neira, R.M. Gasca, Mesh network firewalling with Bloom filters, in: IEEE International Conference on Communications (ICC), 2007, pp. 1546 1551. 17

Wireless Networks: Tracebacking Cooperative sensors utilize multi-dimensional BFs, named space time Bloom filters, to maintain the attributes of the packets in order to traceback the attacker packets. In addition to the packet information, the ID of the forwarding node is also added to the input string of the hash functions. When passing a packet through a sensor, this packet is mapped into the BF of the sensor. Later, the BF will be used to reconstruct the attack graph. However, this scheme has been designed for a small sensor network, and it has no feature to recompute the attack path. D. Sy, L. Bao, CAPTRA: coordinated packet traceback, in: Proceedings of the fifth international conference on Information Processing in Sensor Networks, 2006, pp. 124 135. 18

Wireless Networks: Tracebacking Space-Time Bloom Filter for Packet Tracking Packet Tracing Process using Space-Time Bloom Filter D. Sy, L. Bao, CAPTRA: coordinated packet traceback, in: Proceedings of the fifth international conference on Information Processing in Sensor Networks, 2006, pp. 124 135. 19

Wireless Networks: Node replication detection A cell forwarding and cross forwarding to improve the node replica detection in WSNs. The proposed schemes use BFs to store the information stored at the sensors to reduce the memory usage of intermediate nodes in LSM. These schemes use two BFs, one for storing ID of the nodes (ID filter) and the other one for keeping the locations (location filter). Subsequently, these two BFs will be utilized by the nodes to detect conflicting claims in the subsequent operations. These schemes are based on distributing the location claims to relay nodes in the network. Since the location claim is distributed to many nodes in the network, it increases a chance to detect the node replication. A lot of communication overhead, despite of using BFs, because they try to forward the location claims to intermediate nodes which act as a witness node M. Zhang, V. Khanapure, S. Chen, X. Xiao, Memory efficient protocols for detecting node replication attacks in wireless sensor networks, in: 17th IEEE International Conference on Network Protocols (ICNP), 2009, pp. 284 293. 20

Wired Networks: String Matching A set of hardware BFs have been used in parallel to verify which input flow matches against a set of predefined signatures. In this architecture, each BF maintains the signatures of a particular length. Therefore, each BF is utilized to find the strings of a specific length in the input stream. In each run, a window of the data stream is inspected by the system. If each of these BFs detects a match, the string is delivered to the analyzer to perform exact matching; otherwise, the next byte of the stream is processed. If there are multiple matches for different lengths, the longest one is selected. S. Dharmapurikar, P. Krishnamurthy, T. Sproull, J. Lockwood, Deep packet inspection using parallel bloom filters, IEEE Micro 24 (1) (2004) 52 61. 21

Wired Networks: String Matching A window of streaming data containing strings of length from L min = 3 to L max = w S. Dharmapurikar, P. Krishnamurthy, T. Sproull, J. Lockwood, Deep packet inspection using parallel bloom filters, IEEE Micro 24 (1) (2004) 52 61. 22

Wired Networks: Spam filtering An approximate method was proposed to speed up spam filter processing. It utilizes BFs in two techniques, called approximate pruning and approximate lookup. In the former case, an m-bit BF is used to maintain the tokens resulting from parsing each message in order to reduce the delay of searching repeated tokens when performing approximate membership test. In the latter case, a 2D BF is used to reduce memory requirement by supporting information retrieval. The authors reported that the scheme has shown a factor of 6x speedup with similar false negative rates and identical false positive rates compared to the original filters Z. Zhong, K. Li, Speedup statistical spam filter by approximation, IEEE Transactions on Computers 60 (1) (2010) 120 134. 23

Wired Networks: Spam filtering Bayesian filter stages: (a) The stage with its output and (b) the speedup techniques corresponding to the stages. Z. Zhong, K. Li, Speedup statistical spam filter by approximation, IEEE Transactions on Computers 60 (1) (2010) 120 134. 24

Wired Networks: DoS and DDoS attacks detection SYN Flood Attack C. Sun, C. Hu, Y. Tang, B. Liu, More accurate and fast SYN flood detection, in: Proceedings of 18th IEEE International Conference on Computer Communications and Networks (ICCCN), 2009, pp. 1 6. 25

Wired Networks: DoS and DDoS attacks detection SACK uses Client ACK (CliACK) packets to detect SYN flooding attacks. SACK applies SYN/ACK CliACK pair to detect the victim server. Two CBFs are used to maintain the full information of TCP connection, including the 6-tuple of the output SYN/ACK packet, i.e., source and destination s IP addresses, source and destination s ports, sequence number and ACK sequence number, and also the same 6-tuple of the input ACK packet. The logic architecture of SACK C. Sun, C. Hu, Y. Tang, B. Liu, More accurate and fast SYN flood detection, in: Proceedings of 18th IEEE International Conference on Computer Communications and Networks (ICCCN), 2009, pp. 1 6. 26

Summary Bloom filter variants and their contribution to network security; false positive (FP), false negative (FN). 27

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback