Reducing false rate packet recognition using Dual Counting Bloom Filter

Telecommunication Systems

Abstract

Distributed Denial of Service (DDoS) attacks are a serious threat to Internet security. Much research effort focuses on detection and prevention methods on the victim server side or the source side. The Bloom filter is a space-efficient data structure used to support pattern matching problems. In network applications it is used for deep packet inspection of headers and payloads, and for matching predefined strings to detect irregularities. In intrusion detection systems, the accuracy of pattern matching algorithms is crucial for dependable detection of matching pairs, and their complexity usually poses a critical performance bottleneck. In this paper we propose a novel Dual Counting Bloom Filter (DCBF) data structure that decreases false detection of matching packets and is applicable to the \(\textit{SACK}^2\) algorithm. A theoretical evaluation determines the false rate probability of detection and the additional memory required. The proposed approach significantly reduces the false rate compared to previously published results. The results indicate that the increased complexity of the DCBF does not prevent efficient hardware implementation on resource-constrained embedded systems. The experimental evaluation was performed using extensive simulations based on real Internet traces of a wide area network link, and it showed that DCBF significantly reduces the false rate.
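The DCBF builds on the counting Bloom filter, whose false rate is the quantity the abstract evaluates. The following is an added example, not the paper's code or its DCBF design: a minimal counting Bloom filter with the standard false positive estimate, used in the matching-packet role the abstract describes (insert a flow key when a handshake opens, delete it when the matching packet arrives, report keys still apparently unmatched). The double-hashing scheme, parameters and flow keys are assumptions of this example.

```python
import hashlib
import math


class CountingBloomFilter:
    """Counting Bloom filter: m counters, k hash positions per item; deletions allowed."""

    def __init__(self, m, k):
        self.m, self.k = m, k
        self.counters = [0] * m

    def _indexes(self, item):
        # Double hashing over two halves of SHA-256 (assumed scheme, not the paper's).
        d = hashlib.sha256(item.encode()).digest()
        h1 = int.from_bytes(d[:8], "big")
        h2 = int.from_bytes(d[8:16], "big") | 1  # odd step so all counters are reachable
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def insert(self, item):
        for i in self._indexes(item):
            self.counters[i] += 1

    def delete(self, item):
        # Decrement only if every counter is non-zero; avoids underflow on absent keys.
        idx = self._indexes(item)
        if not all(self.counters[i] > 0 for i in idx):
            return False
        for i in idx:
            self.counters[i] -= 1
        return True

    def contains(self, item):
        # May return True for an item never inserted (false positive), never False for one present.
        return all(self.counters[i] > 0 for i in self._indexes(item))


def false_positive_rate(m, k, n):
    """Classic estimate (1 - e^(-kn/m))^k after n insertions into m counters with k hashes."""
    return (1 - math.exp(-k * n / m)) ** k


def unmatched_flows(opened, completed, m=1024, k=4):
    """Insert one key per handshake-opening packet, delete it on the matching
    completing packet; return the opened keys the filter still reports present."""
    cbf = CountingBloomFilter(m, k)
    for key in opened:
        cbf.insert(key)
    for key in completed:
        cbf.delete(key)
    return [key for key in opened if cbf.contains(key)]
```

Constructed flow keys such as "10.0.0.1:1234->10.0.0.2:80" suffice as input; the estimate from false_positive_rate shows why a small m relative to n inflates spurious "matched" results.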



Acknowledgements

The authors would like to thank Central Informatics Support staff at Zagreb University of Applied Sciences for gathering the data.


Correspondence to Ivica Dodig.

Ethics declarations

Conflict of interest

On behalf of all authors, the corresponding author states that there is no conflict of interest.


Cite this article

Dodig, I., Sruk, V. & Cafuta, D. Reducing false rate packet recognition using Dual Counting Bloom Filter. Telecommun Syst 68, 67–78 (2018). https://doi.org/10.1007/s11235-017-0375-3


  • DOI: https://doi.org/10.1007/s11235-017-0375-3
