Design of the Host Guard Firewall for Network Protection
KAMEL H. RAHOUMA* AND KHALID S. NASR**
Electrical Engineering Department,
Faculty of Engineering,
Minia University, Minia, EGYPT
*kamel_rahouma (**khalid_salih) @ yahoo.com
Abstract:- This paper presents a new design for a packet filtering firewall, called the Host Guard Firewall (HGF), which helps to mitigate the most pressing problems facing the global Internet. It also presents a newly designed Host Guard Protocol (HGP) which helps to authenticate the authorized packets.
The new HGF firewall acts in the reverse direction, like a military checkpoint that does not allow anyone to cross the point without an authenticated permission. The authenticated permission here is an authentication mark given to the passing authorized packets. The HGF is used as a DoS defense system deployed at a source-end network.
The HGP guarantees authenticity between the hosts on the network. This is done by signing the trusted outgoing packets with the HGP authentication mark, which is the permission for these packets to pass through the network. The HGP mark is proposed as a puzzle which is generated and identified by the same intended programs. The authentication mark could be generated and protected using electronic and encryption means at the data link layer of the Open Systems Interconnection (OSI) network configuration.
Keywords:- Firewalls, Network protection, Host guard firewall, Host guard protocol, Packet filtering, DoS attack.
1- Introduction
A firewall is a component or a set of components that restricts access between a protected network and the Internet, or between other sets of networks, and relays only data packets that are clearly intended for and authorized to reach the other side [1].
The function of a firewall is conventionally specified as a sequence of rules. Each rule in a firewall is of the form <Predicate> → <Decision>, where the <Predicate> of a rule is a Boolean expression over some packet fields together with the physical network interface on which a packet arrives. The <Decision> of a rule can be accept, or discard, or a combination of these decisions with other options such as the logging option. A packet matches a rule if and only if (iff) the packet satisfies the predicate of the rule [2].
A firewall can be classified as a software program or a hardware device that filters the incoming packets and, in some installations, the outgoing packets [3,4]. Firewalls, virtual private networks (VPNs), authentication and encryption are essential parts of network security. They must be considered as pieces of a puzzle (security issues), as shown in figure (1), to obstruct any attempt to attack [5]. Firewalls are designed to provide "policy-based" network filtering [6]. Here, we are interested in firewalls because they are the cornerstones and core elements of network security [7-9].
In this paper, we propose a new firewall design, called the Host Guard Firewall (HGF), which is composed of a modified stateful packet filtering firewall and a new unit, called the Host Guard Protocol (HGP). This new design assists in mitigating the most pressing problem facing firewalls and the global Internet, namely denial of service (DoS) attacks.
Figure (1): Pieces of the security policy (issues) [10]
The paper is divided into five sections followed by a list of references. Section (2) introduces the stateful packet filtering firewall. Section (3) presents the newly proposed host guard firewall, including its detection system, its architecture and its main components according to the OSI layers. Section (4) presents the flowcharts and algorithms for each component in the proposed design and discusses some implementation issues. Section (5) concludes with some points and remarks.
2- The stateful packet filtering firewalls
There are several classifications of firewalls [1, 14-17]. One main classification divides firewalls into two main types, the packet filtering and the proxy server types. Any other types of firewalls can fall under these two broad types. Operations that are simple but need to be done fast and on individual packets are easier to do in packet filtering systems. But operations that require
Proceedings of the 7th WSEAS International Conference on INFORMATION SECURITY and PRIVACY (ISP '08)
ISSN: 1790-5117 61 ISBN: 978-960-474-048-2
detailed protocol knowledge or prolonged tracking of
past events are easier to do in proxy systems.
A proxy is something or someone who does something
on behalf of somebody else [1]. Proxy services are
specialized applications or server programs that take
users' requests for Internet services (such as FTP and
Telnet) and forward them to the actual services. The
proxies provide replacement connections and act as
gateways to the services. For this reason, proxies are
sometimes known as application-level gateways [1].
Proxy services are effective only when they're used in
conjunction with a mechanism that restricts direct
communications between the internal and external hosts.
Packet filtering firewalls function at the IP packet level (the network layer). Every packet is inspected against the firewall rules. Once the firewall has looked at all the information, a straightforward packet filtering router either sends the packet on to the destination it was bound for; drops the packet (just forgets about it, without notifying the sender); rejects the packet (refuses to forward it and returns an error to the sender); logs the information about the packet; or sets off an alarm to notify somebody about the packet immediately [1]. Packet filtering firewalls can accordingly be classified into three types [1, 18, 19]: static packet filtering firewalls, dynamic packet filtering firewalls, and stateful packet filtering firewalls. The stateful packet filter can keep track of packets. Almost all stateful packet filters are also capable of looking at the contents of packets, and many of them can modify these contents [1]. This is useful for applications that need to keep track of packets and observe the traffic at a flow and connection granularity, at the fourth layer (the transport layer) [20].
Before building a firewall, it is important to understand exactly what network resources and services must be protected and what kinds of attacks form the pressing problems hindering network security. Besides that, a trade-off between complexity and security needs must be taken into account. The most pressing problems for packet filtering firewalls are the complexity of configuring and ordering the filtering rules and the complications of IP fragmentation.
Firewall filtering rules should be carefully written and
organized in order to correctly implement the security
policy [21]. Generally, the filtering rules are expressed
in a table of conditions and actions that are applied in a
certain order until a decision to allow or drop the packet
is reached [16].
Fragmentation means the ability to divide a large packet into smaller packets, called fragments, which can traverse the communication link. The fragments are then reassembled into the full packet by the destination machine [1]. The common packet filtering approach to fragmentation is to allow any non-first fragments to pass through and to do packet filtering only on the first fragment of a packet. This showed problems with fragmented packets and attacks where the destination host holds the non-first fragments in memory for a while, waiting to see if it gets the missing first fragment. This makes it possible for attackers to use fragmented packets in a DoS attack. When the destination host gives up on reassembling the packet, it sends an ICMP "packet reassembly time expired" message back to the source host, which tells an attacker that the host exists and that the connection didn't succeed. Also, attackers can use specially fragmented packets to conceal data [1, 19].
The most pressing vulnerability facing firewalls in general is the differentiation between legitimate traffic and attack traffic. The most effective feature of DoS attacks is that the attack traffic can be made arbitrarily similar to legitimate traffic. This complicates the defenses. The aim of the attack is to disrupt the normal operation of the targeted network system by consuming (exhausting) its resources (memory, buffers, CPU time to compute responses, etc.) or the resources on the way to the victim (network bandwidth) [22, 23].
A DoS attack can be more severe when an attacker uses
multiple hosts over the Internet to storm a victim, where
the attacker compromises many hosts and deploys
attacking agents on them. The attacker signals all agents
to simultaneously launch an attack on a victim with a
flood of packets, and thereby overwhelm its resources
and render it incapable of performing normal services
for legitimate users. This type of attack is called the
Distributed Denial of Service attack (DDoS). Thus, the
power of the DDoS attack is amplified and the problem
of defense is made more complicated. There are two
major impacts of the DoS/DDoS attacks. These are: the
consumption of the host’s resources and the
consumption of the network bandwidth [24].
The current DDoS defense systems can be divided into autonomous systems (a single defense node or point) and distributed systems (multiple defense nodes or points). In distributed systems the nodes communicate through the network and coordinate their actions to achieve a better overall defense. We are concerned here with autonomous systems, which are divided according to the point of defense: at the victim, in the intermediate network, or at the source. Defense at the source-end network is more efficient than defense at the victim-end network or at an intermediate system: the source-end defense observes only a small portion of the attack, which enables an effective response and minimizes any collateral damage [25].
From the discussion of DoS/DDoS attacks and types of firewalls, we need a firewall that operates at the TCP/UDP level (the transport layer). The suitable type of firewall that manages traffic at that level is the stateful packet filtering firewall. In addition, the methods of designing stateful firewalls can be used to assist the design of proxy servers. The stateful firewall model consists of two sections: a stateful section and a stateless section. Each section consists of a sequence of rules. For every packet, the stateful section is used to check whether the state has a previous packet that may affect the current packet's state. The stateless section is used to decide the state of each packet based on the information in the packet itself and its tag value.
3- The Host Guard Firewall
The Host Guard Firewall (HGF) is a modified stateful packet filtering firewall combined with a newly proposed Host Guard Protocol (HGP). The stateful packet filtering is composed of a modified packet filtering firewall that operates at the third layer (network layer) together with a new observation unit which observes the traffic at the transport layer. The HGF is designed to serve as a DoS defense system and to operate at the source-end host as a reverse firewall that manages the outgoing packets according to statistical analysis and algorithms which manage the policing rules.
3.1. The HGF detection system
The HGF defense system operates, apparently, as an autonomous system, detecting attacks and responding to them without communication with any other entity. It can also operate implicitly as a participant in a distributed defense system, where it sends an authentication mark to a destination host using the HGP authentication protocol; the mark is checked by the other hosts during the communication to guarantee legitimate transactions between all the hosts on the Internet. All hosts connected to the Internet are forced to use the HGF firewall to be granted access to the services on the network. The HGF can thus observe every packet exchanged between the host and the outside world. Figure (2) shows the placement of the HGFs and their operation.
The HGF detects outgoing DoS attacks by monitoring the two-way traffic between the source-end host and the rest of the Internet. The system looks for any anomalies in the traffic that may be considered signs of a DoS attack. Among these anomalies are the presence of IP spoofing (the creation of IP packets using somebody else's IP source address) and the non-responsive foreign host (an aggressive sending rate coupled with a low response rate).
The most famous attacks using IP spoofing are the DoS/DDoS attacks. Many works in the literature propose detection and prevention of IP spoofing at the server level (ISP, proxy server, etc.) using ingress and egress filters, but none presents a technique to detect and prevent IP spoofing at the host level.
In this paper we propose a technique that joins the host level and the server level to hinder IP spoofing, to maintain the use of a unique IP address for a unique host, and to prevent changing the IP unless the host has been given permission from the main server which manages the communication between each pair of hosts with unique IPs.
Figure (2): operation of HGF Firewalls at each host on
the Internet.
To hinder IP spoofing in the case of accessing the Internet through a telephone line connected to an ISP (with dynamic addresses), the user doesn't select an IP address; the ISP gives him/her an available IP address from the local address pool. We suggest that the ISP should make an attachment between the given IP and the telephone number and record this attachment in its logs. If the user is online and wants to use a different IP, the ISP hinders him/her. If the user signs out and tries to sign in again, the ISP will give him/her another IP address and store the new attachment (telephone number with the new IP address) in its logs. If the user commits any attack, it is easy to trace his/her IP address, which is attached to the telephone number. In the case of connecting directly (with static addresses), the user types an available IP address for his computer, and there is flexibility to change this IP address more than once within the local address set. The suggested solution for this problem is to collect and store the physical features (serial numbers of the motherboard, CPU, VGA card, sound card, etc.) as well as the IP address of the host. Thus, if a host wants to attach to the network (LAN, WAN, etc.), it attaches with a certain IP address from the IP set available in its domain and known to the server. At that time the server sends a query to the host to get information about its physical features and couples them with its IP address. Then the host is granted permission to access the resources with a certain unique IP address. If a host wants to access with an IP address already in use online, the server denies its request. If a host wants to access using an IP address which is reserved for a certain offline host, the server also denies its request. However, if the reserved IP of a certain host is not used for a long time, based upon certain conditions and security policies, the server may grant that IP to a new host requesting access to the network. This helps us identify the original source-end host and revoke compromised hosts. Besides that, the ingress and egress filters at the server level can be used as a complementary defense against any leakage of spoofed IP addresses.
Sometimes, the non-responsive foreign host is known as an aggressive sending rate coupled with a low response rate. Mirkovic states [26] that this anomaly pertains only to two-way communications that follow a request/response paradigm such as TCP, some types of ICMP traffic, DNS traffic, NTP traffic, etc. In these communications, one party sends one or several packets to the other party and waits for a reply before sending any more packets. For such communications it is anomalous to observe an aggressive sending rate coupled with a low response rate. A low response rate is perceived by the HGF as an indication that the foreign host may be overwhelmed by the attack and cannot reply, while an aggressive sending rate indicates that the local host is likely performing the attack. By detecting non-responsive foreign hosts, the HGF actually aims to detect the occurrence of the DoS effect. Tying detection to the DoS effect may lead to "after-the-fact" detection, once damage has been done. It would be better if the detection could be performed in the early stages of the attack, thus preserving more of the victim's resources. Early detection can be handled through the HGF firewall: the HGF responds by revoking the marking of the outgoing packet flow from the source-end host (local host) to the outside network, and thus relieves the victim of a heavy traffic volume.
3.2 The HGF architecture
The HGF is a self-regulating reverse-feedback system. It consists of a stateful packet filtering firewall and an HGP marking unit. The stateful packet filtering is a modified packet filtering firewall that operates at the network layer, together with an observation unit that operates at the transport layer. Figure (3) shows the architecture of the proposed HGF.
The HGF can perform the differentiation between legitimate and attack traffic by monitoring the flows and the connections all the time, analyzing them statistically and constructing a set of legitimate traffic models as reference models. The HGF compares any outgoing traffic against the legitimate traffic models and prevents any malicious traffic that violates these models. A mismatch is then likely a sign of an attack. The traffic model classification can be done through the modified stateful packet filtering, which is composed of a modified packet filtering unit and an observation unit.
Figure (3): Architecture of the proposed HGF.
The legitimate traffic models can be divided into legitimate flow models and legitimate connection models, where a flow is a group of connections. The flow classification can be done at the network layer through the modified packet filtering unit according to the IP source/destination addresses. This can be achieved using statistical detection methods such as the packet inter-arrival time and the entropy. A flow that clearly matches the corresponding model is deemed a legitimate flow; otherwise it is deemed an attack flow. The connection classification can be done at the transport layer through the observation unit according to the outbound/inbound services. This can be achieved using a sequential change-point detection algorithm known as CUSUM (cumulative sum). The connections that clearly match the model are deemed legitimate connections; otherwise they are deemed attack connections.
3.2.1 The Observation Unit
The observation unit monitors all the packets passing through the source-end host and gathers statistics on the two-way communications between the host and the rest of the Internet. Periodically, these statistics are compared to the models of legitimate connections and the connections are thus classified. The connection classification is performed at each Connection Observation Interval. During classification, the HGF compares the connection statistics to the corresponding legitimate connection models. About 90% of the Internet traffic is TCP traffic [26, 27], which is the base for most of the transport layer services. Therefore we will concern ourselves with building the legitimate TCP connection model.
The TCP protocol uses a two-way communication paradigm to achieve reliable delivery. Normal TCP communication can be modeled by the ratio of the number of packets sent to and received from a specific destination. This ratio is ideally one, but due to some network factors such as network congestion and different TCP implementations it is pushed to slightly higher values. Mirkovic suggests that the legitimate TCP connection model defines TCPrto (with a value of 3) as the maximum allowed ratio of the number of packets sent to the number of packets received on the connection. The connection is classified as an attack connection if its packet ratio is above the threshold [28, 29].
3.2.2 The packet filtering unit
The packet filtering unit is an ordinary packet filter with some modifications, using some of the statistical detection methods, that promote it from stateless packet filtering to the first grade (or rank) of stateful packet filtering.
Ordinary packet filters build their security policy and their decisions according to a set of stateless rules. But with the newly proposed packet filtering unit, the security policy and decisions are based on a set of stateful rules. The flow classification is performed at each Flow Observation Interval, and it can be fulfilled using statistical detection techniques like the packet inter-arrival time and the entropy.
3.2.3 The HGP marking unit
The first idea for our proposed HGP protocol was to use authentication packets or marks generated randomly, with a probability that accommodates the trade-off between avoiding bandwidth congestion and guaranteeing legitimate transactions between hosts. But this technique is vulnerable to attacks where the attacker may inject malicious packets between the legitimate ones. Therefore, we propose an alternative technique where the HGP uses an authenticated mark attached to every trusted outgoing packet. All packets are then inspected separately for that mark.
Thus, in short, the observation and packet filtering units are responsible for deciding the authenticity of any passing packet depending on some statistical rules and policies. Then, the HGP marking unit generates the authentication mark and protects it from faking or spoofing. Several methods and schemes of packet marking have been proposed in the literature [22, 30-32]. All these schemes were proposed at the router level or at the ISP level; nothing was proposed for packet marking at the source-end host level. The HGP unit creates the authentication mark, forces the users to use it, and protects this authentication mark from faking. The system assumes, firstly, that all the HGP units in use have the same program which creates (at the source) and identifies (at the destination) the authentication mark.
The most suitable technique for creating this mark is to generate it as a puzzle which is difficult to solve without the intended solving program. Thus, when the sending host wants to sign the outgoing trusted packets with authentication marks, it creates a puzzle P and the solution S of this puzzle, and it uses a hash function to hash the puzzle together with its solution, h(p,s), and the solution alone, h(s). The sending host (through the HGP unit) divides the stream of outgoing packets into samples of packets. The HGP unit signs the first packet in each sample with the puzzle-and-solution digest h(p,s), and the rest of the packets in the sample are signed with the solution digest h(s) only. The location in the packet where the mark is placed is randomly chosen. This of course means that a pseudo-random number generator is to be used to determine the location.
The destination host generates the puzzle-and-solution digest h(p,s) and the solution digest h(s) in the same way they were calculated at the source end. When the authenticated packets reach the destination host, it detects the packet marks. If a received packet does not have the mark, the host discards it. If the received packet is signed with an authentication mark (the puzzle-and-solution digest h(p,s) in the first packet of the sample, and the solution digest h(s) only in the rest of the sample packets), the host extracts the puzzle and solution digests from the packets. The host then compares the created digests to the received ones based on the location of the mark in the packet. If the generated and received digests match, the packets are allowed to pass; otherwise they are discarded. To protect this mark from faking or spoofing, the mark generation part can be separated from the attacker by physically programming and encrypting it on a separate IC chip [33, 34].
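A toy model of the marking and checking steps just described, added here as an example (not the paper's or the authors' code). It assumes that both HGP units already share the puzzle P and its solution S, that h is SHA-256, that the mark is the first 8 bytes of the digest, that a sample is 4 packets, and that the mark offset comes from a PRNG seeded with h(s) and the sample index so that sender and receiver derive the same location.

```python
"""Toy model of the HGP marking unit (added example, not the paper's code).
Assumptions: both HGP units share the puzzle P and solution S in advance;
h is SHA-256; the mark is the first MARK_LEN bytes of the digest; a sample is
SAMPLE_SIZE packets; the mark offset is drawn from a PRNG seeded with h(s) and
the sample index, so sender and receiver compute the same location."""
import hashlib
import random

MARK_LEN = 8      # bytes of digest carried as the mark (assumption)
SAMPLE_SIZE = 4   # packets per sample (assumption)


def digests(puzzle, solution):
    """Return (h(p,s), h(s)) as in the text, truncated to MARK_LEN bytes."""
    hps = hashlib.sha256(puzzle + solution).digest()
    hs = hashlib.sha256(solution).digest()
    return hps[:MARK_LEN], hs[:MARK_LEN]


def mark_offset(hs, sample_index, payload_len):
    """Pseudo-random location of the mark inside the payload, in 0..payload_len."""
    seed_material = hs + sample_index.to_bytes(4, "big")
    seed = int.from_bytes(hashlib.sha256(seed_material).digest(), "big")
    return random.Random(seed).randrange(payload_len + 1)


def sign_stream(payloads, puzzle, solution):
    """Sender side: h(p,s) goes into the first packet of each sample, h(s) into the rest."""
    hps, hs = digests(puzzle, solution)
    signed = []
    for i, payload in enumerate(payloads):
        sample_index, pos = divmod(i, SAMPLE_SIZE)
        mark = hps if pos == 0 else hs
        off = mark_offset(hs, sample_index, len(payload))
        signed.append(payload[:off] + mark + payload[off:])
    return signed


def verify_stream(packets, puzzle, solution):
    """Receiver side: recompute digests and offsets, strip valid marks.

    Returns (accepted payloads with the mark removed, number of packets
    discarded because the mark was missing or did not match)."""
    hps, hs = digests(puzzle, solution)
    accepted, dropped = [], 0
    for i, pkt in enumerate(packets):
        sample_index, pos = divmod(i, SAMPLE_SIZE)
        expected = hps if pos == 0 else hs
        if len(pkt) < MARK_LEN:            # too short to carry a mark at all
            dropped += 1
            continue
        off = mark_offset(hs, sample_index, len(pkt) - MARK_LEN)
        if pkt[off:off + MARK_LEN] != expected:
            dropped += 1                   # unmarked or forged packet
            continue
        accepted.append(pkt[:off] + pkt[off + MARK_LEN:])
    return accepted, dropped


if __name__ == "__main__":
    # constructed sample stream of five payloads (two samples)
    payloads = [b"GET / HTTP/1.1", b"Host: example", b"", b"A" * 40, b"next sample"]
    signed = sign_stream(payloads, b"puzzle-P", b"solution-S")
    print(verify_stream(signed, b"puzzle-P", b"solution-S"))    # all accepted
    print(verify_stream(payloads, b"puzzle-P", b"solution-S"))  # unmarked: all dropped
```

The receiver indexes packets in order within a sample, as the text does; reordering or loss inside a sample would have to be handled by the real HGP unit.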
4- Flow charts and algorithms of the proposed HGF firewall
In this section, we present the flowcharts and algorithms which explain the steps and procedures of each unit in our proposed HGF firewall in carrying out its overall operation. To do that, we give the following sections:
1- The HGF firewall overall operation
- The HGF in the forward direction
- The HGF in the reverse direction
2- The flow and connection inspection using the HGF
3- The HGP marking
4.1 The HGF firewall overall operation
4.1.1 The HGF in the forward direction
Figure (4) shows the flowchart of the overall system for the proposed HGF in the forward direction. The HGF firewall in the forward direction inspects the incoming packets.
Algorithm 1:
1: for each incoming packet, check the attached HGP mark
2: if the HGP mark = valid, then
3: pass the packet to the network layer
4: IP source/destination address & spoofing inspection
5: if source/destination address = valid, then
6: pass the packet to the transport layer
7: source/destination ports inspection
8: if source/destination ports = valid, then
9: pass the packet to the rest of the higher layers
10: else, go to 15
11: end if
12: else, go to 15
13: end if
14: else
15: drop the packet
16: end if
17: end for
Figure (4): The overall HGF system flowchart in the forward direction
4.1.2 The HGF in the reverse direction
Figure (5) shows the flowchart of the overall system of the HGF in the reverse direction. The HGF firewall in the reverse direction inspects the outgoing packets.
Algorithm 2:
1: for each outgoing packet, inspect the source/destination ports
2: if the source/destination ports = valid, then
3: pass the packet to the network layer
4: IP source/destination address & spoofing inspection
5: if source/destination address = valid, then
6: pass the packet to the data link layer
7: sign the packet with the HGP mark
8: pass the authenticated packet to the physical layer
9: else, go to 12
10: end if
11: else
12: drop the packet
13: end if
14: end for
Figure (5): The overall HGF system flowchart in the reverse direction
4.2 The flow and connection inspection using the HGF
As mentioned in section 3, the proposed HGF firewall is composed of two units, the stateful packet filtering unit and the HGP marking unit. The stateful packet filtering unit is responsible for the flow and connection inspection. The HGP protocol is responsible for marking the trusted outgoing packets. This section presents, in detail, the responsibility of the stateful packet filtering. The stateful packet filtering is composed of a packet filtering unit which detects and analyses the flows, and an observation unit which detects and analyses the connections. We present the statistical detection methods for each unit.
4.2.1 The packet filtering unit
The packet filtering unit inspects the incoming packets in the forward direction and the outgoing packets in the reverse direction at the network layer. To show the importance and effectiveness of using statistical detection methods, we present the packet filtering operation with and without the statistical detection.
4.2.1.1 The packet filtering operation without the statistical detection
1- Packet filtering module operation on the incoming packets
Figure (6) shows how a packet filtering unit inspects the incoming packets in the forward direction by stateless rules and allows only the packets matching the permission rules.
Algorithm 3
1: for each received packet, inspect the
source/destination addresses.
2: if a packet = rule, then
3: if the packet = permission rule, then
4: pass the packet to the transport layer, and the
upper layers.
5: else go to 12
6: end if
7: else if any more rules = yes, then
8: set the packet to the next rule and go to 2
9: else go to 12
10: end if
11: end if
12: drop the packet
13: end for
Figure (6): A packet filtering module operation on the
incoming packets
2- The Packet filtering module operation on the
outgoing packets
Figure (7) shows how a packet filtering unit inspects the
outgoing packets in the reverse direction by stateless
rules and allows only the packets matching the
permission rules.
Algorithm 4
1: for each received packet, inspect the source/destination addresses.
2: if a packet = rule, then
3: if the packet = permission rule, then
4: pass the packet to the data-link layer, and
the lower layers.
5: else go to 12
6: end if
7: else if any more rules = yes, then
8: set the packet to the next rule and go to 2
9: else go to 12
10: end if
11: end if
12: drop the packet
13: end for
Figure (7): A packet filtering module operation on the
outgoing packets
4.2.1.2 The packet filtering operation with the statistical detection
For the packet filtering operation, the suitable statistical detection methods are the packet inter-arrival time and the entropy [35, 36].
1- The packet inter-arrival time can be used for traffic volume calculation and to determine whether there is any violation of the normal traffic:
$T = PAT[i] - PAT[i-1], \quad PAT[0] = 0$
2- The entropy is a numerical measure of the uncertainty of the traffic with respect to any property of the packet (e.g. the source/destination address):
$H = -\sum_{i=1}^{n} P_i \log_2 P_i$
With these two statistical methods, the packet filtering unit will progress from stateless packet filtering to the first grade (or rank) of stateful packet filtering.
1- The source-end host detection
At the packet filtering level, the HGF uses two algorithms for the statistical calculation to detect the suspicious traffic that may indicate a high probability of an existing DoS attack. The results from these algorithms will be accumulated with (summed with) the results of the algorithms used at the observation unit to decide and classify the traffic as either legitimate or attack traffic.
There are two threshold values, $T(x)$, that are used as an indicator in each algorithm to indicate whether the traffic is normal or abnormal. These thresholds are calculated at every observation interval by using a weighted average $\mu$ and normal distribution values $\sigma$. If the detected values are close to the average, the traffic is considered normal. These thresholds are determined as follows:
$\mu_n(x) = \alpha\,\mu_{n-1}(x) + (1-\alpha)\,\mu_{n-2}(x), \quad 0 < \alpha < 1$
$T(x) = \mu_n(x) + k\,\sigma(x), \quad k = 1, 2, 3, \ldots$
where $x = T,\ H_s(s)/H_s(r)$; $\mu$: average; $\alpha$: weighting value; $\sigma$: standard deviation; $H_s(s)$: source address entropy of the sent packets; and $H_s(r)$: source address entropy of the received packets.
When attacks happen, the packet inter-arrival time, $T$, of the total packets decreases. Therefore, when $T$ is smaller than its threshold, $T_t$, we can suspect a DoS attack. If the number of outgoing (sent) packets to a certain destination IP address increases beyond the number of incoming (received, or reply) packets from the same IP address, this increases the source address entropy of the outgoing packets, $H_s(s)$, and decreases the source address entropy of the received (or reply) packets, $H_s(r)$. Therefore, the ratio of the source address entropy of the sent and received packets, $H_s(s)/H_s(r)$, suddenly rises. Based on these parameters, we can decide that suspicious packets form a DoS attack when the ratio of the source address entropy exceeds its threshold value, $T_{Hs}$. This can be written as:
The packet inter-arrival time $T < T_t$, where $T$: traffic volume, $T_t$: threshold of the traffic volume.
The ratio of source address entropy $\dfrac{H_s(s)}{H_s(r)} > T_{Hs}$, where $T_{Hs}$: threshold of the source address entropy.
2- The victim-end detection

Although the source-end defense tries to prevent the DoS attack by
hindering it at the source-end network (in the reverse direction), this
technique cannot prevent the DoS completely, because some attack packets
skulk past the detection. Therefore, beside the source-end defense, we
must also use a victim-end defense system that works in the forward
direction, as any ordinary defense system does. Several techniques can
be used at the victim end to detect and eliminate the remaining DoS
attack packets. We present a technique that is the one used at the
source-end host, but applied in the opposite sense and direction. The
suitable statistical techniques at the IP layer for defending in the
forward direction are again the traffic volume calculation (using the
packet inter-arrival time, exactly as at the source-end host) and the
entropy, here the destination address entropy.

When the number of received packets grows beyond the number of sent
packets, the destination-address entropy of the received packets,
$H_d(r)$, increases and that of the sent packets, $H_d(s)$, decreases.
Therefore the ratio of the destination-address entropies of the
received and sent packets, $H_d(r)/H_d(s)$, rises suddenly. Based on
this parameter, packets are flagged as a suspected DoS attack when the
ratio of destination-address entropy exceeds its threshold $T_{Hd}$.
This can be written as:

Ratio of destination-address entropy: $H_d(r)/H_d(s) > T_{Hd}$, where
$T_{Hd}$ is the threshold of the destination-address entropy ratio,
calculated as above:

$$T(x) = \mu_n(x) + k\,\sigma(x), \qquad k = 1, 2, 3, \ldots, \qquad \text{but with } x = \frac{H_d(r)}{H_d(s)}$$
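As an added worked example (not part of the original paper), the following Python code implements the two indicators of the packet filtering unit for both the source-end detection (source-address entropy ratio $H_s(s)/H_s(r)$ together with the inter-arrival time $T$) and the victim-end detection (destination-address entropy ratio $H_d(r)/H_d(s)$) described above, with the adaptive threshold $T(x) = \mu_n(x) + k\,\sigma(x)$. Three points are assumptions of the example rather than statements of the paper: the weighted average is implemented as an EWMA of the observed value, $\mu_n = \alpha x_n + (1-\alpha)\mu_{n-1}$; since the alarm condition on the inter-arrival time is $T < T_t$, that threshold is taken on the lower side of the band, $\mu - k\sigma$; and thresholds are updated only from intervals judged normal, so an attack cannot drag them along. The traffic records are constructed sample data.

```python
"""Statistical DoS indicators of the HGF packet-filtering unit, source-end
and victim-end (added example, not the authors' code): packet
inter-arrival time, address-entropy ratio and adaptive thresholds."""
import math
from collections import Counter
from statistics import pstdev

# Packet record: (arrival_time_s, direction, src_ip, dst_ip);
# direction "out" = sent by the protected network, "in" = received by it.


def entropy(addresses):
    """H = -sum_i P_i log2 P_i over the empirical address distribution."""
    n = len(addresses)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(addresses).values())


def mean_inter_arrival(times):
    """Mean of T = PAT[i] - PAT[i-1] within one observation interval."""
    pat = sorted(times)
    return (pat[-1] - pat[0]) / (len(pat) - 1) if len(pat) > 1 else math.inf


def entropy_ratio(packets, mode):
    """Source end: Hs(s)/Hs(r), source addresses of sent over received packets.
    Victim end:  Hd(r)/Hd(s), destination addresses of received over sent."""
    field, num_dir, den_dir = (2, "out", "in") if mode == "source-end" else (3, "in", "out")
    num = entropy([p[field] for p in packets if p[1] == num_dir])
    den = entropy([p[field] for p in packets if p[1] == den_dir])
    if den == 0.0:                  # denominator set has a single address (or none)
        return math.inf if num > 0.0 else 1.0
    return num / den


class AdaptiveBand:
    """T(x) = mu_n(x) + k*sigma(x). The weighted average is an EWMA of the
    observed value, mu_n = alpha*x_n + (1-alpha)*mu_{n-1} (assumption);
    sigma is the population std-dev of all values learned so far."""
    def __init__(self, alpha=0.5, k=2.0):
        self.alpha, self.k, self.mu, self.samples = alpha, k, None, []

    def update(self, x):
        self.mu = x if self.mu is None else self.alpha * x + (1 - self.alpha) * self.mu
        self.samples.append(x)

    def sigma(self):
        return pstdev(self.samples) if len(self.samples) > 1 else 0.0

    def upper(self):                # the page's T(x): alarm when x exceeds it
        return self.mu + self.k * self.sigma()

    def lower(self):                # mirror band used for "T < T_t" (assumption)
        return self.mu - self.k * self.sigma()


class Detector:
    """Learn thresholds during warm-up, then flag an observation interval as
    attack traffic if T < T_t or the entropy ratio > T_H. Thresholds are only
    updated from intervals judged normal (assumption about the update policy)."""
    def __init__(self, mode="source-end", alpha=0.5, k=2.0, warmup=3):
        self.mode, self.warmup, self.seen = mode, warmup, 0
        self.t_band, self.h_band = AdaptiveBand(alpha, k), AdaptiveBand(alpha, k)

    def observe(self, packets):
        t = mean_inter_arrival([p[0] for p in packets])
        ratio = entropy_ratio(packets, self.mode)
        reasons = []
        armed = (self.seen >= self.warmup and self.t_band.mu is not None
                 and self.h_band.mu is not None)
        if armed:
            if t < self.t_band.lower():
                reasons.append("T < T_t")
            if ratio > self.h_band.upper():
                reasons.append("entropy ratio > T_H")
        self.seen += 1
        if not reasons:
            self.t_band.update(t)
            if math.isfinite(ratio):
                self.h_band.update(ratio)
        return ("attack" if reasons else "normal"), reasons


def make_interval(start, gap, out_srcs, in_srcs, n=10):
    """Constructed normal traffic: n request/reply pairs spaced `gap` apart."""
    pkts = []
    for i in range(n):
        pkts.append((start + 2 * i * gap, "out", out_srcs[i % len(out_srcs)], "198.51.100.7"))
        pkts.append((start + (2 * i + 1) * gap, "in", in_srcs[i % len(in_srcs)], "10.0.0.1"))
    return pkts


HOSTS = ["10.0.0.1", "10.0.0.2"]
SERVERS = ["198.51.100.7", "203.0.113.5", "192.0.2.9", "198.51.100.20", "203.0.113.44"]
# Constructed flood: 40 packets 1 ms apart from 40 spoofed sources, one reply.
FLOOD = [(30.0 + 0.001 * i, "out", f"10.0.{i}.{i}", "198.51.100.7") for i in range(40)]
FLOOD.append((30.0205, "in", "198.51.100.7", "10.0.0.1"))
SAMPLE_INTERVALS = [
    make_interval(0.0, 0.10, HOSTS, SERVERS[:4]),
    make_interval(10.0, 0.12, HOSTS, SERVERS[:3]),
    make_interval(20.0, 0.11, HOSTS, SERVERS[:5]),
    FLOOD,
    make_interval(40.0, 0.11, HOSTS, SERVERS[:4]),
]


def classify(intervals, mode="source-end"):
    """Run the detector over consecutive observation intervals."""
    det = Detector(mode)
    return [det.observe(pkts) for pkts in intervals]


if __name__ == "__main__":
    for n, (label, why) in enumerate(classify(SAMPLE_INTERVALS)):
        print(n, label, why)
```

Run on the constructed sample, the three warm-up intervals and the interval after the flood are classified normal and the flood is caught on both indicators. Note the division edge case: a reply set consisting of a single source address has $H_s(r) = 0$, so the ratio is treated as infinite (an immediate alarm) instead of raising an exception, and an infinite value is never fed back into the threshold.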
4.2.2 The Observation Unit

As mentioned in the previous chapter, the observation unit is
responsible for monitoring the traffic and gathering statistics at
connection granularity. The traffic may contain a mixture of many
transport protocols and applications. We consider that monitoring the
connections at the transport layer is sufficient to assess the traffic,
and is a good way to classify it as either legitimate or attack traffic.
The TCP connection model

As mentioned in the previous chapter, a large percentage of the traffic
in the Internet (about 90%) is TCP traffic. Therefore, we concentrate on
building the TCP connection model. We use the sequential change-point
detection algorithm known as CUSUM (cumulative sum) [35] to detect the
TCP rate anomaly. This algorithm is a statistical tool based on finding
the time at which a time series switches from one state (normal) to
another state (attack).

The ratio

$$X_n^D = \frac{TCPto_D}{TCPfrom_D}$$

is the random variable monitored by the CUSUM algorithm, where
$TCPto_D$ denotes the number of TCP packets having destination address
$D$ (outgoing packets through the outbound service) during the
monitoring time interval $\Delta_n$, and $TCPfrom_D$ denotes the number
of TCP packets having source address $D$ (incoming packets through the
outbound service) during $\Delta_n$.
The CUSUM algorithm assumes that the mean value of the random variable
$Z_n^D$ is negative under normal conditions and becomes positive when a
change occurs. Therefore, $X_n^D$ is transformed into another random
sequence $Z_n^D$ with negative mean [37]:

$$Z_n^D = X_n^D - \beta$$

where $\beta$ is a predefined upper bound of $X_n^D$ under normal
network conditions. In most situations, the upper bound of $X_n^D$ is
3. Since $Z_n^D$ has a negative mean in normal operation, the negative
values do not accumulate with time. On the contrary, when an attack
occurs, $Z_n^D$ suddenly becomes large and positive.
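The TCP connection model above, as an added example in Python (not the authors' code): the per-destination ratio $X_n^D = TCPto_D/TCPfrom_D$ is computed from a constructed packet trace for each monitoring interval and fed to a one-sided CUSUM with $Z_n^D = X_n^D - \beta$, $\beta = 3$. The paper gives only the transformed sequence $Z$; the accumulator $y_n = \max(0, y_{n-1} + Z_n^D)$, its alarm level $N$, and flooring the denominator at 1 when a destination returns no packets at all are assumptions of the example.

```python
"""CUSUM change-point detection of the TCP rate anomaly in the HGF
observation unit (added example, not the authors' code). Per destination D
and monitoring interval n: X_n^D = TCPto_D / TCPfrom_D, Z_n^D = X_n^D - beta,
beta = 3. The accumulator y_n = max(0, y_{n-1} + Z_n^D) and the alarm level N
are the standard one-sided CUSUM form, assumed here."""
from collections import defaultdict

BETA = 3.0   # upper bound of X in normal conditions (the page's value)

# Packet record: (time_s, direction, src_ip, dst_ip, proto); direction "out" =
# outgoing through the outbound service, "in" = incoming reply.


def per_interval_ratios(packets, interval_len=1.0):
    """Return {D: {n: X_n^D}} counting only TCP packets. TCPto_D = outgoing
    packets with destination D, TCPfrom_D = incoming packets with source D."""
    to, frm = defaultdict(int), defaultdict(int)
    for t, direction, src, dst, proto in packets:
        if proto != "tcp":          # UDP/ICMP belong to other connection models
            continue
        n = int(t // interval_len)
        if direction == "out":
            to[(n, dst)] += 1
        else:
            frm[(n, src)] += 1
    ratios = defaultdict(dict)
    for (n, d), sent in to.items():
        replies = frm.get((n, d), 0)
        # No replies at all: floor the denominator at 1 so X stays finite (assumption).
        ratios[d][n] = sent / replies if replies else float(sent)
    return ratios


class Cusum:
    """y_n = max(0, y_{n-1} + Z_n), Z_n = X_n - beta. With E[Z] < 0 in normal
    operation y stays at 0; once X exceeds beta, Z turns positive and the sum
    grows every interval until it crosses the alarm level N."""
    def __init__(self, beta=BETA, alarm_level=6.0):
        self.beta, self.alarm_level, self.y = beta, alarm_level, 0.0

    def step(self, x):
        z = x - self.beta
        self.y = max(0.0, self.y + z)
        return self.y > self.alarm_level


def detect(packets, interval_len=1.0, beta=BETA, alarm_level=6.0):
    """Return {D: [intervals n in which the CUSUM alarm is raised]}."""
    alarms = {}
    for d, by_n in per_interval_ratios(packets, interval_len).items():
        c = Cusum(beta, alarm_level)
        alarms[d] = [n for n in sorted(by_n) if c.step(by_n[n])]
    return alarms


def constructed_traffic():
    """Constructed sample: 4 s of balanced request/reply TCP to D, then 3 s in
    which the local host sends 30 TCP packets per second to D and gets 2 back."""
    d, me = "198.51.100.7", "10.0.0.1"
    pkts = []
    for n in range(4):
        for i in range(3):
            pkts.append((n + 0.1 * i, "out", me, d, "tcp"))
            pkts.append((n + 0.1 * i + 0.05, "in", d, me, "tcp"))
    for n in range(4, 7):
        pkts += [(n + 0.01 * i, "out", me, d, "tcp") for i in range(30)]
        pkts += [(n + 0.5, "in", d, me, "tcp"), (n + 0.6, "in", d, me, "tcp")]
    pkts.append((2.5, "out", me, "192.0.2.9", "udp"))   # ignored: not TCP
    return pkts


if __name__ == "__main__":
    print(detect(constructed_traffic()))   # {'198.51.100.7': [4, 5, 6]}
```

During the balanced seconds $X = 1$, so $Z = -2$ and the accumulator is clamped at 0; in the flood seconds $X = 15$, $Z = 12$, and the alarm is raised from the first flood interval on. Because $y$ is reset to 0 rather than allowed to go negative, a long quiet period does not build up "credit" that would delay detection of a later attack.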
4.2.3 The HGP marking unit

The suitable technique for creating the HGP authentication mark is to
generate it as a puzzle. This puzzle is created and solved by the
intended program, which is used privately by the HGP unit. The
exclusiveness of this program to the HGP unit, and its protection from
any faking or spoofing, can be handled electronically. In this section
we present the form of the puzzle and its operation flowchart and
algorithm. Figure (8) shows the generation of the puzzle and its
solution digest. The solution digest is produced by a hash function,
which is a non-invertible function; this increases the difficulty of
faking or spoofing the puzzle.

Figure (8): The HGP mark generation
The hash function

A hash function is a computationally efficient function mapping binary
strings of arbitrary length to binary strings of some fixed length,
called hash-values; it is often informally called a one-way hash
function. A hash function is a function h which has at least the
following three properties [37]:

1- Compression: h maps an input S of arbitrary finite bit length to an
output h(S) of fixed bit length n.
2- Ease of computation: given h and an input S, h(S) is easy to
compute.
3- Non-invertibility: the function can be computed in one direction but
cannot be reversed.

Hash functions take a message as input and produce an output referred
to as a hash-code, hash-result, hash-value, or simply hash. More
precisely, a hash function h maps bit strings of arbitrary finite
length to strings of fixed length, say n bits [57]. Figure (9) shows
the hash function h as an iterated process which hashes arbitrary
length inputs by processing successive fixed-size blocks of the input
[38]:

$$H_0 = IV; \qquad H_i = h(H_{i-1}, S_i), \quad 1 \le i \le t; \qquad h(S) = H_t$$

$H_{i-1}$ serves as the n-bit chaining variable between stage i - 1 and
stage i, and $H_0$ is a pre-defined starting value or initializing value
(IV).
As mentioned in section (3), when the first packet in the selected
sample is received, the receiving host identifies the puzzle (P) and
solves it. After that, the host computes the hash of the puzzle
solution (S) and uses this digest to compare against the received
solution digest that is attached to all the received packets, and
decides to allow or to drop the packets according to the result of the
comparison. Algorithms (5, 6) show the steps and procedures of this
process.

Figure (9): A general model for an iterated hash function
Algorithm 5

The packets are checked by the observation and the packet filtering
units. A trusted packet is allowed to pass to the HGP unit, which signs
it with an HGP authentication mark. This mark is generated as follows:

1: generate a puzzle (P) and its solution (S).
2: compute the hash h(S) of the puzzle solution S. For simplicity, the
computation of this hash (message digest) of the puzzle solution is
explained in a separate algorithm (Algorithm 6).
3: pick up the first packet from a selected sample.
4: sign this first packet with the puzzle and its solution digest h(S).
5: sign the following packets in the sequence (the sample) with the
solution digest h(S) only.
6: repeat steps 2-5 for the rest of the samples.

[Figure (10), flowchart fragment recovered from the page layout; nodes:
observation unit inspection; TCP? (No: other connection models); set
$\beta = 3$, $X_n^D = TCPto_D / TCPfrom_D$, $Z_n^D = X_n^D - \beta$;
$Z_n^D > 0$?; $H_s(s)/H_s(r) > T_{Hs}$?; counters S = S + 1 and
L = L + 1; S > L? (Yes: rejected packet, DoS attack at source-end; No:
HGP marking unit, outgoing authenticated marked packet).]
Algorithm 6

1: capture the puzzle solution as an input.
2: divide the puzzle solution into fixed-length r-bit blocks S_i.
3: append padding bits.
4: append a length block.
5: feed the blocks S_i as input to the internal fixed-size hash
function h, the compression function.
6: h starts with an initial value (H_0).
7: h captures H_0 and the first block S_1 as its first input.
8: h computes the hash H_1 = h(H_0, S_1) of bit length n.
9: h captures H_1 and the second block S_2 as input.
10: h computes the hash H_2 = h(H_1, S_2).
11: h repeats steps 9 and 10 until the final block S_t.
12: H_t is the final output of h.
13: h(S) = H_t is the puzzle solution digest of fixed n bits.
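Algorithms 5 and 6 together, as an added example in Python (not the authors' code): the iterated hash of Algorithm 6 (padding bits, length block, chaining $H_i = h(H_{i-1}, S_i)$ from $H_0 = IV$ to $h(S) = H_t$) computes the solution digest, the marking unit attaches P and h(S) to the first packet of a sample and h(S) alone to the rest (Algorithm 5), and the receiving host solves P, recomputes the digest and compares it against every packet. The paper does not fix the compression function, the block size, the IV or the form of the puzzle, so these are assumptions of the example: SHA-256 over $H_{i-1} \| S_i$ as the fixed-size compression function, r = 128-bit blocks, an all-zero IV, and a hash-preimage client puzzle (a nonce and a number of required leading zero bits). The payloads are constructed sample data.

```python
"""HGP mark generation and verification (added example, not the authors' code):
an iterated hash h(S) = H_t with H_0 = IV, H_i = h(H_{i-1}, S_i) over padded
r-bit blocks (Algorithm 6), used to sign a sample of packets with the puzzle
P and its solution digest h(S) (Algorithm 5). Assumptions: SHA-256 over
H_{i-1} || S_i is the compression function, r = 128 bits, IV = 0, and the
puzzle is a hash-preimage client puzzle (nonce, leading-zero bits)."""
import hashlib
import hmac
import struct

BLOCK = 16                  # r = 128-bit blocks S_i (assumption)
IV = bytes(32)              # H_0, an n = 256-bit initial value (assumption)


def compress(h_prev, block):
    """h(H_{i-1}, S_i): fixed-size compression function, n = 256 bits."""
    return hashlib.sha256(h_prev + block).digest()


def pad(message):
    """Algorithm 6 steps 3-4: append padding bits, then a length block
    (Merkle-Damgard strengthening: 0x80, zero bytes, 8-byte big-endian bit length)."""
    padded = message + b"\x80"
    padded += bytes((-len(padded) - 8) % BLOCK)
    return padded + struct.pack(">Q", len(message) * 8)


def iterated_hash(message):
    """H_0 = IV; H_i = h(H_{i-1}, S_i) for 1 <= i <= t; h(S) = H_t."""
    padded = pad(message)
    h = IV
    for i in range(0, len(padded), BLOCK):
        h = compress(h, padded[i:i + BLOCK])
    return h


def make_puzzle(nonce, bits):
    """P: find S such that sha256(nonce || S) has `bits` leading zero bits."""
    return {"nonce": nonce, "bits": bits}


def solve_puzzle(puzzle):
    """Brute force the smallest 8-byte counter S that satisfies P."""
    target = 1 << (256 - puzzle["bits"])
    counter = 0
    while True:
        s = struct.pack(">Q", counter)
        if int.from_bytes(hashlib.sha256(puzzle["nonce"] + s).digest(), "big") < target:
            return s
        counter += 1


def mark_sample(payloads, puzzle):
    """Algorithm 5 steps 1-5 (HGP marking unit): the first packet of the sample
    carries P and h(S); the following packets carry h(S) only."""
    digest = iterated_hash(solve_puzzle(puzzle))
    marked = []
    for i, payload in enumerate(payloads):
        mark = {"digest": digest}
        if i == 0:
            mark["puzzle"] = puzzle
        marked.append((payload, mark))
    return marked


def verify_sample(marked):
    """Receiving host: solve P from the first packet, hash the solution and
    compare it (constant-time) with the digest on every packet; a packet whose
    digest does not match is dropped (False)."""
    if not marked or "puzzle" not in marked[0][1]:
        return [False] * len(marked)        # no puzzle: nothing to check against
    expected = iterated_hash(solve_puzzle(marked[0][1]["puzzle"]))
    return [hmac.compare_digest(expected, mark["digest"]) for _, mark in marked]


# Constructed sample traffic: four payloads from one host, marked as one sample.
PUZZLE = make_puzzle(b"hgp-sample-0001", 12)
SAMPLE = mark_sample([b"GET /a", b"GET /b", b"GET /c", b"GET /d"], PUZZLE)


def tampered_sample():
    """Same sample with the third packet's digest corrupted, as a packet injected
    by someone who does not hold S would be."""
    bad = [(p, dict(m)) for p, m in SAMPLE]
    bad[2][1]["digest"] = bytes(b ^ 0xFF for b in bad[2][1]["digest"])
    return bad


if __name__ == "__main__":
    print(verify_sample(SAMPLE))             # [True, True, True, True]
    print(verify_sample(tampered_sample()))  # [True, True, False, True]
```

The length block is what makes the padding unambiguous: without it, two solutions that differ only in trailing zero bytes would pad to the same block sequence and so share a digest. The comparison uses `hmac.compare_digest` so that a receiver checking digests on every packet does not leak, through timing, how many leading bytes of a guessed digest were right. Since the same h(S) travels on every packet of a sample, step 6 of Algorithm 5 (a fresh puzzle per sample) is what bounds how long a captured digest stays usable.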
Figure (10) shows the flowchart of the overall operation of the designed
HGF in the reverse direction, and Algorithm 7 interprets this flowchart.
[Figure (10), equation residue from the packet-filtering part of the
flowchart: $T = PAT[i] - PAT[i-1]$;
$\mu_n(x) = \alpha\,\mu_{n-1}(x) + (1-\alpha)\,\mu_{n-2}(x), \; 0 < \alpha < 1$;
$T(x) = \mu_n(x) + k\,\sigma(x), \; k = 1, 2, 3, \ldots$;
$T_t \leftarrow T(x), \; x = T$; $T_{Hs} \leftarrow T(x), \; x = H_s(s)/H_s(r)$;
$H_s(r) = -\sum_{i=1}^{n} P_i \log_2 P_i$; $H_s(s) = -\sum_{i=1}^{n} P_i \log_2 P_i$.]

Figure (10): The HGF overall operation in the reverse direction
5- Conclusions

This paper presented a new design for a packet filtering firewall,
called Host Guard Firewall (HGF), which helps mitigate the most
pressing problem facing the global Internet and is suitable for
deployment on a proxy server. A newly designed Host Guard Protocol
(HGP), which helps to authenticate the authorized packets, was also
presented.

The new HGF firewall acts in the reverse direction like a military
checkpoint that does not allow anyone to cross it without an
authenticated permission. The authenticated permission here is the
authentication mark given to the passing authorized packets.

The HGF is used as a DoS defense system deployed at a source-end
network. Its goal is twofold: (1) detecting outgoing DoS attacks and
stopping them by controlling the outgoing traffic from the source host
to the victim; (2) providing a guarantee service for the legitimate
transactions between all hosts on the Internet. As a consequence, the
HGF mitigates DoS at intermediate systems and at the victim-end
network.

The newly designed protocol, HGP, guarantees the authenticity between
the hosts on the network by signing the trusted outgoing packets with
the HGP authentication mark, which is the permission for these packets
to pass through the network. The HGP mark is proposed as a puzzle which
is generated and identified by the same intended programs. The mark
generation and protection are handled electronically and
cryptographically. This protocol is proposed to be located at the data
link layer.

This paper used some effective statistical methods which help the HGF,
and which can be used with any intrusion detection system, to detect
the flows and connections of the traffic and stop the attack traffic.

The paper was divided into five sections followed by a list of
references. Section (1) introduced the paper and section (2) introduced
the stateful packet filtering firewall. Section (3) presented the newly
proposed host guard firewall, including its detection system and its
architecture and main components according to the OSI layers. Section
(4) presented the flowcharts and algorithms for each component in the
proposed design and gave some implementation issues. Section (5)
concluded with some points and remarks.
References

1- Zwicky, E. D.; Cooper, S. and Chapman, D. B.: "Building Internet
Firewalls", O'Reilly & Associates Inc., 2nd Edition, June 2000.
2- Karygiannis, T. and Owens, L.: "Wireless Network
Security 802.11, Bluetooth and Handheld Devices",
Special Publication 800-48, National Institute Of
Standards and Technology (NIST), November 2002.
3- Henmi, A.; Lucas, M.; Singh, A. and Cantrell, C.: "Firewall
Policies and VPN Configurations", Syngress Publishing Inc., 2nd
Edition, 2006.
4- Kamara, S.; Fahmy, S.; Schultz, E.; Kerschbaum, F.
and Frantzen, M.: "Analysis of vulnerabilities in
Internet firewalls", Elsevier Science B.V.,
Computers and Security, Vol. 22, No. 3, pp. 214-
232, April 2003.
5- Bates, R. J.: "Broadband Telecommunications Handbook",
McGraw-Hill, 2nd Edition, 2002.
6- Hartmeier, D.: "Design and Performance of the
OpenBSD Stateful Packet Filter (pf)", In Proc. The
USENIX Annual Technical Conference, Freenix
Track, pp. 171–180, 2002.
7- Huang, Y. and Jiang, Y.: "Firewall Design:
Understandable, Designable and Testable", In Proc.
The International Conference on Security and
Management (SAM), Las Vegas, Nevada, USA, pp.
272-278, June 2006.
8- Al-Shaer, E. and Hamed, H.: "Firewall Policy
Advisor for anomaly discovery and rule editing", In
Proc. IFIP/IEEE Eighth International Symposium
on Integrated Network Management, pp. 17–30,
March 2003.
9- Wool, A.: "The use and usability of direction-based
filtering in firewalls", Elsevier Science B.V.,
Computers & Security, Vol. 23, No. 6, pp. 459-468.
September 2004.
10- Stallings, W.: "Cryptography and Network Security: Principles and
Practices", Prentice Hall Inc., 3rd Edition, 2003.
14- Grennan, M.: "Firewall and Proxy Server HOWTO", National Science
Foundation - Division of Undergraduate Education (NSF-DUE), 2000.
Available at: http://www.grennan.com/Firewall-HOWTO.html
15- Gouda, M. G. and Liu, X.-Y. A.: "Structured
Firewall Design", Elsevier Science B.V., Computer
Networks, Vol. 51, No. 4, pp. 1106-1120, March
2007.
16- Oikonomou, G.; Reiher, P.; Robinson, M. and
Mirkovic, J.: "A Framework for A Collaborative
DDoS Defense", In Proc. Annual Computer
Security Applications Conference (ACSAC 22),
December 2006. Available as defcom.pdf.
17- Ingham, K. and Forrest, S.: "A History and Survey of Network
Firewalls", Technical Report 2002-37, University of New Mexico
Computer Science Department, 2002. Available at:
http://www.cs.unm.edu/~treport/tr/02-12/firewall.pdf
18- "Dynamic Packet Filtering", Netmaster Digital
Security Inc., 2002. Available at:
www.netmaster.com/products/ggos-dpf.pdf
19- Verwoerd, T. W.: "Stateful Distributed Firewalls", University of
Canterbury, Computer Science Department, Master Thesis, 2001.
Available at:
http://www.cosc.canterbury.ac.nz/research/reports/MastTheses/2001/mast_0103.
20- Guo, F. and Chiueh, T.-C.: "Traffic Analysis: from
Stateful Firewall to Network Intrusion Detection
System", Stony Brook University, Computer
Science Department, January 2004. Available at:
http://www.ecsl.cs.sunysb.edu/tr/TR164.pdf
21- Al-Shaer, E.; Hamed, H.; Boutaba, R. and Hasan,
M.: "Conflict Classification and Analysis of
Distributed Firewall Policies", In IEEE Journal on
Selected Areas in Communications, Volume 23, No.
10, pp. 2069 – 2084, October 2005.
22- Siris, V. A. and Stavrakis, I.: "Provider-Based
Deterministic Packet Marking Against Distributed
DoS Attacks", In Journal of Network and Computer
Applications, Vol. 30, No. 3, pp. 858-876, August
2007.
23- Habib, A.; Hefeeda, M. and Bhargava B.: "Detecting
service violations and DoS attacks", In Proc.
Network and Distributed System Security
Symposium (NDSS '03), San Diego, CA, pp. 177-
189, February 2003.
24- Peng, T.; Leckie, C. and Ramamohanarao, K.:
"Survey of Network-Based Defense Mechanisms
Countering the DoS and DDoS Problems", ACM
Computing Surveys, Vol. 39, No. 1, April 2007.
25- Mirkovic, J.; Robinson, M. and Reiher, P.: "Alliance
Formation for DDoS Defense", In Proc. The New
Security Paradigms Workshop, ACM SIGSAC, pp.
11–18, August 2003.
26- Mirkovic, J.: "D-WARD: Source-End Defense Against Distributed
Denial-of-Service Attacks", University of California, Computer Science
Department, Ph.D. Dissertation, August 2003. Available at:
http://lasr.cs.ucla.edu/ddos/dward-thesis.pdf
27- Wang, H.; Zhang D. and Shin K. G.: "Detecting
SYN Flooding Attacks", In Proc. 21st IEEE
International Conference on Computer
Communications, INFOCOM, Vol. 3, pp. 1530 -
1539, June 2002.
28- Ohsita, Y.; Ata, S. and Murata, M.: "Detecting
distributed denial-of-service attacks by analyzing
TCP SYN packets statistically", In Proc. IEEE
Global Telecommunications Conference,
GLOBECOM, Volume 4, pp. 2043 - 2049,
November 2004.
29- Gil, T. and Poletto, M.: "MULTOPS: A Data-Structure for Bandwidth
Attack Detection", In Proc. 10th USENIX Security Symposium, pp. 23-28,
August 2001.
30- Song, B.; Heo, J. and Hong C.: "Collaborative
Defense Mechanism Using Statistical Detection
Method Against DDoS Attacks", IEICE
Transactions on Communications Journal, Vol. E90-
B, No. 10, pp. 2655-2664, October 2007.
31- Feinstein, L.; Schnackenberg, D., Balupari, R. and
Kindred, D.: "Statistical Approaches to DDoS
Attack Detection and Response", In Proc. IEEE,
DARPA Information Survivability Conference and
Exposition, Vol. 1, pp. 303 - 314, April 2003.
32- Burgess, M.: "Probabilistic Anomaly Detection in
Distributed Computer Networks", Science of
Computer Programming Journal, Vol. 60, No. 1, pp.
1-26, March 2006.
33- Al-Duwairi, B. and Manimaran, G.: "A novel packet
marking scheme for IP traceback", In Proc. 10th
IEEE International Conference on Parallel and
Distributed Systems, ICPADS, pp. 195 – 202, July
2004.
34- Adler, M.: "Tradeoffs in probabilistic packet marking for IP
traceback", In Proc. 34th ACM Symposium on Theory of Computing (STOC),
Quebec, Canada, pp. 407-418, 2002.
35- Lam, H.-Y.; Li, C.-P.; Chanson, S. T.; Yeung D.-Y.:
"A Coordinated Detection and Response Scheme for
Distributed Denial-of-Service Attacks", In Proc.
IEEE International Conference on Communications,
Vol. 5, pp.2165 – 2170, June 2006.
36- Gu, Y.; McCallum, A. and Towsley D.: "Detecting
Anomalies In Network Traffic Using Maximum
Entropy Estimation", In Proc. The Internet
Measurement Conference (IMC 2005), pp. 345-350,
October 2005.
37- Schneier, B.: "Applied Cryptography, Second Edition: Protocols,
Algorithms, and Source Code in C", Wiley Computer Publishing, John
Wiley & Sons, Inc., 1996.
38- Menezes, A. J.; van Oorschot, P. C. and Vanstone,
S. A.: "Handbook of Applied Cryptography", CRC
Press, 1996.