Hash-based IP traceback is a technique to generate audit trails for traffic within a network. Using the audit trails, it reconstructs not only the true attack paths of a Distributed Denial of Service attack (DDoS attack), but also the true path of a single packet attack. However, hash-based IP traceback cannot identify attacker nodes themselves because it has no audit trail on the subnet's layer-2 network under the detected leaf router, which is the nearest node to an attacker node on a layer-3 network. We propose a layer-2 extension to hash-based IP traceback, which stores two identifiers with packets' audit trails while reducing the memory requirement for storing identifiers. One of these identifiers shows the leaf router's interface through which an attacking packet came, and the other represents the ingress port on a layer-2 switch through which the attacking packet came. We implement a prototype on FreeBSD and evaluate it in a preliminary experiment.

The Bloom Filter (BF), a space-and-time-efficient hash-coding method, is used as one of the fundamental modules in several network processing algorithms and applications such as route lookups, cache hits, packet classification, per-flow state management or network monitoring. BF is a simple space-efficient randomized data structure used to represent a data set in order to support membership queries. However, BF generates false positives, and cannot count the number of distinct elements. A counting Bloom Filter (CBF) can count the number of distinct elements, but CBF needs more space than BF. We propose an alternative data structure of CBF, and we called this structure an Adaptive Bloom Filter (ABF). Although ABF uses the same-sized bit-vector used in BF, the number of hash functions employed by ABF is dynamically changed to record the number of appearances of a each key element. Considering the hash collisions, the multiplicity of a each key element on ABF can be estimated from the number of hash functions used to decode the membership of the each key element. Although ABF can realize the same functionality as CBF, ABF requires the same memory size as BF. We describe the construction of ABF and IABF (Improved ABF), and provide a mathematical analysis and simulation using Zipf's distribution. Finally, we show that ABF can be used for an unpredictable data set such as real network traffic.

Building an experimental network within a testbed has been a tiresome process for experimenters, due to the complexity of the physical resource assignment and the configuration overhead. Also, the process could not be expedited across testbeds, because the syntax of a configuration file varies depending on specific hardware and software. Re-configuration of an experimental topology for each testbed wastes time, an experimenter could not carry out his/her experiments during the limited lease time of a testbed at worst. In this paper, we propose the AnyBed: the experimental network-building system. The conceptual idea of AnyBed is "If experimental network topologies can be portable across any kinds of testbed, then, it would expedite building an experimental network on a testbed while manipulating experiments by each testbed support tool". To achieve this concept, AnyBed divide an experimental network configuration into the logical and physical network topologies. Mapping these two topologies, AnyBed can build intended logical network topology on any PC clusters. We have evaluated the AnyBed implementation using two distinct clusters. The evaluation result shows a BGP topology with 150 nodes can be constructed on a large scale testbed in less than 113 seconds.

Detecting traffic anomalies is an indispensable component of overall security architecture. As Internet and traffic data with more sophisticated attacks grow exponentially, preserving security with signature-based traffic analyzers or analyzers that do not support massive traffic are not sufficient. In this paper, we propose a novel method based on combined sketch technique and S-transform analysis for detecting anomalies in massive traffic streams. The method does not require any prior knowledge such as attack patterns and models representing normal traffic behavior. To detect anomalies, we summarize the entropy of traffic data over time and maintain the summarized data in sketches. The entropy fluctuation of the traffic data aggregated to the same bucket is observed by S-transform to detect spectral changes referred to as anomalies in this work. We evaluated the performance of the method with real-world backbone traffic collected at the United States and Japan transit link in terms of both accuracy and false positive rates. We also explored the method parameters' influence on detection performance. Furthermore, we compared the performance of our method to S-transform-based and Wavelet-based methods. The results demonstrated that our method was capable of detecting anomalies and overcame both methods. We also found that our method was not sensitive to its parameter settings.