The Internet currently carries an increasing number of unwanted, unsolicited "garbage" packets, mainly generated by botnets, which can launch Distributed Denial-of-Service attacks, worm attacks, and spam. These garbage packets are allowed to traverse the Internet, where they cause severe traffic burdens, waste communication resources, and disrupt the Internet's normal functions. Such packets need to be discarded as close to their sources as possible to increase the availability and reliability of the Internet.

This project aims to establish a comprehensive and sustainable architecture that coordinates the routers in the Internet to achieve early filtering of botnet garbage packets in Internet traffic. The architecture comprises four major components: rule generation component, rule dissemination component, rule management component, and rule security component. The objective is to investigate and quantify the tradeoff between the saved bandwidth originally consumed by the garbage traffic and the throughput slowdown introduced by the routers' extra filtering overhead, and find optimal solutions under the tradeoff function. The evaluation plan will use benchmarks developed under various traffic traces and network topologies to evaluate the performance of the developed algorithms and technologies, and derive insights on how far and wide the filtering rules should be disseminated and installed under different attack scenarios in order to optimize the performance.

Completion of the project will create techniques and software that improve the security and capacity of the Internet overall. Additionally, early filtering of garbage traffic will limit the damage caused by large-scale botnet attacks, reduce operational costs for ISPs, enhance the performance of many online services and applications, and increase the reliability of critical national infrastructures.

Project Report

In this project, our goal is to design and establish a comprehensive and sustainable architecture that coordinates the routers in the Internet to achieve early filtering of malicious unwanted packets generated by botnets, including the unwanted traffic transmitted from the bots toward the victim, and the command-and-control (C&C) traffic exchanged between the bots. We aim to save the network resources previously consumed by the malicious unwanted traffic and return them to legitimate traffic, so that network performance and service quality can be sustained and improved. The completion of our project results in the following significant accomplishments. First, we apply the access lists (ACLs) and TCL scripts used in Cisco routers to implement a prototype of a rule exchange mechanism that allows adjacent routers to exchange and install filtering rules targeting malicious unwanted traffic. Second, we design and implement a dynamic-programming-based algorithm that can automatically select a subset of routers in the network to install given filtering rules in order to optimize the performance of our early filtering approach. Third, we exploit insights observed from human browsing patterns to design and implement a heuristic algorithm for near real-time detection of C&C traffic generated by HTTP-based botnets. Moreover, with the REU supplement, the PI worked with two undergraduate students to develop a tool for visualization of traffic monitoring, which can be used by a network administrator to enhance the detection of malicious unwanted traffic. In terms of broader impact, we have demonstrated that our early filtering approach, if installed in routers, can mitigate the damage of large-scale botnet attacks, and thus reduce operational costs for ISPs, enhance the performance of many online services and applications, and increase the reliability of critical national infrastructures.
The more reliable Internet service resulting from our technology will also benefit disciplines that require intensive communications over the Internet, including computational physics, astronomy, medical science, and biology. To disseminate our discoveries to the broader research community, we have published the results from this project as conference papers and book chapters, and have presented our work at international conferences including ICCCN and GLOBECOM. Moreover, we have integrated our research discoveries into related courses in the curriculum, in order to enhance students' awareness of botnet attacks and mitigation solutions.

Agency: National Science Foundation (NSF)
Institute: Division of Computer and Network Systems (CNS)
Type: Standard Grant (Standard)
Application #: 0916857
Program Officer: Ralph Wachter
Project Start:
Project End:
Budget Start: 2010-02-01
Budget End: 2014-01-31
Support Year:
Fiscal Year: 2009
Total Cost: $216,000
Indirect Cost:

Name: University South Carolina Research Foundation
Department:
Type:
DUNS #:
City: Columbia
State: SC
Country: United States
Zip Code: 29208