Payload attribution via hierarchical bloom filters

Kulesh Shanmugasundaram, Hervé Brönnimann, Nasir Memon

Research output: Chapter in Book/Report/Conference proceeding (Conference contribution)

Abstract

Payload attribution is an important problem often encountered in network forensics. Given an excerpt of a payload, finding its source and destination is useful for many security applications such as identifying sources and victims of a worm or virus. Although IP traceback techniques have been proposed in the literature, these techniques cannot help when we do not have the entire packet or when we only have an excerpt of the payload. In this paper, we present a payload attribution system (PAS) that attributes reasonably long excerpts of payloads to their source and/or destination hosts. The system we propose is based on a novel data structure called a Hierarchical Bloom Filter (HBF). An HBF creates compact digests of payloads and provides probabilistic answers to membership queries on the excerpts of payloads. We also present the performance analysis of the method and experimental results from a prototype demonstrating the practicality and efficacy of the system. The system can reliably work with certain packet transformations and is flexible enough to be used if the query string is spread across several packets. The system, however, can be evaded by splitting or by "stuffing" the payload. Future work focuses on making the system robust against such evasions.
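As an added illustration (not the paper's own code) of the digest-and-query idea the abstract describes: a toy Hierarchical Bloom Filter in Python that inserts each payload's aligned runs of blocks together with their offsets into a Bloom filter, answers excerpt queries by trying every block alignment and offset, and attributes a hit to a flow label. Block size, number of levels, filter size, SHA-256 hashing and the flow labels are assumptions of this example, not values from the paper.

```python
import hashlib
# Toy Hierarchical Bloom Filter (HBF) for payload attribution, added as an illustration
# (not the paper's code); block size, levels, filter size, hashing and flow labels are assumptions.
class BloomFilter:
    def __init__(self, m=1 << 16, k=4):
        self.bits, self.m, self.k = bytearray(m // 8), m, k
    def _idx(self, key):                             # k independent bit positions
        for i in range(self.k):
            h = hashlib.sha256(bytes([i]) + key).digest()
            yield int.from_bytes(h[:8], "big") % self.m
    def add(self, key):
        for b in self._idx(key):
            self.bits[b // 8] |= 1 << (b % 8)
    def __contains__(self, key):
        return all(self.bits[b // 8] >> (b % 8) & 1 for b in self._idx(key))

class HBF:
    """Level j digests aligned runs of 2**j consecutive blocks together with their offset."""
    def __init__(self, block=4, levels=3, max_blocks=64):
        self.s, self.levels, self.max_blocks = block, levels, max_blocks
        self.bf, self.flows = BloomFilter(), set()
    def _key(self, level, offset, data, flow=b""):   # length-prefixed to avoid ambiguity
        return b"%d|%d|%d|%s%s" % (level, offset, len(data), data, flow)
    def insert(self, payload, flow):
        self.flows.add(flow)
        blocks = [payload[i:i + self.s] for i in range(0, len(payload), self.s)]
        for lvl in range(self.levels):
            n = 1 << lvl
            for off in range(0, len(blocks), n):         # aligned super-blocks only
                data = b"".join(blocks[off:off + n])
                self.bf.add(self._key(lvl, off, data))        # content digest
                self.bf.add(self._key(lvl, off, data, flow))  # attribution digest
    def _match(self, blocks, off, flow=b""):
        # Every block and every aligned super-block inside the excerpt must be present.
        for lvl in range(self.levels):
            n = 1 << lvl
            for i in range(len(blocks) - n + 1):
                if (off + i) % n == 0 and \
                   self._key(lvl, off + i, b"".join(blocks[i:i + n]), flow) not in self.bf:
                    return False
        return True
    def query(self, excerpt):
        """Flows whose payload may contain the excerpt (no misses for unmodified payloads)."""
        hits = set()
        for shift in range(self.s):                      # unknown block alignment
            blocks = [excerpt[i:i + self.s] for i in range(shift, len(excerpt) - self.s + 1, self.s)]
            for off in range(self.max_blocks):           # unknown offset within the payload
                if blocks and self._match(blocks, off):
                    hits |= {f for f in self.flows if self._match(blocks, off, f)}
        return hits
```

Higher levels reject runs of blocks that were each seen somewhere but never consecutively, which is what lowers the false-positive rate of a plain per-block filter; an excerpt of a payload copy with a byte inserted (the "stuffing" the abstract mentions) no longer matches.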

Original language: English (US)
Title of host publication: Proceedings of the ACM Conference on Computer and Communications Security
Editors: B. Pfitzmann, P. Liu
Pages: 31-41
Number of pages: 11
State: Published - 2004
Event: Proceedings of the 11th ACM Conference on Computer and Communications Security, CCS 2004 - Washington, DC, United States
Duration: Oct 25 2004 to Oct 29 2004

Other

Other: Proceedings of the 11th ACM Conference on Computer and Communications Security, CCS 2004
Country: United States
City: Washington, DC
Period: 10/25/04 to 10/29/04

Fingerprint

Viruses
Data structures
Digital forensics

Keywords

  • ForNet
  • Hierarchical Bloom Filters
  • Payload attribution
  • Security

ASJC Scopus subject areas

  • Computer Science (all)

Cite this

Shanmugasundaram, K., Brönnimann, H., & Memon, N. (2004). Payload attribution via hierarchical bloom filters. In B. Pfitzmann, & P. Liu (Eds.), Proceedings of the ACM Conference on Computer and Communications Security (pp. 31-41)


TY - GEN

T1 - Payload attribution via hierarchical bloom filters

AU - Shanmugasundaram, Kulesh

AU - Brönnimann, Hervé

AU - Memon, Nasir

PY - 2004

Y1 - 2004


KW - ForNet

KW - Hierarchical Bloom Filters

KW - Payload attribution

KW - Security

UR - http://www.scopus.com/inward/record.url?scp=14844288974&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=14844288974&partnerID=8YFLogxK

M3 - Conference contribution

AN - SCOPUS:14844288974

SP - 31

EP - 41

BT - Proceedings of the ACM Conference on Computer and Communications Security

A2 - Pfitzmann, B.

A2 - Liu, P.

ER -