7th Annual IEEE Information Assurance Workshop

 21-23 June 2006

 "The West Point Workshop"

 United States Military Academy, West Point, New York
Chair:  LTC Ronald Dodge, Ronald.Dodge@usma.edu

http://www.itoc.usma.edu/workshop/2006
   

Home
Call for Papers
Papers
Posters
Submission
Registration
Travel
Lodging
Program
Vendor Info
Contacts
Photographs
   IAWorkshop 2006 START Conference Manager    

A Control Theoretical Approach for Flow Control to Mitigate Bandwidth Attacks

Sui Song

The 7th IEEE Information Assurance Workshop (IAWorkshop 2006)
West Point, New York, USA, June 21-23, 2006

Abstract

flooding-based distributed denial-of-service (DoS) attack presents a very serious threat to the stability of the Internet. However, current intrusion detection is unreliable and may have high false-positives. Rate-limiting is a better-suited response than complete filtering. Filtering out all the traffic to the victim would greatly damage misclassified flows, whereas rate-limiting still allows some packets to reach the destination and thus keeps connection alive. Allowing some attack packets through is acceptable, since the attack’s overall impact depends on the volume of the attack packets. Moreover, if the flow-rate of low-priority is reduced, the high-priority flow will get more chances to access the server they share, which eventually reduce the congestion and improve the throughput of the high-priority flow. Based on the concept of flow aggregation management architecture [15], we present a Flow-based Congestion Control (FCC) architecture that consists of a Flow-based Quality-of-Service (FQoS) regulator and PID controller. The whole system adopts a control-theoretic approach to adjust the traffic rate of every link (or server) so as to maintain the traffic rates at their desired level. In order to provide more fine-grained differentiated services (or flows) with different weight and maximally limit malicious services (or flows), we propose multi-level packet classification structure. Moreover, in order maximally to block flooding, the flow-based network intrusion detection [15] is used to classify each flow in the network into different priority classes and give different treatment to the flow-rates belonging to different classes. The architecture is shown to be highly flexible service differentiation and robust against different types of flooding attacks, and traditional network traffic control can be implemented using one common framework. This system has been evaluated by using simulated test-bed data. Results showed the success that the system mitigates bandwidth flooding attacks.

  
START Conference Manager (V2.52.3)
Maintainer: rrgerber@softconf.com

 

   
         
The IEEE Information Assurance Workshop is sponsored by the IEEE Systems Man and Cybernetics Society, supported by the National Security Agency, and hosted by the Information Technology Operations Center, Department of Electrical Engineering and Computer Science, at the United States Military Academy, West Point, New York.