Payload attribution via hierarchical bloom filters

Kulesh Shanmugasundaram, Hervé Brönnimann, Nasir Memon

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

Payload attribution is an important problem often encountered in network forensics. Given an excerpt of a payload, finding its source and destination is useful for many security applications such as identifying sources and victims of a worm or virus. Although IP traceback techniques have been proposed in the literature, these techniques cannot help when we do not have the entire packet or when we only have an excerpt of the payload. In this paper, we present a payload attribution system (PAS) that attributes reasonably long excerpts of payloads to their source and/or destination hosts. The system we propose is based on a novel data structure called a Hierarchical Bloom Filter (HBF). An HBF creates compact digests of payloads and provides probabilistic answers to membership queries on the excerpts of payloads. We also present the performance analysis of the method and experimental results from a prototype demonstrating the practicality and efficacy of the system. The system can reliably work with certain packet transformations and is flexible enough to be used if the query string is spread across several packets. The system, however, can be evaded by splitting or by "stuffing" the payload. Future work focuses on making the system robust against such evasions.
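As an added illustration (not the authors' code and not the paper's exact construction), a simplified hierarchical Bloom filter in Python: level L digests runs of 2**L consecutive payload blocks, each tagged with an assumed flow identifier, and an excerpt is attributed to a flow only when it is consistent at every level, which is what stops a set of blocks that occur in the flow but not in that order from matching. Block size, level count, the hashing scheme, the flow tag and the minimum excerpt length are all assumptions; the payload and excerpts are constructed.

```python
import hashlib

class BloomFilter:
    """Plain Bloom filter: k bit positions per item derived from SHA-256 (constructed helper)."""
    def __init__(self, m_bits=1 << 16, k=4):
        self.m, self.k, self.bits = m_bits, k, bytearray(m_bits // 8)
    def _positions(self, item):
        for i in range(self.k):
            h = hashlib.sha256(bytes([i]) + item).digest()
            yield int.from_bytes(h[:4], "big") % self.m
    def add(self, item):
        for j in self._positions(item):
            self.bits[j >> 3] |= 1 << (j & 7)
    def __contains__(self, item):
        return all(self.bits[j >> 3] & (1 << (j & 7)) for j in self._positions(item))

class HBF:
    """Simplified hierarchical Bloom filter: level L digests runs of 2**L consecutive
    payload blocks, tagged with the flow they belong to (assumed, simplified construction)."""
    def __init__(self, block=4, levels=2):
        self.block, self.levels = block, levels
        self.bf = [BloomFilter() for _ in range(levels)]

    def digest(self, payload, flow_id):
        n = len(payload) - self.block + 1  # only full blocks are digested
        blocks = [payload[i:i + self.block] for i in range(0, n, self.block)]
        for level in range(self.levels):
            span = 1 << level
            for i in range(0, len(blocks) - span + 1, span):
                self.bf[level].add(flow_id + b"|" + b"".join(blocks[i:i + span]))

    def _consistent(self, chunks, flow_id, level):
        # The excerpt's offset in the original payload is unknown, so try every
        # phase of this level's grouping; at least one full group must be present.
        span = 1 << level
        for phase in range(span):
            groups = [b"".join(chunks[i:i + span])
                      for i in range(phase, len(chunks) - span + 1, span)]
            if groups and all(flow_id + b"|" + g in self.bf[level] for g in groups):
                return True
        return False

    def attribute(self, excerpt, flow_id):
        """True if the excerpt is consistent with flow_id's digest at every level."""
        need = 2 * (1 << (self.levels - 1)) - 1  # blocks needed to cover a top-level group at any offset
        for align in range(self.block):  # the excerpt may start mid-block: try each alignment
            n = len(excerpt) - self.block + 1
            chunks = [excerpt[i:i + self.block] for i in range(align, n, self.block)]
            if len(chunks) >= need and all(self._consistent(chunks, flow_id, L) for L in range(self.levels)):
                return True
        return False
```

Digest each observed flow's payload with `digest(payload, flow_id)`; `attribute(excerpt, flow_id)` then answers, probabilistically, whether that flow could have carried the excerpt, and an excerpt shorter than `need` blocks is rejected because it cannot be checked at the top level.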

Original language: English (US)
Title of host publication: Proceedings of the ACM Conference on Computer and Communications Security
Editors: B. Pfitzmann, P. Liu
Pages: 31-41
Number of pages: 11
State: Published - 2004
Event: Proceedings of the 11th ACM Conference on Computer and Communications Security, CCS 2004 - Washington, DC, United States
Duration: Oct 25 2004 to Oct 29 2004

Other

Other: Proceedings of the 11th ACM Conference on Computer and Communications Security, CCS 2004
Country/Territory: United States
City: Washington, DC
Period: 10/25/04 to 10/29/04

Keywords

  • ForNet
  • Hierarchical Bloom Filters
  • Payload attribution
  • Security

ASJC Scopus subject areas

  • General Computer Science
