Date of Award

Fall 2014

Document Type

Dissertation

Degree Name

Doctor of Philosophy (PhD)

Department

Computational Analysis and Modeling

First Advisor

Vir Phoha

Abstract

Multiple schemes that utilize probabilistic packet marking (PPM) have been proposed to deal with Distributed Denial of Service (DDoS) attacks by reconstructing their attack graphs and identifying the attack sources.

In the first part of this dissertation, we present our contribution to the family of PPM-based schemes for Internet Protocol (IP) traceback. Our proposed approach, Prediction-Based Scheme (PBS), consists of marking and traceback algorithms that reduce scheme convergence times by dealing with the problems of data loss and incomplete attack graphs exhibited by previous PPM-based schemes.

Compared to previous PPM-based schemes, the PBS marking algorithm ensures that traceback is possible with about 54% as many total network packets, while the traceback algorithm takes about 33% as many marked packets for complete attack path construction.

In the second part of this dissertation, we tackle the problem of scheme evaluation and comparison across discrepant network topologies. Previous research in this area has overlooked the influence of network topology on scheme performance and often utilized disparate and simplistic network abstractions to evaluate and compare these schemes.

Our approach to this problem involves the evaluation of selected PPM-based schemes across a set of 60 Internet-like topologies and the adaptation of the network motif approach to provide a common ground for comparing the schemes' performances in different network topologies. This approach allows us to determine the level of structural similarity between network topologies and consequently enables the comparison of scheme performance even when the schemes are implemented on different topologies.

Furthermore, we identify three network-dependent factors that affect different PPM-based schemes uniquely causing a variation in, and discrepancy between, scheme performance from one network to another.

Results indicate that scheme performance is dependent on the network upon which it is implemented, i.e. the value of the PPM-based schemes' convergence times and their rankings vary depending on the underlying network topology. We show how the identified network factors contribute, individually and collectively, to the scheme performance in large-scale networks. Additionally, we identify five superfamilies from the 60 considered networks and find that networks within a superfamily also exhibit similar PPM-based scheme performance. To complement our results, we present an analytical model showing a link between scheme performance in any superfamily, and the motifs exhibited by the networks in that superfamily.

Our work highlights a need for multiple network evaluation of network protocols. To this end, we demonstrate a method of identifying structurally similar network topologies among which protocol performance is potentially comparable. Our work also presents an effective way of comparing general network protocol performance in which the protocol is evaluated on specific representative networks instead of an entire set of networks.

Share

COinS