How can network infrastructure be protected from malicious traffic, such as scanning, malicious code propagation, spam, and distributed denial-of-service attacks? This project investigates mechanisms at the network layer for blocking malicious traffic. One such mechanism is IP filtering: access control lists (ACLs) can selectively block traffic based on fields of the IP header. This mechanism is already available in routers today but, for it to be effective, two issues must be addressed. First, one must identify which IP addresses to block, which requires understanding and detection of malicious activity. A key insight to exploit is that malicious traffic exhibits clustering in both time and address space. Second, filters (ACLs) are a scarce resource, because they are stored in expensive ternary content-addressable memory (TCAM). To decrease the number of filters and therefore the cost, aggregation is used: a single filter blocks an entire range of IP addresses; however, this also blocks legitimate traffic originating from that range. Filter selection thus becomes an optimization problem: block as many malicious and as few legitimate sources as possible, given a limited number of filters. Outcomes of this project will include: (a) methods for modeling malicious traffic at the IP level, (b) cost-efficient filtering algorithms, and (c) a prototype to be tested in real networks. The problem is challenging and requires synergy between machine learning, data mining, optimization, and algorithmic techniques. The project can impact networking practice by providing a comprehensive set of tools that can be deployed on today's Internet architecture.
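The filter-selection trade-off described above can be made concrete with a small dynamic program over the binary prefix tree. This is an added illustration, not the project's own algorithm; the function name `select_filters`, the `penalty` weight, and the sample addresses (constructed, from documentation ranges) are assumptions.

```python
import bisect
import ipaddress
from functools import lru_cache
from itertools import accumulate

# Constructed sample data: observed malicious and legitimate source addresses.
MALICIOUS = ["198.51.100.1", "198.51.100.2", "198.51.100.3",
             "198.51.100.5", "198.51.100.6", "203.0.113.9"]
LEGITIMATE = ["198.51.100.4", "203.0.113.8", "203.0.113.10", "203.0.113.11"]

def select_filters(malicious, legitimate, budget, penalty=1.0):
    """Choose <= budget IPv4 source prefixes maximizing
    (#malicious blocked) - penalty * (#legitimate blocked)."""
    pts = sorted(
        [(int(ipaddress.IPv4Address(a)), 1.0) for a in malicious]
        + [(int(ipaddress.IPv4Address(a)), -penalty) for a in legitimate])
    addrs = [a for a, _ in pts]
    csum = [0.0] + list(accumulate(w for _, w in pts))  # prefix sums of weights

    def rank(res):
        # Prefer higher gain, then fewer filters, then more specific prefixes.
        gain, nets = res
        return (gain, -len(nets), sum(n.prefixlen for n in nets))

    @lru_cache(maxsize=None)
    def best(lo, hi, plen, f):
        # Best (gain, prefixes) for pts[lo:hi], which share their first plen bits.
        if f == 0 or lo == hi:
            return 0.0, ()
        base = (addrs[lo] >> (32 - plen)) << (32 - plen)
        # Option 1: spend one filter on this whole prefix (collateral included).
        whole = (csum[hi] - csum[lo], (ipaddress.IPv4Network((base, plen)),))
        options = [(0.0, ()), whole]
        if plen < 32:
            # Option 2: split the budget between the two child prefixes.
            half = base | (1 << (31 - plen))
            mid = bisect.bisect_left(addrs, half, lo, hi)
            for k in range(f + 1):
                gl, nl = best(lo, mid, plen + 1, k)
                gr, nr = best(mid, hi, plen + 1, f - k)
                options.append((gl + gr, nl + nr))
        return max(options, key=rank)

    gain, nets = best(0, len(pts), 0, budget)
    return gain, sorted(nets)

if __name__ == "__main__":
    for n in (1, 2, 4):
        print(n, select_filters(MALICIOUS, LEGITIMATE, n))
```

With a budget of one filter, the best choice is an aggregate that accepts one legitimate source as collateral; as the budget grows, the selection shifts toward narrower prefixes with less collateral.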