Securing computer networks: Access control management and attack source identification

Posted on: 2009-12-03
Degree: Ph.D
Type: Dissertation
University: University of Florida
Candidate: Yoon, Myungkeun
Full Text: PDF
GTID: 1448390002993102
Subject: Engineering
Abstract/Summary:
We study the problem of securing computer networks. We mainly focus on two issues: managing the access control lists of multiple firewalls and identifying attack sources. As the number of firewalls in a computer network increases, it is crucial to deploy the firewalls well and to build an efficient access control list on each of them. Multiple firewalls cooperate to implement access control by filtering out unwanted packets. The source address of a packet is a decisive parameter when the filtering is carried out. For example, edge firewalls between the intranet and the Internet may use dynamic filters, which block packets from suspicious source addresses in order to defeat denial of service attacks. However, wily attackers may play tricks to give false information about their source addresses. Therefore, attack sources should be exactly identified before the filtering is applied. In this dissertation, we propose three novel techniques.

First, we study the problem of placing multiple firewalls in an enterprise network. A firewall's complexity is known to increase with the size of its access control list, i.e. its rule set. When designing a security-sensitive network, it is critical to construct the network topology and its routing structure carefully in order to reduce the firewall rule sets, which helps lower the chance of security loopholes and prevent performance bottlenecks. We study the problems of how to place the firewalls in a topology during network design and how to construct the routing tables during operation, such that the maximum firewall rule set is minimized.

Second, we study the problem of identifying attack sources on the Internet. It is crucial to find out the attacker's unique address before the corresponding filtering rule is activated at the edge firewalls. On the current Internet, not only is a host free to send packets to any destination address, but it is also free to forge any source address that it does not own. This freedom creates a huge security problem. The victims under attack do not know where the malicious packets actually come from and which sources should be blocked because, with forged source addresses, the malicious packets may appear to come from all over the Internet. We propose a path address scheme to identify attackers even when they use spoofed source addresses. Under this scheme, each path on the Internet is assigned a path address. IP addresses are owned by the end hosts; path addresses are owned by the network, which is beyond the reach of the hosts.

Third, we study the problems of spread estimation and spreader detection. The spread of a source host is the number of distinct destinations that it has sent packets to during a measurement period. A spread estimator is a software/hardware module on a router that inspects arriving packets and estimates the spread of each source. It has important applications in detecting port scans and DDoS attacks, measuring the infection rate of a worm, assisting resource allocation in a server farm, and determining popular web content for caching, to name a few. We design a new spread estimator that delivers good performance in tight memory space where all existing estimators no longer work.

We also study the problem of detecting spreaders. We call an external source address a spreader if it connects to more than a threshold number of distinct internal destination addresses during a period of time (such as a day). We note that none of the current intrusion detection systems can identify spreaders in real time if the attacker slows down its sending of attack packets. We call such an attacker an invisible spreader. We observe that normal traffic has strong skewness, especially in an enterprise (or university campus) network. We propose a new scheme to detect invisible spreaders by exploiting the traffic skewness.
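To make the definitions of spread and spreader concrete, the following added example (not code from the dissertation) computes the exact spread of each source over a constructed packet sample, estimates it with a fixed-size bitmap per source (plain linear counting, a standard baseline and not the dissertation's estimator), and flags sources whose spread exceeds a threshold. Addresses and the packet sample are constructed for illustration.

```python
import hashlib
import math
from collections import defaultdict

# Constructed sample of (source, destination) packet records seen at a border
# router during one measurement period. One external source probes 40 internal
# hosts; the others touch one or two hosts, with repeated packets to the same host.
PACKETS = [("203.0.113.7", f"10.0.0.{i}") for i in range(1, 41)] + [
    ("198.51.100.5", "10.0.0.1"), ("198.51.100.5", "10.0.0.2"),
    ("198.51.100.5", "10.0.0.1"),   # repeat: does not increase spread
    ("192.0.2.9", "10.0.0.3"),
]

def exact_spread(packets):
    """Spread = number of distinct destinations each source contacted.
    Exact, but keeps one set per source, so memory grows with traffic."""
    dests = defaultdict(set)
    for src, dst in packets:
        dests[src].add(dst)
    return {src: len(d) for src, d in dests.items()}

class LinearCountingSpread:
    """Memory-bounded estimator: an m-bit bitmap per source. Each destination
    is hashed to one bit; the count of zero bits yields the estimate."""
    def __init__(self, m=256):
        assert m % 8 == 0
        self.m = m
        self.bitmaps = defaultdict(lambda: bytearray(m // 8))

    def observe(self, src, dst):
        h = int.from_bytes(hashlib.sha256(dst.encode()).digest()[:4], "big") % self.m
        self.bitmaps[src][h // 8] |= 1 << (h % 8)

    def estimate(self, src):
        zeros = self.m - sum(bin(b).count("1") for b in self.bitmaps[src])
        if zeros == 0:
            return float(self.m)   # bitmap saturated: estimate is only a lower bound
        return -self.m * math.log(zeros / self.m)

    def all_estimates(self):
        return {src: self.estimate(src) for src in self.bitmaps}

def detect_spreaders(spreads, threshold):
    """Spreader = external source whose spread exceeds the threshold."""
    return sorted(src for src, s in spreads.items() if s > threshold)
```

A slow scanner spreads the same 40 destinations over a day, which is why the dissertation measures spread per period rather than per burst.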
Keywords/Search Tags: Network, Access control, Source, Study the problem, Attack, Spread, Firewalls, Packets