
Design of the Host Guard Firewall for Network Protection

KAMEL H. RAHOUMA* AND KHALID S. NASR**
Electrical Engineering Department, Faculty of Engineering, Minia University, Minia, EGYPT
*kamel_rahouma (**khalid_salih) @ yahoo.com

Abstract:- This paper presents a new design for a packet filtering firewall, called Host Guard Firewall (HGF), which helps to mitigate the most pressing problems facing the global Internet. It also presents a newly designed Host Guard Protocol (HGP), which helps to authenticate authorized packets. The newly designed HGF firewall acts in the reverse direction like a military checkpoint that does not allow anyone to cross without an authenticated permission. The authenticated permission here is an authentication mark given to the passing authorized packets. The HGF is used as a DoS defense system deployed at a source-end network. The HGP guarantees the authenticity between the hosts on the network. This is done by signing the trusted outgoing packets with the HGP authentication mark, which is the permission for these packets to pass through the network. The HGP mark is proposed as a puzzle which is generated and identified by the same intended programs. The authentication mark could be generated and protected using electronic and encryption means at the data link layer of the Open Systems Interconnection (OSI) network configuration.

Keywords:- Firewalls, Network protection, Host guard firewall, Host guard protocol, Packet filtering, DoS attack.

1- Introduction

A firewall is a component or a set of components that restricts access between a protected network and the Internet, or between other sets of the network, and it relays only data packets that are clearly intended for and authorized to reach the other side [1].

The function of a firewall is conventionally specified as a sequence of rules. Each rule in a firewall is of the form <Predicate> → <Decision>, where the <Predicate> of a rule is a Boolean expression over some packet fields together with the physical network interface on which a packet arrives. The <Decision> of a rule can be accept, or discard, or a combination of these decisions with other options such as the logging option. A packet matches a rule if and only if (iff) the packet satisfies the predicate of the rule [2].

A firewall can be classified as a software program or a hardware device that filters the incoming packets and, in some installations, the outgoing packets of information [3,4]. Firewalls, virtual private networks (VPNs), authentication and encryption are essential parts of network security. They must be considered as pieces of a puzzle (security issues), as shown in figure (1), to obstruct any attempt to attack [5]. Firewalls are designed to provide "policy-based" network filtering [6]. Here, we are interested in the firewalls, because they are the cornerstones and core elements of network security [7-9].

In this paper, we propose a new design of firewall, called Host Guard Firewall (HGF), which is composed of a modified stateful packet filtering firewall and a new unit, called the Host Guard Protocol (HGP). This new design assists in mitigating the most pressing problem facing firewalls and the global Internet, namely the denial of service (DoS) attacks.

Figure (1): Pieces of the security policy (issues) [10]

The paper is divided into five sections followed by a list of the references. Section (2) introduces the stateful packet filtering firewall. Section (3) presents the new proposed host guard firewall, including its detection system, its architecture and its main components according to the OSI system operation layers. Section (4) presents the flowcharts and algorithms for each component in the proposed design and gives some implementation issues. Section (5) concludes with some points and remarks.

2- The stateful packet filtering firewalls

There are several classifications of firewalls [1, 14-17]. One main classification divides firewalls into two main types, the Packet Filtering and the Proxy Server types. Any other type of firewall can fall under these two broad types. Operations that are simple but need to be done fast and on individual packets are easier to do in packet filtering systems. But operations that require detailed protocol knowledge or prolonged tracking of past events are easier to do in proxy systems.

Proceedings of the 7th WSEAS International Conference on INFORMATION SECURITY and PRIVACY (ISP '08), ISSN: 1790-5117, ISBN: 978-960-474-048-2, p. 61

A proxy is something or someone who does something on behalf of somebody else [1]. Proxy services are specialized applications or server programs that take users' requests for Internet services (such as FTP and Telnet) and forward them to the actual services. The proxies provide replacement connections and act as gateways to the services. For this reason, proxies are sometimes known as application-level gateways [1]. Proxy services are effective only when they're used in conjunction with a mechanism that restricts direct communications between the internal and external hosts.

The packet filtering firewalls function at the IP packet level (the network layer). Every packet is inspected against the firewall rules. Once the firewall has looked at all the information, a straightforward packet filtering router either sends the packet on to the destination it was bound for; drops the packet (just forgets about it, without notifying the sender); rejects the packet (refuses to forward it, and returns an error to the sender); logs information about the packet; or sets off an alarm to notify somebody about the packet immediately [1]. The packet filtering firewalls can accordingly be classified into three types [1, 18, 19]: static packet filtering firewalls, dynamic packet filtering firewalls, and stateful packet filtering firewalls. The stateful packet filter can keep track of packets. Almost all stateful packet filters are also capable of looking at the contents of packets, and many of them can modify these contents [1]. This is useful for applications that need to keep track of packets and observe the traffic, at a flow and connection granularity, at the fourth layer (the transport layer) [20].

Before building a firewall, it is important to understand exactly what network resources and services must be protected and what kinds of attacks form the pressing problems hindering network security. Besides that, a trade-off in terms of complexity and security needs must be taken into account. However, the most pressing problems for packet filtering firewalls are the complexity of configuring and ordering the filtering rules and the complications of IP fragmentation.

Firewall filtering rules should be carefully written and organized in order to correctly implement the security policy [21]. Generally, the filtering rules are expressed in a table of conditions and actions that are applied in a certain order until a decision to allow or drop the packet is reached [16].

Fragmentation means the ability to divide a large packet into smaller packets, called fragments, which can traverse the communication link. The fragments are then reassembled into the full packet by the destination machine [1]. The common packet filtering approach to fragmentation is to allow any non-first fragments to pass through and to do packet filtering only on the first fragment of a packet. This has shown problems with fragmented packets and attacks, where the destination host will hold the non-first fragments in memory for a while, waiting to see if it gets the missing first fragment. This makes it possible for attackers to use fragmented packets in a DoS attack. When the destination host gives up on reassembling the packet, it will send an ICMP "packet reassembly time expired" message back to the source host, which tells an attacker that the host exists and that the connection didn't succeed. Also, attackers can use specially fragmented packets to conceal data [1, 19].

The most pressing vulnerability facing firewalls in general is the differentiation between legitimate traffic and attack traffic. The most effective feature of DoS attacks is that the attack traffic can be made arbitrarily similar to the legitimate traffic. This complicates the defenses. The aim of the attack is to disrupt the normal operation of the targeted network system by consuming (exhausting) its resources (memory, buffers, CPU time to compute responses, etc.) or the resources on the way to communicate with a victim (network bandwidth) [22, 23].

A DoS attack can be more severe when an attacker uses multiple hosts over the Internet to storm a victim, where the attacker compromises many hosts and deploys attacking agents on them. The attacker signals all agents to simultaneously launch an attack on a victim with a flood of packets, and thereby overwhelm its resources and render it incapable of performing normal services for legitimate users. This type of attack is called the Distributed Denial of Service attack (DDoS). Thus, the power of the DDoS attack is amplified and the problem of defense is made more complicated. There are two major impacts of the DoS/DDoS attacks. These are: the consumption of the host's resources and the consumption of the network bandwidth [24].

The current DDoS defense systems can be divided into autonomous systems (a single defense node or point) and distributed systems (multiple defense nodes or points). In a distributed system, the nodes communicate through the network and coordinate their actions to achieve a better overall defense. We are concerned here with the autonomous systems, which are divided according to the point of defense into defense at the victim, at the intermediate network, and at the source. The defense at the source-end network is more efficient than the defense at the victim-end network or at an intermediate system, since it observes only a small portion of the attack traffic; this enables an effective response and minimizes any collateral damage [25].

From the discussion of the DoS/DDoS attacks and the types of firewalls, we need a firewall that operates at the TCP/UDP level (the transport layer). The suitable type of firewall that manages traffic at that level is the stateful packet filtering firewall. In addition, the methods of designing stateful firewalls can be used to assist the design of proxy servers. The stateful firewall model consists of two sections: a stateful section and a stateless section. Each section consists of a sequence of rules. For every packet, the stateful section is used to check whether the state has a previous packet that may affect the current packet's state. The stateless section is used to decide the state of each packet based on the information in the packet itself and its tag value.

3- The Host Guard Firewall

The Host Guard Firewall (HGF) is a modified stateful packet filtering firewall beside a new proposed Host Guard Protocol (HGP). The stateful packet filtering is composed of a modified packet filtering firewall that operates at the third layer (network layer) beside a new observation unit which observes the traffic at the transport layer. The HGF is designed to be used as a DoS defense system and to operate at the source-end host as a reverse firewall that manages the outgoing packets according to statistical analysis and algorithms which manage the policing rules.

3.1. The HGF detection system

The HGF defense system can operate on its own as an autonomous system, by detecting attacks and responding to them without communication with any other entity. It can also operate implicitly as a participant in a distributed defense system, where it sends an authentication mark to a destination host using the HGP authentication protocol; the mark is checked by the other hosts during the communication to guarantee legitimate transactions between all the hosts that exist on the Internet. All the hosts connected to the Internet are forced to use the HGF firewall to be granted access to the services on the network. The HGF can thus observe every packet exchanged between the host and the outside world. Figure (2) shows the places of HGFs and their operation.

HGF detects the outgoing DoS attacks by monitoring the two-way traffic between the source-end host and the rest of the Internet. The system looks for any anomalies in the traffic that may be considered as signs of a DoS attack. Among these anomalies are the presence of IP spoofing (the creation of IP packets using somebody else's IP source addresses) and the non-responsive foreign host (an aggressive sending rate coupled with a low response rate).

The most famous attacks that use IP spoofing are the DoS/DDoS attacks. Many works in the literature propose the detection and prevention of IP spoofing at the server level (ISP, proxy server, etc.) using ingress and egress filters, but none presents a technique to detect and prevent IP spoofing at the host level.

In this paper we propose a technique that joins the host level and the server level to hinder IP spoofing, to maintain the use of a unique IP address for a unique host, and to prevent changing the IP unless the host has been given permission from the main server which manages the communication between each two hosts with unique IPs.

Figure (2): Operation of HGF firewalls at each host on the Internet.

To hinder IP spoofing in the case of accessing the Internet through a telephone line connected to an ISP (with dynamic addresses), the user doesn't select an IP address, but the ISP gives him/her an available IP address from the local address pool. We suggest that the ISP should make an attachment between the given IP and the telephone number and record this attachment in its logs. If the user is on line and wants to use a different IP, the ISP hinders him/her. If the user signs out and tries to sign in again, the ISP will give him/her another IP address and store the new attachment (telephone number with the new IP address) in its logs. If the user commits any attack, it is easy to trace his/her IP address, which is attached to the telephone number. In the case of connecting directly (with static addresses), the user types an available IP address for his computer, and there is flexibility to change this IP address more than once within the local address set. The suggested solution for this problem is to collect and store the physical features of the host (serial numbers of the motherboard, CPU, VGA card, sound card, etc.) as well as its IP address. Thus, if a host wants to attach to the network (LAN, WAN, etc.), it attaches with a certain IP address from the IP set available in its domain and known to the server. At that time the server sends a query to the host to get information about its physical features and couples them with its IP address. Then the host is granted permission to access the resources with a certain unique IP address. If a host wants to access with an IP address already in use on line, the server denies its request. If a host wants to access using an IP address which is reserved for a certain off-line host, the server also denies its request. However, if the reserved IP of a certain host is not used for a long time, based upon certain conditions and security policies, the server may grant that IP to a new host requesting access to the network. This helps to identify the original source-end host and to revoke compromised hosts. Besides that, the ingress and egress filters at the server level can be used as a complementary defense against any leakage of spoofed IP addresses.

The non-responsive foreign host anomaly is sometimes described as an aggressive sending rate coupled with a low response rate. Mirkovic states [26] that this anomaly pertains only to two-way communications that follow a request/response paradigm, such as TCP, some types of ICMP traffic, DNS traffic, NTP traffic, etc. In these communications, one party sends one or several packets to the other party, and waits for a reply before sending any more packets. For such communications it is anomalous to observe an aggressive sending rate coupled with a low response rate. A low response rate is perceived by HGF as an indication that the foreign host may be overwhelmed by the attack and cannot reply, while an aggressive sending rate indicates that the local host is likely to be performing the attack. By detecting the non-responsive foreign hosts, the HGF actually aims to detect the occurrence of the DoS effect. Detection based on the DoS effect may lead to "after-the-fact" detection, once damage has been done. It would be better if the detection could be performed in the early stages of the attack, thus preserving more of the victim's resources. The early detection can be handled through the HGF firewall. Thus, the HGF responds by revoking the marking of the outgoing packet flow from the source-end host (local host) to the outside network, and thus relieves the victim from a heavy traffic volume.

3.2 The HGF architecture

The HGF is a self-regulating reverse-feedback system. It consists of a stateful packet filtering firewall and a HGP marking unit. The stateful packet filtering is a modified packet filtering firewall that operates at the network layer, added to an observation unit that operates at the transport layer. Figure (3) shows the architecture of the proposed HGF.

The HGF can perform this differentiation between legitimate and attack traffic by monitoring the flows and the connections all the time, and by analyzing them statistically and constructing a set of legitimate traffic models as reference models. The HGF uses the legitimate traffic models for comparing any outgoing traffic and preventing any malicious traffic that violates these legitimate models. A mismatch is then likely a sign of an attack. The traffic model classification can be done through the modified stateful packet filtering, which is composed of a modified packet filtering unit and an observation unit.

Figure (3): Architecture of the proposed HGF.

The legitimate traffic models can be divided into legitimate flow models and legitimate connection models, where a flow is a group of connections. The flow classification can be done at the network layer through the modified packet filtering unit according to the IP source/destination addresses. This can be achieved using statistical detection methods such as the packet inter-arrival time and the entropy. A flow that clearly matches the corresponding models is deemed a legitimate flow, otherwise it is deemed an attack flow. The connection classification can be done at the transport layer through the observation unit according to outbound/inbound services. This can be achieved using a sequential change-point detection algorithm known as CUSUM (cumulative sum). The connections that clearly match the model are deemed legitimate connections, otherwise they are deemed attack connections.

3.2.1 The Observation Unit

The observation unit monitors all the packets passing through the source-end host and gathers statistics on the two-way communications between the host and the rest of the Internet. Periodically, these statistics are compared to the models of legitimate connections and the connections are thus classified. The connection classification is performed at each Connection Observation Interval. During classification, the HGF compares the connection statistics to the corresponding legitimate connection models. About 90% of the Internet traffic is TCP traffic [26, 27], which is the base for most of the transport layer services. Therefore we will concentrate on building the legitimate TCP connection model.

The TCP protocol uses a two-way communication paradigm to achieve a reliable delivery. The normal TCP communication can be modeled by the ratio of the number of packets sent to and received from a specific destination. This ratio is ideally one, but due to some network factors such as network congestion and different TCP implementations it is pushed to slightly higher values. Mirkovic suggests that the legitimate TCP connection model defines TCPrto (with a value of 3) as the maximum allowed ratio of the number of packets sent to the number received on the connection. The connection is classified as an attack connection if its packet ratio is above the threshold [28, 29].
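As an added illustration (not the authors' code), the following Python models the observation unit's TCP connection check over one Connection Observation Interval: per-peer sent/received counts, the TCPrto threshold of 3, the non-responsive foreign host (no replies at all) treated as an infinite ratio, and a one-sided CUSUM over per-interval ratios for the sequential change-point detection named in Section 3.2. LOCAL_HOST, the peer addresses, the traffic counts and the CUSUM parameters are constructed for the example.

```python
"""Observation-unit connection classification over one Connection Observation
Interval (Section 3.2.1). Illustrative code, not the paper's implementation;
addresses, traffic counts and CUSUM parameters are constructed."""
import math
from collections import defaultdict
from typing import Dict, Iterable, Optional

TCP_RTO = 3.0            # maximum legitimate sent/received packet ratio (paper, after Mirkovic)
LOCAL_HOST = "10.0.0.5"  # the source-end host the HGF protects (constructed)


class ObservationUnit:
    """Counts TCP packets sent to and received from each foreign host during the
    current interval, then classifies each connection against the TCP model."""

    def __init__(self, threshold: float = TCP_RTO):
        self.threshold = threshold
        self.sent: Dict[str, int] = defaultdict(int)
        self.received: Dict[str, int] = defaultdict(int)

    def observe(self, src: str, dst: str, proto: str) -> None:
        if proto != "tcp":
            return                     # only the legitimate TCP model is built here
        if src == LOCAL_HOST:
            self.sent[dst] += 1
        elif dst == LOCAL_HOST:
            self.received[src] += 1

    def ratio(self, peer: str) -> float:
        s, r = self.sent[peer], self.received[peer]
        if r == 0:
            # Non-responsive foreign host: packets go out, nothing comes back.
            return math.inf if s > 0 else 0.0
        return s / r

    def classify(self) -> Dict[str, str]:
        """End of the interval: a ratio above the threshold marks an attack connection."""
        peers = set(self.sent) | set(self.received)
        verdict = {p: ("attack" if self.ratio(p) > self.threshold else "legitimate")
                   for p in peers}
        self.sent.clear()
        self.received.clear()          # start the next interval fresh
        return verdict


def cusum_alarm(ratios: Iterable[float], target: float, allowance: float,
                limit: float) -> Optional[int]:
    """One-sided CUSUM over per-interval ratios (sequential change-point detection):
    S_n = max(0, S_{n-1} + x_n - target - allowance). Returns the index of the first
    interval at which S_n exceeds `limit`, or None if no change point is detected."""
    s = 0.0
    for i, x in enumerate(ratios):
        s = max(0.0, s + x - target - allowance)
        if s > limit:
            return i
    return None


def demo_interval() -> Dict[str, str]:
    unit = ObservationUnit()
    # Constructed traffic for one interval: a normal session (3 out, 3 back),
    # a slow but answered transfer (6 out, 2 back: ratio exactly 3, still legitimate),
    # and a flood toward a host that never answers (40 out, 0 back).
    for _ in range(3):
        unit.observe(LOCAL_HOST, "198.51.100.7", "tcp")
        unit.observe("198.51.100.7", LOCAL_HOST, "tcp")
    for _ in range(6):
        unit.observe(LOCAL_HOST, "192.0.2.4", "tcp")
    for _ in range(2):
        unit.observe("192.0.2.4", LOCAL_HOST, "tcp")
    for _ in range(40):
        unit.observe(LOCAL_HOST, "203.0.113.9", "tcp")
    unit.observe(LOCAL_HOST, "203.0.113.9", "udp")   # ignored: not part of the TCP model
    return unit.classify()
```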

3.2.2 The packet filtering unit

The packet filtering unit is an ordinary packet filter with some modifications, using some of the statistical detection methods, that promote it from stateless packet filtering to the first grade (or rank) of stateful packet filtering.

The ordinary packet filters build their security policy and their decisions according to a set of stateless rules. But with the newly proposed packet filtering unit, the security policy and decisions are based on a set of state rules. The flow classification is performed at each Flow Observation Interval, and it can be fulfilled using statistical detection techniques like the packet inter-arrival time and the entropy.

3.2.3 The HGP marking unit

The first idea for our proposed HGP protocol was to use authentication packets or marks, generated randomly with a probability that accommodates and takes into account the trade-offs in terms of avoiding bandwidth congestion and guaranteeing legitimate transactions between hosts. But this technique is vulnerable to attacks, where the attacker may inject malicious packets between the legitimate ones. Therefore, we propose an alternative technique where the HGP uses an authentication mark attached to every trusted outgoing packet. All the packets are then investigated separately for that mark.

Thus, in short, it can be seen that the observation and packet filtering units are responsible for deciding the authenticity of any passing packet depending on some statistical rules and policies. Then, the HGP marking unit generates the authentication mark and protects it from faking or spoofing. Several methods and schemes of packet marking have been proposed in the literature [22, 30-32]. All these schemes were proposed at the router level or at the ISP level. Nothing was proposed for packet marking at the source-end host level. The HGP unit creates the authentication mark, compels the users to use it, and protects this authentication mark from faking.

The system assumes, firstly, that all the HGP units in use have the same program, which creates (at the source) and identifies (at the destination) the authentication mark. The most suitable technique for creating this mark is generating it as a puzzle which is difficult to solve without the intended solving program. Thus, when the sending host wants to sign the outgoing trusted packets with authentication marks, it creates a puzzle P and the solution S of this puzzle, and it uses a hash function to hash the puzzle with its solution, h(P,S), and the solution alone, h(S). The sending host (through the HGP unit) divides the sequence of outgoing packets into samples of packets. The HGP unit signs the first packet in each sample with the puzzle-and-solution digest h(P,S), and the rest of the packets in the sample are signed with the solution digest h(S) only. The location within the packet where the mark is placed is chosen randomly. This of course means that a pseudo-random number generator is to be used to determine the location.

The destination host generates the puzzle-and-solution digest h(P,S) and the solution digest h(S) in the same way they were calculated at the source end. When the authenticated packets reach the destination host, it detects the packet marks. If the received packet does not have the mark, the host discards it. If the received packet is signed with an authentication mark (the puzzle-and-solution digest h(P,S) at the first packet of the sample, and the solution digest h(S) only at the rest of the sample packets), the host extracts the puzzle and solution digests from the packets. The host then compares the created digests to the received ones, based on the location of the mark within the packet. If the generated and received digests match, the packets are allowed to pass; otherwise, they are discarded. To protect this mark from faking or spoofing, the mark generation part can be separated from the attacker by physically programming and encrypting it on a separate IC chip [33, 34].
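The marking and checking described in Section 3.2.3, simulated over byte payloads as an added example (not the authors' code). Assumptions: SHA-256 stands in for the puzzle and solution digests h(P,S) and h(S); both HGP units share the puzzle, its solution, a seed and the sample size out of band; the mark position is derived pseudo-randomly from the shared seed and the packet index so that both ends compute the same offset; the destination advances its index only when a packet verifies, so an injected unmarked or forged packet does not knock it out of step.

```python
"""HGP marking (source side) and verification (destination side), Section 3.2.3.
Illustrative code, not the paper's implementation; keys and payloads are constructed."""
import hashlib
import hmac
from typing import Optional, Tuple

DIGEST_LEN = 32   # SHA-256 output size; one digest is the mark carried in a packet


def digest(*parts: bytes) -> bytes:
    """Length-prefixed hash of the parts, so h(P,S) is well defined for any P and S."""
    h = hashlib.sha256()
    for part in parts:
        h.update(len(part).to_bytes(4, "big"))
        h.update(part)
    return h.digest()


class HGPUnit:
    """One HGP unit. Source and destination run the same program with the same
    shared parameters; the source calls sign(), the destination calls verify()."""

    def __init__(self, puzzle: bytes, solution: bytes, seed: bytes, sample_size: int):
        self.h_ps = digest(puzzle, solution)   # h(P,S): first packet of every sample
        self.h_s = digest(solution)            # h(S): remaining packets of the sample
        self.seed = seed                       # shared seed for the position generator
        self.sample_size = sample_size
        self.index = 0                         # position in the packet stream

    def _mark_and_pos(self, index: int, payload_len: int) -> Tuple[bytes, int]:
        mark = self.h_ps if index % self.sample_size == 0 else self.h_s
        # Pseudo-random insertion offset in [0, payload_len], reproducible at both ends.
        r = digest(self.seed, index.to_bytes(8, "big"))
        pos = int.from_bytes(r[:4], "big") % (payload_len + 1)
        return mark, pos

    def sign(self, payload: bytes) -> bytes:
        mark, pos = self._mark_and_pos(self.index, len(payload))
        self.index += 1
        return payload[:pos] + mark + payload[pos:]

    def verify(self, packet: bytes) -> Optional[bytes]:
        """Return the payload with the mark removed, or None if the packet is discarded."""
        if len(packet) < DIGEST_LEN:
            return None                        # too short to carry a mark
        payload_len = len(packet) - DIGEST_LEN
        expected, pos = self._mark_and_pos(self.index, payload_len)
        if not hmac.compare_digest(packet[pos:pos + DIGEST_LEN], expected):
            return None                        # unmarked or forged: drop, keep the index
        self.index += 1
        return packet[:pos] + packet[pos + DIGEST_LEN:]


def demo() -> dict:
    shared = dict(puzzle=b"constructed-puzzle-P", solution=b"constructed-solution-S",
                  seed=b"constructed-shared-seed", sample_size=4)
    source, destination = HGPUnit(**shared), HGPUnit(**shared)
    # An intruder who knows P and the seed but not S cannot produce h(P,S) or h(S).
    forger = HGPUnit(**{**shared, "solution": b"guessed-solution"})
    payloads = [b"GET / HTTP/1.0\r\n", b"", b"\x00" * 50, b"last of sample", b"first of next sample"]
    delivered = [destination.verify(source.sign(p)) for p in payloads]
    return {
        "delivered": delivered,                                   # all five pass
        "unmarked": destination.verify(b"A" * 64),                # no mark: discarded
        "forged": destination.verify(forger.sign(b"injected")),   # wrong digest: discarded
        "after_reject": destination.verify(source.sign(b"still in step")),
    }
```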

4- Flow charts and algorithms of the proposed HGF firewall

In this section, we will present the flowcharts and algorithms which explain the steps and procedures of each unit in our proposed HGF firewall, to carry out its overall operation. To do that, we will give the following sections:

1- The HGF firewall overall operation
   - The HGF in the forward direction
   - The HGF in the reverse direction
2- The flow and connection inspection using the HGF
3- The HGP marking

4.1 The HGF firewall overall operation

4.1.1 The HGF in the forward direction

Figure (4) shows the flowchart of the overall system for the proposed HGF in the forward direction. The HGF firewall in the forward direction inspects the incoming packets.

Algorithm 1:
 1: for each incoming packet, check the attached HGP mark
 2:   if the HGP mark = valid, then
 3:     pass the packet to the network layer
 4:     IP source/destination address & spoofing inspection
 5:     if source/destination address = valid, then
 6:       pass the packet to the transport layer
 7:       source/destination ports inspection
 8:       if source/destination ports = valid, then
 9:         pass the packet to the rest of the higher layers
10:       else, go to 15
11:       end if
12:     else, go to 15
13:     end if
14:   else
15:     drop the packet
16:   end if
17: end for

Figure (4): The overall HGF system flowchart in the forward direction

4.1.2 The HGF in the reverse direction

Figure (5) shows the flowchart of the overall system of the HGF in the reverse direction. The HGF firewall in the reverse direction inspects the outgoing packets.

Algorithm 2:
 1: for each outgoing packet, inspect the source/destination ports
 2:   if the source/destination ports = valid, then
 3:     pass the packet to the network layer
 4:     IP source/destination address & spoofing inspection
 5:     if source/destination address = valid, then
 6:       pass the packet to the data link layer
 7:       sign the packet with the HGP mark
 8:       pass the authenticated packet to the physical layer
 9:     else, go to 12
10:     end if
11:   else
12:     drop the packet
13:   end if
14: end for

Figure (5): The overall HGF system flowchart in the reverse direction

4.2 The flow and connection inspection using the HGF

As mentioned in section 3, the proposed HGF firewall is composed of two units, the stateful packet filtering unit and the HGP marking unit. The stateful packet filtering unit is responsible for the flow and connection inspection. The HGP protocol is responsible for marking the trusted outgoing packets. This section presents, in detail, the responsibility of the stateful packet filtering. The stateful packet filtering is composed of a packet filtering unit, which detects and analyses the flows, and an observation unit, which detects and analyses the connections. We present the statistical detection methods for each unit.

4.2.1 The packet filtering unit

The packet filtering unit inspects the incoming packets in the forward direction and the outgoing packets in the reverse direction at the network layer. To show the importance and effectiveness of the statistical detection methods, we present the packet filtering operation with and without the statistical detection.

4.2.1.1 The packet filtering operation without the statistical detection

1- Packet filtering module operation on the incoming packets

Figure (6) shows how a packet filtering unit inspects the incoming packets in the forward direction by stateless rules and allows only the packets matching the permission rules.

Algorithm 3
1: for each received packet, inspect the source/destination addresses
2:   if the packet matches the current rule, then
3:     if the rule is a permission rule, then
4:       pass the packet to the transport layer and the upper layers
5:     else, go to 12
6:     end if
7:   else if there are more rules, then
8:     set the packet to the next rule and go to 2
9:   else, go to 12
10:  end if
11:  end if
12: drop the packet
13: end for

Figure (6): A packet filtering module operation on the incoming packets

2- The packet filtering module operation on the outgoing packets

Figure (7) shows how a packet filtering unit inspects the outgoing packets in the reverse direction by stateless rules and allows only the packets matching the permission rules.

Algorithm 4
1: for each outgoing packet, inspect the source/destination addresses
2:   if the packet matches the current rule, then
3:     if the rule is a permission rule, then
4:       pass the packet to the data-link layer and the lower layers
5:     else, go to 12
6:     end if
7:   else if there are more rules, then
8:     set the packet to the next rule and go to 2
9:   else, go to 12
10:  end if
11:  end if
12: drop the packet
13: end for

Figure (7): A packet filtering module operation on the

outgoing packets
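Algorithms 1 to 4 as one runnable example, added here and not the paper's code: a first-match rule table with default discard (Algorithms 3 and 4) serves as the address and port inspection steps inside the forward pipeline of Algorithm 1 (mark, then addresses, then ports) and the reverse pipeline of Algorithm 2 (ports, then addresses, then signing). The packet dictionaries, the rule tables, the local prefix 10.0.0.0/8, the spoofing test (an outgoing packet must carry a local source, an incoming one must not) and the placeholder `sign` callable standing in for the HGP mark are all assumptions of the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed sample: the source-end network that the HGF protects (assumption).
LOCAL_NET = ipaddress.ip_network("10.0.0.0/8")


@dataclass(frozen=True)
class Rule:
    """One <Predicate> <Decision> rule; a field left as None matches anything."""
    src: Optional[str] = None       # CIDR the source address must fall in
    dst: Optional[str] = None       # CIDR the destination address must fall in
    sport: Optional[int] = None
    dport: Optional[int] = None
    action: str = "discard"         # "accept" or "discard"

    def matches(self, pkt: dict) -> bool:
        if self.src and ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(self.src):
            return False
        if self.dst and ipaddress.ip_address(pkt["dst"]) not in ipaddress.ip_network(self.dst):
            return False
        if self.sport is not None and pkt["sport"] != self.sport:
            return False
        if self.dport is not None and pkt["dport"] != self.dport:
            return False
        return True


def first_match(rules: list, pkt: dict) -> str:
    """Algorithms 3 and 4: walk the table in order, the first matching rule decides,
    and a packet that matches no rule is discarded."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "discard"


def spoof_check(pkt: dict, direction: str) -> bool:
    """Assumed spoofing test: an outgoing packet must carry a local source address,
    an incoming packet must not claim one."""
    local = ipaddress.ip_address(pkt["src"]) in LOCAL_NET
    return local if direction == "reverse" else not local


def inspect_forward(pkt: dict, trusted_marks: set, addr_rules: list, port_rules: list):
    """Algorithm 1: HGP mark, then addresses and spoofing, then ports; first failure drops."""
    if pkt.get("mark") not in trusted_marks:
        return ("drop", "hgp-mark")
    if not spoof_check(pkt, "forward") or first_match(addr_rules, pkt) != "accept":
        return ("drop", "network")
    if first_match(port_rules, pkt) != "accept":
        return ("drop", "transport")
    return ("accept", "upper-layers")


def inspect_reverse(pkt: dict, sign: Callable[[dict], bytes], addr_rules: list, port_rules: list):
    """Algorithm 2: ports, then addresses and spoofing, then the packet is signed with the HGP
    mark at the data link layer and handed down.  Returns (decision, stage, marked packet)."""
    if first_match(port_rules, pkt) != "accept":
        return ("drop", "transport", None)
    if not spoof_check(pkt, "reverse") or first_match(addr_rules, pkt) != "accept":
        return ("drop", "network", None)
    return ("accept", "physical", dict(pkt, mark=sign(pkt)))


# Constructed tables: web traffic only, to and from the local network.
ADDR_RULES = [
    Rule(src="10.0.0.0/8", dst="0.0.0.0/0", action="accept"),   # outgoing from local hosts
    Rule(src="0.0.0.0/0", dst="10.0.0.0/8", action="accept"),   # incoming to local hosts
]
PORT_RULES = [
    Rule(dport=80, action="accept"), Rule(dport=443, action="accept"),   # requests
    Rule(sport=80, action="accept"), Rule(sport=443, action="accept"),   # replies
]


def demo():
    """Sends one request out through the reverse path and its reply back through the forward path."""
    sign = lambda pkt: b"demo-mark"            # stands in for the HGP puzzle digest (assumption)
    trusted = {b"demo-mark"}
    request = {"src": "10.0.0.5", "dst": "203.0.113.7", "sport": 40000, "dport": 80}
    spoofed = dict(request, src="192.0.2.9")   # a local host sending with a foreign source
    reply = {"src": "203.0.113.7", "dst": "10.0.0.5", "sport": 80, "dport": 40000,
             "mark": b"demo-mark"}
    unmarked = {k: v for k, v in reply.items() if k != "mark"}
    ssh_in = dict(reply, sport=22)             # correctly marked, but not a permitted port
    return {
        "request": inspect_reverse(request, sign, ADDR_RULES, PORT_RULES)[:2],
        "spoofed": inspect_reverse(spoofed, sign, ADDR_RULES, PORT_RULES)[:2],
        "reply": inspect_forward(reply, trusted, ADDR_RULES, PORT_RULES),
        "unmarked": inspect_forward(unmarked, trusted, ADDR_RULES, PORT_RULES),
        "ssh_in": inspect_forward(ssh_in, trusted, ADDR_RULES, PORT_RULES),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, verdict)
```

The stage name returned with each drop is what a practitioner would log: it says which layer of the pipeline rejected the packet, which is the information needed to tune either the rule tables or the mark verification.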

4.2.1.2 The packet filtering operation with the statistical detection

For the packet filtering operation, the suitable statistical detection methods are the packet inter-arrival time and the entropy [35, 36].

1- The packet inter-arrival time can be used for traffic volume calculation and to determine whether there is any violation of the normal traffic:

$T = PAT[i] - PAT[i-1], \quad PAT[0] = 0$

where $PAT[i]$ is the arrival time of the $i$-th packet.

2- The entropy is a numerical measure of the uncertainty of the traffic with respect to some property of the packets (e.g. the source/destination address):

$H = -\sum_{i=1}^{n} P_i \log_2 P_i$

where $P_i$ is the relative frequency of the $i$-th observed value of that property.

With these two statistical methods, the packet filtering unit progresses from stateless packet filtering to the first grade (or rank) of stateful packet filtering.

1- The source-end host detection

At the packet filtering level, the HGF uses two algorithms for the statistical calculation to detect the suspicious traffic that may indicate a high probability of an existing DoS attack. The results from these algorithms are accumulated with (summed with) the results of the algorithms used at the observation unit to decide and classify the traffic as either legitimate or attack traffic.

There are two threshold values, $T(x)$, used as indicators in each algorithm to tell whether the traffic is normal or abnormal. These thresholds are calculated at every observation interval using a weighted average $\mu$ and a normal distribution value $\sigma$ (the standard deviation). If the detected values are close to the average, the traffic is considered normal. The thresholds are determined as follows:

$\mu_n(x) = \alpha\,\mu_{n-1}(x) + (1-\alpha)\,\mu_{n-2}(x), \quad 0 < \alpha < 1$

$T(x) = \mu_n(x) + k\,\sigma(x), \quad k = 1, 2, 3, \ldots$

where $x = T,\ \dfrac{H_s(s)}{H_s(r)}$; $\mu$: average, $\alpha$: weighting value, $\sigma$: standard deviation, $H_s(s)$: source address entropy of the sent packets, and $H_s(r)$: source address entropy of the received packets.

When an attack happens, the packet inter-arrival time $T$ of the total packets decreases. Therefore, when $T$ is smaller than its threshold $T_t$, we can suspect a DoS attack. If the number of outgoing (sent) packets to a certain destination IP address grows larger than the number of incoming (reply) packets received from the same IP address, the source address entropy of the outgoing packets, $H_s(s)$, increases and the source address entropy of the received (reply) packets, $H_s(r)$, decreases. Therefore, the ratio of the source address entropies of the sent and received packets, $H_s(s)/H_s(r)$, suddenly rises. Based on these parameters, we decide that the suspicious packets are a DoS attack when the ratio of the source address entropies exceeds its threshold value $T_{Hs}$. This can be written as:

Packet inter-arrival time: $T < T_t$, where $T$: traffic volume indicator, $T_t$: threshold of the traffic volume.

Ratio of the source address entropies: $\dfrac{H_s(s)}{H_s(r)} > T_{Hs}$, where $T_{Hs}$: threshold of the source address entropy ratio.

2- The victim-end detection

Although the source-end defense tries to prevent the DoS by hindering it at the source-end network (in the reverse direction), this technique cannot prevent the DoS completely, since some attack packets slip past the detection. Therefore we must use, beside the source-end defense, a victim-end defense system that works in the forward direction like any ordinary defense system. There are several techniques which can be used for defense at the victim end to detect and eliminate the remaining DoS attack packets. We present the technique used at the source-end host, but with the opposite meaning and direction. The suitable statistical techniques at the IP layer for defending in the forward direction are, again, the traffic volume calculation (using the packet inter-arrival time in the same way as at the source-end host) and the entropy, here the destination address entropy. When the number of received packets grows larger than the number of sent packets, the destination address entropy of the received packets, $H_d(r)$, increases and that of the sent packets, $H_d(s)$, decreases. Therefore, the ratio of the destination address entropies of the received and sent packets, $H_d(r)/H_d(s)$, suddenly rises. Based on this parameter, we decide that the suspicious packets are a DoS attack when the ratio of the destination address entropies exceeds its threshold value $T_{Hd}$. This can be written as:

Ratio of the destination address entropies: $\dfrac{H_d(r)}{H_d(s)} > T_{Hd}$, where $T_{Hd}$: threshold of the destination address entropy ratio, calculated as above:

$T(x) = \mu_n(x) + k\,\sigma(x), \quad k = 1, 2, 3, \ldots, \quad \text{but with } x = \dfrac{H_d(r)}{H_d(s)}$
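The two detection tests in working form, as an added example that is not the paper's code: the inter-arrival time $T$, the entropy $H$, the adaptive threshold $T(x)$ and the entropy ratio test, generalized so that the same detector serves the source end ($H_s(s)/H_s(r)$ on source addresses) and the victim end ($H_d(r)/H_d(s)$ on destination addresses). Two points are the example's own assumptions: $\mu$ and $\sigma$ are updated as ordinary exponentially weighted estimates (the recurrence printed for $\mu_n$ above does not involve the new observation), and because the attack sign for $T$ is a drop below the threshold, the example places that threshold at $\mu - k\sigma$ rather than the $\mu + k\sigma$ written for both indicators. The traffic intervals are constructed; $\alpha$, $k$, the warm-up length and the $\sigma$ floor are example parameters.

```python
import math
from collections import Counter


def inter_arrival_times(pat):
    """T[i] = PAT[i] - PAT[i-1] over one interval's packet arrival offsets PAT,
    measured from the interval start so that PAT[0] = 0 as on the page."""
    times = [0.0] + list(pat)
    return [times[i] - times[i - 1] for i in range(1, len(times))]


def mean_inter_arrival(pat):
    gaps = inter_arrival_times(pat)
    return sum(gaps) / len(gaps) if gaps else math.inf     # no packets: infinitely sparse


def entropy(values):
    """H = -sum_i P_i log2 P_i over the empirical distribution of `values`."""
    n = len(values)
    return -sum((c / n) * math.log2(c / n) for c in Counter(values).values()) if n else 0.0


def entropy_ratio(numerator, denominator):
    """Hs(s)/Hs(r) at the source end or Hd(r)/Hd(s) at the victim end.  A zero denominator
    (every packet from one address, or none at all) is the extreme the page describes: +inf."""
    hn, hd = entropy(numerator), entropy(denominator)
    return hn / hd if hd else (math.inf if hn else 0.0)


class AdaptiveThreshold:
    """T(x) = mu_n(x) + side*k*sigma(x): side=+1 bounds the entropy ratio from above, side=-1
    bounds the inter-arrival time from below.  mu/sigma are EWMA estimates (assumption: the
    recurrence printed in the paper for mu_n never uses the new observation)."""

    def __init__(self, alpha=0.3, k=3.0, warmup=3, side=+1):
        self.alpha, self.k, self.warmup, self.side = alpha, k, warmup, side
        self.mu, self.var, self.n = None, 0.0, 0

    def update(self, x):
        if not math.isfinite(x):
            return                                   # +inf carries no usable statistic
        if self.mu is None:
            self.mu = x
        else:
            d = x - self.mu
            self.mu = self.alpha * x + (1 - self.alpha) * self.mu
            self.var = self.alpha * d * d + (1 - self.alpha) * self.var
        self.n += 1

    def value(self):
        sigma = max(math.sqrt(self.var), 0.05 * abs(self.mu))   # floor: sigma = 0 must not alarm on noise
        return self.mu + self.side * self.k * sigma

    def exceeded(self, x):
        if self.n < self.warmup:
            return False                             # not enough normal history yet
        return x < self.value() if self.side < 0 else x > self.value()


class EntropyRatioDetector:
    """Per observation interval: T < T_t or ratio > T_H flags a suspected DoS.  Feed
    (pat, sent_sources, received_sources) at the source end, or
    (pat, received_destinations, sent_destinations) at the victim end."""

    def __init__(self, alpha=0.3, k=3.0, warmup=3):
        self.t_thr = AdaptiveThreshold(alpha, k, warmup, side=-1)
        self.h_thr = AdaptiveThreshold(alpha, k, warmup, side=+1)

    def observe(self, pat, numerator_addrs, denominator_addrs):
        T, R = mean_inter_arrival(pat), entropy_ratio(numerator_addrs, denominator_addrs)
        t_alarm, h_alarm = self.t_thr.exceeded(T), self.h_thr.exceeded(R)
        if not (t_alarm or h_alarm):                 # only intervals judged normal train the thresholds
            self.t_thr.update(T)
            self.h_thr.update(R)
        return {"T": T, "ratio": R, "T_alarm": t_alarm, "H_alarm": h_alarm,
                "suspicious": t_alarm or h_alarm}


def run_demo():
    """Constructed source-end traffic: four normal intervals of about 10 packets/s with
    balanced replies, then a flood of 200 spoofed-source packets towards one victim."""
    hosts = ["10.0.0.1", "10.0.0.2", "10.0.0.3"]
    peers = ["203.0.113.7", "198.51.100.4", "192.0.2.9"]
    det, out = EntropyRatioDetector(), []
    for i in range(4):
        pat = [0.1 * j + 0.01 * ((7 * j + i) % 5) for j in range(1, 21)]   # jittered ~0.1 s gaps
        out.append(det.observe(pat, [hosts[j % 3] for j in range(20)],
                               [peers[j % 3] for j in range(20)]))
    flood = [0.005 * j for j in range(1, 201)]                              # 0.005 s gaps
    spoofed = ["10.0.%d.%d" % (j >> 8, j & 255) for j in range(200)]        # 200 distinct sources
    out.append(det.observe(flood, spoofed, ["203.0.113.7"] * 8 + ["198.51.100.4"]))
    return out


if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```

Only intervals judged normal feed the threshold estimates, so an attack that persists does not drag $\mu$ upward and silence the detector; the price is that the warm-up intervals are trusted unconditionally, which is why a deployment would start the detector on traffic known to be clean.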

4.2.2 The observation unit

As mentioned in section (3), the observation unit is responsible for monitoring the traffic and gathering the statistics at a connection granularity. The traffic may contain a mixture of many transport protocols and applications. We consider that monitoring the connections at the transport layer protocols is sufficient to assess the traffic, and is a good way to classify the traffic as either legitimate or attack traffic.

The TCP connection model

As mentioned in section (3), a large percentage of the traffic in the Internet (about 90%) is TCP traffic. Therefore, we concentrate on building the TCP connection model. We use the sequential change-point detection algorithm known as CUSUM (cumulative sum) [35] to detect the TCP rate anomaly. This algorithm is a statistical tool based on finding the time of switching from one state (normal) to another state (attack) in a time series.

The ratio $X_n^D = TCPto_D / TCPfrom_D$ is the random variable monitored using the CUSUM algorithm, where $TCPto_D$ denotes the number of TCP packets having a destination address $D$ (outgoing packets through the outbound service) during the monitoring time interval $\Delta_n$, and $TCPfrom_D$ denotes the number of TCP packets having a source address $D$ (incoming packets through the outbound service) during $\Delta_n$.

The CUSUM algorithm assumes that the mean value of the random variable $Z_n^D$ is negative during normal conditions, and that it becomes positive when a change occurs. Therefore, $X_n^D$ is transformed into another random sequence $Z_n^D$ with a negative mean [37]:

$Z_n^D = X_n^D - \beta$

where $\beta$ is a predefined upper bound of $X_n^D$ in normal network conditions. In most situations, the upper bound of $X_n^D$ is 3. Since $Z_n^D$ has a negative mean in normal operation, the negative values will not accumulate with time. On the contrary, when an attack occurs, $Z_n^D$ will suddenly become large and positive.
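The CUSUM monitor in working form, as an added example that is not the paper's code: per-destination counting of $TCPto_D$ and $TCPfrom_D$ over an interval, $X_n^D$, $Z_n^D = X_n^D - \beta$ with $\beta = 3$, and the accumulation. The paper states only that $Z_n^D$ stays negative in normal conditions and turns positive under attack; the accumulation rule $y_n = \max(0, y_{n-1} + Z_n^D)$ with an alarm once $y_n$ exceeds a height $h$ is the usual non-parametric CUSUM and is assumed here, as is the floor of one reply in the denominator for a destination that never answers. The interval counts are constructed.

```python
from collections import defaultdict

BETA = 3.0   # the page's upper bound on X_n^D in normal conditions


def count_interval(packets):
    """Counts TCP packets per remote address D during one interval Delta_n:
    ("out", D) has destination D (TCPto_D), ("in", D) has source D (TCPfrom_D)."""
    counts = defaultdict(lambda: [0, 0])
    for direction, addr in packets:
        counts[addr][0 if direction == "out" else 1] += 1
    return {addr: tuple(c) for addr, c in counts.items()}


def tcp_ratio(tcp_to, tcp_from):
    """X_n^D = TCPto_D / TCPfrom_D.  A destination that answers nothing would divide by
    zero; flooring the denominator at one reply is this example's assumption."""
    return tcp_to / max(tcp_from, 1)


class Cusum:
    """Z_n = X_n - beta accumulated as y_n = max(0, y_{n-1} + Z_n); alarm once y_n > h.
    The max(0, .) rule and the height h are the usual non-parametric CUSUM choices
    (assumed; the paper fixes only the sign behaviour of Z_n)."""

    def __init__(self, beta=BETA, h=4.0):
        self.beta, self.h, self.y = beta, h, 0.0

    def step(self, x):
        self.y = max(0.0, self.y + (x - self.beta))
        return self.y > self.h


class TcpRateMonitor:
    """One CUSUM per destination address seen on the outbound service."""

    def __init__(self, beta=BETA, h=4.0):
        self.cusums = defaultdict(lambda: Cusum(beta, h))

    def end_interval(self, packets):
        """Called once per Delta_n; returns {D: alarm} for every destination active in it."""
        return {addr: self.cusums[addr].step(tcp_ratio(to, frm))
                for addr, (to, frm) in count_interval(packets).items()}


# Constructed traffic, (TCPto_D, TCPfrom_D) per destination per interval.  The victim
# 203.0.113.7 sees a short burst in interval 2 and a flood from interval 4 on.
INTERVALS = [
    {"203.0.113.7": (10, 8), "198.51.100.4": (6, 6)},    # X = 1.25 -> Z = -1.75, y stays 0
    {"203.0.113.7": (12, 9), "198.51.100.4": (6, 5)},    # X = 1.33 -> y stays 0
    {"203.0.113.7": (20, 4), "198.51.100.4": (7, 6)},    # X = 5    -> y = 2, below h
    {"203.0.113.7": (10, 8), "198.51.100.4": (6, 6)},    # back to normal: y = 0.25
    {"203.0.113.7": (300, 20), "198.51.100.4": (6, 6)},  # X = 15   -> y = 12.25, alarm
    {"203.0.113.7": (400, 0), "198.51.100.4": (6, 6)},   # no replies at all: X = 400/1
]


def run_demo():
    """Replays INTERVALS through the monitor and returns the per-interval alarm maps."""
    mon, timeline = TcpRateMonitor(), []
    for counts in INTERVALS:
        packets = [p for d, (to, frm) in counts.items()
                   for p in [("out", d)] * to + [("in", d)] * frm]
        timeline.append(mon.end_interval(packets))
    return timeline


if __name__ == "__main__":
    for n, alarms in enumerate(run_demo()):
        print("interval", n, alarms)
```

The burst in interval 2 shows why the accumulation matters: a single interval with $X_n^D = 5$ pushes $y_n$ to 2, below the height, and the next normal interval pulls it back toward zero, so only a sustained excess over $\beta$ raises the alarm.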

4.2.3 The HGP marking unit

The suitable technique for creating the HGP authentication mark is to generate it as a puzzle. This puzzle is created and solved by the intended program, which is used privately by the HGP unit. The exclusiveness of this program to the HGP unit, and its protection from any faking or spoofing, can be handled electronically. In this section, we present the form of the puzzle and its operation flowchart and algorithm. Figure (8) shows the generation of the puzzle and its solution digest. The solution digest can be made through a hash function, which is a non-invertible function. This increases the difficulty of faking or spoofing the puzzle.

Figure (8): The HGP mark generation

The hash function

A hash function is a computationally efficient function mapping binary strings of arbitrary length to binary strings of some fixed length, called hash-values. It is often informally called a one-way hash function. A hash function is a function h which has, at least, the following three properties [37]:

1- Compression: h maps an input S of arbitrary finite bit length to an output h(S) of fixed bit length n.

2- Ease of computation: given h and an input S, h(S) is easy to compute.

3- Non-invertibility: the function can be computed in one direction but cannot be reversed.

Hash functions take a message as input and produce an output referred to as a hash-code, hash-result, hash-value, or simply hash. More precisely, a hash function h maps bit strings of arbitrary finite length to strings of fixed length, say n bits [57]. Figure (9) shows the hash function h as an iterative process which hashes arbitrary length inputs by processing successive fixed-size blocks of the input [38]:

$H_0 = IV; \quad H_i = h(H_{i-1}, S_i),\ 1 \le i \le t; \quad h(S) = H_t$

$H_{i-1}$ serves as the n-bit chaining variable between stage $i-1$ and stage $i$, and $H_0$ is a pre-defined starting value or initializing value (IV).

As mentioned in section (3), when the first packet in the selected sample is received, the receiving host identifies the puzzle (P) and solves it. After that, the host computes the hash of the solution of the puzzle (S) and uses this computed hash, or digest, to compare with the received digest of the solution, which is attached to all the received packets, and decides to allow or to drop the packets according to the result of its comparison. Algorithms (5, 6) show the steps and procedures of this process.

Figure (9): A general model for an iterated hash function

Algorithm 5

When the packets have been checked by the observation and the packet filtering units, the trusted packet is allowed to pass to the HGP unit, which signs it with an authentication HGP mark. This mark can be generated as follows:

1: generate a puzzle (P) and its solution (S).
2: compute the hash function h of the puzzle solution S, h(S). For simplicity, in a separate algorithm (algorithm 6), we explain how to compute the hash function or message digest of the puzzle solution.
3: pick up the first packet from a selected sample.
4: sign this first packet with the puzzle and its solution digest h(S).
5: sign the following packets in the concatenation (the sample) with the solution digest h(S) only.
6: repeat steps 2-5 with the rest of the samples.

[Figure (10), observation-unit branch of the flowchart (image not reproduced); recoverable nodes: Observation unit inspection; TCP? (non-TCP traffic goes to the other connection models); set $\beta = 3$; $X_n^D = TCPto_D / TCPfrom_D$; $Z_n^D = X_n^D - \beta$; $Z_n^D > 0$?; $H_s(s)/H_s(r) > T_{Hs}$?; each test increments a counter, $S = S + 1$ or $L = L + 1$; $S > L$? Yes: DoS attack at source-end, rejected packet; No: HGP marking unit, outgoing authenticated marked packet; connector A.]

Algorithm 6
1: take the puzzle solution as the input.
2: divide the puzzle solution into fixed-length r-bit blocks S_i.
3: append padding bits.
4: append the length block.
5: feed the blocks S_i as input to the internal fixed-size hash function h, the compression function of h.
6: h starts with an initial value (H_0).
7: h takes H_0 and the first block S_1 as its first input.
8: h computes the hash H_1 = h(H_0, S_1) of bit length n.
9: h takes H_1 and the second block S_2 as input.
10: h computes the hash H_2 = h(H_1, S_2).
11: h repeats steps 9 and 10 until the final block S_t.
12: H_t is the final output from h.
13: h(S) = H_t is the puzzle solution digest, with a fixed n bits.
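Algorithms 5 and 6 in working form, as an added example that is not the paper's code: the iterated hash of Algorithm 6 (padding, length block, chaining through a compression function from $H_0$ = IV to $H_t$), the sender side of Algorithm 5 (puzzle and digest on the first packet of a sample, digest only on the rest) and the receiver side described above (solve P, hash the solution, compare). Two things are this example's assumptions, since the paper specifies neither: the compression function is a toy mixing function used only to show the chaining structure (a real deployment would use SHA-256, which has the same iterated shape), and the puzzle is a sub-puzzle in the client-puzzle style, P = (the solution with its last 16 bits removed, SHA-256 of the solution), which the receiver solves by trying the missing bits.

```python
import hashlib
import hmac
import os
import struct

R_BYTES = 8                  # block size r: 64 bits
N_BITS = 64                  # digest size n
MASK = (1 << N_BITS) - 1
IV = 0x243F6A8885A308D3      # H_0, a fixed initializing value


def compress(h_prev: int, block: bytes) -> int:
    """Toy compression function h(H_{i-1}, S_i) -> H_i: multiply/rotate/xor rounds plus a
    feed-forward.  Illustrative only, NOT collision-resistant; it exists to show the
    chaining, and the paper prescribes no particular function."""
    x = h_prev ^ int.from_bytes(block, "big")
    for _ in range(4):
        x = (x * 0x9E3779B97F4A7C15 + 0x7F4A7C15) & MASK
        x ^= ((x << 33) & MASK) | (x >> 31)          # rotate left by 33
    return (x ^ h_prev) & MASK


def pad(msg: bytes) -> bytes:
    """Algorithm 6 steps 2-4: a 1 bit, zeros to a block boundary, then the 64-bit message length."""
    out = msg + b"\x80"
    while (len(out) + 8) % R_BYTES:
        out += b"\x00"
    return out + struct.pack(">Q", len(msg) * 8)


def iterated_hash(msg: bytes) -> bytes:
    """Algorithm 6 steps 5-13: H_0 = IV; H_i = h(H_{i-1}, S_i), i = 1..t; h(S) = H_t."""
    data, h = pad(msg), IV
    for i in range(0, len(data), R_BYTES):
        h = compress(h, data[i:i + R_BYTES])
    return h.to_bytes(N_BITS // 8, "big")


K_BITS = 16   # hidden bits of the solution; sets how much work the solver must do


def make_puzzle(secret_len: int = 8):
    """Sender: draws a random solution S and publishes P = (S without its last K_BITS, SHA-256(S)).
    This sub-puzzle form is an assumption; the paper leaves the puzzle's construction open."""
    S = os.urandom(secret_len)
    known = int.from_bytes(S, "big") >> K_BITS
    return (secret_len, known, hashlib.sha256(S).digest()), S


def solve_puzzle(P) -> bytes:
    """Receiver: tries every value of the hidden bits until the commitment matches."""
    secret_len, known, commit = P
    for guess in range(1 << K_BITS):
        cand = ((known << K_BITS) | guess).to_bytes(secret_len, "big")
        if hashlib.sha256(cand).digest() == commit:
            return cand
    raise ValueError("no solution: corrupt or forged puzzle")


def sign_sample(payloads):
    """Algorithm 5: the first packet of a sample carries (P, h(S)); the others carry h(S) only."""
    P, S = make_puzzle()
    digest = iterated_hash(S)
    return [{"payload": p, "mark": {"digest": digest, **({"puzzle": P} if i == 0 else {})}}
            for i, p in enumerate(payloads)]


class Receiver:
    """Solves the puzzle on a sample's first packet, then compares each packet's digest with h(S')."""

    def __init__(self):
        self.expected = None

    def accept(self, pkt) -> bool:
        mark = pkt.get("mark") or {}
        if "puzzle" in mark:
            try:
                self.expected = iterated_hash(solve_puzzle(mark["puzzle"]))
            except ValueError:
                return False
        if self.expected is None or "digest" not in mark:
            return False                              # digest-only packet before any puzzle
        return hmac.compare_digest(mark["digest"], self.expected)


def demo():
    """Signs a four-packet sample, verifies it, then tries a packet with a forged digest."""
    signed = sign_sample([b"pkt-%d" % i for i in range(4)])
    rx = Receiver()
    verdicts = [rx.accept(p) for p in signed]
    forged = dict(signed[2], mark={"digest": bytes(8)})
    return verdicts, rx.accept(forged)


if __name__ == "__main__":
    print(demo())
```

In this example the digest travels in the clear on every packet of the sample; binding it to each packet's contents or expiring it per sample is outside what the paper specifies and is not attempted here.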

Figure (10) shows the flowchart of the overall operation of the designed HGF in the reverse direction, and algorithm 7 interprets this flowchart.

[Figure (10), packet-filtering branch of the flowchart (image not reproduced); the formulas it carries: $T = PAT[i] - PAT[i-1]$; $\mu_n(x) = \alpha\,\mu_{n-1}(x) + (1-\alpha)\,\mu_{n-2}(x),\ 0 < \alpha < 1$; $T(x) = \mu_n(x) + k\,\sigma(x),\ k = 1, 2, 3, \ldots$; $T_t \leftarrow T(x = T)$; $T_{Hs} \leftarrow T\!\left(x = \dfrac{H_s(s)}{H_s(r)}\right)$; $H_s(r) = -\sum_{i=1}^{n} P_i \log_2 P_i$; $H_s(s) = -\sum_{i=1}^{n} P_i \log_2 P_i$.]

Figure (10): The HGF overall operation in the reverse direction


5- Conclusions

This paper presented a new design for a packet filtering firewall, called Host Guard Firewall (HGF), which helps to mitigate the most pressing problem facing the global Internet and which can also be applied at a proxy server. A newly designed Host Guard Protocol (HGP), which helps to authenticate the authorized packets, was also presented.

The newly designed HGF firewall acts in the reverse direction like a military checkpoint that does not allow anyone to cross it without an authenticated permission. The authenticated permission here is the authentication mark given to the passing authorized packets.

The HGF is used as a DoS defense system deployed at a source-end network. Its goal is twofold: (1) detecting the outgoing DoS attacks and stopping them by controlling the outgoing traffic from the source host to the victim, and (2) providing a guarantee service to the legitimate transactions between all hosts that exist on the Internet. A consequence is that the HGF mitigates the DoS at intermediate systems and at the victim-end network.

The newly designed protocol, HGP, guarantees the authenticity between the hosts on the network by signing the trusted outgoing packets with the HGP authentication mark, which is the permission for these packets to pass through the network. The HGP mark is proposed as a puzzle which is generated and identified with the same intended programs. The mark generation and protection is handled electronically and cryptographically. This protocol is proposed to be located at the data link layer.

This paper used some effective statistical methods which help the HGF, and which can be used with any intrusion detection system, to detect the flows and the connections of the traffic and stop the attack traffic.

The paper was divided into five sections followed by a list of references. Section (1) introduced the paper and section (2) introduced the stateful packet filtering firewall. Section (3) presented the new proposed host guard firewall including its detection system and its architecture and main components according to the OSI system operation layers. Section (4) presented the flowcharts and algorithms for each component in the proposed design and gave some implementation issues. Section (5) concluded with some points and remarks.

References

1- Zwicky, E. D.; Cooper, S. and Chapman, D. B.: "Building Internet Firewalls", O'Reilly & Associates Inc., 2nd Edition, June 2000.
2- Karygiannis, T. and Owens, L.: "Wireless Network Security 802.11, Bluetooth and Handheld Devices", Special Publication 800-48, National Institute of Standards and Technology (NIST), November 2002.
3- Henmi, A.; Lucas, M.; Singh, A. and Cantrell, C.: "Firewall Policies and VPN Configurations", Syngress Publishing Inc., 2nd Edition, 2006.
4- Kamara, S.; Fahmy, S.; Schultz, E.; Kerschbaum, F. and Frantzen, M.: "Analysis of vulnerabilities in Internet firewalls", Elsevier Science B.V., Computers and Security, Vol. 22, No. 3, pp. 214-232, April 2003.
5- Bates, R. J.: "Broadband Telecommunications Handbook", McGraw-Hill, 2nd Edition, 2002.
6- Hartmeier, D.: "Design and Performance of the OpenBSD Stateful Packet Filter (pf)", In Proc. The USENIX Annual Technical Conference, Freenix Track, pp. 171-180, 2002.
7- Huang, Y. and Jiang, Y.: "Firewall Design: Understandable, Designable and Testable", In Proc. The International Conference on Security and Management (SAM), Las Vegas, Nevada, USA, pp. 272-278, June 2006.
8- Al-Shaer, E. and Hamed, H.: "Firewall Policy Advisor for anomaly discovery and rule editing", In Proc. IFIP/IEEE Eighth International Symposium on Integrated Network Management, pp. 17-30, March 2003.
9- Wool, A.: "The use and usability of direction-based filtering in firewalls", Elsevier Science B.V., Computers & Security, Vol. 23, No. 6, pp. 459-468, September 2004.
10- Stallings, W.: "Cryptography and Network Security: Principles and Practices", Prentice Hall Inc., 3rd Edition, 2003.
14- Grennan, M.: "Firewall and Proxy Server HOWTO", National Science Foundation - Division of Undergraduate Education (NSF-DUE), 2000. Available at: http://www.grennan.com/Firewall-HOWTO.html
15- Gouda, M. G. and Liu, X.-Y. A.: "Structured Firewall Design", Elsevier Science B.V., Computer Networks, Vol. 51, No. 4, pp. 1106-1120, March 2007.
16- Oikonomou, G.; Reiher, P.; Robinson, M. and Mirkovic, J.: "A Framework for A Collaborative DDoS Defense", In Proc. Annual Computer Security Applications Conference (ACSAC 22), December 2006. Available as defcom.pdf.
17- Ingham, K. and Forrest, S.: "A History and Survey of Network Firewalls", Technical Report 2002-37, University of New Mexico Computer Science Department, 2002. Available at: http://www.cs.unm.edu/~treport/tr/02-12/firewall.pdf
18- "Dynamic Packet Filtering", Netmaster Digital Security Inc., 2002. Available at: www.netmaster.com/products/ggos-dpf.pdf
19- Verwoerd, T. W.: "Stateful Distributed Firewalls", University of Canterbury, Computer Science Department, Master Thesis, 2001. Available at: http://www.cosc.canterbury.ac.nz/research/reports/MastTheses/2001/mast_0103.pdf
20- Guo, F. and Chiueh, T.-C.: "Traffic Analysis: from Stateful Firewall to Network Intrusion Detection System", Stony Brook University, Computer Science Department, January 2004. Available at: http://www.ecsl.cs.sunysb.edu/tr/TR164.pdf
21- Al-Shaer, E.; Hamed, H.; Boutaba, R. and Hasan, M.: "Conflict Classification and Analysis of Distributed Firewall Policies", In IEEE Journal on Selected Areas in Communications, Vol. 23, No. 10, pp. 2069-2084, October 2005.
22- Siris, V. A. and Stavrakis, I.: "Provider-Based Deterministic Packet Marking Against Distributed DoS Attacks", In Journal of Network and Computer Applications, Vol. 30, No. 3, pp. 858-876, August 2007.
23- Habib, A.; Hefeeda, M. and Bhargava, B.: "Detecting service violations and DoS attacks", In Proc. Network and Distributed System Security Symposium (NDSS '03), San Diego, CA, pp. 177-189, February 2003.
24- Peng, T.; Leckie, C. and Ramamohanarao, K.: "Survey of Network-Based Defense Mechanisms Countering the DoS and DDoS Problems", ACM Computing Surveys, Vol. 39, No. 1, April 2007.
25- Mirkovic, J.; Robinson, M. and Reiher, P.: "Alliance Formation for DDoS Defense", In Proc. The New Security Paradigms Workshop, ACM SIGSAC, pp. 11-18, August 2003.
26- Mirkovic, J.: "D-WARD: Source-End Defense Against Distributed Denial-of-Service Attacks", University of California, Computer Science Department, Ph.D. Dissertation, August 2003. Available at: http://lasr.cs.ucla.edu/ddos/dward-thesis.pdf
27- Wang, H.; Zhang, D. and Shin, K. G.: "Detecting SYN Flooding Attacks", In Proc. 21st IEEE International Conference on Computer Communications, INFOCOM, Vol. 3, pp. 1530-1539, June 2002.
28- Ohsita, Y.; Ata, S. and Murata, M.: "Detecting distributed denial-of-service attacks by analyzing TCP SYN packets statistically", In Proc. IEEE Global Telecommunications Conference, GLOBECOM, Vol. 4, pp. 2043-2049, November 2004.
29- Gil, T. and Poletto, M.: "MULTOPS: A Data-Structure for Bandwidth Attack Detection", In Proc. 10th USENIX Security Symposium, pp. 23-28, August 2001.
30- Song, B.; Heo, J. and Hong, C.: "Collaborative Defense Mechanism Using Statistical Detection Method Against DDoS Attacks", IEICE Transactions on Communications Journal, Vol. E90-B, No. 10, pp. 2655-2664, October 2007.
31- Feinstein, L.; Schnackenberg, D.; Balupari, R. and Kindred, D.: "Statistical Approaches to DDoS Attack Detection and Response", In Proc. IEEE DARPA Information Survivability Conference and Exposition, Vol. 1, pp. 303-314, April 2003.
32- Burgess, M.: "Probabilistic Anomaly Detection in Distributed Computer Networks", Science of Computer Programming Journal, Vol. 60, No. 1, pp. 1-26, March 2006.
33- Al-Duwairi, B. and Manimaran, G.: "A novel packet marking scheme for IP traceback", In Proc. 10th IEEE International Conference on Parallel and Distributed Systems, ICPADS, pp. 195-202, July 2004.
34- Adler, M.: "Tradeoffs in probabilistic packet marking for IP traceback", In 34th ACM Symposium on Theory of Computing (STOC), Quebec, Canada, pp. 407-418, 2002.
35- Lam, H.-Y.; Li, C.-P.; Chanson, S. T. and Yeung, D.-Y.: "A Coordinated Detection and Response Scheme for Distributed Denial-of-Service Attacks", In Proc. IEEE International Conference on Communications, Vol. 5, pp. 2165-2170, June 2006.
36- Gu, Y.; McCallum, A. and Towsley, D.: "Detecting Anomalies In Network Traffic Using Maximum Entropy Estimation", In Proc. The Internet Measurement Conference (IMC 2005), pp. 345-350, October 2005.
37- Schneier, B.: "Applied Cryptography, Second Edition: Protocols, Algorithms, and Source Code in C", Wiley Computer Publishing, John Wiley & Sons, Inc., 1996.
38- Menezes, A. J.; van Oorschot, P. C. and Vanstone, S. A.: "Handbook of Applied Cryptography", CRC Press, 1996.