HARNET-2: ID Router

  • Introduction
  • IDR Structure
  • Key Technical Components

Introduction

    The Intrusion Detection Router (IDR) is constructed to protect against network attacks. The IDR has built-in intrusion detection mechanisms that enable the detection of, reaction to, and investigation of various hacking attacks. The focus will be on DDoS attacks. Existing machine learning and data mining techniques will be used to enable the routers to construct detection and reaction rules dynamically. So that the IDRs can trace the origin of an attack, a network control sub-system will be set up, built on a Virtual Private Network. For easy network monitoring, a secure wireless control device will be developed and integrated with the network control module.

    To test HARNET-2, hacking machines will be used to launch attacks against it, exercising its intrusion detection, reaction and investigation functions.

    To demonstrate the feasibility of performing intrusion detection and providing protection against DDoS on real-life high-speed networks, we shall use a Network Processor development board/subsystem to implement part of the router software and scale up the supported link speed. The Network Processor hardware will be integrated with off-the-shelf PCs and network interface cards, and the whole will operate as a network device under the control of the Linux OS.


    IDR Architecture
    There are two main components: the Detector and the Filter.

    Figure: IDR Functional Block diagram


    Key Technical Components

    • Statistical-based DDoS attack detection
      • use a Bloom-filter-like flow-monitor array to reduce the memory/state-space requirement from O(F) to O(log F), where F is the number of traffic flows

    • Hierarchical Class-based Queueing (CBQ) scheduler
      • contain negative impact of suspicious traffic flows without affecting legitimate ones

    • Fine-grain attack traffic identification/classification using a rule-based, self-tuning leaky-bucket array
      • enable real-time, online data-mining/analysis
      • well-suited for high-speed, hardware implementation

    • Hop-by-hop pushback and flow-control to establish Distributed Line of Defense
      • Soft-state pushback/control signalling among IDRs
      • Attack source traceback, status update and report consolidation
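
As an added example (not code from the HARNET-2 project), the following Python sketch combines the first and third components above: a Bloom-filter-like array of leaky buckets that tracks per-flow packet rates in fixed memory and flags any flow whose estimated rate exceeds a threshold. The array size, hash choice, leak rate, capacity and the sample packet trace are all assumptions made for illustration.

```python
import hashlib


class LeakyBucketFlowMonitor:
    """Fixed-size array of leaky buckets indexed by hashed flow key.

    Each flow maps to k buckets (Bloom-filter style), so memory does not grow
    with the number of flows. A flow's rate estimate is the minimum level over
    its k buckets: collisions can only inflate a level, so a flooding flow is
    never missed, while a legitimate flow is misclassified only if all k of its
    buckets collide with heavy flows.
    """

    def __init__(self, size=1024, k=3, leak_rate=50.0, capacity=100.0):
        self.size, self.k = size, k
        self.leak_rate = leak_rate   # packets drained per second per bucket
        self.capacity = capacity     # level above which a flow is suspect
        self.level = [0.0] * size
        self.last = [0.0] * size     # time of last update per bucket

    def _indices(self, flow):
        key = "|".join(flow).encode()
        for i in range(self.k):      # k independent hashes via distinct salts
            h = hashlib.blake2b(key, digest_size=8, salt=bytes([i])).digest()
            yield int.from_bytes(h, "big") % self.size

    def observe(self, flow, now, pkts=1):
        """Record `pkts` packets of `flow` at time `now`; True if flow is suspect."""
        levels = []
        for idx in self._indices(flow):
            elapsed = max(0.0, now - self.last[idx])   # drain since last visit
            self.level[idx] = max(0.0, self.level[idx] - self.leak_rate * elapsed)
            self.level[idx] += pkts
            self.last[idx] = now
            levels.append(self.level[idx])
        return min(levels) > self.capacity


def classify_trace(trace, monitor=None):
    """Replay a (timestamp, flow) packet trace in time order; return flagged flows."""
    monitor = monitor or LeakyBucketFlowMonitor()
    return {flow for t, flow in sorted(trace, key=lambda e: e[0])
            if monitor.observe(flow, t)}


# Constructed sample trace (not real traffic): one source floods the victim
# with 400 UDP packets in one second; twenty clients send 5 TCP packets each.
VICTIM = "203.0.113.10"
FLOOD = ("198.51.100.7", VICTIM, "udp")
TRACE = [(i / 400.0, FLOOD) for i in range(400)]
TRACE += [(n / 5.0, (f"192.0.2.{c}", VICTIM, "tcp"))
          for c in range(1, 21) for n in range(5)]

if __name__ == "__main__":
    print(classify_trace(TRACE))   # only the flooding flow is flagged
```

The flagged flow is what the CBQ scheduler above would then isolate into a low-priority class, so that legitimate flows sharing the link are not affected.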