Article code Journal code Publication year English article Full-text version
425011 685669 2014 11-page PDF Free download
English title of the ISI article
An IP Traceback Protocol using a Compressed Hash Table, a Sinkhole Router and Data Mining based on Network Forensics against Network Attacks
Related topics
Engineering and Basic Sciences, Computer Engineering, Computational Theory and Mathematics
English abstract


• A hash table is compressed using CHTM and the result is stored in a DB.
• Traceback against attacks can be done in real time and even after some time has passed.
• Attack patterns are analyzed by AAM using the attack packets transferred from a Sinkhole Router.
• New attack patterns are extracted by analyzing the collected attack information.
• The results strengthen the attack filtering of routers.

The Source Path Isolation Engine (SPIE) is based on a Bloom filter. The SPIE is designed to improve memory efficiency by storing in a Bloom filter the information on packets that pass through routers, but the Bloom filter must be initialized periodically because of its limited memory. As a result, the SPIE cannot trace back attack packets that passed through the routers earlier. To address this problem, this paper proposes an IP Traceback Protocol (ITP) that uses a Compressed Hash Table, a Sinkhole Router and Data Mining based on network forensics against network attacks. The ITP embeds in routers the Compressed Hash Table Module (CHTM), which compresses the contents of a Hash Table and stores the result in a database. This protocol can trace an attack back not only in real time using a hash table but also periodically using a Compressed Hash Table (CHT). Moreover, the ITP detects replay attacks by attaching time-stamps to the messages and verifies their integrity by hashing them. This protocol also strengthens the attack packet filtering function of routers for the System Manager to update the attack list in the routers periodically and improves the Attack Detection Rate using the association rule among the attack packets with an Apriori algorithm.

Publisher
Database: Elsevier - ScienceDirect
Journal: Future Generation Computer Systems - Volume 33, April 2014, Pages 42–52
Authors
, ,