Method and apparatus for detecting spoofed network traffic
First Claim
1. A method of detecting spoofed Internet Protocol (IP) traffic directed to a network having a plurality of interfaces, comprising:
creating a mapping table indicating correlations between IP address prefixes and AS numbers by processing routing information from a plurality of data sources;
for each interface, acquiring IP address prefixes from a training traffic flow entering the interface;
converting the IP address prefixes into AS numbers based on the mapping table; and
generating an interface expected AS number table for the interface based on the AS numbers; and
determining if an operational traffic flow is allowed to enter the network based on the interface expected AS number table.
Abstract
A method and apparatus for detecting spoofed IP network traffic is presented. A mapping table is created to indicate correlations between IP address prefixes and AS numbers, based on routing information collected from a plurality of data sources. At each interface of a target network, IP address prefixes from a training traffic flow are acquired and converted into AS numbers based on the mapping table. An EAS (Expected Autonomous System) table is populated with the AS numbers collected for each interface. The EAS table is then used to determine whether an operational traffic flow is allowed to enter the network.
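The three phases the abstract describes (mapping, learning, determining) are small enough to show end to end. The following is an added illustration, not code from the patent or its assignee; the routing entries, interface names and traffic flows are constructed sample data, and the source-address-to-prefix step is done with a longest-prefix match, which the abstract implies but does not spell out. The example also keeps conflicting origins from different data sources as a set rather than picking one, which the abstract leaves open.

```python
"""Prefix-to-AS anti-spoofing check: mapping, learning and determining phases.

Added example; not the patent's own code. Every table and flow below is
constructed sample data.
"""
import ipaddress
from collections import defaultdict

# Constructed routing information from two data sources (think of two BGP
# route collectors); each entry is (prefix, origin AS number).
ROUTING_SOURCES = {
    "collector_a": [("192.0.2.0/24", 64496), ("198.51.100.0/24", 64497),
                    ("203.0.113.0/24", 64498)],
    "collector_b": [("198.51.100.0/25", 64499),   # more-specific, other origin
                    ("203.0.113.0/24", 64498)],
}

# Constructed training flows: (interface, source IP address).
TRAINING_FLOWS = [
    ("eth0", "192.0.2.10"), ("eth0", "192.0.2.77"), ("eth0", "198.51.100.200"),
    ("eth1", "203.0.113.5"), ("eth1", "198.51.100.9"),
]


def build_mapping_table(sources):
    """Mapping phase: merge routing information from several sources into one
    prefix -> {AS numbers} table. Disagreeing origins for the same prefix are
    kept together so no source is silently preferred."""
    table = defaultdict(set)
    for entries in sources.values():
        for prefix, asn in entries:
            table[ipaddress.ip_network(prefix, strict=False)].add(asn)
    return dict(table)


def prefix_to_as(table, ip):
    """Longest-prefix match of an address against the mapping table. Returns
    the AS set of the most specific covering prefix, or an empty set."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net in table:
        if addr.version == net.version and addr in net:
            if best is None or net.prefixlen > best.prefixlen:
                best = net
    return set(table[best]) if best is not None else set()


def learn_expected_as(table, training_flows):
    """Learning phase: per-interface Expected AS (EAS) table built from the AS
    numbers observed in training traffic on that interface."""
    eas = defaultdict(set)
    for iface, src_ip in training_flows:
        eas[iface] |= prefix_to_as(table, src_ip)
    return dict(eas)


def check_flow(table, eas, iface, src_ip):
    """Determining phase: returns (allowed, alert). A flow is allowed when any
    AS its source maps to is in the interface's EAS set. Unmapped addresses
    and unknown interfaces are rejected (the conservative choice for an
    anti-spoofing filter) and produce an alert record for storage."""
    origins = prefix_to_as(table, src_ip)
    expected = eas.get(iface, set())
    if origins & expected:
        return True, None
    alert = {"interface": iface, "src": src_ip,
             "origin_as": sorted(origins), "expected_as": sorted(expected)}
    return False, alert


if __name__ == "__main__":
    mapping = build_mapping_table(ROUTING_SOURCES)
    expected_table = learn_expected_as(mapping, TRAINING_FLOWS)
    for iface, src in [("eth0", "192.0.2.200"), ("eth0", "198.51.100.9"),
                       ("eth1", "10.0.0.1"), ("eth9", "192.0.2.1")]:
        print(iface, src, check_flow(mapping, expected_table, iface, src))
```

Two practical caveats the example makes visible: 198.51.100.9 is rejected on eth0 even though the covering /24 is expected there, because the more specific /25 from the second source maps it to a different AS, so the quality and freshness of the routing feeds directly set the false-positive rate; and a spoofer who chooses a source address inside an AS already expected on the ingress interface passes the check, so this is a coarse ingress filter against off-path spoofing, not proof that a packet's source is genuine.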
23 Claims
1. A method of detecting spoofed Internet Protocol (IP) traffic directed to a network having a plurality of interfaces, comprising:
creating a mapping table indicating correlations between IP address prefixes and AS numbers by processing routing information from a plurality of data sources;
for each interface, acquiring IP address prefixes from a training traffic flow entering the interface;
converting the IP address prefixes into AS numbers based on the mapping table; and
generating an interface expected AS number table for the interface based on the AS numbers; and
determining if an operational traffic flow is allowed to enter the network based on the interface expected AS number table.
Dependent claims 2 through 10 are not reproduced on this page.
11. A non-transitory computer readable medium having a computer readable program for operating on a computer for detecting spoofed Internet Protocol (IP) traffic directed to a network having a plurality of interfaces, said program comprising instructions that cause the computer to perform the steps of:
creating a mapping table indicating correlations between IP address prefixes and AS numbers by processing routing information from a plurality of data sources;
for each interface, acquiring IP address prefixes from a training traffic flow entering the interface;
converting the IP address prefixes into AS numbers based on the mapping table; and
generating an interface expected AS number table for the interface based on the AS numbers; and
determining if an operational traffic flow is allowed to enter the network based on the interface expected AS number table.
Dependent claims 12 through 20 are not reproduced on this page.
21. An anti-spoofing apparatus comprising:
a mapping component which generates a mapping table indicating correlations between IP address prefixes and AS numbers by processing routing information from a plurality of data sources, wherein the mapping table is stored in a first database;
a learning component which acquires IP address prefixes from a plurality of training traffic flows entering a network, converts the acquired IP address prefixes into AS numbers based on the mapping table and generates an expected AS number table based on the converted AS numbers, wherein the expected AS number table is stored in a second database; and
a determining component which acquires an IP prefix of an incoming operational traffic flow, converts the IP prefix into an AS number based on the mapping table and determines whether the incoming operational traffic flow is allowed to enter the network;
wherein the determining component comprises a comparing component which compares the converted AS number with the AS numbers of the EAS number table, and the determining component generates an alert notification based on the result of the comparison, wherein the alert notification is stored in a third database.
22. A network system comprising:
a plurality of interfaces for receiving and forwarding traffic flows;
a plurality of traffic monitors in communication with the plurality of interfaces, for collecting information from the traffic flows; and
at least one server in communication with the plurality of traffic monitors, for controlling the traffic flows within the network system, said server comprising an anti-spoofing apparatus comprising:
a mapping component which generates a mapping table indicating correlations between IP address prefixes and AS numbers by processing routing information from a plurality of data sources;
a learning component which acquires IP address prefixes from a plurality of training traffic flows, converts the acquired IP address prefixes into AS numbers based on the mapping table and generates an expected AS number table based on the converted AS numbers; and
a determining component which acquires an IP prefix of an incoming operational traffic flow, converts the IP prefix into an AS number based on the mapping table and determines whether the incoming operational traffic flow is allowed to enter the network.
Dependent claim 23 is not reproduced on this page.
Specification