[Paper Notes] Internet Cache Pollution Attacks and Countermeasures

Mendeley's copy function works quite well
&& its color marking is also handy
ISP: Internet Service Product

Two forms of cache pollution:

  • Locality-disruption
    attacks continuously generate requests for new unpopular files, thus ruining the cache file locality.
    by robots and crawlers

  • False-locality
    attacks repeatedly request the same set of files, thus creating a false file locality at proxy caches.

Two kinds of proxies

  • forward proxies
    it performs as an intermediate server that sits between the client and the origin server.

  • reverse proxies
    appears to the client just like an ordinary web server;
    located close to a back-end server behind a firewall and provides Internet users access to such a server.

Terminology

  • flash crowd
    The large number of people brought by the sudden increase in popularity of an Internet site or resource due to an event or link from another site

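  • heavy-tailed distribution:
    Long-tailed distribution, heavy-tailed distribution
    Put simply, a small number of categories account for a large share, while many categories each account for only a small share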

Experiments
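Try to find the paper's source code!
Simulator:
a discrete-event
1. Supports replacement algorithms such as LFU, LRU and GDSF
2. Variable cache size
3. Multiple DoS behaviors
4. Multiple workloads
5. Simulates the effects of access and local network capacities on system performance
local link capacity: the capacity in front of the cache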

workloads

P2P
p2p traffic accounts for the vast majority of the network’s total bandwidth

The model captures key parameters of p2p workloads, such as request rates, number of clients, number of objects, and changes to the set of clients and objects.

we generate web workloads by applying a version of the same model and by fitting a set of empirically-extracted distributions [27].
So ours does not take this into account, right?
A web client visiting Google thousands of times can be modeled well with fetch-repeatedly systems [4].
Use existing data directly???
[4]
We generate web object sizes by fitting the empirically-measured heavy-tailed distribution reported in [27].

Clients select objects from a Zipf distribution in an independent and identically distributed fashion.
Will this α be taken into account?
Will the generated requests take this into account? Is it necessary in our attack?

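The conclusions include:
Under locality-disruption, mixing in just 4% is enough to cause a substantial drop
For false-locality attacks:
it drops at first; later everything is false, so the hits land on the false files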

System Factors

  • Attackers’ file size

  • Access link capacity

  • The Impact of the Zipf parameter α:

If the attack is done this way, would it be easily defended against?
Counter-detection
The requests I send are actually very few

Detecting false-locality

False-locality: whoever frequently requests unpopular files is suspect

Two metrics for deciding whether clients are attackers:
record the files that each client requests over longer time scales, and calculate the following statistics: (i) the number of repeated requests and (ii) the percent of repeated requests (ratio of repeated requests vs. the total request hits in the cache). Only when both metrics exceed given thresholds, we mark such a client as the attacker.

What is normal behavior on the network?
the real popular files are accessed by a large number of regular clients (tens of thousands or more), the number of such regular clients should be much larger than the number of attackers.

Some benign client IPs can generate a large number of requests, and consequently a relatively large number of repeated requests, e.g., due to NAT effects. The percent of repeated requests from the same IP is small in general.
On the other hand, other clients could generate a small number of requests but with relatively high percent of repeated requests (again, due to the NAT effects). Still, they are unlikely to be attackers.

  • 60% of HTTP requests are generated for dynamic content and are thus uncacheable
  • certain programs, e.g., web crawlers, repeatedly request the same file until a successful download occurs. The
  • it is also possible for some clients to solely keep loading the same web page, e.g., “http://www.google.com,” without placing any queries. However, there are only a small number of such popular web pages and the access patterns for those pages tend to be stable. -> build a whitelist

What is abnormal behavior on the network?

it is rare for a normal client to reload the same file multiple times in a short period, e.g., a few hours or a day

This should not be what we want to use
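
The two-metric check from the notes above, as an added Python example (not code from the paper or from this post): a client is flagged only when both the repeated-request count and the repeated-request fraction exceed thresholds, and whitelisted pages are skipped. The threshold values, the whitelist entry, the IP addresses and the hit log are constructed assumptions.

```python
from collections import defaultdict

# Assumed thresholds: the notes give no concrete values.
MIN_REPEATS = 50        # metric (i): number of repeated requests
MIN_REPEAT_PCT = 0.5    # metric (ii): repeated requests / total cache hits
# Stable, popular pages that benign clients keep reloading (the whitelist idea).
WHITELIST = {"http://www.google.com"}

def repeat_stats(hits):
    """hits: (client_ip, url) cache hits recorded over a long window.
    Returns {ip: (repeated_count, repeated_fraction)}."""
    seen, total, repeated = defaultdict(set), defaultdict(int), defaultdict(int)
    for ip, url in hits:
        if url in WHITELIST:
            continue
        total[ip] += 1
        if url in seen[ip]:
            repeated[ip] += 1   # same client asked for this file before
        seen[ip].add(url)
    return {ip: (repeated[ip], repeated[ip] / total[ip]) for ip in total}

def flag_false_locality(hits, min_repeats=MIN_REPEATS, min_pct=MIN_REPEAT_PCT):
    """Mark a client only when BOTH metrics exceed their thresholds."""
    return sorted(ip for ip, (n, pct) in repeat_stats(hits).items()
                  if n > min_repeats and pct > min_pct)

def sample_hits():
    """Constructed log: documentation-range IPs, made-up paths."""
    hits = []
    # NAT gateway: 1000 hits, 100 repeats -> high count, low fraction (10%).
    hits += [("198.51.100.1", f"/pop/{i % 900}") for i in range(1000)]
    # Small client: 10 hits, 8 repeats -> high fraction, low count.
    hits += [("198.51.100.2", f"/doc/{i % 2}") for i in range(10)]
    # Client that only reloads a whitelisted page.
    hits += [("198.51.100.3", "http://www.google.com")] * 300
    # Repeatedly requests the same 20 files: 400 hits, 380 repeats (95%).
    hits += [("203.0.113.9", f"/cold/{i % 20}") for i in range(400)]
    return hits

if __name__ == "__main__":
    print(flag_false_locality(sample_hits()))
```

Requiring both metrics is what keeps the NAT gateway (many repeats, low fraction) and the small client (high fraction, few repeats) from being marked.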

Detecting locality-disruption attacks

How is this done in the normal case?

Detecting the attack

For each cached file, we record its entry time. Periodically, we compute the average durations for all files in the cache. When the average duration is very low, we detect the attacks.

Detecting the attackers

Thus, for each file in cache, we record the client IP making the most recent access request. When we detect the locality disruption attack, we check the IP addresses in the cache table and search for those that make most of the requests.

Regular clients usually request popular files, and requests toward these files are often shared by many different clients. That is, when counting the number of requested files in the cache by the requestor IP, the attackers will surface with a large number of requested files in cache.

This is precisely because the number of attackers is much lower than the number of regular clients.
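
The two steps above (average cache duration to detect the attack, then per-IP counting over the cache table to find the attackers), as an added Python example that is not code from the paper or from this post. The `Entry` layout, both thresholds, the timestamps and the IP addresses are constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass
class Entry:
    entry_time: float  # when the file entered the cache
    last_ip: str       # client IP of the most recent request for it

def average_duration(table, now):
    """Mean time the currently cached files have spent in the cache."""
    return sum(now - e.entry_time for e in table.values()) / len(table)

def detect(table, now, min_avg=600.0, min_share=0.2):
    """Return (attack_detected, suspect_ips).
    min_avg (seconds) and min_share are assumed thresholds."""
    if not table or average_duration(table, now) >= min_avg:
        return False, []
    # Popular files are shared by many clients, so each regular IP owns few
    # entries; IPs owning a large share of the table surface here.
    owners = Counter(e.last_ip for e in table.values())
    return True, sorted(ip for ip, n in owners.items()
                        if n / len(table) >= min_share)

NOW = 10_000.0

def healthy_cache():
    """Constructed: 100 popular files cached an hour ago, 100 distinct IPs."""
    return {f"/pop/{i}": Entry(NOW - 3600, f"192.0.2.{i}") for i in range(100)}

def polluted_cache():
    """Constructed: 10 old popular files left, 90 fresh files from two IPs."""
    table = {f"/pop/{i}": Entry(NOW - 3600, f"192.0.2.{i}") for i in range(10)}
    for i in range(90):
        ip = "203.0.113.5" if i % 2 else "203.0.113.6"
        table[f"/new/{i}"] = Entry(NOW - (i % 30), ip)
    return table

if __name__ == "__main__":
    print(detect(healthy_cache(), NOW))
    print(detect(polluted_cache(), NOW))
```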
