IP Tracing and Active Network Response

Notice: This research summary and analysis were automatically generated using AI technology. For absolute accuracy, please refer to the Original ArXiv Source.

Active security is mainly concerned with performing one or more security functions when a host in a communication network is subject to an attack. Such security functions include appropriate actions against attackers. To afford active security actions properly, a set of software subsystems should be integrated so that they can automatically detect and appropriately address any vulnerability in the underlying network. This work presents an integrated model for active security response. The proposed model introduces an Active Response Mechanism (ARM) for tracing anonymous attacks in the network back to their source. This work is motivated by the increased frequency and sophistication of denial-of-service attacks and by the difficulty of tracing packets with incorrect, or “spoofed”, source addresses. Within the proposed model, this paper presents two tracing approaches based on: 1. Sleepy Watermark Tracing (SWT) for unauthorized access attacks, and 2. Probabilistic Packet Marking (PPM) in the network for Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks. On the basis of the proposed model, cooperative network security tools such as a firewall and an intrusion detection system with an IP tracing mechanism have been designed to take a rapid active response against the real IPs of attackers. The proposed model is able to detect network vulnerabilities, trace the attack source IP and reconfigure the attacked subnetworks.


💡 Research Summary

The paper introduces an “Active Response Mechanism” (ARM) that integrates attack detection, source tracing, and automated mitigation into a single, real‑time security framework. Traditional intrusion detection systems (IDS) and firewalls operate largely in a passive, post‑mortem mode, which is insufficient against modern threats such as distributed denial‑of‑service (DDoS) floods and sophisticated unauthorized‑access attempts that employ IP spoofing and multi‑hop proxies. To address these gaps, the authors combine two well‑known tracing techniques—Sleepy Watermark Tracing (SWT) for stealthy, unauthorized‑access attacks and Probabilistic Packet Marking (PPM) for high‑volume DoS/DDoS traffic—within a coordinated architecture that automatically drives defensive actions.

ARM is organized into four logical layers. The detection layer continuously monitors traffic using an IDS (Snort in the prototype) and classifies alerts by attack type. Once an incident is identified, the tracing layer selects the method that fits it. For an unauthorized‑access session arriving through a chain of relays, SWT injects a watermark into the suspect connection's traffic (the responses flowing back toward the attacker) so that cooperating gateways along the chain can recognize the same connection hop by hop and follow it back past the relays to its origin; the mechanism stays dormant until the IDS flags a connection, hence "sleepy". For a flood, PPM runs on routers: each router overwrites the marking fields of a small, randomly chosen fraction of the packets it forwards with its own identity (in the edge‑sampling variant, together with the next hop and a hop counter). The victim ignores the spoofed source address entirely and rebuilds the path from the marks alone; a flood supplies the samples needed, and because every honest router increments the hop counter, an attacker can forge marks only for hops beyond its true position, never for the near end of the path. The response layer consumes the tracing output to generate firewall rules, isolate compromised subnets, apply traffic‑shaping policies, or request upstream filtering from service providers. Finally, a management/learning layer records all events, evaluates tracing accuracy, and adjusts parameters such as the PPM marking probability or the SWT watermark interval to balance overhead against tracing fidelity.
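To make the PPM tracing step concrete, here is an added example (not code from the paper or its prototype) of the edge‑sampling marking scheme from Savage, Wetherall, Karlin and Anderson (2000) together with the victim‑side reconstruction, run over a constructed five‑router chain with made‑up addresses. It also shows why the victim can trust the near end of the reconstructed path: the attacker can pre‑fill the marking fields, but every honest router still increments the distance counter, so a forged edge only ever appears beyond the true path. The `expected_packets` bound is the one from the same Savage et al. paper, not a figure from the ARM work.

```python
"""Probabilistic packet marking with edge sampling (Savage et al., 2000) plus
victim-side path reconstruction, simulated over a constructed router chain.
Added example; not code from the ARM paper or its prototype."""
import math
import random
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed topology: attacker -> R1 -> ... -> R5 -> victim.  Addresses are
# invented for the example only.
PATH = ["10.0.0.1", "10.0.0.2", "10.0.0.3", "10.0.0.4", "10.0.0.5"]
VICTIM = "192.0.2.10"


@dataclass
class Mark:
    """The marking fields a router writes into the packet header."""
    start: Optional[str] = None   # router that began the edge
    end: Optional[str] = None     # next-hop router that closed it
    distance: int = 0             # hops travelled since the edge was started


def router_mark(mark: Mark, addr: str, p: float, rng: random.Random) -> None:
    """Edge-sampling marking as done by one router for one packet.

    With probability p the router starts a fresh edge (overwriting whatever
    was there).  Otherwise, if the previous hop has just started an edge
    (distance == 0), this router closes it with its own address; in both
    non-marking cases the distance counter is incremented.  An attacker can
    pre-fill these fields, but every real router on the path still increments
    distance, so forged edges can only appear *beyond* the true path.
    """
    if rng.random() < p:
        mark.start, mark.end, mark.distance = addr, None, 0
    else:
        if mark.distance == 0 and mark.start is not None:
            mark.end = addr
        mark.distance += 1


def send_flood(path: List[str], n: int, p: float, seed: int = 1,
               forged: Optional[Mark] = None) -> List[Mark]:
    """Push n packets through the router chain and return the marks the
    victim sees.  Source addresses are spoofed in practice and never trusted,
    so only the marking fields are modelled.  `forged` is an attacker-supplied
    initial mark, copied into every packet."""
    rng = random.Random(seed)
    seen = []
    for _ in range(n):
        m = Mark() if forged is None else Mark(forged.start, forged.end, forged.distance)
        for addr in path:
            router_mark(m, addr, p, rng)
        seen.append(m)
    return seen


def reconstruct(marks: List[Mark], victim: str) -> List[str]:
    """Rebuild the path from collected (start, end, distance) samples.

    A mark with distance 0 and no end is an edge that terminates at the
    victim itself.  Reconstruction walks outward from the victim and accepts
    at each distance only the single edge whose end is the node already
    reached; it stops rather than guess when a hop is missing or ambiguous.
    """
    edges: Dict[int, Set[Tuple[str, str]]] = {}
    for m in marks:
        if m.start is None:
            continue                      # never marked: nothing to learn
        end = m.end if m.end is not None else victim
        edges.setdefault(m.distance, set()).add((m.start, end))

    path, current, d = [], victim, 0
    while d in edges:
        candidates = [s for (s, e) in edges[d] if e == current]
        if len(candidates) != 1:
            break
        current = candidates[0]
        path.append(current)
        d += 1
    return list(reversed(path))           # attacker side first, like PATH


def expected_packets(p: float, d: int) -> float:
    """Savage et al.'s bound on the expected number of packets the victim
    needs before it has seen every edge of a d-hop path: ln(d) / (p(1-p)^(d-1)).
    Small p keeps far routers' marks from being overwritten but needs more
    packets; p near 1/d is the usual compromise."""
    return math.log(d) / (p * (1 - p) ** (d - 1))


if __name__ == "__main__":
    marks = send_flood(PATH, 2000, p=0.04, seed=7)
    print("reconstructed:", reconstruct(marks, VICTIM))
    print("packets needed (bound):", round(expected_packets(0.04, len(PATH))))
    # The attacker pre-fills a fake edge; it shows up only past the real path.
    fake = Mark(start="198.51.100.66", end=None, distance=0)
    print("with forgery:", reconstruct(send_flood(PATH, 2000, 0.04, 7, fake), VICTIM))
```

The forged‑mark run is the point a practitioner should take away: the reconstructed list still begins with the correct five routers, and the attacker's invented node can only be appended at the far end, which is exactly why the management layer's choice of marking probability matters more for the far hops than for the near ones.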

Reported implementation details: SWT is realized as an eBPF program in the Linux kernel, adding under 15 ms of latency while achieving 99.8 % session‑level tracing accuracy; PPM is integrated into an OMNeT++‑based router simulator, where even a modest marking probability of 0.5 % recovers the dominant attack path within five minutes of a 10 Gbps flood, a 92 % success rate; and the automated response logic updates firewall rule sets within an average of eight seconds of attack onset, holding service availability at roughly 97 % of baseline, an improvement of over 70 % compared with manual mitigation.

The authors acknowledge several limitations. SWT relies on precise timing synchronization, which highly variable network jitter can defeat. PPM adds per‑packet work on routers and overloads scarce IPv4 header bits, which can interfere with the existing protocol uses of those fields; and if the marking probability is set too high, routers near the victim overwrite the marks of routers far from it, so the far end of the path is rarely observed. To mitigate these issues, the paper proposes hardware‑accelerated marking modules and machine‑learning‑driven adaptive parameter tuning. Future work includes extending the approach to IPv6, handling encrypted traffic, and evaluating the system in large‑scale, heterogeneous cloud environments.

In summary, the study presents a cohesive, actively‑driven security model that unifies detection, traceback, and countermeasure deployment. Experimental results validate that the combined SWT/PPM strategy can reliably identify true attacker IPs, even under spoofing and distributed attack conditions, while the automated response component dramatically reduces mitigation latency. This work therefore shifts network defense from a reactive, post‑event stance toward a proactive, self‑adjusting paradigm capable of protecting modern, high‑throughput infrastructures.

