Results 1 - 10 of 76
PacketScore: a statistics-based packet filtering scheme against distributed denial-of-service attacks
IEEE Transactions on Dependable and Secure Computing, 2006
Cited by 30 (0 self)
Distributed Denial-of-Service (DDoS) attacks are a critical threat to the Internet. This paper introduces a DDoS defense scheme that supports automated online attack characterization and accurate attack packet discarding based on statistical processing. The key idea is to prioritize a packet based on a score which estimates its legitimacy given the attribute values it carries. Once the score of a packet is computed, this scheme performs score-based selective packet discarding, where the dropping threshold is dynamically adjusted based on the score distribution of recent incoming packets and the current level of system overload. This paper describes the design and evaluation of automated attack characterization, selective packet discarding, and an overload control process. Special considerations are made to ensure that the scheme is amenable to high-speed hardware implementation through scorebook generation and pipeline processing. A simulation study indicates that PacketScore is very effective in blocking several different attack types under many different conditions.
Index Terms: Network level security and protection, performance evaluation, traffic analysis, network monitoring, security, simulation.
Automatically Generating Models for Botnet Detection
2009
Cited by 28 (7 self)
A botnet is a network of compromised hosts that is under the control of a single, malicious entity, often called the botmaster. We present a system that aims to detect bot-infected machines, independent of any prior information about the command and control channels or propagation vectors, and without requiring multiple infections for correlation. Our system relies on detection models that target the characteristic fact that every bot receives commands from the botmaster to which it responds in a specific way. These detection models are generated automatically from network traffic traces recorded from actual bot instances. We have implemented the proposed approach and demonstrate that it can extract effective detection models for a variety of different bot families. These models are precise in describing the activity of bots and raise very few false positives.
Collaborative detection of DDoS attacks over multiple network domains
IEEE Trans. Parallel Distrib. Syst.
Cited by 22 (2 self)
This paper presents a new distributed approach to detecting DDoS (distributed denial of service) flooding attacks at the traffic-flow level. The new defense system is suitable for efficient implementation over the core networks operated by Internet service providers (ISPs). At the early stage of a DDoS attack, some traffic fluctuations are detectable at Internet routers or at the gateways of edge networks. We develop a distributed change-point detection (DCD) architecture using change aggregation trees (CAT). The idea is to detect abrupt traffic changes across multiple network domains at the earliest time. Early detection of DDoS attacks minimizes the flooding damages to the victim systems serviced by the provider. The system is built over attack-transit routers, which work together cooperatively. Each ISP domain has a CAT server to aggregate the flooding alerts reported by the routers. CAT domain servers collaborate among themselves to make the final decision. To resolve policy conflicts at different ISP domains, a new secure infrastructure protocol (SIP) is developed to establish mutual trust or consensus. We simulated the DCD system up to 16 network
Defending against TCP SYN flooding attacks under different types of IP spoofing
In International Conference on Networking, International Conference on Systems and International Conference on Mobile Communications and Learning Technologies (ICNICONSMCL '06), p. 38, Morne, Mauritius (Apr. 2006). IEEE Computer Society. ISBN
Cited by 16 (0 self)
TCP-based flooding attacks are a common form of Distributed Denial-of-Service (DDoS) attack which abuse network resources and can pose serious threats to the Internet. Incorporating IP spoofing makes it even more difficult to defend against such attacks. Among the different IP spoofing techniques, which include random spoofing, subnet spoofing and fixed spoofing, subnet spoofing is the most difficult type to fight against. In this paper, we propose a simple and efficient method to detect and defend against TCP SYN flooding attacks under different IP spoofing types, including subnet spoofing. The method makes use of a storage-efficient data structure and a change-point detection method to distinguish complete three-way TCP handshakes from incomplete ones. Simulation experiments consistently show that our method is both efficient and effective in defending against TCP-based flooding attacks under different IP spoofing types.
Flexible Deterministic Packet Marking: An IP Traceback System to Find the Real Source of Attacks
2009
Cited by 14 (0 self)
Internet Protocol (IP) traceback is the enabling technology to control Internet crime. In this paper, we present a novel and practical IP traceback system called Flexible Deterministic Packet Marking (FDPM), which provides a defense system with the ability to find out the real sources of attacking packets that traverse the network. While a number of other traceback schemes exist, FDPM provides innovative features to trace the source of IP packets and can obtain better tracing capability than others. In particular, FDPM adopts a flexible mark length strategy to make it compatible with different network environments; it also adaptively changes its marking rate according to the load of the participating router by a flexible flow-based marking scheme. Evaluations on both simulation and real system implementation demonstrate that FDPM requires a moderately small number of packets to complete the traceback process, adds little additional load to routers, and can trace a large number of sources in one traceback process with low false positive rates. The built-in overload prevention mechanism makes this system capable of achieving a satisfactory traceback result even when the router is heavily loaded. The motivation of this traceback system is from DDoS defense. It has been used not only to trace DDoS attacking packets but also to enhance the filtering of attacking traffic. It has a wide array of applications for other security systems.
Collaborative change detection of DDoS attacks on community and ISP networks
In the IEEE International Symposium on Collaborative Technologies and Systems (CTS '06)
Cited by 13 (4 self)
A community network often operates within the same ISP (Internet Service Provider) domain or is administered by a virtual organization spanning multiple network domains with an established trust relationship. To counter DDoS (distributed denial-of-service) attacks in such a federated network environment, the routers can work cooperatively to raise early warnings and avoid catastrophic damage. This paper proposes a collaborative architecture to detect DDoS flooding attacks. The scheme appeals, in particular, to the protection of networked resource centers that work as a collaboration Grid. By monitoring the distribution of suspicious traffic changes over a number of attack-transit routers, we developed a new Change-Aggregation Tree (CAT) mechanism to enable early detection of DDoS attacks on community networks. We want to detect flooding attacks as early as possible. Here, we report preliminary NS-2 simulation results on a single-domain ISP core network to prove the effectiveness of the new collaborative CAT architecture for DDoS defense. The simulated system achieved a detection rate as high as 95% with less than 1% false positive alarms. Extensions of this architecture to cross-domain DDoS defense are discussed, with further research challenges identified.
Reverse hashing for high-speed network monitoring: Algorithms, evaluation, and applications
In IEEE INFOCOM, 2004
Cited by 12 (2 self)
A key function for network traffic monitoring and analysis is the ability to perform aggregate queries over multiple data streams. Change detection is an important primitive which can be extended to construct many aggregate queries. The recently proposed sketches [1] are among the very few that can detect heavy changes online for high-speed links, and thus support various aggregate queries in both temporal and spatial domains. However, they do not preserve the keys (e.g., source IP address) of flows, making it difficult to reconstruct the desired set of anomalous keys. In an earlier abstract we proposed a framework for a reversible sketch data structure that offers hope for efficient extraction of keys [2]. However, this scheme is only able to detect a single heavy change key and places restrictions on the statistical properties of the key space. To address these challenges, we propose an efficient reverse hashing scheme to infer the keys of culprit flows from reversible sketches. There are two phases. The first operates online, recording the packet stream in a compact representation with negligible extra memory and few extra memory accesses. Our prototype single FPGA board implementation can achieve a throughput of over 16 Gbps for 40-byte-packet streams (the worst case). The second phase identifies heavy changes and their keys from the representation in nearly real time. We evaluate our scheme using traces from large edge routers with OC-12 or higher links. Both the analytical and experimental results show that we are able to achieve online traffic monitoring and accurate change/intrusion detection over massive data streams on high-speed links, all in a manner that scales to large key space size. To the best of our knowledge, our system is the first to achieve these properties simultaneously.
Reversible Sketches: Enabling Monitoring and Analysis over High-speed Data Streams
Cited by 12 (0 self)
A key function for network traffic monitoring and analysis is the ability to perform aggregate queries over multiple data streams. Change detection is an important primitive which can be extended to construct many aggregate queries. The recently proposed sketches [1] are among the very few that can detect heavy changes online for high-speed links, and thus support various aggregate queries in both temporal and spatial domains. However, they do not preserve the keys (e.g., source IP address) of flows, making it difficult to reconstruct the desired set of anomalous keys. To address this challenge, we propose the reversible sketch data structure along with reverse hashing algorithms to infer the keys of culprit flows. There are two phases. The first operates online, recording the packet stream in a compact representation with negligible extra memory and few extra memory accesses. Our prototype single FPGA board implementation can achieve a throughput of over 16 Gbps for 40-byte-packet streams (the worst case). The second phase identifies heavy changes and their keys from the representation in nearly real time. We evaluate our scheme using traces from large edge routers with OC-12 or higher links. Both the analytical and experimental results show that we are able to achieve online traffic monitoring and accurate change/intrusion detection over massive data streams on high-speed links, all in a manner that scales to large key space size. To the best of our knowledge, our system is the first to achieve these properties simultaneously.
Wavelet-based Real Time Detection of Network Traffic Anomalies
Cited by 10 (0 self)
Real-time network monitoring for intrusions is offered by various host- and network-based intrusion detection systems. These systems largely use signature or pattern matching techniques at their core and thus are ineffective in detecting unknown anomalous activities. In this paper, we apply signal processing techniques to intrusion detection systems, and develop and implement a framework, called Waveman, for real-time wavelet-based analysis of network traffic anomalies. Then, we use two metrics, namely percentage deviation and entropy, to evaluate the performance of various wavelet functions in detecting different types of anomalies such as Denial of Service (DoS) attacks and portscans. Our evaluation results show that Coiflet and Paul wavelets perform better than other wavelets in detecting most anomalies considered in this work.
Keywords: network traffic anomaly; intrusion detection; wavelet; percentage deviation; entropy