The Internet Protocol.

Distributed Denial of Service (DDoS) attacks are one of the most harmful threats in today’s Internet, disrupting the availability of essential services. The challenge of DDoS detection is the combination of attack approaches coupled with the volume of live traffic to be analysed. In this paper, we present a practical, lightweight deep learning DDoS detection system called Lucid, which exploits the properties of Convolutional Neural Networks (CNNs) to classify traffic flows as either malicious or benign. We make four main contributions; (1) an innovative application of a CNN to detect DDoS traffic with low processing overhead, (2) a dataset-agnostic preprocessing mechanism to produce traffic observations for online attack detection, (3) an activation analysis to explain Lucid’s DDoS classification, and (4) an empirical validation of the solution on a resource-constrained hardware platform. Using the latest datasets, Lucid matches existing state-of-the-art detection accuracy whilst presenting a 40x reduction in processing time, as compared to the state-of-the-art. With our evaluation results, we prove that the proposed approach is suitable for effective DDoS detection in resource-constrained operational environments.

/pdf/lucid-a-practical-lightweight-deep-learning-solution-for-2wl46phf2o.pdf

Lucid: A Practical, Lightweight Deep Learning Solution for DDoS Attack Detection

Distributed Denial of Service (DDoS) attacks are one of the most harmful threats in today's Internet, disrupting the availability of essential services. The challenge of DDoS detection is the combination of attack approaches coupled with the volume of live traffic to be analysed. In this paper, we present a practical, lightweight deep learning DDoS detection system called LUCID, which exploits the properties of Convolutional Neural Networks (CNNs) to classify traffic flows as either malicious or benign. We make four main contributions; (1) an innovative application of a CNN to detect DDoS traffic with low processing overhead, (2) a dataset-agnostic preprocessing mechanism to produce traffic observations for online attack detection, (3) an activation analysis to explain LUCID's DDoS classification, and (4) an empirical validation of the solution on a resource-constrained hardware platform. Using the latest datasets, LUCID matches existing state-of-the-art detection accuracy whilst presenting a 40x reduction in processing time, as compared to the state-of-the-art. With our evaluation results, we prove that the proposed approach is suitable for effective DDoS detection in resource-constrained operational environments.

/pdf/lucid-a-practical-lightweight-deep-learning-solution-for-ezuf269cwu.pdf

LUCID: A Practical, Lightweight Deep Learning Solution for DDoS Attack Detection

Impact of Coronavirus Pandemic Crisis on Technologies and Cloud Computing Applications

The Internet of Things (IoT) represents a mean to share resources (memory, storage computational power, data, etc.) between computers and mobile devices, as well as buildings, wearable devices, electrical grids, and automobiles, just to name few. The IoT is leading to the development of advanced information services that will require large storage and computational power, as well as real-time processing capabilities. The integration of IoT with emerging technologies such as Fog Computing can complement these requirements with pervasive and cost-effective services capable of processing large-scale geo-distributed information. In any IoT application, communication availability is essential to deliver accurate and useful information, for instance, to take actions during dangerous situations, or to manage critical infrastructures. IoT components like gateways, also called Fog Nodes, face outstanding security challenges as the attack surface grows with the number of connected devices requesting communication services. These Fog nodes can be targeted by an attacker, preventing the nodes from delivering important information to the final users or to perform accurate automated actions. This paper introduces an Anomaly Behavior Analysis Methodology based on Artificial Neural Networks, to implement an adaptive Intrusion Detection System (IDS) capable of detecting when a Fog node has been compromised, and then take the required actions to ensure communication availability. The experimental results reveal that the proposed approach has the capability for characterizing the normal behavior of Fog Nodes despite its complexity due to the adaptive scheme, and also has the capability of detecting anomalies due to any kind of sources such as misuses, cyber-attacks or system glitches, with high detection rate and low false alarms.

/pdf/artificial-neural-networks-based-intrusion-detection-system-31icju3jd4.pdf

Artificial Neural Networks Based Intrusion Detection System for Internet of Things Fog Nodes

Address Resolution (AR) and Duplicate Address Detection (DAD) are considered the most important processes in Neighbour Discovery Protocol (NDP), which occurs frequently from each Internet Protocol version 6 (IPv6) host communicating with other neighbouring hosts. Two NDP messages are used during AR and DAD to communicate with one another in the same IPv6 link-local network, namely Neighbour Solicitation (NS) and Neighbour Advertisement (NA) messages. However, NDP messages have non-secure designs and lack verification mechanisms for authenticating whether incoming messages originate from a legitimate or illegitimate node. Therefore, any node in the same link can manipulate NS or NA messages and then launch a Denial-of-Service (DoS) attack. Techniques proposed to secure AR and DAD include Secure NDP (SeND) and Trust-NDP (Trust-ND); however, these techniques either entail high processing time and bandwidth consumption or are vulnerable to DoS attacks because of their designs. Therefore, to secure AR and DAD, this study aims to introduce a prevention technique called Match-Prevention, which secures target IP addresses and exchange messages (i.e. NS and NA). The processing time, bandwidth consumption and DoS prevention success rate of Match-Prevention in different scenarios are evaluated, and its performance is compared with those of existing techniques, including Standard-Process (i.e., Standard-AR and Standard-DAD), SeND and Trust-ND. Results show that Match-Prevention requires less processing time during AR and DAD processes and less bandwidth consumption compared with other existing techniques. In terms of DoS prevention success rate, the experiments show that Standard-Process and Trust-ND are unable to secure AR and DAD from DoS attacks, whilst SeND is vulnerable to flooding attacks. By contrast, Match-Prevention allows IPv6 nodes to verify the incoming message, discard the fake message before further processing and prevent a DoS attack during AR and DAD in an IPv6 link-local network.

/pdf/match-prevention-technique-against-denial-of-service-attack-1yrojg5ug8.pdf

Match-Prevention Technique Against Denial-of-Service Attack on Address Resolution and Duplicate Address Detection Processes in IPv6 Link-Local Network

The implementation of the neighbor discovery protocol has introduced new security vulnerabilities to Internet protocol version 6 (IPv6) networks One of the most common attacks being attributed to the IPv6 network layer is the denial of service (DoS) router advertisement (RA) flooding attack An attacker can flood massive amounts of RA packets to the IPv6 multicast address which cause the hosts inside the link-local network to run out of central processing unit resources due to packet processing overhead This research proposes a hybrid approach of entropy-based technique combined with the adaptive threshold algorithm to detect the aforementioned attack By dynamically adapting the threshold and choosing the right entropy feature, the proposed technique is able to detect various scenarios of DoS RA flooding attack, including evasion techniques used by attackers The proposed technique yields 98% detection accuracy according to the experiment conducted

Hybridizing Entropy Based Mechanism with Adaptive Threshold Algorithm to Detect RA Flooding Attack in IPv6 Networks

An efficiently unlimited address space is provided by Internet Protocol version 6 (IPv6). It aims to accommodate thousands of hundreds of unique devices on a similar link. This can be achieved through the Duplicate Address Detection (DAD) process. It is considered one of the core IPv6 network's functions. It is implemented to make sure that IP addresses do not conflict with each other on the same link. However, IPv6 design's functions are exposed to security threats like the DAD process, which is vulnerable to Denial of Service (DoS) attack. Such a threat prevents the host from configuring its IP address by responding to each Neighbor Solicitation (NS) through fake Neighbor Advertisement (NA). Various mechanisms have been proposed to secure the IPv6 DAD procedure. The proposed mechanisms, however, suffer from complexity, high processing time, and the consumption of more resources. The experiments-based findings revealed that all the existing mechanisms had failed to secure the IPv6 DAD process. Therefore, DAD-match security technique is proposed in this study to efficiently secure the DAD process consuming less processing time. DAD-match is built based on SHA-3 to hide the exchange tentative IP among hosts throughout the process of DAD in an IPv6 link-local network. The obtained experimental results demonstrated that the DAD-match security technique achieved less processing time compared with the existing mechanisms as it can resist a range of different threats like collision and brute-force attacks. The findings concluded that the DAD-match technique effectively prevents the DoS attack during the DAD process. The DAD-match technique is implemented on a small area IPv6 network; hence, the author future work is to implement and test the DAD-match technique on a large area IPv6 network.

/pdf/dad-match-security-technique-to-prevent-denial-of-service-fvyiihghhm.pdf

DAD-match; Security technique to prevent denial of service attack on duplicate address detection process in IPv6 link-local network.

The deployment of Internet Protocol Version 6 (IPv6) has progressed at a rapid pace. IPv6 has introduced new features and capabilities that is not available in IPv4. However, new security risks and challenges emerge with any new technology. Similarly, Duplicate Address Detection (DAD), part of Neighbor Discovery Protocol in IPv6 protocol, is subject to security threats such as denial-of-service attacks. This paper presents a comprehensive review on detection and defense mechanisms for DAD on fixed network. The strengths and weaknesses of each mechanism to Secure-DAD process are discussed from the perspective of implementation and processing time. Finally, challenges and future directions are presented along with feature requirements for the new security mechanism to secure DAD procedure in an IPv6 link-local network.

/pdf/detection-and-defense-mechanisms-on-duplicate-address-4b60z36hwr.pdf

Detection and Defense Mechanisms on Duplicate Address Detection Process in IPv6 Link-Local Network: A Survey on Limitations and Requirements

With the increasing number of nodes, connecting on the same link needs a distinct Internet protocol (IP) address for each node. Duplicate address detection (DAD) is the process responsible for verifying the uniqueness of the IP address on the same link by using two neighbor discovery protocol (NDP) messages, namely, neighbor solicitation and neighbor advertisement. Given that NDP messages are unsecured by their design, any node can manipulate these messages and launch a denial of service (DoS) attack. This attack on DAD prevents legitimate node from configuring its IP address. Many mechanisms have been proposed to address this issue, but they have exhibited side effects, such as complexity and performance degradation. This study proposed a new security technique called DAD-match that relies on cryptographic hash function to hide a tentative IP address during the DAD procedure. We aimed to develop a DAD-match technique that will provide a noncomplex lightweight security and completely prevent DoS attacks during DAD procedure in IPv6 link-local network.

Ayman Al-Ani

Papers

Match-Prevention Technique Against Denial-of-Service Attack on Address Resolution and Duplicate Address Detection Processes in IPv6 Link-Local Network

Hybridizing Entropy Based Mechanism with Adaptive Threshold Algorithm to Detect RA Flooding Attack in IPv6 Networks

DAD-match; Security technique to prevent denial of service attack on duplicate address detection process in IPv6 link-local network.

Detection and Defense Mechanisms on Duplicate Address Detection Process in IPv6 Link-Local Network: A Survey on Limitations and Requirements

Proposed DAD-match Security Technique based on Hash Function to Secure Duplicate Address Detection in IPv6 Link-local Network