Distributed Denial of Service (DDoS) flooding attacks are one of the biggest concerns for security professionals. DDoS flooding attacks are typically explicit attempts to disrupt legitimate users' access to services. Attackers usually gain access to a large number of computers by exploiting their vulnerabilities to set up attack armies (i.e., Botnets). Once an attack army has been set up, an attacker can invoke a coordinated, large-scale attack against one or more targets. Developing a comprehensive defense mechanism against identified and anticipated DDoS flooding attacks is a desired goal of the intrusion detection and prevention research community. However, the development of such a mechanism requires a comprehensive understanding of the problem and the techniques that have been used thus far in preventing, detecting, and responding to various DDoS flooding attacks. In this paper, we explore the scope of the DDoS flooding attack problem and attempts to combat it. We categorize the DDoS flooding attacks and classify existing countermeasures based on where and when they prevent, detect, and respond to the DDoS flooding attacks. Moreover, we highlight the need for a comprehensive distributed and collaborative defense approach. Our primary intention for this work is to stimulate the research community into developing creative, effective, efficient, and comprehensive prevention, detection, and response mechanisms that address the DDoS flooding problem before, during and after an actual attack.

/pdf/a-survey-of-defense-mechanisms-against-distributed-denial-of-36i5dbdzy6.pdf

A Survey of Defense Mechanisms Against Distributed Denial of Service (DDoS) Flooding Attacks

Mobile Edge Computing, Fog et al.: A Survey and Analysis of Security Threats and Challenges

Towards the development of realistic botnet dataset in the Internet of Things for network forensic analytics: Bot-IoT dataset

Cyber-attacks are becoming more sophisticated and thereby presenting increasing challenges in accurately detecting intrusions. Failure to prevent the intrusions could degrade the credibility of security services, e.g. data confidentiality, integrity, and availability. Numerous intrusion detection methods have been proposed in the literature to tackle computer security threats, which can be broadly classified into Signature-based Intrusion Detection Systems (SIDS) and Anomaly-based Intrusion Detection Systems (AIDS). This survey paper presents a taxonomy of contemporary IDS, a comprehensive review of notable recent works, and an overview of the datasets commonly used for evaluation purposes. It also presents evasion techniques used by attackers to avoid detection and discusses future research challenges to counter such techniques so as to make computer systems more secure.

/pdf/survey-of-intrusion-detection-systems-techniques-datasets-pqubhd28lv.pdf

Survey of intrusion detection systems: techniques, datasets and challenges

Distributed denial of service (DDoS) attacks in cloud computing environments are growing due to the essential characteristics of cloud computing. With recent advances in software-defined networking (SDN), SDN-based cloud brings us new chances to defeat DDoS attacks in cloud computing environments. Nevertheless, there is a contradictory relationship between SDN and DDoS attacks. On one hand, the capabilities of SDN, including software-based traffic analysis, centralized control, global view of the network, dynamic updating of forwarding rules, make it easier to detect and react to DDoS attacks. On the other hand, the security of SDN itself remains to be addressed, and potential DDoS vulnerabilities exist across SDN platforms. In this paper, we discuss the new trends and characteristics of DDoS attacks in cloud computing, and provide a comprehensive survey of defense mechanisms against DDoS attacks using SDN. In addition, we review the studies about launching DDoS attacks on SDN, as well as the methods against DDoS attacks in SDN. To the best of our knowledge, the contradictory relationship between SDN and DDoS attacks has not been well addressed in previous works. This work can help to understand how to make full use of SDN's advantages to defeat DDoS attacks in cloud computing environments and how to prevent SDN itself from becoming a victim of DDoS attacks, which are important for the smooth evolution of SDN-based cloud without the distraction of DDoS attacks.

Software-Defined Networking (SDN) and Distributed Denial of Service (DDoS) Attacks in Cloud Computing Environments: A Survey, Some Research Issues, and Challenges

With the growing popularity of cloud computing, the exploitation of possible vulnerabilities grows at the same pace; the distributed nature of the cloud makes it an attractive target for potential intruders. Despite security issues delaying its adoption, cloud computing has already become an unstoppable force; thus, security mechanisms to ensure its secure adoption are an immediate need. Here, we focus on intrusion detection and prevention systems (IDPSs) to defend against the intruders. In this paper, we propose a Distributed, Collaborative, and Data-driven Intrusion Detection and Prevention system (DCDIDP). Its goal is to make use of the resources in the cloud and provide a holistic IDPS for all cloud service providers which collaborate with other peers in a distributed manner at different architectural levels to respond to attacks. We present the DCDIDP framework, whose infrastructure level is composed of three logical layers: network, host, and global as well as platform and software levels. Then, we review its components and discuss some existing approaches to be used for the modules in our proposed framework. Furthermore, we discuss developing a comprehensive trust management framework to support the establishment and evolution of trust among different cloud service providers.

http://d-scholarship.pitt.edu/13461/1/icst.collaboratecom.2011.247158(1).pdf

DCDIDP: A distributed, collaborative, and data-driven intrusion detection and prevention framework for cloud computing environments

Several alert correlation approaches have been proposed to date to reduce the number of non-relevant alerts and false positives typically generated by Intrusion Detection Systems (IDS). Inspired by the mental process of the contextualisation used by security analysts to weed out less relevant alerts, some of these approaches have tried to incorporate contextual information such as: type of systems, applications, users, and networks into the correlation process. However, these approaches are not flexible as they only perform correlation based on the narrowly defined contexts. information resources available to the security analysts while preserving the maximum flexibility and the power of abstraction in both the definition and the usage of such concepts, we propose ONTIDS, a context-aware and ontology-based alert correlation framework that uses ontologies to represent and store the alerts information, alerts context, vulnerability information, and the attack scenarios. ONTIDS employs simple ontology logic rules written in Semantic Query-enhance Web Rule Language (SQWRL) to correlate and filter out non-relevant alerts. We illustrate the potential usefulness and the flexibility of ONTIDS by employing its reference implementation on two separate case studies, inspired from the DARPA 2000 and UNB ISCX IDS evaluation datasets.

ONTIDS: A Highly Flexible Context-Aware and Ontology-Based Alert Correlation Framework

Dynamic Spectrum Access (DSA) systems are being developed to improve spectrum utilization. Most of the research on DSA systems assumes that the participants involved are honest, cooperative, and that no malicious adversaries will attack or exploit the network. Some recent research efforts have focused on studying security issues in cognitive radios but there are still significant security challenges in the implementation of DSA systems that have not been addressed.

In this paper we focus on security issues in DSA. We identify various attacks (e.g., DoS attacks, system penetration, repudiation, spoofing, authorization violation, malware infection, data modification, etc.) and suggest various approaches to address them. We show that
significant security issues exist that should be addressed by the research community if DSA is to find its way into production systems. We also show that, in many cases, existing approaches to securing IT systems can be applied to DSA and identify other DSA specific security challenges
where additional research will be required.

Security in Dynamic Spectrum Access Systems: A Survey

One of the fundamental challenges in real-world Intrusion Detection Systems (IDS) is the large number of redundant, non-relevant false positive alerts that they generate. In this paper, we propose an alert fusion approach that incorporates contextual information with the goal of leveraging the benefits of multi-sensor detection while reducing false positives. In order to allow for automated reasoning on the information resources available for the fusion process, we design a set of comprehensive and extensible ontologies, and implemented fusion and detection algorithms as simple rules in Ontologic Web Language Description Logic (OWL-DL), using the Semantic Query-Enhance Web Rule Language (SQWRL). To illustrate and evaluate our approach, we use one of the attack scenarios of the DARPA 2000 dataset. The results obtained show that our approach can reduce false positives, while achieving the same detection rates achieved by using the Snort and ISS RealSecure.

Saman Taghavi Zargar

Papers

A Survey of Defense Mechanisms Against Distributed Denial of Service (DDoS) Flooding Attacks

DCDIDP: A distributed, collaborative, and data-driven intrusion detection and prevention framework for cloud computing environments

ONTIDS: A Highly Flexible Context-Aware and Ontology-Based Alert Correlation Framework

Security in Dynamic Spectrum Access Systems: A Survey

Semantic-based context-aware alert fusion for distributed Intrusion Detection Systems