Journal ArticleDOI

Thwarting DDoS attacks in grid using information divergence

01 Jan 2013 - Future Generation Computer Systems (North-Holland), Vol. 29, Iss. 1, pp. 429-441
TL;DR: A five-fold DDoS Defense Mechanism using an Information Divergence scheme that detects the attacker and discards the adversary's packets for a fixed amount of time in an organized manner is proposed.
About: This article is published in Future Generation Computer Systems. The article was published on 2013-01-01. It has received 29 citations to date. The article focuses on the topics: Application layer DDoS attack & Trinoo.
Citations
Journal ArticleDOI
01 Jul 2014
TL;DR: This paper introduces an attack-generating tool to test and confirm previously reported vulnerabilities, and proposes an intelligent, fast and adaptive system for detecting against XML and HTTP application layer attacks.
Abstract: Recently, a new kind of vulnerability has surfaced: application layer Denial-of-Service (DoS) attacks targeting web services. These attacks aim at consuming resources by sending Simple Object Access Protocol (SOAP) requests that contain malicious XML content. These requests cannot be detected on the network or transportation (TCP/IP) layer, as they appear as legitimate packets. Until now, there is no web service security specification that addresses this problem. Moreover, the current WS-Security standard induces crucial additional vulnerabilities threatening the availability of certain web service implementations. First, this paper introduces an attack-generating tool to test and confirm previously reported vulnerabilities. The results indicate that the attacks have a devastating impact on the web service availability, even whilst utilizing an absolute minimum of attack resources. Since these highly effective attacks can be mounted with relative ease, it is clear that defending against them is essential, looking at the growth of cloud and web services. Second, this paper proposes an intelligent, fast and adaptive system for detecting against XML and HTTP application layer attacks. The intelligent system works by extracting several features and using them to construct a model for typical requests. Finally, outlier detection can be used to detect malicious requests. Furthermore, the intelligent defense system is capable of detecting spoofing and regular flooding attacks. The system is designed to be inserted in a cloud environment where it can transparently protect the cloud broker and even cloud providers. For testing its effectiveness, the defense system was deployed to protect web services running on WSO2 with Axis2: the de facto standard for open source web service deployment. The proposed defense system demonstrates its capability to effectively filter out the malicious requests, whilst generating a minimal amount of overhead for the total response time.

60 citations

Journal ArticleDOI
01 Mar 2018
TL;DR: To achieve a higher security level for power systems, the research community should follow a systematic approach and consider all stages of the holistic resilience cycle in addressing security problems of the power systems.
Abstract: In this paper, we study the literature on cyber-physical security of electrical power systems. The paper is intended to address the security strengths and weaknesses of the electrical power systems against malicious attacks. The concept of holistic resilience cycle (HRC) is introduced to improve cyber-physical security of electrical power systems. HRC is a systematic view to the security of the power systems, characterized by its four stages as closely interconnected and explicable only by reference to the whole. HRC includes four stages of prevention and planning, detection, mitigation and response, and system recovery. Power systems are evolving from traditional settings towards more autonomous and smart grids. Cyber-physical security is critical for the safe and secure operations of the power systems. To achieve a higher security level for power systems, the research community should follow a systematic approach and consider all stages of the holistic resilience cycle in addressing security problems of the power systems.

59 citations

Journal ArticleDOI
TL;DR: An efficient DDoS attack detection technique based on multilevel auto-encoder based feature learning that outperforms the compared methods in terms of prediction accuracy is proposed.
Abstract: The bidirectional communication infrastructure of smart systems, such as smart grids, is vulnerable to network attacks like distributed denial of service (DDoS) and can be a major concern in the present competitive market. In a DDoS attack, multiple compromised nodes in a communication network flood connection requests, bogus data packets or incoming messages to targets like database servers, resulting in denial of service for legitimate users. Recently, machine learning based techniques have been explored by researchers to secure the network from DDoS attacks. Under different attack scenarios on a system, measurements can be observed either in an online manner or batch mode and can be used to build predictive learning systems. In this work, we propose an efficient DDoS attack detection technique based on multilevel auto-encoder based feature learning. We learn multiple levels of shallow and deep auto-encoders in an unsupervised manner which are then used to encode the training and test data for feature generation. A final unified detection model is then learned by combining the multilevel features using an efficient multiple kernel learning (MKL) algorithm. We perform experiments on two benchmark DDoS attack databases and their subsets and compare the results with six recent methods. Results show that the proposed method outperforms the compared methods in terms of prediction accuracy.

38 citations


Cites background or methods from "Thwarting DDoS attacks in grid usin..."

  • ...The number of layers in each MSDA is selected as Lm = [1, 3, 5, 7, 9, 11]....

    [...]

  • ...The number of layers in each MSDA is randomly chosen from the set Lm = [1, 3, 5, 7, 9, 11]....

    [...]

  • ...Varalakshmi and Selvi [9] detects and discards false malicious requests using information divergence scheme....

    [...]

  • ...[9] P. Varalakshmi and S. T. Selvi, ‘‘Thwarting DDoS attacks in grid using information divergence,’’ Future Gener....

    [...]

Proceedings ArticleDOI
01 Dec 2014
TL;DR: The obtained results show that the proposed model has the ability to mitigate most of TCP attacks and achieves high detection accuracy (97%) with fewer false alarms.
Abstract: A Distributed Denial of Service (DDOS) attack can cause huge damage to resources and to the access of genuine users to those resources. Existing defense systems cannot be easily applied in cloud computing due to their relatively low competence and wide storage. In this work we present a statistical technique to detect and filter DDOS attacks. The proposed model requires small storage and has the ability of fast detection. The obtained results show that our model has the ability to mitigate most TCP attacks. Detection accuracy and time consumption were the metrics used to evaluate the performance of our proposed model. From the simulation results, it is visible that our algorithms achieve high detection accuracy (97%) with fewer false alarms.

36 citations

Journal Article
TL;DR: Goodput of Datacenter has been improved by detecting and mitigating the incoming traffic threats at each stage and simulation results proved that the Enhanced Entropy approach behaves better at DDoS attack prone zones.
Abstract: A Distributed Denial of Service (DDoS) attack launched in a Cloud computing environment results in loss of sensitive information, data corruption and, rarely, even service shutdown. The entropy based DDoS mitigation approach analyzes the heuristic data and acts dynamically according to the traffic behavior to effectively segregate the characteristics of incoming traffic. Heuristic data helps in detecting the traffic condition to mitigate the flooding attack. Then, the traffic data is analyzed to distinguish legitimate and attack characteristics. An additional Trust mechanism has been deployed to differentiate legitimate and aggressive legitimate users. Hence, the Goodput of the Datacenter has been improved by detecting and mitigating the incoming traffic threats at each stage. Simulation results proved that the Enhanced Entropy approach behaves better at DDoS attack prone zones. Profit analysis also proved that the proposed mechanism is deployable at a Datacenter for attack mitigation and resource protection, which eventually results in beneficial service at slenderized revenue.

31 citations


Cites methods from "Thwarting DDoS attacks in grid usin..."

  • ...DDoS defense mechanism [10] used hop count filter, anomaly detectors, normal profile creation and attacker profile creation and comparing the incoming traffic to reduce false positive and false negative in order to improve the efficiency of attacker detection schemes using Kullback-Leibler Divergence....

    [...]
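The mechanism summarized above (a normal profile, an attacker profile, and a Kullback-Leibler comparison of incoming traffic, with offending sources discarded for a fixed time) and the entropy statistic used by the Enhanced Entropy paper cited earlier can be seen end to end in the following added example. This is illustrative code written for this page, not the authors' implementation: the per-window source-address distribution, the smoothing constant, the KL threshold of 0.5, the 10x share rule for naming culprits, the 60-second block and the sample traffic are all assumptions.

```python
"""Added example (not the paper's code): an information-divergence DDoS detector.

Assumed design: per time window, build the empirical distribution of packet
source addresses, compare it with a learned "normal profile" distribution
using Kullback-Leibler divergence, and when the divergence crosses a
threshold, block for a fixed number of seconds the sources whose share is far
above their profile share. Threshold, smoothing constant and culprit rule are
illustrative choices, not values from the paper.
"""
import math
from collections import Counter

EPS = 1e-6          # smoothing so every source has non-zero mass in both distributions
RATE_FACTOR = 10.0  # assumption: a source is a culprit if its share is 10x its profile share


def distribution(counts, support):
    """Smoothed empirical distribution of `counts` over the key set `support`."""
    total = sum(counts.get(s, 0) for s in support) + EPS * len(support)
    return {s: (counts.get(s, 0) + EPS) / total for s in support}


def kl_divergence(p, q):
    """D_KL(P || Q) = sum_x p(x) * ln(p(x) / q(x)); both dicts share the same keys."""
    return sum(p[x] * math.log(p[x] / q[x]) for x in p if p[x] > 0)


def entropy_bits(p):
    """Shannon entropy in bits; a flood dominated by few sources drives this down."""
    return -sum(v * math.log2(v) for v in p.values() if v > 0)


class DivergenceDetector:
    def __init__(self, normal_counts, threshold, block_seconds):
        self.profile = Counter(normal_counts)   # normal profile: source -> packet count
        self.threshold = threshold
        self.block_seconds = block_seconds
        self.blocked = {}                       # source -> time at which the block expires

    def is_blocked(self, src, now):
        """True while `src` is on the time-limited block list."""
        expires = self.blocked.get(src)
        if expires is None:
            return False
        if now >= expires:
            del self.blocked[src]               # fixed-duration discard, then forget
            return False
        return True

    def inspect_window(self, sources, now):
        """sources: source IPs seen in one window. Returns (divergence, newly blocked)."""
        observed = Counter(sources)
        support = set(observed) | set(self.profile)
        p = distribution(observed, support)      # this window
        q = distribution(self.profile, support)  # normal profile
        d = kl_divergence(p, q)
        culprits = []
        if d > self.threshold:
            for s in support:
                if p[s] > RATE_FACTOR * q[s]:    # share far above the normal profile
                    culprits.append(s)
                    self.blocked[s] = now + self.block_seconds
        return d, sorted(culprits)


# Constructed sample traffic (not measurements from the paper).
BENIGN = [f"192.0.2.{i}" for i in range(1, 11)]
NORMAL_PROFILE = {ip: 100 for ip in BENIGN}                          # even load from 10 clients
QUIET_WINDOW = [ip for i, ip in enumerate(BENIGN) for _ in range(90 + 2 * i)]
ATTACK_WINDOW = [ip for ip in BENIGN for _ in range(10)] + ["203.0.113.7"] * 500


def demo():
    det = DivergenceDetector(NORMAL_PROFILE, threshold=0.5, block_seconds=60)
    quiet_d, quiet_blocked = det.inspect_window(QUIET_WINDOW, now=0.0)
    attack_d, attack_blocked = det.inspect_window(ATTACK_WINDOW, now=100.0)
    return {
        "quiet_divergence": quiet_d,
        "quiet_blocked": quiet_blocked,
        "quiet_entropy_bits": entropy_bits(distribution(Counter(QUIET_WINDOW), set(BENIGN))),
        "attack_divergence": attack_d,
        "attack_blocked": attack_blocked,
        "blocked_during": det.is_blocked("203.0.113.7", 130.0),
        "blocked_after": det.is_blocked("203.0.113.7", 161.0),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The quiet window stays near zero divergence; the attack window is dominated by the single term for the unseen source, which is exactly why the smoothing constant matters: a legitimate first-time client also has near-zero profile mass, so the share rule and the threshold, not the mere presence of a new address, must decide who gets blocked.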

References
Journal ArticleDOI
01 Aug 2001
TL;DR: The authors present an extensible and open Grid architecture, in which protocols, services, application programming interfaces, and software development kits are categorized according to their roles in enabling resource sharing.
Abstract: "Grid" computing has emerged as an important new field, distinguished from conventional distributed computing by its focus on large-scale resource sharing, innovative applications, and, in some cases, high performance orientation. In this article, the authors define this new field. First, they review the "Grid problem," which is defined as flexible, secure, coordinated resource sharing among dynamic collections of individuals, institutions, and resources--what is referred to as virtual organizations. In such settings, unique authentication, authorization, resource access, resource discovery, and other challenges are encountered. It is this class of problem that is addressed by Grid technologies. Next, the authors present an extensible and open Grid architecture, in which protocols, services, application programming interfaces, and software development kits are categorized according to their roles in enabling resource sharing. The authors describe requirements that they believe any such mechanisms must satisfy and discuss the importance of defining a compact set of intergrid protocols to enable interoperability among different Grid systems. Finally, the authors discuss how Grid technologies relate to other contemporary technologies, including enterprise integration, application service provider, storage service provider, and peer-to-peer computing. They maintain that Grid concepts and technologies complement and have much to contribute to these other approaches.

6,716 citations

Journal ArticleDOI
01 Apr 2004
TL;DR: This paper presents two taxonomies for classifying attacks and defenses in distributed denial-of-service (DDoS) and provides researchers with a better understanding of the problem and the current solution space.
Abstract: Distributed denial-of-service (DDoS) is a rapidly growing problem. The multitude and variety of both the attacks and the defense approaches is overwhelming. This paper presents two taxonomies for classifying attacks and defenses, and thus provides researchers with a better understanding of the problem and the current solution space. The attack classification criteria were selected to highlight commonalities and important features of attack strategies that define challenges and dictate the design of countermeasures. The defense taxonomy classifies the body of existing DDoS defenses based on their design decisions; it then shows how these decisions dictate the advantages and deficiencies of proposed solutions.

1,866 citations

Book ChapterDOI
15 Sep 2004
TL;DR: A payload-based anomaly detector, called PAYL, for intrusion detection that demonstrates the surprising effectiveness of the method on the 1999 DARPA IDS dataset and a live dataset the authors collected on the Columbia CS department network.
Abstract: We present a payload-based anomaly detector, which we call PAYL, for intrusion detection. PAYL models the normal application payload of network traffic in a fully automatic, unsupervised and very efficient fashion. We first compute during a training phase a profile of the byte frequency distribution and its standard deviation for the application payload flowing to a single host and port. We then use Mahalanobis distance during the detection phase to calculate the similarity of new data against the pre-computed profile. The detector compares this measure against a threshold and generates an alert when the distance of the new input exceeds this threshold. We demonstrate the surprising effectiveness of the method on the 1999 DARPA IDS dataset and a live dataset we collected on the Columbia CS department network. In one case nearly 100% accuracy is achieved with 0.1% false positive rate for port 80 traffic.

943 citations


"Thwarting DDoS attacks in grid usin..." refers background in this paper

  • ...Schemes related to checking the payload of the packet for specific attack characteristics in Intrusion Detection Systems (IDS) are discussed by Wang and Stolfo [21]....

    [...]
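The PAYL procedure described above (train a per host-and-port profile of byte frequencies with their standard deviations, score new payloads by a simplified Mahalanobis distance, alert above a threshold) is the kind of payload check the reference list's entry refers to. The following is an added example written for this page, not the PAYL authors' code: it uses the simplified distance sum |x_i - mean_i| / (std_i + alpha), a smoothing alpha of 0.001, a threshold set at 1.5 times the largest training distance, and a handful of constructed HTTP requests in place of the DARPA or Columbia data. All of those choices are assumptions.

```python
"""Added example (not the PAYL authors' code): a PAYL-style payload anomaly detector.

Assumed design: for one (host, port), train the per-byte mean and standard
deviation of the 256 byte frequencies over normal payloads; score a payload
by sum_i |x_i - mean_i| / (std_i + alpha); alert when the score exceeds a
threshold. alpha and the threshold rule are assumptions for this example.
"""
import math

ALPHA = 0.001   # smoothing so a byte with zero variance in training does not divide by zero


def byte_frequencies(payload):
    """Relative frequency of each byte value (0..255) in `payload`."""
    freqs = [0.0] * 256
    if not payload:
        return freqs
    for b in payload:
        freqs[b] += 1.0
    n = float(len(payload))
    return [f / n for f in freqs]


class PaylProfile:
    """Model of normal payload byte distributions for one destination host and port."""

    def __init__(self, alpha=ALPHA):
        self.alpha = alpha
        self.n = 0
        self.mean = [0.0] * 256
        self._m2 = [0.0] * 256   # running sum of squared deviations (Welford's method)

    def train(self, payload):
        """Incrementally update the mean and variance of each byte frequency."""
        x = byte_frequencies(payload)
        self.n += 1
        for i in range(256):
            delta = x[i] - self.mean[i]
            self.mean[i] += delta / self.n
            self._m2[i] += delta * (x[i] - self.mean[i])

    def std(self, i):
        return math.sqrt(self._m2[i] / self.n) if self.n else 0.0

    def distance(self, payload):
        """Simplified Mahalanobis distance of `payload` from the trained profile."""
        x = byte_frequencies(payload)
        return sum(abs(x[i] - self.mean[i]) / (self.std(i) + self.alpha) for i in range(256))

    def threshold_from_training(self, payloads, margin=1.5):
        """Assumption: alert threshold = margin * max distance over a clean calibration set."""
        return margin * max(self.distance(p) for p in payloads)

    def is_anomalous(self, payload, threshold):
        return self.distance(payload) > threshold


# Constructed sample traffic for port 80 (not the DARPA or Columbia data).
NORMAL_REQUESTS = [
    b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    b"GET /images/logo.png HTTP/1.1\r\nHost: www.example.com\r\nAccept: image/png\r\n\r\n",
    b"POST /login HTTP/1.1\r\nHost: www.example.com\r\nContent-Length: 27\r\n\r\nuser=alice&password=secret1",
    b"GET /about.html HTTP/1.1\r\nHost: www.example.com\r\nAccept: text/html\r\n\r\n",
    b"GET /search?q=grid+computing HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    b"GET /docs/ddos.pdf HTTP/1.1\r\nHost: www.example.com\r\nAccept: application/pdf\r\n\r\n",
]
# A request carrying a binary blob in a header shifts the byte distribution sharply.
BINARY_REQUEST = b"GET /index.html HTTP/1.1\r\nHost: " + bytes(range(0x80, 0x100)) * 2 + b"\r\n\r\n"
NORMAL_PROBE = b"GET /contact.html HTTP/1.1\r\nHost: www.example.com\r\nAccept: text/html\r\n\r\n"


def demo():
    profile = PaylProfile()
    for req in NORMAL_REQUESTS:
        profile.train(req)
    threshold = profile.threshold_from_training(NORMAL_REQUESTS)
    return {
        "threshold": threshold,
        "normal_distance": profile.distance(NORMAL_PROBE),
        "normal_probe": profile.is_anomalous(NORMAL_PROBE, threshold),
        "binary_distance": profile.distance(BINARY_REQUEST),
        "binary_probe": profile.is_anomalous(BINARY_REQUEST, threshold),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Byte values never seen in training have zero mean and zero standard deviation, so any occurrence in a probe contributes x_i / alpha to the score; that is what makes the binary request stand out, and also why a profile trained on too little traffic raises false alarms on benign but unusual characters.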

Proceedings Article
01 Dec 1997
TL;DR: A backpropagation neural network called NNID (Neural Network Intrusion Detector) was trained in the identification task and tested experimentally on a system of 10 users, suggesting that learning user profiles is an effective way for detecting intrusions.
Abstract: With the rapid expansion of computer networks during the past few years, security has become a crucial issue for modern computer systems. A good way to detect illegitimate use is through monitoring unusual user activity. Methods of intrusion detection based on hand-coded rule sets or predicting commands on-line are laborious to build or not very reliable. This paper proposes a new way of applying neural networks to detect intrusions. We believe that a user leaves a 'print' when using the system; a neural network can be used to learn this print and identify each user much like detectives use thumbprints to place people at crime scenes. If a user's behavior does not match his/her print, the system administrator can be alerted of a possible security breach. A backpropagation neural network called NNID (Neural Network Intrusion Detector) was trained in the identification task and tested experimentally on a system of 10 users. The system was 96% accurate in detecting unusual activity, with 7% false alarm rate. These results suggest that learning user profiles is an effective way for detecting intrusions.

493 citations


"Thwarting DDoS attacks in grid usin..." refers methods in this paper

  • ...[8]; clustering proposed by Toelle and Niggenmann [9]; and statistical detection proposed by Yau et al....

    [...]

Journal ArticleDOI
TL;DR: A novel filtering technique, called Hop-Count Filtering (HCF), is presented-which builds an accurate IP-to-hop-count (IP2HC) mapping table-to detect and discard spoofed IP packets.
Abstract: IP spoofing has often been exploited by Distributed Denial of Service (DDoS) attacks to: 1) conceal flooding sources and dilute localities in flooding traffic, and 2) coax legitimate hosts into becoming reflectors, redirecting and amplifying flooding traffic. Thus, the ability to filter spoofed IP packets near victim servers is essential to their own protection and prevention of becoming involuntary DoS reflectors. Although an attacker can forge any field in the IP header, he cannot falsify the number of hops an IP packet takes to reach its destination. More importantly, since the hop-count values are diverse, an attacker cannot randomly spoof IP addresses while maintaining consistent hop-counts. On the other hand, an Internet server can easily infer the hop-count information from the Time-to-Live (TTL) field of the IP header. Using a mapping between IP addresses and their hop-counts, the server can distinguish spoofed IP packets from legitimate ones. Based on this observation, we present a novel filtering technique, called Hop-Count Filtering (HCF)--which builds an accurate IP-to-hop-count (IP2HC) mapping table--to detect and discard spoofed IP packets. HCF is easy to deploy, as it does not require any support from the underlying network. Through analysis using network measurement data, we show that HCF can identify close to 90% of spoofed IP packets, and then discard them with little collateral damage. We implement and evaluate HCF in the Linux kernel, demonstrating its effectiveness with experimental measurements.

350 citations
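The Hop-Count Filtering idea above (the attacker can forge the source address but not the number of hops, which the server infers from the TTL and checks against an IP-to-hop-count table) is the hop count filter the citing paper lists as the first stage of the defense mechanism. Below is an added example written for this page, not the HCF authors' Linux kernel implementation. It assumes the initial TTL is inferred as the smallest common OS default (32, 64, 128, 255) not below the observed TTL, that the IP2HC table is learned from traffic already known to be legitimate, and that a packet is spoofed when its inferred hop count differs from the table entry; the observations are constructed, not network measurement data.

```python
"""Added example (not the HCF authors' code): Hop-Count Filtering.

Assumed design: infer the sender's initial TTL from the observed TTL by
rounding up to the next common OS default, derive hop count = initial -
observed, learn an IP-to-hop-count (IP2HC) table from trusted traffic, and
flag packets whose hop count does not match their source's entry as spoofed.
"""
INITIAL_TTLS = (32, 64, 128, 255)   # common OS defaults assumed by the inference


def infer_hop_count(observed_ttl):
    """Hop count = inferred initial TTL - observed TTL.

    The initial TTL is taken as the smallest common default >= observed_ttl.
    A host configured with a non-default initial TTL is mis-inferred; that is
    one source of error in a deployed filter.
    """
    if not 1 <= observed_ttl <= 255:
        raise ValueError("TTL out of range")
    initial = min(t for t in INITIAL_TTLS if observed_ttl <= t)
    return initial - observed_ttl


class HopCountFilter:
    def __init__(self):
        self.ip2hc = {}     # source IP -> hop count learned from trusted traffic

    def learn(self, src_ip, observed_ttl):
        """Update IP2HC from traffic known to be legitimate (e.g. completed TCP handshakes)."""
        self.ip2hc[src_ip] = infer_hop_count(observed_ttl)

    def check(self, src_ip, observed_ttl):
        """Return 'ok', 'spoofed' or 'unknown' (no table entry yet for this source)."""
        expected = self.ip2hc.get(src_ip)
        if expected is None:
            return "unknown"
        return "ok" if infer_hop_count(observed_ttl) == expected else "spoofed"


# Constructed observations (not the paper's measurement data).
TRUSTED = [("198.51.100.4", 52), ("192.0.2.10", 115), ("203.0.113.9", 243)]
# Flood from one attacker host 8 hops away with initial TTL 64: every packet
# arrives with TTL 56 no matter which source address was forged.
FLOOD = [("198.51.100.4", 56), ("192.0.2.10", 56), ("203.0.113.9", 56), ("192.0.2.200", 56)]


def demo():
    hcf = HopCountFilter()
    for ip, ttl in TRUSTED:
        hcf.learn(ip, ttl)
    verdicts = {ip: hcf.check(ip, ttl) for ip, ttl in FLOOD}
    return {
        "ip2hc": dict(hcf.ip2hc),
        "flood_verdicts": verdicts,
        "legit": hcf.check("198.51.100.4", 52),
        # an attacker 12 hops away (initial TTL 64, observed 52) spoofing 203.0.113.9
        # collides with that host's learned hop count and passes the filter
        "collision": hcf.check("203.0.113.9", 52),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The collision case is the reason the abstract reports close to 90% rather than 100%: only the hop count is compared, not the initial TTL, so a spoofed source whose real hop count happens to equal the victim's learned value is not caught. A production filter also needs a tolerance for legitimate hop-count drift from route changes and a policy for the 'unknown' verdict, neither of which this example supplies.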